本文內容
在本文中,您將了解如何使用 Terraform 設定檔來建立和管理 Azure Machine Learning 工作區。 Terraform 的範本型設定檔讓您能夠以可重複且可預測的方式定義、建立和設定 Azure 資源。 Terraform 會追蹤資源狀態,而且可以清除和終結資源。
Terraform 設定是定義了部署所需資源的文件。 設定中也可以指定部署變數。 變數可用來在使用設定時提供輸入值。
必要條件
限制
建立新的工作區時,您可以自動建立工作區所需的服務,或使用現有的服務。 若要使用有別於工作區的不同 Azure 訂閱的現有服務 ,您必須在包含這些服務的訂閱中註冊 Azure Machine Learning 命名空間。 例如,若要在訂閱 A (使用訂閱 B 的儲存體帳戶) 中建立工作區,則必須先在訂閱 B 中註冊 Azure Machine Learning 命名空間,然後才能在工作區使用儲存體帳戶。
Azure Machine Learning 的資源提供者為 Microsoft.MachineLearningServices 。 如需如何檢查是否已註冊及如何註冊的相關資訊,請參閱《Azure 資源提供者和類型 》一文。
重要
這僅適用於建立工作區期間所提供的資源;Azure 儲存體帳戶、Azure Container Register、Azure Key Vault 和 Application Insights。
提示
當您建立工作區時,會建立 Azure Application Insights 執行個體。 建立叢集後,您可以視需要刪除 Application Insights 執行個體。 刪除叢集會限制從工作區收集的資訊,且可能會使問題的疑難排解變得較為困難。 若您刪除工作區所建立的 Application Insights 執行個體,即無法在不刪除和重新建立工作區的情況下重新建立該執行個體 。
如需關於使用 Application Insights 執行個體的詳細資訊,請參閱監視和收集 Machine Learning Web 服務端點的資料 。
宣告 Azure 提供者
建立宣告 Azure 提供者的 Terraform 設定檔:
建立名為 main.tf 的新檔案。 如果使用 Azure Cloud Shell,請使用 Bash:
code main.tf
將下列程式碼貼到編輯器中:
main.tf :
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "default" {
name = "${random_pet.prefix.id}-rg"
location = var.location
}
resource "random_pet" "prefix" {
prefix = var.prefix
length = 2
}
resource "random_integer" "suffix" {
min = 10000000
max = 99999999
}
儲存檔案 (<Ctrl>S ) 並結束編輯器 (<Ctrl>Q )。
部署工作區
您可以使用下列 Terraform 設定來建立 Azure Machine Learning 工作區。 當您建立 Azure Machine Learning 工作區時,需要不同的其他服務來作為相依性。 此範本也會將這些相關聯的資源指定給工作區 。 視您的需求而定,您可以選擇使用範本來建立具有公用或私人網路連線能力的資源。
Azure 中的某些資源需要全域唯一的名稱。 使用下列範本來部署資源之前,請先將 name 變數設定為唯一值。
variables.tf :
variable "environment" {
type = string
description = "Name of the environment"
default = "dev"
}
variable "location" {
type = string
description = "Location of the resources"
default = "eastus"
}
variable "prefix" {
type = string
description = "Prefix of the resource name"
default = "ml"
}
workspace.tf :
# Dependent resources for Azure Machine Learning
resource "azurerm_application_insights" "default" {
name = "${random_pet.prefix.id}-appi"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
application_type = "web"
}
resource "azurerm_key_vault" "default" {
name = "${var.prefix}${var.environment}${random_integer.suffix.result}kv"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
purge_protection_enabled = false
}
resource "azurerm_storage_account" "default" {
name = "${var.prefix}${var.environment}${random_integer.suffix.result}st"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
account_tier = "Standard"
account_replication_type = "GRS"
allow_nested_items_to_be_public = false
}
resource "azurerm_container_registry" "default" {
name = "${var.prefix}${var.environment}${random_integer.suffix.result}cr"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
}
# Machine Learning workspace
resource "azurerm_machine_learning_workspace" "default" {
name = "${random_pet.prefix.id}-mlw"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
application_insights_id = azurerm_application_insights.default.id
key_vault_id = azurerm_key_vault.default.id
storage_account_id = azurerm_storage_account.default.id
container_registry_id = azurerm_container_registry.default.id
public_network_access_enabled = true
identity {
type = "SystemAssigned"
}
}
下列設定會使用 Azure Private Link 端點在隔離的網路環境中建立工作區。 私人 DNS 區域 會包含進來,以便能在虛擬網路內解析網域名稱。
Azure 中的某些資源需要全域唯一的名稱。 使用下列範本來部署資源之前,請先將 resourceprefix 變數設定為唯一值。
針對 Azure Container Registry 和 Azure Machine Learning 使用私人連結端點時,不能使用 Azure Container Registry 工作來建置環境 映像。 相反地,您可以使用 Azure Machine Learning 計算叢集來建置映像。 若要設定使用的叢集名稱,請設定 image_build_compute_name 引數。 您可以進行設定,以使用 public_network_access_enabled 引數向具有私人連結端點的工作區允許公用存取權 。
variables.tf :
variable "name" {
type = string
description = "Name of the deployment"
default = "examplehost"
}
variable "environment" {
type = string
description = "Name of the environment"
default = "dev"
}
variable "location" {
type = string
description = "Location of the resources"
default = "East US"
}
variable "vnet_address_space" {
type = list(string)
description = "Address space of the virtual network"
default = ["10.0.0.0/16"]
}
variable "training_subnet_address_space" {
type = list(string)
description = "Address space of the training subnet"
default = ["10.0.1.0/24"]
}
variable "aks_subnet_address_space" {
type = list(string)
description = "Address space of the aks subnet"
default = ["10.0.2.0/23"]
}
variable "ml_subnet_address_space" {
type = list(string)
description = "Address space of the ML workspace subnet"
default = ["10.0.0.0/24"]
}
variable "dsvm_subnet_address_space" {
type = list(string)
description = "Address space of the DSVM subnet"
default = ["10.0.4.0/24"]
