Enterprise — SG Provisioner Scenarios — Run Commands¶
Both sgprov scenarios share the same 12 actions. The only difference is the config file name.
Available Configurations¶
| Config file | Source control | VPC source | ml_name |
|---|---|---|---|
| globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-sgprov-ssm.yaml | codecommit | parameter-store | |
| globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-sgprov-direct.yaml | codecommit | direct | |
Prerequisites¶
Important — Standalone vs SG Provisioner conflict¶
In sg-provisioner mode the ML Provisioner does NOT create its own Security Group. It reads an existing SG ID from SSM Parameter Store, so the SG Provisioner must be deployed before running any sgprov scenario.

If you previously ran a standalone scenario, its ML stack must be deleted first. The two modes cannot coexist in the same VPC: standalone creates an inline SG that conflicts with the SG Provisioner-managed SG.
SG Provisioner — must be deployed¶
aws cloudformation describe-stacks \
--stack-name globalbank-prod-c001-us-west-2-sg-stack \
--region us-west-2 \
--query "Stacks[0].StackStatus" --output text 2>&1
# Expected: CREATE_COMPLETE
# If output contains 'does not exist' — deploy SG Provisioner first
Deploy SG Provisioner:
docker run --rm \
-v ~/.aws:/home/sguser/.aws:ro \
-v $(pwd)/sg/configs:/app/configs:ro \
-v $(pwd)/sg/templates:/app/templates \
-v $(pwd)/sg/reports:/app/reports \
sg-provisioner:latest \
-con globalbank-prod-c001-us-west-2-sg-ssm-3tier.yaml \
-act create-security-groups \
--force
Verify SG SSM param is present:
aws ssm get-parameter \
--name /sg/globalbank-prod-c001-us-west-2-sg/app/SecurityGroupId \
--region us-west-2 \
--query Parameter.Value \
--output text
# Expected: sg-xxxxxxxxxxxxxxxxx
VPC SSM params — ssm scenario only¶
Required by: codecommit-sgprov-ssm
aws ssm get-parameter \
--name /vpc/globalbank-prod-c001-us-west-2-vpc/PrivateSubnetIds \
--region us-west-2 --query Parameter.Value --output text
# Expected: subnet-xxx,subnet-xxx,subnet-xxx
If PrivateSubnetIds is missing, create it:
aws ssm put-parameter \
--name /vpc/globalbank-prod-c001-us-west-2-vpc/PrivateSubnetIds \
--value "subnet-03ef04e345a08b008,subnet-059d4326e512a5a33,subnet-038b75b317519b7d4" \
--type StringList \
--region us-west-2
VPC — direct scenario only¶
Required by: codecommit-sgprov-direct
aws ec2 describe-vpcs \
--vpc-ids vpc-01d82c12b5b84da89 \
--region us-west-2 \
--query "Vpcs[0].VpcId" --output text
# Expected: vpc-01d82c12b5b84da89
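The four prerequisite checks above are easy to run by hand and easy to skip under time pressure. The script below is an added example, not part of sg-provisioner or ml-provisioner, that turns them into one preflight. Because the ML stack trusts whatever SG ID the SSM parameter holds, the script also confirms that the ID is well formed and that the group actually lives in the VPC being deployed into, a check the page does not list. The stack name, parameter names and VPC ID are the ones used on this page; SCENARIO (ssm or direct) and the assumption that both scenarios target the VPC from the direct-scenario check are mine.

```shell
#!/usr/bin/env bash
# Added preflight for the sgprov scenarios. Example code, not part of
# sg-provisioner or ml-provisioner. The pure helpers (stack_state, valid_sg_id,
# valid_subnet_list) take strings so they can be exercised offline; preflight()
# runs the real aws calls and only executes when SGPROV_PREFLIGHT=1.
set -eu

REGION="${REGION:-us-west-2}"
SG_STACK="${SG_STACK:-globalbank-prod-c001-us-west-2-sg-stack}"
SG_PARAM="${SG_PARAM:-/sg/globalbank-prod-c001-us-west-2-sg/app/SecurityGroupId}"
SUBNET_PARAM="${SUBNET_PARAM:-/vpc/globalbank-prod-c001-us-west-2-vpc/PrivateSubnetIds}"
# Assumption: both scenarios target the VPC used in the direct-scenario check.
EXPECTED_VPC="${EXPECTED_VPC:-vpc-01d82c12b5b84da89}"
SCENARIO="${SCENARIO:-ssm}"   # ssm | direct (assumed variable, not a tool flag)

# Classify the text returned by
#   describe-stacks --query Stacks[0].StackStatus --output text 2>&1
# into: ready | missing | in_progress | failed
stack_state() {
  case "$1" in
    CREATE_COMPLETE|UPDATE_COMPLETE|UPDATE_ROLLBACK_COMPLETE) echo ready ;;
    *"does not exist"*) echo missing ;;
    *_IN_PROGRESS)      echo in_progress ;;
    *)                  echo failed ;;
  esac
}

# A real security-group ID is "sg-" followed by 17 lowercase hex characters;
# the sg-xxxxxxxxxxxxxxxxx placeholder shown above is rejected.
valid_sg_id() {
  printf '%s' "$1" | grep -Eq '^sg-[0-9a-f]{17}$'
}

# PrivateSubnetIds is a StringList: comma separated, every entry a well-formed
# subnet ID, no empty entries and no duplicates.
valid_subnet_list() {
  [ -n "$1" ] || return 1
  case "$1" in ,*|*,|*,,*) return 1 ;; esac
  seen=","
  for id in $(printf '%s' "$1" | tr ',' ' '); do
    printf '%s' "$id" | grep -Eq '^subnet-[0-9a-f]{17}$' || return 1
    case "$seen" in *",$id,"*) return 1 ;; esac
    seen="$seen$id,"
  done
}

preflight() {
  # 1. SG Provisioner stack must exist and be in a usable state.
  status=$(aws cloudformation describe-stacks --stack-name "$SG_STACK" \
             --region "$REGION" --query 'Stacks[0].StackStatus' --output text 2>&1 || true)
  case "$(stack_state "$status")" in
    ready)   ;;
    missing) echo "FAIL: $SG_STACK does not exist; deploy SG Provisioner first" >&2; return 1 ;;
    *)       echo "FAIL: $SG_STACK is '$status'; resolve before continuing" >&2; return 1 ;;
  esac

  # 2. The SG ID the ML stack will trust is whatever sits in SSM, so check it
  #    is a real ID and that the group lives in the VPC we deploy into.
  sg_id=$(aws ssm get-parameter --name "$SG_PARAM" --region "$REGION" \
            --query Parameter.Value --output text)
  valid_sg_id "$sg_id" || { echo "FAIL: $SG_PARAM holds '$sg_id'" >&2; return 1; }
  sg_vpc=$(aws ec2 describe-security-groups --group-ids "$sg_id" --region "$REGION" \
             --query 'SecurityGroups[0].VpcId' --output text)
  [ "$sg_vpc" = "$EXPECTED_VPC" ] ||
    { echo "FAIL: $sg_id is in $sg_vpc, expected $EXPECTED_VPC" >&2; return 1; }

  # 3. ssm scenario only: the subnet list must be present and well formed.
  if [ "$SCENARIO" = ssm ]; then
    subnets=$(aws ssm get-parameter --name "$SUBNET_PARAM" --region "$REGION" \
                --query Parameter.Value --output text)
    valid_subnet_list "$subnets" ||
      { echo "FAIL: $SUBNET_PARAM holds '$subnets'" >&2; return 1; }
  fi
  echo "OK: $SG_STACK ready, $sg_id in $EXPECTED_VPC, scenario=$SCENARIO"
}

if [ "${SGPROV_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

Run it with `SGPROV_PREFLIGHT=1 SCENARIO=ssm sh preflight.sh` (or `SCENARIO=direct`) before the validate-config step. stack_state also serves later in the procedure: feeding it the describe-stacks output for the test-deploy stack must yield `missing` before deploy-product is run.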
Set Config¶
Set the three variables before running the commands below. Pick one set from the list:
- codecommit-sgprov-ssm — codecommit + sg-provisioner + parameter-store
- codecommit-sgprov-direct — codecommit + sg-provisioner + direct
# codecommit + sg-provisioner + parameter-store
CONFIG=globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-sgprov-ssm.yaml
STACK_NAME=globalbank-prod-c001-us-west-2-demand-forecasting-ml-stack
SSM_PATH=/ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/
# codecommit + sg-provisioner + direct
# CONFIG=globalbank-prod-c001-us-west-2-demand-forecasting-ml-codecommit-sgprov-direct.yaml
# STACK_NAME=globalbank-prod-c001-us-west-2-demand-forecasting-ml-stack
# SSM_PATH=/ml/globalbank-prod-c001-us-west-2-demand-forecasting-ml/
Commands¶
validate-config¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act validate-config
list-products¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act list-products
show-product¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act show-product
create-policy¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/policies:/app/policies \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act create-policy
create-prov-template¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act create-prov-template
validate-prov-template¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act validate-prov-template
create-review-report¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act create-review-report
test-deploy (optional — recommended)¶
Deploys a temporary stack with a random suffix to validate the template before the real deployment. The test stack must be deleted before running deploy-product.
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act test-deploy
delete test stack (required if test-deploy was run)¶
Replace <test-stack-name> with the stack name printed by the test-deploy output above.
aws cloudformation delete-stack \
--stack-name <test-stack-name> \
--region us-west-2
aws cloudformation wait stack-delete-complete \
--stack-name <test-stack-name> \
--region us-west-2
deploy-product¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act deploy-product --force
show-changes (optional)¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/templates:/app/templates \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act show-changes
check-drift (optional)¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act check-drift
delete-product¶
docker run --rm \
-v ~/.aws:/home/mluser/.aws:ro \
-v $(pwd)/ml/configs:/app/configs:ro \
-v $(pwd)/ml/reports:/app/reports \
ml-provisioner:enterprise \
-con $CONFIG \
-act delete-product --force
Verify¶
List all provisioned resources¶
aws cloudformation describe-stack-resources \
--stack-name $STACK_NAME \
--region us-west-2 \
--query "StackResources[*].[ResourceType,PhysicalResourceId]" \
--output table
List all SSM parameters¶
aws ssm get-parameters-by-path \
--path $SSM_PATH \
--recursive \
--region us-west-2 \
--query "Parameters[*].Name" \
--output table
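The resource listing above is also the quickest way to confirm that the deployed stack really is in sg-provisioner mode: per the Prerequisites, an ML stack in this mode must not carry an inline AWS::EC2::SecurityGroup of its own. The script below is an added example, not ml-provisioner code, that reads the same describe-stack-resources output (text form, one ResourceType/PhysicalResourceId pair per line) and fails if an inline security group is present. The sample resource lines are constructed for illustration, and VERIFY_STACK is my own variable.

```shell
#!/usr/bin/env sh
# Added post-deploy check, not part of ml-provisioner. In sg-provisioner mode
# the ML stack must not define its own security group, so any
# AWS::EC2::SecurityGroup resource in the stack means a standalone deployment
# slipped through. Input is the text form of the describe-stack-resources
# query above: one "<ResourceType><TAB><PhysicalResourceId>" line per resource.
set -eu

REGION="${REGION:-us-west-2}"

# Read resource lines on stdin; print the IDs of inline security groups.
# Exit 0 when there are none, 1 otherwise.
inline_sgs() {
  awk -F'\t' '$1 == "AWS::EC2::SecurityGroup" { print $2; found = 1 }
              END { exit found ? 1 : 0 }'
}

# Count resources per type (useful alongside the create-review-report output).
resource_summary() {
  awk -F'\t' 'NF { n[$1]++ } END { for (t in n) print t "\t" n[t] }' | sort
}

# Constructed sample inputs (not captured from a real account).
sample_sgprov() {
  printf 'AWS::SageMaker::NotebookInstance\tnb-1\n'
  printf 'AWS::IAM::Role\tml-exec-role\n'
}
sample_standalone() {
  sample_sgprov
  printf 'AWS::EC2::SecurityGroup\tsg-0123456789abcdef0\n'
}

# Live check against the real stack: verify_ml_stack "$STACK_NAME"
verify_ml_stack() {
  resources=$(aws cloudformation describe-stack-resources --stack-name "$1" \
                --region "$REGION" \
                --query 'StackResources[*].[ResourceType,PhysicalResourceId]' \
                --output text)
  printf '%s\n' "$resources" | resource_summary
  if sgs=$(printf '%s\n' "$resources" | inline_sgs); then
    echo "OK: $1 has no inline security group (sg-provisioner mode)"
  else
    echo "FAIL: $1 defines its own security group(s): $sgs" >&2
    echo "      this looks like a standalone deployment; delete it before using a sgprov config" >&2
    return 1
  fi
}

if [ -n "${VERIFY_STACK:-}" ]; then verify_ml_stack "$VERIFY_STACK"; fi
```

Run it as `VERIFY_STACK=$STACK_NAME sh verify-ml-stack.sh` after deploy-product; a non-zero exit is the signal to stop and delete the stack rather than continue with the sgprov procedure.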