
Resource: awsSagemakerWorkforce

Provides a SageMaker Workforce resource.

Example Usage

Cognito Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";
/*Constructs need a scope, so the resources are declared inside a stack.*/
class MyStack extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    const awsCognitoUserPoolExample = new aws.cognitoUserPool.CognitoUserPool(
      this,
      "example",
      {
        name: "example",
      }
    );
    const awsCognitoUserPoolClientExample =
      new aws.cognitoUserPoolClient.CognitoUserPoolClient(this, "example_1", {
        generateSecret: true,
        name: "example",
        userPoolId: awsCognitoUserPoolExample.id,
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsCognitoUserPoolClientExample.overrideLogicalId("example");
    const awsCognitoUserPoolDomainExample =
      new aws.cognitoUserPoolDomain.CognitoUserPoolDomain(this, "example_2", {
        domain: "example",
        userPoolId: awsCognitoUserPoolExample.id,
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsCognitoUserPoolDomainExample.overrideLogicalId("example");
    const awsSagemakerWorkforceExample =
      new aws.sagemakerWorkforce.SagemakerWorkforce(this, "example_3", {
        cognitoConfig: {
          clientId: awsCognitoUserPoolClientExample.id,
          userPool: awsCognitoUserPoolDomainExample.userPoolId,
        },
        workforceName: "example",
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsSagemakerWorkforceExample.overrideLogicalId("example");
  }
}

OIDC Usage

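/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";
/*Constructs need a scope, so the resource is declared inside a stack.*/
class MyStack extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    new aws.sagemakerWorkforce.SagemakerWorkforce(this, "example", {
      oidcConfig: {
        authorizationEndpoint: "https://example.com",
        clientId: "example",
        /*Placeholder value; a literal here is also written to the synthesized configuration and the Terraform state.*/
        clientSecret: "example",
        issuer: "https://example.com",
        jwksUri: "https://example.com",
        logoutEndpoint: "https://example.com",
        tokenEndpoint: "https://example.com",
        userInfoEndpoint: "https://example.com",
      },
      workforceName: "example",
    });
  }
}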

Argument Reference

The following arguments are supported:

  • workforceName - (Required) The name of the Workforce (must be unique).
  • cognitoConfig - (Optional) Use this parameter to configure an Amazon Cognito private workforce. A single Cognito workforce is created using and corresponds to a single Amazon Cognito user pool. Conflicts with oidcConfig. See Cognito Config details below.
  • oidcConfig - (Optional) Use this parameter to configure a private workforce using your own OIDC Identity Provider. Conflicts with cognitoConfig. See OIDC Config details below.
  • sourceIpConfig - (Optional) A list of IP address ranges used to create an allow list of IP addresses for a private workforce. By default, a workforce isn't restricted to specific IP addresses. See Source IP Config details below.
  • workforceVpcConfig - (Optional) Configure a workforce using a VPC. See Workforce VPC Config details below.

Cognito Config

  • clientId - (Required) The client ID for your Amazon Cognito user pool.
  • userPool - (Required) ID for your Amazon Cognito user pool.

OIDC Config

  • authorizationEndpoint - (Required) The OIDC IdP authorization endpoint used to configure your private workforce.
  • clientId - (Required) The OIDC IdP client ID used to configure your private workforce.
  • clientSecret - (Required) The OIDC IdP client secret used to configure your private workforce.
  • issuer - (Required) The OIDC IdP issuer used to configure your private workforce.
  • jwksUri - (Required) The OIDC IdP JSON Web Key Set (JWKS) URI used to configure your private workforce.
  • logoutEndpoint - (Required) The OIDC IdP logout endpoint used to configure your private workforce.
  • tokenEndpoint - (Required) The OIDC IdP token endpoint used to configure your private workforce.
  • userInfoEndpoint - (Required) The OIDC IdP user information endpoint used to configure your private workforce.

Source IP Config

  • cidrs - (Required) A list of up to 10 CIDR values.

Workforce VPC Config

  • securityGroupIds - (Optional) The VPC security group IDs. The security groups must be for the same VPC as specified in the subnet.
  • subnets - (Optional) The IDs of the subnets in the VPC that you want to connect.
  • vpcId - (Optional) The ID of the VPC that the workforce uses for communication.
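
A pre-deployment lint for the arguments documented above, as an added example that is not part of the provider documentation: it flags cognitoConfig set together with oidcConfig, a missing or oversized sourceIpConfig.cidrs list, and OIDC endpoints that are not HTTPS. The name lintWorkforce, the /0 and HTTPS rules, and the sample values are assumptions made for illustration.

```typescript
// Added example: field names mirror the arguments documented on this page;
// lintWorkforce and its rules are illustrative, not part of the provider.
interface WorkforceArgs {
  workforceName: string;
  cognitoConfig?: { clientId: string; userPool: string };
  oidcConfig?: { [field: string]: string };
  sourceIpConfig?: { cidrs: string[] };
}

const OIDC_URL_FIELDS = ["authorizationEndpoint", "issuer", "jwksUri",
  "logoutEndpoint", "tokenEndpoint", "userInfoEndpoint"];

function lintWorkforce(args: WorkforceArgs): string[] {
  const findings: string[] = [];
  if (args.cognitoConfig && args.oidcConfig) {
    findings.push("cognitoConfig conflicts with oidcConfig");
  }
  const cidrs = args.sourceIpConfig ? args.sourceIpConfig.cidrs : undefined;
  if (!cidrs || cidrs.length === 0) {
    findings.push("no sourceIpConfig.cidrs: workforce is not IP-restricted");
  } else {
    if (cidrs.length > 10) findings.push("cidrs holds more than 10 values");
    for (const c of cidrs) {
      // Assumed house rule: a /0 prefix defeats the purpose of an allow list.
      if (/\/0$/.test(c)) findings.push("cidr " + c + " allows every address");
    }
  }
  if (args.oidcConfig) {
    for (const f of OIDC_URL_FIELDS) {
      const url = args.oidcConfig[f] || "";
      if (!/^https:\/\//.test(url)) findings.push("oidcConfig." + f + " is not an https URL");
    }
  }
  return findings;
}

// Constructed sample input (documentation address ranges and domains).
const constructedBad: WorkforceArgs = {
  workforceName: "example",
  cognitoConfig: { clientId: "constructed-client", userPool: "constructed-pool" },
  oidcConfig: {
    authorizationEndpoint: "https://idp.example.com/authorize", clientId: "example",
    clientSecret: "placeholder", issuer: "https://idp.example.com",
    jwksUri: "http://idp.example.com/jwks", logoutEndpoint: "https://idp.example.com/logout",
    tokenEndpoint: "https://idp.example.com/token", userInfoEndpoint: "https://idp.example.com/userinfo",
  },
  sourceIpConfig: { cidrs: ["0.0.0.0/0", "203.0.113.0/24"] },
};
console.log(lintWorkforce(constructedBad).join("\n"));
```

Run it over the same object you pass to SagemakerWorkforce, before synthesizing, and fail the build when the returned list is not empty.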

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The Amazon Resource Name (ARN) assigned by AWS to this Workforce.
  • id - The name of the Workforce.
  • subdomain - The subdomain for your OIDC Identity Provider.
  • workforceVpcConfig0VpcEndpointId - The IDs for the VPC service endpoints of your VPC workforce.

Import

SageMaker Workforces can be imported using the workforceName, e.g.,

$ terraform import aws_sagemaker_workforce.example example