From 20ac4f6e64cdb5adb7f934f5f91f85a54680ccf7 Mon Sep 17 00:00:00 2001
From: Hongbo Miao <3375461+hongbo-miao@users.noreply.github.com>
Date: Thu, 23 May 2024 01:28:12 -0700
Subject: [PATCH] feat(terraform): add sagemaker (#16869)

---
 .../development/aws/general/main.tf | 23 ++++++-
 .../production/aws/general/main.tf | 23 ++++++-
 .../aws/hm_amazon_emr_studio_iam/main.tf | 4 +-
 .../aws/hm_amazon_emr_studio_iam/variables.tf | 2 +-
 .../main.tf | 19 ++++++
 .../variables.tf | 15 +++++
 .../main.tf | 64 +++++++++++++++++++
 .../outputs.tf | 3 +
 .../variables.tf | 9 +++
 9 files changed, 157 insertions(+), 5 deletions(-)
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/main.tf
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/variables.tf
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/main.tf
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/outputs.tf
 create mode 100644 cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/variables.tf

diff --git a/cloud-infrastructure/terraform/environments/development/aws/general/main.tf b/cloud-infrastructure/terraform/environments/development/aws/general/main.tf
index a4dff1eda4..71205d2ed7 100644
--- a/cloud-infrastructure/terraform/environments/development/aws/general/main.tf
+++ b/cloud-infrastructure/terraform/environments/development/aws/general/main.tf
@@ -241,7 +241,7 @@ module "development_hm_sedona_emr_studio_iam" {
   providers = { aws = aws.development }
   source = "../../../../modules/aws/hm_amazon_emr_studio_iam"
   amazon_emr_studio_name = "hm-sedona-emr-studio"
-  s3_bucket = data.terraform_remote_state.hm_terraform_remote_state_development_aws_network.outputs.development_hm_development_bucket_amazon_s3_bucket_name
+  s3_bucket_name = data.terraform_remote_state.hm_terraform_remote_state_development_aws_network.outputs.development_hm_development_bucket_amazon_s3_bucket_name
   environment = var.environment
   team = var.team
 }
@@ -531,3 +531,24 @@ module "development_hm_aws_batch_job_definition" {
     module.development_hm_aws_batch_job_definition_iam
   ]
 }
+
+# Amazon SageMaker
+locals {
+  amazon_sagemaker_notebook_instance_name = "hm-amazon-sagemaker-notebook"
+}
+module "development_hm_amazon_sagemaker_notebook_instance_iam" {
+  providers = { aws = aws.development }
+  source = "../../../../modules/aws/hm_amazon_sagemaker_notebook_instance_iam"
+  amazon_sagemaker_notebook_instance_name = local.amazon_sagemaker_notebook_instance_name
+  environment = var.environment
+  team = var.team
+}
+module "development_hm_amazon_sagemaker_notebook_instance" {
+  providers = { aws = aws.development }
+  source = "../../../../modules/aws/hm_amazon_sagemaker_notebook_instance"
+  amazon_sagemaker_notebook_instance_name = local.amazon_sagemaker_notebook_instance_name
+  iam_role_arn = module.development_hm_amazon_sagemaker_notebook_instance_iam.arn
+  instance_type = "ml.g4dn.4xlarge"
+  environment = var.environment
+  team = var.team
+}
diff --git a/cloud-infrastructure/terraform/environments/production/aws/general/main.tf b/cloud-infrastructure/terraform/environments/production/aws/general/main.tf
index d8d9fe1582..64f29a88f8 100644
--- a/cloud-infrastructure/terraform/environments/production/aws/general/main.tf
+++ b/cloud-infrastructure/terraform/environments/production/aws/general/main.tf
@@ -241,7 +241,7 @@ module "production_hm_sedona_emr_studio_iam" {
   providers = { aws = aws.production }
   source = "../../../../modules/aws/hm_amazon_emr_studio_iam"
   amazon_emr_studio_name = "hm-sedona-emr-studio"
-  s3_bucket = data.terraform_remote_state.hm_terraform_remote_state_production_aws_network.outputs.production_hm_production_bucket_amazon_s3_bucket_name
+  s3_bucket_name = data.terraform_remote_state.hm_terraform_remote_state_production_aws_network.outputs.production_hm_production_bucket_amazon_s3_bucket_name
   environment = var.environment
   team = var.team
 }
@@ -531,3 +531,24 @@ module "production_hm_aws_batch_job_definition" {
     module.production_hm_aws_batch_job_definition_iam
   ]
 }
+
+# Amazon SageMaker
+locals {
+  amazon_sagemaker_notebook_instance_name = "hm-amazon-sagemaker-notebook"
+}
+module "production_hm_amazon_sagemaker_notebook_instance_iam" {
+  providers = { aws = aws.production }
+  source = "../../../../modules/aws/hm_amazon_sagemaker_notebook_instance_iam"
+  amazon_sagemaker_notebook_instance_name = local.amazon_sagemaker_notebook_instance_name
+  environment = var.environment
+  team = var.team
+}
+module "production_hm_amazon_sagemaker_notebook_instance" {
+  providers = { aws = aws.production }
+  source = "../../../../modules/aws/hm_amazon_sagemaker_notebook_instance"
+  amazon_sagemaker_notebook_instance_name = local.amazon_sagemaker_notebook_instance_name
+  iam_role_arn = module.production_hm_amazon_sagemaker_notebook_instance_iam.arn
+  instance_type = "ml.g4dn.4xlarge"
+  environment = var.environment
+  team = var.team
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/main.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/main.tf
index d7b7024556..479bd5dfad 100644
--- a/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/main.tf
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/main.tf
@@ -45,8 +45,8 @@ resource "aws_iam_role_policy" "hm_amazon_emr_studio_iam_role_s3_policy" {
         "s3:PutObject"
       ]
       Resource = [
-        "arn:aws:s3:::${var.s3_bucket}",
-        "arn:aws:s3:::${var.s3_bucket}/*"
+        "arn:aws:s3:::${var.s3_bucket_name}",
+        "arn:aws:s3:::${var.s3_bucket_name}/*"
       ]
     },
     {
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/variables.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/variables.tf
index d56607239b..1283839429 100644
--- a/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/variables.tf
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_emr_studio_iam/variables.tf
@@ -1,7 +1,7 @@
 variable "amazon_emr_studio_name" {
   type = string
 }
-variable "s3_bucket" {
+variable "s3_bucket_name" {
   type = string
 }
 variable "environment" {
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/main.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/main.tf
new file mode 100644
index 0000000000..a252598142
--- /dev/null
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/main.tf
@@ -0,0 +1,19 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance
+resource "aws_sagemaker_notebook_instance" "hm_amazon_sagemaker_notebook_instance" {
+  name = var.amazon_sagemaker_notebook_instance_name
+  role_arn = var.iam_role_arn
+  instance_type = var.instance_type
+  tags = {
+    Environment = var.environment
+    Team = var.team
+    ResourceName = var.amazon_sagemaker_notebook_instance_name
+  }
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/variables.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/variables.tf
new file mode 100644
index 0000000000..c19e01f44b
--- /dev/null
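Review bot: The `aws_sagemaker_notebook_instance` resource in the new `hm_amazon_sagemaker_notebook_instance/main.tf` hunk sets neither `root_access` nor `direct_internet_access`, and the provider documents both as defaulting to `Enabled`, so notebook users get sudo on the host and an egress path outside any VPC controls; no `subnet_id` or `security_groups` are passed either. Everything the execution role permits is therefore reachable from an internet-connected root shell, which makes the role's scope the only real boundary. I would set `root_access = "Disabled"` and `direct_internet_access = "Disabled"` and thread `subnet_id`/`security_groups` (plus `kms_key_id` if the project standardizes on customer-managed keys for volumes) through the module's variables. If the defaults are a deliberate choice for a dev sandbox, a comment above the resource such as `# NOTE: root + direct internet left at provider defaults; acceptable only for non-sensitive data` should record that, since the same module is instantiated for production.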
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance/variables.tf
@@ -0,0 +1,15 @@
+variable "amazon_sagemaker_notebook_instance_name" {
+  type = string
+}
+variable "instance_type" {
+  type = string
+}
+variable "iam_role_arn" {
+  type = string
+}
+variable "environment" {
+  type = string
+}
+variable "team" {
+  type = string
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/main.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/main.tf
new file mode 100644
index 0000000000..7703f92548
--- /dev/null
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/main.tf
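Review bot: `instance_type` and `iam_role_arn` in this variables file accept any string, so a typo in the instance type or a role ARN from the wrong account surfaces only at apply time when the SageMaker API rejects it. A `validation` block moves that to plan time, e.g. `condition = can(regex("^ml\\.", var.instance_type))` for the instance type and `condition = can(regex("^arn:aws:iam::[0-9]{12}:role/", var.iam_role_arn))` for the role, each with a short `error_message`. A `description` on each variable would also help, since the diffstat shows no README for the module.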
@@ -0,0 +1,64 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "hm_amazon_sagemaker_notebook_instance_iam" {
+  name = "AmazonSageMakerExecutionRole-${var.amazon_sagemaker_notebook_instance_name}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "sagemaker.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+  tags = {
+    Environment = var.environment
+    Team = var.team
+    ResourceName = "AmazonSageMakerExecutionRole-${var.amazon_sagemaker_notebook_instance_name}"
+  }
+}
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy
+resource "aws_iam_role_policy" "hm_amazon_sagemaker_notebook_instance_iam_s3_policy" {
+  name = "AmazonSageMakerExecutionPolicyForS3-${var.amazon_sagemaker_notebook_instance_name}"
+  role = aws_iam_role.hm_amazon_sagemaker_notebook_instance_iam.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:DeleteObject",
+          "s3:GetObject",
+          "s3:ListBucket",
+          "s3:PutObject"
+        ]
+        Resource = [
+          "arn:aws:s3:::*"
+        ]
+      }
+    ]
+  })
+}
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "hm_amazon_sagemaker_notebook_instance_iam_policy_attachment_amazon_sagemaker_canvas_ai_services_access" {
+  role = aws_iam_role.hm_amazon_sagemaker_notebook_instance_iam.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerCanvasAIServicesAccess"
+}
+resource "aws_iam_role_policy_attachment" "hm_amazon_sagemaker_notebook_instance_iam_policy_attachment_amazon_sagemaker_canvas_full_access" {
+  role = aws_iam_role.hm_amazon_sagemaker_notebook_instance_iam.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerCanvasFullAccess"
+}
+resource "aws_iam_role_policy_attachment" "hm_amazon_sagemaker_notebook_instance_iam_policy_attachment_amazon_sagemaker_full_access" {
+  role = aws_iam_role.hm_amazon_sagemaker_notebook_instance_iam.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/outputs.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/outputs.tf
new file mode 100644
index 0000000000..cc8ab1cbad
--- /dev/null
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+  value = aws_iam_role.hm_amazon_sagemaker_notebook_instance_iam.arn
+}
diff --git a/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/variables.tf b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/variables.tf
new file mode 100644
index 0000000000..426a83ab97
--- /dev/null
+++ b/cloud-infrastructure/terraform/modules/aws/hm_amazon_sagemaker_notebook_instance_iam/variables.tf
@@ -0,0 +1,9 @@
+variable "amazon_sagemaker_notebook_instance_name" {
+  type = string
+}
+variable "environment" {
+  type = string
+}
+variable "team" {
+  type = string
+}
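Review bot: The inline policy `hm_amazon_sagemaker_notebook_instance_iam_s3_policy` grants `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` and `s3:ListBucket` on `arn:aws:s3:::*`, i.e. read, write and delete on every bucket in the account, while the sibling EMR Studio module touched by this same commit scopes the identical statement to `var.s3_bucket_name`. The notebook instance runs arbitrary user code under this role, so the wildcard makes any notebook user an account-wide S3 principal in both development and production. Mirror the EMR module: add `variable "s3_bucket_name" { type = string }` to this module's variables.tf and change the Resource to `"arn:aws:s3:::${var.s3_bucket_name}"`, `"arn:aws:s3:::${var.s3_bucket_name}/*"`, passing the existing remote-state bucket name from the environment stacks. Separately, `AmazonSageMakerFullAccess` plus both Canvas managed policies are attached to a notebook-instance role; the Canvas policies appear unrelated to a classic notebook instance and should be justified or dropped, and the `sagemaker.amazonaws.com` trust statement could carry an `aws:SourceAccount` condition, which AWS documents as the confused-deputy mitigation for SageMaker execution roles.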