adding ml-application examples

Author: miro-novak

README.md

@@ -42,6 +42,10 @@ Distributed training support with Jobs for machine learning for faster and more
 
 Pipelines are essential for complex machine learning and data science tasks as they streamline and automate the model building and deployment process, enabling faster and more consistent results. They could be used when there is a need to build, train, and deploy complex models with multiple components and steps, and when there is a need to automate the machine learning process to reduce manual labor and errors. The Oracle Cloud Infrastructure [Data Science Pipelines](https://docs.oracle.com/en-us/iaas/data-science/using/pipelines-about.htm) services helps automates and streamlines the process of building and deploying machine learning pipelines.
 
+### [ML Applications](ml-applications/)
+
+[ML Applications](https://docs.oracle.com/en-us/iaas/data-science/using/ml-apps-about.htm) is a self-contained representation of ML use cases in Data Science. It delivers a robust MLOps platform for AI/ML delivery. It standardizes the packaging and deployment of AI/ML functionality, enabling you to build, deploy, and operate machine learning as a service. With ML Applications, you can leverage Data Science to implement AI/ML use cases and provision them into production for your applications or customers. By shortening the development lifecycle from months to weeks, ML Applications quickens the time to market while reducing operational complexity and total cost of ownership. It provides an end-to-end platform for deploying, validating, and promoting ML solutions through every stage - from development and QA to preproduction and production.
+
 ### [Data Labeling Examples](data_labeling_examples/)
 
 The [data labeling service](https://docs.oracle.com/en-us/iaas/data-labeling/data-labeling/using/home.htm) helps identify properties (labels) of documents, text, and images (records) and annotates (labels) them with those properties. This section contains Python and Java scripts to annotate bulk numbers of records in OCI Data Labeling Service (DLS).

ml-applications/sample-project-policies/.gitignore

@@ -0,0 +1,9 @@
+.venv
+**/.venv
+.env
+**/.env
+ml-application/target/**
+.idea/**
+**/.terraform*
+**/.terraform/**
+**/terraform.tfstate.backup

ml-applications/sample-project-policies/README.md

@@ -0,0 +1,29 @@
+Environments Creation
+======================
+
+For creation/update of ML Application environment use standard Terraform commands.
+
+| WARNING: For production usage, it is highly recommended to configure remote state files                                                                       |
+|:--------------------------------------------------------------------------------|
+
+
+Go to environment specific directory (e.g. {project_root}/infrastructure/environments/dev) and use following commands:
+
+To initialize terraform (just for the first time):
+```bash
+terraform init
+```
+To create/update infrastructure:
+```bash
+terraform apply -var-file input_variables.tfvars
+```
+To remove infrastructure:
+```bash
+terraform destroy -var-file input_variables.tfvars
+```
+
+FAQ
+__________________________
+- **Can policies for ML Applications be created in non-root compartment?**
+  - No, they cannot because policies contain some statements which must be in root compartment ("Endorse" statements and statements with "in tenancy" scope). 
+  - Note: These statements could be separated into another policy which would be in root and rest of the policies could be created in non-root compartment.

ml-applications/sample-project-policies/environments/README.md

@@ -0,0 +1,18 @@
+Deployment Environments
+==========================
+Each directory represents one deployment environment. Each environment has its main.tf which reference modules based on 
+requirements for given environment and input_variables.tfvars containing parameter values.
+
+Feel free to copy/rename example environments to configure your own deployment environments.
+
+Example environments:
+- **dev** 
+  - Simple deployment environment suitable mainly for quick PoC
+  - Creates single compartment, tags for tenant isolation and necessary policies for ML App and ML App developers/operators
+- **dev-multiapp**
+  - Production ready deployment environment prepared for multiple ML Applications developed by multiple teams (having their IAM groups in same or in remote tenancy like Boat tenancy)
+  - Creates:
+    - Environment root compartment and compartment each application in it
+    - Compartment for resources shared across all applications (like Vault)
+    - Policies for ML App runtime as well as policies for each development team. Policies ensures ML App Instance (Saas tenant) isolation, application isolation and they follow least privilege principle.
+    - Tags necessary for tenant isolation and shared resources. These tags are used by policies to ensure  

ml-applications/sample-project-policies/environments/dev-multiapp/input_variables.tfvars

