Adding 202 for existing VNet

quickstart/202-machine-learning-moderately-secure-existing-VNet/workspace.tf

@@ -0,0 +1,193 @@
+# Dependent resources for Azure Machine Learning
+resource "azurerm_application_insights" "default" {
+  name                = "appi-${var.name}-${var.environment}"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  application_type    = "web"
+}
+
+resource "azurerm_key_vault" "default" {
+  name                     = "kv-${var.name}-${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  sku_name                 = "premium"
+  purge_protection_enabled = true
+  
+  network_acls {
+    default_action = "Deny"
+    bypass = "AzureServices"
+  }
+}
+
+resource "azurerm_storage_account" "default" {
+  name                     = "st${var.name}${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+
+  network_rules {
+    default_action = "Deny"
+    bypass = ["AzureServices"]
+  }
+}
+
+resource "azurerm_container_registry" "default" {
+  name                     = "cr${var.name}${var.environment}"
+  location                 = azurerm_resource_group.default.location
+  resource_group_name      = azurerm_resource_group.default.name
+  sku                      = "Premium"
+  admin_enabled            = true
+
+  network_rule_set {
+    default_action = "Deny"
+    }
+  public_network_access_enabled = false
+}
+
+# Machine Learning workspace
+resource "azurerm_machine_learning_workspace" "default" {
+  name                    = "mlw-${var.name}-${var.environment}"
+  location                = azurerm_resource_group.default.location
+  resource_group_name     = azurerm_resource_group.default.name
+  application_insights_id = azurerm_application_insights.default.id
+  key_vault_id            = azurerm_key_vault.default.id
+  storage_account_id      = azurerm_storage_account.default.id
+  container_registry_id   = azurerm_container_registry.default.id
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# Private endpoints
+resource "azurerm_private_endpoint" "kv_ple" {
+  name                = "ple-${var.name}-${var.environment}-kv"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = var.ml_subnet_resource_id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [var.privatelink_vaultcore_azure_net_resource_id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-kv"
+    private_connection_resource_id = azurerm_key_vault.default.id
+    subresource_names              = [ "vault" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "st_ple_blob" {
+  name                = "ple-${var.name}-${var.environment}-st-blob"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = var.ml_subnet_resource_id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [var.privatelink_blob_core_windows_net_resource_id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-st"
+    private_connection_resource_id = azurerm_storage_account.default.id
+    subresource_names              = [ "blob" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "storage_ple_file" {
+  name                = "ple-${var.name}-${var.environment}-st-file"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = var.ml_subnet_resource_id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [var.privatelink_file_core_windows_net_resource_id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-st"
+    private_connection_resource_id = azurerm_storage_account.default.id
+    subresource_names              = [ "file" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "cr_ple" {
+  name                = "ple-${var.name}-${var.environment}-cr"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = var.ml_subnet_resource_id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [var.privatelink_azurecr_io_resource_id]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-cr"
+    private_connection_resource_id = azurerm_container_registry.default.id
+    subresource_names              = [ "registry" ]
+    is_manual_connection           = false
+  }
+}
+
+resource "azurerm_private_endpoint" "mlw_ple" {
+  name                = "ple-${var.name}-${var.environment}-mlw"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  subnet_id           = var.ml_subnet_resource_id
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [
+      var.privatelink_api_azureml_ms_resource_id,
+      var.privatelink_notebooks_azure_net_resource_id
+    ]
+  }
+
+  private_service_connection {
+    name                           = "psc-${var.name}-mlw"
+    private_connection_resource_id = azurerm_machine_learning_workspace.default.id
+    subresource_names              = [ "amlworkspace" ]
+    is_manual_connection           = false
+  }
+}
+#Compute cluster for image building https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds
+
+resource "azurerm_machine_learning_compute_cluster" "image-builder" {
+  name                          = "${var.image_build_compute_name}"
+  location                      = azurerm_resource_group.default.location
+  vm_priority                   = "LowPriority"
+  vm_size                       = "Standard_DS2_v2"
+  machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
+  subnet_resource_id            = var.training_subnet_resource_id
+
+  scale_settings {
+    min_node_count                       = 0
+    max_node_count                       = 1
+    scale_down_nodes_after_idle_duration = "PT30S" # 30 seconds
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# Update workspace for image-build-compute
+
+resource "null_resource" "ws_image_build_compute"{
+  provisioner "local-exec" {
+    command = <<EOF
+    az ml workspace update --resource-group ${azurerm_resource_group.default.name} --workspace-name ${azurerm_machine_learning_workspace.default.name} --image-build-compute ${azurerm_machine_learning_compute_cluster.image-builder.name}
+    
+    EOF
+  }
+  depends_on = [azurerm_machine_learning_compute_cluster.image-builder]
+}