Forem: Suhas Mallesh The latest articles on Forem by Suhas Mallesh (@suhas_mallesh). https://forem.com/suhas_mallesh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1474157%2F5e769652-5647-4b11-8f73-4ee069123fc2.jpeg Forem: Suhas Mallesh https://forem.com/suhas_mallesh en Azure ML Pipelines + Azure DevOps: CI/CD for ML with Terraform ๐Ÿ” Suhas Mallesh Sat, 25 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/azure-ml-pipelines-azure-devops-cicd-for-ml-with-terraform-16oo https://forem.com/suhas_mallesh/azure-ml-pipelines-azure-devops-cicd-for-ml-with-terraform-16oo <p>Manual ML retraining is a reliability risk. Azure ML Pipelines orchestrates the ML workflow while Azure DevOps automates testing, validation, and deployment on every code push. Here's how to build the full CI/CD stack with Terraform.</p> <p>Through Series 5, we've built the workspace, deployed endpoints, and set up the feature store. The final piece is automation. Right now, retraining means a data scientist manually submits a job, checks the accuracy, and updates the endpoint. That's a bottleneck.</p> <p>Azure ML Pipelines (SDK v2) orchestrates the ML workflow as reusable components connected into a DAG - preprocessing, training, evaluation, conditional registration. Azure DevOps provides the CI/CD layer: unit tests, pipeline submission, and gated deployment on every code merge. Terraform provisions everything. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ The CI/CD Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Code push to Azure Repos / GitHub โ†“ Azure DevOps Pipeline trigger fires โ†“ Stage 1 (CI): lint โ†’ unit tests โ†’ validate components โ†“ Stage 2 (CD): submit Azure ML Pipeline job โ†“ Azure ML Pipeline: preprocess โ†’ train โ†’ evaluate โ†’ condition โ†“ Pass: register model โ†’ manual approval gate โ†’ deploy endpoint Fail: pipeline exits with error notification </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>Azure ML Pipeline</strong></td> <td>Reusable component DAG (the ML workflow)</td> </tr> <tr> <td><strong>Azure DevOps</strong></td> <td>CI/CD: test, validate, submit pipeline on code push</td> </tr> <tr> <td><strong>Schedule (SDK v2)</strong></td> <td>Recurring pipeline runs for continuous retraining</td> </tr> <tr> <td><strong>Model Registry</strong></td> <td>Version and approve trained models</td> </tr> <tr> <td><strong>Approval Gate</strong></td> <td>Human review before production deployment</td> </tr> </tbody> </table></div> <h2> ๐Ÿ”ง Terraform: CI/CD Infrastructure </h2> <h3> Service Principal for DevOps </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># devops/service_principal.tf</span> <span class="nx">data</span> <span class="s2">"azuread_client_config"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">resource</span> <span class="s2">"azuread_application"</span> <span class="s2">"devops"</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-devops-sp"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azuread_service_principal"</span> <span class="s2">"devops"</span> <span class="p">{</span> <span class="nx">client_id</span> <span class="p">=</span> <span class="nx">azuread_application</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">client_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azuread_service_principal_password"</span> <span class="s2">"devops"</span> <span class="p">{</span> <span class="nx">service_principal_id</span> <span class="p">=</span> <span class="nx">azuread_service_principal</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># DevOps SP needs Contributor on the ML workspace</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"devops_ml"</span> <span class="p">{</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Contributor"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">azuread_service_principal</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">object_id</span> <span class="p">}</span> </code></pre> </div> <h3> Storage for Pipeline Artifacts </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># devops/pipeline_storage.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_container"</span> <span class="s2">"pipeline_artifacts"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"pipeline-artifacts"</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">container_access_type</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="p">}</span> </code></pre> </div> <h3> Azure DevOps Project and Service Connection (via azuredevops provider) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># devops/azuredevops.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">azuredevops</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"microsoft/azuredevops"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 1.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azuredevops_project"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-platform"</span> <span class="nx">visibility</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">version_control</span> <span class="p">=</span> <span class="s2">"Git"</span> <span class="nx">work_item_template</span> <span class="p">=</span> <span class="s2">"Agile"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azuredevops_serviceendpoint_azurerm"</span> <span class="s2">"ml_workspace"</span> <span class="p">{</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">azuredevops_project</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_endpoint_name</span> <span class="p">=</span> <span class="s2">"azure-ml-connection"</span> <span class="nx">credentials</span> <span class="p">{</span> <span class="nx">serviceprincipalid</span> <span class="p">=</span> <span class="nx">azuread_application</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">client_id</span> <span class="nx">serviceprincipalkey</span> <span class="p">=</span> <span class="nx">azuread_service_principal_password</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"AzureCloud"</span> <span class="nx">resource_group</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subscription_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_client_config</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">subscription_id</span> <span class="nx">subscription_name</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_subscription</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">display_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azuredevops_build_definition"</span> <span class="s2">"ml_pipeline"</span> <span class="p">{</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">azuredevops_project</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-pipeline"</span> <span class="nx">ci_trigger</span> <span class="p">{</span> <span class="nx">use_yaml</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">repository</span> <span class="p">{</span> <span class="nx">repo_type</span> <span class="p">=</span> <span class="s2">"GitHub"</span> <span class="nx">repo_id</span> <span class="p">=</span> <span class="s2">"${var.github_owner}/${var.github_repo}"</span> <span class="nx">branch_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">deploy_branch</span> <span class="nx">yml_path</span> <span class="p">=</span> <span class="s2">"azure-devops/ml-pipeline.yml"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ENVIRONMENT"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="nx">variable</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"WORKSPACE_NAME"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">is_secret</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> ๐Ÿ”ง Azure DevOps Pipeline YAML </h2> <p>This file lives in your repo and runs on every push to the deploy branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># azure-devops/ml-pipeline.yml</span> <span class="na">trigger</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">SUBSCRIPTION_ID</span><span class="pi">:</span> <span class="s">$(subscriptionId)</span> <span class="na">RESOURCE_GROUP</span><span class="pi">:</span> <span class="s">$(resourceGroup)</span> <span class="na">WORKSPACE_NAME</span><span class="pi">:</span> <span class="s">$(workspaceName)</span> <span class="na">ENVIRONMENT</span><span class="pi">:</span> <span class="s">$(environment)</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Test</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">Validate"</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job</span><span class="pi">:</span> <span class="s">Test</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">vmImage</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ubuntu-latest"</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">UsePythonVersion@0</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">versionSpec</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.11"</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="s">pip install -r requirements.txt</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Install</span><span class="nv"> </span><span class="s">dependencies"</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="s">python -m pytest pipelines/tests/ -v</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Run</span><span class="nv"> </span><span class="s">unit</span><span class="nv"> </span><span class="s">tests"</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="s">python pipelines/validate_components.py</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Validate</span><span class="nv"> </span><span class="s">component</span><span class="nv"> </span><span class="s">definitions"</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">CD</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Submit</span><span class="nv"> </span><span class="s">ML</span><span class="nv"> </span><span class="s">Pipeline"</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">succeeded()</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job</span><span class="pi">:</span> <span class="s">SubmitPipeline</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">vmImage</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ubuntu-latest"</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">AzureCLI@2</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Submit</span><span class="nv"> </span><span class="s">Azure</span><span class="nv"> </span><span class="s">ML</span><span class="nv"> </span><span class="s">Pipeline"</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">azureSubscription</span><span class="pi">:</span> <span class="s2">"</span><span class="s">azure-ml-connection"</span> <span class="na">scriptType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bash"</span> <span class="na">scriptLocation</span><span class="pi">:</span> <span class="s2">"</span><span class="s">inlineScript"</span> <span class="na">inlineScript</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">az ml job create \</span> <span class="s">--file pipelines/training-pipeline.yml \</span> <span class="s">--workspace-name $(WORKSPACE_NAME) \</span> <span class="s">--resource-group $(RESOURCE_GROUP) \</span> <span class="s">--subscription $(SUBSCRIPTION_ID) \</span> <span class="s">--stream</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">Approval</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Manual</span><span class="nv"> </span><span class="s">Approval</span><span class="nv"> </span><span class="s">Gate"</span> <span class="na">dependsOn</span><span class="pi">:</span> <span class="s">CD</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">succeeded()</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deployment</span><span class="pi">:</span> <span class="s">ApproveDeployment</span> <span class="na">environment</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$(ENVIRONMENT)-ml-approval"</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">runOnce</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">AzureCLI@2</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Deploy</span><span class="nv"> </span><span class="s">approved</span><span class="nv"> </span><span class="s">model</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">endpoint"</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">azureSubscription</span><span class="pi">:</span> <span class="s2">"</span><span class="s">azure-ml-connection"</span> <span class="na">scriptType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">bash"</span> <span class="na">scriptLocation</span><span class="pi">:</span> <span class="s2">"</span><span class="s">inlineScript"</span> <span class="na">inlineScript</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">python scripts/deploy_approved_model.py \</span> <span class="s">--workspace $(WORKSPACE_NAME) \</span> <span class="s">--resource-group $(RESOURCE_GROUP) \</span> <span class="s">--endpoint-name $(ENVIRONMENT)-my-endpoint</span> </code></pre> </div> <h2> ๐Ÿ Azure ML Pipeline Definition (SDK v2) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># pipelines/training_pipeline.py </span> <span class="kn">from</span> <span class="n">azure.ai.ml</span> <span class="kn">import</span> <span class="n">MLClient</span><span class="p">,</span> <span class="n">Input</span><span class="p">,</span> <span class="n">Output</span> <span class="kn">from</span> <span class="n">azure.ai.ml.dsl</span> <span class="kn">import</span> <span class="n">pipeline</span> <span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">CommandComponent</span><span class="p">,</span> <span class="n">RecurrenceTrigger</span><span class="p">,</span> <span class="n">JobSchedule</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="n">ml_client</span> <span class="o">=</span> <span class="nc">MLClient</span><span class="p">(</span> <span class="nc">DefaultAzureCredential</span><span class="p">(),</span> <span class="n">subscription_id</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">workspace_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Define components </span><span class="n">preprocess</span> <span class="o">=</span> <span class="nc">CommandComponent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">preprocess</span><span class="sh">"</span><span class="p">,</span> <span class="n">command</span><span class="o">=</span><span class="sh">"</span><span class="s">python preprocess.py --input ${{inputs.raw_data}} --output ${{outputs.processed_data}}</span><span class="sh">"</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="sh">"</span><span class="s">azureml:sklearn-env:1</span><span class="sh">"</span><span class="p">,</span> <span class="n">inputs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">raw_data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">uri_folder</span><span class="sh">"</span><span class="p">}},</span> <span class="n">outputs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">processed_data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">uri_folder</span><span class="sh">"</span><span class="p">}},</span> <span class="p">)</span> <span class="n">train</span> <span class="o">=</span> <span class="nc">CommandComponent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">train</span><span class="sh">"</span><span class="p">,</span> <span class="n">command</span><span class="o">=</span><span class="sh">"</span><span class="s">python train.py --data ${{inputs.data}} --model-output ${{outputs.model}} --accuracy-output ${{outputs.accuracy}}</span><span class="sh">"</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="sh">"</span><span class="s">azureml:sklearn-env:1</span><span class="sh">"</span><span class="p">,</span> <span class="n">inputs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">uri_folder</span><span class="sh">"</span><span class="p">}},</span> <span class="n">outputs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">model</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">uri_folder</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">accuracy</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">uri_file</span><span class="sh">"</span><span class="p">}},</span> <span class="p">)</span> <span class="nd">@pipeline</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">training-pipeline</span><span class="sh">"</span><span class="p">,</span> <span class="n">compute</span><span class="o">=</span><span class="sh">"</span><span class="s">cpu-cluster</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">training_pipeline</span><span class="p">(</span><span class="n">raw_data</span><span class="p">:</span> <span class="nc">Input</span><span class="p">(</span><span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">uri_folder</span><span class="sh">"</span><span class="p">)):</span> <span class="n">preprocess_step</span> <span class="o">=</span> <span class="nf">preprocess</span><span class="p">(</span><span class="n">raw_data</span><span class="o">=</span><span class="n">raw_data</span><span class="p">)</span> <span class="n">train_step</span> <span class="o">=</span> <span class="nf">train</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="n">preprocess_step</span><span class="p">.</span><span class="n">outputs</span><span class="p">.</span><span class="n">processed_data</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">model</span><span class="sh">"</span><span class="p">:</span> <span class="n">train_step</span><span class="p">.</span><span class="n">outputs</span><span class="p">.</span><span class="n">model</span><span class="p">}</span> <span class="c1"># Submit pipeline </span><span class="n">pipeline_job</span> <span class="o">=</span> <span class="nf">training_pipeline</span><span class="p">(</span> <span class="n">raw_data</span><span class="o">=</span><span class="nc">Input</span><span class="p">(</span><span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">azureml://datastores/workspaceblobstore/paths/data/</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="n">ml_client</span><span class="p">.</span><span class="n">jobs</span><span class="p">.</span><span class="nf">create_or_update</span><span class="p">(</span><span class="n">pipeline_job</span><span class="p">,</span> <span class="n">experiment_name</span><span class="o">=</span><span class="sh">"</span><span class="s">training-runs</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Scheduled Recurring Training (SDK v2) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="n">RecurrenceTrigger</span><span class="p">,</span> <span class="n">JobSchedule</span> <span class="n">schedule</span> <span class="o">=</span> <span class="nc">JobSchedule</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="s">-daily-training</span><span class="sh">"</span><span class="p">,</span> <span class="n">trigger</span><span class="o">=</span><span class="nc">RecurrenceTrigger</span><span class="p">(</span><span class="n">frequency</span><span class="o">=</span><span class="sh">"</span><span class="s">day</span><span class="sh">"</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">start_time</span><span class="o">=</span><span class="sh">"</span><span class="s">2026-01-01T02:00:00</span><span class="sh">"</span><span class="p">),</span> <span class="n">create_job</span><span class="o">=</span><span class="n">pipeline_job</span><span class="p">,</span> <span class="p">)</span> <span class="n">ml_client</span><span class="p">.</span><span class="n">schedules</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">schedule</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">deploy_branch</span> <span class="err">=</span> <span class="s2">"develop"</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">deploy_branch</span> <span class="err">=</span> <span class="s2">"main"</span> </code></pre> </div> <p>Approval gates in Azure DevOps are configured per environment in the UI: <strong>Pipelines โ†’ Environments โ†’ prod-ml-approval โ†’ Approvals and checks</strong>. Add team members as required approvers before any production deployment proceeds.</p> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Use SDK v2 only.</strong> SDK v1 reached end-of-support in March 2025 and will fully stop working in June 2026. All pipelines should use <code>azure-ai-ml</code> (SDK v2) and CLI v2.</p> <p><strong>Service principal secrets need rotation.</strong> The <code>azuread_service_principal_password</code> expires. Use federated identity (OIDC) in Azure DevOps for a secretless authentication alternative that doesn't require rotation.</p> <p><strong>AzureML Job Wait task for long-running jobs.</strong> Training jobs can take hours. Use the <code>AzureML Job Wait</code> task in Azure DevOps to hold the pipeline until the ML job completes before proceeding to the approval stage.</p> <p><strong>Component versioning.</strong> Register components in the Azure ML registry with versions. This ensures pipeline runs are reproducible - you know exactly which version of each component ran for any historical job.</p> <p><strong>Schedules live in the workspace, not Terraform.</strong> Azure ML job schedules are created via SDK v2 or CLI v2 and live in the workspace. They're not managed by Terraform directly. Include schedule creation in your DevOps pipeline's deploy stage.</p> <h2> โญ๏ธ Series 5 Complete! </h2> <p>This is <strong>Post 4</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series, and the <strong>final post of Series 5</strong>.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">Azure ML Workspace</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730">Azure ML Online Endpoints</a> ๐Ÿš€</li> <li> <strong>Post 3:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-feature-store-with-terraform-managed-feature-materialization-for-training-and-inference-o38">Azure ML Feature Store</a> ๐Ÿ—ƒ๏ธ</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps (you are here) ๐Ÿ”</li> </ul> <p><em>Your ML workflow is automated. Azure DevOps tests and validates on every push. Azure ML Pipelines runs the DAG. Models that pass evaluation register automatically. Manual approval gates protect production. All provisioned with Terraform.</em> ๐Ÿ”</p> <p><em>Thanks for following the full Series 5! Series 6 coming soon.</em> ๐Ÿ’ฌ</p> azure ai devops machinelearning Vertex AI Pipelines + Cloud Build: CI/CD for ML on GCP with Terraform ๐Ÿ” Suhas Mallesh Fri, 24 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/vertex-ai-pipelines-cloud-build-cicd-for-ml-on-gcp-with-terraform-57j8 https://forem.com/suhas_mallesh/vertex-ai-pipelines-cloud-build-cicd-for-ml-on-gcp-with-terraform-57j8 <p>Manual ML retraining doesn't scale. Vertex AI Pipelines orchestrates your ML DAG while Cloud Build automates testing, compiling, and deploying updated pipelines on every code push. Here's how to wire it all together with Terraform.</p> <p>Through Series 5, we've built the Workbench, deployed endpoints, and set up the Feature Store. The final piece is automation. Right now, retraining means a data scientist manually runs a notebook, checks metrics, and updates the endpoint. That's a bottleneck and a reliability risk.</p> <p>GCP's ML CI/CD stack uses two services together: <strong>Vertex AI Pipelines</strong> orchestrates the ML workflow (preprocessing, training, evaluation, registration) as a managed DAG. <strong>Cloud Build</strong> provides the CI/CD layer that tests your pipeline code, compiles it, uploads it to GCS, and runs it on a schedule or trigger. Terraform provisions the infrastructure for both. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ The CI/CD Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Code push to GitHub/Cloud Source Repos โ†“ Cloud Build trigger fires โ†“ Cloud Build: run tests โ†’ compile KFP pipeline โ†’ upload to GCS โ†“ Cloud Scheduler: daily trigger โ†’ run Vertex AI Pipeline โ†“ Pipeline DAG: preprocess โ†’ train โ†’ evaluate โ†’ condition โ†“ Pass: register model โ†’ approve โ†’ deploy to endpoint Fail: pipeline exits with error </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>Vertex AI Pipelines</strong></td> <td>Managed KFP pipeline execution (the ML DAG)</td> </tr> <tr> <td><strong>Cloud Build</strong></td> <td>CI/CD: test, compile, upload pipeline on code push</td> </tr> <tr> <td><strong>Cloud Scheduler</strong></td> <td>Trigger pipeline on a cron schedule</td> </tr> <tr> <td><strong>GCS</strong></td> <td>Store compiled pipeline specs (<code>.json</code>)</td> </tr> <tr> <td><strong>Vertex AI Model Registry</strong></td> <td>Version and approve trained models</td> </tr> </tbody> </table></div> <h2> ๐Ÿ”ง Terraform: CI/CD Infrastructure </h2> <h3> APIs and Service Account </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipelines/apis.tf</span> <span class="nx">resource</span> <span class="s2">"google_project_service"</span> <span class="s2">"required"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span> <span class="s2">"aiplatform.googleapis.com"</span><span class="p">,</span> <span class="s2">"cloudbuild.googleapis.com"</span><span class="p">,</span> <span class="s2">"cloudscheduler.googleapis.com"</span><span class="p">,</span> <span class="s2">"storage.googleapis.com"</span><span class="p">,</span> <span class="s2">"artifactregistry.googleapis.com"</span><span class="p">,</span> <span class="p">])</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"pipeline_runner"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-pipeline-runner"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Vertex AI Pipeline Runner"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"pipeline_roles"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span> <span class="s2">"roles/aiplatform.user"</span><span class="p">,</span> <span class="s2">"roles/storage.objectAdmin"</span><span class="p">,</span> <span class="s2">"roles/bigquery.dataEditor"</span><span class="p">,</span> <span class="s2">"roles/bigquery.jobUser"</span><span class="p">,</span> <span class="p">])</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.pipeline_runner.email}"</span> <span class="p">}</span> </code></pre> </div> <h3> GCS Bucket for Pipeline Artifacts </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipelines/storage.tf</span> <span class="nx">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"pipeline_root"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_id}-${var.environment}-pipeline-root"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="err">!</span><span class="p">=</span> <span class="s2">"prod"</span> <span class="nx">versioning</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"pipeline_specs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_id}-${var.environment}-pipeline-specs"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="err">!</span><span class="p">=</span> <span class="s2">"prod"</span> <span class="p">}</span> </code></pre> </div> <h3> Cloud Build Trigger </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipelines/cloudbuild.tf</span> <span class="nx">resource</span> <span class="s2">"google_cloudbuild_trigger"</span> <span class="s2">"pipeline_deploy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-pipeline-deploy"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">github</span> <span class="p">{</span> <span class="nx">owner</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">github_owner</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">github_repo</span> <span class="nx">push</span> <span class="p">{</span> <span class="nx">branch</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">deploy_branch</span> <span class="c1"># e.g. "main" for prod, "develop" for dev</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"cloudbuild/pipeline-deploy.yaml"</span> <span class="nx">substitutions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">_ENVIRONMENT</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">_PIPELINE_ROOT</span> <span class="p">=</span> <span class="s2">"gs://${google_storage_bucket.pipeline_root.name}"</span> <span class="nx">_PIPELINE_SPECS_GCS</span> <span class="p">=</span> <span class="s2">"gs://${google_storage_bucket.pipeline_specs.name}/specs/"</span> <span class="nx">_REGION</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">_PROJECT_ID</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">_SA_EMAIL</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">pipeline_runner</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">cloudbuild_sa</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> Cloud Scheduler: Run on Schedule </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipelines/scheduler.tf</span> <span class="nx">resource</span> <span class="s2">"google_cloud_scheduler_job"</span> <span class="s2">"pipeline_schedule"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-training-pipeline"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">schedule</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pipeline_schedule</span> <span class="c1"># e.g. "0 2 * * *"</span> <span class="nx">time_zone</span> <span class="p">=</span> <span class="s2">"UTC"</span> <span class="nx">http_target</span> <span class="p">{</span> <span class="nx">uri</span> <span class="p">=</span> <span class="s2">"https://${var.region}-aiplatform.googleapis.com/v1/projects/${var.project_id}/locations/${var.region}/pipelineJobs"</span> <span class="nx">http_method</span> <span class="p">=</span> <span class="s2">"POST"</span> <span class="nx">body</span> <span class="p">=</span> <span class="nx">base64encode</span><span class="p">(</span><span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">displayName</span> <span class="p">=</span> <span class="s2">"${var.environment}-training-run"</span> <span class="nx">pipelineSpec</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">templateUri</span> <span class="p">=</span> <span class="s2">"gs://${google_storage_bucket.pipeline_specs.name}/specs/training-pipeline.json"</span> <span class="nx">runtimeConfig</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">gcsOutputDirectory</span> <span class="p">=</span> <span class="s2">"gs://${google_storage_bucket.pipeline_root.name}/runs/"</span> <span class="nx">parameterValues</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">data_gcs_uri</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_data_uri</span> <span class="nx">model_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">serviceAccount</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">pipeline_runner</span><span class="p">.