First commit
This commit is contained in:
parent
66f00903c6
commit
edf67fc5d0
|
@ -52,63 +52,54 @@ This blueprint can be used as a building block for setting up an end2end ML Ops
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [project_id](variables.tf#L101) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ | |
|
||||
| [notebooks](variables.tf#L73) | Vertex AI workbenchs to be deployed. Service Account runtime/instances deployed. | <code title="map(object({ type = string machine_type = optional(string, "n1-standard-4") internal_ip_only = optional(bool, true) idle_shutdown = optional(bool, false) owner = optional(string, null) }))">map(object({…}))</code> | ✓ | |
|
||||
| [project_config](variables.tf#L100) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) parent = string project_id = string })">object({…})</code> | ✓ | |
|
||||
| [bucket_name](variables.tf#L18) | GCS bucket name to store the Vertex AI artifacts. | <code>string</code> | | <code>null</code> |
|
||||
| [dataset_name](variables.tf#L24) | BigQuery Dataset to store the training data. | <code>string</code> | | <code>null</code> |
|
||||
| [groups](variables.tf#L30) | Name of the groups (name@domain.org) to apply opinionated IAM permissions. | <code title="object({ gcp-ml-ds = string gcp-ml-eng = string gcp-ml-viewer = string })">object({…})</code> | | <code title="{ gcp-ml-ds = null gcp-ml-eng = null gcp-ml-viewer = null }">{…}</code> |
|
||||
| [groups](variables.tf#L30) | Name of the groups (name@domain.org) to apply opinionated IAM permissions. | <code title="object({ gcp-ml-ds = optional(string, null) gcp-ml-eng = optional(string, null) gcp-ml-viewer = optional(string, null) })">object({…})</code> | | <code title="{ gcp-ml-ds = null gcp-ml-eng = null gcp-ml-viewer = null }">{…}</code> |
|
||||
| [identity_pool_claims](variables.tf#L45) | Claims to be used by Workload Identity Federation (i.e.: attribute.repository/ORGANIZATION/REPO). If a not null value is provided, then google_iam_workload_identity_pool resource will be created. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L51) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L57) | Location used for multi-regional resources. | <code>string</code> | | <code>"eu"</code> |
|
||||
| [network_config](variables.tf#L63) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object({ host_project = string network_self_link = string subnet_self_link = string })">object({…})</code> | | <code>null</code> |
|
||||
| [notebooks](variables.tf#L73) | Vertex AI workbenchs to be deployed. | <code title="map(object({ owner = string region = string subnet = string internal_ip_only = optional(bool, false) idle_shutdown = optional(bool) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L86) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L92) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = string parent = string })">object({…})</code> | | <code>null</code> |
|
||||
| [project_services](variables.tf#L106) | List of core services enabled on all projects. | <code>list(string)</code> | | <code title="[ "aiplatform.googleapis.com", "artifactregistry.googleapis.com", "bigquery.googleapis.com", "cloudbuild.googleapis.com", "compute.googleapis.com", "datacatalog.googleapis.com", "dataflow.googleapis.com", "iam.googleapis.com", "monitoring.googleapis.com", "notebooks.googleapis.com", "secretmanager.googleapis.com", "servicenetworking.googleapis.com", "serviceusage.googleapis.com" ]">[…]</code> |
|
||||
| [region](variables.tf#L126) | Region used for regional resources. | <code>string</code> | | <code>"europe-west4"</code> |
|
||||
| [repo_name](variables.tf#L132) | Cloud Source Repository name. null to avoid to create it. | <code>string</code> | | <code>null</code> |
|
||||
| [sa_mlops_name](variables.tf#L138) | Name for the MLOPs Service Account. | <code>string</code> | | <code>"sa-mlops"</code> |
|
||||
| [prefix](variables.tf#L94) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L113) | Region used for regional resources. | <code>string</code> | | <code>"europe-west4"</code> |
|
||||
| [repo_name](variables.tf#L119) | Cloud Source Repository name. null to avoid to create it. | <code>string</code> | | <code>null</code> |
|
||||
| [service_encryption_keys](variables.tf#L125) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ aiplatform = optional(string, null) bq = optional(string, null) notebooks = optional(string, null) secretmanager = optional(string, null) storage = optional(string, null) })">object({…})</code> | | <code title="{ aiplatform = null bq = null notebooks = null secretmanager = null storage = null }">{…}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [github](outputs.tf#L33) | Github Configuration. | |
|
||||
| [notebook](outputs.tf#L39) | Vertex AI managed notebook details. | |
|
||||
| [project](outputs.tf#L44) | The project resource as return by the `project` module. | |
|
||||
| [project_id](outputs.tf#L49) | Project ID. | |
|
||||
| [github](outputs.tf#L30) | Github Configuration. | |
|
||||
| [notebook](outputs.tf#L35) | Vertex AI managed notebook details. | |
|
||||
| [project](outputs.tf#L43) | The project resource as return by the `project` module. | |
|
||||
| [project_id](outputs.tf#L48) | Project ID. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## TODO
|
||||
|
||||
- Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode.
