Fix comments
This commit is contained in:
lcaggio
parent
1f4fac2f1d
commit
f4490fcaea
|
|
@ -98,5 +98,5 @@ module "test" {
|
|||
prefix = "prefix"
|
||||
}
|
||||
|
||||
# tftest modules=9 resources=47
|
||||
# tftest modules=9 resources=48
|
||||
```
|
||||
|
|
|
|||
|
|
@ -86,5 +86,5 @@ module "test" {
|
|||
parent = "folders/467898377"
|
||||
}
|
||||
}
|
||||
# tftest modules=8 resources=40
|
||||
# tftest modules=8 resources=41
|
||||
```
|
||||
|
|
|
|||
|
|
@ -52,19 +52,19 @@ This blueprint can be used as a building block for setting up an end2end ML Ops
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [notebooks](variables.tf#L73) | Vertex AI workbenchs to be deployed. Service Account runtime/instances deployed. | <code title="map(object({ type = string machine_type = optional(string, "n1-standard-4") internal_ip_only = optional(bool, true) idle_shutdown = optional(bool, false) owner = optional(string, null) }))">map(object({…}))</code> | ✓ | |
|
||||
| [project_config](variables.tf#L100) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string, null) parent = string project_id = string })">object({…})</code> | ✓ | |
|
||||
| [notebooks](variables.tf#L73) | Vertex AI workbenchs to be deployed. Service Account runtime/instances deployed. | <code title="map(object({ type = string machine_type = optional(string, "n1-standard-4") internal_ip_only = optional(bool, true) idle_shutdown = optional(bool, false) owner = optional(string) }))">map(object({…}))</code> | ✓ | |
|
||||
| [project_config](variables.tf#L100) | Provide 'billing_account_id' value if project creation is needed, uses existing 'project_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object({ billing_account_id = optional(string) parent = optional(string) project_id = string })">object({…})</code> | ✓ | |
|
||||
| [bucket_name](variables.tf#L18) | GCS bucket name to store the Vertex AI artifacts. | <code>string</code> | | <code>null</code> |
|
||||
| [dataset_name](variables.tf#L24) | BigQuery Dataset to store the training data. | <code>string</code> | | <code>null</code> |
|
||||
| [groups](variables.tf#L30) | Name of the groups (name@domain.org) to apply opinionated IAM permissions. | <code title="object({ gcp-ml-ds = optional(string, null) gcp-ml-eng = optional(string, null) gcp-ml-viewer = optional(string, null) })">object({…})</code> | | <code title="{ gcp-ml-ds = null gcp-ml-eng = null gcp-ml-viewer = null }">{…}</code> |
|
||||
| [groups](variables.tf#L30) | Name of the groups (name@domain.org) to apply opinionated IAM permissions. | <code title="object({ gcp-ml-ds = optional(string) gcp-ml-eng = optional(string) gcp-ml-viewer = optional(string) })">object({…})</code> | | <code title="{ gcp-ml-ds = null gcp-ml-eng = null gcp-ml-viewer = null }">{…}</code> |
|
||||
| [identity_pool_claims](variables.tf#L45) | Claims to be used by Workload Identity Federation (i.e.: attribute.repository/ORGANIZATION/REPO). If a not null value is provided, then google_iam_workload_identity_pool resource will be created. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L51) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [location](variables.tf#L57) | Location used for multi-regional resources. | <code>string</code> | | <code>"eu"</code> |
|
||||
| [network_config](variables.tf#L63) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object({ host_project = string network_self_link = string subnet_self_link = string })">object({…})</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L94) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L113) | Region used for regional resources. | <code>string</code> | | <code>"europe-west4"</code> |
|
||||
| [repo_name](variables.tf#L119) | Cloud Source Repository name. null to avoid to create it. | <code>string</code> | | <code>null</code> |
|
||||
| [service_encryption_keys](variables.tf#L125) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ aiplatform = optional(string, null) bq = optional(string, null) notebooks = optional(string, null) secretmanager = optional(string, null) storage = optional(string, null) })">object({…})</code> | | <code title="{ aiplatform = null bq = null notebooks = null secretmanager = null storage = null }">{…}</code> |
|
||||
| [region](variables.tf#L114) | Region used for regional resources. | <code>string</code> | | <code>"europe-west4"</code> |
|
||||
| [repo_name](variables.tf#L120) | Cloud Source Repository name. null to avoid to create it. | <code>string</code> | | <code>null</code> |
|
||||
