The latest articles on DEV Community by Suhas Mallesh (@suhas_mallesh). https://dev.to/suhas_mallesh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1474157%2F5e769652-5647-4b11-8f73-4ee069123fc2.jpeg https://dev.to/suhas_mallesh en Suhas Mallesh Fri, 17 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/azure-ml-feature-store-with-terraform-managed-feature-materialization-for-training-and-inference-o38 https://dev.to/suhas_mallesh/azure-ml-feature-store-with-terraform-managed-feature-materialization-for-training-and-inference-o38 <p>Azure ML Feature Store is a specialized workspace that manages feature engineering, offline materialization to storage, and online serving with Redis. Terraform provisions the infrastructure, SDK defines feature sets. Here's how to build it.</p> <p>In the previous posts, we set up the ML workspace and deployed endpoints. Now we need consistent features feeding those endpoints. Training uses historical features from batch sources. Inference needs the latest values in real time. When these diverge, your model's accuracy degrades silently.</p> <p>Azure ML Feature Store is implemented as a special type of Azure ML workspace (<code>kind = "FeatureStore"</code>). It manages feature transformation pipelines, materializes features to offline storage (ADLS/Blob) and an online store (Redis), and provides point-in-time feature retrieval for training. Terraform provisions the infrastructure; the SDK defines entities, feature sets, and materialization schedules. 🎯</p> <h2> 🏗️ Feature Store Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Feature Store</strong></td> <td>Specialized ML workspace with <code>kind = "FeatureStore"</code> </td> </tr> <tr> <td><strong>Entity</strong></td> <td>Logical key (e.g., customer_id, account_id) shared across feature sets</td> </tr> <tr> <td><strong>Feature Set</strong></td> <td>Collection of features with transformation code and source definition</td> </tr> <tr> <td><strong>Offline Store</strong></td> <td>ADLS/Blob storage for materialized historical features</td> </tr> <tr> <td><strong>Online Store</strong></td> <td>Redis cache for low-latency inference lookups</td> </tr> <tr> <td><strong>Materialization</strong></td> <td>Spark jobs that compute and sync features on a schedule</td> </tr> </tbody> </table></div> <p>The key concept: feature sets include transformation code. Raw data goes in, computed features come out. The same transformation runs for both offline materialization (training) and online materialization (inference), eliminating training-serving skew.</p> <h2> 🔧 Terraform: Provision Feature Store Infrastructure </h2> <h3> Feature Store Workspace </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/workspace.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_workspace"</span> <span class="s2">"feature_store"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-feature-store"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">application_insights_id</span> <span class="p">=</span> <span class="nx">azurerm_application_insights</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key_vault_id</span> <span class="p">=</span> <span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"FeatureStore"</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>kind = "FeatureStore"</code></strong> is the critical setting. This creates a workspace optimized for feature management rather than general ML development.</p> <h3> Offline Materialization Store </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/offline_store.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"offline_store"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}fsoffline${random_string.suffix.result}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">storage_replication</span> <span class="nx">is_hns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># ADLS Gen2</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_container"</span> <span class="s2">"features"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"features"</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">offline_store</span><span class="p">.</span><span class="nx">id</span> <span class="nx">container_access_type</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>is_hns_enabled = true</code></strong> enables ADLS Gen2 hierarchical namespace, which is required for efficient feature materialization with Parquet files.</p> <h3> Online Store (Redis Cache) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/online_store.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_redis_cache"</span> <span class="s2">"online_store"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_online_store</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-fs-redis"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">redis_capacity</span> <span class="nx">family</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">redis_family</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">redis_sku</span> <span class="nx">minimum_tls_version</span> <span class="p">=</span> <span class="s2">"1.2"</span> <span class="nx">redis_configuration</span> <span class="p">{</span> <span class="nx">maxmemory_policy</span> <span class="p">=</span> <span class="s2">"allkeys-lru"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>The online store is optional. Enable it when you need low-latency feature lookups during inference. Skip it in dev if you only need offline features for training.</p> <h3> Compute for Materialization </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/compute.