@@ -0,0 +1,16 @@
+# ML Application provider tenancy ID (where ML Application and underlying resources are supposed to be located)
+tenancy_id = "ocid1.tenancy.oc1..aaaaaaaafwgqzxcwlkkpl5i334qpv62s375upsw2j4ufgcizfnnhjd4l55ia"
+# OCI home region - policies can only be created in the home region
+region = "us-ashburn-1"
+# OCI Profile (defined in OCI config file)
+oci_config_profile = "DEFAULT"
+
+# Name of deployment environment for ML App
+environment_name = "dev"
+
+# Compartment ID of already existing subnet which should be reused for ML Application (leave empty string if you are going to create new subnet in application compartment later)
+external_subnet_compartment_id = ""
+
+
+
+

ml-applications/sample-project-policies/environments/dev-multiapp/main.tf

@@ -0,0 +1,26 @@
+module "app_list" {
+  source = "../../shared_modules/application_list"
+}
+
+module "multiapp-environment" {
+  source = "../../shared_modules/multip_app_environment"
+  environment_name = var.environment_name
+  environment_root_compartment_name_prefix = "ml-apps"
+  parent_compartment_id = var.tenancy_id
+  tenancy_id = var.tenancy_id
+  external_subnet_compartment_id = var.external_subnet_compartment_id
+  network_in_shared_resources = false
+  applications = module.app_list.applications
+}
+
+output "application_compartment_ids" {
+  value = module.multiapp-environment.application_compartment_ids
+}
+
+output "environment_compartment_id" {
+  value = module.multiapp-environment.environment_compartment_id
+}
+
+output "shared_compartment_id" {
+  value = module.multiapp-environment.shared_compartment_id
+}

ml-applications/sample-project-policies/environments/dev-multiapp/provider.tf

@@ -0,0 +1,4 @@
+provider "oci" {
+  region = var.region
+  config_file_profile = var.oci_config_profile
+}

ml-applications/sample-project-policies/environments/dev-multiapp/variables.tf

@@ -0,0 +1,23 @@
+variable "tenancy_id" {
+  type     = string
+  nullable = false
+}
+variable "external_subnet_compartment_id" {
+  description = "If an existing subnet should be reused for ML App, provide compartment where the subnet is located. If not provided, there is expectation that subnet for ML App will be created in compartment where ML App is located."
+  type        = string
+  default     = ""
+  nullable    = false
+}
+variable "environment_name" {
+  type     = string
+  nullable = false
+}
+variable "region" {
+  type     = string
+  nullable = false
+}
+variable "oci_config_profile" {
+  type     = string
+  default  = "DEFAULT"
+  nullable = false
+}

ml-applications/sample-project-policies/environments/dev/input_variables.tfvars

@@ -0,0 +1,22 @@
+# ML Application provider tenancy ID (where ML Application and underlying resources are supposed to be located)
+tenancy_id = "ocid1.tenancy.oc1..aaaaaaaafwgqzxcwlkkpl5i334qpv62s375upsw2j4ufgcizfnnhjd4l55ia"
+# OCI home region - policies can only be created in the home region
+region = "us-ashburn-1"
+# OCI Profile (defined in OCI config file), if not provided DEFAULT is used
+oci_config_profile = "DEFAULT"
+
+# ML Application name
+application_name = "fetalrisk"
+
+# Name of deployment environment for ML App
+environment_name = "dev"
+
+# Compartment ID of already existing subnet which should be reused for ML Application (leave empty string if you are going to create new subnet in application compartment later)
+subnet_compartment_id = ""
+
+# ID of application team members group (if empty string no policies for application team members is created)
+app_team_group_id = ""
+
+
+
+