}
variable "bastion_subnet_address_space" {
type = list(string)
description = "Address space of the bastion subnet"
default = ["10.0.5.0/24"]
}
variable "image_build_compute_name" {
type = string
description = "Name of the compute cluster to be created and set to build docker images"
default = "image-builder"
}
# DSVM Variables
variable "dsvm_name" {
type = string
description = "Name of the Data Science VM"
default = "vmdsvm01"
}
variable "dsvm_admin_username" {
type = string
description = "Admin username of the Data Science VM"
default = "azureadmin"
}
variable "dsvm_host_password" {
type = string
description = "Password for the admin username of the Data Science VM"
default = "ChangeMe123!"
sensitive = true
}
workspace.tf :
# Dependent resources for Azure Machine Learning
resource "azurerm_application_insights" "default" {
name = "appi-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
application_type = "web"
}
resource "random_string" "kv_prefix" {
length = 4
upper = false
special = false
numeric = false
}
resource "azurerm_key_vault" "default" {
name = "kv-${random_string.kv_prefix.result}-${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
purge_protection_enabled = true
network_acls {
default_action = "Deny"
bypass = "AzureServices"
}
}
resource "random_string" "sa_prefix" {
length = 4
upper = false
special = false
numeric = false
}
resource "azurerm_storage_account" "default" {
name = "st${random_string.sa_prefix.result}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
account_tier = "Standard"
account_replication_type = "GRS"
network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
}
}
resource "azurerm_container_registry" "default" {
name = "cr${var.name}${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
sku = "Premium"
admin_enabled = true
network_rule_set {
default_action = "Deny"
}
public_network_access_enabled = false
}
# Machine Learning workspace
resource "azurerm_machine_learning_workspace" "default" {
name = "mlw-${var.name}-${var.environment}"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
application_insights_id = azurerm_application_insights.default.id
key_vault_id = azurerm_key_vault.default.id
storage_account_id = azurerm_storage_account.default.id
container_registry_id = azurerm_container_registry.default.id
identity {
type = "SystemAssigned"
}
# Args of use when using an Azure Private Link configuration
public_network_access_enabled = false
image_build_compute_name = var.image_build_compute_name
depends_on = [
azurerm_private_endpoint.kv_ple,
azurerm_private_endpoint.st_ple_blob,
azurerm_private_endpoint.storage_ple_file,
azurerm_private_endpoint.cr_ple,
azurerm_subnet.snet-training
]
}
# Private endpoints
resource "azurerm_private_endpoint" "kv_ple" {
name = "ple-${var.name}-${var.environment}-kv"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.dnsvault.id]
}
private_service_connection {
name = "psc-${var.name}-kv"
private_connection_resource_id = azurerm_key_vault.default.id
subresource_names = ["vault"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "st_ple_blob" {
name = "ple-${var.name}-${var.environment}-st-blob"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.dnsstorageblob.id]
}
private_service_connection {
name = "psc-${var.name}-st"
private_connection_resource_id = azurerm_storage_account.default.id
subresource_names = ["blob"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "storage_ple_file" {
name = "ple-${var.name}-${var.environment}-st-file"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.dnsstoragefile.id]
}
private_service_connection {
name = "psc-${var.name}-st"
private_connection_resource_id = azurerm_storage_account.default.id
subresource_names = ["file"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "cr_ple" {
name = "ple-${var.name}-${var.environment}-cr"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.dnscontainerregistry.id]
}
private_service_connection {
name = "psc-${var.name}-cr"
private_connection_resource_id = azurerm_container_registry.default.id
subresource_names = ["registry"]
is_manual_connection = false
}
}
resource "azurerm_private_endpoint" "mlw_ple" {
name = "ple-${var.name}-${var.environment}-mlw"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
subnet_id = azurerm_subnet.snet-workspace.id
private_dns_zone_group {
name = "private-dns-zone-group"
private_dns_zone_ids = [azurerm_private_dns_zone.dnsazureml.id, azurerm_private_dns_zone.dnsnotebooks.id]
}
private_service_connection {
name = "psc-${var.name}-mlw"
private_connection_resource_id = azurerm_machine_learning_workspace.default.id
subresource_names = ["amlworkspace"]
