
@mazgi /terraform.tf.md Secret
Last active Mar 5, 2018

Terraform for Amazon SageMaker
# --------------------------------
# IAM Role for SageMaker

# Role that the SageMaker service assumes. Its permissions come from the
# policy attachment that references this role by name.
resource "aws_iam_role" "sagemaker-role" {
  name = "sagemaker-role"

  # Trust policy: only the sagemaker.amazonaws.com service principal may call
  # sts:AssumeRole on this role.
  # NOTE(review): the statement has no Condition block. If the role should only
  # be usable on behalf of this account's own resources, consider restricting it
  # with aws:SourceAccount / aws:SourceArn (confused-deputy protection).
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "sagemaker.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Attaches the AWS-managed AmazonSageMakerFullAccess policy to the service role.
# NOTE(review): this is a broad "full access" managed policy. Once the workload's
# buckets, repositories and endpoints are known, replace it with a
# customer-managed policy scoped to those resources (least privilege).
resource "aws_iam_role_policy_attachment" "sagemaker-role-attachment" {
  role       = "${aws_iam_role.sagemaker-role.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
}

# --------------------------------
# IAM Group for SageMaker

# Group that carries the console permissions for the human SageMaker users.
# Permissions are granted to the group, not to individual users.
resource "aws_iam_group" "sagemaker-group" {
  name = "sagemaker-group"
}

# Gives group members the AWS-managed AmazonSageMakerFullAccess policy.
# NOTE(review): the same broad policy is attached to the service role; confirm
# that human users need the full set rather than a narrower custom policy.
resource "aws_iam_group_policy_attachment" "sagemaker-group-attachment-AmazonSageMakerFullAccess" {
  group      = "${aws_iam_group.sagemaker-group.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
}

# Gives group members the AWS-managed AmazonEC2FullAccess policy.
# NOTE(review): this grants full control of EC2 in the account to every
# password-authenticated user in the group, and nothing in this file shows which
# EC2 actions are actually needed. Confirm the requirement and narrow it to
# those actions; consider requiring MFA for these users.
resource "aws_iam_group_policy_attachment" "sagemaker-group-attachment-AmazonEC2FullAccess" {
  group      = "${aws_iam_group.sagemaker-group.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}

# Gives group members the AWS-managed IAMReadOnlyAccess policy.
# NOTE(review): this lets every member read IAM data across the whole account
# (users, roles, policies). Presumably it is here so users can select the
# execution role in the console; if so, a policy limited to listing/reading the
# SageMaker role would expose less.
resource "aws_iam_group_policy_attachment" "sagemaker-group-attachment-IAMReadOnlyAccess" {
  group      = "${aws_iam_group.sagemaker-group.name}"
  policy_arn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
}

# Gives group members the AWS-managed IAMUserChangePassword policy so that each
# user can replace the initial console password generated by the login profile.
resource "aws_iam_group_policy_attachment" "sagemaker-group-attachment-IAMUserChangePassword" {
  group      = "${aws_iam_group.sagemaker-group.name}"
  policy_arn = "arn:aws:iam::aws:policy/IAMUserChangePassword"
}

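# Puts every managed SageMaker user into sagemaker-group.
#
# aws_iam_group_membership manages the group's member list exclusively: users
# added to the group outside this resource are removed on the next apply, and a
# second aws_iam_group_membership for the same group would conflict with it.
resource "aws_iam_group_membership" "sagemaker-group-membership" {
  name  = "sagemaker-group-membership"
  group = "${aws_iam_group.sagemaker-group.name}"

  # Reference the aws_iam_user resources instead of the raw variable so that
  # Terraform creates the users before it tries to add them to the group.
  users = ["${aws_iam_user.sagemaker-users.*.name}"]
}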

# --------------------------------
# IAM Users for SageMaker

# One IAM user per entry in var.sagemaker_users.
resource "aws_iam_user" "sagemaker-users" {
  name          = "${var.sagemaker_users[count.index]}"
  # force_destroy lets `terraform destroy` (or removing a name from the list)
  # delete the user even if it has access keys, a login profile or MFA devices
  # that Terraform does not manage. Review before shrinking var.sagemaker_users.
  force_destroy = true
  # NOTE(review): users are addressed by list index, so removing an entry from
  # the middle of the list shifts the later indexes and makes Terraform
  # destroy/recreate those users.
  count         = "${length(var.sagemaker_users)}"
}

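# Console login profile (generated password) for each SageMaker user.
resource "aws_iam_user_login_profile" "sagemaker-users" {
  # Take the name from the aws_iam_user resource rather than from the variable:
  # this creates the dependency that makes Terraform create the user before its
  # login profile.
  user    = "${element(aws_iam_user.sagemaker-users.*.name, count.index)}"

  # Public key used to encrypt each generated password before it is stored in
  # state and exposed through encrypted_password.
  # NOTE(review): the same key file is used for every user, so whoever holds the
  # matching private key can decrypt every user's initial password. Make sure
  # users must change the password at first sign-in, and restrict who holds
  # that private key.
  pgp_key = "${file("foo.gpg.base64")}"
  count   = "${length(var.sagemaker_users)}"
}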

# List of the encrypted_password values of all login profiles, in the same order
# as var.sagemaker_users. The values are encrypted with the login profile's
# pgp_key and must be decrypted with the matching private key.
# NOTE(review): these values are also written to the Terraform state file and to
# CLI/CI output. Keep the state backend access-controlled, and consider marking
# the output `sensitive = true` to keep it out of plan/apply logs.
output "sagemaker-user-passwords" {
  value = ["${aws_iam_user_login_profile.sagemaker-users.*.encrypted_password}"]
}