diff --git a/solutions/vertexai/ai-experimentation/CHANGELOG.md b/solutions/vertexai/ai-experimentation/CHANGELOG.md new file mode 100644 index 000000000..e69de29bb diff --git a/solutions/vertexai/ai-experimentation/Kptfile b/solutions/vertexai/ai-experimentation/Kptfile new file mode 100644 index 000000000..b8c3681fa --- /dev/null +++ b/solutions/vertexai/ai-experimentation/Kptfile @@ -0,0 +1,16 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: ai-sandbox-project + annotations: + config.kubernetes.io/local-config: "true" +info: + description: | + Landing zone v2 subpackage. + Depends on `experimentation/core-landing-zone`. + + Package to create an AI Sandbox project, enables AI APIs in a single project. +pipeline: + mutators: + - image: gcr.io/kpt-fn/apply-setters:v0.2 + configPath: setters.yaml diff --git a/solutions/vertexai/ai-experimentation/README.md b/solutions/vertexai/ai-experimentation/README.md new file mode 100644 index 000000000..e6b68f2a8 --- /dev/null +++ b/solutions/vertexai/ai-experimentation/README.md @@ -0,0 +1,15 @@ +# AI Sandbox + +AI Sandbox Package +Depends on package `client-landing-zone` + +This package deploys a project that is configured to run vertex AI in order to support experimentation and it's accocciated configurations. + +--- +Resources List: +- Project +- Organization Policy +- Services +- IAM Bindings + +Target Cloud [Profile](https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md): Profile 1 \ No newline at end of file diff --git a/solutions/vertexai/ai-experimentation/policies.yaml b/solutions/vertexai/ai-experimentation/policies.yaml new file mode 100644 index 000000000..6c38bd20a --- /dev/null +++ b/solutions/vertexai/ai-experimentation/policies.yaml 
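Review bot: The mutator image in the Kptfile pipeline is pinned by a floating tag, `- image: gcr.io/kpt-fn/apply-setters:v0.2`, so the function that rewrites every setter value in this package can change underneath a `kpt fn render` with no change to the repository. Pin it to a full patch tag plus digest, `- image: gcr.io/kpt-fn/apply-setters:<patch-tag>@sha256:<digest>` with the digest taken from the registry, so renders are reproducible and the function version is reviewable. The `info.description` also names the dependency `experimentation/core-landing-zone`, while README.md in the same commit says `client-landing-zone`; one of the two should be corrected so consumers fetch the right upstream package.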
@@ -0,0 +1,14 @@ +### Org Policies required for Project +apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 +kind: ResourceManagerPolicy +metadata: + name: ai-sandbox-allow-resource-locations # kpt-set: ${project-id}-allow-resource-locations + namespace: policies +spec: + constraint: "constraints/gcp.resourceLocations" + listPolicy: + allow: + all: true + projectRef: + name: project-id # kpt-set: ${project-id} + namespace: projects # kpt-set: ${namespace} diff --git a/solutions/vertexai/ai-experimentation/project-iam.yaml b/solutions/vertexai/ai-experimentation/project-iam.yaml new file mode 100644 index 000000000..2390b90f2 --- /dev/null +++ b/solutions/vertexai/ai-experimentation/project-iam.yaml 
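Review bot: The `listPolicy.allow.all: true` on `constraints/gcp.resourceLocations` in policies.yaml lifts every location restriction for the new project, and since the resource sets no `inheritFromParent` this project-level policy appears to replace rather than narrow whatever allowlist the folder or organization enforces. For a package whose README targets Cloud Guardrails Profile 1, that works against the data-location guardrail the landing zone is meant to uphold. The policy should allow an explicit value group or region list, `allow:` / `  values:` / `    - "in:<approved-location-group>"`, ideally fed by a setter so the approved locations are declared in setters.yaml next to the other project settings. If an unrestricted sandbox is genuinely intended, say so in a comment above `listPolicy` so the exemption is visible to whoever reviews the rendered package.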
@@ -0,0 +1,56 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +######### +--- +### Vertex AI Admin +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: iampolicymember-vertexai # kpt-set: vertexai-${project-id}-permissions + namespace: projects # kpt-set: ${namespace} +spec: + member: group:vertexai-admins.domain.com # kpt-set: ${user-group} + role: roles/aiplatform.admin + resourceRef: + kind: Project + namespace: projects # kpt-set: ${namespace} + name: project-id # kpt-set: ${project-id} +--- +### Document Warehouse Admin +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: iampolicymember-docwarehouse-projlevel # kpt-set: docwarehouse-${project-id}-permissions + namespace: projects # kpt-set: ${namespace} +spec: + member: group:aisandbox-admins.domain.com # kpt-set: ${user-group} + role: roles/contentwarehouse.admin + resourceRef: + kind: Project + namespace: projects # kpt-set: ${namespace} + name: project-id # kpt-set: ${project-id} +--- +## Document Warehouse Admin +apiVersion: iam.cnrm.cloud.google.com/v1beta1 +kind: IAMPolicyMember +metadata: + name: iampolicymember-docai-projlevel # kpt-set: docai-${project-id}-permissions + namespace: projects # kpt-set: ${namespace} +spec: + member: group:aisandbox-admins.domain.com # kpt-set: ${user-group} + role: roles/documentai.admin + resourceRef: + kind: Project + namespace: projects # kpt-set: ${namespace} + name: 
project-id # kpt-set: ${project-id} diff --git a/solutions/vertexai/ai-experimentation/project.yaml b/solutions/vertexai/ai-experimentation/project.yaml new file mode 100644 index 000000000..6f5674293 --- /dev/null +++ b/solutions/vertexai/ai-experimentation/project.yaml @@ -0,0 +1,29 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +######### +# Project +apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 +kind: Project +metadata: + name: project-id # kpt-set: ${project-id} + namespace: projects # kpt-set: ${namespace} + annotations: + cnrm.cloud.google.com/auto-create-network: "false" +spec: + name: project-id # kpt-set: ${project-id} + billingAccountRef: + external: "AAAAAA-BBBBBB-CCCCCC" # kpt-set: ${project-billing-id} + folderRef: + external: "0000000" # kpt-set: ${project-parent-folder} +--- diff --git a/solutions/vertexai/ai-experimentation/services.yaml b/solutions/vertexai/ai-experimentation/services.yaml new file mode 100644 index 000000000..aff0c3b22 --- /dev/null +++ b/solutions/vertexai/ai-experimentation/services.yaml 
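Review bot: All three IAMPolicyMember resources in project-iam.yaml take `member` from the same setter (`# kpt-set: ${user-group}`), so one group necessarily receives `roles/aiplatform.admin`, `roles/contentwarehouse.admin` and `roles/documentai.admin` together; there is no way to hand Document AI or Warehouse admin to a narrower group without editing the package. Consider one setter per binding (for example `${docai-admin-group}`) so least privilege can be applied through configuration. The placeholder members `group:vertexai-admins.domain.com` and `group:aisandbox-admins.domain.com` are also missing the `@` that the setter default `group:aisandbox-admins@domain.com` has, so the unrendered file is not a valid member reference. The heading above the third resource reads `## Document Warehouse Admin` but the role is `roles/documentai.admin`; it should read `### Document AI Admin`.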
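Review bot: The Project in project.yaml carries no `cnrm.cloud.google.com/deletion-policy` annotation, while every Service in services.yaml in this commit sets `cnrm.cloud.google.com/deletion-policy: "abandon"`; under Config Connector's default behaviour, dropping this manifest from the package would delete the GCP project and everything sandbox users built in it. For a sandbox that accumulates experiments, add `cnrm.cloud.google.com/deletion-policy: "abandon"` next to the `auto-create-network` annotation, or document above the annotations why project deletion on un-apply is the intended outcome. The placeholder `folderRef.external: "0000000"` (seven digits) also differs from the setter default `"00000000"` in setters.yaml; harmless once rendered, but worth aligning so the source file and the setters agree.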
@@ -0,0 +1,166 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +######### +# IAM API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-iam # kpt-set: ${project-id}-iam + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: iam.googleapis.com +--- +# Resource Manager API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-resourcemanager # kpt-set: ${project-id}-resourcemanager + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: cloudresourcemanager.googleapis.com +--- +# Billing API +apiVersion: 
serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-billing # kpt-set: ${project-id}-billing + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: cloudbilling.googleapis.com +--- +# Service Usage API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-serviceusage # kpt-set: ${project-id}-serviceusage + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: serviceusage.googleapis.com +--- +# AI Platform API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-vertexai # kpt-set: ${project-id}-vertexai + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: aiplatform.googleapis.com +--- +# Doc AI 
API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-documentai # kpt-set: ${project-id}-documentai + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: documentai.googleapis.com +--- +# Document AI Warehouse API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-contentwarehouse # kpt-set: ${project-id}-contentwarehouse + namespace: projects # kpt-set: ${namespace} + annotations: + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: contentwarehouse.googleapis.com +--- +# Discover Engine API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-discover-engine # kpt-set: ${project-id}-discover-engine + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: discoveryengine.googleapis.com +--- +# Cloud Storage API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-cloud-storage # kpt-set: 
${project-id}-cloud-storage + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: storage.googleapis.com +--- +# BigQuery API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-bigquery # kpt-set: ${project-id}-bigquery + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: bigquery.googleapis.com +--- +# Cloud Natural Language API +apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 +kind: Service +metadata: + name: project-id-nlp # kpt-set: ${project-id}-nlp + namespace: projects # kpt-set: ${namespace} + annotations: + config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id} + cnrm.cloud.google.com/deletion-policy: "abandon" + cnrm.cloud.google.com/disable-dependent-services: "false" + cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} +spec: + resourceID: language.googleapis.com 
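Review bot: The `contentwarehouse` Service in services.yaml is the only Service in the file without the `config.kubernetes.io/depends-on` annotation pointing at the Project, so nothing orders its apply after project creation and a first `kpt live apply` can try to reconcile it against a project that does not exist yet. Add the same line its siblings use under its `annotations:`, `config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${namespace}/Project/${project-id}`. The `# Discover Engine API` heading and the name `project-id-discover-engine` refer to `discoveryengine.googleapis.com`; `discovery-engine` would keep the resource name consistent with the API it enables.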
diff --git a/solutions/vertexai/ai-experimentation/setters.yaml b/solutions/vertexai/ai-experimentation/setters.yaml new file mode 100644 index 000000000..f4fab297e --- /dev/null +++ b/solutions/vertexai/ai-experimentation/setters.yaml 
@@ -0,0 +1,67 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +######### +apiVersion: v1 +kind: ConfigMap +metadata: + name: setters + annotations: + config.kubernetes.io/local-config: "true" +data: + ########################## + # Instructions + ########################## + # + # Follow instructions specific to each section. + # Project IDs must follow the rules below, additionally, + # if a gatekeeper policy is used to enforce specific naming conventions, refer to its documentation. + # - All IDs should be universally unique. + # - Must be 6 to 30 characters in length. + # - Can only contain lowercase letters, numbers, and hyphens. + # - Must start with a letter. + # - Cannot end with a hyphen. + # - Cannot be in use or previously used; this includes deleted projects. + # - Cannot contain restricted strings, such as google and ssl. 
+ # + ########################## + # General Settings Values + ########################## + # + # + # + ########################## + # Client + ########################## + # + # + # Name of the group email that will act as admin for the project + # See https://cloud.google.com/iam/docs/groups-in-cloud-console#creating for creating groups + # + user-group: group:aisandbox-admins@domain.com + ########################## + # Project + ########################## + # + # project id for the client project to be created, following rules and conventions + project-id: client-project-12345 + # Billing Account ID to be associated with this project + project-billing-id: "AAAAAA-BBBBBB-CCCCCC" + # GCP folder to use as parent to this project, use folder ID. + project-parent-folder: "00000000" + namespace: projects # change to -projects if not using an experimental landing zone + # + # + ########################## + # End of Configurations + ##########################
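Review bot: The comment on `namespace: projects` in setters.yaml, `# change to -projects if not using an experimental landing zone`, does not say what precedes the hyphen, so an operator cannot tell what value belongs here; spell out the form, e.g. `# change to <landing-zone-prefix>-projects when deploying under a non-experimental landing zone`, using whatever prefix the landing-zone package actually emits. The `user-group` comment says the group "will act as admin for the project", but the bindings in project-iam.yaml grant three service-level admin roles rather than project ownership; listing those roles in the comment tells an operator exactly what they are handing to that group. `project-id: client-project-12345` and the other defaults are live-looking values rather than obviously invalid ones, so a render without editing produces a deployable-looking package for a project named `client-project-12345`; a `# MUST CHANGE` marker on each, or a placeholder that fails the ID rules listed above it, would make an unedited render harder to miss.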