From 22055a70a0452a1ead41c8667093d6963323a835 Mon Sep 17 00:00:00 2001
From: David Apolinar
Date: Tue, 14 Sep 2021 13:09:53 -0400
Subject: [PATCH 01/53] removed network rules to allow for dataset creation
---
 quickstart/101-machine-learning/workspace.tf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf
index edc60426..6aa90fee 100644
--- a/quickstart/101-machine-learning/workspace.tf
+++ b/quickstart/101-machine-learning/workspace.tf
@@ -26,11 +26,7 @@ resource "azurerm_storage_account" "default" {
 resource_group_name = azurerm_resource_group.default.name
 account_tier = "Standard"
 account_replication_type = "GRS"
-
- network_rules {
- default_action = "Deny"
- bypass = ["AzureServices"]
- }
+
 }
 
 resource "azurerm_container_registry" "default" {
From d42dcb167c8e64394fe9b8e515a5c8b83ca38dc7 Mon Sep 17 00:00:00 2001
From: Dennis Eikelenboom
Date: Tue, 14 Sep 2021 11:56:23 -0700
Subject: [PATCH 02/53] clarify network connectivitiy model
---
 quickstart/101-machine-learning/readme.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md
index 0bfd76f1..4a99297c 100644
--- a/quickstart/101-machine-learning/readme.md
+++ b/quickstart/101-machine-learning/readme.md
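Review bot: With the `network_rules` block deleted in the workspace.tf hunk, `azurerm_storage_account.default` sets no default action, so on a fresh deployment the account accepts traffic from all networks and only keys and role assignments protect the workspace's blobs and file shares. If the block was dropped because dataset creation from the operator's machine was being denied, a narrower fix is to keep `default_action = "Deny"` and add an `ip_rules` list fed from a variable holding the operator's address range. If open access is intended for this quickstart, say so next to the resource, e.g. `# Public endpoint left open on purpose; add network_rules before storing real data`. The resource block starts above the hunk, and the change also leaves a whitespace-only added line before the closing brace.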
@@ -1,9 +1,9 @@ -# Azure Machine Learning workspace +# Azure Machine Learning workspace (public network connectivity) This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. -This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. +This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. ## Resources From 76decf7a312972f8cad7875c27e8cf09dadc437c Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Tue, 14 Sep 2021 13:05:47 -0700 Subject: [PATCH 03/53] network connectivity purpose --- quickstart/101-machine-learning/readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index 4a99297c..ab837093 100644 --- a/quickstart/101-machine-learning/readme.md +++ b/quickstart/101-machine-learning/readme.md @@ -3,7 +3,9 @@ This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. -This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. +This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. + +Network connectivity to the workspace is allowed over public endpoints, making this configuration suitable for open source projects or pilot environments. ## Resources From 505f4238b551c3ca95de71235d55907ad981169d Mon Sep 17 00:00:00 2001 
From: Dennis Eikelenboom Date: Tue, 14 Sep 2021 13:15:16 -0700 Subject: [PATCH 04/53] naming --- .../main.tf | 0 .../network.tf | 0 .../readme.md | 44 +++++++++++++++++++ .../variables.tf | 0 .../workspace.tf | 0 .../readme.md | 2 +- 6 files changed, 45 insertions(+), 1 deletion(-) rename quickstart/{201-machine-learning-private => 201-machine-learning-moderately-secure}/main.tf (100%) rename quickstart/{201-machine-learning-private => 201-machine-learning-moderately-secure}/network.tf (100%) create mode 100644 quickstart/201-machine-learning-moderately-secure/readme.md rename quickstart/{201-machine-learning-private => 201-machine-learning-moderately-secure}/variables.tf (100%) rename quickstart/{201-machine-learning-private => 201-machine-learning-moderately-secure}/workspace.tf (100%) rename quickstart/{201-machine-learning-private => 301-machine-learning-highly-secure}/readme.md (97%) diff --git a/quickstart/201-machine-learning-private/main.tf b/quickstart/201-machine-learning-moderately-secure/main.tf similarity index 100% rename from quickstart/201-machine-learning-private/main.tf rename to quickstart/201-machine-learning-moderately-secure/main.tf diff --git a/quickstart/201-machine-learning-private/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf similarity index 100% rename from quickstart/201-machine-learning-private/network.tf rename to quickstart/201-machine-learning-moderately-secure/network.tf diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md new file mode 100644 index 00000000..6815e382 --- /dev/null +++ b/quickstart/201-machine-learning-moderately-secure/readme.md 
@@ -0,0 +1,44 @@ +# Azure Machine Learning workspace (moderately secure network set up) + +This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), +and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. + +In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning +for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). + +This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. + +To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). 
+ +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all resources get deployed into | +| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace | +| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace | +| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace | +| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace | +| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance | +| `azurerm_virtual_network` | An Azure Machine Learning workspace instance | +| `azurerm_subnet` | An Azure Machine Learning workspace instance | +| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources | +| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource | +| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | + +## Variables + +| Name | Description | +|-|-| +| name | Name of the deployment | +| environment | The deployment environment name (used for pre- and postfixing resource names) | +| location | The Azure region used for deployments | + + +## Usage + +```bash +terraform plan -var name=azureml567 -out demo.tfplan + +terraform apply "demo.tfplan" +``` diff --git a/quickstart/201-machine-learning-private/variables.tf b/quickstart/201-machine-learning-moderately-secure/variables.tf similarity index 100% rename from quickstart/201-machine-learning-private/variables.tf rename to quickstart/201-machine-learning-moderately-secure/variables.tf 
diff --git a/quickstart/201-machine-learning-private/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf similarity index 100% rename from quickstart/201-machine-learning-private/workspace.tf rename to quickstart/201-machine-learning-moderately-secure/workspace.tf diff --git a/quickstart/201-machine-learning-private/readme.md b/quickstart/301-machine-learning-highly-secure/readme.md similarity index 97% rename from quickstart/201-machine-learning-private/readme.md rename to quickstart/301-machine-learning-highly-secure/readme.md index 70c1b663..5d0dfcad 100644 --- a/quickstart/201-machine-learning-private/readme.md +++ b/quickstart/301-machine-learning-highly-secure/readme.md @@ -1,4 +1,4 @@ -# Azure Machine Learning workspace using Azure Private Link +# Azure Machine Learning workspace (highly secure network set up) This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. From 40caddf47c6bb3daf89028ba99f1dd86643a0543 Mon Sep 17 00:00:00 2001 From: ryhud Date: Tue, 14 Sep 2021 17:37:10 -0400 Subject: [PATCH 05/53] updating 201 AML --- .../.gitignore | 37 +++++ .../main.tf | 2 +- .../network.tf | 129 +++++++++++++++++- .../variables.tf | 24 +++- .../workspace.tf | 45 +++++- 5 files changed, 223 insertions(+), 14 deletions(-) create mode 100644 quickstart/201-machine-learning-moderately-secure/.gitignore diff --git a/quickstart/201-machine-learning-moderately-secure/.gitignore b/quickstart/201-machine-learning-moderately-secure/.gitignore new file mode 100644 index 00000000..6f8b76c0 --- /dev/null +++ b/quickstart/201-machine-learning-moderately-secure/.gitignore 
@@ -0,0 +1,37 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json +values.tfvars +*.tfvars +settings.tfvars +# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* +terraform/.terraform.lock.hcl +.DS_Store +terraform/.terraform.lock.hcl +terraform/.terraform.lock.hcl +.terraform.lock.hcl +terraform/.terraform.lock.hcl \ No newline at end of file diff --git a/quickstart/201-machine-learning-moderately-secure/main.tf b/quickstart/201-machine-learning-moderately-secure/main.tf index b6b66a46..67dea407 100644 --- a/quickstart/201-machine-learning-moderately-secure/main.tf +++ b/quickstart/201-machine-learning-moderately-secure/main.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=2.72.0" + version = "=2.76.0" } } } diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index dbf1b6a6..b1fcb2e8 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf 
@@ -6,11 +6,27 @@ resource "azurerm_virtual_network" "default" {
 resource_group_name = azurerm_resource_group.default.name
 }
 
-resource "azurerm_subnet" "mlsubnet" {
- name = "mlsubnet"
+resource "azurerm_subnet" "training-subnet" {
+ name = "training-subnet"
 resource_group_name = azurerm_resource_group.default.name
 virtual_network_name = azurerm_virtual_network.default.name
- address_prefixes = var.subnet_address_space
+ address_prefixes = var.training_subnet_address_space
+ enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "aks-subnet" {
+ name = "aks-subnet"
+ resource_group_name = azurerm_resource_group.default.name
+ virtual_network_name = azurerm_virtual_network.default.name
+ address_prefixes = var.aks_subnet_address_space
+ enforce_private_link_endpoint_network_policies = true
+}
+
+resource "azurerm_subnet" "ml-subnet" {
+ name = "ml-subnet"
+ resource_group_name = azurerm_resource_group.default.name
+ virtual_network_name = azurerm_virtual_network.default.name
+ address_prefixes = var.ml_subnet_address_space
 enforce_private_link_endpoint_network_policies = true
 }
 
@@ -87,3 +103,110 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" { private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name virtual_network_id = azurerm_virtual_network.default.id } + +# Network Security Groups + +resource "azurerm_network_security_group" "training-NSG" { + name = "training-NSG" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + security_rule { + name = "BatchNodeManagement" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "29876-29877" + source_address_prefix = "BatchNodeManagement" + destination_address_prefix = "*" + } + security_rule { + name = "AzureMachineLearning" + priority = 110 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "44224" + source_address_prefix = "AzureMachineLearning" + destination_address_prefix = "*" + } +} + +resource "azurerm_subnet_network_security_group_association" "training-NSG-link" { + subnet_id = azurerm_subnet.training-subnet.id + network_security_group_id = azurerm_network_security_group.training-NSG.id +} + +resource "azurerm_network_security_group" "aks-NSG" { + name = "aks-NSG" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + +} + +resource "azurerm_subnet_network_security_group_association" "aks-NSG-link" { + subnet_id = azurerm_subnet.aks-subnet.id + network_security_group_id = azurerm_network_security_group.aks-NSG.id +} + +# User Defined Routes + +#UDR for Compute instance and compute clusters +resource "azurerm_route_table" "training-UDR" { + name = "training-UDR" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_route" "training-Internet-Route" { + name = "Internet" + resource_group_name = 
azurerm_resource_group.default.name + route_table_name = azurerm_route_table.training-UDR.name + address_prefix = "0.0.0.0/0" + next_hop_type = "Internet" +} + +resource "azurerm_route" "training-AzureMLRoute" { + name = "AzureMLRoute" + resource_group_name = azurerm_resource_group.default.name + route_table_name = azurerm_route_table.training-UDR.name + address_prefix = "AzureMachineLearning" + next_hop_type = "Internet" +} + +resource "azurerm_route" "training-BatchRoute" { + name = "BatchRoute" + resource_group_name = azurerm_resource_group.default.name + route_table_name = azurerm_route_table.training-UDR.name + address_prefix = "BatchNodeManagement" + next_hop_type = "Internet" +} + +resource "azurerm_subnet_route_table_association" "training-UDRlink" { + subnet_id = azurerm_subnet.training-subnet.id + route_table_id = azurerm_route_table.training-UDR.id +} +# Inferencing (AKS) Route + +resource "azurerm_route_table" "aks-UDR" { + name = "aks-UDR" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_route" "aks-Internet-Route" { + name = "Internet" + resource_group_name = azurerm_resource_group.default.name + route_table_name = azurerm_route_table.aks-UDR.name + address_prefix = "0.0.0.0/0" + next_hop_type = "Internet" +} + +resource "azurerm_subnet_route_table_association" "aks-UDR-link" { + subnet_id = azurerm_subnet.aks-subnet.id + route_table_id = azurerm_route_table.aks-UDR.id +} \ No newline at end of file diff --git a/quickstart/201-machine-learning-moderately-secure/variables.tf b/quickstart/201-machine-learning-moderately-secure/variables.tf index ae58bfd1..bc226931 100644 --- a/quickstart/201-machine-learning-moderately-secure/variables.tf +++ b/quickstart/201-machine-learning-moderately-secure/variables.tf 
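Review bot: Nothing added in this network.tf hunk limits outbound traffic: `training-NSG` carries two inbound allow rules only, `aks-NSG` has no rules at all, and both route tables send `0.0.0.0/0` to `next_hop_type = "Internet"`. Compute in the training and AKS subnets, which can reach the private endpoints for storage, Key Vault and the registry, is therefore also free to send data to any internet destination, which sits oddly with a configuration named "moderately secure". I would add outbound allow rules for the service tags Azure Machine Learning needs, followed by an outbound deny, or at least record the gap with `# Egress is unrestricted here (default route to Internet, no outbound NSG rules); restrict before handling sensitive data`. The `AzureMLRoute` and `BatchRoute` entries also look redundant while the `0.0.0.0/0` route has the same next hop.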
@@ -17,12 +17,30 @@ variable "location" { variable "vnet_address_space" { type = list(string) - description = "Address space of the subnet" + description = "Address space of the virtual network" default = ["10.0.0.0/16"] } -variable "subnet_address_space" { +variable "training_subnet_address_space" { type = list(string) - description = "Address space of the subnet" + description = "Address space of the training subnet" default = ["10.0.0.0/24"] +} + +variable "aks_subnet_address_space" { + type = list(string) + description = "Address space of the aks subnet" + default = ["10.0.1.0/24"] +} + +variable "ml_subnet_address_space" { + type = list(string) + description = "Address space of the ML workspace subnet" + default = ["10.0.2.0/24"] +} + +variable "image_build_compute_name" { + type = string + description = "Name of the compute cluster to be created and set to build docker images" + default = "image-builder" } \ No newline at end of file diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index da718bc2..dc4beb33 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -12,7 +12,7 @@ resource "azurerm_key_vault" "default" { resource_group_name = azurerm_resource_group.default.name tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" - purge_protection_enabled = false + purge_protection_enabled = true network_acls { default_action = "Deny" @@ -61,7 +61,7 @@ resource "azurerm_private_endpoint" "kv_ple" { name = "ple-${var.name}-${var.environment}-kv" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.mlsubnet.id + subnet_id = azurerm_subnet.ml-subnet.id private_dns_zone_group { name = "private-dns-zone-group" 
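Review bot: `purge_protection_enabled = true` in the `azurerm_key_vault.default` hunk cannot be turned off once it has been applied, and nothing in the file tells a quickstart user that. A comment on that line would help, for example `# Purge protection cannot be disabled once enabled; a destroyed vault stays soft-deleted until its retention period ends`. The same flip is made without comment in the 101 workspace.tf hunk of PATCH 09/53, whose subject ("Updated time") does not mention it. The key vault block starts and ends outside the hunk.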
@@ -80,7 +80,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" { name = "ple-${var.name}-${var.environment}-st-blob" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.mlsubnet.id + subnet_id = azurerm_subnet.ml-subnet.id private_dns_zone_group { name = "private-dns-zone-group" @@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" { name = "ple-${var.name}-${var.environment}-st-file" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.mlsubnet.id + subnet_id = azurerm_subnet.ml-subnet.id private_dns_zone_group { name = "private-dns-zone-group" @@ -118,7 +118,7 @@ resource "azurerm_private_endpoint" "cr_ple" { name = "ple-${var.name}-${var.environment}-cr" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.mlsubnet.id + subnet_id = azurerm_subnet.ml-subnet.id private_dns_zone_group { name = "private-dns-zone-group" @@ -137,7 +137,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { name = "ple-${var.name}-${var.environment}-mlw" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.mlsubnet.id + subnet_id = azurerm_subnet.ml-subnet.id private_dns_zone_group { name = "private-dns-zone-group" 
@@ -153,5 +153,36 @@ resource "azurerm_private_endpoint" "mlw_ple" { subresource_names = [ "amlworkspace" ] is_manual_connection = false } +} +#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds -} \ No newline at end of file +resource "azurerm_machine_learning_compute_cluster" "image-builder" { + name = "${var.image_build_compute_name}" + location = azurerm_resource_group.default.location + vm_priority = "LowPriority" + vm_size = "Standard_DS2_v2" + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + subnet_resource_id = azurerm_subnet.training-subnet.id + + scale_settings { + min_node_count = 0 + max_node_count = 1 + scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds + } + + identity { + type = "SystemAssigned" + } +} + +# Update workspace for image-build-compute + +resource "null_resource" "ws_image_build_compute"{ + provisioner "local-exec" { + command = < Date: Thu, 16 Sep 2021 11:24:11 -0400 Subject: [PATCH 06/53] updating naming convention --- .../network.tf | 60 +++++++++---------- .../workspace.tf | 12 ++-- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index b1fcb2e8..3bcb8f41 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf 
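Review bot: `name = "${var.image_build_compute_name}"` in the image-builder cluster is an interpolation-only expression and should be written `name = var.image_build_compute_name`. The `null_resource` that follows runs a `local-exec` command on whichever machine executes Terraform, and its command text is not readable on this page, so how values reach the shell could not be checked. If the command interpolates `var.*` values into the string, passing them through the provisioner's `environment` map keeps them out of the command line. A `triggers` map on the `null_resource` would also make the step re-run when the compute name changes.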
@@ -6,24 +6,24 @@ resource "azurerm_virtual_network" "default" { resource_group_name = azurerm_resource_group.default.name } -resource "azurerm_subnet" "training-subnet" { - name = "training-subnet" +resource "azurerm_subnet" "snet-training" { + name = "snet-training" resource_group_name = azurerm_resource_group.default.name virtual_network_name = azurerm_virtual_network.default.name address_prefixes = var.training_subnet_address_space enforce_private_link_endpoint_network_policies = true } -resource "azurerm_subnet" "aks-subnet" { - name = "aks-subnet" +resource "azurerm_subnet" "snet-aks" { + name = "snet-aks" resource_group_name = azurerm_resource_group.default.name virtual_network_name = azurerm_virtual_network.default.name address_prefixes = var.aks_subnet_address_space enforce_private_link_endpoint_network_policies = true } -resource "azurerm_subnet" "ml-subnet" { - name = "ml-subnet" +resource "azurerm_subnet" "snet-workspace" { + name = "snet-workspace" resource_group_name = azurerm_resource_group.default.name virtual_network_name = azurerm_virtual_network.default.name address_prefixes = var.ml_subnet_address_space @@ -106,8 +106,8 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" { # Network Security Groups -resource "azurerm_network_security_group" "training-NSG" { - name = "training-NSG" +resource "azurerm_network_security_group" "nsg-training" { + name = "nsg-training" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name 
@@ -135,29 +135,29 @@ resource "azurerm_network_security_group" "training-NSG" { } } -resource "azurerm_subnet_network_security_group_association" "training-NSG-link" { - subnet_id = azurerm_subnet.training-subnet.id - network_security_group_id = azurerm_network_security_group.training-NSG.id +resource "azurerm_subnet_network_security_group_association" "nsg-training-link" { + subnet_id = azurerm_subnet.snet-training.id + network_security_group_id = azurerm_network_security_group.nsg-training.id } -resource "azurerm_network_security_group" "aks-NSG" { - name = "aks-NSG" +resource "azurerm_network_security_group" "nsg-aks" { + name = "nsg-aks" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name } -resource "azurerm_subnet_network_security_group_association" "aks-NSG-link" { - subnet_id = azurerm_subnet.aks-subnet.id - network_security_group_id = azurerm_network_security_group.aks-NSG.id +resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { + subnet_id = azurerm_subnet.snet-aks.id + network_security_group_id = azurerm_network_security_group.nsg-aks.id } # User Defined Routes #UDR for Compute instance and compute clusters -resource "azurerm_route_table" "training-UDR" { - name = "training-UDR" +resource "azurerm_route_table" "rt-training" { + name = "rt-training" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name } @@ -165,7 +165,7 @@ resource "azurerm_route_table" "training-UDR" { resource "azurerm_route" "training-Internet-Route" { name = "Internet" resource_group_name = azurerm_resource_group.default.name - route_table_name = azurerm_route_table.training-UDR.name + route_table_name = azurerm_route_table.rt-training.name address_prefix = "0.0.0.0/0" next_hop_type = "Internet" } 
@@ -173,7 +173,7 @@ resource "azurerm_route" "training-Internet-Route" { resource "azurerm_route" "training-AzureMLRoute" { name = "AzureMLRoute" resource_group_name = azurerm_resource_group.default.name - route_table_name = azurerm_route_table.training-UDR.name + route_table_name = azurerm_route_table.rt-training.name address_prefix = "AzureMachineLearning" next_hop_type = "Internet" } @@ -181,19 +181,19 @@ resource "azurerm_route" "training-AzureMLRoute" { resource "azurerm_route" "training-BatchRoute" { name = "BatchRoute" resource_group_name = azurerm_resource_group.default.name - route_table_name = azurerm_route_table.training-UDR.name + route_table_name = azurerm_route_table.rt-training.name address_prefix = "BatchNodeManagement" next_hop_type = "Internet" } -resource "azurerm_subnet_route_table_association" "training-UDRlink" { - subnet_id = azurerm_subnet.training-subnet.id - route_table_id = azurerm_route_table.training-UDR.id +resource "azurerm_subnet_route_table_association" "rt-training-link" { + subnet_id = azurerm_subnet.snet-training.id + route_table_id = azurerm_route_table.rt-training.id } # Inferencing (AKS) Route -resource "azurerm_route_table" "aks-UDR" { - name = "aks-UDR" +resource "azurerm_route_table" "rt-aks" { + name = "rt-aks" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name } 
@@ -201,12 +201,12 @@ resource "azurerm_route_table" "aks-UDR" { resource "azurerm_route" "aks-Internet-Route" { name = "Internet" resource_group_name = azurerm_resource_group.default.name - route_table_name = azurerm_route_table.aks-UDR.name + route_table_name = azurerm_route_table.rt-aks.name address_prefix = "0.0.0.0/0" next_hop_type = "Internet" } -resource "azurerm_subnet_route_table_association" "aks-UDR-link" { - subnet_id = azurerm_subnet.aks-subnet.id - route_table_id = azurerm_route_table.aks-UDR.id +resource "azurerm_subnet_route_table_association" "rt-aks-link" { + subnet_id = azurerm_subnet.snet-aks.id + route_table_id = azurerm_route_table.rt-aks.id } \ No newline at end of file diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index dc4beb33..a6bc89d9 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -61,7 +61,7 @@ resource "azurerm_private_endpoint" "kv_ple" { name = "ple-${var.name}-${var.environment}-kv" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.ml-subnet.id + subnet_id = azurerm_subnet.snet-workspace.id private_dns_zone_group { name = "private-dns-zone-group" @@ -80,7 +80,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" { name = "ple-${var.name}-${var.environment}-st-blob" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.ml-subnet.id + subnet_id = azurerm_subnet.snet-workspace.id private_dns_zone_group { name = "private-dns-zone-group" 
@@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" { name = "ple-${var.name}-${var.environment}-st-file" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.ml-subnet.id + subnet_id = azurerm_subnet.snet-workspace.id private_dns_zone_group { name = "private-dns-zone-group" @@ -118,7 +118,7 @@ resource "azurerm_private_endpoint" "cr_ple" { name = "ple-${var.name}-${var.environment}-cr" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.ml-subnet.id + subnet_id = azurerm_subnet.snet-workspace.id private_dns_zone_group { name = "private-dns-zone-group" @@ -137,7 +137,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { name = "ple-${var.name}-${var.environment}-mlw" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = azurerm_subnet.ml-subnet.id + subnet_id = azurerm_subnet.snet-workspace.id private_dns_zone_group { name = "private-dns-zone-group" @@ -162,7 +162,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { vm_priority = "LowPriority" vm_size = "Standard_DS2_v2" machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id - subnet_resource_id = azurerm_subnet.training-subnet.id + subnet_resource_id = azurerm_subnet.snet-training.id scale_settings { min_node_count = 0 From 0c5c67244a9aca8e0a2abdff46cc5a86481525cf Mon Sep 17 00:00:00 2001 From: David Apolinar Date: Thu, 16 Sep 2021 11:49:49 -0400 Subject: [PATCH 07/53] Added Compute Instance and Compute Cluster Resources --- quickstart/101-machine-learning/main.tf | 2 +- quickstart/101-machine-learning/workspace.tf | 29 ++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/quickstart/101-machine-learning/main.tf b/quickstart/101-machine-learning/main.tf index 3c5cf513..b7d6655b 100644 
--- a/quickstart/101-machine-learning/main.tf
+++ b/quickstart/101-machine-learning/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "=2.56.0"
+ version = "=2.76.0"
 }
 }
 }
diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf
index 6aa90fee..589c7144 100644
--- a/quickstart/101-machine-learning/workspace.tf
+++ b/quickstart/101-machine-learning/workspace.tf
@@ -50,4 +50,33 @@ resource "azurerm_machine_learning_workspace" "default" {
 identity {
 type = "SystemAssigned"
 }
+}
+
+# Compite Instance
+
+resource "azurerm_machine_learning_compute_instance" "compute_instance" {
+ name = "default-instance"
+ location = azurerm_resource_group.default.location
+ machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
+ virtual_machine_size = "STANDARD_DS2_V2"
+}
+
+# Compute Cluster
+
+resource "azurerm_machine_learning_compute_cluster" "compute" {
+ name = "default-compute"
+ location = azurerm_resource_group.default.location
+ machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
+ vm_priority = "Dedicated"
+ vm_size = "STANDARD_DS2_V2"
+ identity {
+ type = "SystemAssigned"
+ }
+
+ scale_settings {
+ min_node_count = 0
+ max_node_count = 3
+ scale_down_nodes_after_idle_duration = "PT5M" # 30 seconds
+ }
+
 }
\ No newline at end of file
From a314cc5351406e93bca77b0e08c8825680cdf8b3 Mon Sep 17 00:00:00 2001
From: Dennis Eikelenboom
Date: Thu, 16 Sep 2021 16:11:33 -0700
Subject: [PATCH 08/53] Fix typo
---
 quickstart/101-machine-learning/workspace.tf | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf
index 589c7144..89f0d64e 100644
--- a/quickstart/101-machine-learning/workspace.tf
+++ b/quickstart/101-machine-learning/workspace.tf
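Review bot: The inline comment on `scale_down_nodes_after_idle_duration = "PT5M" # 30 seconds` in the workspace.tf hunk contradicts the value, which is an ISO 8601 duration of five minutes; it should read `# 5 minutes`. The heading `# Compite Instance` is misspelled and should be `# Compute Instance`. Separately, the compute instance name is hard-coded as `"default-instance"`; as far as I know compute instance names must be unique within an Azure region, so a second deployment of this quickstart in the same region is likely to fail unless the name is derived from a per-deployment variable.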
@@ -52,8 +52,7 @@ resource "azurerm_machine_learning_workspace" "default" { } } -# Compite Instance - +# Compute Instance resource "azurerm_machine_learning_compute_instance" "compute_instance" { name = "default-instance" location = azurerm_resource_group.default.location @@ -62,13 +61,12 @@ resource "azurerm_machine_learning_compute_instance" "compute_instance" { } # Compute Cluster - resource "azurerm_machine_learning_compute_cluster" "compute" { name = "default-compute" location = azurerm_resource_group.default.location machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id vm_priority = "Dedicated" - vm_size = "STANDARD_DS2_V2" + vm_size = "STANDARD_DS2_V2" identity { type = "SystemAssigned" } @@ -79,4 +77,4 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { scale_down_nodes_after_idle_duration = "PT5M" # 30 seconds } -} \ No newline at end of file +} From a420a370b0f2e4f9efff80b1a09552f6979b08d0 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Thu, 16 Sep 2021 16:13:26 -0700 Subject: [PATCH 09/53] Updated time --- quickstart/101-machine-learning/workspace.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf index 89f0d64e..344144ee 100644 --- a/quickstart/101-machine-learning/workspace.tf +++ b/quickstart/101-machine-learning/workspace.tf @@ -12,7 +12,7 @@ resource "azurerm_key_vault" "default" { resource_group_name = azurerm_resource_group.default.name tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" - purge_protection_enabled = false + purge_protection_enabled = true network_acls { default_action = "Deny" @@ -74,7 +74,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { scale_settings { min_node_count = 0 max_node_count = 3 - scale_down_nodes_after_idle_duration = "PT5M" # 30 seconds + scale_down_nodes_after_idle_duration = "PT10M" # 10 minutes } } 
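Review bot: `purge_protection_enabled = true` in the `azurerm_key_vault.default` hunk is a one-way switch, and the commit subject ("Updated time") does not mention it. Once set it cannot be turned off, and a destroyed vault stays soft-deleted with its name reserved until the retention period ends, so a quickstart user who destroys and re-applies with the same vault name will likely hit a conflict. The setting is the safer default and worth keeping, but it deserves a comment on the line, e.g. `# cannot be disabled once enabled; a deleted vault keeps its name reserved for the soft-delete retention period`, and its own line in the commit message. The resource body continues outside the hunk.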
From 40a0e273fa0f81369a1786af42741e82084b29d8 Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 17 Sep 2021 09:40:41 -0400 Subject: [PATCH 10/53] updating notebooks Private DNS Zone --- quickstart/201-machine-learning-moderately-secure/network.tf | 2 +- .../201-machine-learning-moderately-secure/workspace.tf | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index 3bcb8f41..707239f7 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf @@ -93,7 +93,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { } resource "azurerm_private_dns_zone" "dnsnotebooks" { - name = "privatelink.azureml.notebooks.net" + name = "privatelink.notebooks.azure.net" resource_group_name = azurerm_resource_group.default.name } diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index a6bc89d9..3bedf68c 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -141,10 +141,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { private_dns_zone_group { name = "private-dns-zone-group" - private_dns_zone_ids = [ - azurerm_private_dns_zone.dnsazureml.id, - azurerm_private_dns_zone.dnsnotebooks.id - ] + private_dns_zone_ids = [azurerm_private_dns_zone.dnsazureml.id, azurerm_private_dns_zone.dnsnotebooks.id] } private_service_connection { From 6a6b30681f1b041a15aba51afcb00cbb5b5e40a6 Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 17 Sep 2021 16:44:12 -0400 Subject: [PATCH 11/53] updating firewall on ACR --- .../201-machine-learning-moderately-secure/workspace.tf | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index 3bedf68c..e5a28e03 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -39,6 +39,11 @@ resource "azurerm_container_registry" "default" { resource_group_name = azurerm_resource_group.default.name sku = "Premium" admin_enabled = true + + network_rule_set { + default_action = "Deny" + } + public_network_access_enabled = false } # Machine Learning workspace From 5173414efeec2085137340f729eebd554f6635e4 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:33:51 -0700 Subject: [PATCH 12/53] Include reference to compute --- quickstart/101-machine-learning/readme.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index ab837093..86ee1c63 100644 --- a/quickstart/101-machine-learning/readme.md +++ b/quickstart/101-machine-learning/readme.md 
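Review bot: `admin_enabled = true` (context line just above the added block) stays on while this hunk closes the registry's network path, so the shared admin username/password account remains a valid credential for anything that can reach the private endpoint. If Azure Machine Learning needs the admin account on its registry, record that next to the setting, e.g. `# admin account kept enabled because Azure ML requires it for the workspace ACR (confirm against current docs)`; otherwise set it to `false` and rely on identity-based pulls. `public_network_access_enabled = false` is also indented one level shallower than the other arguments in the block. The resource starts outside the hunk.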
@@ -11,12 +11,14 @@ Network connectivity to the workspace is allowed over public endpoints, making t | Terraform Resource Type | Description | | - | - | -| `azurerm_resource_group` | The resource group all resources get deployed into | -| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace | -| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace | -| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace | -| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace | -| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance | +| `azurerm_resource_group` | The resource group all resources get deployed into. | +| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace. | +| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace. | +| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace. | +| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace. | +| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance. | +| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance. | +| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster. | ## Variables From 790fbc87d35b7d63b84f1e6a15e11fa07afbbc2d Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:35:06 -0700 Subject: [PATCH 13/53] Update compute resources description --- quickstart/101-machine-learning/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index 86ee1c63..acfa0b50 100644 --- a/quickstart/101-machine-learning/readme.md +++ b/quickstart/101-machine-learning/readme.md @@ -17,8 +17,8 @@ Network connectivity to the workspace is allowed over public endpoints, making t | `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace. | | `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace. | | `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance. | -| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance. | -| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster. | +| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. | +| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. | ## Variables From cc25a4036249865d1302602b024d6c7b24fe9157 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:36:07 -0700 Subject: [PATCH 14/53] Include description on compute resources --- quickstart/201-machine-learning-moderately-secure/readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 6815e382..8863934b 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md 
@@ -25,6 +25,8 @@ To learn more about security configurations in Azure Machine Learning, see [Ente | `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources | | `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource | | `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | +| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. | +| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. | ## Variables From 3733966dfd77df3846303754bde282d6be93ac16 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:38:06 -0700 Subject: [PATCH 15/53] Updated compute properties --- .../201-machine-learning-moderately-secure/workspace.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index e5a28e03..032ae2e0 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -156,8 +156,9 @@ resource "azurerm_private_endpoint" "mlw_ple" { is_manual_connection = false } } -#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds +# Compute cluster for image building required since the workspace is behind a vnet. +# For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds. resource "azurerm_machine_learning_compute_cluster" "image-builder" { name = "${var.image_build_compute_name}" location = azurerm_resource_group.default.location 
@@ -169,7 +170,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { scale_settings { min_node_count = 0 max_node_count = 1 - scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds + scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } identity { @@ -178,7 +179,6 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { } # Update workspace for image-build-compute - resource "null_resource" "ws_image_build_compute"{ provisioner "local-exec" { command = < Date: Fri, 17 Sep 2021 14:39:33 -0700 Subject: [PATCH 16/53] Tidy up --- .../201-machine-learning-moderately-secure/network.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index 707239f7..f6566eb7 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf @@ -55,7 +55,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" { virtual_network_id = azurerm_virtual_network.default.id } - resource "azurerm_private_dns_zone" "dnsstoragefile" { name = "privatelink.file.core.windows.net" resource_group_name = azurerm_resource_group.default.name @@ -155,7 +154,7 @@ resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { # User Defined Routes -#UDR for Compute instance and compute clusters +# UDR for Compute instance and compute clusters resource "azurerm_route_table" "rt-training" { name = "rt-training" location = azurerm_resource_group.default.location @@ -190,8 +189,8 @@ resource "azurerm_subnet_route_table_association" "rt-training-link" { subnet_id = azurerm_subnet.snet-training.id route_table_id = azurerm_route_table.rt-training.id } -# Inferencing (AKS) Route +# Inferencing (AKS) Route resource "azurerm_route_table" "rt-aks" { name = "rt-aks" location = azurerm_resource_group.default.location 
@@ -209,4 +208,4 @@ resource "azurerm_route" "aks-Internet-Route" { resource "azurerm_subnet_route_table_association" "rt-aks-link" { subnet_id = azurerm_subnet.snet-aks.id route_table_id = azurerm_route_table.rt-aks.id -} \ No newline at end of file +} From 7973eb855dd6fb1ca5cab512538d2ee1ad14e62b Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:40:06 -0700 Subject: [PATCH 17/53] Tidy up --- quickstart/201-machine-learning-moderately-secure/network.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index f6566eb7..1fbbf6f1 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf @@ -143,8 +143,6 @@ resource "azurerm_network_security_group" "nsg-aks" { name = "nsg-aks" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - - } resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { From bb5e5893e723fcba88d0a4b4f07d4971aeeccd4b Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:42:02 -0700 Subject: [PATCH 18/53] Include nsg resource with docs --- quickstart/201-machine-learning-moderately-secure/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 8863934b..45d1fbe5 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md 
@@ -27,6 +27,7 @@ To learn more about security configurations in Azure Machine Learning, see [Ente | `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | | `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. | | `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. | +| `azurerm_network_security_group` | Network security group with required inbound and outbound rules for Azure Machine Learning. | ## Variables From c2ded7bfd46a3e7c28934418e6b9b7d00022814a Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:43:57 -0700 Subject: [PATCH 19/53] Reflect latest variable state --- quickstart/201-machine-learning-moderately-secure/readme.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 45d1fbe5..e0696859 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -36,7 +36,11 @@ To learn more about security configurations in Azure Machine Learning, see [Ente | name | Name of the deployment | | environment | The deployment environment name (used for pre- and postfixing resource names) | | location | The Azure region used for deployments | - +| vnet_address_space | Address space of the virtual network | +| training_subnet_address_space | Address space of the training subnet | +| aks_subnet_address_space | Address space of the aks subnet | +| ml_subnet_address_space | Address space of the ML workspace subnet | +| image_build_compute_name | Name of the compute cluster to be created and set to build docker images | ## Usage From a78a330a33620404f5c9344e0c19c884f2f4c902 Mon Sep 17 00:00:00 2001 
From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:46:38 -0700 Subject: [PATCH 20/53] Include learn more links --- .../201-machine-learning-moderately-secure/readme.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index e0696859..cf9b2b9e 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -8,8 +8,6 @@ for private network connectivity using [Azure Private Link](https://docs.microso This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. -To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). - ## Resources | Terraform Resource Type | Description | @@ -49,3 +47,8 @@ terraform plan -var name=azureml567 -out demo.tfplan terraform apply "demo.tfplan" ``` + +## Learn more + +- If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/). +- To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). From c272d2d0eaef207b6d36f25e19d9014971315079 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 14:47:23 -0700 Subject: [PATCH 21/53] Include learn more links --- quickstart/101-machine-learning/readme.md | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index acfa0b50..8d3fac5c 100644 --- a/quickstart/101-machine-learning/readme.md +++ b/quickstart/101-machine-learning/readme.md @@ -35,3 +35,8 @@ terraform plan -var name=azureml567 -out demo.tfplan terraform apply "demo.tfplan" ``` + +## Learn more + +- If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/). +- To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). From ce37d06206b2f969c902c2122da390e546896549 Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 17 Sep 2021 18:05:06 -0400 Subject: [PATCH 22/53] Adding 202 for existing VNet --- .../.gitignore | 37 +++ .../main.tf | 21 ++ .../network.tf | 214 ++++++++++++++++++ .../readme.md | 44 ++++ .../variables.tf | 71 ++++++ .../workspace.tf | 193 ++++++++++++++++ 6 files changed, 580 insertions(+) create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore b/quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore new file mode 100644 index 00000000..6f8b76c0 --- /dev/null 
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore
@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+values.tfvars
+*.tfvars
+settings.tfvars
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+terraform/.terraform.lock.hcl
+.DS_Store
+terraform/.terraform.lock.hcl
+terraform/.terraform.lock.hcl
+.terraform.lock.hcl
+terraform/.terraform.lock.hcl
\ No newline at end of file
diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf
new file mode 100644
index 00000000..67dea407
--- /dev/null
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_version = ">=0.15.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "=2.76.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "default" {
+ name = "rg-${var.name}-${var.environment}"
+ location = var.location
+}
diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf
new file mode 100644
index 00000000..287c5846
--- /dev/null
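Review bot: The new `.gitignore` excludes `.terraform.lock.hcl` (once bare and four times as `terraform/.terraform.lock.hcl`), which keeps the dependency lock file out of version control. That file records the provider checksums Terraform verifies on `init`, so without it the `=2.76.0` pin in `main.tf` fixes the version but not the artifact hashes a later checkout will accept. I would drop those five lines and commit the lock file with the sample. Separately, `*.tfvars` is ignored while the comment a few lines up says most `.tfvars` files should be checked in; keeping the ignore is reasonable since these files often carry secrets, but the comment should say so.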
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf 
@@ -0,0 +1,214 @@ +/* +# Virtual Network +resource "azurerm_virtual_network" "default" { + name = "vnet-${var.name}-${var.environment}" + address_space = var.vnet_address_space + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_subnet" "snet-training" { + name = "snet-training" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = var.training_subnet_address_space + enforce_private_link_endpoint_network_policies = true +} + +resource "azurerm_subnet" "snet-aks" { + name = "snet-aks" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = var.aks_subnet_address_space + enforce_private_link_endpoint_network_policies = true +} + +resource "azurerm_subnet" "snet-workspace" { + name = "snet-workspace" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = var.ml_subnet_address_space + enforce_private_link_endpoint_network_policies = true +} + +# Private DNS Zones +resource "azurerm_private_dns_zone" "dnsvault" { + name = "privatelink.vaultcore.azure.net" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkvault" { + name = "dnsvaultlink" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.dnsvault.name + virtual_network_id = azurerm_virtual_network.default.id +} + +resource "azurerm_private_dns_zone" "dnsstorageblob" { + name = "privatelink.blob.core.windows.net" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" { + name = "dnsblobstoragelink" + resource_group_name = azurerm_resource_group.default.name + 
private_dns_zone_name = azurerm_private_dns_zone.dnsstorageblob.name + virtual_network_id = azurerm_virtual_network.default.id +} + + +resource "azurerm_private_dns_zone" "dnsstoragefile" { + name = "privatelink.file.core.windows.net" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkfile" { + name = "dnsfilestoragelink" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.dnsstoragefile.name + virtual_network_id = azurerm_virtual_network.default.id +} + +resource "azurerm_private_dns_zone" "dnscontainerregistry" { + name = "privatelink.azurecr.io" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" { + name = "dnscrlink" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.dnscontainerregistry.name + virtual_network_id = azurerm_virtual_network.default.id +} + +resource "azurerm_private_dns_zone" "dnsazureml" { + name = "privatelink.api.azureml.ms" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { + name = "dnsazuremllink" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.dnsazureml.name + virtual_network_id = azurerm_virtual_network.default.id +} + +resource "azurerm_private_dns_zone" "dnsnotebooks" { + name = "privatelink.azureml.notebooks.net" + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" { + name = "dnsnotebookslink" + resource_group_name = azurerm_resource_group.default.name + private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name + virtual_network_id = azurerm_virtual_network.default.id +} +*/ + +# Network Security Groups + +resource 
"azurerm_network_security_group" "nsg-training" { + name = "nsg-training" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + security_rule { + name = "BatchNodeManagement" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "29876-29877" + source_address_prefix = "BatchNodeManagement" + destination_address_prefix = "*" + } + security_rule { + name = "AzureMachineLearning" + priority = 110 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "*" + destination_port_range = "44224" + source_address_prefix = "AzureMachineLearning" + destination_address_prefix = "*" + } +} + +resource "azurerm_subnet_network_security_group_association" "nsg-training-link" { + subnet_id = var.training_subnet_resource_id + network_security_group_id = azurerm_network_security_group.nsg-training.id +} + +resource "azurerm_network_security_group" "nsg-aks" { + name = "nsg-aks" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + + +} + +resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { + subnet_id = var.aks_subnet_resource_id + network_security_group_id = azurerm_network_security_group.nsg-aks.id +} + +# User Defined Routes + +#UDR for Compute instance and compute clusters +resource "azurerm_route_table" "rt-training" { + name = "rt-training" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_route" "training-Internet-Route" { + name = "Internet" + resource_group_name = azurerm_resource_group.default.name + route_table_name = azurerm_route_table.rt-training.name + address_prefix = "0.0.0.0/0" + next_hop_type = "Internet" +} + +resource "azurerm_route" "training-AzureMLRoute" { + name = "AzureMLRoute" + resource_group_name = 
azurerm_resource_group.default.name + route_table_name = azurerm_route_table.rt-training.name + address_prefix = "AzureMachineLearning" + next_hop_type = "Internet" +} + +resource "azurerm_route" "training-BatchRoute" { + name = "BatchRoute" + resource_group_name = azurerm_resource_group.default.name + route_table_name = azurerm_route_table.rt-training.name + address_prefix = "BatchNodeManagement" + next_hop_type = "Internet" +} + +resource "azurerm_subnet_route_table_association" "rt-training-link" { + subnet_id = var.training_subnet_resource_id + route_table_id = azurerm_route_table.rt-training.id +} +# Inferencing (AKS) Route + +resource "azurerm_route_table" "rt-aks" { + name = "rt-aks" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name +} + +resource "azurerm_route" "aks-Internet-Route" { + name = "Internet" + resource_group_name = azurerm_resource_group.default.name + route_table_name = azurerm_route_table.rt-aks.name + address_prefix = "0.0.0.0/0" + next_hop_type = "Internet" +} + +resource "azurerm_subnet_route_table_association" "rt-aks-link" { + subnet_id = var.aks_subnet_resource_id + route_table_id = azurerm_route_table.rt-aks.id +} \ No newline at end of file diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md new file mode 100644 index 00000000..6815e382 --- /dev/null +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
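Review bot: `nsg-training-link`, `nsg-aks-link`, `rt-training-link` and `rt-aks-link` attach a new NSG and route table to subnets the caller supplies (`var.training_subnet_resource_id`, `var.aks_subnet_resource_id`). A subnet holds only one of each, so applying this to an existing VNet will conflict with or displace whatever the network owner already attached. The route tables also send `0.0.0.0/0` to `Internet`, which would bypass forced tunnelling through a firewall if the existing VNet relies on it. Say so in a header comment, e.g. `# NOTE: attaches its own NSG and route table to the supplied subnets; review against existing egress controls before applying`, and repeat it in the readme. The commented-out block at the top still carries the zone name `privatelink.azureml.notebooks.net` that patch 10 replaced in the 201 sample, and it would be cleaner to delete the block than to keep it in comments.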
@@ -0,0 +1,44 @@ +# Azure Machine Learning workspace (moderately secure network set up) + +This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), +and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. + +In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning +for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). + +This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. + +To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). 
+ +## Resources + +| Terraform Resource Type | Description | +| - | - | +| `azurerm_resource_group` | The resource group all resources get deployed into | +| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace | +| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace | +| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace | +| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace | +| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance | +| `azurerm_virtual_network` | An Azure Machine Learning workspace instance | +| `azurerm_subnet` | An Azure Machine Learning workspace instance | +| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources | +| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource | +| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | + +## Variables + +| Name | Description | +|-|-| +| name | Name of the deployment | +| environment | The deployment environment name (used for pre- and postfixing resource names) | +| location | The Azure region used for deployments | + + +## Usage + +```bash +terraform plan -var name=azureml567 -out demo.tfplan + +terraform apply "demo.tfplan" +``` diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf new file mode 100644 index 00000000..bd1ff762 --- /dev/null +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf 
@@ -0,0 +1,71 @@
+variable "name" {
+ type = string
+ description = "Name of the deployment"
+}
+
+variable "environment" {
+ type = string
+ description = "Name of the environment"
+ default = "dev"
+}
+
+variable "location" {
+ type = string
+ description = "Location of the resources"
+}
+
+variable "image_build_compute_name" {
+ type = string
+ description = "Name of the compute cluster to be created and set to build docker images"
+ default = "image-builder"
+}
+
+# Existing subnets variables
+
+variable "training_subnet_resource_id" {
+ type = string
+ description = "Resource ID of the existing training subnet"
+}
+
+variable "aks_subnet_resource_id" {
+ type = string
+ description = "Resource ID of the existing aks subnet"
+}
+
+variable "ml_subnet_resource_id" {
+ type = string
+ description = "Resource ID of the existing ML workspace subnet"
+}
+
+
+# Existing private DNS zones variables
+
+variable "privatelink_api_azureml_ms_resource_id" {
+ type = string
+ description = "Resource ID of the existing privatelink.api.azureml.ms private dns zone"
+}
+
+variable "privatelink_azurecr_io_resource_id" {
+ type = string
+ description = "Resource ID of the existing privatelink.azurecr.io private dns zone"
+}
+
+variable "privatelink_notebooks_azure_net_resource_id" {
+ type = string
+ description = "Resource ID of the existing privatelink.notebooks.azure.net private dns zone"
+}
+
+variable "privatelink_blob_core_windows_net_resource_id" {
+ type = string
+ description = "Resource ID of the existing privatelink.blob.core.windows.net private dns zone"
+}
+
+variable "privatelink_file_core_windows_net_resource_id" {
+ type = string
+ description = "Resource ID of the existing privatelink.file.core.windows.net private dns zone"
+}
+
+variable "privatelink_vaultcore_azure_net_resource_id" {
+ type = string
+ description = "Resource ID of the existing privatelink.vaultcore.azure.net private dns zone"
+}
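Review bot: `name` and `environment` are accepted without any check, yet workspace.tf builds `st${var.name}${var.environment}` and `cr${var.name}${var.environment}` from them, and storage account names allow only 3-24 lowercase letters and digits. A value such as `my-ml` would only fail during `terraform apply`, possibly after other resources already exist. A `validation` block on `name` with `condition = can(regex("^[a-z0-9]+$", var.name))` and a matching error message would reject it at plan time; the remaining length budget depends on the prefixes and is worth stating in the description. The `*_resource_id` variables could get the same treatment with a check that the value starts with `/subscriptions/`, so a mistyped ID does not place private endpoints or compute in an unintended subnet.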
diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf
new file mode 100644
index 00000000..d6b76fcb
--- /dev/null
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf
@@ -0,0 +1,193 @@ +# Dependent resources for Azure Machine Learning +resource "azurerm_application_insights" "default" { + name = "appi-${var.name}-${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + application_type = "web" +} + +resource "azurerm_key_vault" "default" { + name = "kv-${var.name}-${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "premium" + purge_protection_enabled = true + + network_acls { + default_action = "Deny" + bypass = "AzureServices" + } +} + +resource "azurerm_storage_account" "default" { + name = "st${var.name}${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + account_tier = "Standard" + account_replication_type = "GRS" + + network_rules { + default_action = "Deny" + bypass = ["AzureServices"] + } +} + +resource "azurerm_container_registry" "default" { + name = "cr${var.name}${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + sku = "Premium" + admin_enabled = true + + network_rule_set { + default_action = "Deny" + } + public_network_access_enabled = false +} + +# Machine Learning workspace +resource "azurerm_machine_learning_workspace" "default" { + name = "mlw-${var.name}-${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + application_insights_id = azurerm_application_insights.default.id + key_vault_id = azurerm_key_vault.default.id + storage_account_id = azurerm_storage_account.default.id + container_registry_id = azurerm_container_registry.default.id + + identity { + type = "SystemAssigned" + } +} + +# Private endpoints +resource "azurerm_private_endpoint" 
"kv_ple" { + name = "ple-${var.name}-${var.environment}-kv" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = var.ml_subnet_resource_id + + private_dns_zone_group { + name = "private-dns-zone-group" + private_dns_zone_ids = [var.privatelink_vaultcore_azure_net_resource_id] + } + + private_service_connection { + name = "psc-${var.name}-kv" + private_connection_resource_id = azurerm_key_vault.default.id + subresource_names = [ "vault" ] + is_manual_connection = false + } +} + +resource "azurerm_private_endpoint" "st_ple_blob" { + name = "ple-${var.name}-${var.environment}-st-blob" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = var.ml_subnet_resource_id + + private_dns_zone_group { + name = "private-dns-zone-group" + private_dns_zone_ids = [var.privatelink_blob_core_windows_net_resource_id] + } + + private_service_connection { + name = "psc-${var.name}-st" + private_connection_resource_id = azurerm_storage_account.default.id + subresource_names = [ "blob" ] + is_manual_connection = false + } +} + +resource "azurerm_private_endpoint" "storage_ple_file" { + name = "ple-${var.name}-${var.environment}-st-file" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = var.ml_subnet_resource_id + + private_dns_zone_group { + name = "private-dns-zone-group" + private_dns_zone_ids = [var.privatelink_file_core_windows_net_resource_id] + } + + private_service_connection { + name = "psc-${var.name}-st" + private_connection_resource_id = azurerm_storage_account.default.id + subresource_names = [ "file" ] + is_manual_connection = false + } +} + +resource "azurerm_private_endpoint" "cr_ple" { + name = "ple-${var.name}-${var.environment}-cr" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + 
subnet_id = var.ml_subnet_resource_id + + private_dns_zone_group { + name = "private-dns-zone-group" + private_dns_zone_ids = [var.privatelink_azurecr_io_resource_id] + } + + private_service_connection { + name = "psc-${var.name}-cr" + private_connection_resource_id = azurerm_container_registry.default.id + subresource_names = [ "registry" ] + is_manual_connection = false + } +} + +resource "azurerm_private_endpoint" "mlw_ple" { + name = "ple-${var.name}-${var.environment}-mlw" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + subnet_id = var.ml_subnet_resource_id + + private_dns_zone_group { + name = "private-dns-zone-group" + private_dns_zone_ids = [ + var.privatelink_api_azureml_ms_resource_id, + var.privatelink_notebooks_azure_net_resource_id + ] + } + + private_service_connection { + name = "psc-${var.name}-mlw" + private_connection_resource_id = azurerm_machine_learning_workspace.default.id + subresource_names = [ "amlworkspace" ] + is_manual_connection = false + } +} +#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds + +resource "azurerm_machine_learning_compute_cluster" "image-builder" { + name = "${var.image_build_compute_name}" + location = azurerm_resource_group.default.location + vm_priority = "LowPriority" + vm_size = "Standard_DS2_v2" + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + subnet_resource_id = var.training_subnet_resource_id + + scale_settings { + min_node_count = 0 + max_node_count = 1 + scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds + } + + identity { + type = "SystemAssigned" + } +} + +# Update workspace for image-build-compute + +resource "null_resource" "ws_image_build_compute"{ + provisioner "local-exec" { + command = < Date: Fri, 17 Sep 2021 15:12:11 -0700 Subject: [PATCH 23/53] link terraform docs --- 
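Review bot: `admin_enabled = true` on `azurerm_container_registry.default` turns on the registry's shared admin username and password, and nothing in the hunk says why. If it is there because Azure Machine Learning needs the admin account on its attached registry, say so next to it, e.g. `# admin account is needed by the Azure ML workspace; registry is reachable only through the cr_ple private endpoint`, so the setting is not copied elsewhere as a default. Those credentials are also exported into Terraform state, so the state backend used with this example needs access control. In `azurerm_storage_account.default` I would additionally pin `min_tls_version = "TLS1_2"`, since the provider default of this era is, as far as I recall, lower. The tail of the hunk (the `local-exec` heredoc in `null_resource.ws_image_build_compute`) is cut off in this view, so that command is not reviewed here.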
quickstart/201-machine-learning-moderately-secure/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index cf9b2b9e..a6a59fcb 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -52,3 +52,4 @@ terraform apply "demo.tfplan" - If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/). - To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). +- For all configurations of Azure Machine Learning in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_workspace). From 8011d6b516ff735a82cb0a199860265925741449 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 15:12:35 -0700 Subject: [PATCH 24/53] Link terraform docs --- quickstart/101-machine-learning/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index 8d3fac5c..86160834 100644 --- a/quickstart/101-machine-learning/readme.md +++ b/quickstart/101-machine-learning/readme.md 
@@ -40,3 +40,4 @@ terraform apply "demo.tfplan" - If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/). - To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). +- For all configurations of Azure Machine Learning in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_workspace). From 4f13164bdea84b3117688bcb62f0a2b37bb33ce9 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 15:24:49 -0700 Subject: [PATCH 25/53] Tidy up --- .../workspace.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index d6b76fcb..0f3acd81 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -159,8 +159,9 @@ resource "azurerm_private_endpoint" "mlw_ple" { is_manual_connection = false } } -#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds +# Compute cluster for image building required since the workspace is behind a vnet. +# For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds. resource "azurerm_machine_learning_compute_cluster" "image-builder" { name = "${var.image_build_compute_name}" location = azurerm_resource_group.default.location 
@@ -181,7 +182,6 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { } # Update workspace for image-build-compute - resource "null_resource" "ws_image_build_compute"{ provisioner "local-exec" { command = < Date: Fri, 17 Sep 2021 15:25:11 -0700 Subject: [PATCH 26/53] Update compute timeout --- .../workspace.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index 0f3acd81..a443ce96 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -173,7 +173,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { scale_settings { min_node_count = 0 max_node_count = 1 - scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds + scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } identity { From 1631260cd2661ce825b4c5c15d7251402321551b Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 17 Sep 2021 15:31:06 -0700 Subject: [PATCH 27/53] Add readme links and variable descriptions --- .../readme.md | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index 6815e382..b3650d2c 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
@@ -25,6 +25,10 @@ To learn more about security configurations in Azure Machine Learning, see [Ente | `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources | | `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource | | `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | +| `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. | +| `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. | +| `azurerm_network_security_group` | Network security group with required inbound and outbound rules for Azure Machine Learning. | + ## Variables 
@@ -33,7 +37,16 @@ To learn more about security configurations in Azure Machine Learning, see [Ente | name | Name of the deployment | | environment | The deployment environment name (used for pre- and postfixing resource names) | | location | The Azure region used for deployments | - +| image_build_compute_name | Name of the compute cluster to be created and set to build docker images | +| training_subnet_resource_id | Resource ID of the existing training subnet | +| aks_subnet_resource_id | Resource ID of the existing aks subnet | +| ml_subnet_resource_id | Resource ID of the existing ML workspace subnet | +| privatelink_api_azureml_ms_resource_id | Resource ID of the existing privatelink.api.azureml.ms private dns zone | +| privatelink_azurecr_io_resource_id | Resource ID of the existing privatelink.azurecr.io private dns zone | +| privatelink_notebooks_azure_net_resource_id | Resource ID of the existing privatelink.notebooks.azure.net private dns zone | +| privatelink_blob_core_windows_net_resource_id | Resource ID of the existing privatelink.blob.core.windows.net private dns zone | +| privatelink_file_core_windows_net_resource_id | Resource ID of the existing privatelink.file.core.windows.net private dns zone | +| privatelink_vaultcore_azure_net_resource_id | Resource ID of the existing privatelink.vaultcore.azure.net private dns zone | ## Usage 
@@ -42,3 +55,9 @@ terraform plan -var name=azureml567 -out demo.tfplan terraform apply "demo.tfplan" ``` + +## Learn more + +- If you are new to Azure Machine Learning, see [Azure Machine Learning service](https://azure.microsoft.com/services/machine-learning-service/) and [Azure Machine Learning documentation](https://docs.microsoft.com/azure/machine-learning/). +- To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). +- For all configurations of Azure Machine Learning in Terraform, see [Terraform Hashicorp AzureRM provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/machine_learning_workspace). From b52527ceb6fde89ec1370a234f4165caf826728a Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 17 Sep 2021 18:40:44 -0400 Subject: [PATCH 28/53] clearing comments --- .../network.tf | 108 ------------------ 1 file changed, 108 deletions(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf index 287c5846..73caea14 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf 
@@ -1,111 +1,3 @@ -/* -# Virtual Network -resource "azurerm_virtual_network" "default" { - name = "vnet-${var.name}-${var.environment}" - address_space = var.vnet_address_space - location = azurerm_resource_group.default.location - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_subnet" "snet-training" { - name = "snet-training" - resource_group_name = azurerm_resource_group.default.name - virtual_network_name = azurerm_virtual_network.default.name - address_prefixes = var.training_subnet_address_space - enforce_private_link_endpoint_network_policies = true -} - -resource "azurerm_subnet" "snet-aks" { - name = "snet-aks" - resource_group_name = azurerm_resource_group.default.name - virtual_network_name = azurerm_virtual_network.default.name - address_prefixes = var.aks_subnet_address_space - enforce_private_link_endpoint_network_policies = true -} - -resource "azurerm_subnet" "snet-workspace" { - name = "snet-workspace" - resource_group_name = azurerm_resource_group.default.name - virtual_network_name = azurerm_virtual_network.default.name - address_prefixes = var.ml_subnet_address_space - enforce_private_link_endpoint_network_policies = true -} - -# Private DNS Zones -resource "azurerm_private_dns_zone" "dnsvault" { - name = "privatelink.vaultcore.azure.net" - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkvault" { - name = "dnsvaultlink" - resource_group_name = azurerm_resource_group.default.name - private_dns_zone_name = azurerm_private_dns_zone.dnsvault.name - virtual_network_id = azurerm_virtual_network.default.id -} - -resource "azurerm_private_dns_zone" "dnsstorageblob" { - name = "privatelink.blob.core.windows.net" - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkblob" { - name = "dnsblobstoragelink" - resource_group_name = azurerm_resource_group.default.name - 
private_dns_zone_name = azurerm_private_dns_zone.dnsstorageblob.name - virtual_network_id = azurerm_virtual_network.default.id -} - - -resource "azurerm_private_dns_zone" "dnsstoragefile" { - name = "privatelink.file.core.windows.net" - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkfile" { - name = "dnsfilestoragelink" - resource_group_name = azurerm_resource_group.default.name - private_dns_zone_name = azurerm_private_dns_zone.dnsstoragefile.name - virtual_network_id = azurerm_virtual_network.default.id -} - -resource "azurerm_private_dns_zone" "dnscontainerregistry" { - name = "privatelink.azurecr.io" - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" { - name = "dnscrlink" - resource_group_name = azurerm_resource_group.default.name - private_dns_zone_name = azurerm_private_dns_zone.dnscontainerregistry.name - virtual_network_id = azurerm_virtual_network.default.id -} - -resource "azurerm_private_dns_zone" "dnsazureml" { - name = "privatelink.api.azureml.ms" - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { - name = "dnsazuremllink" - resource_group_name = azurerm_resource_group.default.name - private_dns_zone_name = azurerm_private_dns_zone.dnsazureml.name - virtual_network_id = azurerm_virtual_network.default.id -} - -resource "azurerm_private_dns_zone" "dnsnotebooks" { - name = "privatelink.azureml.notebooks.net" - resource_group_name = azurerm_resource_group.default.name -} - -resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" { - name = "dnsnotebookslink" - resource_group_name = azurerm_resource_group.default.name - private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name - virtual_network_id = azurerm_virtual_network.default.id -} -*/ - # Network Security Groups resource 
"azurerm_network_security_group" "nsg-training" { From 44679c877af8ec966e1366b56d46276a71c29420 Mon Sep 17 00:00:00 2001 From: David Apolinar Date: Mon, 20 Sep 2021 11:22:12 -0400 Subject: [PATCH 29/53] separated compute --- quickstart/101-machine-learning/compute.tf | 26 ++++++++++++++++++++ quickstart/101-machine-learning/workspace.tf | 25 ------------------- 2 files changed, 26 insertions(+), 25 deletions(-) create mode 100644 quickstart/101-machine-learning/compute.tf diff --git a/quickstart/101-machine-learning/compute.tf b/quickstart/101-machine-learning/compute.tf new file mode 100644 index 00000000..fc65a7d6 --- /dev/null +++ b/quickstart/101-machine-learning/compute.tf @@ -0,0 +1,26 @@ +# Compute Instance +resource "azurerm_machine_learning_compute_instance" "compute_instance" { + name = "default-instance" + location = azurerm_resource_group.default.location + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + virtual_machine_size = "STANDARD_DS2_V2" +} + +# Compute Cluster +resource "azurerm_machine_learning_compute_cluster" "compute" { + name = "default-compute" + location = azurerm_resource_group.default.location + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + vm_priority = "Dedicated" + vm_size = "STANDARD_DS2_V2" + identity { + type = "SystemAssigned" + } + + scale_settings { + min_node_count = 0 + max_node_count = 3 + scale_down_nodes_after_idle_duration = "PT10M" # 10 minutes + } + +} \ No newline at end of file diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf index 344144ee..d0499258 100644 --- a/quickstart/101-machine-learning/workspace.tf +++ b/quickstart/101-machine-learning/workspace.tf 
@@ -52,29 +52,4 @@ resource "azurerm_machine_learning_workspace" "default" { } } -# Compute Instance -resource "azurerm_machine_learning_compute_instance" "compute_instance" { - name = "default-instance" - location = azurerm_resource_group.default.location - machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id - virtual_machine_size = "STANDARD_DS2_V2" -} -# Compute Cluster -resource "azurerm_machine_learning_compute_cluster" "compute" { - name = "default-compute" - location = azurerm_resource_group.default.location - machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id - vm_priority = "Dedicated" - vm_size = "STANDARD_DS2_V2" - identity { - type = "SystemAssigned" - } - - scale_settings { - min_node_count = 0 - max_node_count = 3 - scale_down_nodes_after_idle_duration = "PT10M" # 10 minutes - } - -} From 5c6087899ab0fbd39cd28bded5f3aace6cd34476 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Mon, 20 Sep 2021 10:18:18 -0700 Subject: [PATCH 30/53] formatting updates --- quickstart/101-machine-learning/compute.tf | 1 + quickstart/101-machine-learning/workspace.tf | 4 +- .../network.tf | 3 +- .../network.tf | 6 +-- .../variables.tf | 2 - .../readme.md | 44 ------------------- 6 files changed, 8 insertions(+), 52 deletions(-) delete mode 100644 quickstart/301-machine-learning-highly-secure/readme.md diff --git a/quickstart/101-machine-learning/compute.tf b/quickstart/101-machine-learning/compute.tf index fc65a7d6..3db218f0 100644 --- a/quickstart/101-machine-learning/compute.tf +++ b/quickstart/101-machine-learning/compute.tf @@ -13,6 +13,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id vm_priority = "Dedicated" vm_size = "STANDARD_DS2_V2" + identity { type = "SystemAssigned" } diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf index d0499258..facea4a1 100644 
--- a/quickstart/101-machine-learning/workspace.tf +++ b/quickstart/101-machine-learning/workspace.tf @@ -13,7 +13,7 @@ resource "azurerm_key_vault" "default" { tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" purge_protection_enabled = true - + network_acls { default_action = "Deny" bypass = "AzureServices" @@ -46,7 +46,7 @@ resource "azurerm_machine_learning_workspace" "default" { key_vault_id = azurerm_key_vault.default.id storage_account_id = azurerm_storage_account.default.id container_registry_id = azurerm_container_registry.default.id - + identity { type = "SystemAssigned" } diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index 1fbbf6f1..c1751545 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf @@ -121,6 +121,7 @@ resource "azurerm_network_security_group" "nsg-training" { source_address_prefix = "BatchNodeManagement" destination_address_prefix = "*" } + security_rule { name = "AzureMachineLearning" priority = 110 @@ -152,7 +153,7 @@ resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { # User Defined Routes -# UDR for Compute instance and compute clusters +# UDR for compute instance and compute clusters resource "azurerm_route_table" "rt-training" { name = "rt-training" location = azurerm_resource_group.default.location diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf index 73caea14..09c6a8bc 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf 
@@ -1,5 +1,4 @@ # Network Security Groups - resource "azurerm_network_security_group" "nsg-training" { name = "nsg-training" location = azurerm_resource_group.default.location @@ -16,6 +15,7 @@ resource "azurerm_network_security_group" "nsg-training" { source_address_prefix = "BatchNodeManagement" destination_address_prefix = "*" } + security_rule { name = "AzureMachineLearning" priority = 110 @@ -49,7 +49,7 @@ resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { # User Defined Routes -#UDR for Compute instance and compute clusters +# UDR for Compute instance and compute clusters resource "azurerm_route_table" "rt-training" { name = "rt-training" location = azurerm_resource_group.default.location @@ -84,8 +84,8 @@ resource "azurerm_subnet_route_table_association" "rt-training-link" { subnet_id = var.training_subnet_resource_id route_table_id = azurerm_route_table.rt-training.id } -# Inferencing (AKS) Route +# Inferencing (AKS) Route resource "azurerm_route_table" "rt-aks" { name = "rt-aks" location = azurerm_resource_group.default.location diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf index bd1ff762..894d03f8 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf @@ -21,7 +21,6 @@ variable "image_build_compute_name" { } # Existing subnets variables - variable "training_subnet_resource_id" { type = string description = "Resource ID of the existing training subnet" @@ -39,7 +38,6 @@ variable "ml_subnet_resource_id" { # Existing private DNS zones variables - variable "privatelink_api_azureml_ms_resource_id" { type = string description = "Resource ID of the existing privatelink.api.azureml.ms private dns zone" 
diff --git a/quickstart/301-machine-learning-highly-secure/readme.md b/quickstart/301-machine-learning-highly-secure/readme.md deleted file mode 100644 index 5d0dfcad..00000000 --- a/quickstart/301-machine-learning-highly-secure/readme.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Azure Machine Learning workspace (highly secure network set up) - -This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), -and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. - -In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning -for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). - -This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. - -To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). 
- -## Resources - -| Terraform Resource Type | Description | -| - | - | -| `azurerm_resource_group` | The resource group all resources get deployed into | -| `azurerm_application_insights` | An Azure Application Insights instance associated to the Azure Machine Learning workspace | -| `azurerm_key_vault` | An Azure Key Vault instance associated to the Azure Machine Learning workspace | -| `azurerm_storage_account` | An Azure Storage instance associated to the Azure Machine Learning workspace | -| `azurerm_container_registry` | An Azure Container Registry instance associated to the Azure Machine Learning workspace | -| `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance | -| `azurerm_virtual_network` | An Azure Machine Learning workspace instance | -| `azurerm_subnet` | An Azure Machine Learning workspace instance | -| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources | -| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource | -| `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | - -## Variables - -| Name | Description | -|-|-| -| name | Name of the deployment | -| environment | The deployment environment name (used for pre- and postfixing resource names) | -| location | The Azure region used for deployments | - - -## Usage - -```bash -terraform plan -var name=azureml567 -out demo.tfplan - -terraform apply "demo.tfplan" -``` From ae58331e4ea4a8068f54a0ddd38f4c0dc79348ad Mon Sep 17 00:00:00 2001 
From: Dennis Eikelenboom Date: Mon, 20 Sep 2021 10:41:09 -0700 Subject: [PATCH 31/53] fit and finish 101 --- .gitignore | 4 ++++ quickstart/101-machine-learning/compute.tf | 4 ++-- quickstart/101-machine-learning/readme.md | 2 ++ .../201-machine-learning-moderately-secure/readme.md | 2 +- .../201-machine-learning-moderately-secure/workspace.tf | 2 +- .../readme.md | 8 ++++---- .../workspace.tf | 2 +- 7 files changed, 15 insertions(+), 9 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..d2f6471c --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +quickstart/101-machine-learning/.terraform.lock.hcl +quickstart/101-machine-learning/.terraform/providers/registry.terraform.io/hashicorp/azurerm/2.76.0/windows_amd64/terraform-provider-azurerm_v2.76.0_x5.exe +quickstart/101-machine-learning/terraform.tfstate +quickstart/101-machine-learning/demo.tfplan diff --git a/quickstart/101-machine-learning/compute.tf b/quickstart/101-machine-learning/compute.tf index 3db218f0..bbab56ba 100644 --- a/quickstart/101-machine-learning/compute.tf +++ b/quickstart/101-machine-learning/compute.tf @@ -8,7 +8,7 @@ resource "azurerm_machine_learning_compute_instance" "compute_instance" { # Compute Cluster resource "azurerm_machine_learning_compute_cluster" "compute" { - name = "default-compute" + name = "cpu-cluster" location = azurerm_resource_group.default.location machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id vm_priority = "Dedicated" @@ -21,7 +21,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { scale_settings { min_node_count = 0 max_node_count = 3 - scale_down_nodes_after_idle_duration = "PT10M" # 10 minutes + scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } } \ No newline at end of file diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index 86160834..c7c9584f 100644 --- a/quickstart/101-machine-learning/readme.md 
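Review bot: The new `.gitignore` lists four exact paths under `quickstart/101-machine-learning/`, so a `terraform.tfstate`, `demo.tfplan` or `.terraform/` directory produced in the 201 and 202 example directories can still be committed. State files and saved plans hold resource attributes in plain text, which for these examples would include storage account keys and the container registry admin credentials (`admin_enabled = true` in the 202 `workspace.tf`). Patterns would cover every example at once: `**/.terraform/`, `*.tfstate*`, `*.tfplan`. `.terraform.lock.hcl` is normally committed rather than ignored, so that entry may be worth dropping.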
+++ b/quickstart/101-machine-learning/readme.md @@ -31,6 +31,8 @@ Network connectivity to the workspace is allowed over public endpoints, making t ## Usage ```bash +terraform init + terraform plan -var name=azureml567 -out demo.tfplan terraform apply "demo.tfplan" diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index a6a59fcb..6c5fbe6e 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -6,7 +6,7 @@ and its associated resources including Azure Key Vault, Azure Storage, Azure App In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). -This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. +This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configuration creates new network components. If you want to reuse existing network components, see [202 example](../201-machine-learning-moderately-secure/readme.md). ## Resources diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index 032ae2e0..deb00941 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -169,7 +169,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { scale_settings { min_node_count = 0 - max_node_count = 1 + max_node_count = 3 scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } 
diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index b3650d2c..402df750 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md @@ -1,4 +1,4 @@ -# Azure Machine Learning workspace (moderately secure network set up) +# Azure Machine Learning workspace (moderately secure network set up - existing virtual network) This deployment configuration specifies an [Azure Machine Learning workspace](https://docs.microsoft.com/en-us/azure/machine-learning/concept-workspace), and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. @@ -6,9 +6,7 @@ and its associated resources including Azure Key Vault, Azure Storage, Azure App In addition to these core services, this configuration specifies any networking components that are required to set up Azure Machine Learning for private network connectivity using [Azure Private Link](https://docs.microsoft.com/en-us/azure/private-link/). -This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. - -To learn more about security configurations in Azure Machine Learning, see [Enterprise security and governance for Azure Machine Learning](https://docs.microsoft.com/en-us/azure/machine-learning/concept-enterprise-security). +This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configurations assumes that you have existing network components to reuse. The [201 example](../201-machine-learning-moderately-secure/readme.md), alternatively creates new network components. ## Resources 
@@ -51,6 +49,8 @@ To learn more about security configurations in Azure Machine Learning, see [Ente ## Usage ```bash +terraform init + terraform plan -var name=azureml567 -out demo.tfplan terraform apply "demo.tfplan" diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index a443ce96..936bb4b9 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -172,7 +172,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { scale_settings { min_node_count = 0 - max_node_count = 1 + max_node_count = 3 scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } From 2713f07c822027c5d0ee3dcc8f62e8aa06f7a1f1 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Mon, 20 Sep 2021 15:41:46 -0700 Subject: [PATCH 32/53] include compute resources and network dependencies --- .gitignore | 1 + .../compute.tf | 37 +++++++++++++++++++ .../network.tf | 10 +++++ .../readme.md | 2 + 4 files changed, 50 insertions(+) create mode 100644 quickstart/201-machine-learning-moderately-secure/compute.tf diff --git a/.gitignore b/.gitignore index d2f6471c..8f21e32a 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ quickstart/101-machine-learning/.terraform.lock.hcl quickstart/101-machine-learning/.terraform/providers/registry.terraform.io/hashicorp/azurerm/2.76.0/windows_amd64/terraform-provider-azurerm_v2.76.0_x5.exe quickstart/101-machine-learning/terraform.tfstate quickstart/101-machine-learning/demo.tfplan +quickstart/201-machine-learning-moderately-secure/demo.tfplan diff --git a/quickstart/201-machine-learning-moderately-secure/compute.tf b/quickstart/201-machine-learning-moderately-secure/compute.tf new file mode 100644 index 00000000..2544c5a6 --- /dev/null +++ b/quickstart/201-machine-learning-moderately-secure/compute.tf 
@@ -0,0 +1,37 @@ +# Generate random string for unique compute instance name +resource "random_string" "ci_prefix" { + length = 8 + upper = false + special = false + number = false +} + +# Compute instance +resource "azurerm_machine_learning_compute_instance" "compute_instance" { + name = "${random_string.ci_prefix.result}instance" + location = azurerm_resource_group.default.location + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + virtual_machine_size = "STANDARD_DS2_V2" + subnet_resource_id = azurerm_subnet.snet-training.id +} + +# Compute cluster +resource "azurerm_machine_learning_compute_cluster" "compute" { + name = "cpu-cluster" + location = azurerm_resource_group.default.location + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + vm_priority = "Dedicated" + vm_size = "STANDARD_DS2_V2" + subnet_resource_id = azurerm_subnet.snet-training.id + + identity { + type = "SystemAssigned" + } + + scale_settings { + min_node_count = 0 + max_node_count = 3 + scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes + } + +} \ No newline at end of file diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index c1751545..06010ff7 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf @@ -82,6 +82,11 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" { resource "azurerm_private_dns_zone" "dnsazureml" { name = "privatelink.api.azureml.ms" resource_group_name = azurerm_resource_group.default.name + + depends_on = [ + azurerm_machine_learning_compute_cluster.compute, + azurerm_machine_learning_compute_instance.compute_instance + ] } resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { 
@@ -94,6 +99,11 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { resource "azurerm_private_dns_zone" "dnsnotebooks" { name = "privatelink.notebooks.azure.net" resource_group_name = azurerm_resource_group.default.name + + depends_on = [ + azurerm_machine_learning_compute_cluster.compute, + azurerm_machine_learning_compute_instance.compute_instance + ] } resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" { diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 6c5fbe6e..17bbf831 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -43,6 +43,8 @@ This configuration describes the minimal set of resources you require to get sta ## Usage ```bash +terraform init + terraform plan -var name=azureml567 -out demo.tfplan terraform apply "demo.tfplan" From fdbb100df1523ef254b228a466204f73d83ca1fc Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Mon, 20 Sep 2021 15:51:03 -0700 Subject: [PATCH 33/53] add comment --- .../compute.tf | 37 +++++++++++++++++++ .../readme.md | 4 +- 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf new file mode 100644 index 00000000..aa16e3b5 --- /dev/null +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf 
@@ -0,0 +1,37 @@ +# Generate random string for unique compute instance name +resource "random_string" "ci_prefix" { + length = 8 + upper = false + special = false + number = false +} + +# Compute instance +resource "azurerm_machine_learning_compute_instance" "compute_instance" { + name = "${random_string.ci_prefix.result}instance" + location = azurerm_resource_group.default.location + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + virtual_machine_size = "STANDARD_DS2_V2" + subnet_resource_id = var.training_subnet_resource_id +} + +# Compute cluster +resource "azurerm_machine_learning_compute_cluster" "compute" { + name = "cpu-cluster" + location = azurerm_resource_group.default.location + machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id + vm_priority = "Dedicated" + vm_size = "STANDARD_DS2_V2" + subnet_resource_id = var.training_subnet_resource_id + + identity { + type = "SystemAssigned" + } + + scale_settings { + min_node_count = 0 + max_node_count = 3 + scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes + } + +} \ No newline at end of file diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index 402df750..6f7fbc52 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
@@ -8,6 +8,8 @@ for private network connectivity using [Azure Private Link](https://docs.microso This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configurations assumes that you have existing network components to reuse. The [201 example](../201-machine-learning-moderately-secure/readme.md), alternatively creates new network components. +Please note that this template does not configure Azure Private DNS zones. The assumption is that you have already configured DNS zones that are linked to your virtual network resources, or use your private DNS. + ## Resources | Terraform Resource Type | Description | @@ -20,8 +22,6 @@ This configuration describes the minimal set of resources you require to get sta | `azurerm_machine_learning_workspace` | An Azure Machine Learning workspace instance | | `azurerm_virtual_network` | An Azure Machine Learning workspace instance | | `azurerm_subnet` | An Azure Machine Learning workspace instance | -| `azurerm_private_dns_zone` | Private DNS Zones for FQDNs required for Azure Machine Learning and associated resources | -| `azurerm_private_dns_zone_virtual_network_link` | Virtual network links of the Private DNS Zones to the virtual network resource | | `azurerm_private_endpoint` | Private Endpoints for the Azure Machine Learning workspace and associated resources | | `azurerm_machine_learning_compute_instance` | An Azure Machine Learning compute instance a single-node managed compute. | | `azurerm_machine_learning_compute_cluster` | An Azure Machine Learning compute cluster as multi-node shared and managed compute. | From 9d04bc247e6c3da3e84328996c718209b80b35cc Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Mon, 20 Sep 2021 15:55:51 -0700 Subject: [PATCH 34/53] ci naming --- quickstart/101-machine-learning/compute.tf | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) 
diff --git a/quickstart/101-machine-learning/compute.tf b/quickstart/101-machine-learning/compute.tf index bbab56ba..d8ec709a 100644 --- a/quickstart/101-machine-learning/compute.tf +++ b/quickstart/101-machine-learning/compute.tf @@ -1,9 +1,17 @@ -# Compute Instance +# Generate random string for unique compute instance name +resource "random_string" "ci_prefix" { + length = 8 + upper = false + special = false + number = false +} + +# Compute instance resource "azurerm_machine_learning_compute_instance" "compute_instance" { - name = "default-instance" + name = "${random_string.ci_prefix.result}instance" location = azurerm_resource_group.default.location machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id - virtual_machine_size = "STANDARD_DS2_V2" + virtual_machine_size = "STANDARD_DS2_V2" } # Compute Cluster From 7c4abc8e7eb20fe673ebcaffc1d2b4c5977613b9 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Mon, 20 Sep 2021 15:57:46 -0700 Subject: [PATCH 35/53] update gitignore --- .gitignore | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 8f21e32a..0f1c8537 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ -quickstart/101-machine-learning/.terraform.lock.hcl -quickstart/101-machine-learning/.terraform/providers/registry.terraform.io/hashicorp/azurerm/2.76.0/windows_amd64/terraform-provider-azurerm_v2.76.0_x5.exe -quickstart/101-machine-learning/terraform.tfstate -quickstart/101-machine-learning/demo.tfplan -quickstart/201-machine-learning-moderately-secure/demo.tfplan +*.terraform.lock.hcl +*.exe +*.tfstate +*.tfplan +*.tfplan From bcd263ed5f213db899d86fe499955b08cd0d0faf Mon Sep 17 00:00:00 2001 
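Review bot: The new `*.tfstate` pattern in `.gitignore` does not match `terraform.tfstate.backup` or any other `*.tfstate.*` file, and the `.terraform/` directory is only covered as far as its `*.exe` files go. State backups carry the same resource attributes as the state file itself, so they should stay out of version control too; add `*.tfstate.*` and `.terraform/`. The last line repeats `*.tfplan` and can be dropped. Ignoring `*.terraform.lock.hcl` deserves a second look as well, since the lock file pins provider checksums and is normally committed.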
From: Dennis Eikelenboom Date: Tue, 21 Sep 2021 17:02:40 -0700 Subject: [PATCH 36/53] updates to network and compute --- .../201-machine-learning-moderately-secure/compute.tf | 6 +++++- .../201-machine-learning-moderately-secure/network.tf | 10 ---------- .../readme.md | 2 +- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/compute.tf b/quickstart/201-machine-learning-moderately-secure/compute.tf index 2544c5a6..ee2983b1 100644 --- a/quickstart/201-machine-learning-moderately-secure/compute.tf +++ b/quickstart/201-machine-learning-moderately-secure/compute.tf @@ -13,6 +13,10 @@ resource "azurerm_machine_learning_compute_instance" "compute_instance" { machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id virtual_machine_size = "STANDARD_DS2_V2" subnet_resource_id = azurerm_subnet.snet-training.id + + depends_on = [ + azurerm_private_endpoint.mlw_ple + ] } # Compute cluster @@ -33,5 +37,5 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { max_node_count = 3 scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } - + } \ No newline at end of file diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index 06010ff7..c1751545 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf @@ -82,11 +82,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkcr" { resource "azurerm_private_dns_zone" "dnsazureml" { name = "privatelink.api.azureml.ms" resource_group_name = azurerm_resource_group.default.name - - depends_on = [ - azurerm_machine_learning_compute_cluster.compute, - azurerm_machine_learning_compute_instance.compute_instance - ] } resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { 
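Review bot: The `depends_on = [azurerm_private_endpoint.mlw_ple]` added to `azurerm_machine_learning_compute_instance.compute_instance` carries no comment saying why the instance has to wait for the workspace private endpoint. An explicit `depends_on` encodes an ordering Terraform cannot infer from references, so the reason belongs next to it, e.g. `# Wait for the workspace private endpoint before creating the instance`. The `compute` cluster added to the same file in PATCH 32 uses the same training subnet and does not get the dependency; if that is deliberate because `min_node_count = 0` creates no nodes at apply time, a one-line comment there would make it explicit. The same uncommented `depends_on` is added to the 202 `compute.tf` in PATCH 41.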
@@ -99,11 +94,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinkml" { resource "azurerm_private_dns_zone" "dnsnotebooks" { name = "privatelink.notebooks.azure.net" resource_group_name = azurerm_resource_group.default.name - - depends_on = [ - azurerm_machine_learning_compute_cluster.compute, - azurerm_machine_learning_compute_instance.compute_instance - ] } resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" { diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index 6f7fbc52..c3b68e67 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md @@ -8,7 +8,7 @@ for private network connectivity using [Azure Private Link](https://docs.microso This configuration describes the minimal set of resources you require to get started with Azure Machine Learning in a network-isolated set-up. This configurations assumes that you have existing network components to reuse. The [201 example](../201-machine-learning-moderately-secure/readme.md), alternatively creates new network components. -Please note that this template does not configure Azure Private DNS zones. The assumption is that you have already configured DNS zones that are linked to your virtual network resources, or use your private DNS. +Please note that this template does not create Azure Private DNS zones. The assumption is that you have already configured Azure private DNS zones that are linked to your virtual network resources. ## Resources From 37d13dbb1974a8cd47618f0c0d2c11a9a77c8e55 Mon Sep 17 00:00:00 2001 
From: Dennis Eikelenboom Date: Tue, 21 Sep 2021 17:10:13 -0700 Subject: [PATCH 37/53] update gitignores --- .gitignore | 4 -- .../.gitignore | 37 ------------------- 2 files changed, 41 deletions(-) delete mode 100644 quickstart/201-machine-learning-moderately-secure/.gitignore diff --git a/.gitignore b/.gitignore index d2f6471c..e69de29b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +0,0 @@ -quickstart/101-machine-learning/.terraform.lock.hcl -quickstart/101-machine-learning/.terraform/providers/registry.terraform.io/hashicorp/azurerm/2.76.0/windows_amd64/terraform-provider-azurerm_v2.76.0_x5.exe -quickstart/101-machine-learning/terraform.tfstate -quickstart/101-machine-learning/demo.tfplan diff --git a/quickstart/201-machine-learning-moderately-secure/.gitignore b/quickstart/201-machine-learning-moderately-secure/.gitignore deleted file mode 100644 index 6f8b76c0..00000000 --- a/quickstart/201-machine-learning-moderately-secure/.gitignore +++ /dev/null @@ -1,37 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log - -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json -values.tfvars -*.tfvars -settings.tfvars -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* -terraform/.terraform.lock.hcl -.DS_Store -terraform/.terraform.lock.hcl -terraform/.terraform.lock.hcl -.terraform.lock.hcl -terraform/.terraform.lock.hcl \ No newline at end of file 
From fff24e257bfeb509fb237058b90e1947a3e17928 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Tue, 21 Sep 2021 17:12:56 -0700 Subject: [PATCH 38/53] remove gitignore before tf repo merge --- .../.gitignore | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore b/quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore deleted file mode 100644 index 6f8b76c0..00000000 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/.gitignore +++ /dev/null @@ -1,37 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log - -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json -values.tfvars -*.tfvars -settings.tfvars -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* -terraform/.terraform.lock.hcl -.DS_Store -terraform/.terraform.lock.hcl -terraform/.terraform.lock.hcl -.terraform.lock.hcl -terraform/.terraform.lock.hcl \ No newline at end of file From cb79cbc2724c9e7db144a7d8afba9e944248a5fa Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 24 Sep 2021 09:53:07 -0700 Subject: [PATCH 39/53] remove ACLs keyvault --- quickstart/101-machine-learning/workspace.tf | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) 
diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf index facea4a1..95f4e978 100644 --- a/quickstart/101-machine-learning/workspace.tf +++ b/quickstart/101-machine-learning/workspace.tf @@ -12,12 +12,7 @@ resource "azurerm_key_vault" "default" { resource_group_name = azurerm_resource_group.default.name tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" - purge_protection_enabled = true - - network_acls { - default_action = "Deny" - bypass = "AzureServices" - } + purge_protection_enabled = false } resource "azurerm_storage_account" "default" { @@ -26,7 +21,6 @@ resource "azurerm_storage_account" "default" { resource_group_name = azurerm_resource_group.default.name account_tier = "Standard" account_replication_type = "GRS" - } resource "azurerm_container_registry" "default" { From 9a52e9aa55136dd57b9c9be1eb72c87a81f1e252 Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 24 Sep 2021 14:21:54 -0400 Subject: [PATCH 40/53] updating minimum TF version --- quickstart/201-machine-learning-moderately-secure/main.tf | 2 +- .../main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/main.tf b/quickstart/201-machine-learning-moderately-secure/main.tf index 67dea407..b5e0c3a8 100644 --- a/quickstart/201-machine-learning-moderately-secure/main.tf +++ b/quickstart/201-machine-learning-moderately-secure/main.tf @@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=2.76.0" + version = "=2.78.0" } } } diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf index 67dea407..b5e0c3a8 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/main.tf 
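Review bot: In the `azurerm_key_vault.default` hunk, `purge_protection_enabled` goes from `true` to `false` alongside the removal of `network_acls`, while the commit subject only mentions the ACLs. With purge protection off, a soft-deleted vault and its keys and secrets can be purged permanently before the retention period ends, which is a separate decision from opening the network path. If the aim is to make the quickstart easy to tear down, say so in place, e.g. `purge_protection_enabled = false # quickstart only: allows purge on destroy; set to true for vaults holding real keys`. Dropping `network_acls` leaves the vault on the provider's default network behaviour (presumably allow-all), which matches the readme's public-connectivity statement but merits a one-line comment as well. The resource block starts above the hunk.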
@@ -4,7 +4,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "=2.76.0" + version = "=2.78.0" } } } From e814b48966a695b0ed9e2964b57520d9b4c39299 Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 24 Sep 2021 14:25:06 -0400 Subject: [PATCH 41/53] adding resource dependency to compute instance --- .../compute.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf index aa16e3b5..026c21a1 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf @@ -13,6 +13,10 @@ resource "azurerm_machine_learning_compute_instance" "compute_instance" { machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id virtual_machine_size = "STANDARD_DS2_V2" subnet_resource_id = var.training_subnet_resource_id + + depends_on = [ + azurerm_private_endpoint.mlw_ple + ] } # Compute cluster From 44955e34222c1a25350e15f70247515df880cc0a Mon Sep 17 00:00:00 2001 From: ryhud Date: Fri, 24 Sep 2021 14:30:07 -0400 Subject: [PATCH 42/53] adding TF native image_build_compute setting --- .../workspace.tf | 15 +++------------ .../workspace.tf | 15 +++------------ 2 files changed, 6 insertions(+), 24 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index deb00941..28ddee0a 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -59,6 +59,8 @@ resource "azurerm_machine_learning_workspace" "default" { identity { type = "SystemAssigned" } + + image_build_compute_name = var.image_build_compute_name } # Private endpoints 
@@ -176,15 +178,4 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { identity { type = "SystemAssigned" } -} - -# Update workspace for image-build-compute -resource "null_resource" "ws_image_build_compute"{ - provisioner "local-exec" { - command = < Date: Fri, 24 Sep 2021 14:33:46 -0400 Subject: [PATCH 43/53] updating aks subnetvar default to larger cidr --- .../201-machine-learning-moderately-secure/variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/variables.tf b/quickstart/201-machine-learning-moderately-secure/variables.tf index bc226931..6a67c802 100644 --- a/quickstart/201-machine-learning-moderately-secure/variables.tf +++ b/quickstart/201-machine-learning-moderately-secure/variables.tf @@ -24,19 +24,19 @@ variable "vnet_address_space" { variable "training_subnet_address_space" { type = list(string) description = "Address space of the training subnet" - default = ["10.0.0.0/24"] + default = ["10.0.1.0/24"] } variable "aks_subnet_address_space" { type = list(string) description = "Address space of the aks subnet" - default = ["10.0.1.0/24"] + default = ["10.0.2.0/23"] } variable "ml_subnet_address_space" { type = list(string) description = "Address space of the ML workspace subnet" - default = ["10.0.2.0/24"] + default = ["10.0.0.0/24"] } variable "image_build_compute_name" { From 8d25835eab58a62407419a36e1aa2d01bddc975a Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 24 Sep 2021 12:15:24 -0700 Subject: [PATCH 44/53] Include public mode arg for completeness --- .../201-machine-learning-moderately-secure/workspace.tf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index 28ddee0a..a39982e9 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf 
+++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf @@ -55,12 +55,15 @@ resource "azurerm_machine_learning_workspace" "default" { key_vault_id = azurerm_key_vault.default.id storage_account_id = azurerm_storage_account.default.id container_registry_id = azurerm_container_registry.default.id - + identity { type = "SystemAssigned" } + # Args of use when using an Azure Private Link configuration + public_network_access_enabled = false image_build_compute_name = var.image_build_compute_name + } # Private endpoints @@ -178,4 +181,4 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { identity { type = "SystemAssigned" } -} \ No newline at end of file +} From 71e22e1e3b61e5ba77fc8189541a2b0c0dc312a0 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Fri, 24 Sep 2021 12:16:23 -0700 Subject: [PATCH 45/53] Include public network access arg --- .../workspace.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index 79ede245..56bf85ba 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -59,7 +59,9 @@ resource "azurerm_machine_learning_workspace" "default" { identity { type = "SystemAssigned" } - + + # Args of use when using an Azure Private Link configuration + public_network_access_enabled = false image_build_compute_name = var.image_build_compute_name } @@ -181,4 +183,4 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { identity { type = "SystemAssigned" } -} \ No newline at end of file +} From a609b64fd19a5597d6dee5ea4dd432c691f95254 Mon Sep 17 00:00:00 2001 
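Review bot: The comment `# Args of use when using an Azure Private Link configuration` above `public_network_access_enabled = false` does not say what the setting does, and it also appears to cover `image_build_compute_name`, which is a different concern. State the security intent directly, e.g. `# Disable the workspace's public endpoint; access goes through the private endpoint only`, and give `image_build_compute_name` its own line of explanation. The same comment is added to the 202 `workspace.tf` in PATCH 45. The `azurerm_machine_learning_workspace.default` block starts above both hunks.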
From: Dennis Eikelenboom Date: Tue, 28 Sep 2021 12:31:17 -0700 Subject: [PATCH 46/53] update image_build_compute ref --- quickstart/201-machine-learning-moderately-secure/readme.md | 2 +- .../readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 17bbf831..1a43286b 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -38,7 +38,7 @@ This configuration describes the minimal set of resources you require to get sta | training_subnet_address_space | Address space of the training subnet | | aks_subnet_address_space | Address space of the aks subnet | | ml_subnet_address_space | Address space of the ML workspace subnet | -| image_build_compute_name | Name of the compute cluster to be created and set to build docker images | +| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | ## Usage diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index c3b68e67..db1c8425 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
@@ -35,7 +35,7 @@ Please note that this template does not create Azure Private DNS zones. The assu | name | Name of the deployment | | environment | The deployment environment name (used for pre- and postfixing resource names) | | location | The Azure region used for deployments | -| image_build_compute_name | Name of the compute cluster to be created and set to build docker images | +| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | | training_subnet_resource_id | Resource ID of the existing training subnet | | aks_subnet_resource_id | Resource ID of the existing aks subnet | | ml_subnet_resource_id | Resource ID of the existing ML workspace subnet | From 9fcd0f3fb2ccd3895ca4af625c24a2888130ca9d Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Wed, 29 Sep 2021 08:48:01 -0700 Subject: [PATCH 47/53] apply terraform fmt --- quickstart/101-machine-learning/compute.tf | 10 ++--- quickstart/101-machine-learning/workspace.tf | 12 +++--- .../compute.tf | 8 ++-- .../network.tf | 24 ++++++------ .../workspace.tf | 38 +++++++++---------- .../compute.tf | 10 ++--- .../workspace.tf | 36 +++++++++--------- 7 files changed, 69 insertions(+), 69 deletions(-) diff --git a/quickstart/101-machine-learning/compute.tf b/quickstart/101-machine-learning/compute.tf index d8ec709a..3d75fdd4 100644 --- a/quickstart/101-machine-learning/compute.tf +++ b/quickstart/101-machine-learning/compute.tf @@ -1,9 +1,9 @@ # Generate random string for unique compute instance name resource "random_string" "ci_prefix" { - length = 8 - upper = false + length = 8 + upper = false special = false - number = false + number = false } # Compute instance @@ -21,7 +21,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id vm_priority = "Dedicated" vm_size = "STANDARD_DS2_V2" - + identity { type = "SystemAssigned" } 
@@ -31,5 +31,5 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { max_node_count = 3 scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } - + } \ No newline at end of file diff --git a/quickstart/101-machine-learning/workspace.tf b/quickstart/101-machine-learning/workspace.tf index 95f4e978..0b018893 100644 --- a/quickstart/101-machine-learning/workspace.tf +++ b/quickstart/101-machine-learning/workspace.tf @@ -24,11 +24,11 @@ resource "azurerm_storage_account" "default" { } resource "azurerm_container_registry" "default" { - name = "cr${var.name}${var.environment}" - location = azurerm_resource_group.default.location - resource_group_name = azurerm_resource_group.default.name - sku = "Premium" - admin_enabled = true + name = "cr${var.name}${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + sku = "Premium" + admin_enabled = true } # Machine Learning workspace @@ -40,7 +40,7 @@ resource "azurerm_machine_learning_workspace" "default" { key_vault_id = azurerm_key_vault.default.id storage_account_id = azurerm_storage_account.default.id container_registry_id = azurerm_container_registry.default.id - + identity { type = "SystemAssigned" } diff --git a/quickstart/201-machine-learning-moderately-secure/compute.tf b/quickstart/201-machine-learning-moderately-secure/compute.tf index ee2983b1..e5be7fbb 100644 --- a/quickstart/201-machine-learning-moderately-secure/compute.tf +++ b/quickstart/201-machine-learning-moderately-secure/compute.tf @@ -1,9 +1,9 @@ # Generate random string for unique compute instance name resource "random_string" "ci_prefix" { - length = 8 - upper = false + length = 8 + upper = false special = false - number = false + number = false } # Compute instance 
@@ -27,7 +27,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { vm_priority = "Dedicated" vm_size = "STANDARD_DS2_V2" subnet_resource_id = azurerm_subnet.snet-training.id - + identity { type = "SystemAssigned" } diff --git a/quickstart/201-machine-learning-moderately-secure/network.tf b/quickstart/201-machine-learning-moderately-secure/network.tf index c1751545..0e56d74d 100644 --- a/quickstart/201-machine-learning-moderately-secure/network.tf +++ b/quickstart/201-machine-learning-moderately-secure/network.tf 
@@ -7,26 +7,26 @@ resource "azurerm_virtual_network" "default" { } resource "azurerm_subnet" "snet-training" { - name = "snet-training" - resource_group_name = azurerm_resource_group.default.name - virtual_network_name = azurerm_virtual_network.default.name - address_prefixes = var.training_subnet_address_space + name = "snet-training" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = var.training_subnet_address_space enforce_private_link_endpoint_network_policies = true } resource "azurerm_subnet" "snet-aks" { - name = "snet-aks" - resource_group_name = azurerm_resource_group.default.name - virtual_network_name = azurerm_virtual_network.default.name - address_prefixes = var.aks_subnet_address_space + name = "snet-aks" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = var.aks_subnet_address_space enforce_private_link_endpoint_network_policies = true } resource "azurerm_subnet" "snet-workspace" { - name = "snet-workspace" - resource_group_name = azurerm_resource_group.default.name - virtual_network_name = azurerm_virtual_network.default.name - address_prefixes = var.ml_subnet_address_space + name = "snet-workspace" + resource_group_name = azurerm_resource_group.default.name + virtual_network_name = azurerm_virtual_network.default.name + address_prefixes = var.ml_subnet_address_space enforce_private_link_endpoint_network_policies = true } diff --git a/quickstart/201-machine-learning-moderately-secure/workspace.tf b/quickstart/201-machine-learning-moderately-secure/workspace.tf index a39982e9..34b24334 100644 --- a/quickstart/201-machine-learning-moderately-secure/workspace.tf +++ b/quickstart/201-machine-learning-moderately-secure/workspace.tf 
@@ -13,10 +13,10 @@ resource "azurerm_key_vault" "default" { tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" purge_protection_enabled = true - + network_acls { default_action = "Deny" - bypass = "AzureServices" + bypass = "AzureServices" } } @@ -29,20 +29,20 @@ resource "azurerm_storage_account" "default" { network_rules { default_action = "Deny" - bypass = ["AzureServices"] + bypass = ["AzureServices"] } } resource "azurerm_container_registry" "default" { - name = "cr${var.name}${var.environment}" - location = azurerm_resource_group.default.location - resource_group_name = azurerm_resource_group.default.name - sku = "Premium" - admin_enabled = true + name = "cr${var.name}${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + sku = "Premium" + admin_enabled = true network_rule_set { default_action = "Deny" - } + } public_network_access_enabled = false } @@ -55,15 +55,15 @@ resource "azurerm_machine_learning_workspace" "default" { key_vault_id = azurerm_key_vault.default.id storage_account_id = azurerm_storage_account.default.id container_registry_id = azurerm_container_registry.default.id - + identity { type = "SystemAssigned" } - + # Args of use when using an Azure Private Link configuration public_network_access_enabled = false - image_build_compute_name = var.image_build_compute_name - + image_build_compute_name = var.image_build_compute_name + } # Private endpoints @@ -81,7 +81,7 @@ resource "azurerm_private_endpoint" "kv_ple" { private_service_connection { name = "psc-${var.name}-kv" private_connection_resource_id = azurerm_key_vault.default.id - subresource_names = [ "vault" ] + subresource_names = ["vault"] is_manual_connection = false } } 
@@ -100,7 +100,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" { private_service_connection { name = "psc-${var.name}-st" private_connection_resource_id = azurerm_storage_account.default.id - subresource_names = [ "blob" ] + subresource_names = ["blob"] is_manual_connection = false } } @@ -119,7 +119,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" { private_service_connection { name = "psc-${var.name}-st" private_connection_resource_id = azurerm_storage_account.default.id - subresource_names = [ "file" ] + subresource_names = ["file"] is_manual_connection = false } } @@ -138,7 +138,7 @@ resource "azurerm_private_endpoint" "cr_ple" { private_service_connection { name = "psc-${var.name}-cr" private_connection_resource_id = azurerm_container_registry.default.id - subresource_names = [ "registry" ] + subresource_names = ["registry"] is_manual_connection = false } } @@ -157,7 +157,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { private_service_connection { name = "psc-${var.name}-mlw" private_connection_resource_id = azurerm_machine_learning_workspace.default.id - subresource_names = [ "amlworkspace" ] + subresource_names = ["amlworkspace"] is_manual_connection = false } } @@ -165,7 +165,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { # Compute cluster for image building required since the workspace is behind a vnet. # For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds. resource "azurerm_machine_learning_compute_cluster" "image-builder" { - name = "${var.image_build_compute_name}" + name = var.image_build_compute_name location = azurerm_resource_group.default.location vm_priority = "LowPriority" vm_size = "Standard_DS2_v2" diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf index 026c21a1..ae11470b 100644 
--- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf @@ -1,9 +1,9 @@ # Generate random string for unique compute instance name resource "random_string" "ci_prefix" { - length = 8 - upper = false + length = 8 + upper = false special = false - number = false + number = false } # Compute instance @@ -27,7 +27,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { vm_priority = "Dedicated" vm_size = "STANDARD_DS2_V2" subnet_resource_id = var.training_subnet_resource_id - + identity { type = "SystemAssigned" } @@ -37,5 +37,5 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { max_node_count = 3 scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes } - + } \ No newline at end of file diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index 56bf85ba..dae223a1 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -13,10 +13,10 @@ resource "azurerm_key_vault" "default" { tenant_id = data.azurerm_client_config.current.tenant_id sku_name = "premium" purge_protection_enabled = true - + network_acls { default_action = "Deny" - bypass = "AzureServices" + bypass = "AzureServices" } } 
@@ -29,20 +29,20 @@ resource "azurerm_storage_account" "default" { network_rules { default_action = "Deny" - bypass = ["AzureServices"] + bypass = ["AzureServices"] } } resource "azurerm_container_registry" "default" { - name = "cr${var.name}${var.environment}" - location = azurerm_resource_group.default.location - resource_group_name = azurerm_resource_group.default.name - sku = "Premium" - admin_enabled = true + name = "cr${var.name}${var.environment}" + location = azurerm_resource_group.default.location + resource_group_name = azurerm_resource_group.default.name + sku = "Premium" + admin_enabled = true network_rule_set { default_action = "Deny" - } + } public_network_access_enabled = false } @@ -59,10 +59,10 @@ resource "azurerm_machine_learning_workspace" "default" { identity { type = "SystemAssigned" } - + # Args of use when using an Azure Private Link configuration public_network_access_enabled = false - image_build_compute_name = var.image_build_compute_name + image_build_compute_name = var.image_build_compute_name } # Private endpoints @@ -80,7 +80,7 @@ resource "azurerm_private_endpoint" "kv_ple" { private_service_connection { name = "psc-${var.name}-kv" private_connection_resource_id = azurerm_key_vault.default.id - subresource_names = [ "vault" ] + subresource_names = ["vault"] is_manual_connection = false } } @@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" { private_service_connection { name = "psc-${var.name}-st" private_connection_resource_id = azurerm_storage_account.default.id - subresource_names = [ "blob" ] + subresource_names = ["blob"] is_manual_connection = false } } @@ -118,7 +118,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" { private_service_connection { name = "psc-${var.name}-st" private_connection_resource_id = azurerm_storage_account.default.id - subresource_names = [ "file" ] + subresource_names = ["file"] is_manual_connection = false } } 
@@ -137,7 +137,7 @@ resource "azurerm_private_endpoint" "cr_ple" { private_service_connection { name = "psc-${var.name}-cr" private_connection_resource_id = azurerm_container_registry.default.id - subresource_names = [ "registry" ] + subresource_names = ["registry"] is_manual_connection = false } } @@ -149,7 +149,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { subnet_id = var.ml_subnet_resource_id private_dns_zone_group { - name = "private-dns-zone-group" + name = "private-dns-zone-group" private_dns_zone_ids = [ var.privatelink_api_azureml_ms_resource_id, var.privatelink_notebooks_azure_net_resource_id @@ -159,7 +159,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { private_service_connection { name = "psc-${var.name}-mlw" private_connection_resource_id = azurerm_machine_learning_workspace.default.id - subresource_names = [ "amlworkspace" ] + subresource_names = ["amlworkspace"] is_manual_connection = false } } @@ -167,7 +167,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { # Compute cluster for image building required since the workspace is behind a vnet. # For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds. resource "azurerm_machine_learning_compute_cluster" "image-builder" { - name = "${var.image_build_compute_name}" + name = var.image_build_compute_name location = azurerm_resource_group.default.location vm_priority = "LowPriority" vm_size = "Standard_DS2_v2" From 5c674c6100f1718146d5f7d2954c093b8f89d389 Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Wed, 29 Sep 2021 09:13:01 -0700 Subject: [PATCH 48/53] Include variable defaults in read me --- quickstart/101-machine-learning/readme.md | 10 +++---- .../readme.md | 21 ++++++------- .../readme.md | 30 +++++++++---------- .../variables.tf | 1 + 4 files changed, 32 insertions(+), 30 deletions(-) 
diff --git a/quickstart/101-machine-learning/readme.md b/quickstart/101-machine-learning/readme.md index c7c9584f..56c63e2d 100644 --- a/quickstart/101-machine-learning/readme.md +++ b/quickstart/101-machine-learning/readme.md @@ -22,11 +22,11 @@ Network connectivity to the workspace is allowed over public endpoints, making t ## Variables -| Name | Description | -|-|-| -| name | Name of the deployment | -| environment | The deployment environment name (used for pre- and postfixing resource names) | -| location | The Azure region used for deployments | +| Name | Description | Default | +|-|-|-| +| name | Name of the deployment | - | +| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | +| location | The Azure region used for deployments | East US | ## Usage diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 1a43286b..d9691f1c 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md 
@@ -29,16 +29,17 @@ This configuration describes the minimal set of resources you require to get sta ## Variables -| Name | Description | -|-|-| -| name | Name of the deployment | -| environment | The deployment environment name (used for pre- and postfixing resource names) | -| location | The Azure region used for deployments | -| vnet_address_space | Address space of the virtual network | -| training_subnet_address_space | Address space of the training subnet | -| aks_subnet_address_space | Address space of the aks subnet | -| ml_subnet_address_space | Address space of the ML workspace subnet | -| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | +| Name | Description | Default | +|-|-|-| +| name | Name of the deployment | - | +| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | +| location | The Azure region used for deployments | East US | +| vnet_address_space | Address space of the virtual network | ["10.0.0.0/16"] | +| training_subnet_address_space | Address space of the training subnet | ["10.0.1.0/24"] | +| aks_subnet_address_space | Address space of the aks subnet | ["10.0.2.0/23"] | +| ml_subnet_address_space | Address space of the ML workspace subnet | ["10.0.0.0/24"] | +| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder | + ## Usage diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index db1c8425..970d07ff 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
@@ -30,21 +30,21 @@ Please note that this template does not create Azure Private DNS zones. The assu ## Variables -| Name | Description | -|-|-| -| name | Name of the deployment | -| environment | The deployment environment name (used for pre- and postfixing resource names) | -| location | The Azure region used for deployments | -| image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | -| training_subnet_resource_id | Resource ID of the existing training subnet | -| aks_subnet_resource_id | Resource ID of the existing aks subnet | -| ml_subnet_resource_id | Resource ID of the existing ML workspace subnet | -| privatelink_api_azureml_ms_resource_id | Resource ID of the existing privatelink.api.azureml.ms private dns zone | -| privatelink_azurecr_io_resource_id | Resource ID of the existing privatelink.azurecr.io private dns zone | -| privatelink_notebooks_azure_net_resource_id | Resource ID of the existing privatelink.notebooks.azure.net private dns zone | -| privatelink_blob_core_windows_net_resource_id | Resource ID of the existing privatelink.blob.core.windows.net private dns zone | -| privatelink_file_core_windows_net_resource_id | Resource ID of the existing privatelink.file.core.windows.net private dns zone | -| privatelink_vaultcore_azure_net_resource_id | Resource ID of the existing privatelink.vaultcore.azure.net private dns zone | +| Name | Description | Default | +|-|-|-| +| name | Name of the deployment | - | +| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | +| location | The Azure region used for deployments | East US | +| training_subnet_resource_id | Resource ID of the existing training subnet | - | +| aks_subnet_resource_id | Resource ID of the existing aks subnet | - | +| ml_subnet_resource_id | Resource ID of the existing ML workspace subnet | - | +| image_build_compute_name | Name of the compute cluster to be 
created and configured for building docker images (Azure ML Environments) | image-builder | +| privatelink_api_azureml_ms_resource_id | Resource ID of the existing privatelink.api.azureml.ms private dns zone | - | +| privatelink_azurecr_io_resource_id | Resource ID of the existing privatelink.azurecr.io private dns zone | - | +| privatelink_notebooks_azure_net_resource_id | Resource ID of the existing privatelink.notebooks.azure.net private dns zone | - | +| privatelink_blob_core_windows_net_resource_id | Resource ID of the existing privatelink.blob.core.windows.net private dns zone | - | +| privatelink_file_core_windows_net_resource_id | Resource ID of the existing privatelink.file.core.windows.net private dns zone | - | +| privatelink_vaultcore_azure_net_resource_id | Resource ID of the existing privatelink.vaultcore.azure.net private dns zone | - | ## Usage diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf index 894d03f8..04f138d2 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf @@ -12,6 +12,7 @@ variable "environment" { variable "location" { type = string description = "Location of the resources" + default = "East US" } variable "image_build_compute_name" { From ac8b38f3dd5e0de9d965838bbee5f5526a4dddbf Mon Sep 17 00:00:00 2001 From: ryhud Date: Wed, 29 Sep 2021 14:07:54 -0400 Subject: [PATCH 49/53] updating readme variables --- .../readme.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index 970d07ff..ac2e55f0 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md @@ -35,9 +35,11 @@ Please note that this template does not create Azure Private DNS zones. The assu | name | Name of the deployment | - | | environment | The deployment environment name (used for pre- and postfixing resource names) | dev | | location | The Azure region used for deployments | East US | -| training_subnet_resource_id | Resource ID of the existing training subnet | - | -| aks_subnet_resource_id | Resource ID of the existing aks subnet | - | -| ml_subnet_resource_id | Resource ID of the existing ML workspace subnet | - | +| vnet_resource_group_name | Name of the existing VNet Resource Group | - | +| vnet_name | Name of the existing VNet | - | +| training_subnet_name | Name of the existing training subnet | - | +| aks_subnet_name | Name of the existing aks subnet | - | +| ml_subnet_name | Name of the existing ML workspace subnet | - | | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder | | privatelink_api_azureml_ms_resource_id | Resource ID of the existing privatelink.api.azureml.ms private dns zone | - | | privatelink_azurecr_io_resource_id | Resource ID of the existing privatelink.azurecr.io private dns zone | - | From 855902809994d193804f8a769f905cd096636ecc Mon Sep 17 00:00:00 2001 From: ryhud Date: Wed, 29 Sep 2021 14:10:20 -0400 Subject: [PATCH 50/53] updating TF variables --- .../compute.tf | 4 +-- .../network.tf | 28 ++++++++++++++++--- .../variables.tf | 25 ++++++++++++----- .../workspace.tf | 12 ++++---- 4 files changed, 50 insertions(+), 19 deletions(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf index ae11470b..3f7c118f 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf 
+++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf @@ -12,7 +12,7 @@ resource "azurerm_machine_learning_compute_instance" "compute_instance" { location = azurerm_resource_group.default.location machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id virtual_machine_size = "STANDARD_DS2_V2" - subnet_resource_id = var.training_subnet_resource_id + subnet_resource_id = "${data.azurerm_subnet.training.id}" depends_on = [ azurerm_private_endpoint.mlw_ple @@ -26,7 +26,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id vm_priority = "Dedicated" vm_size = "STANDARD_DS2_V2" - subnet_resource_id = var.training_subnet_resource_id + subnet_resource_id = "${data.azurerm_subnet.training.id}" identity { type = "SystemAssigned" diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf index 09c6a8bc..52ed9f13 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf @@ -1,3 +1,23 @@ +# Data Sources + +data "azurerm_subnet" "training" { + name = var.training_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group_name +} + +data "azurerm_subnet" "aks" { + name = var.aks_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group_name +} + +data "azurerm_subnet" "ml" { + name = var.ml_subnet_name + virtual_network_name = var.vnet_name + resource_group_name = var.vnet_resource_group_name +} + # Network Security Groups resource "azurerm_network_security_group" "nsg-training" { name = "nsg-training" 
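Review bot: The three `data "azurerm_subnet"` blocks added at the top of network.tf all resolve against the same `var.vnet_name` and `var.vnet_resource_group_name`, which the `# Data Sources` comment does not say; with the resource-ID variables this commit removes, each subnet was passed independently. I would replace the comment with `# Existing subnets, looked up by name; all three must be in var.vnet_name (resource group var.vnet_resource_group_name)`. The `ml` subnet is where the private endpoints in workspace.tf are placed, and the 201 template sets `enforce_private_link_endpoint_network_policies = true` on the subnets it creates, so this template presumably needs the same setting on the existing subnet; that prerequisite is neither checked nor documented here and is worth stating next to the `ml` lookup.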
@@ -30,7 +50,7 @@ resource "azurerm_network_security_group" "nsg-training" { } resource "azurerm_subnet_network_security_group_association" "nsg-training-link" { - subnet_id = var.training_subnet_resource_id + subnet_id = "${data.azurerm_subnet.training.id}" network_security_group_id = azurerm_network_security_group.nsg-training.id } @@ -43,7 +63,7 @@ resource "azurerm_network_security_group" "nsg-aks" { } resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { - subnet_id = var.aks_subnet_resource_id + subnet_id = "${data.azurerm_subnet.aks.id}" network_security_group_id = azurerm_network_security_group.nsg-aks.id } @@ -81,7 +101,7 @@ resource "azurerm_route" "training-BatchRoute" { } resource "azurerm_subnet_route_table_association" "rt-training-link" { - subnet_id = var.training_subnet_resource_id + subnet_id = "${data.azurerm_subnet.training.id}" route_table_id = azurerm_route_table.rt-training.id } @@ -101,6 +121,6 @@ resource "azurerm_route" "aks-Internet-Route" { } resource "azurerm_subnet_route_table_association" "rt-aks-link" { - subnet_id = var.aks_subnet_resource_id + subnet_id = "${data.azurerm_subnet.aks.id}" route_table_id = azurerm_route_table.rt-aks.id } \ No newline at end of file diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf index 04f138d2..6abe1b18 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/variables.tf 
@@ -21,20 +21,31 @@ variable "image_build_compute_name" { default = "image-builder" } -# Existing subnets variables -variable "training_subnet_resource_id" { +# Existing vnet and subnets variables + +variable "vnet_resource_group_name" { type = string - description = "Resource ID of the existing training subnet" + description = "Name of the resource group for the existing VNet" } -variable "aks_subnet_resource_id" { +variable "vnet_name" { type = string - description = "Resource ID of the existing aks subnet" + description = "Name of the existing VNet" } -variable "ml_subnet_resource_id" { +variable "training_subnet_name" { type = string - description = "Resource ID of the existing ML workspace subnet" + description = "Name of the existing training subnet" +} + +variable "aks_subnet_name" { + type = string + description = "Name of the existing aks subnet" +} + +variable "ml_subnet_name" { + type = string + description = "Name of the existing ML workspace subnet" } diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index dae223a1..6c02bc58 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -70,7 +70,7 @@ resource "azurerm_private_endpoint" "kv_ple" { name = "ple-${var.name}-${var.environment}-kv" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = var.ml_subnet_resource_id + subnet_id = "${data.azurerm_subnet.ml.id}" private_dns_zone_group { name = "private-dns-zone-group" 
@@ -89,7 +89,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" { name = "ple-${var.name}-${var.environment}-st-blob" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = var.ml_subnet_resource_id + subnet_id = "${data.azurerm_subnet.ml.id}" private_dns_zone_group { name = "private-dns-zone-group" @@ -108,7 +108,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" { name = "ple-${var.name}-${var.environment}-st-file" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = var.ml_subnet_resource_id + subnet_id = "${data.azurerm_subnet.ml.id}" private_dns_zone_group { name = "private-dns-zone-group" @@ -127,7 +127,7 @@ resource "azurerm_private_endpoint" "cr_ple" { name = "ple-${var.name}-${var.environment}-cr" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = var.ml_subnet_resource_id + subnet_id = "${data.azurerm_subnet.ml.id}" private_dns_zone_group { name = "private-dns-zone-group" @@ -146,7 +146,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { name = "ple-${var.name}-${var.environment}-mlw" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = var.ml_subnet_resource_id + subnet_id = "${data.azurerm_subnet.ml.id}" private_dns_zone_group { name = "private-dns-zone-group" @@ -172,7 +172,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { vm_priority = "LowPriority" vm_size = "Standard_DS2_v2" machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id - subnet_resource_id = var.training_subnet_resource_id + subnet_resource_id = "${data.azurerm_subnet.training.id}" scale_settings { min_node_count = 0 From b63853c77b6b4f3983d987dcfd1e1eafcaa6fab0 Mon Sep 17 00:00:00 2001 
From: Dennis Eikelenboom Date: Wed, 29 Sep 2021 13:26:50 -0700 Subject: [PATCH 51/53] use data construct to reference existing resources --- .../compute.tf | 4 ++-- .../network.tf | 8 ++++---- .../readme.md | 5 +++++ .../workspace.tf | 12 ++++++------ 4 files changed, 17 insertions(+), 12 deletions(-) diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf index 3f7c118f..c8ddab0f 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/compute.tf @@ -12,7 +12,7 @@ resource "azurerm_machine_learning_compute_instance" "compute_instance" { location = azurerm_resource_group.default.location machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id virtual_machine_size = "STANDARD_DS2_V2" - subnet_resource_id = "${data.azurerm_subnet.training.id}" + subnet_resource_id = data.azurerm_subnet.training.id depends_on = [ azurerm_private_endpoint.mlw_ple @@ -26,7 +26,7 @@ resource "azurerm_machine_learning_compute_cluster" "compute" { machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id vm_priority = "Dedicated" vm_size = "STANDARD_DS2_V2" - subnet_resource_id = "${data.azurerm_subnet.training.id}" + subnet_resource_id = data.azurerm_subnet.training.id identity { type = "SystemAssigned" diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf index 52ed9f13..7c1b7c8f 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/network.tf 
@@ -50,7 +50,7 @@ resource "azurerm_network_security_group" "nsg-training" { } resource "azurerm_subnet_network_security_group_association" "nsg-training-link" { - subnet_id = "${data.azurerm_subnet.training.id}" + subnet_id = data.azurerm_subnet.training.id network_security_group_id = azurerm_network_security_group.nsg-training.id } @@ -63,7 +63,7 @@ resource "azurerm_network_security_group" "nsg-aks" { } resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" { - subnet_id = "${data.azurerm_subnet.aks.id}" + subnet_id = data.azurerm_subnet.aks.id network_security_group_id = azurerm_network_security_group.nsg-aks.id } @@ -101,7 +101,7 @@ resource "azurerm_route" "training-BatchRoute" { } resource "azurerm_subnet_route_table_association" "rt-training-link" { - subnet_id = "${data.azurerm_subnet.training.id}" + subnet_id = data.azurerm_subnet.training.id route_table_id = azurerm_route_table.rt-training.id } @@ -121,6 +121,6 @@ resource "azurerm_route" "aks-Internet-Route" { } resource "azurerm_subnet_route_table_association" "rt-aks-link" { - subnet_id = "${data.azurerm_subnet.aks.id}" + subnet_id = data.azurerm_subnet.aks.id route_table_id = azurerm_route_table.rt-aks.id } \ No newline at end of file diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index ac2e55f0..18f31e65 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md 
@@ -41,6 +41,11 @@ Please note that this template does not create Azure Private DNS zones. The assu | aks_subnet_name | Name of the existing aks subnet | - | | ml_subnet_name | Name of the existing ML workspace subnet | - | | image_build_compute_name | Name of the compute cluster to be created and configured for building docker images (Azure ML Environments) | image-builder | +| vnet_resource_group_name | Name of the resource group for the existing VNet | - | +| vnet_name | Name of the existing VNet | - | +| training_subnet_name | Name of the existing training subnet | - | +| aks_subnet_name | Name of the existing AKS subnet | - | +| ml_subnet_name | Name of the existing ML workspace subnet | - | | privatelink_api_azureml_ms_resource_id | Resource ID of the existing privatelink.api.azureml.ms private dns zone | - | | privatelink_azurecr_io_resource_id | Resource ID of the existing privatelink.azurecr.io private dns zone | - | | privatelink_notebooks_azure_net_resource_id | Resource ID of the existing privatelink.notebooks.azure.net private dns zone | - | diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf index 6c02bc58..bda44146 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf @@ -70,7 +70,7 @@ resource "azurerm_private_endpoint" "kv_ple" { name = "ple-${var.name}-${var.environment}-kv" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = "${data.azurerm_subnet.ml.id}" + subnet_id = data.azurerm_subnet.ml.id private_dns_zone_group { name = "private-dns-zone-group" 
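Review bot: The `kv_ple` private endpoint in the workspace.tf hunk is placed in `data.azurerm_subnet.ml.id`, an existing subnet whose settings this configuration cannot change, and the readme rows visible here do not say what that subnet must look like. Depending on the provider and API version, private endpoints may require private endpoint network policies to be disabled on the target subnet (in older azurerm releases, `enforce_private_link_endpoint_network_policies = true` on the subnet resource); with a data source this has to be done by whoever owns the VNet, otherwise the apply presumably stops partway with only some endpoints created. The `st_ple_blob`, `storage_ple_file`, `cr_ple` and `mlw_ple` hunks that follow share this. I would add a readme line such as `The ML workspace subnet must allow private endpoints (private endpoint network policies disabled) before applying.` The `kv_ple` resource body starts and ends outside the hunk.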
@@ -89,7 +89,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" { name = "ple-${var.name}-${var.environment}-st-blob" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = "${data.azurerm_subnet.ml.id}" + subnet_id = data.azurerm_subnet.ml.id private_dns_zone_group { name = "private-dns-zone-group" @@ -108,7 +108,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" { name = "ple-${var.name}-${var.environment}-st-file" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = "${data.azurerm_subnet.ml.id}" + subnet_id = data.azurerm_subnet.ml.id private_dns_zone_group { name = "private-dns-zone-group" @@ -127,7 +127,7 @@ resource "azurerm_private_endpoint" "cr_ple" { name = "ple-${var.name}-${var.environment}-cr" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = "${data.azurerm_subnet.ml.id}" + subnet_id = data.azurerm_subnet.ml.id private_dns_zone_group { name = "private-dns-zone-group" @@ -146,7 +146,7 @@ resource "azurerm_private_endpoint" "mlw_ple" { name = "ple-${var.name}-${var.environment}-mlw" location = azurerm_resource_group.default.location resource_group_name = azurerm_resource_group.default.name - subnet_id = "${data.azurerm_subnet.ml.id}" + subnet_id = data.azurerm_subnet.ml.id private_dns_zone_group { name = "private-dns-zone-group" @@ -172,7 +172,7 @@ resource "azurerm_machine_learning_compute_cluster" "image-builder" { vm_priority = "LowPriority" vm_size = "Standard_DS2_v2" machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id - subnet_resource_id = "${data.azurerm_subnet.training.id}" + subnet_resource_id = data.azurerm_subnet.training.id scale_settings { min_node_count = 0 From 7f015dd153dbe9ef43123adbf56923305372e556 Mon Sep 17 00:00:00 2001 
From: Dennis Eikelenboom Date: Wed, 29 Sep 2021 13:52:43 -0700 Subject: [PATCH 52/53] update readme --- .../201-machine-learning-moderately-secure/readme.md | 6 +++++- .../readme.md | 8 ++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index d9691f1c..4dda0e69 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -46,7 +46,11 @@ This configuration describes the minimal set of resources you require to get sta ```bash terraform init -terraform plan -var name=azureml567 -out demo.tfplan +terraform plan \ + -var name=azureml567 \ + -var environment=dev \ + -var \ + -out demo.tfplan terraform apply "demo.tfplan" ``` diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index 18f31e65..0327d64d 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md @@ -33,7 +33,7 @@ Please note that this template does not create Azure Private DNS zones. The assu | Name | Description | Default | |-|-|-| | name | Name of the deployment | - | -| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | +| environment | The deployment environment name (used for pre- and postfixing resource names) | dev | | location | The Azure region used for deployments | East US | | vnet_resource_group_name | Name of the existing VNet Resource Group | - | | vnet_name | Name of the existing VNet | - | 
@@ -58,7 +58,11 @@ Please note that this template does not create Azure Private DNS zones. The assu ```bash terraform init -terraform plan -var name=azureml567 -out demo.tfplan +terraform plan \ + -var name=azureml567 \ + -var environment=dev \ + -var \ + -out demo.tfplan terraform apply "demo.tfplan" ``` From 2f2199f20467fcb99983041a966015ab06ebee7f Mon Sep 17 00:00:00 2001 From: Dennis Eikelenboom Date: Wed, 29 Sep 2021 14:01:30 -0700 Subject: [PATCH 53/53] include var --- quickstart/201-machine-learning-moderately-secure/readme.md | 2 +- .../readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/quickstart/201-machine-learning-moderately-secure/readme.md b/quickstart/201-machine-learning-moderately-secure/readme.md index 4dda0e69..1d206849 100644 --- a/quickstart/201-machine-learning-moderately-secure/readme.md +++ b/quickstart/201-machine-learning-moderately-secure/readme.md @@ -49,7 +49,7 @@ terraform init terraform plan \ -var name=azureml567 \ -var environment=dev \ - -var \ + # -var \ -out demo.tfplan terraform apply "demo.tfplan" diff --git a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md index 0327d64d..4e7690c4 100644 --- a/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md +++ b/quickstart/202-machine-learning-moderately-secure-existing-VNet/readme.md @@ -61,7 +61,7 @@ terraform init terraform plan \ -var name=azureml567 \ -var environment=dev \ - -var \ + # -var \ -out demo.tfplan terraform apply "demo.tfplan"