ml-applications/sample-project-policies/environments/dev/main.tf

@@ -0,0 +1,74 @@
+module "identity_ml_app_tags" {
+  source = "../../shared_modules/identity_ml_app_tags"
+  namespace_suffix = var.application_name
+  environment_name = var.environment_name
+  compartment_id = var.tenancy_id
+}
+
+resource "oci_identity_compartment" "app" {
+  depends_on = [module.identity_ml_app_tags]
+
+  name           = "ml-app-${var.application_name}-${var.environment_name}"
+  description    = "Compartment for ML Application '${var.application_name}'"
+  compartment_id = var.tenancy_id
+
+  defined_tags = {"${module.identity_ml_app_tags.mlapp_env_namespace}.${module.identity_ml_app_tags.compartment_type_tag}" = "${module.identity_ml_app_tags.compartment_type_app}"}
+  freeform_tags = {
+    # For app deployments to be able to get environment specific tag namespace
+    "MlApplicationTagNamespaceName" = "${module.identity_ml_app_tags.mlapps_namespace}"
+  }
+}
+
+module "identity_ml_app_runtime_policies" {
+  source = "../../shared_modules/identity_ml_app_runtime"
+  depends_on = [oci_identity_compartment.app]
+
+  tenancy_id = var.tenancy_id
+  app_compartment_id = oci_identity_compartment.app.id
+  policy_name_suffix = var.application_name
+  environment_name = var.environment_name
+  external_subnet_compartment_id = var.subnet_compartment_id
+
+  mlapps_tag_namespace = module.identity_ml_app_tags.mlapps_namespace
+  mlapp_env_tag_namespace = module.identity_ml_app_tags.mlapp_env_namespace
+  mlapp_instance_id_tag = module.identity_ml_app_tags.mlapp_instance_tag
+  compartment_type_tag = module.identity_ml_app_tags.compartment_type_tag
+}
+
+module "identity_ml_app_enablement" {
+  source = "../../shared_modules/identity_ml_app_enablement"
+  depends_on = [oci_identity_compartment.app]
+
+  policy_name_suffix = var.application_name
+  environment_name = var.environment_name
+  tenancy_id = var.tenancy_id
+  mlapp_env_tag_namespace = module.identity_ml_app_tags.mlapp_env_namespace
+  compartment_type_tag = module.identity_ml_app_tags.compartment_type_tag
+}
+
+module "identity_ml_app_operators" {
+  count = var.app_team_group_id != "" ? 1 : 0 # This will be created only if dev team group ID is provided
+  source = "../../shared_modules/identity_ml_app_operators"
+  depends_on = [oci_identity_compartment.app]
+
+  tenancy_id = var.tenancy_id
+  app_compartment_id = oci_identity_compartment.app.id
+  app_team_group_id = var.app_team_group_id
+  application_name = var.application_name
+  environment_naming_suffix = var.environment_name
+  app_team_group_tenancy_id = var.app_team_group_tenancy_id
+}
+
+output "tenancy_id" {
+  value = var.tenancy_id
+}
+
+output "environment_compartment_id" {
+  value = oci_identity_compartment.app.id
+}
+
+output "mlapps_tag_namespace" {
+  value = module.identity_ml_app_tags.mlapps_namespace
+}
+
+

ml-applications/sample-project-policies/environments/dev/provider.tf

@@ -0,0 +1,4 @@
+provider "oci" {
+  region = var.region
+  config_file_profile = var.oci_config_profile
+}

ml-applications/sample-project-policies/environments/dev/variables.tf

@@ -0,0 +1,36 @@
+variable "application_name" {
+  type     = string
+  nullable = false
+}
+variable "tenancy_id" {
+  type     = string
+  nullable = false
+}
+variable "subnet_compartment_id" {
+  description = "If an existing subnet should be reused for ML App, provide compartment where the subnet is located. If not provided, there is expectation that subnet for ML App will be created in compartment where ML App is located."
+  type        = string
+  default     = ""
+  nullable    = false
+}
+variable "app_team_group_id" {
+  type     = string
+  nullable = false
+  default  = ""
+}
+variable "app_team_group_tenancy_id" {
+  type    = string
+  default = ""
+}
+variable "environment_name" {
+  type     = string
+  nullable = false
+}
+variable "region" {
+  type     = string
+  nullable = false
+}
+variable "oci_config_profile" {
+  type     = string
+  default = "DEFAULT"
+  nullable = false
+}

ml-applications/sample-project-policies/shared_modules/application_list/main.tf

@@ -0,0 +1,27 @@
+locals {
+  # List of applications with their attributes
+  applications = [
+    {
+      name = "fetal-risk",
+      # operator_boat_group_id = "xxx",
+      operator_group_id = "ocid1.group.oc1..xxx",
+      # provide only if the tenancy is different from tenancy where ML App is located. DO NOT PROVIDE tenancy of ML Application here.
+      group_tenancy_id = null,
+    },
+    {
+      name = "cardiovascular-risk",
+      operator_group_id = "ocid1.group.oc1..yyy", #"yyy",
+      # provide only if the tenancy is different from tenancy where ML App is located. DO NOT PROVIDE tenancy of ML Application here.
+      group_tenancy_id = null,
+    },
+    # other applications ....
+  ]
+}
+
+output "applications" {
+  value = local.applications
+}
+
+
+
+

ml-applications/sample-project-policies/shared_modules/identity_ml_app_enablement/README.md

