Merge pull request #68 from denniseik/feature/azureml-workspace

Looks great!

quickstart/101-machine-learning/main.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">=0.15.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "=2.56.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "default" {
+  name     = "rg-${var.name}-${var.environment}"
+  location = var.location
+}

quickstart/101-machine-learning/readme.md

@@ -0,0 +1,33 @@
+# Azure Machine Learning workspace
+
+This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), 
+and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
+
+This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
+
+## Resources
+
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
+| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
+| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
+| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
+| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
+
+## Variables
+
+| Name | Description |
+|-|-|
+| name | Name of the deployment |
+| environment | The deployment environment name (used for pre- and postfixing resource names) |
+| location | The Azure region used for deployments |
+
+## Usage
+
+```bash
+terraform plan -var name=azureml567 -out demo.tfplan
+
+terraform apply "demo.tfplan"
+```

quickstart/101-machine-learning/variables.tf

@@ -0,0 +1,16 @@
+variable "name" {
+  type        = string
+  description = "Name of the deployment"
+}
+
+variable "environment" {
+  type        = string
+  description = "Name of the environment"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resources"
+  default     = "East US"
+}

quickstart/101-machine-learning/workspace.tf

@@ -0,0 +1,57 @@
+# Dependent resources for Azure Machine Learning
+resource "azurerm_application_insights" "default" {
+  name                = "appi-${var.name}-${var.environment}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  application_type    = "web"
+}
+
+resource "azurerm_key_vault" "default" {
+  name                     = "kv-${var.name}-${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  sku_name                 = "premium"
+  purge_protection_enabled = false
+  
+  network_acls {
+    default_action = "Deny"
+    bypass = "AzureServices"
+  }
+}
+
+resource "azurerm_storage_account" "default" {
+  name                     = "st${var.name}${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  network_rules {
+    default_action = "Deny"
+    bypass = ["AzureServices"]
+  }
+}
+
+resource "azurerm_container_registry" "default" {
+  name                     = "cr${var.name}${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  sku                      = "Premium"
+  admin_enabled            = true
+}
+
+# Machine Learning workspace
+resource "azurerm_machine_learning_workspace" "default" {
+  name                    = "mlw-${var.name}-${var.environment}"
+  location                = azurerm_resource_group.default.location
+  resource_group_name     = azurerm_resource_group.default.name
+  application_insights_id = azurerm_application_insights.default.id
+  key_vault_id            = azurerm_key_vault.default.id
+  storage_account_id      = azurerm_storage_account.default.id
+  container_registry_id   = azurerm_container_registry.default.id
+
+  identity {
+    type = "SystemAssigned"
+  }
+}

quickstart/201-machine-learning-private/main.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">=0.15.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "=2.72.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "default" {
+  name     = "rg-${var.name}-${var.environment}"
+  location = var.location
+}

quickstart/201-machine-learning-private/network.tf

@@ -0,0 +1,89 @@
+# Virtual Network
+resource "azurerm_virtual_network" "default" {
+  name                = "vnet-${var.name}-${var.environment}"
+  address_space       = var.vnet_address_space
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_subnet" "mlsubnet" {
+  name                 = "mlsubnet"
+  resource_group_name  = azurerm_resource_group.default.name
+  virtual_network_name = azurerm_virtual_network.default.name
+  address_prefixes     = var.subnet_address_space
+  enforce_private_link_endpoint_network_policies = true
+}
+
+# Private DNS Zones
+resource "azurerm_private_dns_zone" "dnsvault" {
+  name                = "privatelink.vaultcore.azure.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkvault" {
+  name                  = "dnsvaultlink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsvault.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnsstorageblob" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" {
+  name                  = "dnsblobstoragelink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsstorageblob.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+
+resource "azurerm_private_dns_zone" "dnsstoragefile" {
+  name                = "privatelink.file.core.windows.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkfile" {
+  name                  = "dnsfilestoragelink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsstoragefile.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnscontainerregistry" {
+  name                = "privatelink.azurecr.io"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" {
+  name                  = "dnscrlink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnscontainerregistry.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnsazureml" {
+  name                = "privatelink.api.azureml.ms"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" {
+  name                  = "dnsazuremllink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsazureml.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}
+
+resource "azurerm_private_dns_zone" "dnsnotebooks" {
+  name                = "privatelink.azureml.notebooks.net"
+  resource_group_name = azurerm_resource_group.default.name
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
+  name                  = "dnsnotebookslink"
+  resource_group_name   = azurerm_resource_group.default.name
+  private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
+  virtual_network_id    = azurerm_virtual_network.default.id
+}

