Personalize pre-create/delete resource improvements (aws-samples#564)

* Fix for output path change
* Add support for remaining resource states
* Add support for Personalize content generator

aws/cloudformation-templates/base/notebook.yaml

@@ -178,6 +178,7 @@ Resources:
                   - s3:GetObjectVersion
                   - s3:GetBucketVersioning
                   - s3:GetBucketPolicy
+                  - s3:ListBucket
                 Resource:
                   - !Sub arn:aws:s3:::${StackBucketName}/*
                   - !Sub arn:aws:s3:::${StackBucketName}

aws/cloudformation-templates/deployment-support.yaml

@@ -56,6 +56,9 @@ Parameters:
   Subnet2:
     Type: String
 
+  LambdaVpcSecurityGroup:
+    Type: String
+
   OpenSearchSecurityGroupId:
     Type: String
 
@@ -120,17 +123,17 @@ Conditions:
   AutoCreatePersonalizedOffersCampaign: !Equals
     - !Ref DeployPersonalizedOffersCampaign
     - 'Yes'
-  
-  # If the Personalize offers campaign isn't being pre-created then we can invoke the pinpoint-auto-workshop lambda immediately, 
-  # otherwise we have to wait until it completes.  See personalize_pre_create_resources.py.  When all the personalize resources are 
-  # created it writes the resource arn's in SSM parameter store.  To wait for the offers campaign we setup an eventbridge rule to  
-  # trigger the pinpoint-auto-workshop lambda when create/updates events are received for the respective SSM parameter.  
+
+  # If the Personalize offers campaign isn't being pre-created then we can invoke the pinpoint-auto-workshop lambda immediately,
+  # otherwise we have to wait until it completes.  See personalize_pre_create_resources.py.  When all the personalize resources are
+  # created it writes the resource arn's in SSM parameter store.  To wait for the offers campaign we setup an eventbridge rule to
+  # trigger the pinpoint-auto-workshop lambda when create/updates events are received for the respective SSM parameter.
 
   DeployPreCreatePinpointWorkshop: !And
     - !Condition AutoCreatePinpointWorkshop
     - !Not [!Condition AutoCreatePersonalizedOffersCampaign]
 
-  WaitForOffersCampaignCreationAndDeployPreCreatePinpointWorkshop: !And 
+  WaitForOffersCampaignCreationAndDeployPreCreatePinpointWorkshop: !And
     - !Condition AutoCreatePinpointWorkshop
     - !Condition AutoCreatePersonalizedOffersCampaign
 
@@ -154,17 +157,23 @@ Resources:
       Runtime: python3.12
       Timeout: 900
       FunctionName: RetailDemoStorePersonalizePreCreateResources
+      VpcConfig:
+        SecurityGroupIds:
+          - !Ref LambdaVpcSecurityGroup
+        SubnetIds:
+          - !Ref Subnet1
+          - !Ref Subnet2
       Environment:
         Variables:
-          csv_bucket: !Ref StackBucketName
+          bucket: !Ref StackBucketName
           csv_path:  'csvs/'
           base_url: 'https://code.retaildemostore.retail.aws.dev/'
           lambda_event_rule_name: 'RetailDemoStore-PersonalizePreCreateScheduledRule'
           Uid: !Ref Uid
           DeployPersonalizedOffersCampaign: !Ref DeployPersonalizedOffersCampaign
           ProductsServiceExternalUrl: !Ref ProductsServiceExternalUrl
           PersonalizeRoleArn: !Ref PersonalizeRoleArn
-          PreCreatePersonalizeResources: !Ref PreCreatePersonalizeResources          
+          PreCreatePersonalizeResources: !Ref PreCreatePersonalizeResources
 
   PersonalizePreCreateLambdaExecutionRole:
     Type: 'AWS::IAM::Role'
@@ -199,6 +208,10 @@ Resources:
               - Effect: Allow
                 Action:
                   - logs:CreateLogGroup
+                  - ec2:CreateNetworkInterface
+                  - ec2:DeleteNetworkInterface
+                  - ec2:DescribeNetworkInterfaces
+                  - servicediscovery:DiscoverInstances
                 Resource: '*'
               - Effect: Allow
                 Action:
@@ -254,9 +267,10 @@ Resources:
                   - s3:GetObjectVersion
                   - s3:GetBucketVersioning
                   - s3:GetBucketPolicy
+                  - s3:ListBucket
                 Resource:
                   - !Sub arn:aws:s3:::${StackBucketName}/*
-                  - !Sub arn:aws:s3:::${StackBucketName}                  
+                  - !Sub arn:aws:s3:::${StackBucketName}
               - Effect: Allow
                 Action:
                   - codepipeline:StartPipelineExecution

aws/cloudformation-templates/template.yaml

@@ -370,7 +370,7 @@ Parameters:
   AlexaDefaultSandboxEmail:
     Type: String
     Description: >
-      Fallback email address to receive order confirmation emails.  This will be used until the steps are followed to enable Alexa to authenticate with Cognito, 
+      Fallback email address to receive order confirmation emails.  This will be used until the steps are followed to enable Alexa to authenticate with Cognito,
       after which it will be able to retrieve the user's details.
 
   IncludeSegmentDependencies:
@@ -743,7 +743,7 @@ Resources:
         OrdersServiceExternalUrl: !GetAtt Services.Outputs.OrdersServiceUrl
         OffersServiceExternalUrl: !GetAtt Services.Outputs.OffersServiceUrl
         UsersServiceExternalUrl: !GetAtt Services.Outputs.UsersServiceUrl
-        WebURL: 
+        WebURL:
           !If [
             ConditionCustomDomain,
             !Sub 'https://${CloudfrontCustomDomain}' ,
@@ -802,6 +802,7 @@ Resources:
         PreCreatePersonalizeResources: !Ref PreCreatePersonalizeResources
         Subnet1: !GetAtt Base.Outputs.Subnet1
         Subnet2: !GetAtt Base.Outputs.Subnet2
+        LambdaVpcSecurityGroup: !GetAtt Base.Outputs.PrivateVPCSecurityGroup
         OpenSearchSecurityGroupId: !GetAtt Base.Outputs.OpenSearchSecurityGroupId
         OpenSearchDomainArn: !GetAtt Base.Outputs.OpenSearchDomainArn
         OpenSearchDomainEndpoint: !GetAtt Base.Outputs.OpenSearchDomainEndpoint
@@ -941,7 +942,7 @@ Outputs:
   OffersServiceUrl:
     Description: Offers service load balancer URL.
     Value: !GetAtt Services.Outputs.OffersServiceUrl
-  
+
   APIEndpoint:
     Value: !GetAtt ApiGateway.Outputs.APIEndpoint
 
@@ -978,7 +979,7 @@ Outputs:
         OPENSEARCH_DOMAIN_SCHEME=https
         OPENSEARCH_DOMAIN_HOST="${Base.Outputs.OpenSearchDomainEndpoint}"
         OPENSEARCH_DOMAIN_PORT=9200
-      
+
         # Evidently
         EVIDENTLY_PROJECT_NAME="${Base.Outputs.EvidentlyProjectName}"