Private AML: Dockerfile with Nexus config #3424
Conversation
Unit Test Results0 tests 0 ✅ 0s ⏱️ Results for commit a8dfe47. ♻️ This comment has been updated with latest results. |
|
|
||
| ARG TRE_ID | ||
| ARG TRE_LOCATION | ||
| ENV NEXUS_PROXY_URL="https://nexus-${TRE_ID}.${TRE_LOCATION}.cloudapp.azure.com" |
There was a problem hiding this comment.
is this going to need to be updated as per the Gov cloud stuff?
There was a problem hiding this comment.
yep - have updated to set the endpoint based on cloud type
| resource "azurerm_container_registry" "acr" { | ||
| name = local.acr_name | ||
| location = data.azurerm_resource_group.ws.location | ||
| resource_group_name = data.azurerm_resource_group.ws.name | ||
| sku = "Premium" | ||
| admin_enabled = false | ||
| public_network_access_enabled = false | ||
| public_network_access_enabled = var.public_access_enabled |
There was a problem hiding this comment.
as discussed, I suspect this might benefit from a comment
There was a problem hiding this comment.
agreed - have added comment to explain
|
Holding off until @tamirkamara / the crew are back from leave to review from a Gov perspective |
| @@ -55,3 +63,7 @@ output "mcr_tag" { | |||
| output "batch_tag" { | |||
| value = data.azurerm_network_service_tags.batch_tag.id | |||
| } | |||
|
|
|||
| output "azure_endpoint" { | |||
| value = var.azure_environment == "AzureGovCloud" ? "cloudapp.usgovcloudapi.net" : "cloudapp.azure.com" | |||
There was a problem hiding this comment.
- We have a similar condition somewhere else already... but at any case, the suffixes should be brought from TF configuration module we use elsewhere (we might need to add those as outputs there).
- If we need to have this condition in the definition, then I think we'd prefer to use
arm_environmentas that is native to Terraform.
|
I know a lot of time has passed, but adding some thoughts as this might come up again. Is there anything to stop us building this in an ACR "outside" the workspace via CI/CD, then pull/push to the workspace ACR from the RP? |
This is a distant memory for me, but I think that would be doable. I don't think we wanted to add anything more explicit to the general CI pipeline as we wanted it self contained in a WS service. If you were to build in a general, open ACR that would work - but you'd need connectivity from that into the WS ACR, and a way for the RP to pull/push it? |
Resolves #3295
As AML is deployed, it deploys a container registry for its own use. We need to push a customised Docker image into that registry, that contains the nexus config 'baked in', so that nexus will be used to download required packages during AML image builds during training / experimentation runs. Without the nexus config, the compute cluster can not run in network isolation.
What this PR does:
Alternatives considered and discounted: