ML Provisioner Tool Documentation

Welcome to the ML Provisioner Tool documentation. This tool provisions and manages AWS ML product infrastructure using tier-based CloudFormation templates (starter, professional, enterprise).

📚 Getting Started (Read First)

Start here if you’re new to the ML Provisioner.

README

Quick start and overview - What the tool does, common commands, tier-based architecture, and AWS credentials setup.

USER_GUIDE

Complete command reference - All 12 actions (validate-config, create-prov-template, deploy-product, delete-product, etc.), deployment workflows, volume mounts, and best practices.

📖 Core Documentation (Essential)

CONFIGURATION

Configuration reference - Config file naming convention, discriminators (source_control, vpc_mode, vpc_source), and all enterprise tier combinations.

CONFIGURATION_GUIDE

Configuration guide - Step-by-step decision tree for selecting the correct config file, verifying prerequisites, and populating config values before deployment.

NAMING_CONVENTIONS

Naming conventions - Resource naming patterns, ml_name construction, artifact filename conventions, and SSM parameter paths.

PREREQUISITES

Pre-deployment requirements - S3 source control bucket setup, VPC and route table requirements for enterprise tier, standalone vs bundle networking.

🔒 Security

IAM_PERMISSIONS

Required AWS permissions - Least-privilege IAM policy for CloudFormation, SageMaker, CodePipeline, CodeBuild, KMS, VPC, and SSM operations.

SECURITY_GUIDELINES

Security guidelines - KMS encryption, permission boundaries, VPC endpoint security groups, and compliance monitoring.

🔧 Operations (Day-to-Day Use)

UPDATE_PROCEDURES

Update and maintenance procedures - How to update the Docker image, modify tier configurations, and perform maintenance tasks.

🐛 Troubleshooting

TROUBLESHOOTING

Common issues and solutions - AWS credentials, configuration errors, CloudFormation errors, VPC integration issues, and Docker errors.

📊 Advanced Topics (Optional)

RESOURCES_EXPLAINED

AWS resources explained — Educational guide to every AWS resource provisioned by the ML Provisioner, what it does, why it exists, and how it relates to other resources in the stack.

APPLICATION_ARCHITECTURE

Complete architecture documentation - Tier-based design, CFN generator architecture, blueprint system, SSM integration, and deployment patterns.

INTEGRATION_EXAMPLES

Integration examples - How to consume ML stack outputs from SSM Parameter Store in SageMaker, CI/CD pipelines, and downstream provisioners.

MIGRATION_GUIDE

Migration guide - Migrating from manually created ML infrastructure or other IaC tools to the ML Provisioner.

📋 Reference

ROADMAP

Future features and plans - Planned features, enhancement requests, and product roadmap.

RELEASE_NOTES

Version history and changes - Release history, new features, bug fixes, and upgrade notes.

SAMPLE_REPORTS

Sample HTML reports - Example pre-deployment review report and deployment report.

📚 Getting Started:

• README
  • Table of Contents
  • The Purpose
  • Key Features
  • Prerequisites & Installation
    • Requirements
    • Installation
    • AWS Credentials Setup
    • Working Directory Setup
  • Architecture & Tier Matrix
  • Quick Start
    • 1. Configuration File Selection
    • 2. Configuration File Adjustment
    • 3. Common Workflow
  • AWS Credentials
  • What Gets Created
    • Starter Tier
    • Professional Tier (all Starter plus)
    • Enterprise Tier (all Professional plus)
  • Directory Structure
  • Accessing Documentation
  • Quick Troubleshooting
  • License
• User Guide
  • Table of Contents
  • Pre-Deployment Checklist
    • Professional Tier (additional)
    • Enterprise Tier (additional)
  • Quick Reference — Actions by Safety Level
    • Local Actions (No AWS Calls besides subscription check)
    • Read-Only AWS Actions
    • Mutating AWS Actions (--force required)
  • Prerequisites
  • Configuration
  • Business Workflow
  • Scenario Matrix
    • Dimension Values
    • Representative Scenarios
  • Multi-Environment Deployment
    • Switching AWS Accounts
  • Volume Mounts
  • AWS Credentials
  • Best Practices
  • FAQ

🚀 Onboarding Examples:

• Onboarding Examples
  • Scenario Index
  • Standalone Scenarios — Run Commands
  • Enterprise — SG Provisioner Scenarios — Run Commands
  • Edge — Professional Tier Scenarios — Run Commands
  • TechCorp — Starter Tier Scenarios — Run Commands
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-standalone-ssm
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-standalone-direct
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-standalone-direct-rtb
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-standalone-ssm-workload
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-sgprov-ssm
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-sgprov-direct
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-standalone-ssm
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-standalone-direct
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-standalone-direct-rtb
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-standalone-ssm-workload
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm
  • Integration Test — globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-direct
  • Integration Test — edge-prod-b001-us-west-2-fraud-detection-ml-codecommit
  • Integration Test — edge-prod-b001-us-west-2-fraud-detection-ml-s3
  • Integration Test — edge-prod-b001-us-west-2-fraud-detection-ml-codecommit-workload
  • Integration Test — edge-prod-b001-us-west-2-fraud-detection-ml-s3-workload
  • Integration Test — techcorp-prod-a001-us-west-2-customer-churn-ml-codecommit
  • Integration Test — techcorp-prod-a001-us-west-2-customer-churn-ml-s3
  • Integration Test — techcorp-prod-a001-us-west-2-customer-churn-ml-codecommit-workload
  • Integration Test — techcorp-prod-a001-us-west-2-customer-churn-ml-s3-workload

📖 Core Documentation:

• Configuration Reference
  • Table of Contents
  • Config File Naming Convention
  • Configuration Discriminators
    • 1. source_control
    • 2. vpc_integration.mode
    • 3. vpc_integration.vpc_source
  • Discriminator Combinations (Enterprise Tier)
    • Choosing the right combination
• Configuration Guide
  • Table of Contents
  • Overview
  • Step 1 — Which tier have you purchased?
  • Step 2A — Starter
  • Step 2B — Professional
  • Step 2C — Enterprise Prerequisites
    • Prerequisite Check 1 — VPC
    • Prerequisite Check 2 — VPC Source
    • Prerequisite Check 3 — VPC Mode (SG Provisioner)
  • Step 2D — Enterprise Config Selection
    • Enterprise Config Matrix
  • Step 3 — Populate your config file
    • Starter Example
    • Professional Example
    • Enterprise Example (standalone + SSM)
    • Field Reference
    • All Tiers
    • Enterprise Only — alerts
    • Enterprise Only — vpc_source: parameter-store
    • Enterprise Only — vpc_source: direct
    • S3 Source Control Only
  • Step 4 — Validate and deploy
  • Quick Reference — Config File by Scenario
    • Starter (ml-provisioner:starter)
    • Professional (ml-provisioner:professional)
    • Enterprise (ml-provisioner:enterprise)
• Naming Conventions
  • Table of Contents
  • ML Product Name
  • Physical Resource Names
    • Resource Suffixes
  • CloudFormation Logical IDs
  • SSM Parameter Store Paths
    • Full Path Reference
  • KMS Key Alias
  • CloudFormation Stack Name
  • Tags
  • Name Length Limits
• Prerequisites
  • Table of Contents
  • S3 Source Control Bucket (source_control: s3)
    • Requirements
    • Why the ML Provisioner does not validate this
    • Recommended setup checklist (client)
  • SNS Email Confirmation (professional + enterprise)
    • What happens
    • Recommended setup
  • SG Provisioner (enterprise + sgprov mode)
    • Requirements
    • Verify SG Provisioner is ready
  • VPC (enterprise tier only)
    • Route tables for S3 Gateway endpoint
      • Manual association (after deploy)

🔒 Security & Compliance:

• IAM Permissions
  • Table of Contents
  • Overview
  • Quick Start — Generate IAM Policy
  • Generated Policy — Permissions by Tier
    • All Tiers
      • CloudFormation Management
      • SageMaker
      • CodeCommit
      • CodeBuild
      • CodePipeline
      • IAM
      • SSM Parameter Store
    • Professional Tier (additional)
      • S3 Artifacts Bucket
      • EventBridge
      • CloudWatch Dashboard
    • Enterprise Tier (additional)
      • KMS
      • CloudWatch Logs
      • SNS
      • VPC Endpoints and Security Group
  • Permissions by Action
    • Local Actions (No AWS Calls)
    • Read-Only Actions
    • Deployment Actions
  • Permission Scoping
    • CloudFormation
    • SageMaker
    • CodeCommit / CodeBuild / CodePipeline
    • IAM
    • SSM Parameter Store
  • Security Best Practices
  • Troubleshooting Permission Issues
    • Check Current Identity
    • Test Specific Permissions
    • Common Issues
    • Policy Simulator
  • Permission Summary by Action
• Security Guidelines
  • Table of Contents
  • Credential Management
    • AWS Credentials
      • 1. AWS IAM Roles (Recommended for EC2/ECS)
      • 2. AWS Profiles (Recommended for Developers)
      • 3. Environment Variables
      • 4. Use an Environment File
    • Security Practices
  • IAM Least Privilege
    • Use the Generated Policy
    • Separate Roles by Environment
    • MFA for Production
  • KMS Encryption (Enterprise Tier)
    • Key Rotation
    • Key Access Control
    • Key ARN in SSM
  • VPC Endpoint Security (Enterprise Tier)
    • Security Group for Endpoints
    • Endpoint Policy
    • Verify Endpoints are Active
  • Permission Boundaries (Enterprise Tier)
    • Purpose
    • Boundary Scope
    • Review Before Production
  • Compliance Monitoring (Enterprise Tier)
    • Log Retention
    • Alert Email
    • Verify Compliance Infrastructure
  • CloudFormation Security
    • Review Before Deployment
    • Drift Detection
    • Test Deployments
    • Stack Protection
  • Docker Security
    • Runtime Security
      • Read-only credentials (:ro)
      • Read-only config
      • No privileged mode
      • No host networking
      • No extra capabilities
    • Image Verification
  • Logging and Monitoring
    • Provisioner Audit Logs
    • CloudTrail
      • CloudFormation Events
      • CodeCommit Events
      • CodeBuild Events
      • CodePipeline Events
      • KMS Events (enterprise)
      • EC2 VPC Endpoint Events (enterprise)
      • SSM Events
    • CloudWatch Alarms (Enterprise Tier)
  • Security Checklist
  • References

🔧 Operations:

• Update Procedures
  • Table of Contents
  • Version Strategy
    • Semantic Versioning
    • Image Tags
  • Pre-Update Checklist
  • Updating the Docker Image
    • Get New Version from AWS Marketplace
    • Verify New Version
    • Test Before Production
  • Rollback Procedures
    • Quick Rollback
  • Configuration Updates
    • Modifying an Existing Configuration
      • Key constraints
      • Procedure
      • Applying changes
      • Config fields and their impact
      • Recommended pattern for significant changes
  • Infrastructure Maintenance
    • Drift Detection
    • Replacing a Deployment
  • Monitoring After Update
    • Verify Deployed Infrastructure
    • Review Logs
  • Update Schedule

🐛 Troubleshooting and Support:

• Troubleshooting
  • Table of Contents
  • Quick Diagnostics
    • Check AWS access
    • Check deployed stack status
    • Check SSM parameters
    • Check recent logs
  • Configuration Errors
    • Schema validation failed
    • use_case too long
    • Tier mismatch
    • Config file not found
  • AWS Credential Issues
    • No credentials found
    • Access denied
    • Expired credentials
  • VPC and SSM Prerequisite Errors (Enterprise Tier)
    • VPC SSM parameters not found
    • SG Provisioner SSM parameters not found
    • VPC does not exist
  • CloudFormation Errors
    • Stack already exists
    • Stack creation failed
    • IAM name too long
  • Template Generation Errors
    • Template file not found at deploy time
    • Unresolved !Ref or !GetAtt
  • Docker Errors
    • Permission denied on volume mount
    • Image not found
    • Wrong user in container
  • SSM Parameter Issues
    • Parameters not found after deployment
    • Stale parameters after failed deletion
  • Drift Detection Issues
    • No deployed stack found
    • Drift detected
  • Deletion Errors
    • Stack does not exist
    • Force flag required
    • Delete failed — S3 bucket not empty
  • Getting Help
• Support
  • Table of Contents
  • Quick Help
    • Documentation
    • Common Issues
  • Getting Support
    • AWS Marketplace Support
    • Product Support
  • Before Contacting Support
    • 1. Product Version
    • 2. Configuration File
    • 3. Error Message
    • 4. Command Used
    • 5. AWS Region
    • 6. Expected vs Actual Behavior
    • 7. CloudFormation Stack Events
  • Self-Service Resources
    • Validate Your Configuration
    • Check AWS Credentials
    • Check Reports
    • Test Docker Setup
  • Reporting Bugs
  • Feature Requests
  • Service Level Agreement (SLA)
    • Priority Definitions
  • License Validation Issues
    • 1. Verify Subscription
    • 2. Verify IAM Permissions
    • 3. Contact AWS Marketplace Support
  • Updates and Announcements
    • Release Notes
    • Product Roadmap
  • Feedback
  • Additional Resources
    • AWS Resources
• Feedback
  • Table of Contents
  • How to Submit
  • Feature Requests
    • Feature Voting
  • Documentation Feedback
    • What We’re Looking For
  • What Happens Next
  • Related Resources

📊 Advanced Topics:

• Application Architecture
  • Table of Contents
  • Overview
  • Position in the MLOps Suite
    • Dependency Chain via SSM Parameter Store
  • Design Decisions
    • Decision 1: Generic Templates, Parameterized Use Cases
    • Decision 2: Tier as Primary Template Dimension
    • Decision 3: CodeCommit as Primary, S3 as Fallback
    • Decision 4: 12 Actions — Same Pattern as SG Provisioner
    • Decision 5: SSM Parameter Store Outputs
    • Decision 6: Separate CI/CD Artifacts Bucket from ML Data Lake
    • Decision 7: No Service Catalog Dependency
    • Decision 8: IAM Resource Naming — Region Omitted
    • Decision 9: EventBridge Rule → CodePipeline (Direct Invocation)
    • Decision 10: License Per AWS Account, No Template Sharing Mechanism
    • Decision 11: IAM Policy — CodeCommit Resource Scoping
  • Product Tier System
    • Starter Tier
    • Professional Tier
    • Enterprise Tier
    • VPC Integration Modes (Enterprise Tier)
  • Configuration System
    • YAML Configuration File
    • Product Naming Convention
    • Multi-* System
  • CloudFormation Generation
    • Generation Flow
    • Security Validation
      • Blocking Checks (generation halted)
      • Warning Checks (generation proceeds with warning)
      • Out of Scope
  • SSM Parameter Store Integration
  • Actions Reference
  • Source Tree
  • Future Roadmap
• Resources - Detailed explanation of purpose
  • AWS::SageMaker::ModelPackageGroup
    • The Logical Handshake: Connecting Build and Deploy
    • The Approval Gate (The Security Boundary)
    • Version Management
    • Traceability and Lineage
    • In the ML Provisioner
  • AWS::CodeCommit::Repository
    • Cloud-Based Git Hosting
    • Native AWS Ecosystem Integration
    • Identity and Access Management (IAM)
    • Scalability and Security Management
    • In the ML Provisioner
  • AWS::CodeBuild::Project
    • Core purposes
    • Key Components Configured by the Resource
    • In the ML Provisioner
  • AWS::CodePipeline::Pipeline
    • Core Purposes
    • Essential Structure
    • In the ML Provisioner
  • AWS::IAM::Role
    • Primary Purposes
    • Core Components Defined in CloudFormation
    • Common Use Cases
    • In the ML Provisioner
  • AWS::SSM::Parameter
    • Core Purposes
    • In the ML Provisioner
  • AWS::Events::Rule
    • Common Use Cases
  • AWS::Events::Rule
    • Primary Purposes
    • Key Capabilities
    • Common Targets Supported
    • In the ML Provisioner
  • AWS::CloudWatch::Dashboard
    • Core Purposes
    • Key Capabilities
    • In the ML Provisioner
    • Basic Syntax Example
  • AWS::IAM::ManagedPolicy
    • Primary Purposes
    • Key Use Cases
    • In the ML Provisioner
  • AWS::KMS::Key
    • Primary Purposes
    • Core Configurations and Features
    • Typical Use Case Architecture
    • In the ML Provisioner
  • AWS::KMS::Alias
    • Primary Purposes
    • Key Characteristics & Constraints
    • In the ML Provisioner
  • AWS::Logs::LogGroup
    • Core Purposes
    • Key Properties in CloudFormation
    • In the ML Provisioner
  • AWS::CloudWatch::Alarm
    • Core Purposes
    • Key Evaluation Types
    • Common Use Cases
    • In the ML Provisioner
  • AWS::SNS::Topic
    • Primary Purposes
    • Core Capabilities
    • Common Use Cases
    • In the ML Provisioner
  • AWS::SNS::Subscription
    • Primary Purposes
    • Supported Protocols and Targets
    • Key Configuration Features
    • In the ML Provisioner
  • AWS::EC2::VPCEndpoint
    • Core Purposes
    • Endpoint Types Created
    • In the ML Provisioner
  • AWS::EC2::SecurityGroup
    • Core Purposes
    • Common Use Cases
    • In the ML Provisioner
    • Key Technical Attributes
• Integration Examples
  • Table of Contents
  • Discovering ML Provisioner SSM Outputs
    • Retrieve All Outputs for a Deployment
    • SSM Output Reference by Tier
  • VPC Provisioner Integration
    • VPC Provisioner SSM Outputs (inputs to ML Provisioner)
    • ML Provisioner Configuration (vpc_source: ssm)
  • SG Provisioner Integration
    • SG Provisioner SSM Output (input to ML Provisioner)
    • ML Provisioner Configuration (mode: sg-provisioner)
    • Provisioner Deployment Order
  • Consuming SSM Outputs via AWS CLI
    • Retrieve Model Registry ARN
    • Retrieve S3 Artifacts Bucket Name (Professional, Enterprise)
    • Retrieve CodeCommit Repository URL
    • Retrieve KMS Key ARN (Enterprise)
  • Consuming SSM Outputs via Boto3
    • Retrieve All ML Provisioner Outputs
    • Retrieve a Single Parameter
    • Register a Model Package Using ML Provisioner Outputs
• Migration Guide
  • Table of Contents
  • Migrating from Manual Setup
    • Step 1: Inventory Existing Resources
    • Step 2: Create Configuration Files
    • Step 3: Validate and Test
    • Step 4: Deploy
    • Step 5: Cutover
  • Upgrading Tiers
    • What Each Tier Adds
    • Tier Upgrade Procedure
    • Avoiding Naming Collisions
    • After Cutover
  • Region Migration

📋 Reference:

• Sample Reports
  • Starter Tier
    • Pre-Deployment Review Report
    • Post-Deployment Report
  • Professional Tier
    • Pre-Deployment Review Report
    • Post-Deployment Report
  • Enterprise Tier
    • Pre-Deployment Review Report
    • Post-Deployment Report
• Release Notes
  • v1.0.1 (2026-06-15)
    • Bug Fixes
  • v1.0.0 (2026-06-01)
    • Features
    • Architecture
    • Supported Scenarios
    • Known Limitations
• Roadmap
  • Table of Contents
  • v1.0.0
  • v1.1.0
    • SageMaker Provisioner Integration
    • Cross-Account Model Sharing (Enterprise Tier)
    • Shared CodeCommit Repositories
  • v1.1.1
    • Configuration Updates via Stack Update (apply-changes)
  • v1.2.0
    • Enhanced CloudWatch Dashboard (Enterprise Tier)
    • Cost Estimation
  • v2.0.0 — Phase 3 ML Solutions
• API Reference
  • Core Modules
    • ML Manager
      • MlManager
  • Configuration
    • Configuration Loader
      • AppConfig
      • load_app_config()
  • Generators
    • CloudFormation Generator
      • CfnGenerator
  • Utilities
    • HTML Generator
      • generate_deployment_documentation()
    • Review Report
      • generate_review_html()
  • Products
    • Product Loader
      • ProductLoader
    • Product Validator
      • ProductValidator
  • Data Models
    • Product Blueprint
  • License
    • License Validator
      • LicenseValidator
  • CLI Interface
    • MlProvisionerCLI
      • MlProvisionerCLI.__init__()
      • MlProvisionerCLI.add_custom_arguments()
      • MlProvisionerCLI.create_manager_instance()
      • MlProvisionerCLI.get_actions()
      • MlProvisionerCLI.get_actions_help()
      • MlProvisionerCLI.get_example_usage()
      • MlProvisionerCLI.get_manager_class()
      • MlProvisionerCLI.is_action_required()
      • MlProvisionerCLI.requires_force()
    • main()

🎯 Quick Navigation by Task

I want to…

Get started quickly

→ README → User Guide

Understand configuration options

→ Configuration Reference

Set up VPC integration

→ Prerequisites → Configuration Reference

Implement security best practices

→ Security Guidelines

Troubleshoot an issue

→ Troubleshooting

Understand the architecture

→ Application Architecture

Consume ML outputs from SSM

→ Integration Examples

Update the Docker image

→ Update Procedures

📖 Recommended Reading Order

For New Users

1. README - Overview and quick start

2. User Guide - Complete command reference

3. Configuration Reference - Configuration parameters

4. Prerequisites - Pre-deployment requirements

5. Troubleshooting - Common issues

For Production Deployment

1. Prerequisites - Ensure all prerequisites are met

2. Configuration Reference - Production configuration

3. Security Guidelines - Security hardening

🏗️ ML Product Tier Architecture

The ML Provisioner supports three tiers of ML product infrastructure:

Starter

SageMaker Project, Model Registry, CodeCommit/S3 repositories, CodeBuild, CodePipeline, IAM roles.

Professional

All Starter resources plus S3 artifacts bucket, EventBridge rule and pipe for automated deployment, CloudWatch dashboard, and enhanced managed policies.

Enterprise

All Professional resources plus KMS encryption, compliance log group, CloudWatch alarms, SNS alerting, VPC endpoints, and permission boundaries.

📝 Documentation Conventions

• UPPERCASE_WITH_UNDERSCORES.md - Main documentation files

• All paths are relative to the docs/ directory

• Code examples use bash syntax unless otherwise noted

• AWS resource names follow the pattern: {company_prefix}-{env}-{tenant_id}-{region}-{use_case}-ml

🔄 Documentation Updates

This documentation is version-controlled and updated with each release. See Release Notes for documentation changes in each version.

© 2026 Axon Tech Labs. All rights reserved.

Indices and tables

• Index

• Module Index

• Search Page