is_manual_connection = false
}
}
# Compute cluster for image building required since the workspace is behind a vnet.
# For more details, see https://docs.microsoft.com/en-us/azure/machine-learning/tutorial-create-secure-workspace#configure-image-builds.
resource "azurerm_machine_learning_compute_cluster" "image-builder" {
name = var.image_build_compute_name
location = azurerm_resource_group.default.location
vm_priority = "LowPriority"
vm_size = "Standard_DS2_v2"
machine_learning_workspace_id = azurerm_machine_learning_workspace.default.id
subnet_resource_id = azurerm_subnet.snet-training.id
scale_settings {
min_node_count = 0
max_node_count = 3
scale_down_nodes_after_idle_duration = "PT15M" # 15 minutes
}
identity {
type = "SystemAssigned"
}
}
network.tf :
# Virtual Network
resource "azurerm_virtual_network" "default" {
name = "vnet-${var.name}-${var.environment}"
address_space = var.vnet_address_space
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
}
resource "azurerm_subnet" "snet-training" {
name = "snet-training"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.training_subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
resource "azurerm_subnet" "snet-aks" {
name = "snet-aks"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.aks_subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
resource "azurerm_subnet" "snet-workspace" {
name = "snet-workspace"
resource_group_name = azurerm_resource_group.default.name
virtual_network_name = azurerm_virtual_network.default.name
address_prefixes = var.ml_subnet_address_space
enforce_private_link_endpoint_network_policies = true
}
# ...
# For full reference, see: https://github.com/Azure/terraform/blob/master/quickstart/201-machine-learning-moderately-secure/network.tf
有幾個選項可供連線到私人連結端點工作區。 若要深入了解這些選項,請參閱安全地連線到工作區 。
疑難排解
資源提供者錯誤
建立 Azure Machine Learning 工作區或工作區所使用的資源時,您可能會收到類似下列訊息的錯誤:
No registered resource provider found for location {location}The subscription is not registered to use namespace {resource-provider-namespace}
大部分資源提供者都會自動註冊,但並非全部。 如果您收到此訊息,則需要註冊先前提及的提供者。
下表包含 Azure Machine Learning 所需的資源提供者清單:
資源提供者
需要的原因
Microsoft.MachineLearningServices 建立 Azure Machine Learning 工作區。
Microsoft.Storage Azure 儲存體帳戶用來做為工作區的預設儲存體。
Microsoft.ContainerRegistry 工作區會使用 Azure Container Registry 來建置 Docker 映像。
Microsoft.KeyVault 工作區會使用 Azure Key Vault 來儲存秘密。
Microsoft.Notebooks Azure Machine Learning 計算執行個體上的整合式筆記本。
Microsoft.ContainerService 若您打算將已定型的模型部署至 Azure Kubernetes Service。
若您打算搭配 Azure Machine Learning 使用客戶自控金鑰,則必須註冊下列服務提供者:
資源提供者
需要的原因
Microsoft.DocumentDB 記錄工作區中繼資料的 Azure CosmosDB 執行個體。
Microsoft.Search Azure 搜尋可為工作區提供索引編製功能。
如果您打算搭配 Azure Machine Learning 使用受控虛擬網路,則必須註冊 Microsoft.Network 資源提供者。 建立受控虛擬網路的私人端點時,工作區會使用此資源提供者。
如需有關註冊資源提供者的詳細資訊,請參閱解決資源提供者註冊的錯誤 。
下一步