azurermMachineLearningWorkspace
Manages an Azure Machine Learning Workspace.
\~> NOTE: For examples on how to set up the Azure Machine Learning workspace, together with compute and integrated services, see Terraform Quickstart
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Minimal workspace: resource group, storage account, Application Insights,
// Key Vault and a workspace with a system-assigned identity.

// Provider configuration with an empty `features` block.
new azurerm.provider.AzurermProvider(this, "azurerm", { features: [{}] });

// Resource group that every other resource in this example is placed in.
const resourceGroup = new azurerm.resourceGroup.ResourceGroup(this, "example", {
  location: "West Europe",
  name: "example-resources",
});

// Storage account attached to the workspace. The tier is "Standard"; the
// argument reference on this page states that a premium tier cannot be used.
const storage = new azurerm.storageAccount.StorageAccount(this, "example_2", {
  account_replication_type: "GRS",
  account_tier: "Standard",
  location: resourceGroup.location,
  name: "workspacestorageaccount",
  resource_group_name: resourceGroup.name,
});
// Keeps the Terraform resource name equal to the original name; the call can
// be dropped if the names do not need to match.
storage.overrideLogicalId("example");

// Client configuration data source; only its tenantId is read in this example.
const clientConfig = new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
  this,
  "current",
  {}
);

// Application Insights instance associated with the workspace.
const appInsights = new azurerm.applicationInsights.ApplicationInsights(
  this,
  "example_4",
  {
    application_type: "web",
    location: resourceGroup.location,
    name: "workspace-example-ai",
    resource_group_name: resourceGroup.name,
  }
);
// Same logical-id override as above (optional).
appInsights.overrideLogicalId("example");

// Key Vault associated with the workspace.
// NOTE(review): purge_protection_enabled is not set on this vault. The
// encryption examples on this page require purge protection, so this vault
// definition cannot be reused as-is once `encryption` is added.
const vault = new azurerm.keyVault.KeyVault(this, "example_5", {
  location: resourceGroup.location,
  name: "workspaceexamplekeyvault",
  resource_group_name: resourceGroup.name,
  sku_name: "premium",
  tenant_id: clientConfig.tenantId,
});
// Same logical-id override as above (optional).
vault.overrideLogicalId("example");

// The workspace itself. With a "SystemAssigned" identity no identity_ids are
// passed; the page requires them only for the user-assigned variants.
const workspace = new azurerm.machineLearningWorkspace.MachineLearningWorkspace(
  this,
  "example_6",
  {
    application_insights_id: appInsights.id,
    identity: [{ type: "SystemAssigned" }],
    key_vault_id: vault.id,
    location: resourceGroup.location,
    name: "example-workspace",
    resource_group_name: resourceGroup.name,
    storage_account_id: storage.id,
  }
);
// Same logical-id override as above (optional).
workspace.overrideLogicalId("example");
Example Usage with Data encryption
~> NOTE: Purge protection must be enabled on the Key Vault.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Workspace with data encryption: same supporting resources as the basic
// example, plus a Key Vault access policy and a Key Vault key that is passed
// to the workspace's `encryption` block.

// Provider configuration: purge_soft_delete_on_destroy is set to false for
// Key Vault.
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      key_vault: [{ purge_soft_delete_on_destroy: false }],
    },
  ],
});

// Resource group that every other resource in this example is placed in.
const resourceGroup = new azurerm.resourceGroup.ResourceGroup(this, "example", {
  location: "West Europe",
  name: "example-resources",
});

// Storage account attached to the workspace ("Standard" tier; the page states
// that a premium tier cannot be associated).
const storage = new azurerm.storageAccount.StorageAccount(this, "example_2", {
  account_replication_type: "GRS",
  account_tier: "Standard",
  location: resourceGroup.location,
  name: "workspacestorageaccount",
  resource_group_name: resourceGroup.name,
});
// Keeps the Terraform resource name equal to the original name; the call can
// be dropped if the names do not need to match.
storage.overrideLogicalId("example");