|
||||
- Improve default naming for local VPC and Cloud NAT
|
||||
|
||||
## Test
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/blueprints/data-solutions/vertex-mlops/"
|
||||
labels = {
|
||||
"env" : "dev",
|
||||
"team" : "ml"
|
||||
"env" = "dev",
|
||||
"team" = "ml"
|
||||
}
|
||||
bucket_name = "test-dev"
|
||||
dataset_name = "test"
|
||||
bucket_name = "gcs-test"
|
||||
dataset_name = "bq-test"
|
||||
identity_pool_claims = "attribute.repository/ORGANIZATION/REPO"
|
||||
notebooks = {
|
||||
"myworkbench" : {
|
||||
"owner" : "user@example.com",
|
||||
"region" : "europe-west4",
|
||||
"subnet" : "default",
|
||||
"myworkbench" = {
|
||||
type = "USER_MANAGED"
|
||||
}
|
||||
}
|
||||
prefix = "pref"
|
||||
project_id = "test-dev"
|
||||
project_create = {
|
||||
prefix = "pref-dev"
|
||||
project_config = {
|
||||
billing_account_id = "000000-123456-123456"
|
||||
parent = "folders/111111111111"
|
||||
project_id = "test-dev"
|
||||
}
|
||||
}
|
||||
# tftest modules=12 resources=57
|
||||
# tftest modules=13 resources=65
|
||||
```
|
||||
|
|
|
@ -44,14 +44,11 @@ module "artifact_registry" {
|
|||
project_id = module.project.project_id
|
||||
location = var.region
|
||||
format = "DOCKER"
|
||||
# iam = {
|
||||
# "roles/artifactregistry.admin" = ["group:cicd@example.com"]
|
||||
# }
|
||||
}
|
||||
|
||||
module "service-account-github" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
name = "sa-github"
|
||||
name = "${var.prefix}-sa-github"
|
||||
project_id = module.project.project_id
|
||||
iam = var.identity_pool_claims == null ? {} : { "roles/iam.workloadIdentityUser" = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_pool[0].name}/${var.identity_pool_claims}"] }
|
||||
}
|
||||
|
@ -63,6 +60,9 @@ module "secret-manager" {
|
|||
secrets = {
|
||||
github-key = [var.region]
|
||||
}
|
||||
# encryption_key = {
|
||||
# "${var.region}" = try(var.service_encryption_keys["secretmanager"], null)
|
||||
# }
|
||||
iam = {
|
||||
github-key = {
|
||||
"roles/secretmanager.secretAccessor" = [
|
||||
|
@ -71,4 +71,4 @@ module "secret-manager" {
|
|||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -117,7 +117,7 @@ module "gcs-bucket" {
|
|||
module "gcs-bucket-cloudbuild" {
|
||||
source = "../../../modules/gcs"
|
||||
project_id = module.project.project_id
|
||||
name = "${var.project_id}_cloudbuild"
|
||||
name = "${var.prefix}_cloudbuild"
|
||||
prefix = var.prefix
|
||||
location = var.region
|
||||
storage_class = "REGIONAL"
|
||||
|
@ -190,19 +190,19 @@ module "cloudnat" {
|
|||
|
||||
module "project" {
|
||||
source = "../../../modules/project"
|
||||
name = var.project_id
|
||||
parent = try(var.project_create.parent, null)
|
||||
billing_account = try(var.project_create.billing_account_id, null)
|
||||
project_create = var.project_create != null
|
||||
name = var.project_config.project_id
|
||||
parent = try(var.project_config.parent, null)
|
||||
billing_account = try(var.project_config.billing_account_id, null)
|
||||
project_create = var.project_config.billing_account_id != null
|
||||
prefix = var.prefix
|
||||
group_iam = local.group_iam
|
||||
iam = {
|
||||
"roles/aiplatform.user" = [module.service-account-mlops.iam_email]
|
||||
"roles/aiplatform.user" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/artifactregistry.reader" = [module.service-account-mlops.iam_email]
|
||||
"roles/artifactregistry.writer" = [module.service-account-github.iam_email]
