Tips-Of-Mine/terraform-azure
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #73 from denniseik/master

Browse Source 
Including Azure ML compute with existing examples. Adding network-isolated examples.
This commit is contained in:
Mark Gray (MSFT) 2021-09-29 16:34:31 -07:00 committed by GitHub
commit 5219ad380e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 1008 additions and 215 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
.gitignore vendored Normal file
View File

35
quickstart/101-machine-learning/compute.tf Normal file
View File

@ -0,0 +1,35 @@
# Generate random string for unique compute instance name
resource "random_string" "ci_prefix" {
length = 8
upper = false
special = false
number = false
}
# Compute instance
resource "azurerm_machine_learning_compute_instance" "compute_instance" {
name = "${random_string.ci_prefix.result}instance"
location = azurerm_resource_group.default.location
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
virtual_machine_size = "STANDARD_DS2_V2"
}
# Compute Cluster
resource "azurerm_machine_learning_compute_cluster" "compute" {
name = "cpu-cluster"
location = azurerm_resource_group.default.location
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
vm_priority = "Dedicated"
vm_size = "STANDARD_DS2_V2"
identity {
type = "SystemAssigned"
}
scale_settings {
min_node_count = 0
max_node_count = 3
scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes
}
}

2
quickstart/101-machine-learning/main.tf
View File

@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.56.0"
version = "=2.76.0"
}
}
}

36
quickstart/101-machine-learning/readme.md
View File

@ -1,33 +1,45 @@
# Azure Machine Learning workspace
# Azure Machine Learning workspace (public network connectivity)
This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace),
and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Network connectivity to the workspace is allowed over public endpoints, making this configuration suitable for open source projects or pilot environments.
## Resources
| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group all resources get deployed into |
| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
| `azurerm_resource_group` | The resource group all resources get deployed into. |
| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace. |
| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace. |
| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace. |
| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace. |
| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance. |
| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. |
| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. |
## Variables
| Name | Description |
|-|-|
| name | Name of the deployment |
| environment | The deployment environment name (used for pre- and postfixing resource names) |
| location | The Azure region used for deployments |
| Name | Description | Default |
|-|-|-|
| name | Name of the deployment | - |
| environment | The deployment environment name (used for pre- and postfixing resource names) | dev |
| location | The Azure region used for deployments | East US |
## Usage
```bash
terraform init
terraform plan -var name=azureml567 -out demo.tfplan
terraform apply "demo.tfplan"
```
## Learn more
- If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/).
- To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security).
- For all configurations of Azure Machine Learning in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_workspace).

24
quickstart/101-machine-learning/workspace.tf
View File

@ -13,11 +13,6 @@ resource "azurerm_key_vault" "default" {
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
purge_protection_enabled = false
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "azurerm_storage_account" "default" {
@ -26,19 +21,14 @@ resource "azurerm_storage_account" "default" {
resource_group_name = azurerm_resource_group.default.name
account_tier = "Standard"
account_replication_type = "GRS"
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
}
}
resource "azurerm_container_registry" "default" {
name = "cr${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
name = "cr${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
}
# Machine Learning workspace
@ -54,4 +44,6 @@ resource "azurerm_machine_learning_workspace" "default" {
identity {
type = "SystemAssigned"
}
}
}

41
quickstart/201-machine-learning-moderately-secure/compute.tf Normal file
View File

@ -0,0 +1,41 @@
# Generate random string for unique compute instance name
resource "random_string" "ci_prefix" {
length = 8
upper = false
special = false
number = false
}
# Compute instance
resource "azurerm_machine_learning_compute_instance" "compute_instance" {
name = "${random_string.ci_prefix.result}instance"
location = azurerm_resource_group.default.location
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
virtual_machine_size = "STANDARD_DS2_V2"
subnet_resource_id = azurerm_subnet.snet-training.id
depends_on = [
azurerm_private_endpoint.mlw_ple
]
}
# Compute cluster
resource "azurerm_machine_learning_compute_cluster" "compute" {
name = "cpu-cluster"
location = azurerm_resource_group.default.location
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
vm_priority = "Dedicated"
vm_size = "STANDARD_DS2_V2"
subnet_resource_id = azurerm_subnet.snet-training.id
identity {
type = "SystemAssigned"
}
scale_settings {
min_node_count = 0
max_node_count = 3
scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes
}
}