// Client configuration data source; supplies tenantId and objectId below.
const clientConfig = new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
  this,
  "current",
  {}
);

// Application Insights instance associated with the workspace.
const appInsights = new azurerm.applicationInsights.ApplicationInsights(
  this,
  "example_4",
  {
    application_type: "web",
    location: resourceGroup.location,
    name: "workspace-example-ai",
    resource_group_name: resourceGroup.name,
  }
);
// Same logical-id override as above (optional).
appInsights.overrideLogicalId("example");

// Key Vault holding the encryption key. purge_protection_enabled is true
// because the page requires purge protection for the encryption examples.
const vault = new azurerm.keyVault.KeyVault(this, "example_5", {
  location: resourceGroup.location,
  name: "workspaceexamplekeyvault",
  purge_protection_enabled: true,
  resource_group_name: resourceGroup.name,
  sku_name: "premium",
  tenant_id: clientConfig.tenantId,
});
// Same logical-id override as above (optional).
vault.overrideLogicalId("example");

// Access policy for the principal identified by the client config's objectId.
// The key below lists this policy in depends_on, so the policy is in place
// before the key is created.
// NOTE(review): "Delete" and "Purge" are part of this grant; confirm both are
// needed for your deployment principal before copying the list unchanged.
const deployerKeyPolicy = new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(
  this,
  "example_6",
  {
    key_permissions: ["Create", "Get", "Delete", "Purge", "GetRotationPolicy"],
    key_vault_id: vault.id,
    object_id: clientConfig.objectId,
    tenant_id: clientConfig.tenantId,
  }
);
// Same logical-id override as above (optional).
deployerKeyPolicy.overrideLogicalId("example");

// RSA key referenced by the workspace's encryption block. Creation waits for
// the vault and the access policy through depends_on.
// NOTE(review): all six key operations are enabled and the size is 2048 bits;
// check both against your key-management policy.
const encryptionKey = new azurerm.keyVaultKey.KeyVaultKey(this, "example_7", {
  depends_on: [`\${${vault.fqn}}`, `\${${deployerKeyPolicy.fqn}}`],
  key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
  key_size: 2048,
  key_type: "RSA",
  key_vault_id: vault.id,
  name: "workspaceexamplekeyvaultkey",
});
// Same logical-id override as above (optional).
encryptionKey.overrideLogicalId("example");

// The workspace, encrypted with the key above and using a system-assigned
// identity. Per the argument reference, changing `encryption` forces a new
// resource to be created.
const workspace = new azurerm.machineLearningWorkspace.MachineLearningWorkspace(
  this,
  "example_8",
  {
    application_insights_id: appInsights.id,
    encryption: [
      {
        key_id: encryptionKey.id,
        key_vault_id: vault.id,
      },
    ],
    identity: [{ type: "SystemAssigned" }],
    key_vault_id: vault.id,
    location: resourceGroup.location,
    name: "example-workspace",
    resource_group_name: resourceGroup.name,
    storage_account_id: storage.id,
  }
);
// Same logical-id override as above (optional).
workspace.overrideLogicalId("example");
Example Usage with User Assigned Identity and Data Encryption
~> NOTE: Purge protection must be enabled on the Key Vault.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as azuread from "./.gen/providers/azuread";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm, azuread.
For a more precise conversion please use the --provider flag in convert.*/
// Workspace with a user-assigned identity and data encryption. In addition to
// the supporting resources, this example creates the identity, three Key Vault
// access policies, an encryption key and four role assignments that the
// workspace depends on.