@@ -0,0 +1,5 @@
+Policies for enablement ML Application in Provider's Tenancy
+=====================================================================
+
+This module contains polices for basic enablement of ML Application in given tenancy. It also contains defined tag for 
+tenant isolation.

ml-applications/sample-project-policies/shared_modules/identity_ml_app_enablement/main.tf

@@ -0,0 +1,18 @@
+locals {
+  environment_name_resolved = var.environment_name != null && var.environment_name != "" ? var.environment_name : ""
+  description_suffix = local.environment_name_resolved != "" ? "for environment '${local.environment_name_resolved}'" : "in tenancy"
+  policy_name_suffix = var.policy_name_suffix != null && var.policy_name_suffix != "" ? "${var.policy_name_suffix}_${local.environment_name_resolved}" : local.environment_name_resolved
+}
+
+resource "oci_identity_policy" "ml-application-enablement" {
+  compartment_id = var.tenancy_id
+  description    = "Endorse policies ensuring ML Application enablement '${local.description_suffix}'"
+  name           = "ml_applications_enablement_${local.policy_name_suffix}"
+  statements     = [
+    "Define tenancy DataScienceTenancy as ${local.odsc_service_tenancy_id}",
+    "Endorse any-user to manage orm-stacks in tenancy DataScienceTenancy where all { request.principal.type='datasciencemlapp${local.mlapp_type_suffix}', request.principal.compartment.tag.${var.mlapp_env_tag_namespace}.${var.compartment_type_tag} = 'app' }",
+    "Endorse any-user to manage orm-jobs in tenancy DataScienceTenancy where all { request.principal.type='datasciencemlappimpl${local.mlapp_type_suffix}', request.principal.compartment.tag.${var.mlapp_env_tag_namespace}.${var.compartment_type_tag} = 'app' }",
+    "Endorse any-user to use orm-stacks in tenancy DataScienceTenancy where all { request.principal.type='datasciencemlappimpl${local.mlapp_type_suffix}', request.principal.compartment.tag.${var.mlapp_env_tag_namespace}.${var.compartment_type_tag} = 'app' }",
+  ]
+}
+

ml-applications/sample-project-policies/shared_modules/identity_ml_app_enablement/odsc-env.tf

@@ -0,0 +1,9 @@
+module "odsc_environments" {
+    source = "../odsc_environments"
+    data_science_service_environment = var.data_science_service_environment
+}
+
+locals {
+    odsc_service_tenancy_id = module.odsc_environments.odsc_service_tenancy_id
+    mlapp_type_suffix = module.odsc_environments.mlapp_type_suffix
+}

ml-applications/sample-project-policies/shared_modules/identity_ml_app_enablement/variable.tf

@@ -0,0 +1,42 @@
+# ML Application Provider tenancy ID (tenancy where ML Application will be created)
+variable "tenancy_id" {
+  type = string
+#   nullable = false
+}
+
+variable "policy_name_suffix" {
+  description = "Resource name suffix (like policy name suffix). Environment name is appended to result name suffix: <name_base>_<name_sufix>_<environment_name>"
+  default = ""
+  type     = string
+#   nullable = false
+}
+
+variable "environment_name" {
+  type     = string
+  default = ""
+#   nullable = false
+}
+
+variable "mlapp_env_tag_namespace" {
+  type = string
+  default = "MLApplications"
+#   nullable = false
+}
+
+variable "compartment_type_tag" {
+  description = "Defined tag name used for tenant isolation (resources belonging to certain ML App Instance should be tagged this tag)."
+  type = string
+  default = "CompartmentType"
+#   nullable = false
+}
+
+variable "data_science_service_environment" {
+  description = "Use only if non-production Data Science Service environment should be used (default is production). Allowed values: int, preprod, production"
+  type    = string
+#   nullable = false
+  default = "production"
+  validation {
+    error_message = "Value can be one of: int, preprod, production."
+    condition = can(regex("^(int|preprod|production)$", var.data_science_service_environment))
+  }
+}