quickstart/201-machine-learning-private/readme.md

@@ -0,0 +1,44 @@
+# Azure Machine Learning workspace using Azure Private Link
+
+This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), 
+and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
+
+In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
+for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). 
+
+This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up.
+
+To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security).
+
+## Resources
+
+| Terraform Resource Type | Description |
+| - | - |
+| `azurerm_resource_group` | The resource group all resources get deployed into |
+| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
+| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
+| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
+| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
+| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
+| `azurerm_virtual_network` | An Azure Machine Learning workspace instance |
+| `azurerm_subnet` | An Azure Machine Learning workspace instance |
+| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources |
+| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource |
+| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources |
+
+## Variables
+
+| Name | Description |
+|-|-|
+| name | Name of the deployment |
+| environment | The deployment environment name (used for pre- and postfixing resource names) |
+| location | The Azure region used for deployments |
+
+
+## Usage
+
+```bash
+terraform plan -var name=azureml567 -out demo.tfplan
+
+terraform apply "demo.tfplan"
+```

quickstart/201-machine-learning-private/variables.tf

@@ -0,0 +1,28 @@
+variable "name" {
+  type        = string
+  description = "Name of the deployment"
+}
+
+variable "environment" {
+  type        = string
+  description = "Name of the environment"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "Location of the resources"
+  default     = "East US"
+}
+
+variable "vnet_address_space" {
+  type        = list(string)
+  description = "Address space of the subnet"
+  default     = ["10.0.0.0/16"]
+}
+
+variable "subnet_address_space" {
+  type        = list(string)
+  description = "Address space of the subnet"
+  default     = ["10.0.0.0/24"]
+}

quickstart/201-machine-learning-private/workspace.tf

@@ -0,0 +1,157 @@
+# Dependent resources for Azure Machine Learning
+resource "azurerm_application_insights" "default" {
+  name                = "appi-${var.name}-${var.environment}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  application_type    = "web"
+}
+
+resource "azurerm_key_vault" "default" {
+  name                     = "kv-${var.name}-${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  sku_name                 = "premium"
+  purge_protection_enabled = false
+  
+  network_acls {
+    default_action = "Deny"
+    bypass = "AzureServices"
+  }
+}
+
+resource "azurerm_storage_account" "default" {
+  name                     = "st${var.name}${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  network_rules {
+    default_action = "Deny"
+    bypass = ["AzureServices"]
+  }
+}
+
+resource "azurerm_container_registry" "default" {
+  name                     = "cr${var.name}${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  sku                      = "Premium"
+  admin_enabled            = true
+}
+
+# Machine Learning workspace
+resource "azurerm_machine_learning_workspace" "default" {
+  name                    = "mlw-${var.name}-${var.environment}"
+  location                = azurerm_resource_group.default.location
+  resource_group_name     = azurerm_resource_group.default.name
+  application_insights_id = azurerm_application_insights.default.id
+  key_vault_id            = azurerm_key_vault.default.id
+  storage_account_id      = azurerm_storage_account.default.id
+  container_registry_id   = azurerm_container_registry.default.id
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# Private endpoints
+resource "azurerm_private_endpoint" "kv_ple" {
+  name                = "ple-${var.name}-${var.environment}-kv"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.mlsubnet.id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dnsvault.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-kv"
+    private_connection_resource_id = azurerm_key_vault.default.id
+    subresource_names              = [ "vault" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "st_ple_blob" {
+  name                = "ple-${var.name}-${var.environment}-st-blob"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.mlsubnet.id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dnsstorageblob.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-st"
+    private_connection_resource_id = azurerm_storage_account.default.id
+    subresource_names              = [ "blob" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "storage_ple_file" {
+  name                = "ple-${var.name}-${var.environment}-st-file"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.mlsubnet.id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dnsstoragefile.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-st"
+    private_connection_resource_id = azurerm_storage_account.default.id
+    subresource_names              = [ "file" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "cr_ple" {
+  name                = "ple-${var.name}-${var.environment}-cr"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.mlsubnet.id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dnscontainerregistry.id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-cr"
+    private_connection_resource_id = azurerm_container_registry.default.id
+    subresource_names              = [ "registry" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "mlw_ple" {
+  name                = "ple-${var.name}-${var.environment}-mlw"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = azurerm_subnet.mlsubnet.id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [
+      azurerm_private_dns_zone.dnsazureml.id,
+      azurerm_private_dns_zone.dnsnotebooks.id
+    ]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-mlw"
+    private_connection_resource_id = azurerm_machine_learning_workspace.default.id
+    subresource_names              = [ "amlworkspace" ]
+    is_manual_connection           = false
+  }
+
+}