|
||||
"roles/bigquery.dataEditor" = [module.service-account-mlops.iam_email]
|
||||
"roles/bigquery.jobUser" = [module.service-account-mlops.iam_email]
|
||||
"roles/bigquery.user" = [module.service-account-mlops.iam_email]
|
||||
"roles/bigquery.dataEditor" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/bigquery.jobUser" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/bigquery.user" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/cloudbuild.builds.editor" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-github.iam_email
|
||||
|
@ -213,6 +213,8 @@ module "project" {
|
|||
"roles/dataflow.worker" = [module.service-account-mlops.iam_email]
|
||||
"roles/iam.serviceAccountUser" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-notebook.iam_email,
|
||||
module.service-account-github.iam_email,
|
||||
"serviceAccount:${module.project.service_accounts.robots.cloudbuild}"
|
||||
]
|
||||
"roles/monitoring.metricWriter" = [module.service-account-mlops.iam_email]
|
||||
|
@ -223,28 +225,40 @@ module "project" {
|
|||
]
|
||||
"roles/storage.admin" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-github.iam_email
|
||||
module.service-account-github.iam_email,
|
||||
module.service-account-notebook.iam_email
|
||||
]
|
||||
}
|
||||
labels = var.labels
|
||||
|
||||
org_policies = {
|
||||
# Example of applying a project wide policy
|
||||
# "compute.requireOsLogin" = {
|
||||
# rules = [{ enforce = false }]
|
||||
# }
|
||||
}
|
||||
|
||||
service_encryption_key_ids = {
|
||||
aiplatform = [try(local.service_encryption_keys.aiplatform, null)]
|
||||
bq = [try(local.service_encryption_keys.bq, null)]
|
||||
compute = [try(local.service_encryption_keys.compute, null)]
|
||||
cloudbuild = [try(local.service_encryption_keys.storage, null)]
|
||||
notebooks = [try(local.service_encryption_keys.compute, null)]
|
||||
notebooks = [try(local.service_encryption_keys.notebooks, null)]
|
||||
storage = [try(local.service_encryption_keys.storage, null)]
|
||||
}
|
||||
services = var.project_services
|
||||
|
||||
|
||||
services = [
|
||||
"aiplatform.googleapis.com",
|
||||
"artifactregistry.googleapis.com",
|
||||
"bigquery.googleapis.com",
|
||||
"bigquerystorage.googleapis.com",
|
||||
"cloudbuild.googleapis.com",
|
||||
"compute.googleapis.com",
|
||||
"datacatalog.googleapis.com",
|
||||
"dataflow.googleapis.com",
|
||||
"iam.googleapis.com",
|
||||
"ml.googleapis.com",
|
||||
"monitoring.googleapis.com",
|
||||
"notebooks.googleapis.com",
|
||||
"secretmanager.googleapis.com",
|
||||
"servicenetworking.googleapis.com",
|
||||
"serviceusage.googleapis.com",
|
||||
"stackdriver.googleapis.com",
|
||||
"storage.googleapis.com",
|
||||
"storage-component.googleapis.com"
|
||||
]
|
||||
shared_vpc_service_config = local.shared_vpc_project == null ? null : {
|
||||
attach = true
|
||||
host_project = local.shared_vpc_project
|
||||
|
@ -254,11 +268,8 @@ module "project" {
|
|||
|
||||
module "service-account-mlops" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
name = var.sa_mlops_name
|
||||
name = "${var.prefix}-sa-mlops"
|
||||
project_id = module.project.project_id
|
||||
iam = {
|
||||
"roles/iam.serviceAccountUser" = [module.service-account-github.iam_email]
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_project_iam_member" "shared_vpc" {
|
||||
|
@ -268,11 +279,8 @@ resource "google_project_iam_member" "shared_vpc" {
|
|||
member = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
