Merge pull request #450 from harsh97/main
Updating AQUA stack
Showing
12 changed files
with
389 additions
and
4 deletions.
@@ -0,0 +1,50 @@ | ||
# Copyright (c) 2022 Oracle and/or its affiliates. All rights reserved. | ||
# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl. | ||
# | ||
|
||
# Creates and Publishes the Oracle Resource Manager stack - v0.0.5 | ||
|
||
name: Generate stacks and publish release | ||
|
||
on: | ||
push: | ||
branches: [ main ] | ||
paths: ['VERSION'] | ||
|
||
jobs: | ||
|
||
publish_stack: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
|
||
- name: Create stacks | ||
id: create_stacks | ||
run: | | ||
STACKNAME=oci-ods-aqua | ||
STACK_FILES="ai-quick-actions/policies/terraform/*" | ||
RELEASE=$(cat VERSION) | ||
ASSETS+="${STACKNAME}.zip" | ||
echo "::group::Processing $STACKNAME" | ||
zip -r ${STACKNAME}-stack.zip $STACK_FILES || { printf '\n⛔ Unable to create %s stack.\n'; exit 1; } | ||
cp ${STACKNAME}-stack.zip ${STACKNAME}.zip || { printf '\n⛔ Unable to create %s stack.\n'; exit 1; } | ||
echo "::endgroup::" | ||
echo "::set-output name=assets::$ASSETS" | ||
echo "::set-output name=release::$RELEASE" | ||
echo "::set-output name=prefix::$STACKNAME" | ||
- name: Prepare Release Notes | ||
run: | | ||
# | ||
printf '%s\n' '${{ steps.create_stacks.outputs.prefix }} Stack - v${{ steps.create_stacks.outputs.release }}' >release.md | ||
printf '%s\n' '' '## [![Deploy to Oracle Cloud][magic_button]][magic_stack]' >>release.md | ||
printf '%s\n' '' '' >>release.md | ||
printf '%s\n' '' '[magic_button]: https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg' >>release.md | ||
printf '%s\n' '' '[magic_stack]: https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/${{ github.repository }}/releases/download/${{ steps.create_stacks.outputs.release }}/${{ steps.create_stacks.outputs.prefix }}.zip' >>release.md | ||
- name: Create Release | ||
run: gh release create ${{ steps.create_stacks.outputs.release }} --generate-notes -F release.md ${{ steps.create_stacks.outputs.assets }} | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
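Review bot: The `publish_stack` job that runs `gh release create` in the last step declares no `permissions:` block, so it relies on whatever default `GITHUB_TOKEN` scope the repository grants instead of asking for exactly what it needs; adding `permissions: { contents: write }` at the job level keeps the token least-privilege, and pinning `actions/checkout@v3` to a full commit SHA would make the checkout step reproducible. The `::set-output` commands in the `Create stacks` step are deprecated in favour of writing to the outputs file, e.g. `echo "assets=$ASSETS" >> "$GITHUB_OUTPUT"` (same for `release` and `prefix`). Both `printf '\n⛔ Unable to create %s stack.\n'` calls pass no argument for `%s`, so the failure message prints an empty stack name; add `"$STACKNAME"` as the argument.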
@@ -0,0 +1 @@ | ||
1.0 |
Binary file not shown.
@@ -0,0 +1,117 @@ | ||
resource "oci_identity_dynamic_group" "aqua-dynamic-group" { | ||
count = local.is_admin_policies_only ? 0 : 1 | ||
compartment_id = var.tenancy_ocid | ||
description = "Data Science Aqua Dynamic Group" | ||
name = var.aqua_dg_name | ||
matching_rule = local.is_resource_policy_required? local.aqua_dg_match: local.aqua_admin_only_dg_match | ||
} | ||
|
||
resource "oci_identity_dynamic_group" "distributed_training_job_runs" { | ||
count = local.is_resource_policy_required ? 1 : 0 | ||
compartment_id = var.tenancy_ocid | ||
description = "Data Science Distributed Training Job Runs Group" | ||
name = var.distributed_training_dg_name | ||
matching_rule = "any {all {resource.type='datasciencejobrun',resource.compartment.id='${var.compartment_ocid}'}}" | ||
} | ||
|
||
|
||
locals { | ||
is_admin_policies_only = var.deployment_type == "Only admin policies" | ||
is_resource_policy_only = var.deployment_type == "Only resource policies" | ||
is_all_policies = var.deployment_type == "All policies" | ||
is_resource_policy_required = var.deployment_type != "Only admin policies" | ||
// Aqua dg matching rules | ||
aqua_admin_only_dg_match = "all {resource.type='datasciencenotebooksession'}" | ||
aqua_dg_match = "any {all {resource.type='datasciencenotebooksession',resource.compartment.id='${var.compartment_ocid}'}, all {resource.type='datasciencemodeldeployment',resource.compartment.id='${var.compartment_ocid}'}, all {resource.type='datasciencejobrun',resource.compartment.id='${var.compartment_ocid}'}}" | ||
is_compartment_tenancy = length(regexall(".*tenancy.*", var.compartment_ocid)) > 0 | ||
compartment_policy_string = local.is_compartment_tenancy ? "tenancy" : "compartment id ${var.compartment_ocid}" | ||
policy_tenancy = local.is_resource_policy_only? var.compartment_ocid : var.tenancy_ocid | ||
// Contains only necessary admin policies. These policies will be created in the tenancy. When the user selects "Only admin policies" these policies will be created. | ||
aqua_admin_only_policies = local.is_admin_policies_only?[ | ||
"Define tenancy datascience as ocid1.tenancy.oc1..aaaaaaaax5hdic7ya6r5rxsgpifff4l6xdxzltnrncdzp3m75ubbvzqqzn3q", | ||
"Endorse any-user to read data-science-models in tenancy datascience where ALL {target.compartment.name='service-managed-models'}", | ||
"Endorse any-user to inspect data-science-models in tenancy datascience where ALL {target.compartment.name='service-managed-models'}", | ||
"Endorse any-user to read object in tenancy datascience where ALL {target.compartment.name='service-managed-models', target.bucket.name='service-managed-models'}", | ||
]:[] | ||
|
||
tenancy_map = ({ | ||
oc1: "ocid1.tenancy.oc1..aaaaaaaax5hdic7ya6r5rxsgpifff4l6xdxzltnrncdzp3m75ubbvzqqzn3q" | ||
oc8: "ocid1.tenancy.oc8..aaaaaaaa2nxkxxix6ngdcifswvrezlmuylejvse4x6oa2ub4wfaduyz547wa" | ||
}) | ||
user_realm = element(split(".", var.tenancy_ocid), 2) | ||
service_tenancy_ocid = lookup(local.tenancy_map, local.user_realm, "UNKNOWN") | ||
|
||
// These are encompassing policies that will be created in the tenancy. When the user selects "All policies" these policies will be created. | ||
aqua_all_policies = local.is_all_policies? [ | ||
"Define tenancy datascience as ${local.service_tenancy_ocid}", | ||
"Endorse any-user to read data-science-models in tenancy datascience where ALL {target.compartment.name='service-managed-models'}", | ||
"Endorse any-user to inspect data-science-models in tenancy datascience where ALL {target.compartment.name='service-managed-models'}", | ||
"Endorse any-user to read object in tenancy datascience where ALL {target.compartment.name='service-managed-models', target.bucket.name='service-managed-models'}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-model-deployments in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-models in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to use logging-family in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-jobs in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-job-runs in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to use virtual-network-family in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to read resource-availability in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-projects in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-notebook-sessions in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-modelversionsets in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to read buckets in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to read objectstorage-namespaces in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to inspect compartments in tenancy" | ||
]:[] | ||
|
||
// Aqua resource only policies. These policies will be created in a specific compartment. When the user selects "Only resource policies" these policies will be created. | ||
aqua_resource_only_policies = local.is_resource_policy_only? [ | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-model-deployments in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-models in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to use logging-family in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-jobs in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-job-runs in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to use virtual-network-family in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to read resource-availability in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-projects in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-notebook-sessions in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage data-science-modelversionsets in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to read buckets in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to read objectstorage-namespaces in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to inspect compartments in ${local.compartment_policy_string}" | ||
]:[] | ||
|
||
policies_to_use = local.is_admin_policies_only ? local.aqua_admin_only_policies : local.is_resource_policy_only ? local.aqua_resource_only_policies : local.aqua_all_policies | ||
|
||
all_buckets = concat(var.user_model_buckets, var.user_data_buckets) | ||
bucket_names = join(", ", formatlist("target.bucket.name='%s'", local.all_buckets)) | ||
bucket_names_oss = join(", ", formatlist("all{target.bucket.name='%s', any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}}", local.all_buckets)) | ||
dt_jr_policies = local.is_resource_policy_required?[ | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.distributed_training_job_runs[0].id} to use logging-family in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.distributed_training_job_runs[0].id} to manage data-science-models in ${local.compartment_policy_string}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.distributed_training_job_runs[0].id} to read data-science-jobs in ${local.compartment_policy_string}" | ||
]: [] | ||
dt_jr_policies_target_buckets = local.is_resource_policy_required? [ | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.distributed_training_job_runs[0].id} to manage objects in ${local.compartment_policy_string} where any {${local.bucket_names}}", | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.distributed_training_job_runs[0].id} to read buckets in ${local.compartment_policy_string} where any {${local.bucket_names}}" | ||
]: [] | ||
aqua_policies_target_buckets = local.is_resource_policy_required?[ | ||
"Allow dynamic-group id ${oci_identity_dynamic_group.aqua-dynamic-group[0].id} to manage object-family in ${local.compartment_policy_string} where any {${local.bucket_names_oss}}" | ||
]:[] | ||
|
||
} | ||
|
||
resource "oci_identity_policy" "aqua-policy" { | ||
compartment_id = local.policy_tenancy | ||
description = "Data Science Aqua Policies" | ||
name = var.aqua_policy_name | ||
statements = length(local.bucket_names) > 0 ? concat(local.policies_to_use, local.aqua_policies_target_buckets): local.policies_to_use | ||
} | ||
|
||
resource "oci_identity_policy" "distributed_training_job_runs_policy" { | ||
count = local.is_resource_policy_required ? 1 : 0 | ||
compartment_id = local.policy_tenancy | ||
description = "Distributed Training Job Runs Policies" | ||
name = var.distributed_training_policy_name | ||
statements = length(local.bucket_names) > 0 ? concat(local.dt_jr_policies, local.dt_jr_policies_target_buckets) : local.dt_jr_policies | ||
} | ||
|
||
|
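Review bot: `aqua_admin_only_policies` hard-codes the oc1 service tenancy OCID in its `Define tenancy datascience as …` statement, while `aqua_all_policies` derives the same value from `local.service_tenancy_ocid` via `tenancy_map`, so an "Only admin policies" deployment in another realm (oc8 is in the map) would endorse the wrong tenancy; unless oc1-only is intended there, the line should read `"Define tenancy datascience as ${local.service_tenancy_ocid}",`. The `lookup(local.tenancy_map, local.user_realm, "UNKNOWN")` fallback silently yields `Define tenancy datascience as UNKNOWN` for an unmapped realm and only fails at apply with an opaque policy error; a `precondition` on `oci_identity_policy.aqua-policy` (or a `validation` on the tenancy variable) that rejects the `UNKNOWN` value would fail early with a clear message. Separately, `aqua_admin_only_dg_match` carries no `resource.compartment.id` constraint, so in admin-only mode the dynamic group matches every notebook session in the tenancy while every other matching rule here is compartment-scoped; if that breadth is intentional, a comment on the local saying so would help.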
@@ -0,0 +1,7 @@ | ||
output "deployment_type" { | ||
value = var.deployment_type | ||
} | ||
|
||
output "aqua_info" { | ||
value = "https://docs.oracle.com/en-us/iaas/data-science/using/ai-quick-actions.htm" | ||
} |
@@ -0,0 +1,12 @@ | ||
|
||
terraform { | ||
required_version = ">= 1.0" | ||
} | ||
|
||
provider "oci" { | ||
region = var.region | ||
tenancy_ocid = var.tenancy_ocid | ||
# auth = "SecurityToken" | ||
# config_file_profile = "DEFAULT" | ||
} | ||
|
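Review bot: The `terraform` block pins only `required_version` and has no `required_providers` entry, so the `oci` provider's source and version are unconstrained and every `terraform init` (or Resource Manager run) resolves whatever the latest release is; pinning the provider to the version the stack was tested against makes applies reproducible and keeps a provider update from silently changing how the policy and dynamic-group resources behave. The commented-out `auth` / `config_file_profile` lines in `provider "oci"` look like local-development leftovers and could either be dropped or given a comment explaining when to enable them.
```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "~> <TESTED_PROVIDER_VERSION>" # placeholder: pin to the release this stack was validated with
    }
  }
}
# … unchanged: provider "oci" block …
```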
@@ -0,0 +1,47 @@ | ||
#************************************* | ||
# IAM Specific | ||
#************************************* | ||
variable "aqua_policy_name" { | ||
default = "DataScienceAquaPolicies" | ||
} | ||
|
||
variable "aqua_dg_name" { | ||
default = "DataScienceAquaDynamicGroup" | ||
} | ||
|
||
variable "distributed_training_dg_name" { | ||
default = "DistributedTrainingJobRunsDynamicGroup" | ||
} | ||
|
||
variable "distributed_training_policy_name" { | ||
default = "DistributedTrainingJobRunsPolicies" | ||
} | ||
|
||
#************************************* | ||
# TF Requirements | ||
#************************************* | ||
variable "tenancy_ocid" { | ||
} | ||
variable "region" { | ||
} | ||
variable "compartment_ocid" { | ||
} | ||
variable "user_model_buckets" { | ||
default = [] | ||
type = list(string) | ||
description = "List buckets for storing fine tuning models and evaluation. Important: To save fine-tuned models, versioning has to be enabled in the selected Object Storage bucket." | ||
} | ||
variable "user_data_buckets" { | ||
default = [] | ||
type = list(string) | ||
description = "List buckets for storing dataset used for fine tuning and evaluation." | ||
} | ||
|
||
variable "deployment_type" { | ||
type = string | ||
description = "Type of deployment" | ||
validation { | ||
condition = contains(["All policies", "Only admin policies", "Only resource policies"], var.deployment_type) | ||
error_message = "The deployment_type must be one of: 'All policies', 'Only admin policies', 'Only resource policies'." | ||
} | ||
} |
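Review bot: `tenancy_ocid`, `region` and `compartment_ocid` under "TF Requirements" are declared with empty bodies, unlike the other variables in this file, so they carry no `type` or `description` and the generated stack form offers no guidance for them; `type = string` plus a one-line `description` on each would match the rest of the file. Since the policies file decides policy scope by regex-matching `tenancy` inside `compartment_ocid`, a `validation` block on that variable checking the value starts with `ocid1.` would catch a mistyped OCID before apply rather than producing a mis-scoped policy.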
Binary file not shown.