move policies

pirocheto · pirocheto · commit e9e3c1b5771d · 2025-02-10T12:06:04.000+01:00
diff --git a/terraform/modules/aws-sagemaker-serverless-hf-pytorch-inference-model-deployment/main.tf b/terraform/modules/aws-sagemaker-serverless-hf-pytorch-inference-model-deployment/main.tf
@@ -1,88 +1,10 @@
 data "aws_caller_identity" "current" {}
 
-data "aws_region" "current" {}
-
 locals {
-  account_id     = data.aws_caller_identity.current.account_id
   ecr_image_name = "763104351884.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/huggingface-pytorch-inference"
   ecr_image_tag  = "${var.pytorch_version}-transformers${var.transformers_version}-cpu-${var.python_version}-ubuntu${var.ubuntu_version}"
 }
 
-
-resource "aws_iam_role" "model_execution_role" {
-  name = "sagemaker-${var.model_name}-execution-role"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Principal = {
-          Service = "sagemaker.amazonaws.com"
-        }
-        Action = "sts:AssumeRole"
-      },
-    ]
-  })
-}
-
-resource "aws_iam_policy" "s3_policy" {
-  name = "sagemaker-${var.model_name}-s3-policy"
-
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "s3:GetObject",
-          "s3:ListBucket",
-        ],
-        "Resource" : "arn:aws:s3:::${var.model_bucket_name}/*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_policy" "ecr_policy" {
-  name = "sagemaker-${var.model_name}-ecr-policy"
-
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ecr:GetAuthorizationToken",
-          "ecr:BatchCheckLayerAvailability",
-          "ecr:GetDownloadUrlForLayer",
-          "ecr:GetRepositoryPolicy",
-          "ecr:DescribeRepositories",
-          "ecr:ListImages",
-          "ecr:DescribeImages",
-          "ecr:BatchGetImage",
-          "ecr:GetLifecyclePolicy",
-          "ecr:GetLifecyclePolicyPreview",
-          "ecr:ListTagsForResource",
-          "ecr:DescribeImageScanFindings",
-        ],
-        "Resource" : "arn:aws:ecr:${data.aws_region.current.name}:*:repository/*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
-  policy_arn = aws_iam_policy.s3_policy.arn
-  role       = aws_iam_role.model_execution_role.name
-}
-
-resource "aws_iam_role_policy_attachment" "ecr_policy_attachment" {
-  policy_arn = aws_iam_policy.ecr_policy.arn
-  role       = aws_iam_role.model_execution_role.name
-}
-
-
 resource "aws_sagemaker_model" "model" {
   name               = var.model_name
   execution_role_arn = aws_iam_role.model_execution_role.arn
diff --git a/terraform/modules/aws-sagemaker-serverless-hf-pytorch-inference-model-deployment/policies.tf b/terraform/modules/aws-sagemaker-serverless-hf-pytorch-inference-model-deployment/policies.tf
@@ -0,0 +1,74 @@
+data "aws_region" "current" {}
+
+resource "aws_iam_role" "model_execution_role" {
+  name = "sagemaker-${var.model_name}-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "sagemaker.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_policy" "s3_policy" {
+  name = "sagemaker-${var.model_name}-s3-policy"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:GetObject",
+          "s3:ListBucket",
+        ],
+        "Resource" : "arn:aws:s3:::${var.model_bucket_name}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "ecr_policy" {
+  name = "sagemaker-${var.model_name}-ecr-policy"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ecr:GetAuthorizationToken",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetRepositoryPolicy",
+          "ecr:DescribeRepositories",
+          "ecr:ListImages",
+          "ecr:DescribeImages",
+          "ecr:BatchGetImage",
+          "ecr:GetLifecyclePolicy",
+          "ecr:GetLifecyclePolicyPreview",
+          "ecr:ListTagsForResource",
+          "ecr:DescribeImageScanFindings",
+        ],
+        "Resource" : "arn:aws:ecr:${data.aws_region.current.name}:*:repository/*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "s3_policy_attachment" {
+  policy_arn = aws_iam_policy.s3_policy.arn
+  role       = aws_iam_role.model_execution_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "ecr_policy_attachment" {
+  policy_arn = aws_iam_policy.ecr_policy.arn
+  role       = aws_iam_role.model_execution_role.name
+}