</span><span class="nx">email</span> <span class="p">}))</span> <span class="nx">oauth_token</span> <span class="p">{</span> <span class="nx">service_account_email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">pipeline_runner</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> ๐Ÿ”ง Cloud Build Config (cloudbuild/pipeline-deploy.yaml) </h2> <p>This file lives in your repo and runs on every push to the deploy branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># cloudbuild/pipeline-deploy.yaml</span> <span class="na">steps</span><span class="pi">:</span> <span class="c1"># Step 1: Install dependencies</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">python:3.11"</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="s">pip</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">install"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-r"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">requirements.txt"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--user"</span><span class="pi">]</span> <span class="c1"># Step 2: Run unit tests on pipeline components</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">python:3.11"</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="s">python</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-m"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pytest"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pipelines/tests/"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-v"</span><span class="pi">]</span> <span class="c1"># Step 3: Compile the Vertex AI Pipeline</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">python:3.11"</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="s">python</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pipelines/compile.py"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--output"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/workspace/training-pipeline.json"</span><span class="pi">]</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">PROJECT_ID=$PROJECT_ID"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">REGION=$_REGION"</span> <span class="c1"># Step 4: Upload compiled pipeline spec to GCS</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gcr.io/cloud-builders/gsutil"</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">cp"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/workspace/training-pipeline.json"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">${_PIPELINE_SPECS_GCS}training-pipeline.json"</span><span class="pi">]</span> <span class="c1"># Step 5: (Optional) Run a quick end-to-end test on dev</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">python:3.11"</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="s">python</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pipelines/run.py"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--pipeline-spec"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">${_PIPELINE_SPECS_GCS}training-pipeline.json"</span><span class="pi">]</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ENVIRONMENT=$_ENVIRONMENT"</span> <span class="na">id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">e2e-test"</span> <span class="na">substitutions</span><span class="pi">:</span> <span class="na">_ENVIRONMENT</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">_PIPELINE_SPECS_GCS</span><span class="pi">:</span> <span class="s">gs://my-bucket/specs/</span> <span class="na">_REGION</span><span class="pi">:</span> <span class="s">us-central1</span> </code></pre> </div> <h2> ๐Ÿ KFP Pipeline Definition </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># pipelines/compile.py </span> <span class="kn">from</span> <span class="n">kfp</span> <span class="kn">import</span> <span class="n">dsl</span><span class="p">,</span> <span class="n">compiler</span> <span class="kn">from</span> <span class="n">kfp.dsl</span> <span class="kn">import</span> <span class="n">component</span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="nd">@component</span><span class="p">(</span><span class="n">base_image</span><span class="o">=</span><span class="sh">"</span><span class="s">python:3.11</span><span class="sh">"</span><span class="p">,</span> <span class="n">packages_to_install</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">scikit-learn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pandas</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">preprocess</span><span class="p">(</span><span class="n">data_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">output_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="kn">import</span> <span class="n">pandas</span> <span class="k">as</span> <span class="n">pd</span> <span class="n">df</span> <span class="o">=</span> <span class="n">pd</span><span class="p">.</span><span class="nf">read_parquet</span><span class="p">(</span><span class="n">data_uri</span><span class="p">)</span> <span class="c1"># ... preprocessing logic ... </span> <span class="n">df</span><span class="p">.</span><span class="nf">to_parquet</span><span class="p">(</span><span class="n">output_uri</span><span class="p">)</span> <span class="nd">@component</span><span class="p">(</span><span class="n">base_image</span><span class="o">=</span><span class="sh">"</span><span class="s">python:3.11</span><span class="sh">"</span><span class="p">,</span> <span class="n">packages_to_install</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">scikit-learn</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">train</span><span class="p">(</span><span class="n">data_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">model_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="c1"># ... training logic ... </span> <span class="c1"># Returns accuracy </span> <span class="k">return</span> <span class="n">accuracy</span> <span class="nd">@component</span><span class="p">(</span><span class="n">base_image</span><span class="o">=</span><span class="sh">"</span><span class="s">python:3.11</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">register_model</span><span class="p">(</span><span class="n">model_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">accuracy</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">project</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">region</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">model_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="n">project</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="n">region</span><span class="p">)</span> <span class="n">model</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="n">Model</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span> <span class="n">display_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">,</span> <span class="n">artifact_uri</span><span class="o">=</span><span class="n">model_uri</span><span class="p">,</span> <span class="n">serving_container_image_uri</span><span class="o">=</span><span class="sh">"</span><span class="s">us-docker.pkg.dev/vertex-ai/prediction/sklearn-cpu.1-3:latest</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="nd">@dsl.pipeline</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">training-pipeline</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">training_pipeline</span><span class="p">(</span> <span class="n">project_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">region</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">data_gcs_uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">model_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">accuracy_threshold</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="mf">0.85</span><span class="p">,</span> <span class="p">):</span> <span class="n">preprocess_task</span> <span class="o">=</span> <span class="nf">preprocess</span><span class="p">(</span><span class="n">data_uri</span><span class="o">=</span><span class="n">data_gcs_uri</span><span class="p">,</span> <span class="n">output_uri</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">gs://pipeline-root/processed/</span><span class="sh">"</span><span class="p">)</span> <span class="n">train_task</span> <span class="o">=</span> <span class="nf">train</span><span class="p">(</span><span class="n">data_uri</span><span class="o">=</span><span class="n">preprocess_task</span><span class="p">.</span><span class="n">output</span><span class="p">,</span> <span class="n">model_uri</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">gs://pipeline-root/model/</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">dsl</span><span class="p">.</span><span class="nc">If</span><span class="p">(</span><span class="n">train_task</span><span class="p">.</span><span class="n">output</span> <span class="o">&gt;=</span> <span class="n">accuracy_threshold</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AccuracyGate</span><span class="sh">"</span><span class="p">):</span> <span class="nf">register_model</span><span class="p">(</span> <span class="n">model_uri</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">gs://pipeline-root/model/</span><span class="sh">"</span><span class="p">,</span> <span class="n">accuracy</span><span class="o">=</span><span class="n">train_task</span><span class="p">.</span><span class="n">output</span><span class="p">,</span> <span class="n">project</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="n">region</span><span class="p">,</span> <span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">compiler</span><span class="p">.</span><span class="nc">Compiler</span><span class="p">().</span><span class="nf">compile</span><span class="p">(</span><span class="n">training_pipeline</span><span class="p">,</span> <span class="sh">"</span><span class="s">training-pipeline.json</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">deploy_branch</span> <span class="err">=</span> <span class="s2">"develop"</span> <span class="nx">pipeline_schedule</span> <span class="err">=</span> <span class="s2">"0 6 * * *"</span> <span class="c1"># Daily at 6am UTC</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"my-model-dev"</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">deploy_branch</span> <span class="err">=</span> <span class="s2">"main"</span> <span class="nx">pipeline_schedule</span> <span class="err">=</span> <span class="s2">"0 2 * * *"</span> <span class="c1"># Daily at 2am UTC</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"my-model"</span> </code></pre> </div> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Two separate pipelines.</strong> Cloud Build is the CI/CD pipeline for your code. Vertex AI Pipelines is the ML orchestration DAG. They serve different purposes and run independently.</p> <p><strong>Compile on every push.</strong> The Cloud Build step compiles the KFP pipeline from Python code to JSON on every merge. This catches pipeline definition errors early and ensures GCS always has the latest spec.</p> <p><strong>Pipeline spec versioning.</strong> Upload compiled specs with a version suffix (commit hash or timestamp) alongside <code>latest</code>. This enables rollback to any previous pipeline version: <code>training-pipeline-abc123.json</code>.</p> <p><strong>Cloud Scheduler vs Eventarc.</strong> Cloud Scheduler runs pipelines on a fixed cron. For event-driven triggers (new data in GCS), use Eventarc to trigger a Cloud Function that submits the pipeline job.</p> <p><strong>Service account for Cloud Build.</strong> Give the Cloud Build trigger a dedicated service account with <code>roles/aiplatform.user</code> and <code>roles/storage.objectAdmin</code>. Avoid using the default Cloud Build SA which has overly broad permissions.</p> <h2> โญ๏ธ Series 5 Complete! </h2> <p>This is <strong>Post 4</strong> of the <strong>GCP ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">Vertex AI Workbench</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f">Vertex AI Endpoints</a> ๐Ÿš€</li> <li> <strong>Post 3:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-feature-store-with-terraform-bigquery-offline-bigtable-online-serving-4n7g">Vertex AI Feature Store</a> ๐Ÿ—ƒ๏ธ</li> <li> <strong>Post 4:</strong> Vertex AI Pipelines + Cloud Build (you are here) ๐Ÿ”</li> </ul> <p><em>Your ML workflow is automated. Cloud Build tests and compiles your pipeline on every code push. Cloud Scheduler runs it on a cron. Vertex AI Pipelines executes the DAG. Models that pass evaluation register automatically. All provisioned with Terraform.</em> ๐Ÿ”</p> <p><em>Found this helpful? Follow for the next series!</em> ๐Ÿ’ฌ</p> googlecloud ai devops machinelearning Agentic AWS - Day 2: Amazon Bedrock AgentCore Runtime Suhas Mallesh Fri, 24 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/agentic-aws-day-2-amazon-bedrock-agentcore-runtime-5489 https://forem.com/suhas_mallesh/agentic-aws-day-2-amazon-bedrock-agentcore-runtime-5489 <p><strong>Series:</strong> Agentic AWS | <strong>Post:</strong> 2 of 6 | <strong>Cloud:</strong> AWS</p> <h2> Why Agents Need Their Own Runtime </h2> <p>A Lambda function times out in 15 minutes. An EC2 instance charges you whether the agent is thinking or idle. An ECS task requires container orchestration expertise before you write a single line of agent logic.</p> <p>AI agents have fundamentally different runtime requirements - they run for minutes to hours, maintain session context across tool calls, need isolated execution per user, and must scale from zero to many concurrent sessions without pre-provisioning.</p> <p>AgentCore Runtime is a serverless execution environment purpose-built for exactly this workload. It hosts your agent code in ARM64 containers with up to 8-hour execution windows, full session isolation, built-in observability, and native support for both HTTP and the A2A (Agent-to-Agent) protocol. You bring the agent logic; Runtime handles everything else.</p> <p>In Post 1 we built an AgentCore Gateway that exposes an order-status Lambda as an MCP tool. This post deploys the agent itself - the process that calls that gateway, reasons with Claude, and serves user requests - onto AgentCore Runtime via Terraform and container deployment.</p> <h2> Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client (curl / SDK) | | HTTPS + JWT auth v AgentCore Runtime endpoint | (session-isolated container per user) v Agent container (Python + Strands SDK) | | MCP streamable HTTP + SigV4 v AgentCore Gateway (from Post 1) | v Lambda: order-status-tool </code></pre> </div> <p>Each user session gets its own isolated container instance. Session state - conversation history, in-flight tool calls - lives in that container for the duration of the session. When the session idles past the timeout, the container is reaped and you stop paying.</p> <h2> Agent Code </h2> <p>The agent runs as a long-lived HTTP server inside the container. AgentCore Runtime routes requests to it via the <code>/invocations</code> endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># agent/main.py </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">from</span> <span class="n">http.server</span> <span class="kn">import</span> <span class="n">HTTPServer</span><span class="p">,</span> <span class="n">BaseHTTPRequestHandler</span> <span class="kn">from</span> <span class="n">strands</span> <span class="kn">import</span> <span class="n">Agent</span> <span class="kn">from</span> <span class="n">strands.tools.mcp</span> <span class="kn">import</span> <span class="n">MCPClient</span> <span class="kn">from</span> <span class="n">mcp.client.streamable_http</span> <span class="kn">import</span> <span class="n">streamablehttp_client</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.auth</span> <span class="kn">import</span> <span class="n">SigV4Auth</span> <span class="kn">from</span> <span class="n">botocore.awsrequest</span> <span class="kn">import</span> <span class="n">AWSRequest</span> <span class="n">GATEWAY_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">GATEWAY_ENDPOINT</span><span class="sh">"</span><span class="p">]</span> <span class="n">AWS_REGION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">AWS_REGION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="n">MODEL_ID</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">MODEL_ID</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">anthropic.claude-3-5-sonnet-20241022-v2:0</span><span class="sh">"</span><span class="p">)</span> <span class="n">session_creds</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nc">Session</span><span class="p">().</span><span class="nf">get_credentials</span><span class="p">().</span><span class="nf">resolve</span><span class="p">()</span> <span class="k">def</span> <span class="nf">signed_headers</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">SigV4 signed headers for AgentCore Gateway inbound IAM auth.</span><span class="sh">"""</span> <span class="n">request</span> <span class="o">=</span> <span class="nc">AWSRequest</span><span class="p">(</span><span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="n">url</span><span class="o">=</span><span class="n">url</span><span class="p">)</span> <span class="nc">SigV4Auth</span><span class="p">(</span><span class="n">session_creds</span><span class="p">,</span> <span class="sh">"</span><span class="s">bedrock</span><span class="sh">"</span><span class="p">,</span> <span class="n">AWS_REGION</span><span class="p">).</span><span class="nf">add_auth</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="nf">dict</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">build_agent</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">Agent</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Connect to AgentCore Gateway, load available tools, and return a Strands Agent ready to handle requests. </span><span class="sh">"""</span> <span class="n">headers</span> <span class="o">=</span> <span class="nf">signed_headers</span><span class="p">(</span><span class="n">GATEWAY_ENDPOINT</span><span class="p">)</span> <span class="n">mcp_client</span> <span class="o">=</span> <span class="nc">MCPClient</span><span class="p">(</span> <span class="k">lambda</span><span class="p">:</span> <span class="nf">streamablehttp_client</span><span class="p">(</span><span class="n">GATEWAY_ENDPOINT</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="p">)</span> <span class="n">tools</span> <span class="o">=</span> <span class="k">await</span> <span class="n">mcp_client</span><span class="p">.</span><span class="nf">get_tools</span><span class="p">()</span> <span class="k">return</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="n">MODEL_ID</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="n">tools</span><span class="p">,</span> <span class="n">system_prompt</span><span class="o">=</span><span class="p">(</span> <span class="sh">"</span><span class="s">You are a helpful order support agent. </span><span class="sh">"</span> <span class="sh">"</span><span class="s">Use your tools to look up order status and shipping details. </span><span class="sh">"</span> <span class="sh">"</span><span class="s">Always confirm the order ID before making tool calls.</span><span class="sh">"</span> <span class="p">),</span> <span class="p">)</span> <span class="c1"># Build agent once at container startup - reused across requests in the session </span><span class="n">agent</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">build_agent</span><span class="p">())</span> <span class="k">class</span> <span class="nc">AgentHandler</span><span class="p">(</span><span class="n">BaseHTTPRequestHandler</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> AgentCore Runtime expects a POST /invocations endpoint. Request body: {</span><span class="sh">"</span><span class="s">prompt</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">user message</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">session_id</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="s">} Response body: {</span><span class="sh">"</span><span class="s">response</span><span class="sh">"</span><span class="s">: </span><span class="sh">"</span><span class="s">agent reply</span><span class="sh">"</span><span class="s">} </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">do_POST</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">path</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">/invocations</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="mi">404</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="k">return</span> <span class="n">length</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">rfile</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">prompt</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">prompt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">agent</span><span class="p">.</span><span class="nf">invoke_async</span><span class="p">(</span><span class="n">prompt</span><span class="p">))</span> <span class="n">response_body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">response</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="n">message</span><span class="p">})</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">wfile</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">response_body</span><span class="p">.</span><span class="nf">encode</span><span class="p">())</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">error_body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)})</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="mi">500</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">wfile</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">error_body</span><span class="p">.</span><span class="nf">encode</span><span class="p">())</span> <span class="k">def</span> <span class="nf">log_message</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="nb">format</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">):</span> <span class="c1"># AgentCore Runtime captures stdout/stderr to CloudWatch </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="nf">address_string</span><span class="p">()</span><span class="si">}</span><span class="s">] </span><span class="si">{</span><span class="nb">format</span> <span class="o">%</span> <span class="n">args</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">port</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">PORT</span><span class="sh">"</span><span class="p">,</span> <span class="mi">8080</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">AgentCore Runtime agent listening on port </span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">server</span> <span class="o">=</span> <span class="nc">HTTPServer</span><span class="p">((</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="p">),</span> <span class="n">AgentHandler</span><span class="p">)</span> <span class="n">server</span><span class="p">.</span><span class="nf">serve_forever</span><span class="p">()</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># agent/Dockerfile</span> <span class="k">FROM</span><span class="s"> public.ecr.aws/amazonlinux/amazonlinux:2023-minimal</span> <span class="k">RUN </span>dnf <span class="nb">install</span> <span class="nt">-y</span> python3.12 python3.12-pip <span class="o">&amp;&amp;</span> dnf clean all <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip3.12 <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="k">COPY</span><span class="s"> main.py .</span> <span class="c"># AgentCore Runtime routes traffic to port 8080 by default</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["python3.12", "main.py"]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># agent/requirements.txt strands-agents&gt;=0.1.0 mcp&gt;=1.0.0 boto3&gt;=1.35.0 </code></pre> </div> <h2> Terraform Infrastructure </h2> <h3> Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"project_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"agentic-aws"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"gateway_endpoint"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AgentCore Gateway MCP endpoint URL (output from Post 1 stack)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"gateway_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AgentCore Gateway ARN for IAM policy (output from Post 1 stack)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"idle_session_timeout_seconds"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Seconds before an idle session container is reaped"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1800</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"max_session_lifetime_seconds"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Hard ceiling on session duration (max 28800 = 8 hours)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">7200</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"container_cpu"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"vCPU units for the agent container (1024 = 1 vCPU)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1024</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"container_memory_mb"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Memory in MB for the agent container"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">2048</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># dev.tfvars</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">idle_session_timeout_seconds</span> <span class="err">=</span> <span class="mi">600</span> <span class="c1"># 10 min - aggressive cleanup in dev</span> <span class="nx">max_session_lifetime_seconds</span> <span class="err">=</span> <span class="mi">3600</span> <span class="c1"># 1 hour ceiling in dev</span> <span class="nx">container_cpu</span> <span class="err">=</span> <span class="mi">512</span> <span class="nx">container_memory_mb</span> <span class="err">=</span> <span class="mi">1024</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># prod.tfvars</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">idle_session_timeout_seconds</span> <span class="err">=</span> <span class="mi">1800</span> <span class="c1"># 30 min idle tolerance</span> <span class="nx">max_session_lifetime_seconds</span> <span class="err">=</span> <span class="mi">28800</span> <span class="c1"># Full 8-hour window</span> <span class="nx">container_cpu</span> <span class="err">=</span> <span class="mi">1024</span> <span class="nx">container_memory_mb</span> <span class="err">=</span> <span class="mi">2048</span> </code></pre> </div> <h3> ECR Repository </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ecr.tf</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"agent"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-agent-${var.environment}"</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"MUTABLE"</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">encryption_configuration</span> <span class="p">{</span> <span class="nx">encryption_type</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_lifecycle_policy"</span> <span class="s2">"agent"</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">rules</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">rulePriority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Keep last 10 images"</span> <span class="nx">selection</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tagStatus</span> <span class="p">=</span> <span class="s2">"any"</span> <span class="nx">countType</span> <span class="p">=</span> <span class="s2">"imageCountMoreThan"</span> <span class="nx">countNumber</span> <span class="p">=</span> <span class="mi">10</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"expire"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecr_repository_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">repository_url</span> <span class="p">}</span> </code></pre> </div> <h3> IAM for Runtime </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># iam.tf</span> <span class="c1"># Execution role - assumed by AgentCore Runtime service</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"runtime_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-runtime-exec-${var.environment}"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"bedrock.