ml template

brown9804 · brown9804 · commit 65030d09b886 · 2026-02-17T11:34:08.000-06:00
diff --git a/8_ai-ml/machine-learning/README.md b/8_ai-ml/machine-learning/README.md
@@ -0,0 +1,22 @@
+# Terraform Template - Azure Machine Learning Workspace
+
+Costa Rica
+
+[![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
+[brown9804](https://github.com/brown9804)
+
+Last updated: 2026-02-16
+
+------------------------------------------
+
+> This template creates an Azure Machine Learning workspace and its common dependencies (Storage Account, Key Vault, Application Insights, Container Registry).
+
+## Usage
+
+```sh
+az login
+terraform init -upgrade
+terraform validate
+terraform plan
+terraform apply -auto-approve
+```
diff --git a/8_ai-ml/machine-learning/main.tf b/8_ai-ml/machine-learning/main.tf
@@ -0,0 +1,165 @@
+data "azurerm_client_config" "current" {}
+
+resource "azapi_resource" "resource_group" {
+  type      = "Microsoft.Resources/resourceGroups@2022-09-01"
+  name      = var.resource_group_name
+  location  = var.location
+  parent_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
+
+  body = jsonencode({
+    tags = var.tags
+  })
+
+  response_export_values = [
+    "id",
+    "name"
+  ]
+}
+
+resource "random_string" "suffix" {
+  length  = var.random_suffix_length
+  upper   = false
+  special = false
+  numeric = true
+
+  keepers = {
+    resource_group_name = var.resource_group_name
+    location            = var.location
+    workspace_base      = var.workspace_name
+  }
+}
+
+locals {
+  suffix        = var.append_random_suffix ? random_string.suffix.result : ""
+  hyphen_suffix = var.append_random_suffix ? "-${local.suffix}" : ""
+
+  workspace_name = "${var.workspace_name}${local.hyphen_suffix}"
+
+  storage_account_name_raw = lower("${var.storage_account_name_prefix}${local.suffix}")
+  storage_account_name     = substr(join("", regexall("[a-z0-9]", local.storage_account_name_raw)), 0, 24)
+
+  key_vault_name_raw = lower("${var.key_vault_name_prefix}${local.suffix}")
+  key_vault_name     = substr(join("", regexall("[a-z0-9-]", local.key_vault_name_raw)), 0, 24)
+
+  container_registry_name_raw = lower("${var.container_registry_name_prefix}${local.suffix}")
+  container_registry_name     = substr(join("", regexall("[a-z0-9]", local.container_registry_name_raw)), 0, 50)
+
+  application_insights_name = "${var.application_insights_name_prefix}${local.hyphen_suffix}"
+}
+
+resource "azurerm_storage_account" "sa" {
+  name                     = local.storage_account_name
+  resource_group_name      = var.resource_group_name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  shared_access_key_enabled       = false
+  default_to_oauth_authentication = true
+
+  tags = var.tags
+
+  depends_on = [
+    azapi_resource.resource_group
+  ]
+
+  lifecycle {
+    precondition {
+      condition     = length(local.storage_account_name) >= 3
+      error_message = "Generated storage account name is too short. Adjust storage_account_name_prefix/random_suffix_length."
+    }
+  }
+}
+
+resource "azurerm_key_vault" "kv" {
+  name                = local.key_vault_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  sku_name  = "standard"
+
+  soft_delete_retention_days    = 7
+  purge_protection_enabled      = false
+  enable_rbac_authorization     = true
+  public_network_access_enabled = true
+
+  tags = var.tags
+
+  depends_on = [
+    azapi_resource.resource_group
+  ]
+
+  lifecycle {
+    precondition {
+      condition     = length(local.key_vault_name) >= 3
+      error_message = "Generated key vault name is too short. Adjust key_vault_name_prefix/random_suffix_length."
+    }
+  }
+}
+
+resource "azurerm_application_insights" "appi" {
+  name                = local.application_insights_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  application_type    = "web"
+
+  lifecycle {
+    ignore_changes = [
+      workspace_id
+    ]
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    azapi_resource.resource_group
+  ]
+}
+
+resource "azurerm_container_registry" "acr" {
+  name                = local.container_registry_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  sku                 = "Basic"
+  admin_enabled       = false
+
+  tags = var.tags
+
+  depends_on = [
+    azapi_resource.resource_group
+  ]
+
+  lifecycle {
+    precondition {
+      condition     = length(local.container_registry_name) >= 5
+      error_message = "Generated container registry name is too short. Adjust container_registry_name_prefix/random_suffix_length."
+    }
+  }
+}
+
+resource "azurerm_machine_learning_workspace" "mlw" {
+  name                = local.workspace_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  application_insights_id = azurerm_application_insights.appi.id
+  key_vault_id            = azurerm_key_vault.kv.id
+  storage_account_id      = azurerm_storage_account.sa.id
+  container_registry_id   = azurerm_container_registry.acr.id
+
+  public_network_access_enabled = var.public_network_access_enabled
+
+  dynamic "identity" {
+    for_each = var.enable_system_assigned_identity ? [1] : []
+    content {
+      type = "SystemAssigned"
+    }
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    azapi_resource.resource_group
+  ]
+}
diff --git a/8_ai-ml/machine-learning/outputs.tf b/8_ai-ml/machine-learning/outputs.tf
@@ -0,0 +1,29 @@
+output "resource_group_id" {
+  description = "The resource ID of the Resource Group."