// Provider configuration: purge_soft_delete_on_destroy is set to false for
// Key Vault.
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      key_vault: [{ purge_soft_delete_on_destroy: false }],
    },
  ],
});

// Resource group that every other resource in this example is placed in.
const resourceGroup = new azurerm.resourceGroup.ResourceGroup(this, "example", {
  location: "West Europe",
  name: "example-resources",
});

// Storage account attached to the workspace ("Standard" tier; the page states
// that a premium tier cannot be associated).
const storage = new azurerm.storageAccount.StorageAccount(this, "example_2", {
  account_replication_type: "GRS",
  account_tier: "Standard",
  location: resourceGroup.location,
  name: "examplestorageaccount",
  resource_group_name: resourceGroup.name,
});
// Keeps the Terraform resource name equal to the original name; the call can
// be dropped if the names do not need to match.
storage.overrideLogicalId("example");

// User-assigned identity used as the workspace identity and for key access.
const workspaceIdentity = new azurerm.userAssignedIdentity.UserAssignedIdentity(
  this,
  "example_3",
  {
    location: resourceGroup.location,
    name: "example-identity",
    resource_group_name: resourceGroup.name,
  }
);
// Same logical-id override as above (optional).
workspaceIdentity.overrideLogicalId("example");

// Service principal looked up by display name; its objectId receives key
// access in the "example-cosmosdb" policy below.
// NOTE(review): the lookup is by display name only; confirm that the resolved
// object ID is the principal you expect before granting it key permissions.
const cosmosPrincipal =
  new azuread.dataAzureadServicePrincipal.DataAzureadServicePrincipal(
    this,
    "test",
    {
      display_name: "Azure Cosmos DB",
    }
  );

// Client configuration data source; supplies tenantId and objectId below.
const clientConfig = new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
  this,
  "current",
  {}
);

// Application Insights instance associated with the workspace.
const appInsights = new azurerm.applicationInsights.ApplicationInsights(
  this,
  "example_6",
  {
    application_type: "web",
    location: resourceGroup.location,
    name: "example-ai",
    resource_group_name: resourceGroup.name,
  }
);
// Same logical-id override as above (optional).
appInsights.overrideLogicalId("example");

// Key Vault holding the encryption key. purge_protection_enabled is true
// because the page requires purge protection for the encryption examples.
const vault = new azurerm.keyVault.KeyVault(this, "example_7", {
  location: resourceGroup.location,
  name: "example-keyvalut",
  purge_protection_enabled: true,
  resource_group_name: resourceGroup.name,
  sku_name: "premium",
  tenant_id: clientConfig.tenantId,
});
// Same logical-id override as above (optional).
vault.overrideLogicalId("example");

// Key access (Get, Recover, UnwrapKey, WrapKey) for the looked-up service
// principal. The workspace lists this policy in its depends_on.
const cosmosKeyPolicy = new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(
  this,
  "example-cosmosdb",
  {
    depends_on: [cosmosPrincipal, clientConfig],
    key_permissions: ["Get", "Recover", "UnwrapKey", "WrapKey"],
    key_vault_id: vault.id,
    object_id: cosmosPrincipal.objectId,
    tenant_id: clientConfig.tenantId,
  }
);

// Key and secret access for the user-assigned identity. The result is not kept
// in a variable and nothing else in this example refers to it.
// NOTE(review): the secret permissions include Set, Delete, Backup and
// Restore; narrow the list if the workspace identity does not need all of them.
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example-identity", {
  key_permissions: ["WrapKey", "UnwrapKey", "Get", "Recover"],
  key_vault_id: vault.id,
  object_id: workspaceIdentity.principalId,
  secret_permissions: [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ],
  tenant_id: clientConfig.tenantId,
});

// Key access for the principal identified by the client config's objectId.
// The key below lists this policy in depends_on.
// NOTE(review): "Delete" and "Purge" are part of this grant; confirm both are
// needed for your deployment principal before copying the list unchanged.
const deployerKeyPolicy = new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(
  this,
  "example-sp",
  {
    key_permissions: [
      "Get",
      "Create",
      "Recover",
      "Delete",
      "Purge",
      "GetRotationPolicy",
    ],
    key_vault_id: vault.id,
    object_id: clientConfig.objectId,
    tenant_id: clientConfig.tenantId,
  }
);