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_compute_cluster"</span> <span class="s2">"materialization"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-materialization"</span> <span class="nx">machine_learning_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">materialization_vm_size</span> <span class="nx">vm_priority</span> <span class="p">=</span> <span class="s2">"LowPriority"</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">scale_settings</span> <span class="p">{</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">materialization_max_nodes</span> <span class="nx">scale_down_nodes_after_idle_duration</span> <span class="p">=</span> <span class="s2">"PT5M"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>Materialization jobs run as Spark pipelines on this compute cluster. <code>min_node_count = 0</code> means you pay nothing when no materialization is running.</p> <h2> 🐍 Define Entities and Feature Sets (SDK) </h2> <p>Terraform provisions infrastructure. The SDK defines the feature engineering logic:</p> <h3> Create an Entity </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml</span> <span class="kn">import</span> <span class="n">MLClient</span> <span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="n">FeatureStoreEntity</span><span class="p">,</span> <span class="n">DataColumn</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="n">fs_client</span> <span class="o">=</span> <span class="nc">MLClient</span><span class="p">(</span> <span class="nc">DefaultAzureCredential</span><span class="p">(),</span> <span class="n">subscription_id</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">workspace_name</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-feature-store</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">account_entity</span> <span class="o">=</span> <span class="nc">FeatureStoreEntity</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">account</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="n">index_columns</span><span class="o">=</span><span class="p">[</span><span class="nc">DataColumn</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">)],</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Account entity for transaction features</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_store_entities</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">account_entity</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <p>Entities define shared join keys. Multiple feature sets can reference the same entity, ensuring consistent joins.</p> <h3> Define Feature Set with Transformation Code </h3> <p>Feature set specification (YAML):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># featuresets/transactions/spec/FeaturesetSpec.yaml</span> <span class="na">$schema</span><span class="pi">:</span> <span class="s">https://azuremlschemas.azureedge.net/latest/featureSetSpec.schema.json</span> <span class="na">source</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">parquet</span> <span class="na">path</span><span class="pi">:</span> <span class="s">abfss://data@storage.dfs.core.windows.net/transactions/</span> <span class="na">timestamp_column</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">timestamp</span> <span class="na">feature_transformation_code</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">./transformation_code</span> <span class="na">transformer_class</span><span class="pi">:</span> <span class="s">transaction_transform.TransactionFeatureTransformer</span> <span class="na">features</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">transaction_count_7d</span> <span class="na">type</span><span class="pi">:</span> <span class="s">integer</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">avg_transaction_amount_7d</span> <span class="na">type</span><span class="pi">:</span> <span class="s">float</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">total_spend_3d</span> <span class="na">type</span><span class="pi">:</span> <span class="s">float</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">max_transaction_amount</span> <span class="na">type</span><span class="pi">:</span> <span class="s">float</span> <span class="na">index_columns</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">accountID</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> </code></pre> </div> <p>Transformation code (Spark):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># transformation_code/transaction_transform.py </span><span class="kn">from</span> <span class="n">pyspark.sql</span> <span class="kn">import</span> <span class="n">DataFrame</span> <span class="kn">from</span> <span class="n">pyspark.sql</span> <span class="kn">import</span> <span class="n">functions</span> <span class="k">as</span> <span class="n">F</span> <span class="kn">from</span> <span class="n">pyspark.sql.window</span> <span class="kn">import</span> <span class="n">Window</span> <span class="k">class</span> <span class="nc">TransactionFeatureTransformer</span><span class="p">:</span> <span class="k">def</span> <span class="nf">transform</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">raw_data</span><span class="p">:</span> <span class="n">DataFrame</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">DataFrame</span><span class="p">:</span> <span class="n">window_7d</span> <span class="o">=</span> <span class="n">Window</span><span class="p">.</span><span class="nf">partitionBy</span><span class="p">(</span><span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">).</span><span class="nf">orderBy</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">).</span><span class="nf">rangeBetween</span><span class="p">(</span><span class="o">-</span><span class="mi">7</span><span class="o">*</span><span class="mi">86400</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">window_3d</span> <span class="o">=</span> <span class="n">Window</span><span class="p">.