# [모듈 2.1] 카탈로그 포트폴리오 및 프러덕트 배포
# 설치 코드 리포
- https://github.com/aws-samples/amazon-sagemaker-reusable-components/blob/main/package-cfn.md

---
## 필수 권한
- S3FulllAccess
- CloudFullAccess
- IAMCreaterole
- CodeBuildFull
- LambdaFull
- ServiceCatalogFull

In [21]:
%store -r

# 1. 카탈로그 프트폴리오 및 프더덕트 CF 확인

## 1.1 실행할 CF YAML 파일 다운로드 

In [22]:
! aws s3 ls {bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml 
! aws s3 cp s3://{bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml .
# ! aws s3 ls https://s3.{bucket_region}.amazonaws.com/{bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml 

2022-02-04 13:17:23       7210 sm-project-sc-portfolio.yaml
download: s3://sagemaker-ap-northeast-2-189546603447/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml to ./sm-project-sc-portfolio.yaml


## 1.2 실행 결과의 Output 확인
- PortfolioId
    - 서비스 카탈로그 데이터 과학 포트폴리오 ID
- ProductId
    - 서비스 카탈로그 데이터 과학 제품 ID
- ProductName
    - 서비스 카탈로그 데이터 과학 제품 이름
- ProvisioningArtifactIds
    - 서비스 카탈로그 데이터 과학 프로비저닝 아티팩트 ID
- ProvisioningArtifactNames
    - 서비스 카탈로그 데이터 과학 프로비저닝 아티팩트 이름
- FSIngestionProductPolicyArn
    - Feature Store 수집 제품을 시작하기 위해 AmazonSageMakerServiceCatalogProductsLaunchRole에 대한 관리형 정책      
- AmazonSageMakerExecutionRolePolicyArn
    - Feature Store 수집 실험으로 노트북을 실행하려면 권한이 있는 Amazon SageMaker 실행 역할에 대한 관리형 정책      
- AmazonSageMakerExecutionRoleName
    - Amazon SageMaker 실행 역할의 이름

In [23]:
!pygmentize "sm-project-sc-portfolio.yaml"   | sed -n 6,50p

[94mOutputs[39;49;00m:
  [94mProductId[39;49;00m:
    [94mDescription[39;49;00m: Service Catalog data science product Id
    [94mValue[39;49;00m:
      [94mRef[39;49;00m: FeatureStoreDataIngestionProduct
  [94mPortfolioId[39;49;00m:
    [94mDescription[39;49;00m: Service Catalog data science portfolio Id
    [94mValue[39;49;00m:
      [94mRef[39;49;00m: DataScienceAutomationPortfolio
  [94mProductName[39;49;00m:
    [94mDescription[39;49;00m: Service Catalog data science product name
    [94mValue[39;49;00m:
      Fn::GetAtt:
      - FeatureStoreDataIngestionProduct
      - ProductName
  [94mProvisioningArtifactIds[39;49;00m:
    [94mDescription[39;49;00m: Service Catalog data science provisioning artifact Ids
    [94mValue[39;49;00m:
      Fn::GetAtt:
      - FeatureStoreDataIngestionProduct
      - ProvisioningArtifactIds
  [94mProvisioningArtifactNames[39;49;00m:
    [94mDescription[39;49;00m: Service Catalog data science provisioning artifact names

## 1.2 CF 파라미터
- SCPortfolioPrincipalRoleArn
    - 서비스 카탈로그 제품에 대한 액세스 권한이 부여될 IAM 역할
- SCProductLaunchRoleArn
    - SageMaker Studio가 제품을 시작될 때 서비스 카탈로그가 맡는 IAM 역할

In [24]:
!pygmentize "sm-project-sc-portfolio.yaml"   | sed -n 51,59p

[94mParameters[39;49;00m:
  [94mSCPortfolioPrincipalRoleArn[39;49;00m:
    [94mType[39;49;00m: String
    [94mDescription[39;49;00m: IAM role which will be granted access to Service Catalog products
  [94mSCProductLaunchRoleArn[39;49;00m:
    [94mType[39;49;00m: String
    [94mDescription[39;49;00m: IAM role that Service Catalog assumes when SageMaker Studio launches
      a product
    [94mDefault[39;49;00m: AmazonSageMakerServiceCatalogProductsLaunchRole


## 1.2 CF 생성될 리소스
- DataScienceAutomationPortfolio
    - 이 포트폴리오는 SageMaker Studio용 재사용 가능한 데이터 과학 자동화 구성 요소 모음입니다.
- FeatureStoreDataIngestionProduct
    - 이 템플릿은 데이터 변환을 하는 Data Wrangler 및 SageMaker 파이프라인을 사용하여 S3 버킷에서 피쳐 그룹으로 데이터 수집을 자동화하기 위한 SageMaker 프로젝트를 생성합니다.