|
||||
}
|
||||
|
||||
|
||||
resource "google_sourcerepo_repository" "code-repo" {
|
||||
count = var.repo_name == null ? 0 : 1
|
||||
name = var.repo_name
|
||||
project = module.project.project_id
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -1,60 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_notebooks_runtime" "runtime" {
|
||||
for_each = var.notebooks
|
||||
name = each.key
|
||||
|
||||
project = module.project.project_id
|
||||
location = var.notebooks[each.key].region
|
||||
access_config {
|
||||
access_type = "SINGLE_USER"
|
||||
runtime_owner = var.notebooks[each.key].owner
|
||||
}
|
||||
software_config {
|
||||
enable_health_monitoring = true
|
||||
idle_shutdown = var.notebooks[each.key].idle_shutdown
|
||||
idle_shutdown_timeout = 1800
|
||||
}
|
||||
virtual_machine {
|
||||
virtual_machine_config {
|
||||
machine_type = "n1-standard-4"
|
||||
network = local.vpc
|
||||
subnet = local.subnet
|
||||
internal_ip_only = var.notebooks[each.key].internal_ip_only
|
||||
dynamic "encryption_config" {
|
||||
for_each = try(local.service_encryption_keys.compute, null) == null ? [] : [1]
|
||||
content {
|
||||
kms_key = local.service_encryption_keys.compute
|
||||
}
|
||||
}
|
||||
metadata = {
|
||||
notebook-disable-nbconvert = "false"
|
||||
notebook-disable-downloads = "false"
|
||||
notebook-disable-terminal = "false"
|
||||
#notebook-disable-root = "true"
|
||||
#notebook-upgrade-schedule = "48 4 * * MON"
|
||||
}
|
||||
data_disk {
|
||||
initialize_params {
|
||||
disk_size_gb = "100"
|
||||
disk_type = "PD_STANDARD"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -14,9 +14,6 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
# TODO(): proper outputs
|
||||
|
||||
|
||||
locals {
|
||||
docker_split = try(split("/", module.artifact_registry.id), null)
|
||||
docker_repo = try("${local.docker_split[3]}-docker.pkg.dev/${local.docker_split[1]}/${local.docker_split[5]}", null)
|
||||
|
@ -31,22 +28,19 @@ locals {
|
|||
}
|
||||
|
||||
output "github" {
|
||||
|
||||
description = "Github Configuration."
|
||||
value = local.gh_config
|
||||
}
|
||||
|
||||
output "notebook" {
|
||||
description = "Vertex AI managed notebook details."
|
||||
value = { for k, v in resource.google_notebooks_runtime.runtime : k => v.id }
|
||||
description = "Vertex AI notebooks ids."
|
||||
value = merge(
|
||||
{ for k, v in resource.google_notebooks_runtime.runtime : k => v.id },
|
||||
{ for k, v in resource.google_notebooks_instance.playground : k => v.id }
|
||||
)
|
||||
}
|
||||
|
||||
output "project" {
|
||||
description = "The project resource as return by the `project` module."
|
||||
value = module.project
|
||||
}
|
||||
|
||||
output "project_id" {
|
||||
description = "Project ID."
|
||||
value = module.project.project_id
|
||||
}
|
||||
|
|
|
@ -30,9 +30,9 @@ variable "dataset_name" {
|
|||
variable "groups" {
|
||||
description = "Name of the groups (name@domain.org) to apply opinionated IAM permissions."
|
||||
type = object({
|
||||
gcp-ml-ds = string
|
||||
gcp-ml-eng = string
|
||||
gcp-ml-viewer = string
|
||||
gcp-ml-ds = optional(string, null)
|
||||
gcp-ml-eng = optional(string, null)
|
||||
gcp-ml-viewer = optional(string, null)
|
||||
})
|
||||
default = {
|
||||
gcp-ml-ds = null
|
||||
|
@ -71,16 +71,24 @@ variable "network_config" {
|
|||
}
|
||||
|
||||
variable "notebooks" {
|
||||
description = "Vertex AI workbenchs to be deployed."