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"runtime_permissions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"runtime-permissions"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">runtime_execution</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"BedrockModelAccess"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"bedrock:InvokeModel"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:bedrock:${var.aws_region}::foundation-model/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AgentCoreGatewayAccess"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"bedrock:InvokeAgentCoreGateway"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gateway_arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"CloudWatchLogs"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:logs:${var.aws_region}:*:log-group:/aws/bedrock-agentcore/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"ECRPull"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:GetAuthorizationToken"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> AgentCore Runtime Resource </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># runtime.tf</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagentcore_agent_runtime"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-runtime-${var.environment}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Agentic AWS order support agent runtime"</span> <span class="c1"># Container image deployed to ECR</span> <span class="nx">runtime_artifact</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">container_image</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">uri</span> <span class="p">=</span> <span class="s2">"${aws_ecr_repository.agent.repository_url}:latest"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM role the runtime assumes</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">runtime_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Environment variables injected into every container instance</span> <span class="nx">environment_variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">GATEWAY_ENDPOINT</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gateway_endpoint</span> <span class="nx">AWS_REGION</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="nx">MODEL_ID</span> <span class="p">=</span> <span class="s2">"anthropic.claude-3-5-sonnet-20241022-v2:0"</span> <span class="p">}</span> <span class="c1"># Session lifecycle controls</span> <span class="nx">session_idle_timeout_in_seconds</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">idle_session_timeout_seconds</span> <span class="nx">max_session_duration_in_seconds</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_session_lifetime_seconds</span> <span class="c1"># Protocol: HTTP for standard request/response, A2A for multi-agent</span> <span class="nx">server_protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="c1"># JWT authorizer - validates tokens before requests reach the container</span> <span class="c1"># Remove authorizer_configuration block for unauthenticated dev testing</span> <span class="nx">authorizer_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">jwt</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">discovery_url</span> <span class="p">=</span> <span class="s2">"https://cognito-idp.${var.aws_region}.amazonaws.com/${aws_cognito_user_pool.agents.id}/.well-known/openid-configuration"</span> <span class="nx">allowed_audience</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"agentcore-runtime-${var.environment}"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Resource limits per container instance</span> <span class="nx">compute_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">container_cpu</span> <span class="nx">memory</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">container_memory_mb</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_role_policy</span><span class="p">.</span><span class="nx">runtime_permissions</span><span class="p">]</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"runtime_endpoint"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTPS endpoint to invoke the agent"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_bedrockagentcore_agent_runtime</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">endpoint_url</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"runtime_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_bedrockagentcore_agent_runtime</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Cognito for JWT Auth </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># cognito.tf</span> <span class="nx">resource</span> <span class="s2">"aws_cognito_user_pool"</span> <span class="s2">"agents"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-agents-${var.environment}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cognito_user_pool_client"</span> <span class="s2">"runtime_client"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"runtime-client-${var.environment}"</span> <span class="nx">user_pool_id</span> <span class="p">=</span> <span class="nx">aws_cognito_user_pool</span><span class="p">.</span><span class="nx">agents</span><span class="p">.</span><span class="nx">id</span> <span class="nx">generate_secret</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">allowed_oauth_flows</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"client_credentials"</span><span class="p">]</span> <span class="nx">allowed_oauth_flows_user_pool_client</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">allowed_oauth_scopes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"agentcore-runtime-${var.environment}/invoke"</span><span class="p">]</span> <span class="nx">explicit_auth_flows</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ALLOW_USER_SRP_AUTH"</span><span class="p">,</span> <span class="s2">"ALLOW_REFRESH_TOKEN_AUTH"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cognito_user_pool_domain"</span> <span class="s2">"agents"</span> <span class="p">{</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"${var.project_name}-agents-${var.environment}"</span> <span class="nx">user_pool_id</span> <span class="p">=</span> <span class="nx">aws_cognito_user_pool</span><span class="p">.</span><span class="nx">agents</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cognito_token_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"https://${aws_cognito_user_pool_domain.agents.domain}.auth.${var.aws_region}.amazoncognito.com/oauth2/token"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cognito_client_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cognito_user_pool_client</span><span class="p">.</span><span class="nx">runtime_client</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h2> Build and Deploy </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Terraform apply (provisions ECR + Runtime, outputs ECR URL)</span> terraform init terraform apply <span class="nt">-var-file</span><span class="o">=</span>dev.tfvars <span class="nv">ECR_URL</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> ecr_repository_url<span class="si">)</span> <span class="nv">RUNTIME_ENDPOINT</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> runtime_endpoint<span class="si">)</span> <span class="c"># 2. Build and push container image</span> <span class="c"># CRITICAL: target linux/arm64 - AgentCore Runtime is ARM64</span> aws ecr get-login-password <span class="nt">--region</span> us-east-1 | <span class="se">\</span> docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> <span class="nv">$ECR_URL</span> docker build <span class="se">\</span> <span class="nt">--platform</span> linux/arm64 <span class="se">\</span> <span class="nt">-t</span> <span class="nv">$ECR_URL</span>:latest <span class="se">\</span> ./agent docker push <span class="nv">$ECR_URL</span>:latest <span class="c"># 3. Get a JWT token from Cognito (client credentials flow)</span> <span class="nv">TOKEN</span><span class="o">=</span><span class="si">$(</span>aws cognito-idp initiate-auth <span class="se">\</span> <span class="nt">--auth-flow</span> USER_SRP_AUTH <span class="se">\</span> <span class="nt">--client-id</span> <span class="si">$(</span>terraform output <span class="nt">-raw</span> cognito_client_id<span class="si">)</span> <span class="se">\</span> <span class="nt">--query</span> <span class="s2">"AuthenticationResult.IdToken"</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># 4. Invoke the agent</span> curl <span class="nt">-X</span> POST <span class="nv">$RUNTIME_ENDPOINT</span>/invocations <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "Where is order ORD-1234?", "session_id": "user-abc"}'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"response"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Order ORD-1234 is currently in transit with FedEx. Tracking number 794601234567. Estimated delivery April 17, 2026."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> How Session Isolation Works </h2> <p>When a request arrives with <code>session_id: "user-abc"</code>, AgentCore Runtime routes it to the container instance bound to that session. If no instance exists yet, Runtime cold-starts one. Subsequent requests with the same session ID hit the same container - so the agent's in-memory conversation history persists across turns.</p> <p>Two users with different session IDs get completely separate container instances. There is no shared memory, no shared state, no cross-contamination between sessions. This is the key property that makes AgentCore Runtime safe for multi-tenant production workloads without any application-level session management code.</p> <p>When <code>idle_session_timeout_seconds</code> elapses with no requests, Runtime tears down the container. The next request for that session ID cold-starts a fresh instance. For stateful workflows that need memory to survive session teardown, Post 3 covers AgentCore Memory.</p> <h2> ARM64 Architecture - The Critical Gotcha </h2> <p>AgentCore Runtime runs on ARM64. Building your dependencies on an x86 machine produces silent import errors at runtime. Always build with <code>--platform linux/arm64</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Wrong - builds for your Mac or x86 CI runner</span> docker build <span class="nt">-t</span> my-agent <span class="nb">.</span> <span class="c"># Correct - explicit ARM64 target</span> docker build <span class="nt">--platform</span> linux/arm64 <span class="nt">-t</span> my-agent <span class="nb">.</span> </code></pre> </div> <p>If your CI pipeline runs on x86, add <code>--platform linux/arm64</code> to every <code>docker build</code> command and ensure your base image has ARM64 variants available (the <code>amazonlinux:2023-minimal</code> image used above does).</p> <h2> Decision Framework </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Configuration</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Dev / testing</td> <td>No JWT authorizer, short idle timeout (10 min)</td> <td>Saves cost, no token management overhead</td> </tr> <tr> <td>Production</td> <td>JWT authorizer (Cognito or OIDC), 30 min idle</td> <td>Token validated before container is hit</td> </tr> <tr> <td>Short workflows (&lt; 30 min)</td> <td><code>max_session_lifetime_seconds = 1800</code></td> <td>Limit blast radius on runaway agents</td> </tr> <tr> <td>Long-running research tasks</td> <td><code>max_session_lifetime_seconds = 28800</code></td> <td>Full 8-hour window</td> </tr> <tr> <td>Multi-agent orchestration</td> <td><code>server_protocol = "A2A"</code></td> <td>Runtime acts as an A2A server; other agents can call it</td> </tr> <tr> <td>VPC isolation required</td> <td>Add <code>network_mode = "VPC"</code> + subnet/SG config</td> <td>Traffic stays off public internet</td> </tr> <tr> <td>Large ML deps (&gt; 250MB)</td> <td>Container deployment</td> <td>ZIP limit is 250MB; containers support up to 1GB</td> </tr> </tbody> </table></div> <h2> Production Additions </h2> <p><strong>VPC mode</strong> - Add <code>network_mode = "VPC"</code> with <code>vpc_subnet_ids</code> and <code>vpc_security_group_ids</code> to keep agent traffic inside your VPC. Combine with PrivateLink to reach AgentCore Gateway without public egress.</p> <p><strong>Observability</strong> - AgentCore Runtime emits token usage, session duration, latency, and error rates to CloudWatch automatically. No SDK instrumentation needed. For richer traces, add OpenTelemetry export to Datadog, LangFuse, or Langsmith from your agent code.</p> <p><strong>Secrets</strong> - Pass sensitive values (API keys, DB passwords) via AWS Secrets Manager, not environment variables. Environment variables are visible in the console. Fetch secrets at container startup with <code>boto3.client("secretsmanager")</code>.</p> <p><strong>A2A protocol</strong> - Set <code>server_protocol = "A2A"</code> to expose the runtime as an Agent-to-Agent server. Other AgentCore Runtime agents can then call it as a sub-agent. Post 6 in this series builds a full multi-agent system on this capability.</p> <h2> What's Next </h2> <p>Post 3 covers <strong>AgentCore Memory</strong> - persistent context that survives session teardown. Without it, every new session starts from zero. Memory adds short-term (within session), long-term (across sessions), and episodic (experience-based learning) storage, all managed, with no vector database to provision.</p> <p>The Runtime you built here connects to AgentCore Memory with a single configuration addition - no changes to agent code required.</p> <h2> Key Takeaways </h2> <ul> <li>AgentCore Runtime provides session-isolated, serverless containers for agent workloads - up to 8-hour execution windows with no pre-provisioned infrastructure</li> <li>Always build container images targeting <code>linux/arm64</code> - Runtime is ARM64 and silent import errors will bite you on x86 builds</li> <li>Idle session timeout and max lifetime are the two most important cost controls - set them aggressively in dev</li> <li>JWT authorization (Cognito or any OIDC provider) sits in front of the container - your agent code handles no auth logic</li> <li> <code>server_protocol = "A2A"</code> turns the runtime into a callable sub-agent for multi-agent orchestration patterns</li> </ul> <p><em>Series: Agentic AWS | Next: Post 3 - AgentCore Memory</em></p> aws ai agents terraform SageMaker Pipelines: CI/CD for ML with Terraform ๐Ÿ” Suhas Mallesh Thu, 23 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/sagemaker-pipelines-cicd-for-ml-with-terraform-4pkh https://forem.com/suhas_mallesh/sagemaker-pipelines-cicd-for-ml-with-terraform-4pkh <p>Manual model retraining is a reliability risk. SageMaker Pipelines automates the full ML lifecycle - preprocessing, training, evaluation, conditional registration, and deployment. Here's how to build it with Terraform and the Pipelines SDK.</p> <p>Through Series 5, we've built the workspace, deployed endpoints, and set up the feature store. The missing piece is automation. Right now, retraining means someone manually running a notebook, evaluating results, and updating the endpoint. That doesn't scale and it's a reliability risk.</p> <p>SageMaker Pipelines brings CI/CD discipline to ML: preprocessing, training, evaluation, conditional model registration, and endpoint deployment run automatically on a schedule or triggered by new data. Each pipeline run is tracked, reproducible, and auditable. Terraform provisions the infrastructure; the Pipelines SDK defines the DAG. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ Pipeline Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Trigger (EventBridge schedule or S3 event) โ†“ ProcessingStep โ†’ preprocess raw data โ†“ TrainingStep โ†’ train model on processed data โ†“ ProcessingStep โ†’ evaluate model metrics โ†“ ConditionStep โ†’ if accuracy &gt; threshold โ†“ โ†“ RegisterModel FailStep โ†“ EventBridge โ†’ model approved โ†’ deploy to endpoint </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>ProcessingStep</strong></td> <td>Data preprocessing, feature engineering, evaluation</td> </tr> <tr> <td><strong>TrainingStep</strong></td> <td>Model training with SageMaker Training Jobs</td> </tr> <tr> <td><strong>ConditionStep</strong></td> <td>Gate on metric threshold before registering</td> </tr> <tr> <td><strong>ModelStep</strong></td> <td>Register model version in Model Registry</td> </tr> <tr> <td><strong>EventBridge</strong></td> <td>Trigger deployment on model approval</td> </tr> </tbody> </table></div> <h2> ๐Ÿ”ง Terraform: Pipeline Infrastructure </h2> <h3> IAM Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipeline/iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"pipeline_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-pipeline-execution"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"sagemaker.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachments_exclusive"</span> <span class="s2">"pipeline"</span> <span class="p">{</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">pipeline_execution</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arns</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"</span><span class="p">,</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonS3FullAccess"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Model Package Group (Model Registry) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipeline/registry.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_model_package_group"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">model_package_group_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">model_package_group_description</span> <span class="p">=</span> <span class="s2">"Model registry for ${var.model_name}"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> The Pipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipeline/pipeline.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_pipeline"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">pipeline_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-pipeline"</span> <span class="nx">pipeline_display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">pipeline_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">pipeline_definition</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span> <span class="s2">"${path.module}/pipeline_definition.json"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">pipeline_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span> <span class="nx">model_group_name</span> <span class="p">=</span> <span class="nx">aws_sagemaker_model_package_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">model_package_group_name</span> <span class="nx">training_image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_image_uri</span> <span class="nx">processing_image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">processing_image_uri</span> <span class="nx">data_bucket</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_bucket</span> <span class="nx">output_bucket</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">output_bucket</span> <span class="nx">accuracy_threshold</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">accuracy_threshold</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> EventBridge: Scheduled Trigger </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipeline/trigger.tf</span> <span class="nx">resource</span> <span class="s2">"aws_scheduler_schedule"</span> <span class="s2">"pipeline_trigger"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-pipeline-trigger"</span> <span class="nx">flexible_time_window</span> <span class="p">{</span> <span class="nx">mode</span> <span class="p">=</span> <span class="s2">"OFF"</span> <span class="p">}</span> <span class="nx">schedule_expression</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pipeline_schedule</span> <span class="c1"># e.g. "cron(0 2 * * ? *)"</span> <span class="nx">target</span> <span class="p">{</span> <span class="nx">arn</span> <span class="p">=</span> <span class="s2">"arn:aws:sagemaker:${var.region}:${data.aws_caller_identity.current.account_id}:pipeline/${aws_sagemaker_pipeline.this.pipeline_name}"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">scheduler</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">sagemaker_pipeline_parameters</span> <span class="p">{</span> <span class="nx">pipeline_parameter_list</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"InputDataUri"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"s3://${var.data_bucket}/latest/"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> EventBridge: Auto-Deploy on Model Approval </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># pipeline/deployment_trigger.tf</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_rule"</span> <span class="s2">"model_approval"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-model-approved"</span> <span class="nx">event_pattern</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"aws.sagemaker"</span><span class="p">]</span> <span class="nx">detail-type</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"SageMaker Model Package State Change"</span><span class="p">]</span> <span class="nx">detail</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ModelPackageGroupName</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sagemaker_model_package_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">model_package_group_name</span><span class="p">]</span> <span class="nx">ModelApprovalStatus</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Approved"</span><span class="p">]</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_event_target"</span> <span class="s2">"deploy_lambda"</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_event_rule</span><span class="p">.</span><span class="nx">model_approval</span><span class="p">.</span><span class="nx">name</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="s2">"deploy-approved-model"</span> <span class="nx">arn</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">deploy_model</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>When a model is approved in the registry, EventBridge triggers a Lambda that updates the SageMaker endpoint to the new model version.</p> <h2> ๐Ÿ Pipeline Definition (Pipelines SDK) </h2> <p>Terraform stores the pipeline definition as a JSON file generated by the SDK:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># generate_pipeline.py </span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.pipeline</span> <span class="kn">import</span> <span class="n">Pipeline</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.steps</span> <span class="kn">import</span> <span class="n">ProcessingStep</span><span class="p">,</span> <span class="n">TrainingStep</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.model_step</span> <span class="kn">import</span> <span class="n">ModelStep</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.conditions</span> <span class="kn">import</span> <span class="n">ConditionGreaterThanOrEqualTo</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.condition_step</span> <span class="kn">import</span> <span class="n">ConditionStep</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.parameters</span> <span class="kn">import</span> <span class="n">ParameterString</span> <span class="kn">from</span> <span class="n">sagemaker.sklearn.processing</span> <span class="kn">import</span> <span class="n">SKLearnProcessor</span> <span class="kn">from</span> <span class="n">sagemaker.estimator</span> <span class="kn">import</span> <span class="n">Estimator</span> <span class="kn">from</span> <span class="n">sagemaker.workflow.functions</span> <span class="kn">import</span> <span class="n">JsonGet</span> <span class="n">role</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ROLE_ARN</span><span class="sh">"</span> <span class="n">session</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="c1"># Pipeline parameters </span><span class="n">input_data</span> <span class="o">=</span> <span class="nc">ParameterString</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">InputDataUri</span><span class="sh">"</span><span class="p">,</span> <span class="n">default_value</span><span class="o">=</span><span class="sh">"</span><span class="s">s3://bucket/data/</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Step 1: Preprocessing </span><span class="n">preprocessor</span> <span class="o">=</span> <span class="nc">SKLearnProcessor</span><span class="p">(</span> <span class="n">framework_version</span><span class="o">=</span><span class="sh">"</span><span class="s">1.2-1</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="n">role</span><span class="p">,</span> <span class="n">instance_type</span><span class="o">=</span><span class="sh">"</span><span class="s">ml.m5.large</span><span class="sh">"</span><span class="p">,</span> <span class="n">instance_count</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="p">)</span> <span class="n">step_process</span> <span class="o">=</span> <span class="nc">ProcessingStep</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Preprocess</span><span class="sh">"</span><span class="p">,</span> <span class="n">processor</span><span class="o">=</span><span class="n">preprocessor</span><span class="p">,</span> <span class="n">inputs</span><span class="o">=</span><span class="p">[...],</span> <span class="n">outputs</span><span class="o">=</span><span class="p">[...],</span> <span class="n">code</span><span class="o">=</span><span class="sh">"</span><span class="s">scripts/preprocess.py</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Step 2: Training </span><span class="n">estimator</span> <span class="o">=</span> <span class="nc">Estimator</span><span class="p">(</span> <span class="n">image_uri</span><span class="o">=</span><span class="sh">"</span><span class="s">TRAINING_IMAGE</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="n">role</span><span class="p">,</span> <span class="n">instance_type</span><span class="o">=</span><span class="sh">"</span><span class="s">ml.m5.xlarge</span><span class="sh">"</span><span class="p">,</span> <span class="n">instance_count</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">output_path</span><span class="o">=</span><span class="sh">"</span><span class="s">s3://output-bucket/models/</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">step_train</span> <span class="o">=</span> <span class="nc">TrainingStep</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Train</span><span class="sh">"</span><span class="p">,</span> <span class="n">estimator</span><span class="o">=</span><span class="n">estimator</span><span class="p">,</span> <span class="n">inputs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">train</span><span class="sh">"</span><span class="p">:</span> <span class="n">step_process</span><span class="p">.</span><span class="n">properties</span><span class="p">.</span><span class="n">ProcessingOutputConfig</span><span class="p">.</span><span class="n">Outputs</span><span class="p">[</span><span class="sh">"</span><span class="s">train</span><span class="sh">"</span><span class="p">].</span><span class="n">S3Output</span><span class="p">.</span><span class="n">S3Uri</span><span class="p">},</span> <span class="p">)</span> <span class="c1"># Step 3: Evaluation </span><span class="n">step_eval</span> <span class="o">=</span> <span class="nc">ProcessingStep</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Evaluate</span><span class="sh">"</span><span class="p">,</span> <span class="n">processor</span><span class="o">=</span><span class="n">preprocessor</span><span class="p">,</span> <span class="n">inputs</span><span class="o">=</span><span class="p">[...],</span> <span class="n">outputs</span><span class="o">=</span><span class="p">[...],</span> <span class="n">code</span><span class="o">=</span><span class="sh">"</span><span class="s">scripts/evaluate.py</span><span class="sh">"</span><span class="p">,</span> <span class="n">property_files</span><span class="o">=</span><span class="p">[</span><span class="n">evaluation_report</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Step 4: Conditional registration </span><span class="n">accuracy_condition</span> <span class="o">=</span> <span class="nc">ConditionGreaterThanOrEqualTo</span><span class="p">(</span> <span class="n">left</span><span class="o">=</span><span class="nc">JsonGet</span><span class="p">(</span><span class="n">step_name</span><span class="o">=</span><span class="n">step_eval</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">property_file</span><span class="o">=</span><span class="n">evaluation_report</span><span class="p">,</span> <span class="n">json_path</span><span class="o">=</span><span class="sh">"</span><span class="s">metrics.accuracy</span><span class="sh">"</span><span class="p">),</span> <span class="n">right</span><span class="o">=</span><span class="mf">0.85</span><span class="p">,</span> <span class="c1"># Threshold - override with var.accuracy_threshold </span><span class="p">)</span> <span class="n">step_register</span> <span class="o">=</span> <span class="nc">ModelStep</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">RegisterModel</span><span class="sh">"</span><span class="p">,</span> <span class="n">step_args</span><span class="o">=</span><span class="n">model</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span> <span class="n">content_types</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">],</span> <span class="n">response_types</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">],</span> <span class="n">inference_instances</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">ml.m5.xlarge</span><span class="sh">"</span><span class="p">],</span> <span class="n">model_package_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">MODEL_GROUP_NAME</span><span class="sh">"</span><span class="p">,</span> <span class="n">approval_status</span><span class="o">=</span><span class="sh">"</span><span class="s">PendingManualApproval</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="n">step_condition</span> <span class="o">=</span> <span class="nc">ConditionStep</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">CheckAccuracy</span><span class="sh">"</span><span class="p">,</span> <span class="n">conditions</span><span class="o">=</span><span class="p">[</span><span class="n">accuracy_condition</span><span class="p">],</span> <span class="n">if_steps</span><span class="o">=</span><span class="p">[</span><span class="n">step_register</span><span class="p">],</span> <span class="n">else_steps</span><span class="o">=</span><span class="p">[],</span> <span class="p">)</span> <span class="c1"># Build pipeline </span><span class="n">pipeline</span> <span class="o">=</span> <span class="nc">Pipeline</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">PIPELINE_NAME</span><span class="sh">"</span><span class="p">,</span> <span class="n">parameters</span><span class="o">=</span><span class="p">[</span><span class="n">input_data</span><span class="p">],</span> <span class="n">steps</span><span class="o">=</span><span class="p">[</span><span class="n">step_process</span><span class="p">,</span> <span class="n">step_train</span><span class="p">,</span> <span class="n">step_eval</span><span class="p">,</span> <span class="n">step_condition</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Export definition for Terraform </span><span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">pipeline_definition.json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dump</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">pipeline</span><span class="p">.</span><span class="nf">definition</span><span class="p">()),</span> <span class="n">f</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p>Run this script to generate <code>pipeline_definition.json</code>, then reference it in the <code>aws_sagemaker_pipeline</code> Terraform resource.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">accuracy_threshold</span> <span class="err">=</span> <span class="mf">0.80</span> <span class="nx">pipeline_schedule</span> <span class="err">=</span> <span class="s2">"cron(0 6 * * ? *)"</span> <span class="c1"># Daily at 6am</span> <span class="nx">training_image_uri</span> <span class="err">=</span> <span class="s2">"123456789012.dkr.ecr.us-east-1.amazonaws.com/training:dev"</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">accuracy_threshold</span> <span class="err">=</span> <span class="mf">0.90</span> <span class="nx">pipeline_schedule</span> <span class="err">=</span> <span class="s2">"cron(0 2 * * ? *)"</span> <span class="c1"># Daily at 2am</span> <span class="nx">training_image_uri</span> <span class="err">=</span> <span class="s2">"123456789012.dkr.ecr.us-east-1.amazonaws.com/training:v2.1.0"</span> </code></pre> </div> <p><strong>Higher accuracy thresholds in prod.</strong> A model that clears 80% in dev might need 90% before auto-registering in prod. The <code>ConditionStep</code> enforces this gate automatically.</p> <h2> ๐Ÿ”ง The CI/CD Flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. EventBridge fires on schedule โ†“ 2. SageMaker Pipeline starts โ†“ 3. Preprocessing job runs โ†“ 4. Training job runs โ†“ 5. Evaluation job computes accuracy โ†“ 6a. accuracy &gt;= threshold โ†’ RegisterModel (PendingManualApproval) 6b. accuracy &lt; threshold โ†’ Pipeline fails with clear error โ†“ 7. Human reviews model in Model Registry โ†“ 8. Approved โ†’ EventBridge fires โ†“ 9. Lambda updates SageMaker Endpoint to new model </code></pre> </div> <p>Manual approval at step 7 is optional. Set <code>approval_status = "Approved"</code> in the registration step for fully automated deployments.</p> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Pipeline definition is JSON.</strong> The <code>aws_sagemaker_pipeline</code> resource takes a JSON string. Generate it with the SDK, store it as a file, and use <code>templatefile()</code> to inject Terraform variable values (role ARNs, bucket names, image URIs).</p> <p><strong>Each pipeline run is versioned.</strong> Every execution is logged with its inputs, outputs, and metrics. Use the SageMaker Studio Pipelines tab to inspect any historical run.</p> <p><strong>Container images must exist before <code>terraform apply</code>.</strong> The pipeline references training and processing container images. Build and push them to ECR before running Terraform.</p> <p><strong>The Model Registry is the gate.</strong> <code>PendingManualApproval</code> gives your team a human review step before deployment. <code>Approved</code> auto-deploys. Choose based on your risk tolerance per environment.</p> <p><strong>Lambda for deployment.</strong> The EventBridge-to-deployment pattern uses a Lambda to call the SageMaker API and update the endpoint. Keep the Lambda simple - just a boto3 call to update the endpoint config and create a new endpoint version.</p> <h2> โญ๏ธ Series 5 Complete! </h2> <p>This is <strong>Post 4</strong> of the <strong>ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">SageMaker Studio Domain</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp">SageMaker Endpoints</a> ๐Ÿš€</li> <li> <strong>Post 3:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-feature-store-with-terraform-centralized-ml-features-for-training-and-inference-8n7">SageMaker Feature Store</a> ๐Ÿ—ƒ๏ธ</li> <li> <strong>Post 4:</strong> SageMaker Pipelines - CI/CD for ML (you are here) ๐Ÿ”</li> </ul> <p><em>Your ML workflow is automated. Scheduled retraining, metric-gated model registration, human approval gates, and automatic endpoint updates. From raw data to production, every step is tracked, reproducible, and auditable.</em> ๐Ÿ”</p> <p><em>Found this helpful? Follow for the next series!</em> ๐Ÿ’ฌ</p> aws devops machinelearning ai Agentic AWS - Day 1: Amazon Bedrock AgentCore Gateway Suhas Mallesh Thu, 23 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/agentic-aws-day-1-amazon-bedrock-agentcore-gateway-555l https://forem.com/suhas_mallesh/agentic-aws-day-1-amazon-bedrock-agentcore-gateway-555l <p><strong>Series:</strong> Agentic AWS | <strong>Post:</strong> 1 of 6 | <strong>Cloud:</strong> AWS</p> <h2> The Problem with DIY MCP Tool Servers </h2> <p>Every production AI agent needs tools - APIs, Lambda functions, internal services. Before AgentCore Gateway, connecting those tools to an agent meant writing your own MCP server, managing OAuth flows, handling protocol translation, building throttling, and wiring up observability. That is weeks of undifferentiated work before a single line of agent logic.</p> <p>AgentCore Gateway eliminates that entirely. It is a fully managed MCP server that converts Lambda functions and OpenAPI specs into agent-ready tools - with built-in auth, routing, and semantic tool discovery - in zero code.</p> <p>This post provisions an AgentCore Gateway via Terraform, registers a Lambda function as a tool target, and connects a Bedrock-powered agent to it using the MCP streamable HTTP transport.</p> <h2> Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Bedrock Agent (Python + MCP client) | | streamable HTTP (MCP protocol) v AgentCore Gateway &lt;-- IAM inbound auth | | IAM role assumption v Lambda Target: order-status-tool | v DynamoDB (mock order table) </code></pre> </div> <p>The gateway handles inbound authentication (IAM or OAuth), routes MCP requests to the correct target, translates between MCP and the Lambda invocation protocol, and returns tool results back to the agent.</p> <h2> Terraform Infrastructure </h2> <h3> Provider and Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># versions.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.80"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.6"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region for deployment"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Deployment environment (dev or prod)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"project_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Project prefix for resource naming"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"agentic-aws"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"semantic_search_enabled"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Enable semantic tool search index on the gateway"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"lambda_memory_mb"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Lambda memory allocation in MB"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">256</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># dev.tfvars</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">semantic_search_enabled</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">lambda_memory_mb</span> <span class="err">=</span> <span class="mi">256</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># prod.tfvars</span> <span class="nx">aws_region</span> <span class="err">=</span> <span class="s2">"us-east-1"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">semantic_search_enabled</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">lambda_memory_mb</span> <span class="err">=</span> <span class="mi">512</span> </code></pre> </div> <h3> Lambda Tool - Order Status </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># lambda.tf</span> <span class="c1"># IAM role for the Lambda function</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"order_tool_lambda"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-order-tool-lambda-${var.environment}"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"lambda_basic"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">order_tool_lambda</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"lambda_dynamodb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dynamodb-read"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">order_tool_lambda</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"dynamodb:GetItem"</span><span class="p">,</span> <span class="s2">"dynamodb:Query"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_dynamodb_table</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Lambda function (zip from local source)</span> <span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"order_tool"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"${path.module}/lambda/order_tool"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"${path.module}/.build/order_tool.zip"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"order_tool"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-order-tool-${var.environment}"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">order_tool_lambda</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">order_tool</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">order_tool</span><span class="p">.</span><span class="nx">output_base64sha256</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"handler.lambda_handler"</span> <span class="nx">memory_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">lambda_memory_mb</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">environment</span> <span class="p">{</span> <span class="nx">variables</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ORDERS_TABLE</span> <span class="p">=</span> <span class="nx">aws_dynamodb_table</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nx">name</span> <span class="nx">ENVIRONMENT</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Mock orders table</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"orders"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-orders-${var.environment}"</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"order_id"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"order_id"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> AgentCore Gateway and Target </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># gateway.tf</span> <span class="c1"># IAM role that AgentCore Gateway assumes to invoke Lambda</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"gateway_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-gateway-exec-${var.environment}"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"bedrock.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"gateway_invoke_lambda"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"invoke-order-tool"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">gateway_execution</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">order_tool</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># AgentCore Gateway</span> <span class="nx">resource</span> <span class="s2">"aws_bedrock_agent_core_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-gateway-${var.environment}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Agentic AWS - order management tool gateway"</span> <span class="c1"># Inbound auth: IAM - agents must sign requests with SigV4</span> <span class="nx">authorizer_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS_IAM"</span> <span class="p">}</span> <span class="c1"># Enable semantic tool search in prod for large tool sets</span> <span class="nx">search_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">semantic_search_enabled</span> <span class="err">?</span> <span class="s2">"SEMANTIC"</span> <span class="err">:</span> <span class="s2">"LEXICAL"</span> <span class="p">}</span> <span class="c1"># Lambda target - registers the order tool with the gateway</span> <span class="nx">resource</span> <span class="s2">"aws_bedrock_agent_core_gateway_target"</span> <span class="s2">"order_tool"</span> <span class="p">{</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_bedrock_agent_core_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"order-status-target"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Retrieves order status and shipment details"</span> <span class="nx">target_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">lambda</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">lambda_arn</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">order_tool</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">execution_role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">gateway_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM policy allowing the Bedrock agent caller to invoke the gateway</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"invoke_gateway"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-invoke-gateway-${var.environment}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allows agent runtime to call AgentCore Gateway"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"bedrock:InvokeAgentCoreGateway"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_bedrock_agent_core_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Outputs consumed by the Python agent</span> <span class="nx">output</span> <span class="s2">"gateway_endpoint"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"MCP streamable HTTP endpoint for the gateway"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_bedrock_agent_core_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">endpoint_url</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"gateway_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Gateway ARN for IAM policy references"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_bedrock_agent_core_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h2> Lambda Tool Implementation </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># lambda/order_tool/handler.py </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">boto3.dynamodb.conditions</span> <span class="kn">import</span> <span class="n">Key</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ORDERS_TABLE</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">get_order_status</span><span class="p">(</span><span class="n">order_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Retrieve order status from DynamoDB.</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span><span class="n">Key</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">order_id</span><span class="p">})</span> <span class="n">item</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Item</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Order </span><span class="si">{</span><span class="n">order_id</span><span class="si">}</span><span class="s"> not found</span><span class="sh">"</span><span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">[</span><span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">carrier</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">carrier</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">tracking_number</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tracking_number</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">estimated_delivery</span><span class="sh">"</span><span class="p">:</span> <span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">estimated_delivery</span><span class="sh">"</span><span class="p">),</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">context</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> AgentCore Gateway invokes Lambda with a standard tool call structure. The </span><span class="sh">'</span><span class="s">tool_name</span><span class="sh">'</span><span class="s"> field identifies which tool to execute. </span><span class="sh">'</span><span class="s">tool_input</span><span class="sh">'</span><span class="s"> contains the parameters. </span><span class="sh">"""</span> <span class="n">tool_name</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">tool_input</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tool_input</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="k">if</span> <span class="n">tool_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">get_order_status</span><span class="sh">"</span><span class="p">:</span> <span class="n">order_id</span> <span class="o">=</span> <span class="n">tool_input</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">order_id</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">order_id is required</span><span class="sh">"</span><span class="p">}</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">get_order_status</span><span class="p">(</span><span class="n">order_id</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Unknown tool: </span><span class="si">{</span><span class="n">tool_name</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_result</span><span class="sh">"</span><span class="p">:</span> <span class="n">result</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>The Lambda receives a normalized tool call envelope from AgentCore Gateway regardless of the upstream protocol. Your function does not need to understand MCP.</p> <h2> Python Agent - Connecting via MCP </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># agent.py </span><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">mcp</span> <span class="kn">import</span> <span class="n">ClientSession</span> <span class="kn">from</span> <span class="n">mcp.client.streamable_http</span> <span class="kn">import</span> <span class="n">streamablehttp_client</span> <span class="kn">from</span> <span class="n">botocore.auth</span> <span class="kn">import</span> <span class="n">SigV4Auth</span> <span class="kn">from</span> <span class="n">botocore.awsrequest</span> <span class="kn">import</span> <span class="n">AWSRequest</span> <span class="kn">from</span> <span class="n">botocore.credentials</span> <span class="kn">import</span> <span class="n">Credentials</span> <span class="kn">import</span> <span class="n">httpx</span> <span class="n">GATEWAY_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">GATEWAY_ENDPOINT</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># from Terraform output </span><span class="n">AWS_REGION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">AWS_REGION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="n">MODEL_ID</span> <span class="o">=</span> <span class="sh">"</span><span class="s">anthropic.claude-3-5-sonnet-20241022-v2:0</span><span class="sh">"</span> <span class="n">bedrock</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">bedrock-runtime</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">AWS_REGION</span><span class="p">)</span> <span class="n">session_creds</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nc">Session</span><span class="p">().</span><span class="nf">get_credentials</span><span class="p">().</span><span class="nf">resolve</span><span class="p">()</span> <span class="k">def</span> <span class="nf">signed_headers</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">method</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate SigV4 signed headers for AgentCore Gateway inbound IAM auth.</span><span class="sh">"""</span> <span class="n">request</span> <span class="o">=</span> <span class="nc">AWSRequest</span><span class="p">(</span><span class="n">method</span><span class="o">=</span><span class="n">method</span><span class="p">,</span> <span class="n">url</span><span class="o">=</span><span class="n">url</span><span class="p">)</span> <span class="nc">SigV4Auth</span><span class="p">(</span><span class="n">session_creds</span><span class="p">,</span> <span class="sh">"</span><span class="s">bedrock</span><span class="sh">"</span><span class="p">,</span> <span class="n">AWS_REGION</span><span class="p">).</span><span class="nf">add_auth</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="nf">dict</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">run_agent</span><span class="p">(</span><span class="n">user_query</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Connect to AgentCore Gateway, discover available tools, and run a Bedrock-powered agent loop. </span><span class="sh">"""</span> <span class="n">headers</span> <span class="o">=</span> <span class="nf">signed_headers</span><span class="p">(</span><span class="n">GATEWAY_ENDPOINT</span><span class="p">)</span> <span class="k">async</span> <span class="k">with</span> <span class="nf">streamablehttp_client</span><span class="p">(</span><span class="n">GATEWAY_ENDPOINT</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="nf">as </span><span class="p">(</span><span class="n">read</span><span class="p">,</span> <span class="n">write</span><span class="p">,</span> <span class="n">_</span><span class="p">):</span> <span class="k">async</span> <span class="k">with</span> <span class="nc">ClientSession</span><span class="p">(</span><span class="n">read</span><span class="p">,</span> <span class="n">write</span><span class="p">)</span> <span class="k">as</span> <span class="n">mcp_session</span><span class="p">:</span> <span class="k">await</span> <span class="n">mcp_session</span><span class="p">.</span><span class="nf">initialize</span><span class="p">()</span> <span class="c1"># Discover tools registered on the gateway </span> <span class="n">tools_response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">mcp_session</span><span class="p">.</span><span class="nf">list_tools</span><span class="p">()</span> <span class="n">tools</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">t</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="n">t</span><span class="p">.</span><span class="n">description</span><span class="p">,</span> <span class="sh">"</span><span class="s">input_schema</span><span class="sh">"</span><span class="p">:</span> <span class="n">t</span><span class="p">.</span><span class="n">inputSchema</span><span class="p">,</span> <span class="p">}</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">tools_response</span><span class="p">.</span><span class="n">tools</span> <span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Discovered </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">tools</span><span class="p">)</span><span class="si">}</span><span class="s"> tools: </span><span class="si">{</span><span class="p">[</span><span class="n">t</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">tools</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">messages</span> <span class="o">=</span> <span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_query</span><span class="p">}]</span> <span class="c1"># Agentic loop </span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">bedrock</span><span class="p">.</span><span class="nf">invoke_model</span><span class="p">(</span> <span class="n">modelId</span><span class="o">=</span><span class="n">MODEL_ID</span><span class="p">,</span> <span class="n">contentType</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">anthropic_version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">bedrock-2023-05-31</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">max_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1024</span><span class="p">,</span> <span class="sh">"</span><span class="s">tools</span><span class="sh">"</span><span class="p">:</span> <span class="n">tools</span><span class="p">,</span> <span class="sh">"</span><span class="s">messages</span><span class="sh">"</span><span class="p">:</span> <span class="n">messages</span><span class="p">,</span> <span class="p">}),</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">())</span> <span class="n">stop_reason</span> <span class="o">=</span> <span class="n">result</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">stop_reason</span><span class="sh">"</span><span class="p">)</span> <span class="n">content</span> <span class="o">=</span> <span class="n">result</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="c1"># Append assistant turn </span> <span class="n">messages</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">assistant</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">content</span><span class="p">})</span> <span class="k">if</span> <span class="n">stop_reason</span> <span class="o">==</span> <span class="sh">"</span><span class="s">end_turn</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Extract final text response </span> <span class="k">for</span> <span class="n">block</span> <span class="ow">in</span> <span class="n">content</span><span class="p">:</span> <span class="k">if</span> <span class="n">block</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">Agent: </span><span class="si">{</span><span class="n">block</span><span class="p">[</span><span class="sh">'</span><span class="s">text</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">break</span> <span class="k">if</span> <span class="n">stop_reason</span> <span class="o">==</span> <span class="sh">"</span><span class="s">tool_use</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_results</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">block</span> <span class="ow">in</span> <span class="n">content</span><span class="p">:</span> <span class="k">if</span> <span class="n">block</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">)</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">tool_use</span><span class="sh">"</span><span class="p">:</span> <span class="k">continue</span> <span class="n">tool_name</span> <span class="o">=</span> <span class="n">block</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="n">tool_input</span> <span class="o">=</span> <span class="n">block</span><span class="p">[</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">]</span> <span class="n">tool_use_id</span> <span class="o">=</span> <span class="n">block</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> -&gt; Calling tool: </span><span class="si">{</span><span class="n">tool_name</span><span class="si">}</span><span class="s">(</span><span class="si">{</span><span class="n">tool_input</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Invoke tool via AgentCore Gateway MCP </span> <span class="n">mcp_result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">mcp_session</span><span class="p">.