add domino repo arn (#4)

dominodatalab · Nov 18, 2024 · 5c832a5 · 5c832a5
1 parent 689843f
commit 5c832a5
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -98,6 +98,7 @@ No modules.
 | [aws_iam_role.domino_sagemaker_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.role_permissions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.read_domino_environments](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.role_permissions_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.role_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -107,6 +108,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_bucket"></a> [bucket](#input\_bucket) | S3 bucket to use for sagemaker deployment model artifacts (in the target AWS account).  Defaults to the value specified by `resource_identifier` plus the suffix `-{aws_account_id}.` | `string` | `null` | no |
+| <a name="input_domino_environments_repository_arn"></a> [domino\_environments\_repository\_arn](#input\_domino\_environments\_repository\_arn) | ARN for the Domino environments repository.  ONLY needed if deploying in the SAME AWS account as Domino. | `string` | n/a | yes |
 | <a name="input_domino_external_deployments_role_arn"></a> [domino\_external\_deployments\_role\_arn](#input\_domino\_external\_deployments\_role\_arn) | ARN for the Domino external deployments IAM role (in the domino AWS account) | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | AWS region in which to create the sagemaker resources | `string` | n/a | yes |
 | <a name="input_repository"></a> [repository](#input\_repository) | ECR repository name to use for sagemaker deployment images (in the target AWS account).  Defaults to the value specified by `resource_identifier`. | `string` | `null` | no |

diff --git a/bin/pre-commit/check-aws-partition.sh b/bin/pre-commit/check-aws-partition.sh
@@ -5,7 +5,7 @@ exec 1>&2
 check_aws_partition() {
   declare -A failed_files
   exclude_patterns=("policy/AWSLambdaExecute")
-  exclude_files=("README.md")
+  exclude_files=("README.md" "tests/test.tftest.hcl")
 
   for file in "$@"; do
     if grep -q "arn:aws" "${file}"; then

diff --git a/role_policies.tf b/role_policies.tf
@@ -1,4 +1,22 @@
+data "aws_iam_policy_document" "read_domino_environments" {
+  count = var.domino_environments_repository_arn != null ? 1 : 0
+  statement {
+    sid    = "EcrRegistryReadDominoEnvironments"
+    effect = "Allow"
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer",
+    ]
+    resources = [
+      var.domino_environments_repository_arn,
+      "${var.domino_environments_repository_arn}*",
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "role_permissions_policy" {
+  source_policy_documents = var.domino_environments_repository_arn != null ? [data.aws_iam_policy_document.read_domino_environments[0].json] : []
   statement {
     sid     = "StsAllowSelfAssumeRole"
     effect  = "Allow"

diff --git a/tests/test.tftest.hcl b/tests/test.tftest.hcl
@@ -12,6 +12,7 @@ run "create_resources" {
   variables {
     resource_identifier                  = run.setup_tests.resource_identifier
     domino_external_deployments_role_arn = run.setup_tests.domino_external_deployments_role_arn
+    domino_environments_repository_arn   = "arn:aws:ecr:us-east-1:763104351884:repository/pytorch-inference"
     region                               = "us-east-1"
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -5,12 +5,6 @@ variable "resource_identifier" {
   default     = "domino-sagemaker"
 }
 
-variable "domino_external_deployments_role_arn" {
-  type        = string
-  description = "ARN for the Domino external deployments IAM role (in the domino AWS account)"
-  nullable    = false
-}
-
 variable "region" {
   type        = string
   description = "AWS region in which to create the sagemaker resources"
@@ -41,3 +35,15 @@ variable "role_name" {
   nullable    = true
   default     = null
 }
+
+variable "domino_external_deployments_role_arn" {
+  type        = string
+  description = "ARN for the Domino external deployments IAM role (in the domino AWS account)"
+  nullable    = false
+}
+
+variable "domino_environments_repository_arn" {
+  type        = string
+  description = "ARN for the Domino environments repository.  ONLY needed if deploying in the SAME AWS account as Domino."
+  nullable    = true
+}