Close Menu

    Deploy Amazon SageMaker Projects with Terraform Cloud

    Amazon SageMaker Projects empower data scientists to self-serve Amazon Web Services (AWS) tooling and infrastructure to organize all entities of the machine learning (ML) lifecycle, and further enable organizations to standardize and constrain the resources available to their data science teams in pre-packaged templates.

    For AWS customers using Terraform to define and manage their infrastructure-as-code (IaC), the current best practice for enabling Amazon SageMaker Projects carries a dependency on AWS CloudFormation to facilitate integration between AWS Service Catalog and Terraform. This blocks enterprise customers whose IT governance prohibit use of vendor-specific IaC such as CloudFormation from using Terraform Cloud.

    This post outlines how you can enable SageMaker Projects with Terraform Cloud, removing the CloudFormation dependency.

    AWS Service Catalog engine for Terraform Cloud

    SageMaker Projects are directly mapped to AWS Service Catalog products. To obviate the use of CloudFormation, these products must be designated as Terraform products that use the AWS Service Catalog Engine (SCE) for Terraform Cloud. This module, actively maintained by Hashicorp, contains AWS-native infrastructure for integrating Service Catalog with Terraform Cloud so that your Service Catalog products are deployed using the Terraform Cloud platform.

    By following the steps in this post, you can use the Service Catalog engine to deploy SageMaker Projects directly from Terraform Cloud.

    Prerequisites

    To successfully deploy the example, you must have the following:

    1. An AWS account with the necessary permissions to create and manage SageMaker Projects and Service Catalog products. See the Service Catalog documentation for more information on Service Catalog permissions.
    2. An existing Amazon SageMaker Studio domain with an associated Amazon SageMaker user profile. The SageMaker Studio domain must have SageMaker Projects enabled. See Use quick setup for Amazon SageMaker AI.
    3. A Unix terminal with the AWS Command Line Interface (AWS CLI) and Terraform installed. See the Installing or updating to the latest version of the AWS CLIand the Install Terraform for more information about installation.
    4. An existing Terraform Cloud account with the necessary permissions to create and manage workspaces. See the following tutorials to quickly create your own account:
      1. HCP Terraform – intro and sign Up
      2. Log In to HCP Terraform from the CLI

    See Terraform teams and organizations documentation for more information about Terraform Cloud permissions.

    Deployment steps

    1. Clone the sagemaker-custom-project-templates repository from the AWS Samples GitHub to your local machine, update the submodules, and navigate to the mlops-terraform-cloud directory. 
      $ git clone https://github.com/aws-samples/sagemaker-custom-project-templates.git
$ cd sagemaker-custom-project_templates
$ git submodule update --init --recursive
$ cd mlops-terraform-cloud

    The preceding code base above creates a Service Catalog portfolio, adds the SageMaker Project template as a Service Catalog product to the portfolio, allows the SageMaker Studio role to access the Service Catalog product, and adds the necessary tags to make the product visible in SageMaker Studio. See Create Custom Project Templates in the SageMaker Projects Documentation for more information about this process.

    1. Login to your Terraform Cloud account 
      $ terraform login

    This prompts your browser to sign into your HCP account and generates a security token. Copy this security token and paste it back into your terminal.

    1. Navigate to your AWS account and retrieve the SageMaker user role Amazon Resource Name (ARN) for the SageMaker user profile associated with your SageMaker Studio domain. This role is used to grant SageMaker Studio users permissions to create and manage SageMaker Projects.
      • In the AWS Management Console for Amazon SageMaker, choose Domains from the navigation pane
        Amazon SageMaker home screen highlighting machine learning workflow options and quick-start configurations for users and organizations
      • Select your studio domain
        Amazon SageMaker Domains management screen with one InService domain, emphasizing shared environment for team collaboration
      • Under User Profiles, select your user profile
        Amazon SageMaker Domain management interface showing user profiles tab with configuration options and launch controls
      • In the User Details, copy the ARN
        SageMaker lead-data-scientist profile configuration with IAM role and creation details
    2. Create a tfvars file with the necessary variables for the Terraform Cloud workspace 
      $ cp terraform.tfvars.example terraform.tfvars
    3. Set the appropriate values in the newly created tfvars file. The following variables are required: 
      tfc_organization = "my-tfc-organization"
tfc_team = "aws-service-catalog"
token_rotation_interval_in_days = 30
sagemaker_user_role_arns = ["arn:aws:iam::XXXXXXXXXXX:role/service-role/AmazonSageMaker-ExecutionRole"]

    Make sure that your desired Terraform Cloud (TFC) organization has the proper entitlements and that your tfc_team is unique for this deployment. See the Terraform Organizations Overview for more information on creating organizations.

    1. Initialize the Terraform Cloud workspace 
      $ terraform init
    2. Apply the Terraform Cloud workspace 
      $ terraform apply
    3. Go back to the SageMaker console using the user profile associated with the SageMaker user role ARN that you copied previously and choose Open Studio application
      SageMaker Studio welcome screen highlighting integrated ML development environment with login options
    4. In the navigation pane, choose Deployments and then choose Projects
      SageMaker Studio home interface highlighting ML workflow options, including JupyterLab and Code Editor, with Projects section emphasized for model deployment
    5. Choose Create project, select the mlops-tf-cloud-example product and then choose Next
      SageMaker Studio project creation workflow showing template selection step with Organization templates tab and MLOps workflow automation option
    6. In Project details, enter a unique name for the template and (option) enter a project description. Choose Create
      SageMaker project setup interface on Project details step, showcasing naming conventions, description field, and tagging options for MLOps workflow
    7. In a separate tab or window, go back to your Terraform Cloud account’s Workspaces and you’ll see a workspace being provisioned directly from your SageMaker Project deployment. The naming convention of the Workspace will be <ACCOUNT_ID>-<SAGEMAKER_PROJECT_ID>
      Terraform workspaces dashboard showing status counts and one workspace with Applied status

    Further customization

    This example can be modified to include custom Terraform in your SageMaker Project template. To do so, define your Terraform in the mlops-product/product directory. When ready to deploy, be sure to archive and compress this Terraform using the following command:

    $ cd mlops-product
$ tar -czf product.tar.gz product

    Cleanup

    To remove the resources deployed by this example, run the following from the project directory:

    $ terraform destroy

    Conclusion

    In this post you defined, deployed, and provisioned a SageMaker Project custom template purely in Terraform. With no dependencies on other IaC tools, you can now enable SageMaker Projects strictly within your Terraform Enterprise infrastructure.

    About the author

    Max Copeland is a Machine Learning Engineer for AWS, leading customer engagements spanning ML-Ops, data science, data engineering, and generative AI.

    Source: Read More 

    Related Posts

    Leave A Reply