2
quickstart/201-machine-learning-private/main.tf → quickstart/201-machine-learning-moderately-secure/main.tf
View File

@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.72.0"
version = "=2.78.0"
}
}
}

210
quickstart/201-machine-learning-moderately-secure/network.tf Normal file
View File

@ -0,0 +1,210 @@
# Virtual Network
resource "azurerm_virtual_network" "default" {
name = "vnet-${var.name}-${var.environment}"
address_space = var.vnet_address_space
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_subnet" "snet-training" {
name = "snet-training"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.training_subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
resource "azurerm_subnet" "snet-aks" {
name = "snet-aks"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.aks_subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
resource "azurerm_subnet" "snet-workspace" {
name = "snet-workspace"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.ml_subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
# Private DNS Zones
resource "azurerm_private_dns_zone" "dnsvault" {
name = "privatelink.vaultcore.azure.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkvault" {
name = "dnsvaultlink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsvault.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsstorageblob" {
name = "privatelink.blob.core.windows.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" {
name = "dnsblobstoragelink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsstorageblob.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsstoragefile" {
name = "privatelink.file.core.windows.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkfile" {
name = "dnsfilestoragelink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsstoragefile.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnscontainerregistry" {
name = "privatelink.azurecr.io"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" {
name = "dnscrlink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnscontainerregistry.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsazureml" {
name = "privatelink.api.azureml.ms"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" {
name = "dnsazuremllink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsazureml.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsnotebooks" {
name = "privatelink.notebooks.azure.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
name = "dnsnotebookslink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
virtual_network_id = azurerm_virtual_network.default.id
}
# Network Security Groups
resource "azurerm_network_security_group" "nsg-training" {
name = "nsg-training"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
security_rule {
name = "BatchNodeManagement"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "29876-29877"
source_address_prefix = "BatchNodeManagement"
destination_address_prefix = "*"
}
security_rule {
name = "AzureMachineLearning"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "44224"
source_address_prefix = "AzureMachineLearning"
destination_address_prefix = "*"
}
}
resource "azurerm_subnet_network_security_group_association" "nsg-training-link" {
subnet_id = azurerm_subnet.snet-training.id
network_security_group_id = azurerm_network_security_group.nsg-training.id
}
resource "azurerm_network_security_group" "nsg-aks" {
name = "nsg-aks"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" {
subnet_id = azurerm_subnet.snet-aks.id
network_security_group_id = azurerm_network_security_group.nsg-aks.id
}
# User Defined Routes
# UDR for compute instance and compute clusters
resource "azurerm_route_table" "rt-training" {
name = "rt-training"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_route" "training-Internet-Route" {
name = "Internet"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name
address_prefix = "0.0.0.0/0"
next_hop_type = "Internet"
}
resource "azurerm_route" "training-AzureMLRoute" {
name = "AzureMLRoute"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name
address_prefix = "AzureMachineLearning"
next_hop_type = "Internet"
}
resource "azurerm_route" "training-BatchRoute" {
name = "BatchRoute"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name
address_prefix = "BatchNodeManagement"
next_hop_type = "Internet"
}
resource "azurerm_subnet_route_table_association" "rt-training-link" {
subnet_id = azurerm_subnet.snet-training.id
route_table_id = azurerm_route_table.rt-training.id
}
# Inferencing (AKS) Route
resource "azurerm_route_table" "rt-aks" {
name = "rt-aks"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_route" "aks-Internet-Route" {
name = "Internet"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-aks.name
address_prefix = "0.0.0.0/0"
next_hop_type = "Internet"
}
resource "azurerm_subnet_route_table_association" "rt-aks-link" {
subnet_id = azurerm_subnet.snet-aks.id
route_table_id = azurerm_route_table.rt-aks.id
}

62
quickstart/201-machine-learning-moderately-secure/readme.md Normal file
View File

@ -0,0 +1,62 @@
# Azure Machine Learning workspace (moderately secure network set up)
This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace),
and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/).
This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md).
## Resources
| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group all resources get deployed into |
| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
| `azurerm_virtual_network` | An Azure Machine Learning workspace instance |
| `azurerm_subnet` | An Azure Machine Learning workspace instance |
| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources |
| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource |
| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources |
| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. |
| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. |
| `azurerm_network_security_group` | Network security group with required inbound and outbound rules for Azure Machine Learning. |
## Variables
| Name | Description | Default |
|-|-|-|
| name | Name of the deployment | - |
| environment | The deployment environment name (used for pre- and postfixing resource names) | dev |
| location | The Azure region used for deployments | East US |
| vnet_address_space | Address space of the virtual network | ["10.0.0.0/16"] |
| training_subnet_address_space | Address space of the training subnet | ["10.0.1.0/24"] |
| aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] |
| ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] |
| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
## Usage
```bash
terraform init
terraform plan \
-var name=azureml567 \
-var environment=dev \
# -var <for a full list of variables and default values, see 'Variables'> \
-out demo.tfplan
terraform apply "demo.tfplan"
```
## Learn more
- If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/).
- To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security).
- For all configurations of Azure Machine Learning in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_workspace).

46
quickstart/201-machine-learning-moderately-secure/variables.tf Normal file
View File

@ -0,0 +1,46 @@
variable "name" {
type = string
description = "Name of the deployment"
}
variable "environment" {
type = string
description = "Name of the environment"
default = "dev"
}
variable "location" {
type = string
description = "Location of the resources"
default = "East US"
}
variable "vnet_address_space" {
type = list(string)
description = "Address space of the virtual network"
default = ["10.0.0.0/16"]
}
variable "training_subnet_address_space" {
type = list(string)
description = "Address space of the training subnet"
default = ["10.0.1.0/24"]
}
variable "aks_subnet_address_space" {
type = list(string)
description = "Address space of the aks subnet"
default = ["10.0.2.0/23"]
}
variable "ml_subnet_address_space" {
type = list(string)
description = "Address space of the ML workspace subnet"
default = ["10.0.0.0/24"]
}
variable "image_build_compute_name" {
type = string
description = "Name of the compute cluster to be created and set to build docker images"
default = "image-builder"
}

75
quickstart/201-machine-learning-private/workspace.tf → quickstart/201-machine-learning-moderately-secure/workspace.tf
View File

@ -12,11 +12,11 @@ resource "azurerm_key_vault" "default" {
resource_group_name = azurerm_resource_group.default.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
purge_protection_enabled = false
purge_protection_enabled = true
network_acls {
default_action = "Deny"
bypass = "AzureServices"
bypass = "AzureServices"
}
}
@ -29,16 +29,21 @@ resource "azurerm_storage_account" "default" {
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
bypass = ["AzureServices"]
}
}
resource "azurerm_container_registry" "default" {
name = "cr${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
name = "cr${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
network_rule_set {
default_action = "Deny"
}
public_network_access_enabled = false
}
# Machine Learning workspace
@ -54,6 +59,11 @@ resource "azurerm_machine_learning_workspace" "default" {
identity {
type = "SystemAssigned"
}
# Args of use when using an Azure Private Link configuration
public_network_access_enabled = false
image_build_compute_name = var.image_build_compute_name
}
# Private endpoints
@ -61,7 +71,7 @@ resource "azurerm_private_endpoint" "kv_ple" {
name = "ple-${var.name}-${var.environment}-kv"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.mlsubnet.id
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
@ -71,7 +81,7 @@ resource "azurerm_private_endpoint" "kv_ple" {
private_service_connection {
name = "psc-${var.name}-kv"
private_connection_resource_id = azurerm_key_vault.default.id
subresource_names = [ "vault" ]
subresource_names = ["vault"]
is_manual_connection = false
}
}
@ -80,7 +90,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" {
name = "ple-${var.name}-${var.environment}-st-blob"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.mlsubnet.id
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
@ -90,7 +100,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" {
private_service_connection {
name = "psc-${var.name}-st"
private_connection_resource_id = azurerm_storage_account.default.id
subresource_names = [ "blob" ]
subresource_names = ["blob"]
is_manual_connection = false
}
}
@ -99,7 +109,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" {
name = "ple-${var.name}-${var.environment}-st-file"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.mlsubnet.id
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
@ -109,7 +119,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" {
private_service_connection {
name = "psc-${var.name}-st"
private_connection_resource_id = azurerm_storage_account.default.id
subresource_names = [ "file" ]
subresource_names = ["file"]
is_manual_connection = false
}
}
@ -118,7 +128,7 @@ resource "azurerm_private_endpoint" "cr_ple" {
name = "ple-${var.name}-${var.environment}-cr"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.mlsubnet.id
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
@ -128,7 +138,7 @@ resource "azurerm_private_endpoint" "cr_ple" {
private_service_connection {
name = "psc-${var.name}-cr"
private_connection_resource_id = azurerm_container_registry.default.id
subresource_names = [ "registry" ]
subresource_names = ["registry"]
is_manual_connection = false
}
}
@ -137,21 +147,38 @@ resource "azurerm_private_endpoint" "mlw_ple" {
name = "ple-${var.name}-${var.environment}-mlw"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.mlsubnet.id
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [
azurerm_private_dns_zone.dnsazureml.id,
azurerm_private_dns_zone.dnsnotebooks.id
]
private_dns_zone_ids = [azurerm_private_dns_zone.dnsazureml.id, azurerm_private_dns_zone.dnsnotebooks.id]
}
private_service_connection {
name = "psc-${var.name}-mlw"
private_connection_resource_id = azurerm_machine_learning_workspace.default.id
subresource_names = [ "amlworkspace" ]
subresource_names = ["amlworkspace"]
is_manual_connection = false
}
}
}
# Compute cluster for image building required since the workspace is behind a vnet.
# For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds.
resource "azurerm_machine_learning_compute_cluster" "image-builder" {
name = var.image_build_compute_name
location = azurerm_resource_group.default.location
vm_priority = "LowPriority"
vm_size = "Standard_DS2_v2"
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
subnet_resource_id = azurerm_subnet.snet-training.id
scale_settings {
min_node_count = 0
max_node_count = 3
scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes
}
identity {
type = "SystemAssigned"
}
}

