Private AML: Dockerfile with Nexus config #3424
Unit Test Results: 0 tests, 0 ✅, 0s ⏱️. Results for commit a8dfe47. ♻️ This comment has been updated with latest results.
Looks good and makes sense - shame this workaround is needed but seems you've considered every possible alternative!
|
||
ARG TRE_ID | ||
ARG TRE_LOCATION | ||
ENV NEXUS_PROXY_URL="https://nexus-${TRE_ID}.${TRE_LOCATION}.cloudapp.azure.com" |
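Review bot: ARG TRE_ID and ARG TRE_LOCATION carry no default and nothing validates them before the ENV line, so a build that omits either --build-arg still succeeds and bakes a malformed NEXUS_PROXY_URL (for example https://nexus-..cloudapp.azure.com) into the image rather than failing at build time. Consider a step that aborts the build when either value is empty. The cloudapp.azure.com suffix on the same line is also a literal; passing it in as a further ARG would keep the image correct outside the public cloud.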
is this going to need to be updated as per the Gov cloud stuff?
yep - have updated to set the endpoint based on cloud type
resource "azurerm_container_registry" "acr" { | ||
name = local.acr_name | ||
location = data.azurerm_resource_group.ws.location | ||
resource_group_name = data.azurerm_resource_group.ws.name | ||
sku = "Premium" | ||
admin_enabled = false | ||
public_network_access_enabled = false | ||
public_network_access_enabled = var.public_access_enabled |
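Review bot: On the public_network_access_enabled line, the registry's exposure now hinges on var.public_access_enabled, and neither the variable's declaration nor the reason for ever setting it to true is visible in this hunk. Declare it as a bool with default = false and a description, and add a comment on this line saying when public access is expected and whether it is meant to be switched off again afterwards. It is also worth documenting which controls gate pushes and pulls while the public endpoint is open, given that admin_enabled = false is the only other access setting shown here.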
as discussed, I suspect this might benefit from a comment
agreed - have added comment to explain
Holding off until @tamirkamara / the crew are back from leave to review from a Gov perspective
Tagging @LizaShak for a review as well.
@@ -55,3 +63,7 @@ output "mcr_tag" { | |||
output "batch_tag" { | |||
value = data.azurerm_network_service_tags.batch_tag.id | |||
} | |||
|
|||
output "azure_endpoint" { | |||
value = var.azure_environment == "AzureGovCloud" ? "cloudapp.usgovcloudapi.net" : "cloudapp.azure.com" |
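Review bot: The conditional in output "azure_endpoint" matches only the exact string "AzureGovCloud"; every other value of var.azure_environment, including a typo or another sovereign cloud, silently falls through to cloudapp.azure.com. A lookup map keyed by environment name, which errors on an unknown key, would fail at plan time instead. The output name is also broader than its value, which is a cloudapp DNS suffix, so a more specific name (cloudapp_dns_suffix, as a suggestion) would be clearer to consumers.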
- We have a similar condition somewhere else already... but in any case, the suffixes should be brought from the TF configuration module we use elsewhere (we might need to add those as outputs there).
- If we need to have this condition in the definition, then I think we'd prefer to use `arm_environment` as that is native to Terraform.
I know a lot of time has passed, but adding some thoughts as this might come up again. Is there anything to stop us building this in an ACR "outside" the workspace via CI/CD, then pull/push to the workspace ACR from the RP?
This is a distant memory for me, but I think that would be doable. I don't think we wanted to add anything more explicit to the general CI pipeline as we wanted it self-contained in a WS service. If you were to build in a general, open ACR that would work - but you'd need connectivity from that into the WS ACR, and a way for the RP to pull/push it?
Resolves #3295
As AML is deployed, it deploys a container registry for its own use. We need to push a customised Docker image into that registry, one that contains the Nexus config 'baked in', so that Nexus will be used to download required packages during AML image builds during training / experimentation runs. Without the Nexus config, the compute cluster cannot run in network isolation.
What this PR does:
Alternatives considered and discounted: