Integration Test - globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm
| Field | Value |
|---|---|
| Config file | |
| ml_name | |
| Stack name | |
| Tier | enterprise |
| Source control | s3 |
| VPC mode | sg-provisioner |
| VPC source | parameter-store |
| Region | us-west-2 |
| Account | 123456789012 |
| CFN resources | 36 (no CodeCommit repos - source control is S3; no SecurityGroup - managed by SG Provisioner) |
| SSM parameters | 9 (no RepositoryUrl - source control is S3) |
| Tested | - [x] Passed (ml-provisioner:enterprise) |
Artifacts

| Artifact | Filename |
|---|---|
| Template | |
| Policy | |
| Log | |
| Review | |
| Deploy | |

For full verification commands, refer to RERUN-SEQUENCE.md.
1. Prerequisites
1.1 VPC Provisioner
Already deployed. Verify SSM params are present:
aws ssm get-parameters-by-path \
--path /vpc/globalbank-prod-c001-us-west-2-vpc \
--recursive \
--region us-west-2 \
--query 'Parameters[*].[Name,Value]' \
--output table
If the combined PrivateSubnetIds parameter is missing, create it:
aws ssm put-parameter \
--name /vpc/globalbank-prod-c001-us-west-2-vpc/PrivateSubnetIds \
--value "subnet-03ef04e345a08b008,subnet-059d4326e512a5a33,subnet-038b75b317519b7d4" \
--type StringList \
--region us-west-2
Verify:
aws ssm get-parameter \
--name /vpc/globalbank-prod-c001-us-west-2-vpc/PrivateSubnetIds \
--region us-west-2 \
--query Parameter.Value \
--output text
# Expected: subnet-03ef04e345a08b008,subnet-059d4326e512a5a33,subnet-038b75b317519b7d4
1.2 SG Provisioner
Already deployed. Verify the SSM parameter is present:
aws ssm get-parameter \
--name /sg/globalbank-prod-c001-us-west-2-sg/app/SecurityGroupId \
--region us-west-2 \
--query Parameter.Value \
--output text
# Expected: sg-09468cab28bcf1020
1.3 S3 Source Bucket
The bucket must exist with versioning enabled before deploying.
Create the bucket:
aws s3api create-bucket \
--bucket globalbank-c001-ml-source \
--region us-west-2 \
--create-bucket-configuration LocationConstraint=us-west-2
Enable versioning (required by CodePipeline S3 source action):
aws s3api put-bucket-versioning \
--bucket globalbank-c001-ml-source \
--versioning-configuration Status=Enabled \
--region us-west-2
Block public access:
aws s3api put-public-access-block \
--bucket globalbank-c001-ml-source \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \
--region us-west-2
Verify:
aws s3api head-bucket \
--bucket globalbank-c001-ml-source \
--region us-west-2
aws s3api get-bucket-versioning \
--bucket globalbank-c001-ml-source \
--region us-west-2 \
--query Status \
--output text
# Expected: Enabled
2. Commands
validate-config
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act validate-config
list-products
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act list-products
show-product
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act show-product
create-policy
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/policies:/app/policies \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act create-policy
create-prov-template
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act create-prov-template
validate-prov-template
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act validate-prov-template
create-review-report
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act create-review-report
deploy-product
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act deploy-product --force
show-changes
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act show-changes
check-drift
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act check-drift
test-deploy
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act test-deploy
List all provisioned resources
aws cloudformation describe-stack-resources \
--stack-name globalbank-prod-c001-us-west-2-demand-forecasting-ml-stack \
--region us-west-2 \
--query "StackResources[*].[ResourceType,PhysicalResourceId]" \
--output table
delete-product
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con globalbank-prod-c001-us-west-2-demand-forecasting-ml-s3-sgprov-ssm.yaml \
-act delete-product --force
Resources Provisioned
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| DescribeStackResources |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------+
| AWS::SNS::Subscription | arn:aws:sns:us-west-2:123456789012:globalbank-prod-c001-us-west-2-demand-forecasting-ml-security-alerts:5e5947c9-c6d4-4e99-8c28-6a67d1500545 |
| AWS::SNS::Topic | arn:aws:sns:us-west-2:123456789012:globalbank-prod-c001-us-west-2-demand-forecasting-ml-security-alerts |
| AWS::S3::Bucket | globalbank-prod-c001-us-west-2-demand-forecasting-ml-artifacts |
| AWS::CodeBuild::Project | globalbank-prod-c001-us-west-2-demand-forecasting-ml-build |
| AWS::CodeBuild::Project | globalbank-prod-c001-us-west-2-demand-forecasting-ml-deploy |
| AWS::Logs::LogGroup | globalbank-prod-c001-us-west-2-demand-forecasting-ml-compliance-logs |
| AWS::CloudWatch::Dashboard | globalbank-prod-c001-us-west-2-demand-forecasting-ml-dashboard |
| AWS::Events::Rule | globalbank-prod-c001-us-west-2-demand-forecasting-ml-event-rule |
| AWS::IAM::Role | globalbank-prod-c001-demand-forecasting-ml-codebuild-role |
| AWS::IAM::Role | globalbank-prod-c001-demand-forecasting-ml-pipeline-role |
| AWS::IAM::Role | globalbank-prod-c001-demand-forecasting-ml-sm-exec-role |
| AWS::KMS::Alias | alias/globalbank-prod-c001-us-west-2-demand-forecasting-ml-key |
| AWS::KMS::Key | 59dee91c-31ea-47d7-b4b0-23d50b4a9ce6 |
| AWS::IAM::ManagedPolicy | arn:aws:iam::123456789012:policy/globalbank-prod-c001-demand-forecasting-ml-build-policy |
| AWS::IAM::ManagedPolicy | arn:aws:iam::123456789012:policy/globalbank-prod-c001-demand-forecasting-ml-deploy-policy |
| AWS::SageMaker::ModelPackageGroup| arn:aws:sagemaker:us-west-2:123456789012:model-package-group/globalbank-prod-c001-us-west-2-demand-forecasting-ml-models |
| AWS::IAM::ManagedPolicy | arn:aws:iam::123456789012:policy/globalbank-prod-c001-demand-forecasting-ml-perm-boundary |
| AWS::CodePipeline::Pipeline | globalbank-prod-c001-us-west-2-demand-forecasting-ml-build-pipeline |
| AWS::CodePipeline::Pipeline | globalbank-prod-c001-us-west-2-demand-forecasting-ml-deploy-pipeline |
| AWS::CloudWatch::Alarm | globalbank-prod-c001-us-west-2-demand-forecasting-ml-root-account-usage |
| AWS::Logs::MetricFilter | GlobalbankDemandForecastingSecurityAlarmsRootAccountUsageFilter-DhavLjNYc57j |
| AWS::CloudWatch::Alarm | globalbank-prod-c001-us-west-2-demand-forecasting-ml-unauthorized-api-calls |
| AWS::Logs::MetricFilter | GlobalbankDemandForecastingSecurityAlarmsUnauthorizedApiCallsFilter-uhkTDn6iNuU4 |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/BucketName |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/DashboardName |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/KmsKeyArn |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/LogGroupName |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/ModelPackageGroupArn |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdS3 |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdSagemakerApi |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdSagemakerRuntime |
| AWS::SSM::Parameter | /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdSts |
| AWS::EC2::VPCEndpoint | vpce-0e0842126c1d8bfa4 |
| AWS::EC2::VPCEndpoint | vpce-0eeda26a95a21c283 |
| AWS::EC2::VPCEndpoint | vpce-0d77ec035ae8910be |
| AWS::EC2::VPCEndpoint | vpce-07522123da004293b |
+-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------+
SSM Parameters Created
--------------------------------------------------------------------------------------------
| GetParametersByPath |
+------------------------------------------------------------------------------------------+
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/BucketName |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/DashboardName |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/KmsKeyArn |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/LogGroupName |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/ModelPackageGroupArn |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdS3 |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdSagemakerApi |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdSagemakerRuntime |
| /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/VpcEndpointIdSts |
+------------------------------------------------------------------------------------------+
Note: RepositoryUrl and SecurityGroupId are NOT present - source control is S3 (no CodeCommit repo) and VPC mode is sg-provisioner (SG managed externally).
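
The summary table and the two inventories above fix what this configuration should produce: 36 stack resources with no CodeCommit repository or security group, and 9 SSM parameters with no RepositoryUrl or SecurityGroupId. The script below is an added example, not part of ml-provisioner or of the original page, that turns those expectations into a repeatable post-deploy check. `check_inventory` and `verify_ml_stack` are hypothetical helper names, and `AWS::CodeCommit::Repository` and `AWS::EC2::SecurityGroup` are the CloudFormation type names assumed for the two excluded resources.

```bash
#!/bin/sh
# Added example (hypothetical helpers, not ml-provisioner code).
#
# check_inventory EXPECTED_COUNT [FORBIDDEN_GLOB...]
# Reads whitespace-separated names on stdin. Fails if the number of names
# differs from EXPECTED_COUNT or if any name matches a forbidden shell glob.
# The body runs in a subshell so set -f and the variables stay local.
check_inventory() (
  set -f                        # no pathname expansion while splitting stdin
  expected=$1; shift
  count=0; rc=0
  for item in $(cat); do
    count=$((count + 1))
    for pat in "$@"; do
      case $item in
        $pat) echo "FAIL: unexpected entry: $item" >&2; rc=1 ;;
      esac
    done
  done
  if [ "$count" -ne "$expected" ]; then
    echo "FAIL: expected $expected entries, found $count" >&2
    rc=1
  fi
  exit "$rc"
)

# Runs both checks against the deployed stack. Counts, stack name and SSM path
# are the ones recorded on this page. A failed aws call yields zero entries,
# so the count check fails closed.
verify_ml_stack() {
  region=us-west-2
  aws cloudformation describe-stack-resources \
    --stack-name globalbank-prod-c001-us-west-2-demand-forecasting-ml-stack \
    --region "$region" \
    --query 'StackResources[].ResourceType' --output text |
    check_inventory 36 'AWS::CodeCommit::Repository' 'AWS::EC2::SecurityGroup' ||
    return 1
  aws ssm get-parameters-by-path \
    --path /ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml \
    --recursive --region "$region" \
    --query 'Parameters[].Name' --output text |
    check_inventory 9 '*/RepositoryUrl' '*/SecurityGroupId'
}
# Usage, after deploy-product: verify_ml_stack && echo "inventory OK"
```

A non-zero exit means the stack created something this configuration delegates elsewhere (a security group or a CodeCommit repository) or that the resource or parameter count has drifted from the recorded baseline.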