|
||||
description = "Vertex AI workbenchs to be deployed. Service Account runtime/instances deployed."
|
||||
type = map(object({
|
||||
owner = string
|
||||
region = string
|
||||
subnet = string
|
||||
internal_ip_only = optional(bool, false)
|
||||
idle_shutdown = optional(bool)
|
||||
type = string
|
||||
machine_type = optional(string, "n1-standard-4")
|
||||
internal_ip_only = optional(bool, true)
|
||||
idle_shutdown = optional(bool, false)
|
||||
owner = optional(string, null)
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for k, v in var.notebooks : contains(["USER_MANAGED", "MANAGED"], v.type)])
|
||||
error_message = "All `type` must be one of `USER_MANAGED` or `MANAGED`."
|
||||
}
|
||||
validation {
|
||||
condition = alltrue([
|
||||
for k, v in var.notebooks : (v.type == "MANAGED" && try(v.owner != null, false) || v.type == "USER_MANAGED")])
|
||||
error_message = "`owner` must be set for `MANAGED` instances."
|
||||
}
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
|
@ -89,38 +97,17 @@ variable "prefix" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "project_create" {
|
||||
description = "Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
variable "project_config" {
|
||||
description = "Provide 'billing_account_id' value if project creation is needed, uses existing 'project_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
type = object({
|
||||
billing_account_id = string
|
||||
billing_account_id = optional(string, null)
|
||||
parent = string
|
||||
project_id = string
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "Project id, references existing project if `project_create` is null."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "project_services" {
|
||||
description = "List of core services enabled on all projects."
|
||||
type = list(string)
|
||||
default = [
|
||||
"aiplatform.googleapis.com",
|
||||
"artifactregistry.googleapis.com",
|
||||
"bigquery.googleapis.com",
|
||||
"cloudbuild.googleapis.com",
|
||||
"compute.googleapis.com",
|
||||
"datacatalog.googleapis.com",
|
||||
"dataflow.googleapis.com",
|
||||
"iam.googleapis.com",
|
||||
"monitoring.googleapis.com",
|
||||
"notebooks.googleapis.com",
|
||||
"secretmanager.googleapis.com",
|
||||
"servicenetworking.googleapis.com",
|
||||
"serviceusage.googleapis.com"
|
||||
]
|
||||
validation {
|
||||
condition = var.project_config.project_id != null
|
||||
error_message = "Project id must be set."
|
||||
}
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
|
@ -135,18 +122,20 @@ variable "repo_name" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "sa_mlops_name" {
|
||||
description = "Name for the MLOPs Service Account."
|
||||
type = string
|
||||
default = "sa-mlops"
|
||||
}
|
||||
|
||||
variable "service_encryption_keys" { # service encription key
|
||||
variable "service_encryption_keys" {
|
||||
description = "Cloud KMS to use to encrypt different services. Key location should match service region."