</span><span class="nf">partitionBy</span><span class="p">(</span><span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">).</span><span class="nf">orderBy</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">).</span><span class="nf">rangeBetween</span><span class="p">(</span><span class="o">-</span><span class="mi">3</span><span class="o">*</span><span class="mi">86400</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="n">raw_data</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span> <span class="sh">"</span><span class="s">accountID</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="n">F</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_7d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">transaction_count_7d</span><span class="sh">"</span><span class="p">),</span> <span class="n">F</span><span class="p">.</span><span class="nf">avg</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_7d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">avg_transaction_amount_7d</span><span class="sh">"</span><span class="p">),</span> <span class="n">F</span><span class="p">.</span><span class="nf">sum</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_3d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">total_spend_3d</span><span class="sh">"</span><span class="p">),</span> <span class="n">F</span><span class="p">.</span><span class="nf">max</span><span class="p">(</span><span class="sh">"</span><span class="s">amount</span><span class="sh">"</span><span class="p">).</span><span class="nf">over</span><span class="p">(</span><span class="n">window_7d</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">"</span><span class="s">max_transaction_amount</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <h3> Register and Materialize </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="n">FeatureSet</span><span class="p">,</span> <span class="n">FeatureSetSpecification</span> <span class="n">transaction_fset</span> <span class="o">=</span> <span class="nc">FeatureSet</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">7-day and 3-day rolling transaction aggregations</span><span class="sh">"</span><span class="p">,</span> <span class="n">entities</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">azureml:account:1</span><span class="sh">"</span><span class="p">],</span> <span class="n">specification</span><span class="o">=</span><span class="nc">FeatureSetSpecification</span><span class="p">(</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">./featuresets/transactions/spec</span><span class="sh">"</span> <span class="p">),</span> <span class="n">tags</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">data_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">nonPII</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_sets</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">transaction_fset</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <h3> Configure Materialization Schedule </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml.entities</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">MaterializationSettings</span><span class="p">,</span> <span class="n">MaterializationComputeResource</span><span class="p">,</span> <span class="n">RecurrenceTrigger</span><span class="p">,</span> <span class="p">)</span> <span class="n">materialization</span> <span class="o">=</span> <span class="nc">MaterializationSettings</span><span class="p">(</span> <span class="n">resource</span><span class="o">=</span><span class="nc">MaterializationComputeResource</span><span class="p">(</span><span class="n">instance_type</span><span class="o">=</span><span class="sh">"</span><span class="s">Standard_E8s_v3</span><span class="sh">"</span><span class="p">),</span> <span class="n">schedule</span><span class="o">=</span><span class="nc">RecurrenceTrigger</span><span class="p">(</span><span class="n">frequency</span><span class="o">=</span><span class="sh">"</span><span class="s">Hour</span><span class="sh">"</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="mi">6</span><span class="p">),</span> <span class="n">offline_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">online_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">fset</span> <span class="o">=</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_sets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">transactions</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">)</span> <span class="n">fset</span><span class="p">.</span><span class="n">materialization_settings</span> <span class="o">=</span> <span class="n">materialization</span> <span class="n">fs_client</span><span class="p">.</span><span class="n">feature_sets</span><span class="p">.</span><span class="nf">begin_create_or_update</span><span class="p">(</span><span class="n">fset</span><span class="p">).</span><span class="nf">result</span><span class="p">()</span> </code></pre> </div> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">enable_online_store</span> <span class="err">=</span> <span class="kc">false</span> <span class="c1"># No Redis in dev</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"LRS"</span> <span class="nx">materialization_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_E4s_v3"</span> <span class="nx">materialization_max_nodes</span> <span class="err">=</span> <span class="mi">2</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">enable_online_store</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">redis_sku</span> <span class="err">=</span> <span class="s2">"Standard"</span> <span class="nx">redis_capacity</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">redis_family</span> <span class="err">=</span> <span class="s2">"C"</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"GRS"</span> <span class="nx">materialization_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_E8s_v3"</span> <span class="nx">materialization_max_nodes</span> <span class="err">=</span> <span class="mi">8</span> </code></pre> </div> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Feature store is a workspace.