</span><span class="nf">call_tool</span><span class="p">(</span><span class="n">tool_name</span><span class="p">,</span> <span class="n">tool_input</span><span class="p">)</span> <span class="n">tool_output</span> <span class="o">=</span> <span class="n">mcp_result</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span> <span class="k">if</span> <span class="n">mcp_result</span><span class="p">.</span><span class="n">content</span> <span class="k">else</span> <span class="sh">""</span> <span class="n">tool_results</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">tool_result</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_use_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_use_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_output</span><span class="p">,</span> <span class="p">})</span> <span class="n">messages</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_results</span><span class="p">})</span> <span class="k">else</span><span class="p">:</span> <span class="k">break</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="kn">import</span> <span class="n">sys</span> <span class="n">query</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">1</span> <span class="k">else</span> <span class="sh">"</span><span class="s">What is the status of order ORD-1234?</span><span class="sh">"</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">run_agent</span><span class="p">(</span><span class="n">query</span><span class="p">))</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">GATEWAY_ENDPOINT</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> gateway_endpoint<span class="si">)</span> python agent.py <span class="s2">"Where is my order ORD-1234?"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Discovered 1 tools: ['get_order_status'] -&gt; Calling tool: get_order_status({'order_id': 'ORD-1234'}) Agent: Your order ORD-1234 is currently in transit with FedEx. Tracking number: 794601234567. Estimated delivery: April 17, 2026. </code></pre> </div> <h2> How AgentCore Gateway Handles the Heavy Lifting </h2> <p>When the Python agent calls <code>mcp_session.call_tool("get_order_status", ...)</code>, the following happens inside AgentCore Gateway automatically:</p> <p><strong>Inbound auth</strong> - The gateway validates the SigV4 signature against IAM. No valid credentials, no access. In production you can switch this to OAuth (Cognito, Okta, Auth0) with no change to your Lambda code.</p> <p><strong>Protocol translation</strong> - The MCP tool call is converted to a normalized Lambda invocation envelope. Your Lambda never sees raw MCP.</p> <p><strong>Routing</strong> - The gateway resolves which target owns <code>get_order_status</code> and invokes it. As you add more targets, the gateway routes by tool name automatically.</p> <p><strong>Outbound auth</strong> - The gateway assumes the <code>gateway_execution</code> IAM role you configured and invokes Lambda with it. Your Lambda never handles credentials.</p> <p><strong>Semantic search (prod)</strong> - With <code>semantic_search_enabled = true</code>, the gateway builds a vector index of all tool descriptions. The agent can call <code>search_tools("find shipping info")</code> to dynamically discover the right tool rather than enumerating all of them - essential when you have dozens of tools.</p> <h2> Decision Framework </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Target Type</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Custom business logic, no existing API</td> <td>Lambda</td> <td>Full control, any language</td> </tr> <tr> <td>Existing REST API with OpenAPI spec</td> <td>OpenAPI target</td> <td>Zero code, spec-driven</td> </tr> <tr> <td>Existing MCP server (third-party)</td> <td>MCP server target</td> <td>GA Oct 2025 - connect existing servers</td> </tr> <tr> <td>Inbound auth: service-to-service</td> <td>IAM (SigV4)</td> <td>Simplest, no token management</td> </tr> <tr> <td>Inbound auth: user-delegated flows</td> <td>OAuth (Cognito/Okta)</td> <td>3LO for user context</td> </tr> <tr> <td>Small tool set (&lt; 20 tools)</td> <td>Lexical search</td> <td>Faster, cheaper</td> </tr> <tr> <td>Large tool set (&gt; 20 tools)</td> <td>Semantic search</td> <td>Better accuracy, slight cost</td> </tr> </tbody> </table></div> <h2> Production Additions </h2> <p>A few things to layer in before real traffic:</p> <ul> <li> <strong>VPC integration</strong> - AgentCore Gateway supports VPC and PrivateLink (GA Oct 2025). Add <code>vpc_configuration</code> to the gateway resource to keep traffic off the public internet.</li> <li> <strong>CloudWatch observability</strong> - AgentCore Observability emits token usage, latency, and error rates to CloudWatch automatically. No configuration needed.</li> <li> <strong>Policy guardrails</strong> - AgentCore Policy can intercept tool calls before they execute and evaluate them against Cedar rules. Useful for "never issue refunds over $500 without human approval" type controls. Post 4 in this series covers Identity; Policy integrates directly with the gateway.</li> <li> <strong>Multiple targets</strong> - Add more <code>aws_bedrock_agent_core_gateway_target</code> resources to the same gateway. Each target can have its own auth config and tool set. One gateway endpoint, many services.</li> </ul> <h2> What's Next </h2> <p>Post 2 covers <strong>AgentCore Runtime</strong> - the serverless execution environment where you deploy the agent itself. Runtime adds 8-hour execution windows, session isolation, A2A protocol support, and built-in observability for the agent process, not just the tool calls.</p> <p>The gateway you built here connects directly to an AgentCore Runtime-hosted agent with no changes to the gateway configuration.</p> <h2> Key Takeaways </h2> <ul> <li>AgentCore Gateway converts Lambda functions and OpenAPI specs into MCP-compliant tools with zero code changes to your functions</li> <li>Inbound IAM auth (SigV4) is the right starting point; OAuth is a drop-in upgrade for user-delegated scenarios</li> <li>Semantic tool search pays off at scale - enable it in prod when you have more than 20 tools</li> <li>The gateway handles auth, routing, and protocol translation; your Lambda handles only business logic</li> <li>One gateway manages multiple targets - you get a single MCP endpoint for your entire tool estate</li> </ul> <p><em>Series: Agentic AWS | Next: Post 2 - AgentCore Runtime</em></p> aws ai agents terraform Azure ML Feature Store with Terraform: Managed Feature Materialization for Training and Inference ๐Ÿ—ƒ๏ธ Suhas Mallesh Fri, 17 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/azure-ml-feature-store-with-terraform-managed-feature-materialization-for-training-and-inference-o38 https://forem.com/suhas_mallesh/azure-ml-feature-store-with-terraform-managed-feature-materialization-for-training-and-inference-o38 <p>Azure ML Feature Store is a specialized workspace that manages feature engineering, offline materialization to storage, and online serving with Redis. Terraform provisions the infrastructure, SDK defines feature sets. Here's how to build it.</p> <p>In the previous posts, we set up the ML workspace and deployed endpoints. Now we need consistent features feeding those endpoints. Training uses historical features from batch sources. Inference needs the latest values in real time. When these diverge, your model's accuracy degrades silently.</p> <p>Azure ML Feature Store is implemented as a special type of Azure ML workspace (<code>kind = "FeatureStore"</code>). It manages feature transformation pipelines, materializes features to offline storage (ADLS/Blob) and an online store (Redis), and provides point-in-time feature retrieval for training. Terraform provisions the infrastructure; the SDK defines entities, feature sets, and materialization schedules. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ Feature Store Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Feature Store</strong></td> <td>Specialized ML workspace with <code>kind = "FeatureStore"</code> </td> </tr> <tr> <td><strong>Entity</strong></td> <td>Logical key (e.g., customer_id, account_id) shared across feature sets</td> </tr> <tr> <td><strong>Feature Set</strong></td> <td>Collection of features with transformation code and source definition</td> </tr> <tr> <td><strong>Offline Store</strong></td> <td>ADLS/Blob storage for materialized historical features</td> </tr> <tr> <td><strong>Online Store</strong></td> <td>Redis cache for low-latency inference lookups</td> </tr> <tr> <td><strong>Materialization</strong></td> <td>Spark jobs that compute and sync features on a schedule</td> </tr> </tbody> </table></div> <p>The key concept: feature sets include transformation code. Raw data goes in, computed features come out. The same transformation runs for both offline materialization (training) and online materialization (inference), eliminating training-serving skew.</p> <h2> ๐Ÿ”ง Terraform: Provision Feature Store Infrastructure </h2> <h3> Feature Store Workspace </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/workspace.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_workspace"</span> <span class="s2">"feature_store"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-feature-store"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">application_insights_id</span> <span class="p">=</span> <span class="nx">azurerm_application_insights</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key_vault_id</span> <span class="p">=</span> <span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"FeatureStore"</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>kind = "FeatureStore"</code></strong> is the critical setting. This creates a workspace optimized for feature management rather than general ML development.</p> <h3> Offline Materialization Store </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/offline_store.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"offline_store"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}fsoffline${random_string.suffix.result}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">storage_replication</span> <span class="nx">is_hns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># ADLS Gen2</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_container"</span> <span class="s2">"features"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"features"</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">offline_store</span><span class="p">.</span><span class="nx">id</span> <span class="nx">container_access_type</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>is_hns_enabled = true</code></strong> enables ADLS Gen2 hierarchical namespace, which is required for efficient feature materialization with Parquet files.</p> <h3> Online Store (Redis Cache) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/online_store.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_redis_cache"</span> <span class="s2">"online_store"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_online_store</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-fs-redis"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">redis_capacity</span> <span class="nx">family</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">redis_family</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">redis_sku</span> <span class="nx">minimum_tls_version</span> <span class="p">=</span> <span class="s2">"1.2"</span> <span class="nx">redis_configuration</span> <span class="p">{</span> <span class="nx">maxmemory_policy</span> <span class="p">=</span> <span class="s2">"allkeys-lru"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>The online store is optional. Enable it when you need low-latency feature lookups during inference. Skip it in dev if you only need offline features for training.</p> <h3> Compute for Materialization </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/compute.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_compute_cluster"</span> <span class="s2">"materialization"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-materialization"</span> <span class="nx">machine_learning_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">materialization_vm_size</span> <span class="nx">vm_priority</span> <span class="p">=</span> <span class="s2">"LowPriority"</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">scale_settings</span> <span class="p">{</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">materialization_max_nodes</span> <span class="nx">scale_down_nodes_after_idle_duration</span> <span class="p">=</span> <span class="s2">"PT5M"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>Materialization jobs run as Spark pipelines on this compute cluster. <code>min_node_count = 0</code> means you pay nothing when no materialization is running.</p> <h2> ๐Ÿ Define Entities and Feature Sets (SDK) </h2> <p>Terraform provisions infrastructure. The SDK defines the feature engineering logic:</p> <h3> Create an Entity </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml</span> <span class="kn">import</span> <span class="n">MLClient</span> <span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="n">FeatureStoreEntity</span><span class="p">,</span> <span class="n">DataColumn</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="n">fs_client</span> <span class="o">=</span> <span class="nc">MLClient</span><span class="p">(</span> <span class="nc">DefaultAzureCredential</span><span class="p">(),</span> <span class="n">subscription_id</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">workspace_name</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-feature-store</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">account_entity</span> <span class="o">=</span> <span class="nc">FeatureStoreEntity</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="n">index_columns</span><span class="o">=</span><span class="p">[</span><span class="nc">DataColumn</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">)],</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Account entity for transaction features</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_store_entities</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">account_entity</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <p>Entities define shared join keys. Multiple feature sets can reference the same entity, ensuring consistent joins.</p> <h3> Define Feature Set with Transformation Code </h3> <p>Feature set specification (YAML):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># featuresets/transactions/spec/FeaturesetSpec.yaml</span> <span class="na">$schema</span><span class="pi">:</span> <span class="s">https://azuremlschemas.azureedge.net/latest/featureSetSpec.schema.json</span> <span class="na">source</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">parquet</span> <span class="na">path</span><span class="pi">:</span> <span class="s">abfss://data@storage.dfs.core.windows.net/transactions/</span> <span class="na">timestamp_column</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">timestamp</span> <span class="na">feature_transformation_code</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./transformation_code</span> <span class="na">transformer_class</span><span class="pi">:</span> <span class="s">transaction_transform.TransactionFeatureTransformer</span> <span class="na">features</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">transaction_count_7d</span> <span class="na">type</span><span class="pi">:</span> <span class="s">integer</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">avg_transaction_amount_7d</span> <span class="na">type</span><span class="pi">:</span> <span class="s">float</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">total_spend_3d</span> <span class="na">type</span><span class="pi">:</span> <span class="s">float</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">max_transaction_amount</span> <span class="na">type</span><span class="pi">:</span> <span class="s">float</span> <span class="na">index_columns</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">accountID</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> </code></pre> </div> <p>Transformation code (Spark):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># transformation_code/transaction_transform.py </span><span class="kn">from</span> <span class="n">pyspark.sql</span> <span class="kn">import</span> <span class="n">DataFrame</span> <span class="kn">from</span> <span class="n">pyspark.sql</span> <span class="kn">import</span> <span class="n">functions</span> <span class="k">as</span> <span class="n">F</span> <span class="kn">from</span> <span class="n">pyspark.sql.window</span> <span class="kn">import</span> <span class="n">Window</span> <span class="k">class</span> <span class="nc">TransactionFeatureTransformer</span><span class="p">:</span> <span class="k">def</span> <span class="nf">transform</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">raw_data</span><span class="p">:</span> <span class="n">DataFrame</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">DataFrame</span><span class="p">:</span> <span class="n">window_7d</span> <span class="o">=</span> <span class="n">Window</span><span class="p">.</span><span class="nf">partitionBy</span><span class="p">(</span><span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">).</span><span class="nf">orderBy</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">).</span><span class="nf">rangeBetween</span><span class="p">(</span><span class="o">-</span><span class="mi">7</span><span class="o">*</span><span class="mi">86400</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">window_3d</span> <span class="o">=</span> <span class="n">Window</span><span class="p">.</span><span class="nf">partitionBy</span><span class="p">(</span><span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">).</span><span class="nf">orderBy</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">).</span><span class="nf">rangeBetween</span><span class="p">(</span><span class="o">-</span><span class="mi">3</span><span class="o">*</span><span class="mi">86400</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="n">raw_data</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span> <span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="n">F</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_7d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">transaction_count_7d</span><span class="sh">"</span><span class="p">),</span> <span class="n">F</span><span class="p">.</span><span class="nf">avg</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_7d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">avg_transaction_amount_7d</span><span class="sh">"</span><span class="p">),</span> <span class="n">F</span><span class="p">.</span><span class="nf">sum</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_3d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">total_spend_3d</span><span class="sh">"</span><span class="p">),</span> <span class="n">F</span><span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_7d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">max_transaction_amount</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <h3> Register and Materialize </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="n">FeatureSet</span><span class="p">,</span> <span class="n">FeatureSetSpecification</span> <span class="n">transaction_fset</span> <span class="o">=</span> <span class="nc">FeatureSet</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">7-day and 3-day rolling transaction aggregations</span><span class="sh">"</span><span class="p">,</span> <span class="n">entities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">azureml:account:1</span><span class="sh">"</span><span class="p">],</span> <span class="n">specification</span><span class="o">=</span><span class="nc">FeatureSetSpecification</span><span class="p">(</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">./featuresets/transactions/spec</span><span class="sh">"</span> <span class="p">),</span> <span class="n">tags</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">data_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">nonPII</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_sets</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">transaction_fset</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <h3> Configure Materialization Schedule </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">MaterializationSettings</span><span class="p">,</span> <span class="n">MaterializationComputeResource</span><span class="p">,</span> <span class="n">RecurrenceTrigger</span><span class="p">,</span> <span class="p">)</span> <span class="n">materialization</span> <span class="o">=</span> <span class="nc">MaterializationSettings</span><span class="p">(</span> <span class="n">resource</span><span class="o">=</span><span class="nc">MaterializationComputeResource</span><span class="p">(</span><span class="n">instance_type</span><span class="o">=</span><span class="sh">"</span><span class="s">Standard_E8s_v3</span><span class="sh">"</span><span class="p">),</span> <span class="n">schedule</span><span class="o">=</span><span class="nc">RecurrenceTrigger</span><span class="p">(</span><span class="n">frequency</span><span class="o">=</span><span class="sh">"</span><span class="s">Hour</span><span class="sh">"</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="mi">6</span><span class="p">),</span> <span class="n">offline_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">online_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">fset</span> <span class="o">=</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_sets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">)</span> <span class="n">fset</span><span class="p">.</span><span class="n">materialization_settings</span> <span class="o">=</span> <span class="n">materialization</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_sets</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">fset</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">enable_online_store</span> <span class="err">=</span> <span class="kc">false</span> <span class="c1"># No Redis in dev</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"LRS"</span> <span class="nx">materialization_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_E4s_v3"</span> <span class="nx">materialization_max_nodes</span> <span class="err">=</span> <span class="mi">2</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">enable_online_store</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">redis_sku</span> <span class="err">=</span> <span class="s2">"Standard"</span> <span class="nx">redis_capacity</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">redis_family</span> <span class="err">=</span> <span class="s2">"C"</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"GRS"</span> <span class="nx">materialization_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_E8s_v3"</span> <span class="nx">materialization_max_nodes</span> <span class="err">=</span> <span class="mi">8</span> </code></pre> </div> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Feature store is a workspace.</strong> It's implemented as <code>kind = "FeatureStore"</code> on <code>azurerm_machine_learning_workspace</code>. It needs the same dependencies (storage, KV, App Insights) as a regular workspace.</p> <p><strong>Transformation code runs as Spark.</strong> Feature transformations execute on the materialization compute cluster using PySpark. Test your transformations locally with a Spark session before registering.</p> <p><strong>Entities enforce consistent joins.</strong> Define entities once (e.g., "account" with key "accountID") and reuse across feature sets. This prevents mismatched join keys between teams.</p> <p><strong>Materialization costs.</strong> Each scheduled run spins up the compute cluster, runs the Spark job, and writes to storage. LowPriority VMs reduce cost. <code>min_node_count = 0</code> ensures you pay nothing between runs.</p> <p><strong>Redis cost for online store.</strong> Standard Redis starts at ~$40/month. Premium with replication is ~$200/month. Skip online store in dev unless you're testing real-time inference.</p> <p><strong>Feature set versioning.</strong> Feature sets are versioned. Changing the transformation logic? Create version "2". This maintains backward compatibility for models still using version "1".</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 3</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">Azure ML Workspace</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730">Azure ML Online Endpoints</a> ๐Ÿš€</li> <li> <strong>Post 3:</strong> Azure ML Feature Store (you are here) ๐Ÿ—ƒ๏ธ</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps</li> </ul> <p><em>Your features have a home. ADLS for offline training, Redis for online inference, Spark transformations that run the same code for both. No training-serving skew. Versioned feature sets with scheduled materialization, all provisioned with Terraform.</em> ๐Ÿ—ƒ๏ธ</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> azure machinelearning ai devops Vertex AI Feature Store with Terraform: BigQuery Offline + Bigtable Online Serving ๐Ÿ—ƒ๏ธ Suhas Mallesh Thu, 16 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/vertex-ai-feature-store-with-terraform-bigquery-offline-bigtable-online-serving-4n7g https://forem.com/suhas_mallesh/vertex-ai-feature-store-with-terraform-bigquery-offline-bigtable-online-serving-4n7g <p>Feature Store on GCP uses BigQuery as the offline store and Bigtable for low-latency online serving. Feature groups register your data, feature views sync it to the online store. Here's how to provision the full stack with Terraform.</p> <p>In the previous posts, we set up Workbench for development and deployed endpoints for inference. But the features feeding those models need a home. Training uses historical features from BigQuery. Inference needs the latest values with sub-millisecond latency. When these two sources diverge, you get training-serving skew.</p> <p>Vertex AI Feature Store bridges this gap. <strong>BigQuery</strong> is the offline store - your features live in tables you already manage. <strong>Bigtable</strong> is the online store - an auto-scaling, low-latency serving layer that syncs from BigQuery on a schedule. You don't copy data to a separate system. Feature Store reads directly from BigQuery and syncs to Bigtable for serving. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ Feature Store Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Feature Group</strong></td> <td>Registers a BigQuery table as a feature source</td> </tr> <tr> <td><strong>Feature</strong></td> <td>Individual column within a feature group</td> </tr> <tr> <td><strong>Feature Online Store</strong></td> <td>Bigtable instance for real-time serving</td> </tr> <tr> <td><strong>Feature View</strong></td> <td>Defines which features sync to the online store</td> </tr> <tr> <td><strong>Data Sync</strong></td> <td>Scheduled or continuous sync from BigQuery to Bigtable</td> </tr> </tbody> </table></div> <p>The key insight: BigQuery is already your offline store. You don't move data. Feature Store registers your existing BigQuery tables, then syncs selected features to Bigtable for online serving.