for sagemaker
# Configure the AWS provider
provider "aws" {
  # Every resource in this file is created in this region. The inference
  # container image URI further down hard-codes us-east-1 as well, so change
  # both together.
  region = "us-east-1"
}
# -----------------------------------------------------------------------------
# SageMaker Notebook Instance
# This is a classic way to interact with SageMaker for development and experimentation.
# -----------------------------------------------------------------------------
resource "aws_sagemaker_notebook_instance" "my_notebook_instance" {
  name     = "my-terraform-notebook"
  role_arn = aws_iam_role.sagemaker_notebook_role.arn # code run in the notebook acts with this role's permissions

  instance_type     = "ml.t2.medium" # pick a size that fits the workload
  volume_size_in_gb = 50             # size of the attached storage volume, in GB

  # NOTE(review): subnet_id, security_groups, direct_internet_access,
  # root_access and kms_key_id are all left unset, so the provider defaults
  # apply. Confirm that the default network exposure, root access for notebook
  # users and default volume encryption are acceptable before using this
  # outside a sandbox.

  tags = {
    Environment = "Development"
    Name        = "Terraform-Managed-Notebook"
  }
}
# IAM Role for SageMaker Notebook Instance
resource "aws_iam_role" "sagemaker_notebook_role" {
  name = "sagemaker-notebook-role-terraform"

  # Trust policy: only the SageMaker service principal may assume this role.
  # No Condition element is present, so the trust is not scoped to a
  # particular account or resource.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "sagemaker.amazonaws.com" }
      }
    ]
  })
}
# Attach AmazonSageMakerFullAccess policy (for simplicity, use a more granular policy in production)
resource "aws_iam_role_policy_attachment" "sagemaker_notebook_policy_attach" {
  # AWS-managed policy with broad SageMaker permissions. Anything executed in
  # the notebook inherits it, so replace it with a policy scoped to the
  # resources the notebook actually needs before production use.
  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
  role       = aws_iam_role.sagemaker_notebook_role.name
}
# -----------------------------------------------------------------------------
# SageMaker Model Deployment (Simple Example)
# This demonstrates deploying a pre-trained model (or a placeholder) for inference.
# -----------------------------------------------------------------------------
# S3 Bucket to store model artifacts
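resource "aws_s3_bucket" "model_artifacts_bucket" {
  # Bucket names are global, so a random suffix is appended for uniqueness.
  bucket = "my-sagemaker-model-artifacts-${lower(random_string.suffix.result)}"

  # The inline `acl` argument was dropped: it is deprecated on aws_s3_bucket in
  # current AWS provider releases, and buckets are private unless access is
  # granted explicitly. Public exposure is blocked by the resource below.

  tags = {
    Name = "SageMakerModelArtifacts"
  }
}

# Model artifacts are loaded and executed by the inference container, so the
# bucket must never become publicly readable or writable. Enforce that in
# Terraform instead of relying on account-level defaults.
resource "aws_s3_bucket_public_access_block" "model_artifacts_bucket" {
  bucket = aws_s3_bucket.model_artifacts_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}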
# Random string for unique S3 bucket name
resource "random_string" "suffix" {
  length = 8

  # Restrict the character set to lowercase letters and digits so the result
  # can be embedded in an S3 bucket name.
  numeric = true
  upper   = false
  special = false
}
# Placeholder for model artifact (you'd upload your actual model.tar.gz here)
# For a real scenario, you'd have a model.tar.gz file (e.g., from training)
# and upload it to this S3 bucket manually or via a CI/CD pipeline.
# For this example, we'll just create the bucket and use a dummy URL.
# In a real setup, `model_data_url` would point to your actual model artifact.
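resource "aws_sagemaker_model" "my_ml_model" {
  name               = "my-simple-ml-model"
  execution_role_arn = aws_iam_role.sagemaker_model_role.arn # role the inference container runs as

  primary_container {
    # Example scikit-learn inference image.
    # NOTE(review): confirm that this registry account and tag are the ones
    # published for the scikit-learn container in this region, and keep the
    # account ID in sync with the ECR statement of the model role's policy.
    image = "763104351884.dkr.ecr.us-east-1.amazonaws.com/sagemaker-scikit-learn:0.23-1-cpu-py3"

    # aws_s3_bucket exports no `url` attribute, so the previous expression
    # could not be evaluated. Build the s3:// URI from the bucket name instead.
    # model.tar.gz is a placeholder object; it is unpacked and loaded by the
    # container, so only trusted pipelines should be able to write this key.
    model_data_url = "s3://${aws_s3_bucket.model_artifacts_bucket.bucket}/model.tar.gz"
  }

  tags = {
    Name        = "Terraform-Managed-ML-Model"
    Environment = "Production"
  }
}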
# IAM Role for SageMaker Model execution (inference)
resource "aws_iam_role" "sagemaker_model_role" {
  name = "sagemaker-model-role-terraform"

  # Trust policy: the SageMaker service principal is the only entity allowed
  # to assume this role. It carries no Condition element.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "sagemaker.amazonaws.com" }
      }
    ]
  })
}
# Policy to allow SageMaker to access model artifacts in S3
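resource "aws_iam_policy" "sagemaker_model_s3_access_policy" {
  name        = "sagemaker-model-s3-access-policy-terraform"
  description = "Allows SageMaker model to read from its S3 artifact bucket"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        # Listing applies to the bucket itself.
        Effect   = "Allow",
        Action   = "s3:ListBucket",
        Resource = aws_s3_bucket.model_artifacts_bucket.arn
      },
      {
        # Read-only access to objects in the artifact bucket; no write or
        # delete permission is granted to the inference role.
        Effect   = "Allow",
        Action   = "s3:GetObject",
        Resource = "${aws_s3_bucket.model_artifacts_bucket.arn}/*"
      },
      {
        # ecr:GetAuthorizationToken cannot be scoped to a repository.
        Effect   = "Allow",
        Action   = "ecr:GetAuthorizationToken",
        Resource = "*"
      },
      {
        Effect = "Allow",
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ],
        # The model's container image is pulled from registry account
        # 763104351884, not from the caller's own account, so the repository
        # ARN must name that account. The previous ARN used the caller's
        # account ID and therefore did not cover the image in use. Keep this
        # account ID in sync with the image URI on the SageMaker model.
        Resource = "arn:aws:ecr:${data.aws_region.current.name}:763104351884:repository/sagemaker-scikit-learn"
      }
    ]
  })
}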
resource "aws_iam_role_policy_attachment" "sagemaker_model_s3_attach" {
  # Binds the customer-managed S3/ECR read policy to the model execution role.
  policy_arn = aws_iam_policy.sagemaker_model_s3_access_policy.arn
  role       = aws_iam_role.sagemaker_model_role.name
}
# SageMaker Endpoint Configuration
resource "aws_sagemaker_endpoint_configuration" "my_ml_endpoint_config" {
  name = "my-ml-endpoint-config"

  # Single variant that receives all traffic.
  production_variants {
    variant_name           = "AllTraffic"
    model_name             = aws_sagemaker_model.my_ml_model.name
    instance_type          = "ml.t2.medium" # or ml.m5.large, etc.
    initial_instance_count = 1
    initial_variant_weight = 1.0
  }

  # NOTE(review): kms_key_arn is not set, so no customer-managed key is
  # specified for the storage attached to the hosting instances. Confirm that
  # this meets the encryption requirements for a Production-tagged model.

  tags = {
    Name = "Terraform-Managed-EndpointConfig"
  }
}
# SageMaker Endpoint
resource "aws_sagemaker_endpoint" "my_ml_endpoint" {
  name = "my-ml-endpoint"

  # The endpoint serves whatever the referenced configuration describes.
  endpoint_config_name = aws_sagemaker_endpoint_configuration.my_ml_endpoint_config.name

  tags = {
    Environment = "Production"
    Name        = "Terraform-Managed-Endpoint"
  }
}
# Data sources for dynamic ARN construction
# Region the provider is configured for; interpolated into the ECR ARN of the
# model role's policy.
data "aws_region" "current" {
}

# Identity (including the account ID) of the credentials Terraform runs with.
data "aws_caller_identity" "current" {
}