Merge pull request #18 from PerfectThymeTech/marvinbuss/update_acr

Update Infrastructure Configuration
PerfectThymeTech · Jan 15, 2024 · 67af963 · 67af963
2 parents 64fda71 + 9b1e695
commit 67af963
Show file tree

Hide file tree

Showing 4 changed files with 146 additions and 12 deletions.
diff --git a/code/terraform/containerregistry.tf b/code/terraform/containerregistry.tf
@@ -9,8 +9,8 @@ resource "azurerm_container_registry" "container_registry" {
 
   admin_enabled              = true
   anonymous_pull_enabled     = false
-  data_endpoint_enabled      = false
-  export_policy_enabled      = true
+  data_endpoint_enabled      = true
+  export_policy_enabled      = false
   network_rule_bypass_option = "AzureServices"
   network_rule_set = [
     {
@@ -20,11 +20,11 @@ resource "azurerm_container_registry" "container_registry" {
     }
   ]
   public_network_access_enabled = false
-  quarantine_policy_enabled     = true
+  quarantine_policy_enabled     = false
   retention_policy = [
     {
       days    = 7
-      enabled = true
+      enabled = false
     }
   ]
   sku = "Premium"

diff --git a/code/terraform/locals.tf b/code/terraform/locals.tf
@@ -9,6 +9,31 @@ locals {
 
   default_machine_learning_workspace_image_builder_compute_name = "imagebuilder001"
   default_machine_learning_workspace_outbound_rules = {
+    # Required pypi dependencies to be able to install libraries
+    "pypi001" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "pypi.org"
+      status      = "Active"
+    },
+    "pypi002" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "pythonhosted.org"
+      status      = "Active"
+    },
+    "pypi003" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "*.pythonhosted.org"
+      status      = "Active"
+    },
+    "pypi004" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "pypi.python.org"
+      status      = "Active"
+    },
     "anaconda001" = {
       type        = "FQDN"
       category    = "UserDefined"
@@ -27,12 +52,6 @@ locals {
       destination = "*.anaconda.org"
       status      = "Active"
     },
-    "pypi001" = {
-      type        = "FQDN"
-      category    = "UserDefined"
-      destination = "pypi.org"
-      status      = "Active"
-    },
     "r001" = {
       type        = "FQDN"
       category    = "UserDefined"
@@ -57,6 +76,7 @@ locals {
       destination = "*.tensorflow.org"
       status      = "Active"
     },
+    # Required for VSCode features. Dependencies are documented here: https://code.visualstudio.com/docs/setup/network#_common-hostnames
     "vscode001" = {
       type        = "FQDN"
       category    = "UserDefined"
@@ -117,18 +137,120 @@ locals {
       destination = "default.exp-tas.com"
       status      = "Active"
     },
+    "vscode011" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "code.visualstudio.com"
+      status      = "Active"
+    },
+    "vscode012" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "*.gallery.vsassets.io"
+      status      = "Active"
+    },
+    "vscode013" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "vscode.search.windows.net"
+      status      = "Active"
+    },
+    "vscode014" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "vsmarketplacebadges.dev"
+      status      = "Active"
+    },
+    "vscode015" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "vscode.download.prss.microsoft.com"
+      status      = "Active"
+    },
+    "vscode016" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "download.visualstudio.microsoft.com"
+      status      = "Active"
+    },
+    "vscode017" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "vscode-sync.trafficmanager.net"
+      status      = "Active"
+    },
+    "vscode018" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "vscode.dev"
+      status      = "Active"
+    },
+    "vscode019" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "*.vscode-unpkg.net"
+      status      = "Active"
+    },
     "maven001" = {
       type        = "FQDN"
       category    = "UserDefined"
       destination = "*.maven.org"
       status      = "Active"
     },
+    # Required for some prompt flow features where this public storage account is being used which is owned by Azure Open AI
     "openai001" = {
       type        = "FQDN"
       category    = "UserDefined"
       destination = "openaipublic.blob.core.windows.net"
       status      = "Active"
     },
+    "docker001" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "docker.io"
+      status      = "Active"
+    },
+    "docker002" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "*.docker.io"
+      status      = "Active"
+    },
+    "docker003" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "*.docker.com"
+      status      = "Active"
+    },
+    "docker004" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "production.cloudflare.docker.com"
+      status      = "Active"
+    },
+    "docker005" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "cdn.auth0.com"
+      status      = "Active"
+    },
+    "azure001" = {
+      type     = "ServiceTag"
+      category = "UserDefined"
+      destination = {
+        "serviceTag" : "AzureOpenDatasets",
+        "protocol" : "TCP",
+        "portRanges" : "443",
+        "action" : "Allow"
+      },
+      status = "Active"
+    },
+    "huggingface001" = {
+      type        = "FQDN"
+      category    = "UserDefined"
+      destination = "cdn-lfs.huggingface.co"
+      status      = "Active"
+    },
     "${azurerm_storage_account.storage.name}-table" = {
       type     = "PrivateEndpoint"
       category = "UserDefined"

diff --git a/code/terraform/roleassignments_uai.tf b/code/terraform/roleassignments_uai.tf
@@ -10,6 +10,18 @@ resource "azurerm_role_assignment" "uai_role_assignment_container_registry_contr
   principal_id         = azurerm_user_assigned_identity.user_assigned_identity.principal_id
 }
 
+resource "azurerm_role_assignment" "uai_role_assignment_container_registry_acrpull" {
+  scope                = azurerm_container_registry.container_registry.id
+  role_definition_name = "AcrPull"
+  principal_id         = azurerm_user_assigned_identity.user_assigned_identity.principal_id
+}
+
+resource "azurerm_role_assignment" "uai_role_assignment_container_registry_acrpush" {
+  scope                = azurerm_container_registry.container_registry.id
+  role_definition_name = "AcrPush"
+  principal_id         = azurerm_user_assigned_identity.user_assigned_identity.principal_id
+}
+
 resource "azurerm_role_assignment" "uai_role_assignment_storage_contributor" {
   scope                = azurerm_storage_account.storage.id
   role_definition_name = "Contributor"

diff --git a/code/terraform/storage.tf b/code/terraform/storage.tf
@@ -25,8 +25,8 @@ resource "azurerm_storage_account" "storage" {
     }
     cors_rule { # Required for Azure ML
       allowed_headers    = ["*"]
-      allowed_methods    = ["GET", "HEAD"]
-      allowed_origins    = ["https://mlworkspace.azure.ai", "https://ml.azure.com", "https://*.ml.azure.com"]
+      allowed_methods    = ["HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "GET"]
+      allowed_origins    = ["https://mlworkspace.azure.ai", "https://ml.azure.com", "https://*.ml.azure.com", "https://ai.azure.com", "https://*.ai.azure.com"]
       exposed_headers    = ["*"]
       max_age_in_seconds = 1800
     }