+  value       = azapi_resource.resource_group.id
+}
+
+output "machine_learning_workspace_id" {
+  description = "The resource ID of the Azure Machine Learning workspace."
+  value       = azurerm_machine_learning_workspace.mlw.id
+}
+
+output "machine_learning_workspace_name" {
+  description = "The name of the Azure Machine Learning workspace."
+  value       = azurerm_machine_learning_workspace.mlw.name
+}
+
+output "storage_account_name" {
+  description = "The generated storage account name used by the workspace."
+  value       = azurerm_storage_account.sa.name
+}
+
+output "key_vault_name" {
+  description = "The generated key vault name used by the workspace."
+  value       = azurerm_key_vault.kv.name
+}
+
+output "container_registry_name" {
+  description = "The generated container registry name used by the workspace."
+  value       = azurerm_container_registry.acr.name
+}
diff --git a/8_ai-ml/machine-learning/provider.tf b/8_ai-ml/machine-learning/provider.tf
@@ -0,0 +1,43 @@
+terraform {
+  required_version = ">= 1.8, < 2.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.116"
+    }
+
+    azapi = {
+      source  = "Azure/azapi"
+      version = "~> 1.13"
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+    key_vault {
+      purge_soft_delete_on_destroy    = false
+      recover_soft_deleted_key_vaults = true
+    }
+  }
+
+  # Required when the environment/policies disable Storage Account shared-key auth.
+  # This makes the AzureRM provider use Azure AD for storage data-plane operations.
+  storage_use_azuread = true
+
+  # Uses the current Azure CLI context (az login + az account set)
+  skip_provider_registration = false
+}
+
+provider "azapi" {
+  # Uses the current Azure CLI context (az login + az account set)
+}
diff --git a/8_ai-ml/machine-learning/terraform.tfvars b/8_ai-ml/machine-learning/terraform.tfvars
@@ -0,0 +1,21 @@
+resource_group_name = "rg-ai-ml-dev"
+location            = "eastus"
+
+append_random_suffix = true
+random_suffix_length = 6
+
+workspace_name = "mlw-dev"
+
+storage_account_name_prefix      = "stml"
+key_vault_name_prefix            = "kvml"
+container_registry_name_prefix   = "acrml"
+application_insights_name_prefix = "appi-ml"
+
+public_network_access_enabled   = true
+enable_system_assigned_identity = true
+
+tags = {
+  env  = "dev"
+  area = "ai-ml"
+  iac  = "terraform"
+}
diff --git a/8_ai-ml/machine-learning/variables.tf b/8_ai-ml/machine-learning/variables.tf
@@ -0,0 +1,88 @@
+variable "resource_group_name" {
+  description = "The name of the Azure Resource Group to deploy into. This template will create the RG if it does not exist (idempotent ARM PUT)."
+  type        = string
+
+  validation {
+    condition     = length(trimspace(var.resource_group_name)) > 0
+    error_message = "resource_group_name must not be empty."
+  }
+}
+
+variable "location" {
+  description = "The Azure region for the deployment."
+  type        = string
+
+  validation {
+    condition     = length(trimspace(var.location)) > 0
+    error_message = "location must not be empty."
+  }
+}
+
+variable "append_random_suffix" {
+  description = "Whether to append a random suffix to names to reduce naming collisions."
+  type        = bool
+  default     = true
+}
+
+variable "random_suffix_length" {
+  description = "Length of the random suffix appended when append_random_suffix is true."
+  type        = number
+  default     = 6
+
+  validation {
+    condition     = var.random_suffix_length >= 4 && var.random_suffix_length <= 16
+    error_message = "random_suffix_length must be between 4 and 16."
+  }
+}
+
+variable "workspace_name" {
+  description = "Base name of the Azure Machine Learning workspace. If append_random_suffix is true, the final name will be '<base>-<suffix>'."
+  type        = string
+
+  validation {
+    condition     = length(trimspace(var.workspace_name)) >= 3 && length(var.workspace_name) <= 64
+    error_message = "workspace_name must be between 3 and 64 characters."
+  }
+}
+
+variable "storage_account_name_prefix" {
+  description = "Prefix used to generate the Storage Account name for the AML workspace (will be sanitized to meet naming rules)."
+  type        = string
+  default     = "stml"
+}
+
+variable "key_vault_name_prefix" {
+  description = "Prefix used to generate the Key Vault name for the AML workspace (will be sanitized to meet naming rules)."
+  type        = string
+  default     = "kvml"
+}
+
+variable "container_registry_name_prefix" {
+  description = "Prefix used to generate the Container Registry name for the AML workspace (will be sanitized to meet naming rules)."
+  type        = string
+  default     = "acrml"
+}
+
+variable "application_insights_name_prefix" {
+  description = "Prefix used to generate the Application Insights name for the AML workspace."
+  type        = string
+  default     = "appi-ml"
+}
+
+variable "public_network_access_enabled" {
+  description = "Whether public network access is enabled for the Azure Machine Learning workspace."
+  type        = bool
+  default     = true
+}
+
+variable "enable_system_assigned_identity" {
+  description = "Whether to enable a System Assigned Managed Identity on the Azure Machine Learning workspace."
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "A map of tags to assign to resources."
+  type        = map(string)
+  default     = {}
+}