| [service_encryption_keys](variables.tf#L126) | Cloud KMS to use to encrypt different services. Key location should match service region. | <code title="object({ aiplatform = optional(string) bq = optional(string) notebooks = optional(string) secretmanager = optional(string) storage = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -60,9 +60,9 @@ module "secret-manager" {
|
|||
secrets = {
|
||||
github-key = [var.region]
|
||||
}
|
||||
# encryption_key = {
|
||||
# "${var.region}" = try(var.service_encryption_keys["secretmanager"], null)
|
||||
# }
|
||||
encryption_key = {
|
||||
"${var.region}" = var.service_encryption_keys.secretmanager
|
||||
}
|
||||
iam = {
|
||||
github-key = {
|
||||
"roles/secretmanager.secretAccessor" = [
|
||||
|
|
|
|||
|
|
@ -64,8 +64,7 @@ locals {
|
|||
}
|
||||
)
|
||||
|
||||
service_encryption_keys = var.service_encryption_keys
|
||||
shared_vpc_project = try(var.network_config.host_project, null)
|
||||
shared_vpc_project = try(var.network_config.host_project, null)
|
||||
|
||||
subnet = (
|
||||
local.use_shared_vpc
|
||||
|
|
@ -109,7 +108,7 @@ module "gcs-bucket" {
|
|||
location = var.region
|
||||
storage_class = "REGIONAL"
|
||||
versioning = false
|
||||
encryption_key = try(local.service_encryption_keys.storage, null)
|
||||
encryption_key = var.service_encryption_keys.storage
|
||||
}
|
||||
|
||||
# Default bucket for Cloud Build to prevent error: "'us' violates constraint ‘gcp.resourceLocations’"
|
||||
|
|
@ -122,7 +121,7 @@ module "gcs-bucket-cloudbuild" {
|
|||
location = var.region
|
||||
storage_class = "REGIONAL"
|
||||
versioning = false
|
||||
encryption_key = try(local.service_encryption_keys.storage, null)
|
||||
encryption_key = var.service_encryption_keys.storage
|
||||
}
|
||||
|
||||
module "bq-dataset" {
|
||||
|
|
@ -131,7 +130,7 @@ module "bq-dataset" {
|
|||
project_id = module.project.project_id
|
||||
id = var.dataset_name
|
||||
location = var.region
|
||||
encryption_key = try(local.service_encryption_keys.bq, null)
|
||||
encryption_key = var.service_encryption_keys.bq
|
||||
}
|
||||
|
||||
module "vpc-local" {
|
||||
|
|
@ -191,18 +190,27 @@ module "cloudnat" {
|
|||
module "project" {
|
||||
source = "../../../modules/project"
|
||||
name = var.project_config.project_id
|
||||
parent = try(var.project_config.parent, null)
|
||||
billing_account = try(var.project_config.billing_account_id, null)
|
||||
parent = var.project_config.parent
|
||||
billing_account = var.project_config.billing_account_id
|
||||
project_create = var.project_config.billing_account_id != null
|
||||
prefix = var.prefix
|
||||
group_iam = local.group_iam
|
||||
iam = {
|
||||
"roles/aiplatform.user" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/aiplatform.user" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-notebook.iam_email
|
||||
]
|
||||
"roles/artifactregistry.reader" = [module.service-account-mlops.iam_email]
|
||||
"roles/artifactregistry.writer" = [module.service-account-github.iam_email]
|
||||
"roles/bigquery.dataEditor" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/bigquery.jobUser" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/bigquery.user" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/bigquery.dataEditor" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-notebook.iam_email
|
||||
]
|
||||
"roles/bigquery.jobUser" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-notebook.iam_email
|
||||
]
|
||||
"roles/bigquery.user" = [module.service-account-mlops.iam_email, module.service-account-notebook.iam_email]
|
||||
"roles/cloudbuild.builds.editor" = [
|
||||
module.service-account-mlops.iam_email,
|
||||
module.service-account-github.iam_email
|
||||
|
|
@ -232,11 +240,12 @@ module "project" {
|
|||
labels = var.labels
|
||||
|
||||
service_encryption_key_ids = {
|
||||
aiplatform = [try(local.service_encryption_keys.aiplatform, null)]
|
||||
bq = [try(local.service_encryption_keys.bq, null)]
|
||||
cloudbuild = [try(local.service_encryption_keys.storage, null)]
|
||||
notebooks = [try(local.service_encryption_keys.notebooks, null)]
|
||||
storage = [try(local.service_encryption_keys.storage, null)]
|
||||
aiplatform = [var.service_encryption_keys.aiplatform]
|
||||
bq = [var.service_encryption_keys.bq]
|
||||
cloudbuild = [var.service_encryption_keys.storage]
|
||||
notebooks = [var.service_encryption_keys.notebooks]
|
||||
secretmanager = [var.service_encryption_keys.secretmanager]
|
||||
storage = [var.service_encryption_keys.storage]
|
||||
}
|
||||
|
||||
services = [
|
||||
|
|
|
|||
|
|
@ -30,9 +30,9 @@ variable "dataset_name" {
|
|||
variable "groups" {
|
||||
description = "Name of the groups (name@domain.org) to apply opinionated IAM permissions."