</strong> It's implemented as <code>kind = "FeatureStore"</code> on <code>azurerm_machine_learning_workspace</code>. It needs the same dependencies (storage, KV, App Insights) as a regular workspace.</p> <p><strong>Transformation code runs as Spark.</strong> Feature transformations execute on the materialization compute cluster using PySpark. Test your transformations locally with a Spark session before registering.</p> <p><strong>Entities enforce consistent joins.</strong> Define entities once (e.g., "account" with key "accountID") and reuse across feature sets. This prevents mismatched join keys between teams.</p> <p><strong>Materialization costs.</strong> Each scheduled run spins up the compute cluster, runs the Spark job, and writes to storage. LowPriority VMs reduce cost. <code>min_node_count = 0</code> ensures you pay nothing between runs.</p> <p><strong>Redis cost for online store.</strong> Standard Redis starts at ~$40/month. Premium with replication is ~$200/month. Skip online store in dev unless you're testing real-time inference.</p> <p><strong>Feature set versioning.</strong> Feature sets are versioned. Changing the transformation logic? Create version "2". This maintains backward compatibility for models still using version "1".</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 3</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">Azure ML Workspace</a> 🔬</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730">Azure ML Online Endpoints</a> 🚀</li> <li> <strong>Post 3:</strong> Azure ML Feature Store (you are here) 🗃️</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps</li> </ul> <p><em>Your features have a home. ADLS for offline training, Redis for online inference, Spark transformations that run the same code for both. No training-serving skew. Versioned feature sets with scheduled materialization, all provisioned with Terraform.</em> 🗃️</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> azure machinelearning ai devops Suhas Mallesh Thu, 16 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/vertex-ai-feature-store-with-terraform-bigquery-offline-bigtable-online-serving-4n7g https://dev.to/suhas_mallesh/vertex-ai-feature-store-with-terraform-bigquery-offline-bigtable-online-serving-4n7g <p>Feature Store on GCP uses BigQuery as the offline store and Bigtable for low-latency online serving. Feature groups register your data, feature views sync it to the online store. Here's how to provision the full stack with Terraform.</p> <p>In the previous posts, we set up Workbench for development and deployed endpoints for inference. But the features feeding those models need a home. Training uses historical features from BigQuery. Inference needs the latest values with sub-millisecond latency. When these two sources diverge, you get training-serving skew.</p> <p>Vertex AI Feature Store bridges this gap. <strong>BigQuery</strong> is the offline store - your features live in tables you already manage. <strong>Bigtable</strong> is the online store - an auto-scaling, low-latency serving layer that syncs from BigQuery on a schedule. You don't copy data to a separate system. Feature Store reads directly from BigQuery and syncs to Bigtable for serving. 🎯</p> <h2> 🏗️ Feature Store Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Feature Group</strong></td> <td>Registers a BigQuery table as a feature source</td> </tr> <tr> <td><strong>Feature</strong></td> <td>Individual column within a feature group</td> </tr> <tr> <td><strong>Feature Online Store</strong></td> <td>Bigtable instance for real-time serving</td> </tr> <tr> <td><strong>Feature View</strong></td> <td>Defines which features sync to the online store</td> </tr> <tr> <td><strong>Data Sync</strong></td> <td>Scheduled or continuous sync from BigQuery to Bigtable</td> </tr> </tbody> </table></div> <p>The key insight: BigQuery is already your offline store. You don't move data. Feature Store registers your existing BigQuery tables, then syncs selected features to Bigtable for online serving.</p> <h2> 🔧 Terraform: Create the Feature Online Store </h2> <h3> APIs </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/apis.tf</span> <span class="nx">resource</span> <span class="s2">"google_project_service"</span> <span class="s2">"required"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span> <span class="s2">"aiplatform.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigtable.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigtableadmin.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigquery.googleapis.com"</span><span class="p">,</span> <span class="p">])</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <h3> Feature Online Store (Bigtable-backed) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/online_store.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_online_store"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-feature-store"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">bigtable</span> <span class="p">{</span> <span class="nx">auto_scaling</span> <span class="p">{</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bigtable_min_nodes</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bigtable_max_nodes</span> <span class="nx">cpu_utilization_target</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">bigtable_cpu_target</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Bigtable autoscaling</strong> adjusts nodes based on CPU utilization. Set <code>cpu_utilization_target</code> to 50-60% for production workloads. The store scales up automatically during traffic spikes and scales down during quiet periods.