The ARC Terraform module provides a robust and fully extensible solution for managing SageMaker Studio domains, user profiles, models, endpoint, endpoint configurations, and pipelines. It supports custom app settings, and VPC integration to meet enterprise-grade machine learning needs. With dynamic configurations and secure defaults, the module enables rapid, consistent, and scalable SageMaker infrastructure provisioning using best practices.
Before using this module, ensure you have the following:
- AWS credentials configured.
- Terraform installed.
- A working knowledge of Terraform.
- Define the Module
Initially, it's essential to define a Terraform module, which is organized as a distinct directory encompassing Terraform configuration files. Within this module directory, input variables and output values must be defined in the variables.tf and outputs.tf files, respectively. The following illustrates an example directory structure:
sagemaker/
|-- main.tf
|-- variables.tf
|-- outputs.tf
- Define Input Variables
Inside the variables.tf or in *.tfvars file, you should define values for the variables that the module requires.
- Use the Module in Your Main Configuration In your main Terraform configuration file (e.g., main.tf), you can use the module. Specify the source of the module, and version, For Example
module "sagemaker_model" {
source = "sourcefuse/arc-sagemaker/aws"
version = "0.0.1"
name = "terraform-arc"
create_endpoint_config = true
create_model = true
primary_container = {
image = "683313688378.dkr.ecr.us-east-1.amazonaws.com/sagemaker-scikit-learn:1.0-1-cpu-py3"
model_data_url = "s3://your-sagemaker-model-bucket-21-05-25/model/model.tar.gz"
environment = {}
}
production_variants = [
{
variant_name = "AllTraffic"
initial_instance_count = 1
instance_type = "ml.m5.large"
initial_variant_weight = 1.0
}
]
tags = module.tags.tags
}- Output Values
Inside the outputs.tf file of the module, you can define output values that can be referenced in the main configuration. For example:
output "model_name" {
description = "Name of the SageMaker model"
value = module.sagemaker_model.model_name
}
output "model_arn" {
description = "ARN of the SageMaker model"
value = module.sagemaker_model.model_arn
}
output "endpoint_config_arn" {
description = "ARN of the SageMaker endpoint configuration"
value = module.sagemaker_model.endpoint_config_arn
}
- .tfvars
Inside the .tfvars file of the module, you can provide desired values that can be referenced in the main configuration.
uncomment the backend block in main.tf
terraform init -backend-config=config.dev.hclIf testing locally, terraform init should be fine
Create a dev workspace
terraform workspace new devPlan Terraform
terraform plan -var-file dev.tfvarsApply Terraform
terraform apply -var-file dev.tfvarsterraform init -backend-config=config.prod.hclCreate a prod workspace
terraform workspace new prodPlan Terraform
terraform plan -var-file prod.tfvarsApply Terraform
terraform apply -var-file prod.tfvars Destroy Terraform
terraform destroy -var-file dev.tfvars| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| aws | ~> 5.0 |
| Name | Version |
|---|---|
| aws | 5.100.0 |
| Name | Source | Version |
|---|---|---|
| arc_security_group | sourcefuse/arc-security-group/aws | 0.0.1 |
| Name | Type |
|---|---|
| aws_iam_role.execution_role | resource |
| aws_iam_role.pipeline_role | resource |
| aws_iam_role.sagemaker_execution_role | resource |
| aws_iam_role_policy.execution_role_custom | resource |
| aws_iam_role_policy.pipeline_role_custom | resource |
| aws_iam_role_policy_attachment.attach_policy | resource |
| aws_iam_role_policy_attachment.execution_role_all_policies | resource |
| aws_iam_role_policy_attachment.pipeline_role_sagemaker_full_access | resource |
| aws_sagemaker_domain.this | resource |
| aws_sagemaker_endpoint.this | resource |
| aws_sagemaker_endpoint_configuration.this | resource |
| aws_sagemaker_model.this | resource |
| aws_sagemaker_pipeline.this | resource |
| aws_sagemaker_user_profile.this | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_iam_policies | List of additional IAM policy ARNs to attach to the execution role | list(string) |
[] |
no |
| additional_security_group_ids | List of additional security group IDs to attach to the domain | list(string) |
[] |
no |
| app_network_access_type | Specifies the VPC used for non-EFS traffic. Valid values are PublicInternetOnly and VpcOnly | string |
"PublicInternetOnly" |
no |
| app_security_group_management | The entity that creates and manages the required security groups for inter-app communication in VPCOnly mode. Valid values are Service and Customer | string |
"Service" |
no |
| async_inference_config | (Optional) Configuration for asynchronous inference. | object({ |
null |
no |
| auth_mode | The mode of authentication that members use to access the domain. Valid values are IAM and SSO | string |
"IAM" |
no |
| container | List of containers for inference pipeline (alternative to primary_container) | list(any) |
null |
no |