// RSA key referenced by the workspace's encryption block. Creation waits for
// the vault and the deployer's access policy through depends_on.
// NOTE(review): all six key operations are enabled and the size is 2048 bits;
// check both against your key-management policy.
const encryptionKey = new azurerm.keyVaultKey.KeyVaultKey(this, "example_11", {
  depends_on: [`\${${vault.fqn}}`, `\${${deployerKeyPolicy.fqn}}`],
  key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
  key_size: 2048,
  key_type: "RSA",
  key_vault_id: vault.id,
  name: "example-keyvaultkey",
});
// Same logical-id override as above (optional).
encryptionKey.overrideLogicalId("example");

// Role assignments for the user-assigned identity. Each one is scoped to a
// single resource ID (vault, storage account, Application Insights).
// NOTE(review): "Contributor" is assigned three times; keep the scopes at
// resource level as written here and review whether a narrower role would do.
const vaultContributor = new azurerm.roleAssignment.RoleAssignment(
  this,
  "example-role1",
  {
    principal_id: workspaceIdentity.principalId,
    role_definition_name: "Contributor",
    scope: vault.id,
  }
);
const storageBlobContributor = new azurerm.roleAssignment.RoleAssignment(
  this,
  "example-role2",
  {
    principal_id: workspaceIdentity.principalId,
    role_definition_name: "Storage Blob Data Contributor",
    scope: storage.id,
  }
);
const storageContributor = new azurerm.roleAssignment.RoleAssignment(
  this,
  "example-role3",
  {
    principal_id: workspaceIdentity.principalId,
    role_definition_name: "Contributor",
    scope: storage.id,
  }
);
const appInsightsContributor = new azurerm.roleAssignment.RoleAssignment(
  this,
  "example-role4",
  {
    principal_id: workspaceIdentity.principalId,
    role_definition_name: "Contributor",
    scope: appInsights.id,
  }
);