</p> <h3> Feature Group (Register BigQuery Source) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/feature_group.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group"</span> <span class="s2">"customer_features"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-customer-features"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">big_query</span> <span class="p">{</span> <span class="nx">big_query_source</span> <span class="p">{</span> <span class="nx">input_uri</span> <span class="p">=</span> <span class="s2">"bq://${var.project_id}.${var.dataset_id}.${var.customer_features_table}"</span> <span class="p">}</span> <span class="nx">entity_id_columns</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"customer_id"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"customer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>entity_id_columns</code></strong> defines the primary key for feature lookups. This is what you use to retrieve features for a specific customer during inference.</p> <h3> Register Individual Features </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/features.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group_feature"</span> <span class="s2">"total_purchases"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"total_purchases"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_group</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group_feature"</span> <span class="s2">"avg_order_value"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"avg_order_value"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_group</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_group_feature"</span> <span class="s2">"days_since_last_purchase"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"days_since_last_purchase"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_group</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> </code></pre> </div> <p>Each feature maps to a column in your BigQuery table. Registering features enables metadata tracking, drift monitoring, and controlled syncing to the online store.</p> <h3> Feature View (Sync to Online Store) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/feature_view.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_feature_online_store_featureview"</span> <span class="s2">"customer_view"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-customer-view"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">feature_online_store</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_online_store</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">sync_config</span> <span class="p">{</span> <span class="nx">cron</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sync_schedule</span> <span class="p">}</span> <span class="nx">feature_registry_source</span> <span class="p">{</span> <span class="nx">feature_groups</span> <span class="p">{</span> <span class="nx">feature_group_id</span> <span class="p">=</span> <span class="nx">google_vertex_ai_feature_group</span><span class="p">.</span><span class="nx">customer_features</span><span class="p">.</span><span class="nx">name</span> <span class="nx">feature_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_vertex_ai_feature_group_feature</span><span class="p">.</span><span class="nx">total_purchases</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">google_vertex_ai_feature_group_feature</span><span class="p">.</span><span class="nx">avg_order_value</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">google_vertex_ai_feature_group_feature</span><span class="p">.</span><span class="nx">days_since_last_purchase</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The feature view selects which features from which groups sync to the online store. The <code>cron</code> schedule controls how frequently BigQuery data is synced to Bigtable.</p> <h2> 📐 BigQuery Source Table Structure </h2> <p>Your BigQuery table needs an entity ID column and a feature timestamp:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="nv">`project.ml_features.customer_features`</span> <span class="p">(</span> <span class="n">customer_id</span> <span class="n">STRING</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">feature_timestamp</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">total_purchases</span> <span class="n">INT64</span><span class="p">,</span> <span class="n">avg_order_value</span> <span class="n">FLOAT64</span><span class="p">,</span> <span class="n">days_since_last_purchase</span> <span class="n">INT64</span><span class="p">,</span> <span class="n">account_age_days</span> <span class="n">INT64</span><span class="p">,</span> <span class="n">is_premium</span> <span class="nb">BOOL</span> <span class="p">);</span> </code></pre> </div> <p>Feature Store reads this table directly. The <code>feature_timestamp</code> column enables point-in-time queries for training. The online store always serves the latest snapshot.</p> <h2> 🐍 Read Features (SDK) </h2> <h3> Online Store (Real-Time Inference) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="sh">"</span><span class="s">my-project</span><span class="sh">"</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">)</span> <span class="n">feature_online_store</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nc">FeatureOnlineStore</span><span class="p">(</span><span class="sh">"</span><span class="s">prod-feature-store</span><span class="sh">"</span><span class="p">)</span> <span class="n">feature_view</span> <span class="o">=</span> <span class="n">feature_online_store</span><span class="p">.