</p> <h2> ๐Ÿ”ง Terraform: Create the Feature Online Store </h2> <h3> APIs </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/apis.tf</span> <span class="nx">resource</span> <span class="s2">"google_project_service"</span> <span class="s2">"required"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span> <span class="s2">"aiplatform.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigtable.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigtableadmin.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigquery.googleapis.com"</span><span class="p">,</span> <span class="p">])</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <h3> Feature Online Store (Bigtable-backed) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/online_store.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_online_store"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-feature-store"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">bigtable</span> <span class="p">{</span> <span class="nx">auto_scaling</span> <span class="p">{</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bigtable_min_nodes</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bigtable_max_nodes</span> <span class="nx">cpu_utilization_target</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bigtable_cpu_target</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Bigtable autoscaling</strong> adjusts nodes based on CPU utilization. Set <code>cpu_utilization_target</code> to 50-60% for production workloads. The store scales up automatically during traffic spikes and scales down during quiet periods.</p> <h3> Feature Group (Register BigQuery Source) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/feature_group.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group"</span> <span class="s2">"customer_features"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-customer-features"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">big_query</span> <span class="p">{</span> <span class="nx">big_query_source</span> <span class="p">{</span> <span class="nx">input_uri</span> <span class="p">=</span> <span class="s2">"bq://${var.project_id}.${var.dataset_id}.${var.customer_features_table}"</span> <span class="p">}</span> <span class="nx">entity_id_columns</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"customer_id"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"customer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>entity_id_columns</code></strong> defines the primary key for feature lookups. This is what you use to retrieve features for a specific customer during inference.</p> <h3> Register Individual Features </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/features.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group_feature"</span> <span class="s2">"total_purchases"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"total_purchases"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_group</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group_feature"</span> <span class="s2">"avg_order_value"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"avg_order_value"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_group</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group_feature"</span> <span class="s2">"days_since_last_purchase"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"days_since_last_purchase"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_group</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> </code></pre> </div> <p>Each feature maps to a column in your BigQuery table. Registering features enables metadata tracking, drift monitoring, and controlled syncing to the online store.</p> <h3> Feature View (Sync to Online Store) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/feature_view.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_online_store_featureview"</span> <span class="s2">"customer_view"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-customer-view"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_online_store</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_online_store</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">sync_config</span> <span class="p">{</span> <span class="nx">cron</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sync_schedule</span> <span class="p">}</span> <span class="nx">feature_registry_source</span> <span class="p">{</span> <span class="nx">feature_groups</span> <span class="p">{</span> <span class="nx">feature_group_id</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">feature_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_vertex_ai_feature_group_feature</span><span class="p">.</span><span class="nx">total_purchases</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">google_vertex_ai_feature_group_feature</span><span class="p">.</span><span class="nx">avg_order_value</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">google_vertex_ai_feature_group_feature</span><span class="p">.</span><span class="nx">days_since_last_purchase</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The feature view selects which features from which groups sync to the online store. The <code>cron</code> schedule controls how frequently BigQuery data is synced to Bigtable.</p> <h2> ๐Ÿ“ BigQuery Source Table Structure </h2> <p>Your BigQuery table needs an entity ID column and a feature timestamp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="nv">`project.ml_features.customer_features`</span> <span class="p">(</span> <span class="n">customer_id</span> <span class="n">STRING</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">feature_timestamp</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">total_purchases</span> <span class="n">INT64</span><span class="p">,</span> <span class="n">avg_order_value</span> <span class="n">FLOAT64</span><span class="p">,</span> <span class="n">days_since_last_purchase</span> <span class="n">INT64</span><span class="p">,</span> <span class="n">account_age_days</span> <span class="n">INT64</span><span class="p">,</span> <span class="n">is_premium</span> <span class="nb">BOOL</span> <span class="p">);</span> </code></pre> </div> <p>Feature Store reads this table directly. The <code>feature_timestamp</code> column enables point-in-time queries for training. The online store always serves the latest snapshot.</p> <h2> ๐Ÿ Read Features (SDK) </h2> <h3> Online Store (Real-Time Inference) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="sh">"</span><span class="s">my-project</span><span class="sh">"</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">)</span> <span class="n">feature_online_store</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nc">FeatureOnlineStore</span><span class="p">(</span><span class="sh">"</span><span class="s">prod-feature-store</span><span class="sh">"</span><span class="p">)</span> <span class="n">feature_view</span> <span class="o">=</span> <span class="n">feature_online_store</span><span class="p">.</span><span class="nf">get_feature_view</span><span class="p">(</span><span class="sh">"</span><span class="s">prod-customer-view</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Fetch features for a specific customer </span><span class="n">response</span> <span class="o">=</span> <span class="n">feature_view</span><span class="p">.</span><span class="nf">fetch_feature_values</span><span class="p">(</span> <span class="n">entity_ids</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">cust-12345</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">for</span> <span class="n">entity</span> <span class="ow">in</span> <span class="n">response</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="n">entity</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">())</span> <span class="c1"># {'customer_id': 'cust-12345', 'total_purchases': 47, 'avg_order_value': 89.5, ...} </span></code></pre> </div> <h3> Offline Store (Training via BigQuery) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">bigquery</span> <span class="n">client</span> <span class="o">=</span> <span class="n">bigquery</span><span class="p">.</span><span class="nc">Client</span><span class="p">()</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> SELECT customer_id, total_purchases, avg_order_value, is_premium FROM `project.ml_features.customer_features` WHERE feature_timestamp BETWEEN </span><span class="sh">'</span><span class="s">2025-01-01</span><span class="sh">'</span><span class="s"> AND </span><span class="sh">'</span><span class="s">2025-12-31</span><span class="sh">'</span><span class="s"> </span><span class="sh">"""</span> <span class="n">training_df</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">query</span><span class="p">).</span><span class="nf">to_dataframe</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Training data: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">training_df</span><span class="p">)</span><span class="si">}</span><span class="s"> rows</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>No separate offline store to manage. Query BigQuery directly with standard SQL.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">bigtable_min_nodes</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">bigtable_max_nodes</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">bigtable_cpu_target</span> <span class="err">=</span> <span class="mi">80</span> <span class="nx">sync_schedule</span> <span class="err">=</span> <span class="s2">"0 */6 * * *"</span> <span class="c1"># Every 6 hours</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">bigtable_min_nodes</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">bigtable_max_nodes</span> <span class="err">=</span> <span class="mi">5</span> <span class="nx">bigtable_cpu_target</span> <span class="err">=</span> <span class="mi">50</span> <span class="nx">sync_schedule</span> <span class="err">=</span> <span class="s2">"0 * * * *"</span> <span class="c1"># Every hour</span> </code></pre> </div> <p><strong>Sync frequency vs freshness:</strong> Hourly sync means online features can be up to 1 hour stale. For near-real-time features, use continuous data sync (requires Bigtable online serving and BigQuery source in specific regions).</p> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>BigQuery is the source of truth.</strong> Unlike other feature stores where you ingest data into a proprietary system, Vertex AI Feature Store reads from BigQuery. Your existing ETL pipelines that write to BigQuery already feed the feature store.</p> <p><strong>Bigtable minimum cost.</strong> Even at 1 node, Bigtable costs roughly $0.65/hour (~$470/month). For dev environments, consider whether you need online serving at all, or if BigQuery direct queries suffice.</p> <p><strong>Optimized online serving is deprecated.</strong> As of May 2026, only Bigtable online serving is supported. Don't use <code>optimized {}</code> in new deployments. Migrate existing optimized stores to Bigtable.</p> <p><strong>Sync latency.</strong> Scheduled sync has an inherent delay based on your cron schedule. Continuous sync is near-real-time but only available in specific regions (us, eu, us-central1).</p> <p><strong>Feature monitoring.</strong> Register features through feature groups to enable drift detection and anomaly monitoring. Without registration, you lose this observability.</p> <p><strong>Bigtable serving latency.</strong> Expect ~30ms server-side latency at moderate load (~100 QPS). Client-side latency adds 5ms+. This is fast enough for most inference use cases but not sub-millisecond.</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 3</strong> of the <strong>GCP ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">Vertex AI Workbench</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f">Vertex AI Endpoints - Deploy to Prod</a> ๐Ÿš€</li> <li> <strong>Post 3:</strong> Vertex AI Feature Store (you are here) ๐Ÿ—ƒ๏ธ</li> <li> <strong>Post 4:</strong> Vertex AI Pipelines + Cloud Build</li> </ul> <p><em>Your features have a home. BigQuery for offline training, Bigtable for online serving, automatic sync between them. No data duplication. No training-serving skew. Your existing BigQuery tables are the source of truth, all provisioned with Terraform.</em> ๐Ÿ—ƒ๏ธ</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> gcp terraform mlops ai SageMaker Feature Store with Terraform: Centralized ML Features for Training and Inference ๐Ÿ—ƒ๏ธ Suhas Mallesh Wed, 15 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/sagemaker-feature-store-with-terraform-centralized-ml-features-for-training-and-inference-8n7 https://forem.com/suhas_mallesh/sagemaker-feature-store-with-terraform-centralized-ml-features-for-training-and-inference-8n7 <p>Features used for training must match features used for inference, or your model breaks silently. SageMaker Feature Store keeps them in sync with online (real-time) and offline (historical) stores. Here's how to provision it with Terraform.</p> <p>In the previous posts, we set up the workspace and deployed endpoints. But there's a critical gap: features. Every ML model needs consistent, reliable feature data for both training (batch, historical) and inference (real-time, latest values). When training features and serving features diverge, you get training-serving skew, and your model's accuracy degrades silently.</p> <p>SageMaker Feature Store solves this with a dual-store architecture. The <strong>online store</strong> provides low-latency access to the latest feature values for real-time inference. The <strong>offline store</strong> keeps the full history in S3 (Parquet format) for training and batch inference. When you write a feature, both stores sync automatically. One source of truth. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ Feature Store Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Feature Group</strong></td> <td>A collection of related features (like a table)</td> </tr> <tr> <td><strong>Online Store</strong></td> <td>Low-latency key-value store for real-time lookups</td> </tr> <tr> <td><strong>Offline Store</strong></td> <td>Historical data in S3 (Parquet) for training</td> </tr> <tr> <td><strong>Record Identifier</strong></td> <td>Primary key for feature lookups</td> </tr> <tr> <td><strong>Event Time</strong></td> <td>Timestamp for point-in-time correctness</td> </tr> <tr> <td><strong>Glue Data Catalog</strong></td> <td>Auto-created metadata catalog for Athena queries</td> </tr> </tbody> </table></div> <p>The online store always holds the latest snapshot. The offline store is append-only, keeping every version of every record. This enables point-in-time queries for training: "What did this customer's features look like 30 days ago?"</p> <h2> ๐Ÿ”ง Terraform: Create Feature Groups </h2> <h3> IAM Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"feature_store"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-feature-store"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"sagemaker.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"feature_store_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"feature-store-s3-glue"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span><span class="p">,</span> <span class="s2">"s3:GetBucketLocation"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"${var.offline_store_bucket_arn}"</span><span class="p">,</span> <span class="s2">"${var.offline_store_bucket_arn}/*"</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"glue:CreateTable"</span><span class="p">,</span> <span class="s2">"glue:UpdateTable"</span><span class="p">,</span> <span class="s2">"glue:GetTable"</span><span class="p">,</span> <span class="s2">"glue:GetDatabase"</span><span class="p">,</span> <span class="s2">"glue:CreateDatabase"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Feature Group Definition </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/feature_groups.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_feature_group"</span> <span class="s2">"customer_features"</span> <span class="p">{</span> <span class="nx">feature_group_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-customer-features"</span> <span class="nx">record_identifier_feature_name</span> <span class="p">=</span> <span class="s2">"customer_id"</span> <span class="nx">event_time_feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Feature schema</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"customer_id"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"total_purchases"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"avg_order_value"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"days_since_last_purchase"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"account_age_days"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"is_premium"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="c1"># Enable both online and offline stores</span> <span class="nx">online_store_config</span> <span class="p">{</span> <span class="nx">enable_online_store</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">security_config</span> <span class="p">{</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">offline_store_config</span> <span class="p">{</span> <span class="nx">s3_storage_config</span> <span class="p">{</span> <span class="nx">s3_uri</span> <span class="p">=</span> <span class="s2">"s3://${var.offline_store_bucket}/${var.environment}/feature-store"</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="p">}</span> <span class="nx">table_format</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">offline_table_format</span> <span class="c1"># "Glue" or "Iceberg"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Domain</span> <span class="p">=</span> <span class="s2">"customer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Three feature types:</strong> <code>String</code>, <code>Fractional</code> (float), and <code>Integral</code> (integer). Everything else maps to String.</p> <p><strong><code>table_format</code>:</strong> Choose <code>Glue</code> (default, Hive-compatible) or <code>Iceberg</code> (better for upserts and time travel). Iceberg is recommended for production workloads that need ACID transactions.</p> <h3> Multiple Feature Groups </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_sagemaker_feature_group"</span> <span class="s2">"transaction_features"</span> <span class="p">{</span> <span class="nx">feature_group_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-transaction-features"</span> <span class="nx">record_identifier_feature_name</span> <span class="p">=</span> <span class="s2">"transaction_id"</span> <span class="nx">event_time_feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"transaction_id"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"amount"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"merchant_category"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"is_international"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">online_store_config</span> <span class="p">{</span> <span class="nx">enable_online_store</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">offline_store_config</span> <span class="p">{</span> <span class="nx">s3_storage_config</span> <span class="p">{</span> <span class="nx">s3_uri</span> <span class="p">=</span> <span class="s2">"s3://${var.offline_store_bucket}/${var.environment}/feature-store"</span> <span class="p">}</span> <span class="nx">table_format</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">offline_table_format</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> ๐Ÿ Ingest Features (SDK) </h2> <p>Terraform defines the schema. The SDK ingests the data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">featurestore_runtime</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sagemaker-featurestore-runtime</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Write a single record (real-time) </span><span class="n">featurestore_runtime</span><span class="p">.</span><span class="nf">put_record</span><span class="p">(</span> <span class="n">FeatureGroupName</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-customer-features</span><span class="sh">"</span><span class="p">,</span> <span class="n">Record</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">customer_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">cust-12345</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">event_time</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">total_purchases</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">47</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">avg_order_value</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">89.50</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">days_since_last_purchase</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">3</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">account_age_days</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">730</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">is_premium</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">},</span> <span class="p">],</span> <span class="p">)</span> </code></pre> </div> <h3> Read Features for Inference (Online Store) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Real-time feature lookup (single-digit ms latency) </span><span class="n">response</span> <span class="o">=</span> <span class="n">featurestore_runtime</span><span class="p">.</span><span class="nf">get_record</span><span class="p">(</span> <span class="n">FeatureGroupName</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-customer-features</span><span class="sh">"</span><span class="p">,</span> <span class="n">RecordIdentifierValueAsString</span><span class="o">=</span><span class="sh">"</span><span class="s">cust-12345</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">features</span> <span class="o">=</span> <span class="p">{</span><span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">]:</span> <span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Record</span><span class="sh">"</span><span class="p">]}</span> <span class="nf">print</span><span class="p">(</span><span class="n">features</span><span class="p">)</span> <span class="c1"># {'customer_id': 'cust-12345', 'total_purchases': '47', ...} </span></code></pre> </div> <h3> Query Features for Training (Offline Store via Athena) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="n">athena</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">athena</span><span class="sh">"</span><span class="p">)</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> SELECT customer_id, total_purchases, avg_order_value, is_premium FROM </span><span class="sh">"</span><span class="s">sagemaker_featurestore</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="s">prod-customer-features</span><span class="sh">"</span><span class="s"> WHERE event_time &lt;= 1700000000 </span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">athena</span><span class="p">.</span><span class="nf">start_query_execution</span><span class="p">(</span> <span class="n">QueryString</span><span class="o">=</span><span class="n">query</span><span class="p">,</span> <span class="n">QueryExecutionContext</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Database</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">sagemaker_featurestore</span><span class="sh">"</span><span class="p">},</span> <span class="n">ResultConfiguration</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">OutputLocation</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">s3://my-bucket/athena-results/</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> </code></pre> </div> <p>The offline store is automatically cataloged in Glue. Query with Athena for point-in-time training datasets.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">offline_table_format</span> <span class="err">=</span> <span class="s2">"Glue"</span> <span class="c1"># Simpler for dev</span> <span class="nx">kms_key_arn</span> <span class="err">=</span> <span class="kc">null</span> <span class="c1"># No encryption in dev</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">offline_table_format</span> <span class="err">=</span> <span class="s2">"Iceberg"</span> <span class="c1"># ACID transactions, time travel</span> <span class="nx">kms_key_arn</span> <span class="err">=</span> <span class="s2">"arn:aws:kms:us-east-1:123456789012:key/abc-123"</span> </code></pre> </div> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Offline store has a ~15 minute delay.</strong> Data written via <code>PutRecord</code> appears in the online store immediately but takes up to 15 minutes to land in the offline store (S3). Don't rely on the offline store for near-real-time analytics.</p> <p><strong>Feature groups are mutable.</strong> You can add new features to an existing feature group using the <code>UpdateFeatureGroup</code> API. You cannot remove or rename existing features.</p> <p><strong>Online store costs.</strong> The online store charges per read and write unit. High-throughput inference with thousands of feature lookups per second adds up. Monitor costs and batch lookups where possible using <code>BatchGetRecord</code>.</p> <p><strong>Point-in-time correctness.</strong> Always use <code>event_time</code> for training queries. Querying without time filtering risks data leakage, where future data appears in your training set.</p> <p><strong>KMS encryption for both stores.</strong> The online and offline stores support separate KMS keys. In production, encrypt both. The Glue Data Catalog metadata is not encrypted by Feature Store, manage it separately.</p> <p><strong>Schema planning matters.</strong> Feature types (<code>String</code>, <code>Fractional</code>, <code>Integral</code>) cannot be changed after creation. Plan your schema carefully. Use <code>String</code> for anything you're unsure about, since it's the most flexible.</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 3</strong> of the <strong>ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">SageMaker Studio Domain</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp">SageMaker Endpoints - Deploy to Prod</a> ๐Ÿš€</li> <li> <strong>Post 3:</strong> SageMaker Feature Store (you are here) ๐Ÿ—ƒ๏ธ</li> <li> <strong>Post 4:</strong> SageMaker Pipelines - CI/CD for ML</li> </ul> <p><em>Your features have a home. Online store for real-time inference, offline store for training, automatic sync between them. No more training-serving skew. No more duplicated feature pipelines. One source of truth, all in Terraform.</em> ๐Ÿ—ƒ๏ธ</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> aws terraform ai machinelearning Azure ML Online Endpoints: Deploy Your Model to Production with Terraform ๐Ÿš€ Suhas Mallesh Mon, 13 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730 https://forem.com/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730 <p>Your model is trained. Now deploy it to a managed online endpoint with traffic splitting for canary rollouts, autoscaling, health probes, and data collection. Here's how to deploy Azure ML endpoints with Terraform using azapi.</p> <p>In the <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">previous post</a>, we set up the Azure ML workspace - the hub for experiments, models, and compute. Now comes the production side: taking a trained model and deploying it to a managed online endpoint that your applications can call for real-time predictions.</p> <p>Azure ML online endpoints involve two resources: an <strong>Endpoint</strong> (the stable HTTPS URL with auth and traffic routing) and one or more <strong>Deployments</strong> (the model + compute behind it). Since the <code>azurerm</code> provider doesn't have native online endpoint resources yet, we use <code>azapi</code> to provision them directly via the Azure API. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ The Two-Layer Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Endpoint (HTTPS URL, auth mode, traffic split) โ†“ Deployment(s) (model, instance type, scaling, probes) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>What It Defines</th> </tr> </thead> <tbody> <tr> <td><strong>Endpoint</strong></td> <td>Stable URL, auth mode (key/AAD), traffic routing</td> </tr> <tr> <td><strong>Deployment</strong></td> <td>Model reference, instance type, scale settings, health probes</td> </tr> </tbody> </table></div> <p>The endpoint URL stays fixed. You deploy new model versions as new deployments, shift traffic gradually, and delete old deployments after validation.