In [25]:
!pygmentize "sm-project-sc-portfolio.yaml"   | sed -n 65,89p

[94mResources[39;49;00m:
  [94mDataScienceAutomationPortfolio[39;49;00m:
    [94mType[39;49;00m: AWS::ServiceCatalog::Portfolio
    [94mProperties[39;49;00m:
      [94mProviderName[39;49;00m: Data Science Administration Team
      [94mDescription[39;49;00m: This portfolio is a collection of re-usable data science automation
        components for SageMaker Studio
      [94mDisplayName[39;49;00m: Re-usable data science automation components for your ML environment
  [94mFeatureStoreDataIngestionProduct[39;49;00m:
    [94mType[39;49;00m: AWS::ServiceCatalog::CloudFormationProduct
    [94mProperties[39;49;00m:
      [94mName[39;49;00m: Automated Feature Transformation and Ingestion Pipeline v1.0
      [94mDescription[39;49;00m: This template creates a SageMaker project for automating a data
        ingestion from an S3 bucket into a feature group using Data Wrangler data
        transformation and SageMaker Pipelines
      [94mOwner[39;49;00m: Data Science Admini

## 1.3 이외 CF 생성될 리소스
- SCPortfolioFeatureStoreDataIngestionProductAssociation
- SCPortfolioPrincipleAssociation
- SCFeatureStoreDataIngestionProductLaunchRoleConstraint
- AmazonSageMakerExecutionRolePolicy
- AmazonSageMakerServiceCatalogFSIngestionProductPolicy


In [26]:
!pygmentize "sm-project-sc-portfolio.yaml"   | sed -n 90,199p

  [94mSCPortfolioFeatureStoreDataIngestionProductAssociation[39;49;00m:
    [94mType[39;49;00m: AWS::ServiceCatalog::PortfolioProductAssociation
    [94mProperties[39;49;00m:
      [94mPortfolioId[39;49;00m:
        [94mRef[39;49;00m: DataScienceAutomationPortfolio
      [94mProductId[39;49;00m:
        [94mRef[39;49;00m: FeatureStoreDataIngestionProduct
  [94mSCPortfolioPrincipleAssociation[39;49;00m:
    [94mType[39;49;00m: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    [94mProperties[39;49;00m:
      [94mPortfolioId[39;49;00m:
        [94mRef[39;49;00m: DataScienceAutomationPortfolio
      [94mPrincipalARN[39;49;00m:
        [94mRef[39;49;00m: SCPortfolioPrincipalRoleArn
      [94mPrincipalType[39;49;00m: IAM
  [94mSCFeatureStoreDataIngestionProductLaunchRoleConstraint[39;49;00m:
    [94mType[39;49;00m: AWS::ServiceCatalog::LaunchRoleConstraint
    [94mDependsOn[39;49;00m:
    - SCPortfolioPrincipleAssociation
    [94mProperties[39;49;00

In [29]:
! aws s3 cp sm-project-sc-portfolio.yaml  s3://{bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml 

upload: ./sm-project-sc-portfolio.yaml to s3://sagemaker-ap-northeast-2-189546603447/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml


# 2. AWS Service Catalog 제품 포트폴리오 배포
- 'sm-project-sc-portfolio.yaml' 를 실행하여 카탈로그 포트폴리오 및 프로덕트에 등록하는 과정
- 아래와 같은 주요 파라미터가 필요 합니다.
```
aws cloudformation create-stack \
    --template-url # 포트폴리오 및 프로덕트가 정의된 CF YAML
    --region # 리젼
    --stack-name # 스텍 이름
    --disable-rollback 
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters \
        ParameterKey=SCPortfolioPrincipalRoleArn,ParameterValue= <> # SageMaker Execution Role 할당
```