</span><span class="nf">get_feature_view</span><span class="p">(</span><span class="sh">"</span><span class="s">prod-customer-view</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Fetch features for a specific customer </span><span class="n">response</span> <span class="o">=</span> <span class="n">feature_view</span><span class="p">.</span><span class="nf">fetch_feature_values</span><span class="p">(</span> <span class="n">entity_ids</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">cust-12345</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">for</span> <span class="n">entity</span> <span class="ow">in</span> <span class="n">response</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="n">entity</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">())</span> <span class="c1"># {'customer_id': 'cust-12345', 'total_purchases': 47, 'avg_order_value': 89.5, ...} </span></code></pre> </div> <h3> Offline Store (Training via BigQuery) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">bigquery</span> <span class="n">client</span> <span class="o">=</span> <span class="n">bigquery</span><span class="p">.</span><span class="nc">Client</span><span class="p">()</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> SELECT customer_id, total_purchases, avg_order_value, is_premium FROM `project.ml_features.customer_features` WHERE feature_timestamp BETWEEN </span><span class="sh">'</span><span class="s">2025-01-01</span><span class="sh">'</span><span class="s"> AND </span><span class="sh">'</span><span class="s">2025-12-31</span><span class="sh">'</span><span class="s"> </span><span class="sh">"""</span> <span class="n">training_df</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">query</span><span class="p">).</span><span class="nf">to_dataframe</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Training data: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">training_df</span><span class="p">)</span><span class="si">}</span><span class="s"> rows</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>No separate offline store to manage. Query BigQuery directly with standard SQL.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">bigtable_min_nodes</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">bigtable_max_nodes</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">bigtable_cpu_target</span> <span class="err">=</span> <span class="mi">80</span> <span class="nx">sync_schedule</span> <span class="err">=</span> <span class="s2">"0 */6 * * *"</span> <span class="c1"># Every 6 hours</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">bigtable_min_nodes</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">bigtable_max_nodes</span> <span class="err">=</span> <span class="mi">5</span> <span class="nx">bigtable_cpu_target</span> <span class="err">=</span> <span class="mi">50</span> <span class="nx">sync_schedule</span> <span class="err">=</span> <span class="s2">"0 * * * *"</span> <span class="c1"># Every hour</span> </code></pre> </div> <p><strong>Sync frequency vs freshness:</strong> Hourly sync means online features can be up to 1 hour stale. For near-real-time features, use continuous data sync (requires Bigtable online serving and BigQuery source in specific regions).</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>BigQuery is the source of truth.</strong> Unlike other feature stores where you ingest data into a proprietary system, Vertex AI Feature Store reads from BigQuery. Your existing ETL pipelines that write to BigQuery already feed the feature store.</p> <p><strong>Bigtable minimum cost.</strong> Even at 1 node, Bigtable costs roughly $0.65/hour (~$470/month). For dev environments, consider whether you need online serving at all, or if BigQuery direct queries suffice.</p> <p><strong>Optimized online serving is deprecated.</strong> As of May 2026, only Bigtable online serving is supported. Don't use <code>optimized {}</code> in new deployments. Migrate existing optimized stores to Bigtable.</p> <p><strong>Sync latency.</strong> Scheduled sync has an inherent delay based on your cron schedule. Continuous sync is near-real-time but only available in specific regions (us, eu, us-central1).</p> <p><strong>Feature monitoring.</strong> Register features through feature groups to enable drift detection and anomaly monitoring. Without registration, you lose this observability.</p> <p><strong>Bigtable serving latency.</strong> Expect ~30ms server-side latency at moderate load (~100 QPS). Client-side latency adds 5ms+. This is fast enough for most inference use cases but not sub-millisecond.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 3</strong> of the <strong>GCP ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">Vertex AI Workbench</a> 🔬</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f">Vertex AI Endpoints - Deploy to Prod</a> 🚀</li> <li> <strong>Post 3:</strong> Vertex AI Feature Store (you are here) 🗃️</li> <li> <strong>Post 4:</strong> Vertex AI Pipelines + Cloud Build</li> </ul> <p><em>Your features have a home. BigQuery for offline training, Bigtable for online serving, automatic sync between them. No data duplication. No training-serving skew. Your existing BigQuery tables are the source of truth, all provisioned with Terraform.</em> 🗃️</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> gcp terraform mlops ai Suhas Mallesh Wed, 15 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/sagemaker-feature-store-with-terraform-centralized-ml-features-for-training-and-inference-8n7 https://dev.to/suhas_mallesh/sagemaker-feature-store-with-terraform-centralized-ml-features-for-training-and-inference-8n7 <p>Features used for training must match features used for inference, or your model breaks silently. SageMaker Feature Store keeps them in sync with online (real-time) and offline (historical) stores. Here's how to provision it with Terraform.