|
||||
type = object({
|
||||
bq = string
|
||||
compute = string
|
||||
storage = string
|
||||
aiplatform = optional(string, null)
|
||||
bq = optional(string, null)
|
||||
notebooks = optional(string, null)
|
||||
secretmanager = optional(string, null)
|
||||
storage = optional(string, null)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
default = {
|
||||
aiplatform = null
|
||||
bq = null
|
||||
notebooks = null
|
||||
secretmanager = null
|
||||
storage = null
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,128 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_vertex_ai_metadata_store" "store" {
|
||||
provider = google-beta
|
||||
project = module.project.project_id
|
||||
name = "default"
|
||||
description = "Vertex Ai Metadata Store"
|
||||
region = var.region
|
||||
dynamic "encryption_spec" {
|
||||
for_each = try(var.service_encryption_keys.aiplatform, null) == null ? [] : [""]
|
||||
|
||||
content {
|
||||
kms_key_name = try(var.service_encryption_keys.aiplatform, null)
|
||||
}
|
||||
}
|
||||
# `state` value will be decided automatically based on the result of the configuration
|
||||
lifecycle {
|
||||
ignore_changes = [state]
|
||||
}
|
||||
}
|
||||
|
||||
module "service-account-notebook" {
|
||||
source = "../../../modules/iam-service-account"
|
||||
project_id = module.project.project_id
|
||||
name = "notebook-sa"
|
||||
}
|
||||
|
||||
resource "google_notebooks_runtime" "runtime" {
|
||||
for_each = { for k, v in var.notebooks : k => v if v.type == "MANAGED" }
|
||||
name = "${var.prefix}-${each.key}"
|
||||
|
||||
project = module.project.project_id
|
||||
location = var.region
|
||||
access_config {
|
||||
access_type = "SINGLE_USER"
|
||||
runtime_owner = try(var.notebooks[each.key].owner, null)
|
||||
}
|
||||
software_config {
|
||||
enable_health_monitoring = true
|
||||
}
|
||||
virtual_machine {
|
||||
virtual_machine_config {
|
||||
machine_type = var.notebooks[each.key].machine_type
|
||||
network = local.vpc
|
||||
subnet = local.subnet
|
||||
internal_ip_only = var.notebooks[each.key].internal_ip_only
|
||||
dynamic "encryption_config" {
|
||||
for_each = try(local.service_encryption_keys.notebooks, null) == null ? [] : [1]
|
||||
content {
|
||||
kms_key = local.service_encryption_keys.notebooks
|
||||
}
|
||||
}
|
||||
metadata = {
|
||||
notebook-disable-nbconvert = "false"
|
||||
notebook-disable-downloads = "true"
|
||||
notebook-disable-terminal = "false"
|
||||
notebook-disable-root = "true"
|
||||
}
|
||||
data_disk {
|
||||
initialize_params {
|
||||
disk_size_gb = "100"
|
||||
disk_type = "PD_STANDARD"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_notebooks_instance" "playground" {
|
||||
for_each = { for k, v in var.notebooks : k => v if v.type == "USER_MANAGED" }
|
||||
name = "${var.prefix}-${each.key}"
|
||||
location = format("%s-%s", var.region, "b")
|
||||
machine_type = var.notebooks[each.key].machine_type
|
||||
project = module.project.project_id
|
||||
|
||||
container_image {
|
||||
repository = "gcr.io/deeplearning-platform-release/base-cpu"
|
||||
tag = "latest"
|
||||
}
|
||||
|
||||
install_gpu_driver = true
|
||||
boot_disk_type = "PD_SSD"
|
||||
boot_disk_size_gb = 110
|
||||
disk_encryption = try(local.service_encryption_keys.notebooks != null, false) ? "CMEK" : null
|
||||
kms_key = try(local.service_encryption_keys.notebooks, null)
|
||||
|
||||
no_public_ip = var.notebooks[each.key].internal_ip_only
|
||||
no_proxy_access = false
|
||||
|
||||
network = local.vpc
|
||||
subnet = local.subnet
|
||||
|
||||
instance_owners = try(tolist(var.notebooks[each.key].owner), null)
|
||||
service_account = module.service-account-notebook.email
|
||||
|
||||
metadata = {
|
||||
notebook-disable-nbconvert = "false"
|
||||
notebook-disable-downloads = "false"
|
||||
notebook-disable-terminal = "false"
|
||||
notebook-disable-root = "true"
|
||||
}
|
||||
|
||||
# Remove once terraform-provider-google/issues/9164 is fixed
|
||||
lifecycle {
|
||||
ignore_changes = [disk_encryption, kms_key]
|
||||
}
|
||||
|
||||
#TODO Uncomment once terraform-provider-google/issues/9273 is fixed
|
||||
# tags = ["ssh"]
|
||||
depends_on = [
|
||||
google_project_iam_member.shared_vpc,
|
||||
]
|
||||
}
|
||||
|
|
@ -18,6 +18,7 @@
|
|||
service_agent: "service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com"
|
||||
- name: "aiplatform"
|
||||
service_agent: "service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com"
|
||||
jit: true
|
||||
- name: "aiplatform-cc"
|
||||
service_agent: "service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com"
|
||||
- name: "alloydb"
|
||||
|
|
Loading…
Reference in New Issue