|
||||
type = object({
|
||||
gcp-ml-ds = optional(string, null)
|
||||
gcp-ml-eng = optional(string, null)
|
||||
gcp-ml-viewer = optional(string, null)
|
||||
gcp-ml-ds = optional(string)
|
||||
gcp-ml-eng = optional(string)
|
||||
gcp-ml-viewer = optional(string)
|
||||
})
|
||||
default = {
|
||||
gcp-ml-ds = null
|
||||
|
|
@ -77,7 +77,7 @@ variable "notebooks" {
|
|||
machine_type = optional(string, "n1-standard-4")
|
||||
internal_ip_only = optional(bool, true)
|
||||
idle_shutdown = optional(bool, false)
|
||||
owner = optional(string, null)
|
||||
owner = optional(string)
|
||||
}))
|
||||
validation {
|
||||
condition = alltrue([
|
||||
|
|
@ -100,14 +100,15 @@ variable "prefix" {
|
|||
variable "project_config" {
|
||||
description = "Provide 'billing_account_id' value if project creation is needed, uses existing 'project_id' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
|
||||
type = object({
|
||||
billing_account_id = optional(string, null)
|
||||
parent = string
|
||||
billing_account_id = optional(string)
|
||||
parent = optional(string)
|
||||
project_id = string
|
||||
})
|
||||
validation {
|
||||
condition = var.project_config.project_id != null
|
||||
error_message = "Project id must be set."
|
||||
}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
|
|
@ -125,17 +126,12 @@ variable "repo_name" {
|
|||
variable "service_encryption_keys" {
|
||||
description = "Cloud KMS to use to encrypt different services. Key location should match service region."
|
||||
type = object({
|
||||
aiplatform = optional(string, null)
|
||||
bq = optional(string, null)
|
||||
notebooks = optional(string, null)
|
||||
secretmanager = optional(string, null)
|
||||
storage = optional(string, null)
|
||||
aiplatform = optional(string)
|
||||
bq = optional(string)
|
||||
notebooks = optional(string)
|
||||
secretmanager = optional(string)
|
||||
storage = optional(string)
|
||||
})
|
||||
default = {
|
||||
aiplatform = null
|
||||
bq = null
|
||||
notebooks = null
|
||||
secretmanager = null
|
||||
storage = null
|
||||
}
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,10 +21,10 @@ resource "google_vertex_ai_metadata_store" "store" {
|
|||
description = "Vertex Ai Metadata Store"
|
||||
region = var.region
|
||||
dynamic "encryption_spec" {
|
||||
for_each = try(var.service_encryption_keys.aiplatform, null) == null ? [] : [""]
|
||||
for_each = var.service_encryption_keys.aiplatform == null ? [] : [""]
|
||||
|
||||
content {
|
||||
kms_key_name = try(var.service_encryption_keys.aiplatform, null)
|
||||
kms_key_name = var.service_encryption_keys.aiplatform
|
||||
}
|
||||
}
|
||||
# `state` value will be decided automatically based on the result of the configuration
|
||||
|
|
@ -42,7 +42,6 @@ module "service-account-notebook" {
|
|||
resource "google_notebooks_runtime" "runtime" {
|
||||
for_each = { for k, v in var.notebooks : k => v if v.type == "MANAGED" }
|
||||
name = "${var.prefix}-${each.key}"
|
||||
|
||||
project = module.project.project_id
|
||||
location = var.region
|
||||
access_config {
|
||||
|
|
@ -59,9 +58,9 @@ resource "google_notebooks_runtime" "runtime" {
|
|||
subnet = local.subnet
|
||||
internal_ip_only = var.notebooks[each.key].internal_ip_only
|
||||
dynamic "encryption_config" {
|
||||
for_each = try(local.service_encryption_keys.notebooks, null) == null ? [] : [1]
|
||||
for_each = var.service_encryption_keys.notebooks == null ? [] : [1]
|
||||
content {
|
||||
kms_key = local.service_encryption_keys.notebooks
|
||||
kms_key = var.service_encryption_keys.notebooks
|
||||
}
|
||||
}
|
||||
metadata = {
|
||||
|
|
@ -83,7 +82,7 @@ resource "google_notebooks_runtime" "runtime" {
|
|||
resource "google_notebooks_instance" "playground" {
|
||||
for_each = { for k, v in var.notebooks : k => v if v.type == "USER_MANAGED" }
|
||||
name = "${var.prefix}-${each.key}"
|
||||
location = format("%s-%s", var.region, "b")
|
||||
location = "${var.region}-b"
|
||||
machine_type = var.notebooks[each.key].machine_type
|
||||
project = module.project.project_id
|
||||
|
||||
|
|
@ -95,8 +94,8 @@ resource "google_notebooks_instance" "playground" {
|
|||
install_gpu_driver = true
|
||||
boot_disk_type = "PD_SSD"
|
||||
boot_disk_size_gb = 110
|
||||
disk_encryption = try(local.service_encryption_keys.notebooks != null, false) ? "CMEK" : null
|
||||
kms_key = try(local.service_encryption_keys.notebooks, null)
|
||||
disk_encryption = var.service_encryption_keys.notebooks != null ? "CMEK" : null
|
||||
kms_key = var.service_encryption_keys.notebooks
|
||||
|
||||
no_public_ip = var.notebooks[each.key].internal_ip_only
|
||||
no_proxy_access = false
|
||||
|
|
|
|||
Loading…
Reference in New Issue