89
quickstart/201-machine-learning-private/network.tf
View File

@ -1,89 +0,0 @@
# Virtual Network
resource "azurerm_virtual_network" "default" {
name = "vnet-${var.name}-${var.environment}"
address_space = var.vnet_address_space
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_subnet" "mlsubnet" {
name = "mlsubnet"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
# Private DNS Zones
resource "azurerm_private_dns_zone" "dnsvault" {
name = "privatelink.vaultcore.azure.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkvault" {
name = "dnsvaultlink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsvault.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsstorageblob" {
name = "privatelink.blob.core.windows.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" {
name = "dnsblobstoragelink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsstorageblob.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsstoragefile" {
name = "privatelink.file.core.windows.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkfile" {
name = "dnsfilestoragelink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsstoragefile.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnscontainerregistry" {
name = "privatelink.azurecr.io"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" {
name = "dnscrlink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnscontainerregistry.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsazureml" {
name = "privatelink.api.azureml.ms"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" {
name = "dnsazuremllink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsazureml.name
virtual_network_id = azurerm_virtual_network.default.id
}
resource "azurerm_private_dns_zone" "dnsnotebooks" {
name = "privatelink.azureml.notebooks.net"
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
name = "dnsnotebookslink"
resource_group_name = azurerm_resource_group.default.name
private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
virtual_network_id = azurerm_virtual_network.default.id
}

44
quickstart/201-machine-learning-private/readme.md
View File

@ -1,44 +0,0 @@
# Azure Machine Learning workspace using Azure Private Link
This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace),
and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/).
This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up.
To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security).
## Resources
| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group all resources get deployed into |
| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
| `azurerm_virtual_network` | An Azure Machine Learning workspace instance |
| `azurerm_subnet` | An Azure Machine Learning workspace instance |
| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources |
| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource |
| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources |
## Variables
| Name | Description |
|-|-|
| name | Name of the deployment |
| environment | The deployment environment name (used for pre- and postfixing resource names) |
| location | The Azure region used for deployments |
## Usage
```bash
terraform plan -var name=azureml567 -out demo.tfplan
terraform apply "demo.tfplan"
```

