Feature: Enable/Disable SagemakerServicecatalogPortfolio

[ndewijer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In certain scenarios where a SageMaker domain and users are created fully via Terraform where notebook sharing is enabled, the users it provisions fail to fully initialise. The user profile is created and terraform succeeds but in the AWS console, its status will be "Failed."

The used resources are:

• aws_sagemaker_domain
• aws_sagemaker_user_profile

This is due to a missing imported AWS Service Catalog Portfolio. When the domain gets setup by hand via the console, this portfolio is imported in the background but this is not done via the Terraform resources.

There are two API's to enable and disable the portfolio which are: https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_EnableSagemakerServicecatalogPortfolio.html https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DisableSagemakerServicecatalogPortfolio.html

So a workaround is in place by using a local-exec and using the aws cli with the following commands: aws sagemaker enable-sagemaker-servicecatalog-portfolio --region $region aws sagemaker disable-sagemaker-servicecatalog-portfolio --region $region

To make the provider more complete, we should be able to do this with native resources in the provider.

this could be done by adding it as an option within aws_sagemaker_domain or as a seperate resource called aws_sagemaker_servicecatalog_portfolio (as example)

New or Affected Resource(s)

Option A:

• aws_sagemaker_servicecatalog_portfolio

Option B:

• aws_sagemaker_domain

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/enable-sagemaker-servicecatalog-portfolio.html
• https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/disable-sagemaker-servicecatalog-portfolio.html

• 0000

[dod38fr]

In my case, I also need to associate principal with the portfolio. E.g.:

    response = sc_client.associate_principal_with_portfolio(
        PortfolioId=portfolio_id,
        PrincipalARN=STUDIO_ROLE_ARN,
        PrincipalType='IAM'
    )

I don't know if this should be handled with this ticket or if another ticket is needed.

[github-actions[bot]]

This functionality has been released in v4.38.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.