// The workspace. It waits for the four role assignments and the
// "example-cosmosdb" access policy, uses the user-assigned identity both as
// its identity and for the encryption key, and sets high_business_impact,
// which the argument reference describes as reducing the diagnostic data
// collected by the service.
const workspace = new azurerm.machineLearningWorkspace.MachineLearningWorkspace(
  this,
  "example_16",
  {
    application_insights_id: appInsights.id,
    depends_on: [
      `\${${vaultContributor.fqn}}`,
      `\${${storageBlobContributor.fqn}}`,
      `\${${storageContributor.fqn}}`,
      `\${${appInsightsContributor.fqn}}`,
      `\${${cosmosKeyPolicy.fqn}}`,
    ],
    encryption: [
      {
        key_id: encryptionKey.id,
        key_vault_id: vault.id,
        // The page notes this must be set when the identity type is
        // user-assigned, or the service cannot find the assigned permissions.
        user_assigned_identity_id: workspaceIdentity.id,
      },
    ],
    high_business_impact: true,
    identity: [
      {
        identity_ids: [workspaceIdentity.id],
        type: "UserAssigned",
      },
    ],
    key_vault_id: vault.id,
    location: resourceGroup.location,
    name: "example-workspace",
    primary_user_assigned_identity: workspaceIdentity.id,
    resource_group_name: resourceGroup.name,
    storage_account_id: storage.id,
  }
);
// Same logical-id override as above (optional).
workspace.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
-
name
- (Required) Specifies the name of the Machine Learning Workspace. Changing this forces a new resource to be created. -
resourceGroupName
- (Required) Specifies the name of the Resource Group in which the Machine Learning Workspace should exist. Changing this forces a new resource to be created. -
location
- (Required) Specifies the supported Azure location where the Machine Learning Workspace should exist. Changing this forces a new resource to be created. -
applicationInsightsId
- (Required) The ID of the Application Insights associated with this Machine Learning Workspace. Changing this forces a new resource to be created. -
keyVaultId
- (Required) The ID of key vault associated with this Machine Learning Workspace. Changing this forces a new resource to be created. -
storageAccountId
- (Required) The ID of the Storage Account associated with this Machine Learning Workspace. Changing this forces a new resource to be created.
-> NOTE: The accountTier
cannot be premium
in order to associate the Storage Account to this Machine Learning Workspace.
-
identity
- (Required) An identity
block as defined below. -
containerRegistryId
- (Optional) The ID of the container registry associated with this Machine Learning Workspace. Changing this forces a new resource to be created.
-> NOTE: The adminEnabled
should be true
in order to associate the Container Registry to this Machine Learning Workspace.
-
publicAccessBehindVirtualNetworkEnabled
- (Optional) Enable public access when this Machine Learning Workspace is behind a VNet. Changing this forces a new resource to be created. -
publicNetworkAccessEnabled
- (Optional) Enable public access when this Machine Learning Workspace is behind VNet.
\~> NOTE: publicAccessBehindVirtualNetworkEnabled
is deprecated and will be removed in favour of the property publicNetworkAccessEnabled
.
-
imageBuildComputeName
- (Optional) The compute name for image build of the Machine Learning Workspace. -
description
- (Optional) The description of this Machine Learning Workspace. -
encryption
- (Optional) An encryption
block as defined below. Changing this forces a new resource to be created. -
friendlyName
- (Optional) Display name for this Machine Learning Workspace. -
highBusinessImpact
- (Optional) Flag to signal High Business Impact (HBI) data in the workspace and reduce diagnostic data collected by the service -
primaryUserAssignedIdentity
- (Optional) The user assigned identity id that represents the workspace identity. -
v1LegacyModeEnabled
- (Optional) Enable V1 API features. Enabling v1LegacyMode
may prevent you from using features provided by the v2 API. Defaults to false
. -
skuName
- (Optional) SKU/edition of the Machine Learning Workspace. Possible values are basic
. Defaults to basic
. -
tags
- (Optional) A mapping of tags to assign to the resource.
An identity
block supports the following:
-
type
- (Required) Specifies the type of Managed Service Identity that should be configured on this Machine Learning Workspace. Possible values are systemAssigned
, userAssigned
, systemAssigned,UserAssigned
(to enable both). The examples on this page pass these values as "SystemAssigned" and "UserAssigned". -
identityIds
- (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Machine Learning Workspace.
\~> NOTE: This is required when type
is set to userAssigned
or systemAssigned,UserAssigned
.
An encryption
block supports the following:
-
keyVaultId
- (Required) The ID of the keyVault where the customer owned encryption key is present. -
keyId
- (Required) The Key Vault URI to access the encryption key. -
userAssignedIdentityId
- (Optional) The ID of the User Assigned Identity used to access the encryption key (the example above passes the identity's id).
~> Note: userAssignedIdentityId
must be set when identityType
is userAssigned
, or the service won't be able to find the assigned permissions.
Attributes Reference
The following attributes are exported:
-
id
- The ID of the Machine Learning Workspace. -
discoveryUrl
- The url for the discovery service to identify regional endpoints for machine learning experimentation services.
An identity
block exports the following:
-
principalId
- The Principal ID associated with this Managed Service Identity. -
tenantId
- The Tenant ID associated with this Managed Service Identity.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the Machine Learning Workspace.
update
- (Defaults to 30 minutes) Used when updating the Machine Learning Workspace.
read
- (Defaults to 5 minutes) Used when retrieving the Machine Learning Workspace.
delete
- (Defaults to 30 minutes) Used when deleting the Machine Learning Workspace.
Import
Machine Learning Workspace can be imported using the resourceId
, e.g.