28
quickstart/201-machine-learning-private/variables.tf
View File

@ -1,28 +0,0 @@
variable "name" {
type = string
description = "Name of the deployment"
}
variable "environment" {
type = string
description = "Name of the environment"
default = "dev"
}
variable "location" {
type = string
description = "Location of the resources"
default = "East US"
}
variable "vnet_address_space" {
type = list(string)
description = "Address space of the subnet"
default = ["10.0.0.0/16"]
}
variable "subnet_address_space" {
type = list(string)
description = "Address space of the subnet"
default = ["10.0.0.0/24"]
}

41
quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf Normal file
View File

@ -0,0 +1,41 @@
# Generate random string for unique compute instance name
resource "random_string" "ci_prefix" {
length = 8
upper = false
special = false
number = false
}
# Compute instance
resource "azurerm_machine_learning_compute_instance" "compute_instance" {
name = "${random_string.ci_prefix.result}instance"
location = azurerm_resource_group.default.location
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
virtual_machine_size = "STANDARD_DS2_V2"
subnet_resource_id = data.azurerm_subnet.training.id
depends_on = [
azurerm_private_endpoint.mlw_ple
]
}
# Compute cluster
resource "azurerm_machine_learning_compute_cluster" "compute" {
name = "cpu-cluster"
location = azurerm_resource_group.default.location
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
vm_priority = "Dedicated"
vm_size = "STANDARD_DS2_V2"
subnet_resource_id = data.azurerm_subnet.training.id
identity {
type = "SystemAssigned"
}
scale_settings {
min_node_count = 0
max_node_count = 3
scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes
}
}

21
quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf Normal file
View File

@ -0,0 +1,21 @@
terraform {
required_version = ">=0.15.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=2.78.0"
}
}
}
provider "azurerm" {
features {}
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "default" {
name = "rg-${var.name}-${var.environment}"
location = var.location
}

126
quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf Normal file
View File

@ -0,0 +1,126 @@
# Data Sources
data "azurerm_subnet" "training" {
name = var.training_subnet_name
virtual_network_name = var.vnet_name
resource_group_name = var.vnet_resource_group_name
}
data "azurerm_subnet" "aks" {
name = var.aks_subnet_name
virtual_network_name = var.vnet_name
resource_group_name = var.vnet_resource_group_name
}
data "azurerm_subnet" "ml" {
name = var.ml_subnet_name
virtual_network_name = var.vnet_name
resource_group_name = var.vnet_resource_group_name
}
# Network Security Groups
resource "azurerm_network_security_group" "nsg-training" {
name = "nsg-training"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
security_rule {
name = "BatchNodeManagement"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "29876-29877"
source_address_prefix = "BatchNodeManagement"
destination_address_prefix = "*"
}
security_rule {
name = "AzureMachineLearning"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "44224"
source_address_prefix = "AzureMachineLearning"
destination_address_prefix = "*"
}
}
resource "azurerm_subnet_network_security_group_association" "nsg-training-link" {
subnet_id = data.azurerm_subnet.training.id
network_security_group_id = azurerm_network_security_group.nsg-training.id
}
resource "azurerm_network_security_group" "nsg-aks" {
name = "nsg-aks"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" {
subnet_id = data.azurerm_subnet.aks.id
network_security_group_id = azurerm_network_security_group.nsg-aks.id
}
# User Defined Routes
# UDR for Compute instance and compute clusters
resource "azurerm_route_table" "rt-training" {
name = "rt-training"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_route" "training-Internet-Route" {
name = "Internet"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name
address_prefix = "0.0.0.0/0"
next_hop_type = "Internet"
}
resource "azurerm_route" "training-AzureMLRoute" {
name = "AzureMLRoute"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name
address_prefix = "AzureMachineLearning"
next_hop_type = "Internet"
}
resource "azurerm_route" "training-BatchRoute" {
name = "BatchRoute"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-training.name
address_prefix = "BatchNodeManagement"
next_hop_type = "Internet"
}
resource "azurerm_subnet_route_table_association" "rt-training-link" {
subnet_id = data.azurerm_subnet.training.id
route_table_id = azurerm_route_table.rt-training.id
}
# Inferencing (AKS) Route
resource "azurerm_route_table" "rt-aks" {
name = "rt-aks"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_route" "aks-Internet-Route" {
name = "Internet"
resource_group_name = azurerm_resource_group.default.name
route_table_name = azurerm_route_table.rt-aks.name
address_prefix = "0.0.0.0/0"
next_hop_type = "Internet"
}
resource "azurerm_subnet_route_table_association" "rt-aks-link" {
subnet_id = data.azurerm_subnet.aks.id
route_table_id = azurerm_route_table.rt-aks.id
}