In [30]:
import sagemaker
region = sagemaker.Session().boto_region_name
SC_PORTFOLIO_STACK_NAME='sm-project-sc-portfolio'

In [31]:
%%sh -s "{bucket}" "{SC_PORTFOLIO_STACK_NAME}" "{region}"

bucket_name=$1
sc_portfolio_stack_name=$2
region=$3
echo 'bucket_name' :  $bucket_name
echo 'stack_name' :  $sc_portfolio_stack_name
echo 'Bucket Region' : $region
    
export SM_DOMAIN_ID=$(aws sagemaker list-domains \
    --output text --query 'Domains[0].DomainId')
echo 'SageMaker Studio Domain ID' : $SM_DOMAIN_ID

export SM_EXECUTION_ROLE=$(aws sagemaker describe-domain \
    --domain-id $SM_DOMAIN_ID \
    --output text --query 'DefaultUserSettings.ExecutionRole')
echo 'SageMaker Execution Role' : $SM_EXECUTION_ROLE

echo 'CF File: ' : https://s3.$region.amazonaws.com/$bucket_name/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml

aws cloudformation create-stack \
    --template-url https://s3.$region.amazonaws.com/$bucket_name/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml \
    --region $region \
    --stack-name $sc_portfolio_stack_name  \
    --disable-rollback \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameters \
        ParameterKey=SCPortfolioPrincipalRoleArn,ParameterValue=$SM_EXECUTION_ROLE

bucket_name : sagemaker-ap-northeast-2-189546603447
stack_name : sm-project-sc-portfolio
Bucket Region : ap-northeast-2
SageMaker Studio Domain ID : d-hflleebdlsun
SageMaker Execution Role : arn:aws:iam::189546603447:role/MLOps-custom-template-gonsoomoon
CF File:  : https://s3.ap-northeast-2.amazonaws.com/sagemaker-ap-northeast-2-189546603447/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml
{
    "StackId": "arn:aws:cloudformation:ap-northeast-2:189546603447:stack/sm-project-sc-portfolio/09a2a550-85bd-11ec-b6f4-028c03ca2672"
}


# 4. Add permissions to Service Catalog launch and SageMaker execution IAM roles

In [16]:
! aws cloudformation describe-stacks \
    --stack-name {SC_PORTFOLIO_STACK_NAME} \
    --output text \
    --query 'Stacks[0].Outputs[?OutputKey==`FSIngestionProductPolicyArn`].OutputValue'

None


In [51]:
%%sh -s "{SC_PORTFOLIO_STACK_NAME}" 

sc_portfolio_stack_name=$1
export SM_SC_FS_INGESTION_POLICY_ARN=$(aws cloudformation describe-stacks \
    --stack-name $sc_portfolio_stack_name \
    --output text \
    --query 'Stacks[0].Outputs[?OutputKey==`FSIngestionProductPolicyArn`].OutputValue')

echo 'SM_SC_FS_INGESTION_POLICY_ARN' : $SM_SC_FS_INGESTION_POLICY_ARN
    
export SM_EXECUTION_ROLE_POLICY_ARN=$(aws cloudformation describe-stacks \
    --stack-name $sc_portfolio_stack_name \
    --output text \
    --query 'Stacks[0].Outputs[?OutputKey==`AmazonSageMakerExecutionRolePolicyArn`].OutputValue')

echo ''
echo 'SM_EXECUTION_ROLE_POLICY_ARN' : $SM_EXECUTION_ROLE_POLICY_ARN    
    
export SM_EXECUTION_ROLE_NAME=$(aws cloudformation describe-stacks \
    --stack-name $sc_portfolio_stack_name \
    --output text \
    --query 'Stacks[0].Outputs[?OutputKey==`AmazonSageMakerExecutionRoleName`].OutputValue')

echo ''
echo 'SM_EXECUTION_ROLE_NAME' : $SM_EXECUTION_ROLE_NAME    

aws iam attach-role-policy \
    --role-name AmazonSageMakerServiceCatalogProductsLaunchRole \
    --policy-arn $SM_SC_FS_INGESTION_POLICY_ARN

aws iam attach-role-policy \
    --role-name  $SM_EXECUTION_ROLE_NAME \
    --policy-arn $SM_EXECUTION_ROLE_POLICY_ARN

SM_SC_FS_INGESTION_POLICY_ARN : arn:aws:iam::057716757052:policy/sm-project-sc-portfolio-AmazonSageMakerServiceCatalogFSIngestionProductPolicy-1H4PBAVHSCZYK

SM_EXECUTION_ROLE_POLICY_ARN : arn:aws:iam::057716757052:policy/sm-project-sc-portfolio-AmazonSageMakerExecutionRolePolicy-1GXCCW2EKN3U9

SM_EXECUTION_ROLE_NAME : mlops-sagemaker-project-gsmoon


# A. 트러블 슈팅 커맨드

In [96]:
! aws s3 cp s3://mlops-gonsoomoon-sydney/amazon-sagemaker-reusable-components/amazon-sagemaker-reusable-components.zip .

download: s3://mlops-gonsoomoon-sydney/amazon-sagemaker-reusable-components/amazon-sagemaker-reusable-components.zip to ./amazon-sagemaker-reusable-components.zip


In [14]:
# 스택 이벤트 실행 내역 보여주기
! aws cloudformation describe-stack-events --stack-name amazon-sagemaker-reusable-components-package-cfn

{
    "StackEvents": [
        {
            "StackId": "arn:aws:cloudformation:ap-southeast-2:057716757052:stack/amazon-sagemaker-reusable-components-package-cfn/d112c110-7929-11ec-9477-0275392b8e7c",
            "EventId": "0cee1680-792a-11ec-83ed-0abbffeda692",
            "StackName": "amazon-sagemaker-reusable-components-package-cfn",
            "LogicalResourceId": "amazon-sagemaker-reusable-components-package-cfn",
            "PhysicalResourceId": "arn:aws:cloudformation:ap-southeast-2:057716757052:stack/amazon-sagemaker-reusable-components-package-cfn/d112c110-7929-11ec-9477-0275392b8e7c",
            "ResourceType": "AWS::CloudFormation::Stack",
            "Timestamp": "2022-01-19T13:16:45.402Z",
            "ResourceStatus": "ROLLBACK_FAILED",
            "ResourceStatusReason": "The following resource(s) failed to delete: [StartBuildLambda]. "
        },
        {
            "StackId": "arn:aws:cloudformation:ap-southeast-2:057716757052:stack/amazon-sagemaker-reusable-co

In [98]:
# 스택 삭제
! aws cloudformation delete-stack --stack-name amazon-sagemaker-reusable-components-package-cfn

In [121]:
! aws cloudformation delete-stack --stack-name {SC_PORTFOLIO_STACK_NAME}


In [53]:
! aws s3 ls https://s3.{bucket_region}.amazonaws.com/{bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml
# ! aws s3 ls https://s3.ap-southeast-2.amazonaws.com/sagemaker-ap-southeast-2-057716757052/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml


Error parsing parameter 'paths': Unable to retrieve https://s3.ap-northeast-2.amazonaws.com/mlops-gonsoomoon-share/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml: received non 200 status code of 403


In [97]:
! aws s3 ls {bucket} --recursive

2022-01-23 10:42:21      22207 amazon-sagemaker-reusable-components/amazon-sagemaker-reusable-components.zip
2022-01-23 10:42:23      15589 amazon-sagemaker-reusable-components/project-s3-fs-ingestion.yaml
2022-01-23 10:42:22        606 amazon-sagemaker-reusable-components/seed-code/s3-fs-ingestion-v1.0.zip
2022-01-23 10:42:23       7196 amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml


In [84]:
! aws s3 rm s3://{bucket} --recursive

delete: s3://sagemaker-ap-southeast-2-057716757052/amazon-sagemaker-reusable-components/amazon-sagemaker-reusable-components.zip
delete: s3://sagemaker-ap-southeast-2-057716757052/amazon-sagemaker-reusable-components/project-s3-fs-ingestion.yaml
delete: s3://sagemaker-ap-southeast-2-057716757052/amazon-sagemaker-reusable-components/seed-code/s3-fs-ingestion-v1.0.zip
delete: s3://sagemaker-ap-southeast-2-057716757052/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml


## 버킷의 오너십 변경 
- 오브젝트를 Write 한 계정 보다는 버켓 소유자에게 오너십을 변경 함

In [115]:
import boto3

client = boto3.client('s3')

response = client.put_bucket_ownership_controls(
    Bucket= bucket,
    OwnershipControls={
        'Rules': [
            {
                'ObjectOwnership': 'BucketOwnerPreferred'
            },
        ]
    }
)

In [116]:
response

{'ResponseMetadata': {'RequestId': '861BAHHVDC9TTGQM',
  'HostId': 'm/m+P350joT64rCHGTsSHb0FcqkW49dYqAWLehDjIcxyhZnLCgzly+O+l1QSR0YrjBj5Ce4veqQ=',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amz-id-2': 'm/m+P350joT64rCHGTsSHb0FcqkW49dYqAWLehDjIcxyhZnLCgzly+O+l1QSR0YrjBj5Ce4veqQ=',
   'x-amz-request-id': '861BAHHVDC9TTGQM',
   'date': 'Sun, 23 Jan 2022 11:22:06 GMT',
   'server': 'AmazonS3',
   'content-length': '0'},
  'RetryAttempts': 0}}

# B 에러

아래 스택 실행시에 에러 발생 함. 아래 처럼 수정하고 다시 S3 에 업로딩
https://s3.ap-southeast-2.amazonaws.com/mlops-gonsoomoon-sydney/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml

Template error: Fn::Select cannot select nonexistent value at index 2

```
AmazonSageMakerExecutionRoleName:
    Description: Name of the Amazon SageMaker execution role
    Value:
      Fn::Select:
      - 1 # 기존에 2 였음. 1로 변경 함
```
아래 파일을 다음과 같이 변경 
amazon-sagemaker-reusable-components/build/sm-project-sc-portfolio.yaml
```
Before:
  AmazonSageMakerExecutionRoleName:
    Description: Name of the Amazon SageMaker execution role
    Value: !Select [2, !Split ['/', !Ref SCPortfolioPrincipalRoleArn ] ] 
```
```
After: 
  AmazonSageMakerExecutionRoleName:
    Description: Name of the Amazon SageMaker execution role
    Value: !Select [1, !Split ['/', !Ref SCPortfolioPrincipalRoleArn ] ] 


```

## Project 실행시 에러

![lambda_error.png](img2/lambda_error.png)


## 해결
- AmazonSageMakerServiceCatalogProductsLaunchRole 에 LambdaFull 추가 함


## 에러: seed-code/s3-fs-ingestion-v1.0.zip 생성시 전부 아티펙트를 포함하지 않음.
```
Zipping MLOps project seed code
147	  adding: .ipynb_checkpoints/ (stored 0%)
148	  adding: .ipynb_checkpoints/buildspec-checkpoint.yml (deflated 54%)
149	  adding: buildspec.yml (deflated 54%)
```
정상 케이스
```
Zipping MLOps project seed code
  adding: LICENSE (deflated 39%)
  adding: pipeline/ (stored 0%)
  adding: pipeline/pipeline.py (deflated 70%)
  adding: buildspec.yml (deflated 54%)
  adding: .ipynb_checkpoints/ (stored 0%)
  adding: .ipynb_checkpoints/buildspec-checkpoint.yml (deflated 54%)
  adding: build.py (deflated 63%)
  adding: README.md (stored 0%)
  adding: functions/ (stored 0%)
  adding: functions/start_fs_ingestion.py (deflated 58%)
```

### 해결
- Before
    - zip -r amazon-sagemaker-reusable-components.zip . -i "*.yaml" "*.yml" "*.sh"
- After
    - zip -r amazon-sagemaker-reusable-components.zip . -i "*.yaml" "*.yml" "*.sh" "*.py"

## 포트폴리오 및 프러덕트 배포시 에러

![error-deploy-portfolio-product.png](img2/error-deploy-portfolio-product.png)

In [20]:
arn = 'arn:aws:iam::189546603447:role/service-role/AmazonSageMakerServiceCatalogProductsLaunchRole'
role_name = arn.split('/')[2]
role_name

'AmazonSageMakerServiceCatalogProductsLaunchRole'

## 랭글러 에러
![wrangler_erro.png](img2/wrangler_error.png)