Dennis Eikelenboom
GitHub
commit
a6baf22a68
37
quickstart/201-machine-learning-moderately-secure/.gitignore
vendored
Normal file
37
quickstart/201-machine-learning-moderately-secure/.gitignore
vendored
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
# Local .terraform directories
|
||||||
|
**/.terraform/*
|
||||||
|
|
||||||
|
# .tfstate files
|
||||||
|
*.tfstate
|
||||||
|
*.tfstate.*
|
||||||
|
|
||||||
|
# Crash log files
|
||||||
|
crash.log
|
||||||
|
|
||||||
|
# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
|
||||||
|
# .tfvars files are managed as part of configuration and so should be included in
|
||||||
|
# version control.
|
||||||
|
#
|
||||||
|
# example.tfvars
|
||||||
|
|
||||||
|
# Ignore override files as they are usually used to override resources locally and so
|
||||||
|
# are not checked in
|
||||||
|
override.tf
|
||||||
|
override.tf.json
|
||||||
|
*_override.tf
|
||||||
|
*_override.tf.json
|
||||||
|
values.tfvars
|
||||||
|
*.tfvars
|
||||||
|
settings.tfvars
|
||||||
|
# Include override files you do wish to add to version control using negated pattern
|
||||||
|
#
|
||||||
|
# !example_override.tf
|
||||||
|
|
||||||
|
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
|
||||||
|
# example: *tfplan*
|
||||||
|
terraform/.terraform.lock.hcl
|
||||||
|
.DS_Store
|
||||||
|
terraform/.terraform.lock.hcl
|
||||||
|
terraform/.terraform.lock.hcl
|
||||||
|
.terraform.lock.hcl
|
||||||
|
terraform/.terraform.lock.hcl
|
||||||
@ -4,7 +4,7 @@ terraform {
|
|||||||
required_providers {
|
required_providers {
|
||||||
azurerm = {
|
azurerm = {
|
||||||
source = "hashicorp/azurerm"
|
source = "hashicorp/azurerm"
|
||||||
version = "=2.72.0"
|
version = "=2.76.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -6,11 +6,27 @@ resource "azurerm_virtual_network" "default" {
|
|||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "azurerm_subnet" "mlsubnet" {
|
resource "azurerm_subnet" "snet-training" {
|
||||||
name = "mlsubnet"
|
name = "snet-training"
|
||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
virtual_network_name = azurerm_virtual_network.default.name
|
virtual_network_name = azurerm_virtual_network.default.name
|
||||||
address_prefixes = var.subnet_address_space
|
address_prefixes = var.training_subnet_address_space
|
||||||
|
enforce_private_link_endpoint_network_policies = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_subnet" "snet-aks" {
|
||||||
|
name = "snet-aks"
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
virtual_network_name = azurerm_virtual_network.default.name
|
||||||
|
address_prefixes = var.aks_subnet_address_space
|
||||||
|
enforce_private_link_endpoint_network_policies = true
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_subnet" "snet-workspace" {
|
||||||
|
name = "snet-workspace"
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
virtual_network_name = azurerm_virtual_network.default.name
|
||||||
|
address_prefixes = var.ml_subnet_address_space
|
||||||
enforce_private_link_endpoint_network_policies = true
|
enforce_private_link_endpoint_network_policies = true
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -87,3 +103,110 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnetlinknbs" {
|
|||||||
private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
|
private_dns_zone_name = azurerm_private_dns_zone.dnsnotebooks.name
|
||||||
virtual_network_id = azurerm_virtual_network.default.id
|
virtual_network_id = azurerm_virtual_network.default.id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Network Security Groups
|
||||||
|
|
||||||
|
resource "azurerm_network_security_group" "nsg-training" {
|
||||||
|
name = "nsg-training"
|
||||||
|
location = azurerm_resource_group.default.location
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
|
||||||
|
security_rule {
|
||||||
|
name = "BatchNodeManagement"
|
||||||
|
priority = 100
|
||||||
|
direction = "Inbound"
|
||||||
|
access = "Allow"
|
||||||
|
protocol = "Tcp"
|
||||||
|
source_port_range = "*"
|
||||||
|
destination_port_range = "29876-29877"
|
||||||
|
source_address_prefix = "BatchNodeManagement"
|
||||||
|
destination_address_prefix = "*"
|
||||||
|
}
|
||||||
|
security_rule {
|
||||||
|
name = "AzureMachineLearning"
|
||||||
|
priority = 110
|
||||||
|
direction = "Inbound"
|
||||||
|
access = "Allow"
|
||||||
|
protocol = "Tcp"
|
||||||
|
source_port_range = "*"
|
||||||
|
destination_port_range = "44224"
|
||||||
|
source_address_prefix = "AzureMachineLearning"
|
||||||
|
destination_address_prefix = "*"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_subnet_network_security_group_association" "nsg-training-link" {
