Merge pull request #1224 from GoogleCloudPlatform/lcaggio/project-notebook

Fix JIT notebook service account.

blueprints/data-solutions/bq-ml/README.md

@@ -98,5 +98,5 @@ module "test" {
   prefix     = "prefix"
 }
 
-# tftest modules=9 resources=46
+# tftest modules=9 resources=47
 ```

blueprints/data-solutions/data-playground/README.md

@@ -17,30 +17,35 @@ This sample creates several distinct groups of resources:
 - One BigQuery dataset
 
 ## Virtual Private Cloud (VPC) design
+
 As is often the case in real-world configurations, this blueprint accepts as input an existing Shared-VPC via the network_config variable. Make sure that 'container.googleapis.com', 'notebooks.googleapis.com' and 'servicenetworking.googleapis.com' are enabled in the VPC host project.
 
 If the network_config variable is not provided, one VPC will be created in each project that supports network resources (load, transformation and orchestration).
 
 ## Deploy your enviroment
+
 We assume the identiy running the following steps has the following role:
 
 - resourcemanager.projectCreator in case a new project will be created.
 - owner on the project in case you use an existing project.
 
 Run Terraform init:
+
 ```
-$ terraform init
+terraform init
 ```
 
 Configure the Terraform variable in your terraform.tfvars file. You need to spefify at least the following variables:
+
 ```
 prefix = "prefix"
 project_id      = "data-001"
 ```
 
 You can run now:
+
 ```
-$ terraform apply
+terraform apply
 ```
 
 You can now connect to the Vertex AI notbook to perform your data analysy.
@@ -81,5 +86,5 @@ module "test" {
     parent             = "folders/467898377"
   }
 }
-# tftest modules=8 resources=39
+# tftest modules=8 resources=40
 ```

blueprints/data-solutions/vertex-mlops/README.md

@@ -1,10 +1,13 @@
 # MLOps with Vertex AI
 
 ## Introduction
+
 This example implements the infrastructure required to deploy an end-to-end [MLOps process](https://services.google.com/fh/files/misc/practitioners_guide_to_mlops_whitepaper.pdf) using [Vertex AI](https://cloud.google.com/vertex-ai) platform.
 
-##  GCP resources
+## GCP resources
+
 The blueprint will deploy all the required resources to have a fully functional MLOPs environment containing:
+
 - Vertex Workbench (for the experimentation environment)
 - GCP Project (optional) to host all the resources
 - Isolated VPC network and a subnet to be used by Vertex and Dataflow. Alternatively, an external Shared VPC can be configured using the `network_config`variable.
@@ -33,8 +36,9 @@ We use the following groups to control access to resources:
 
 Please note that these groups are not suitable for production grade environments. Roles can be customized in the `main.tf`file.
 
-##  Instructions
-###  Deploy the experimentation environment
+## Instructions
+
+### Deploy the experimentation environment
 
 - Create a `terraform.tfvars` file and specify the variables to match your desired configuration. You can use the provided `terraform.tfvars.sample`  as reference.
 - Run `terraform init` and `terraform apply`
@@ -76,6 +80,7 @@ This blueprint can be used as a building block for setting up an end2end ML Ops
 <!-- END TFDOC -->
 
 ## TODO
+
 - Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode.
 - Improve default naming for local VPC and Cloud NAT
 
@@ -105,5 +110,5 @@ module "test" {
     parent             = "folders/111111111111"
   }
 }
-# tftest modules=12 resources=56
+# tftest modules=12 resources=57
 ```

modules/project/service-accounts.tf

@@ -83,6 +83,7 @@ locals {
     "multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
     "pubsub.googleapis.com",              # grant roles/pubsub.serviceAgent to pubsub
     "meshconfig.googleapis.com",          # grant roles/anthosservicemesh.serviceAgent to meshconfig
+    "notebooks.googleapis.com",           # no grants needed
     "secretmanager.googleapis.com",       # no grants needed
     "sqladmin.googleapis.com",            # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
   ]