74
quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md Normal file
View File

@ -0,0 +1,74 @@
# Azure Machine Learning workspace (moderately secure network set up - existing virtual network)
This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace),
and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry.
In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning
for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/).
This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configurations assumes that you have existing network components to reuse. The [201 example](../201-machine-learning-moderately-secure/readme.md), alternatively creates new network components.
Please note that this template does not create Azure Private DNS zones. The assumption is that you have already configured Azure private DNS zones that are linked to your virtual network resources.
## Resources
| Terraform Resource Type | Description |
| - | - |
| `azurerm_resource_group` | The resource group all resources get deployed into |
| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace |
| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace |
| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace |
| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace |
| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance |
| `azurerm_virtual_network` | An Azure Machine Learning workspace instance |
| `azurerm_subnet` | An Azure Machine Learning workspace instance |
| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources |
| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. |
| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. |
| `azurerm_network_security_group` | Network security group with required inbound and outbound rules for Azure Machine Learning. |
## Variables
| Name | Description | Default |
|-|-|-|
| name | Name of the deployment | - |
| environment | The deployment environment name (used for pre- and postfixing resource names) | dev |
| location | The Azure region used for deployments | East US |
| vnet_resource_group_name | Name of the existing VNet Resource Group | - |
| vnet_name | Name of the existing VNet | - |
| training_subnet_name | Name of the existing training subnet | - |
| aks_subnet_name | Name of the existing aks subnet | - |
| ml_subnet_name | Name of the existing ML workspace subnet | - |
| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder |
| vnet_resource_group_name | Name of the resource group for the existing VNet | - |
| vnet_name | Name of the existing VNet | - |
| training_subnet_name | Name of the existing training subnet | - |
| aks_subnet_name | Name of the existing AKS subnet | - |
| ml_subnet_name | Name of the existing ML workspace subnet | - |
| privatelink_api_azureml_ms_resource_id | Resource ID of the existing privatelink.api.azureml.ms private dns zone | - |
| privatelink_azurecr_io_resource_id | Resource ID of the existing privatelink.azurecr.io private dns zone | - |
| privatelink_notebooks_azure_net_resource_id | Resource ID of the existing privatelink.notebooks.azure.net private dns zone | - |
| privatelink_blob_core_windows_net_resource_id | Resource ID of the existing privatelink.blob.core.windows.net private dns zone | - |
| privatelink_file_core_windows_net_resource_id | Resource ID of the existing privatelink.file.core.windows.net private dns zone | - |
| privatelink_vaultcore_azure_net_resource_id | Resource ID of the existing privatelink.vaultcore.azure.net private dns zone | - |
## Usage
```bash
terraform init
terraform plan \
-var name=azureml567 \
-var environment=dev \
# -var <for a full list of variables and default values, see 'Variables'> \
-out demo.tfplan
terraform apply "demo.tfplan"
```
## Learn more
- If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/).
- To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security).
- For all configurations of Azure Machine Learning in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_workspace).

81
quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf Normal file
View File

@ -0,0 +1,81 @@
variable "name" {
type = string
description = "Name of the deployment"
}
variable "environment" {
type = string
description = "Name of the environment"
default = "dev"
}
variable "location" {
type = string
description = "Location of the resources"
default = "East US"
}
variable "image_build_compute_name" {
type = string
description = "Name of the compute cluster to be created and set to build docker images"
default = "image-builder"
}
# Existing vnet and subnets variables
variable "vnet_resource_group_name" {
type = string
description = "Name of the resource group for the existing VNet"
}
variable "vnet_name" {
type = string
description = "Name of the existing VNet"
}
variable "training_subnet_name" {
type = string
description = "Name of the existing training subnet"
}
variable "aks_subnet_name" {
type = string
description = "Name of the existing aks subnet"
}
variable "ml_subnet_name" {
type = string
description = "Name of the existing ML workspace subnet"
}
# Existing private DNS zones variables
variable "privatelink_api_azureml_ms_resource_id" {
type = string
description = "Resource ID of the existing privatelink.api.azureml.ms private dns zone"
}
variable "privatelink_azurecr_io_resource_id" {
type = string
description = "Resource ID of the existing privatelink.azurecr.io private dns zone"
}
variable "privatelink_notebooks_azure_net_resource_id" {
type = string
description = "Resource ID of the existing privatelink.notebooks.azure.net private dns zone"
}
variable "privatelink_blob_core_windows_net_resource_id" {
type = string
description = "Resource ID of the existing privatelink.blob.core.windows.net private dns zone"
}
variable "privatelink_file_core_windows_net_resource_id" {
type = string
description = "Resource ID of the existing privatelink.file.core.windows.net private dns zone"
}
variable "privatelink_vaultcore_azure_net_resource_id" {
type = string
description = "Resource ID of the existing privatelink.vaultcore.azure.net private dns zone"
}

186
quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf Normal file
View File

@ -0,0 +1,186 @@
# Dependent resources for Azure Machine Learning
resource "azurerm_application_insights" "default" {
name = "appi-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
application_type = "web"
}
resource "azurerm_key_vault" "default" {
name = "kv-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
purge_protection_enabled = true
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "azurerm_storage_account" "default" {
name = "st${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
account_tier = "Standard"
account_replication_type = "GRS"
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
}
}
resource "azurerm_container_registry" "default" {
name = "cr${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
network_rule_set {
default_action = "Deny"
}
public_network_access_enabled = false
}
# Machine Learning workspace
resource "azurerm_machine_learning_workspace" "default" {
name = "mlw-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
application_insights_id = azurerm_application_insights.default.id
key_vault_id = azurerm_key_vault.default.id
storage_account_id = azurerm_storage_account.default.id
container_registry_id = azurerm_container_registry.default.id
identity {
type = "SystemAssigned"
}
# Args of use when using an Azure Private Link configuration
public_network_access_enabled = false
image_build_compute_name = var.image_build_compute_name
}
# Private endpoints
resource "azurerm_private_endpoint" "kv_ple" {
name = "ple-${var.name}-${var.environment}-kv"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = data.azurerm_subnet.ml.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [var.privatelink_vaultcore_azure_net_resource_id]
}
private_service_connection {
name = "psc-${var.name}-kv"
private_connection_resource_id = azurerm_key_vault.default.id
subresource_names = ["vault"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "st_ple_blob" {
name = "ple-${var.name}-${var.environment}-st-blob"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = data.azurerm_subnet.ml.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [var.privatelink_blob_core_windows_net_resource_id]
}
private_service_connection {
name = "psc-${var.name}-st"
private_connection_resource_id = azurerm_storage_account.default.id
subresource_names = ["blob"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "storage_ple_file" {
name = "ple-${var.name}-${var.environment}-st-file"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = data.azurerm_subnet.ml.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [var.privatelink_file_core_windows_net_resource_id]
}
private_service_connection {
name = "psc-${var.name}-st"
private_connection_resource_id = azurerm_storage_account.default.id
subresource_names = ["file"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "cr_ple" {
name = "ple-${var.name}-${var.environment}-cr"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = data.azurerm_subnet.ml.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [var.privatelink_azurecr_io_resource_id]
}
private_service_connection {
name = "psc-${var.name}-cr"
private_connection_resource_id = azurerm_container_registry.default.id
subresource_names = ["registry"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "mlw_ple" {
name = "ple-${var.name}-${var.environment}-mlw"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = data.azurerm_subnet.ml.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [
var.privatelink_api_azureml_ms_resource_id,
var.privatelink_notebooks_azure_net_resource_id
]
}
private_service_connection {
name = "psc-${var.name}-mlw"
private_connection_resource_id = azurerm_machine_learning_workspace.default.id
subresource_names = ["amlworkspace"]
is_manual_connection = false
}
}
# Compute cluster for image building required since the workspace is behind a vnet.
# For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds.
resource "azurerm_machine_learning_compute_cluster" "image-builder" {
name = var.image_build_compute_name
location = azurerm_resource_group.default.location
vm_priority = "LowPriority"
vm_size = "Standard_DS2_v2"
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
subnet_resource_id = data.azurerm_subnet.training.id
scale_settings {
min_node_count = 0
max_node_count = 3
scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes
}
identity {
type = "SystemAssigned"
}
}