|
||||||
|
subnet_id = azurerm_subnet.snet-training.id
|
||||||
|
network_security_group_id = azurerm_network_security_group.nsg-training.id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_network_security_group" "nsg-aks" {
|
||||||
|
name = "nsg-aks"
|
||||||
|
location = azurerm_resource_group.default.location
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_subnet_network_security_group_association" "nsg-aks-link" {
|
||||||
|
subnet_id = azurerm_subnet.snet-aks.id
|
||||||
|
network_security_group_id = azurerm_network_security_group.nsg-aks.id
|
||||||
|
}
|
||||||
|
|
||||||
|
# User Defined Routes
|
||||||
|
|
||||||
|
#UDR for Compute instance and compute clusters
|
||||||
|
resource "azurerm_route_table" "rt-training" {
|
||||||
|
name = "rt-training"
|
||||||
|
location = azurerm_resource_group.default.location
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_route" "training-Internet-Route" {
|
||||||
|
name = "Internet"
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
route_table_name = azurerm_route_table.rt-training.name
|
||||||
|
address_prefix = "0.0.0.0/0"
|
||||||
|
next_hop_type = "Internet"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_route" "training-AzureMLRoute" {
|
||||||
|
name = "AzureMLRoute"
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
route_table_name = azurerm_route_table.rt-training.name
|
||||||
|
address_prefix = "AzureMachineLearning"
|
||||||
|
next_hop_type = "Internet"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_route" "training-BatchRoute" {
|
||||||
|
name = "BatchRoute"
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
route_table_name = azurerm_route_table.rt-training.name
|
||||||
|
address_prefix = "BatchNodeManagement"
|
||||||
|
next_hop_type = "Internet"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_subnet_route_table_association" "rt-training-link" {
|
||||||
|
subnet_id = azurerm_subnet.snet-training.id
|
||||||
|
route_table_id = azurerm_route_table.rt-training.id
|
||||||
|
}
|
||||||
|
# Inferencing (AKS) Route
|
||||||
|
|
||||||
|
resource "azurerm_route_table" "rt-aks" {
|
||||||
|
name = "rt-aks"
|
||||||
|
location = azurerm_resource_group.default.location
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_route" "aks-Internet-Route" {
|
||||||
|
name = "Internet"
|
||||||
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
|
route_table_name = azurerm_route_table.rt-aks.name
|
||||||
|
address_prefix = "0.0.0.0/0"
|
||||||
|
next_hop_type = "Internet"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "azurerm_subnet_route_table_association" "rt-aks-link" {
|
||||||
|
subnet_id = azurerm_subnet.snet-aks.id
|
||||||
|
route_table_id = azurerm_route_table.rt-aks.id
|
||||||
|
}
|
||||||
@ -17,12 +17,30 @@ variable "location" {
|
|||||||
|
|
||||||
variable "vnet_address_space" {
|
variable "vnet_address_space" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
description = "Address space of the subnet"
|
description = "Address space of the virtual network"
|
||||||
default = ["10.0.0.0/16"]
|
default = ["10.0.0.0/16"]
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "subnet_address_space" {
|
variable "training_subnet_address_space" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
description = "Address space of the subnet"
|
description = "Address space of the training subnet"
|
||||||
default = ["10.0.0.0/24"]
|
default = ["10.0.0.0/24"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "aks_subnet_address_space" {
|
||||||
|
type = list(string)
|
||||||
|
description = "Address space of the aks subnet"
|
||||||
|
default = ["10.0.1.0/24"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ml_subnet_address_space" {
|
||||||
|
type = list(string)
|
||||||
|
description = "Address space of the ML workspace subnet"
|
||||||
|
default = ["10.0.2.0/24"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "image_build_compute_name" {
|
||||||
|
type = string
|
||||||
|
description = "Name of the compute cluster to be created and set to build docker images"
|
||||||
|
default = "image-builder"
|
||||||
}
|
}
|
||||||
@ -12,7 +12,7 @@ resource "azurerm_key_vault" "default" {
|
|||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
tenant_id = data.azurerm_client_config.current.tenant_id
|
tenant_id = data.azurerm_client_config.current.tenant_id
|
||||||
sku_name = "premium"
|
sku_name = "premium"
|
||||||
purge_protection_enabled = false
|
purge_protection_enabled = true
|
||||||
|
|
||||||
network_acls {
|
network_acls {
|
||||||
default_action = "Deny"
|
default_action = "Deny"
|
||||||
@ -61,7 +61,7 @@ resource "azurerm_private_endpoint" "kv_ple" {
|
|||||||
name = "ple-${var.name}-${var.environment}-kv"
|
name = "ple-${var.name}-${var.environment}-kv"
|
||||||
location = azurerm_resource_group.default.location
|
location = azurerm_resource_group.default.location
|
||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
subnet_id = azurerm_subnet.mlsubnet.id
|
subnet_id = azurerm_subnet.snet-workspace.id
|
||||||
|
|
||||||
private_dns_zone_group {
|
private_dns_zone_group {
|
||||||
name = "private-dns-zone-group"
|
name = "private-dns-zone-group"
|
||||||
@ -80,7 +80,7 @@ resource "azurerm_private_endpoint" "st_ple_blob" {
|
|||||||
name = "ple-${var.name}-${var.environment}-st-blob"
|
name = "ple-${var.name}-${var.environment}-st-blob"
|
||||||
location = azurerm_resource_group.default.location
|
location = azurerm_resource_group.default.location
|
||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
subnet_id = azurerm_subnet.mlsubnet.id
|
subnet_id = azurerm_subnet.snet-workspace.id
|
||||||
|
|
||||||
private_dns_zone_group {
|
private_dns_zone_group {
|
||||||
name = "private-dns-zone-group"
|
name = "private-dns-zone-group"
|
||||||
@ -99,7 +99,7 @@ resource "azurerm_private_endpoint" "storage_ple_file" {
|
|||||||
name = "ple-${var.name}-${var.environment}-st-file"
|
name = "ple-${var.name}-${var.environment}-st-file"
|
||||||
location = azurerm_resource_group.default.location
|
location = azurerm_resource_group.default.location
|
||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
subnet_id = azurerm_subnet.mlsubnet.id
|
subnet_id = azurerm_subnet.snet-workspace.id
|
||||||
|
|
||||||
private_dns_zone_group {
|
private_dns_zone_group {
|
||||||
name = "private-dns-zone-group"
|
name = "private-dns-zone-group"
|
||||||
@ -118,7 +118,7 @@ resource "azurerm_private_endpoint" "cr_ple" {
|
|||||||
name = "ple-${var.name}-${var.environment}-cr"
|
name = "ple-${var.name}-${var.environment}-cr"
|
||||||
location = azurerm_resource_group.default.location
|
location = azurerm_resource_group.default.location
|
||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
subnet_id = azurerm_subnet.mlsubnet.id
|
subnet_id = azurerm_subnet.snet-workspace.id
|
||||||
|
|
||||||
private_dns_zone_group {
|
private_dns_zone_group {
|
||||||
name = "private-dns-zone-group"
|
name = "private-dns-zone-group"
|
||||||
@ -137,7 +137,7 @@ resource "azurerm_private_endpoint" "mlw_ple" {
|
|||||||
name = "ple-${var.name}-${var.environment}-mlw"
|
name = "ple-${var.name}-${var.environment}-mlw"
|
||||||
location = azurerm_resource_group.default.location
|
location = azurerm_resource_group.default.location
|
||||||
resource_group_name = azurerm_resource_group.default.name
|
resource_group_name = azurerm_resource_group.default.name
|
||||||
subnet_id = azurerm_subnet.mlsubnet.id
|
subnet_id = azurerm_subnet.snet-workspace.id
|
||||||
|
|
||||||
private_dns_zone_group {
|
private_dns_zone_group {
|
||||||
name = "private-dns-zone-group"
|
name = "private-dns-zone-group"
|
||||||
@ -153,5 +153,36 @@ resource "azurerm_private_endpoint" "mlw_ple" {
|
|||||||
subresource_names = [ "amlworkspace" ]
|
subresource_names = [ "amlworkspace" ]
|
||||||
is_manual_connection = false
|
is_manual_connection = false
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds
|
||||||
|
|
||||||
}
|
resource "azurerm_machine_learning_compute_cluster" "image-builder" {
|
||||||
|
name = "${var.image_build_compute_name}"
|
||||||
|
location = azurerm_resource_group.default.location
|
||||||
|
vm_priority = "LowPriority"
|
||||||
|
vm_size = "Standard_DS2_v2"
|
||||||
|
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
|
||||||
|
subnet_resource_id = azurerm_subnet.snet-training.id
|
||||||
|
|
||||||
|
scale_settings {
|
||||||
|
min_node_count = 0
|
||||||
|
max_node_count = 1
|
||||||
|
scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds
|
||||||
|
}
|
||||||
|
|
||||||
|
identity {
|
||||||
|
type = "SystemAssigned"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Update workspace for image-build-compute
|
||||||
|
|
||||||
|
resource "null_resource" "ws_image_build_compute"{
|
||||||
|
provisioner "local-exec" {
|
||||||
|
command = <<EOF
|
||||||
|
az ml workspace update --resource-group ${azurerm_resource_group.default.name} --workspace-name ${azurerm_machine_learning_workspace.default.name} --image-build-compute ${azurerm_machine_learning_compute_cluster.image-builder.name}
|
||||||
|
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
depends_on = [azurerm_machine_learning_compute_cluster.image-builder]
|
||||||
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user