</p> <h2> ๐Ÿ”ง Terraform: Create the Online Endpoint </h2> <h3> The Endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/main.tf</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"online_endpoint"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">authMode</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">auth_mode</span> <span class="nx">publicNetworkAccess</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_network_access</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Production endpoint for ${var.model_name}"</span> <span class="nx">traffic</span> <span class="p">=</span> <span class="p">{</span> <span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">deployment_name</span><span class="p">)</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>authMode</code></strong> controls how clients authenticate: <code>Key</code> for API key auth (simpler), <code>AADToken</code> for Azure AD auth (more secure, no key rotation needed). Use <code>AADToken</code> in production.</p> <h3> The Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/deployment.tf</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"deployment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">deployment_name</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">online_endpoint</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Managed"</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_uri</span> <span class="nx">environmentId</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment_id</span> <span class="nx">instanceType</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">appInsightsEnabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">scaleSettings</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">scaleType</span> <span class="p">=</span> <span class="s2">"Default"</span> <span class="nx">minInstances</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">min_instances</span> <span class="nx">maxInstances</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_instances</span> <span class="p">}</span> <span class="nx">livenessProbe</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">initialDelay</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">period</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="s2">"PT2S"</span> <span class="nx">failureThreshold</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">successThreshold</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">readinessProbe</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">initialDelay</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">period</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="s2">"PT2S"</span> <span class="nx">failureThreshold</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">successThreshold</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">requestSettings</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">requestTimeout</span> <span class="p">=</span> <span class="s2">"PT5S"</span> <span class="nx">maxConcurrentRequestsPerInstance</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_concurrent_requests</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="nx">Version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_version</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key deployment properties:</strong></p> <ul> <li> <code>model</code> references the registered model in the workspace (e.g., <code>azureml:fraud-detector:2</code>)</li> <li> <code>environmentId</code> references a curated or custom environment with your dependencies</li> <li> <code>scaleSettings</code> controls autoscaling from <code>minInstances</code> to <code>maxInstances</code> </li> <li> <code>livenessProbe</code> and <code>readinessProbe</code> configure health checks</li> <li> <code>requestSettings</code> controls timeout and concurrency per instance</li> </ul> <h2> ๐Ÿ“ Traffic Splitting for Canary Deployments </h2> <p>Deploy a new model version alongside the existing one, then gradually shift traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Endpoint with two deployments and traffic split</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"online_endpoint"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">authMode</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">auth_mode</span> <span class="nx">traffic</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"blue"</span> <span class="p">=</span> <span class="mi">90</span> <span class="c1"># Current stable version</span> <span class="s2">"green"</span> <span class="p">=</span> <span class="mi">10</span> <span class="c1"># New canary version</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Blue deployment (current version)</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"blue"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"blue"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">online_endpoint</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="c1"># ... deployment config for v1</span> <span class="p">}</span> <span class="c1"># Green deployment (new version)</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"green"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"green"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">online_endpoint</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="c1"># ... deployment config for v2</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary rollout workflow:</strong> Deploy green with 10% traffic. Monitor error rates and latency. If healthy, update traffic to <code>"green" = 100</code>, then delete blue. If unhealthy, set <code>"blue" = 100</code> to roll back instantly.</p> <h3> Mirror Traffic for Shadow Testing </h3> <p>Test a new deployment without affecting users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">body</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">authMode</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">auth_mode</span> <span class="nx">traffic</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"blue"</span> <span class="p">=</span> <span class="mi">100</span> <span class="c1"># All live traffic to blue</span> <span class="p">}</span> <span class="nx">mirrorTraffic</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"green"</span> <span class="p">=</span> <span class="mi">10</span> <span class="c1"># Copy 10% of requests to green (responses discarded)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Mirror traffic sends a copy of live requests to the green deployment, but responses are discarded. This lets you validate the new model's behavior under real traffic patterns without any user impact.</p> <h2> ๐Ÿ“ Data Collection for Model Monitoring </h2> <p>Enable request/response logging to catch model drift:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">body</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Managed"</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_uri</span> <span class="nx">instanceType</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">appInsightsEnabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dataCollector</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">collections</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">model_inputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dataCollectionMode</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">dataId</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_asset_id</span> <span class="nx">samplingRate</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sampling_rate</span> <span class="p">}</span> <span class="nx">model_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dataCollectionMode</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">dataId</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_asset_id</span> <span class="nx">samplingRate</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sampling_rate</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">requestLogging</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">captureHeaders</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Content-Type"</span><span class="p">,</span> <span class="s2">"x-request-id"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">rollingRate</span> <span class="p">=</span> <span class="s2">"Hour"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Data collection captures model inputs and outputs to a registered data asset. Use it for drift detection, fairness monitoring, and retraining triggers.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">deployment_name</span> <span class="err">=</span> <span class="s2">"blue"</span> <span class="nx">model_uri</span> <span class="err">=</span> <span class="s2">"azureml:fraud-detector:2"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"Standard_DS2_v2"</span> <span class="nx">min_instances</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">max_instances</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">max_concurrent_requests</span> <span class="err">=</span> <span class="mi">5</span> <span class="nx">auth_mode</span> <span class="err">=</span> <span class="s2">"Key"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="s2">"Enabled"</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">deployment_name</span> <span class="err">=</span> <span class="s2">"blue"</span> <span class="nx">model_uri</span> <span class="err">=</span> <span class="s2">"azureml:fraud-detector:2"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">min_instances</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">max_instances</span> <span class="err">=</span> <span class="mi">8</span> <span class="nx">max_concurrent_requests</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">auth_mode</span> <span class="err">=</span> <span class="s2">"AADToken"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="s2">"Disabled"</span> </code></pre> </div> <h2> ๐Ÿงช Invoke the Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml</span> <span class="kn">import</span> <span class="n">MLClient</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="n">ml_client</span> <span class="o">=</span> <span class="nc">MLClient</span><span class="p">(</span> <span class="nc">DefaultAzureCredential</span><span class="p">(),</span> <span class="n">subscription_id</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">workspace_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">ml_client</span><span class="p">.</span><span class="n">online_endpoints</span><span class="p">.</span><span class="nf">invoke</span><span class="p">(</span> <span class="n">endpoint_name</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-fraud-detector</span><span class="sh">"</span><span class="p">,</span> <span class="n">deployment_name</span><span class="o">=</span><span class="sh">"</span><span class="s">blue</span><span class="sh">"</span><span class="p">,</span> <span class="n">request_file</span><span class="o">=</span><span class="sh">"</span><span class="s">sample_request.json</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>Or via REST:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> <span class="s2">"https://prod-fraud-detector.eastus.inference.ml.azure.com/score"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"data": [[0.5, 1.2, 3.4, 0.8]]}'</span> </code></pre> </div> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong><code>azapi</code> is required.</strong> The <code>azurerm</code> provider doesn't have native <code>azurerm_machine_learning_online_endpoint</code> or <code>azurerm_machine_learning_online_deployment</code> resources. Use <code>azapi_resource</code> with the <code>Microsoft.MachineLearningServices</code> API.</p> <p><strong>Deployment creation takes 8-15 minutes.</strong> Provisioning VMs, pulling containers, loading models, and running health probes takes time. Plan for this in CI/CD pipelines.</p> <p><strong>Register models before deploying.</strong> The <code>model</code> field references a registered model in the workspace Model Registry (format: <code>azureml:model-name:version</code>). Register models via the SDK or CLI before running <code>terraform apply</code>.</p> <p><strong>Use AADToken in production.</strong> API keys work but require rotation. AAD token auth integrates with managed identity, eliminating key management entirely.</p> <p><strong>Scale to zero is not supported for managed endpoints.</strong> Unlike serverless compute, managed online endpoints require at least one instance running. If you need scale-to-zero, consider serverless endpoints (currently in preview).</p> <p><strong>Mirror traffic before canary.</strong> Mirror first (responses discarded, no user impact) to validate the model handles real request shapes correctly. Then switch to traffic splitting for a live canary test.</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 2</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">Azure ML Workspace</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> Azure ML Online Endpoints (you are here) ๐Ÿš€</li> <li> <strong>Post 3:</strong> Azure ML Feature Store</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps</li> </ul> <p><em>Your model is in production. Managed online endpoint with autoscaling, blue/green traffic splitting, mirror traffic for shadow testing, and data collection for drift monitoring. From workspace to production, all in Terraform.</em> ๐Ÿš€</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> azure ai devops machinelearning Vertex AI Endpoints: Deploy Your Model to Production with Terraform ๐Ÿš€ Suhas Mallesh Sun, 12 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f https://forem.com/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f <p>Your model is trained. Now deploy it to a scalable endpoint with autoscaling, traffic splitting for canary rollouts, and request-response logging. Here's how to deploy Vertex AI endpoints with Terraform.</p> <p>In the <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">previous post</a>, we set up the Vertex AI Workbench - the workspace where your team trains models. Now comes the production side: taking a trained model and deploying it to an endpoint that your applications can call for real-time predictions.</p> <p>Vertex AI uses a three-step deployment: upload a <strong>Model</strong> to the Model Registry, create an <strong>Endpoint</strong> (the HTTPS URL), then <strong>deploy</strong> the model to the endpoint with compute resources. Terraform provisions the endpoint and configures autoscaling, traffic splitting, and logging. The SDK handles model upload and deployment. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ The Deployment Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Model Registry (uploaded model + container) โ†“ Endpoint (HTTPS URL, traffic routing) โ†“ Deployed Model (machine type, replicas, autoscaling) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Defines</th> </tr> </thead> <tbody> <tr> <td><strong>Model</strong></td> <td>Container image + model artifacts in GCS</td> </tr> <tr> <td><strong>Endpoint</strong></td> <td>Stable HTTPS prediction URL</td> </tr> <tr> <td><strong>Deployed Model</strong></td> <td>Machine type, replica count, autoscaling</td> </tr> <tr> <td><strong>Traffic Split</strong></td> <td>Percentage routing between model versions</td> </tr> </tbody> </table></div> <p>The endpoint URL stays stable across model versions. You update the deployed model behind it without changing your application code.</p> <h2> ๐Ÿ”ง Terraform: Create the Endpoint </h2> <h3> Endpoint Resource </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/main.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-endpoint"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Production endpoint for ${var.model_name}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Endpoint with Private Network (Production) </h3> <p>For production, deploy with a private endpoint inside your VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-endpoint"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">network</span> <span class="p">=</span> <span class="s2">"projects/${data.google_project.this.number}/global/networks/${var.vpc_network_name}"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">google_service_networking_connection</span><span class="p">.</span><span class="nx">vertex_vpc</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_service_networking_connection"</span> <span class="s2">"vertex_vpc"</span> <span class="p">{</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_network_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"servicenetworking.googleapis.com"</span> <span class="nx">reserved_peering_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="nx">google_compute_global_address</span><span class="p">.</span><span class="nx">vertex_range</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_global_address"</span> <span class="s2">"vertex_range"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-vertex-range"</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"VPC_PEERING"</span> <span class="nx">address_type</span> <span class="p">=</span> <span class="s2">"INTERNAL"</span> <span class="nx">prefix_length</span> <span class="p">=</span> <span class="mi">16</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_network_id</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> </code></pre> </div> <h3> Prediction Logging to BigQuery </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_bigquery_dataset"</span> <span class="s2">"predictions"</span> <span class="p">{</span> <span class="nx">dataset_id</span> <span class="p">=</span> <span class="s2">"${var.environment}_prediction_logs"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint"</span> <span class="s2">"logged"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-endpoint"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">predict_request_response_logging_config</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_prediction_logging</span> <span class="nx">sampling_rate</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">logging_sample_rate</span> <span class="nx">bigquery_destination</span> <span class="p">{</span> <span class="nx">output_uri</span> <span class="p">=</span> <span class="s2">"bq://${var.project_id}.${google_bigquery_dataset.predictions.dataset_id}.request_response"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Log a sample of prediction requests and responses to BigQuery for model monitoring, drift detection, and debugging.</p> <h2> ๐Ÿ Model Upload and Deployment (SDK) </h2> <p>Terraform creates the endpoint. The Vertex AI SDK uploads the model and deploys it with compute resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># deploy.py </span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">deploy_config.json</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">config</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span> <span class="n">project</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">project_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">location</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">region</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Upload model to Model Registry </span><span class="n">model</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="n">Model</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span> <span class="n">display_name</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">model_name</span><span class="sh">"</span><span class="p">],</span> <span class="n">artifact_uri</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">model_artifact_uri</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># gs://bucket/model/ </span> <span class="n">serving_container_image_uri</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">serving_image</span><span class="sh">"</span><span class="p">],</span> <span class="n">serving_container_predict_route</span><span class="o">=</span><span class="sh">"</span><span class="s">/predict</span><span class="sh">"</span><span class="p">,</span> <span class="n">serving_container_health_route</span><span class="o">=</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Get the Terraform-created endpoint </span><span class="n">endpoint</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nc">Endpoint</span><span class="p">(</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">endpoint_resource_name</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Deploy model to endpoint </span><span class="n">model</span><span class="p">.</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">machine_type</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">machine_type</span><span class="sh">"</span><span class="p">],</span> <span class="n">min_replica_count</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">min_replicas</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_replica_count</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">max_replicas</span><span class="sh">"</span><span class="p">],</span> <span class="n">traffic_percentage</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">deploy_request_timeout</span><span class="o">=</span><span class="mi">1800</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Model deployed to: </span><span class="si">{</span><span class="n">endpoint</span><span class="p">.</span><span class="n">resource_name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Terraform Config Output for SDK </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/config.tf</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"deploy_config"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/deploy_config.json"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">model_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">model_artifact_uri</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_artifact_uri</span> <span class="nx">serving_image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">serving_container_image</span> <span class="nx">endpoint_resource_name</span> <span class="p">=</span> <span class="nx">google_vertex_ai_endpoint</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">min_replicas</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">min_replicas</span> <span class="nx">max_replicas</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_replicas</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> ๐Ÿ“ Traffic Splitting for Canary Deployments </h2> <p>Deploy a new model version alongside the existing one and gradually shift traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Canary: deploy new version with 10% traffic </span><span class="n">new_model</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="n">Model</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span> <span class="n">display_name</span><span class="o">=</span><span class="sh">"</span><span class="s">fraud-detector-v3</span><span class="sh">"</span><span class="p">,</span> <span class="n">artifact_uri</span><span class="o">=</span><span class="sh">"</span><span class="s">gs://ml-models/fraud-detector/v3/</span><span class="sh">"</span><span class="p">,</span> <span class="n">serving_container_image_uri</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">serving_image</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">new_model</span><span class="p">.</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">machine_type</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">machine_type</span><span class="sh">"</span><span class="p">],</span> <span class="n">min_replica_count</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">max_replica_count</span><span class="o">=</span><span class="mi">4</span><span class="p">,</span> <span class="n">traffic_percentage</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="c1"># 10% to new model </span><span class="p">)</span> <span class="c1"># After validation, shift 100% to new model </span><span class="n">endpoint</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">traffic_split</span><span class="o">=</span><span class="p">{</span> <span class="n">new_model</span><span class="p">.</span><span class="nb">id</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>The endpoint URL doesn't change. Your application sends predictions to the same endpoint while you shift traffic from the old model to the new one.</p> <h2> ๐Ÿ“ Model Garden Deployment (Terraform-Only) </h2> <p>For open models from Model Garden (Gemma, Llama, PaLiGemma), use the newer Terraform resource that handles everything in one step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint_with_model_garden_deployment"</span> <span class="s2">"gemma"</span> <span class="p">{</span> <span class="nx">publisher_model_name</span> <span class="p">=</span> <span class="s2">"publishers/google/models/gemma3@gemma-3-1b-it"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">model_config</span> <span class="p">{</span> <span class="nx">accept_eula</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">deploy_config</span> <span class="p">{</span> <span class="nx">dedicated_resources</span> <span class="p">{</span> <span class="nx">machine_spec</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"g2-standard-12"</span> <span class="nx">accelerator_type</span> <span class="p">=</span> <span class="s2">"NVIDIA_L4"</span> <span class="nx">accelerator_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">min_replica_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>One resource creates the endpoint, uploads the model, and deploys it. This works for Model Garden models only - custom models still need the endpoint + SDK pattern.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">machine_type</span> <span class="err">=</span> <span class="s2">"n1-standard-4"</span> <span class="nx">min_replicas</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">max_replicas</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">enable_prediction_logging</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">logging_sample_rate</span> <span class="err">=</span> <span class="mf">0.0</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">machine_type</span> <span class="err">=</span> <span class="s2">"n1-standard-8"</span> <span class="nx">min_replicas</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">max_replicas</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">enable_prediction_logging</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">logging_sample_rate</span> <span class="err">=</span> <span class="mf">0.1</span> <span class="c1"># Log 10% of requests</span> </code></pre> </div> <h2> ๐Ÿงช Invoke the Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="sh">"</span><span class="s">my-project</span><span class="sh">"</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">)</span> <span class="n">endpoint</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nc">Endpoint</span><span class="p">(</span><span class="sh">"</span><span class="s">ENDPOINT_ID</span><span class="sh">"</span><span class="p">)</span> <span class="n">prediction</span> <span class="o">=</span> <span class="n">endpoint</span><span class="p">.</span><span class="nf">predict</span><span class="p">(</span> <span class="n">instances</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">features</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">3.4</span><span class="p">,</span> <span class="mf">0.8</span><span class="p">]}]</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">prediction</span><span class="p">.</span><span class="n">predictions</span><span class="p">)</span> </code></pre> </div> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Endpoint creation is fast, deployment is slow.</strong> Creating an endpoint takes seconds. Deploying a model (provisioning VMs, loading containers, health checks) takes 10-20 minutes. Plan for this in your CI/CD pipeline.</p> <p><strong>Autoscaling uses replica count.</strong> Set <code>min_replica_count</code> to your baseline and <code>max_replica_count</code> to your peak. Vertex AI scales based on CPU utilization and request queue depth automatically.</p> <p><strong>GPU quota must be requested.</strong> NVIDIA L4, T4, A100 accelerators require quota increases. Request early in your project setup.</p> <p><strong>Model Registry keeps versions.</strong> Every <code>Model.upload</code> creates a new version in the registry. Old versions remain available for rollback. Use the <code>traffic_split</code> to redirect traffic back to a previous version if needed.</p> <p><strong>Prediction logging costs.</strong> BigQuery logging at 10% sampling rate is manageable. At 100%, costs scale with request volume. Use sampling for high-traffic endpoints.