| create_domain | Whether to create the SageMaker domain | bool |
false |
no |
| create_endpoint | Whether to create the SageMaker endpoint | bool |
false |
no |
| create_endpoint_config | Whether to create the SageMaker endpoint configuration | bool |
false |
no |
| create_execution_role | Whether to create an execution role for SageMaker | bool |
false |
no |
| create_model | Whether to create the SageMaker model | bool |
false |
no |
| create_pipeline | Whether to create the SageMaker pipeline | bool |
false |
no |
| create_pipeline_role | Whether to create a separate role for pipelines | bool |
false |
no |
| create_sagemaker_execution_role | Whether to create an SageMaker execution role | bool |
false |
no |
| create_security_groups | Whether to create security groups for SageMaker Studio | bool |
false |
no |
| create_user_profile | Whether to create the SageMaker user profile | bool |
false |
no |
| data_capture_config | (Optional) Configuration for capturing input/output data. | object({ |
null |
no |
| default_space_settings | The default space settings for the domain | object({ |
null |
no |
| default_user_settings | The default user settings for the domain | object({ |
null |
no |
| deployment_config | Deployment configuration block | object({ |
null |
no |
| domain_name | The name of the SageMaker domain | string |
"arc-sagemaker-domain" |
no |
| domain_settings | The domain settings | object({ |
null |
no |
| enable_network_isolation | Isolate the model container from external network | bool |
null |
no |
| execution_role_name | Name of the execution role to create | string |
"SageMakerStudioExecutionRole" |
no |
| execution_role_path | Path for the execution role | string |
"/" |
no |
| inference_execution_config | Multi-container execution configuration | object({ |
null |
no |
| kms_key_arn | (Optional) ARN of the KMS key to encrypt storage volume data. | string |
null |
no |
| kms_key_id | The AWS KMS customer managed CMK used to encrypt the EFS volume attached to the domain | string |
null |
no |
| name | The name of the SageMaker model. | string |
"terraform-sg" |
no |
| name_prefix | (Optional) Prefix for the endpoint configuration name. Conflicts with name. | string |
null |
no |
| pipeline_role_name | Name of the pipeline role to create | string |
"SageMakerPipelineExecutionRole" |
no |
| pipeline_role_path | Path for the pipeline role | string |
"/" |
no |
| pipelines | List of SageMaker pipelines to create | list(object({ |
[] |
no |
| primary_container | Primary container block | object({ |
{ |
no |
| production_variants | (Required) List of production variant configurations. | list(object({ |
[ |
no |
| retention_policy | The retention policy for the domain | object({ |
null |
no |
| security_group_data | (optional) Security Group data | object({ |
{ |
no |
| security_group_name | sagemaker security group name | string |
"sagemaker-sg" |
no |
| shadow_production_variants | (Optional) List of shadow production variant configurations. | list(object({ |
[] |
no |
| subnet_ids | The VPC subnets that Studio uses for communication | list(string) |
[] |
no |
| tag_propagation | Indicates whether custom tag propagation is supported for the domain. Valid values are ENABLED and DISABLED | string |
"DISABLED" |
no |
| tags | Tags to assign to the SageMaker model | map(string) |
{} |
no |
| user_profiles | List of user profiles to create | list(object({ |
[] |
no |
| vpc_config | VPC configuration for the model | object({ |
null |
no |
| vpc_id | The ID of the VPC that Studio uses for communication | string |
null |
no |
| Name | Description |
|---|---|
| domain_arn | ARN of the SageMaker domain |
| domain_id | ID of the SageMaker domain |
| domain_url | URL to access the SageMaker Studio |
| endpoint_arn | ARN of the SageMaker endpoint |
| endpoint_config_arn | ARN of the SageMaker endpoint configuration |
| endpoint_config_name | Name of the SageMaker endpoint configuration |
| endpoint_name | Name of the SageMaker endpoint |
| model_arn | ARN of the SageMaker model |
| model_name | Name of the SageMaker model |
| pipeline_arns | List of SageMaker pipeline ARNs |
| pipeline_names | List of SageMaker pipeline names |
| user_profile_names | List of SageMaker user profile names |
| user_profiles | Map of SageMaker user profiles with their ARNs |
This project uses a .version file at the root of the repo which the pipeline reads from and does a git tag.
When you intend to commit to main, you will need to increment this version. Once the project is merged,
the pipeline will kick off and tag the latest git commit.
- Configure pre-commit hooks
pre-commit install
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
git commit -m "your commit message #major"By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly
- Tests are available in
testdirectory - Configure the dependencies
cd test/ go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name> go get github.com/gruntwork-io/terratest/modules/terraform
- Now execute the test
go test -timeout 30m
This project is authored by:
- SourceFuse ARC Team