AWS AI Deployment Pipeline

Registry‑Driven Endpoint Promotion · Pipeline‑3

Triggering AWS Lambda via AWS EventBridge when the model is manually approved. This leads to automated running of the third CI/CD pipeline for promotion of the approved model from SageMaker Model Registry to real-time endpoints.

MLOps CDK GitHub Action Psitron ML Build Psitron ML Deploy

Project Summary

MLOps + Cloud · cross‑industry

Category

MLOps + Cloud · AI Platform Engineering

Domain

Model Deployment & Serving · Enterprise AI

Method

CDK (IaC) · GitHub Actions · SageMaker

Key Technologies

AWS + CI/CD stack

AWS CDKSageMaker Endpoints Model RegistryEndpointConfig GitHub ActionsOIDC → IAM CloudFormationS3 / ECR KMS encryptionMulti‑env CloudWatchYAML config

Problem & Objective

Problem

  • Manual model deployment → inconsistent environments, security risks, slow promotion, lack of governance.

Objective

  • Secure, repeatable, registry‑driven promotion to SageMaker endpoints via CDK + CI/CD (GitHub Actions + OIDC).

Solution & Architecture

Overview

CDK pipeline fetches latest Approved model from SageMaker Model Registry, provisions Model, EndpointConfig, Endpoint to Dev/Pre‑Prod/Prod. Triggered by GitHub Actions (OIDC auth). Endpoint configuration (instance, weight) YAML‑driven. Completes lifecycle started in Pipeline‑2.

GitHub → OIDC → IAM → CDK → CloudFormation → SageMaker Endpoint
1GitHub Actions
2CDK synth
3Model Registry
4EndpointConfig
5Real‑time Endpoint
SageMaker deployment pipeline reference visual
SageMaker deployment YAML mapping visual

Components

  • AWS CDK (Python)
  • SageMaker Model Registry
  • Endpoint + EndpointConfig
  • IAM / KMS / S3 / ECR
  • CloudFormation backend

Scalability & reliability

  • Managed SageMaker endpoints (HA)
  • Config‑driven instance sizing
  • CloudFormation rollback
  • Multi‑environment isolation

MLOps & Automation

AI/ML type

MLOps Deployment / Model Serving Automation

Pipeline automation

Pull latest Approved model → create Model + EndpointConfig + Endpoint → CDK deployment

CI/CD & containerisation

  • GitHub Actions (orchestration) + OIDC → IAM
  • AWS CDK (deployment as code)
  • Docker/ECR for custom inference containers

Monitoring & optimisation

  • CloudWatch metrics & logs for endpoints
  • GitHub Actions + CloudFormation logs
  • YAML‑driven instance tuning
  • Cost guardrails via fixed defaults

Skills & Technologies

Primary skills

  • MLOps Deployment / Model Serving – Advanced
  • AWS CDK (IaC) – Advanced
  • SageMaker Endpoints – Advanced
  • CI/CD GitHub Actions – Advanced

Secondary tools

  • AWS IAM, KMS, S3
  • CloudFormation
  • Docker / ECR

Languages

Python (primary), YAML (CI/CD & config)

Challenges & Resolutions

Challenges

  • Registry‑driven without hardcoding versions
  • Secure CI/CD auth for prod
  • Environment‑specific config
  • IAM least‑privilege scoping

Resolutions

  • Lookup latest Approved model
  • OIDC‑based IAM roles for GitHub
  • YAML‑driven endpoint configs
  • Least‑privilege IAM + KMS encryption

CI/CD · AWS Mapping

Pipeline‑3 constructs

Architecture BlockAWS CI/CD Construct (Pipeline‑3)
Source RepositoryGitHub (deployment/IaC repo)
TriggerGitHub Actions (manual / approval)
CI RunnerGitHub Linux runner (ubuntu‑latest)
OrchestrationAWS CDK (synth / deploy)
Infra BackendAWS CloudFormation
Model SourceSageMaker Model Registry (approved packages)
Model PackagingSageMaker Model (CfnModel from Registry)
Endpoint ConfigurationSageMaker EndpointConfig (instance, weight)
Deployment TargetSageMaker Real‑time Endpoint (Dev/Pre‑Prod/Prod)
Artifact StorageAmazon S3 (model artifacts)
Container RegistryAmazon ECR (custom images)
Security & AuthOIDC (GitHub→AWS) + IAM roles
Endpoint Execution RoleIAM Role for SageMaker Endpoint runtime
Secrets / ConfigAWS SSM Parameter Store (+ env vars)
EncryptionAWS KMS (endpoint data & artifacts)
Monitoring & LogsAmazon CloudWatch Logs & Metrics (endpoint) + GitHub Actions Logs
Deployment GovernanceModel Registry approvals + CDK-controlled promotion
Infrastructure StateCloudFormation Stack Events (rollback on failure)

Process flow: GitHub → GitHub Actions → OIDC → IAM → CDK → CloudFormation → Model/EndpointConfig → Real‑time Endpoint.

AWS DevOps CI/CD – Reference Architecture

Pipeline‑3: Deployment / Promotion

Architecture Flow:

  1. Developer triggers deployment via GitHub Actions (manual/approval-based).
  2. GitHub Actions assumes AWS IAM Role via OIDC.
  3. CDK synth generates CloudFormation templates.
  4. CDK deploy provisions:
    • SageMaker Model (from Registry)
    • EndpointConfig (instance type, traffic)
    • SageMaker Endpoint
  5. CloudFormation applies changes with rollback on failure.
  6. Logs visible in GitHub Actions + CloudFormation + CloudWatch.

Security & Guardrails:

  • OIDC-based IAM roles
  • Least-privilege endpoint execution roles
  • KMS encryption for endpoint resources
  • Env isolation (Dev / Pre-Prod / Prod)
P3 Mapping: GitHub → GitHub Actions → OIDC → IAM → CDK → CloudFormation → SageMaker Model/EndpointConfig → Real-time Endpoint.

Assets & References

MLOps CDK GitHub Action

Infrastructure-as-code and GitHub Actions workflow for platform provisioning.

View GitHub repo

Psitron ML Build

Build repository for the ML pipeline stage and related implementation assets.

View GitHub repo

Psitron ML Deploy

Deployment repository for ML release workflows and production delivery assets.

View GitHub repo
Request Study Material

Study Material – Pipeline‑3

Official CDK & YAML reference
Downloadable PDF (public)
PDF
CDK file specific (restricted)
Detailed CDK constructs, IAM policies
PDF
Architecture diagrams (P3)
GitHub → OIDC → CDK → CloudFormation flow
PDF
SageMaker EndpointConfig YAML examples
Instance types, traffic weights, env vars
PDF