</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 2</strong> of the <strong>GCP ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">Vertex AI Workbench</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> Vertex AI Endpoints - Deploy to Prod (you are here) ๐Ÿš€</li> <li> <strong>Post 3:</strong> Vertex AI Feature Store</li> <li> <strong>Post 4:</strong> Vertex AI Pipelines + Cloud Build</li> </ul> <p><em>Your model is in production. Stable endpoint URL, autoscaling replicas, traffic splitting for canary rollouts, and prediction logging to BigQuery. From training to production, all in Terraform and Python.</em> ๐Ÿš€</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> googlecloud ai machinelearning devops SageMaker Endpoints: Deploy Your Model to Production with Terraform ๐Ÿš€ Suhas Mallesh Sat, 11 Apr 2026 00:48:06 +0000 https://forem.com/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp https://forem.com/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp <p>Training a model is half the battle. Deploying it to a scalable, auto-scaling endpoint with blue/green deployment and rollback is the other half. Here's how to deploy SageMaker real-time endpoints with Terraform.</p> <p>In the <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">previous post</a>, we set up the SageMaker Studio domain - the workspace where your team trains models. Now comes the production side: taking a trained model and deploying it to a scalable HTTPS endpoint that your applications can call for real-time predictions.</p> <p>SageMaker endpoints involve three Terraform resources: a <strong>Model</strong> (what to serve), an <strong>Endpoint Configuration</strong> (how to serve it), and an <strong>Endpoint</strong> (the live HTTPS URL). Add autoscaling and deployment policies on top, and you have a production-grade inference system. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ The Three-Layer Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Model (container image + model artifacts in S3) โ†“ Endpoint Configuration (instance type, count, variants) โ†“ Endpoint (HTTPS URL, auto-scaling, blue/green deployment) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>What It Defines</th> </tr> </thead> <tbody> <tr> <td><strong>Model</strong></td> <td>Container image + S3 model artifacts + IAM role</td> </tr> <tr> <td><strong>Endpoint Config</strong></td> <td>Instance type, initial count, production variants</td> </tr> <tr> <td><strong>Endpoint</strong></td> <td>Live endpoint with deployment policy and autoscaling</td> </tr> </tbody> </table></div> <p>Separating these layers means you can update the model without touching the endpoint config, or change instance types without retraining.</p> <h2> ๐Ÿ”ง Terraform: Deploy to Production </h2> <h3> Model Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"model_config"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Model deployment configuration. Change to deploy new models."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">image_uri</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># ECR container image</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># S3 path to model.tar.gz</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">instance_count</span> <span class="p">=</span> <span class="nx">number</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> IAM Role for Model Execution </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"sagemaker_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-sagemaker-inference"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"sagemaker.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"model_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"model-s3-ecr-access"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${var.model_bucket_arn}/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:GetAuthorizationToken"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> The Model </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/model.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_model"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_config.name}"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">primary_container</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">image_uri</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">model_data_url</span> <span class="nx">environment</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">SAGEMAKER_PROGRAM</span> <span class="p">=</span> <span class="s2">"inference.py"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>image</code></strong> is your serving container - either an AWS Deep Learning Container or your custom container from ECR. <strong><code>model_data_url</code></strong> points to <code>model.tar.gz</code> in S3 containing your trained weights and inference code.</p> <h3> Endpoint Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/endpoint_config.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_endpoint_configuration"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_config.name}-config"</span> <span class="nx">production_variants</span> <span class="p">{</span> <span class="nx">variant_name</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="nx">model_name</span> <span class="p">=</span> <span class="nx">aws_sagemaker_model</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">initial_instance_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">instance_count</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">initial_variant_weight</span> <span class="p">=</span> <span class="mf">1.0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>create_before_destroy = true</code></strong> is important. When you update the endpoint config (new model version, different instance type), Terraform creates the new config before deleting the old one. This prevents downtime during updates.</p> <h3> The Endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/endpoint.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_endpoint"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_config.name}"</span> <span class="nx">endpoint_config_name</span> <span class="p">=</span> <span class="nx">aws_sagemaker_endpoint_configuration</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">deployment_config</span> <span class="p">{</span> <span class="nx">blue_green_update_policy</span> <span class="p">{</span> <span class="nx">traffic_routing_configuration</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CANARY"</span> <span class="nx">canary_size</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"INSTANCE_COUNT"</span> <span class="nx">value</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">wait_interval_in_seconds</span> <span class="p">=</span> <span class="mi">300</span> <span class="p">}</span> <span class="nx">maximum_execution_timeout_in_seconds</span> <span class="p">=</span> <span class="mi">1800</span> <span class="nx">termination_wait_in_seconds</span> <span class="p">=</span> <span class="mi">120</span> <span class="p">}</span> <span class="nx">auto_rollback_configuration</span> <span class="p">{</span> <span class="nx">alarms</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_metric_alarm</span><span class="p">.</span><span class="nx">endpoint_errors</span><span class="p">.</span><span class="nx">alarm_name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary deployment:</strong> Routes traffic to 1 instance on the new fleet first, waits 5 minutes, then shifts remaining traffic. If the CloudWatch alarm fires during the canary phase, SageMaker automatically rolls back.</p> <h3> Autoscaling </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/autoscaling.tf</span> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_target"</span> <span class="s2">"endpoint"</span> <span class="p">{</span> <span class="nx">max_capacity</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">autoscaling_max</span> <span class="nx">min_capacity</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">instance_count</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="s2">"endpoint/${aws_sagemaker_endpoint.this.name}/variant/primary"</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="s2">"sagemaker:variant:DesiredInstanceCount"</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="s2">"sagemaker"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_policy"</span> <span class="s2">"endpoint"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-endpoint-scaling"</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"TargetTrackingScaling"</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">.</span><span class="nx">resource_id</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">.</span><span class="nx">scalable_dimension</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">.</span><span class="nx">service_namespace</span> <span class="nx">target_tracking_scaling_policy_configuration</span> <span class="p">{</span> <span class="nx">target_value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_invocations_per_instance</span> <span class="nx">predefined_metric_specification</span> <span class="p">{</span> <span class="nx">predefined_metric_type</span> <span class="p">=</span> <span class="s2">"SageMakerVariantInvocationsPerInstance"</span> <span class="p">}</span> <span class="nx">scale_in_cooldown</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">scale_out_cooldown</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>SageMakerVariantInvocationsPerInstance</code></strong> scales based on requests per instance. Set the target to the maximum your instance can handle (determined by load testing). The policy adds instances when traffic exceeds the target and removes them when traffic drops.</p> <h3> Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/monitoring.tf</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"endpoint_errors"</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-endpoint-5xx-errors"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"Invocation5XXErrors"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/SageMaker"</span> <span class="nx">period</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">statistic</span> <span class="p">=</span> <span class="s2">"Sum"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"Endpoint returning 5xx errors"</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">sns_alert_topic_arn</span><span class="p">]</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EndpointName</span> <span class="p">=</span> <span class="nx">aws_sagemaker_endpoint</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">VariantName</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"endpoint_latency"</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-endpoint-high-latency"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"ModelLatency"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/SageMaker"</span> <span class="nx">period</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">statistic</span> <span class="p">=</span> <span class="s2">"Average"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">latency_threshold_ms</span> <span class="p">*</span> <span class="mi">1000</span> <span class="c1"># microseconds</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"Model inference latency too high"</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">sns_alert_topic_arn</span><span class="p">]</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EndpointName</span> <span class="p">=</span> <span class="nx">aws_sagemaker_endpoint</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">VariantName</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The error alarm also feeds into the blue/green deployment's <code>auto_rollback_configuration</code>. If 5xx errors spike during a deployment, SageMaker automatically rolls back to the previous fleet.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_config</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fraud-detector-v2"</span> <span class="nx">image_uri</span> <span class="p">=</span> <span class="s2">"123456789012.dkr.ecr.us-east-1.amazonaws.com/ml-serving:latest"</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="s2">"s3://ml-models-dev/fraud-detector/v2/model.tar.gz"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"ml.t2.medium"</span> <span class="nx">instance_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">autoscaling_max</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">target_invocations_per_instance</span> <span class="err">=</span> <span class="mi">100</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_config</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fraud-detector-v2"</span> <span class="nx">image_uri</span> <span class="p">=</span> <span class="s2">"123456789012.dkr.ecr.us-east-1.amazonaws.com/ml-serving:v2.1.0"</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="s2">"s3://ml-models-prod/fraud-detector/v2/model.tar.gz"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"ml.c5.xlarge"</span> <span class="nx">instance_count</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="nx">autoscaling_max</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">target_invocations_per_instance</span> <span class="err">=</span> <span class="mi">500</span> </code></pre> </div> <p><strong>Deploying a new model version:</strong> Update <code>model_data_url</code> to the new S3 path, run <code>terraform apply</code>. The canary deployment creates a new fleet, validates it, and shifts traffic automatically.</p> <h2> ๐Ÿงช Invoke the Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sagemaker-runtime</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">invoke_endpoint</span><span class="p">(</span> <span class="n">EndpointName</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-fraud-detector-v2</span><span class="sh">"</span><span class="p">,</span> <span class="n">ContentType</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">Body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">features</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">3.4</span><span class="p">,</span> <span class="mf">0.8</span><span class="p">]})</span> <span class="p">)</span> <span class="n">prediction</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="n">prediction</span><span class="p">)</span> </code></pre> </div> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Load test before setting autoscaling targets.</strong> The <code>target_invocations_per_instance</code> should be based on actual load testing, not guesswork. Use SageMaker Inference Recommender to find the optimal instance type and max throughput.</p> <p><strong>Endpoint creation takes 5-10 minutes.</strong> SageMaker provisions instances, downloads the container, loads the model, and runs health checks. Plan for this in your deployment pipeline.</p> <p><strong>Use <code>create_before_destroy</code> on endpoint configs.</strong> Without it, Terraform deletes the old config before creating the new one, causing downtime.</p> <p><strong>Pin container image tags.</strong> Use versioned tags (<code>v2.1.0</code>) instead of <code>latest</code> in production. This ensures reproducible deployments and meaningful rollbacks.</p> <p><strong>Serverless inference for low traffic.</strong> If your endpoint gets fewer than ~100 requests/hour, consider <code>serverless_config</code> on the endpoint configuration instead of instance-based. It scales to zero and charges per request.</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 2</strong> of the <strong>ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">SageMaker Studio Domain</a> ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> SageMaker Endpoints - Deploy to Prod (you are here) ๐Ÿš€</li> <li> <strong>Post 3:</strong> SageMaker Feature Store</li> <li> <strong>Post 4:</strong> SageMaker Pipelines - CI/CD for ML</li> </ul> <p><em>Your model is in production. Real-time HTTPS endpoint, autoscaling based on traffic, canary deployments with automatic rollback, and monitoring that pages you before customers notice. From notebook to production, all in Terraform.</em> ๐Ÿš€</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> ai machinelearning devops aws Azure ML Workspace with Terraform: Your ML Platform on Azure ๐Ÿ”ฌ Suhas Mallesh Fri, 03 Apr 2026 07:00:00 +0000 https://forem.com/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko https://forem.com/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko <p>Azure Machine Learning workspace is the hub for all ML activities - experiments, models, endpoints, pipelines. It requires four dependent services. Here's how to provision the entire platform with Terraform including compute instances and clusters.</p> <p>In Series 1-3, we worked with managed AI services - AI Foundry for models, AI Search for RAG, Agent Service for orchestration. Series 5 shifts to custom ML - training your own models, deploying endpoints, managing features, and building CI/CD pipelines.</p> <p>It starts with an Azure Machine Learning workspace. The workspace is the top-level resource for all ML activities: experiments, datasets, models, compute targets, endpoints, and pipelines live here. Unlike a simple resource, the workspace requires four dependent services before it can be created: Storage Account, Key Vault, Application Insights, and Container Registry. Terraform provisions the entire stack. ๐ŸŽฏ</p> <h2> ๐Ÿ—๏ธ Workspace Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Workspace</strong></td> <td>Central hub for ML experiments, models, and pipelines</td> </tr> <tr> <td><strong>Storage Account</strong></td> <td>Default datastore for datasets, model artifacts, logs</td> </tr> <tr> <td><strong>Key Vault</strong></td> <td>Secrets, connection strings, API keys</td> </tr> <tr> <td><strong>Application Insights</strong></td> <td>Experiment tracking, endpoint monitoring</td> </tr> <tr> <td><strong>Container Registry</strong></td> <td>Custom training images, model deployment containers</td> </tr> <tr> <td><strong>Compute Instance</strong></td> <td>Per-user notebook/IDE (JupyterLab, VS Code)</td> </tr> <tr> <td><strong>Compute Cluster</strong></td> <td>Auto-scaling training cluster (CPU or GPU)</td> </tr> </tbody> </table></div> <p>All four dependent services must exist before the workspace. Terraform handles the dependency ordering automatically.</p> <h2> ๐Ÿ”ง Terraform: The Full Workspace Setup </h2> <h3> Dependent Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/dependencies.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}ml${random_string.suffix.result}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">storage_replication</span> <span class="nx">min_tls_version</span> <span class="p">=</span> <span class="s2">"TLS1_2"</span> <span class="nx">allow_nested_items_to_be_public</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_key_vault"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}ml${random_string.suffix.result}kv"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">tenant_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_client_config</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">tenant_id</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"standard"</span> <span class="nx">purge_protection_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_rbac_authorization</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_application_insights"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-insights"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">application_type</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_container_registry"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}ml${random_string.suffix.result}acr"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">sku</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acr_sku</span> <span class="nx">admin_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p><strong>Container Registry is optional but recommended.</strong> Without it, the workspace uses Azure-managed image building. With it, you control custom training images and model serving containers. Set <code>admin_enabled = false</code> and use managed identity instead.</p> <h3> The Workspace </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/workspace.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_workspace"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-workspace"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">application_insights_id</span> <span class="p">=</span> <span class="nx">azurerm_application_insights</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key_vault_id</span> <span class="p">=</span> <span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">container_registry_id</span> <span class="p">=</span> <span class="nx">azurerm_container_registry</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">public_network_access_enabled</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_network_access</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>The workspace creates a system-assigned managed identity that accesses the dependent services. No keys or connection strings to manage.</p> <h3> Compute Instance (Per-User IDE) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/compute_instance.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_compute_instance"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">compute_instances</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">machine_learning_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">virtual_machine_size</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">vm_size</span> <span class="nx">node_public_ip_enabled</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_network_access</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Team</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">team</span> <span class="nx">User</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Each data scientist gets their own compute instance with JupyterLab and VS Code access. Instances stop and start independently - you only pay when they're running.</p> <h3> Compute Cluster (Training) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/compute_cluster.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_compute_cluster"</span> <span class="s2">"training"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-training"</span> <span class="nx">machine_learning_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_vm_size</span> <span class="nx">vm_priority</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_vm_priority</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">scale_settings</span> <span class="p">{</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_max_nodes</span> <span class="nx">scale_down_nodes_after_idle_duration</span> <span class="p">=</span> <span class="s2">"PT${var.scale_down_minutes}M"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>min_node_count = 0</code> is the cost control key.</strong> The cluster scales to zero when no training jobs are running. You pay nothing for idle compute. <code>scale_down_nodes_after_idle_duration</code> controls how quickly nodes are released after a job finishes.</p> <p><strong><code>vm_priority = "LowPriority"</code></strong> saves up to 80% on training costs. Low-priority VMs can be evicted, so use them for fault-tolerant training jobs with checkpointing.</p> <h2> ๐Ÿ“ Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"LRS"</span> <span class="nx">acr_sku</span> <span class="err">=</span> <span class="s2">"Basic"</span> <span class="nx">training_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">training_vm_priority</span> <span class="err">=</span> <span class="s2">"Dedicated"</span> <span class="nx">training_max_nodes</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">scale_down_minutes</span> <span class="err">=</span> <span class="mi">15</span> <span class="nx">compute_instances</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"ds-dev-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"GRS"</span> <span class="nx">acr_sku</span> <span class="err">=</span> <span class="s2">"Standard"</span> <span class="nx">training_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_NC6s_v3"</span> <span class="c1"># GPU</span> <span class="nx">training_vm_priority</span> <span class="err">=</span> <span class="s2">"LowPriority"</span> <span class="nx">training_max_nodes</span> <span class="err">=</span> <span class="mi">8</span> <span class="nx">scale_down_minutes</span> <span class="err">=</span> <span class="mi">30</span> <span class="nx">compute_instances</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"ds-lead"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS4_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="s2">"ds-engineer-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="s2">"ds-engineer-2"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Dev:</strong> Public access, LRS storage, small dedicated cluster for quick iteration.<br> <strong>Prod:</strong> Private access, GRS storage, GPU cluster with low-priority VMs for cost-efficient training.</p> <h2> ๐Ÿ”ง RBAC for Team Access </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/rbac.tf</span> <span class="c1"># Data scientists get Contributor on the workspace</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"ds_contributor"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_scientist_principals</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"AzureML Compute Operator"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="c1"># ML engineers get full workspace access</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"mle_contributor"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ml_engineer_principals</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Contributor"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <p>Use <code>AzureML Compute Operator</code> for data scientists who need to run experiments but shouldn't modify workspace settings. Use <code>Contributor</code> for ML engineers who manage the full lifecycle.</p> <h2> ๐Ÿ”ง Security Hardening </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Control</th> <th>Dev</th> <th>Prod</th> </tr> </thead> <tbody> <tr> <td>Network access</td> <td>Public</td> <td>Private (managed VNet)</td> </tr> <tr> <td>Storage</td> <td>LRS, TLS 1.2</td> <td>GRS, TLS 1.2, no public blob</td> </tr> <tr> <td>Key Vault</td> <td>RBAC auth</td> <td>RBAC auth, purge protection</td> </tr> <tr> <td>Container Registry</td> <td>Basic, no admin</td> <td>Standard, managed identity</td> </tr> <tr> <td>Compute</td> <td>Public IP</td> <td>No public IP, subnet attached</td> </tr> <tr> <td>Identity</td> <td>System-assigned</td> <td>System-assigned + RBAC</td> </tr> </tbody> </table></div> <p>For production, set <code>public_network_access_enabled = false</code> on the workspace and use managed virtual network isolation. All compute instances and clusters run inside a managed VNet with outbound rules controlled by the workspace.</p> <h2> โš ๏ธ Gotchas and Tips </h2> <p><strong>Globally unique names required.</strong> Storage account and ACR names must be globally unique. Use <code>random_string</code> suffixes to avoid conflicts across environments.</p> <p><strong>Container Registry costs.</strong> Basic SKU is $5/month. Standard is $20/month. If you're not building custom training images yet, you can skip the ACR initially and add it later.</p> <p><strong>Compute instance auto-stop.</strong> Unlike clusters, compute instances don't auto-stop by default. Set up an idle shutdown schedule through the workspace settings or Azure Policy to prevent overnight charges.</p> <p><strong>Workspace deletion is complex.</strong> Deleting a workspace doesn't automatically delete dependent resources (storage, KV, ACR). Terraform handles this correctly with <code>depends_on</code>, but manual deletion requires cleaning up each resource individually.</p> <p><strong>SDK v1 is deprecated.</strong> Azure ML SDK v1 reached end-of-support in March 2025. Use SDK v2 (<code>azure-ai-ml</code>) for all new development. Terraform provisions the infrastructure; SDK v2 handles experiments and models.</p> <h2> โญ๏ธ What's Next </h2> <p>This is <strong>Post 1</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> Azure ML Workspace (you are here) ๐Ÿ”ฌ</li> <li> <strong>Post 2:</strong> Azure ML Online Endpoints - Deploy to Prod</li> <li> <strong>Post 3:</strong> Azure ML Feature Store</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps</li> </ul> <p><em>Your ML platform is provisioned. Workspace, storage, key vault, ACR, compute instances for notebooks, auto-scaling clusters for training - all in Terraform. The foundation for model development, deployment, and production ML pipelines.</em> ๐Ÿ”ฌ</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> ๐Ÿ’ฌ</p> azure ai machinelearning devops