</p> <p>In the previous posts, we set up the workspace and deployed endpoints. But there's a critical gap: features. Every ML model needs consistent, reliable feature data for both training (batch, historical) and inference (real-time, latest values). When training features and serving features diverge, you get training-serving skew, and your model's accuracy degrades silently.</p> <p>SageMaker Feature Store solves this with a dual-store architecture. The <strong>online store</strong> provides low-latency access to the latest feature values for real-time inference. The <strong>offline store</strong> keeps the full history in S3 (Parquet format) for training and batch inference. When you write a feature, both stores sync automatically. One source of truth. 🎯</p> <h2> 🏗️ Feature Store Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Feature Group</strong></td> <td>A collection of related features (like a table)</td> </tr> <tr> <td><strong>Online Store</strong></td> <td>Low-latency key-value store for real-time lookups</td> </tr> <tr> <td><strong>Offline Store</strong></td> <td>Historical data in S3 (Parquet) for training</td> </tr> <tr> <td><strong>Record Identifier</strong></td> <td>Primary key for feature lookups</td> </tr> <tr> <td><strong>Event Time</strong></td> <td>Timestamp for point-in-time correctness</td> </tr> <tr> <td><strong>Glue Data Catalog</strong></td> <td>Auto-created metadata catalog for Athena queries</td> </tr> </tbody> </table></div> <p>The online store always holds the latest snapshot. The offline store is append-only, keeping every version of every record. This enables point-in-time queries for training: "What did this customer's features look like 30 days ago?"</p> <h2> 🔧 Terraform: Create Feature Groups </h2> <h3> IAM Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"feature_store"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-feature-store"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"sagemaker.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"feature_store_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"feature-store-s3-glue"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span><span class="p">,</span> <span class="s2">"s3:GetBucketLocation"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"${var.offline_store_bucket_arn}"</span><span class="p">,</span> <span class="s2">"${var.offline_store_bucket_arn}/*"</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"glue:CreateTable"</span><span class="p">,</span> <span class="s2">"glue:UpdateTable"</span><span class="p">,</span> <span class="s2">"glue:GetTable"</span><span class="p">,</span> <span class="s2">"glue:GetDatabase"</span><span class="p">,</span> <span class="s2">"glue:CreateDatabase"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> Feature Group Definition </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># feature_store/feature_groups.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_feature_group"</span> <span class="s2">"customer_features"</span> <span class="p">{</span> <span class="nx">feature_group_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-customer-features"</span> <span class="nx">record_identifier_feature_name</span> <span class="p">=</span> <span class="s2">"customer_id"</span> <span class="nx">event_time_feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Feature schema</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"customer_id"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"total_purchases"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"avg_order_value"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"days_since_last_purchase"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"account_age_days"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"is_premium"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="c1"># Enable both online and offline stores</span> <span class="nx">online_store_config</span> <span class="p">{</span> <span class="nx">enable_online_store</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">security_config</span> <span class="p">{</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">offline_store_config</span> <span class="p">{</span> <span class="nx">s3_storage_config</span> <span class="p">{</span> <span class="nx">s3_uri</span> <span class="p">=</span> <span class="s2">"s3://${var.offline_store_bucket}/${var.environment}/feature-store"</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="p">}</span> <span class="nx">table_format</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">offline_table_format</span> <span class="c1"># "Glue" or "Iceberg"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Domain</span> <span class="p">=</span> <span class="s2">"customer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Three feature types:</strong> <code>String</code>, <code>Fractional</code> (float), and <code>Integral</code> (integer). Everything else maps to String.</p> <p><strong><code>table_format</code>:</strong> Choose <code>Glue</code> (default, Hive-compatible) or <code>Iceberg</code> (better for upserts and time travel). Iceberg is recommended for production workloads that need ACID transactions.</p> <h3> Multiple Feature Groups </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_sagemaker_feature_group"</span> <span class="s2">"transaction_features"</span> <span class="p">{</span> <span class="nx">feature_group_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-transaction-features"</span> <span class="nx">record_identifier_feature_name</span> <span class="p">=</span> <span class="s2">"transaction_id"</span> <span class="nx">event_time_feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">feature_store</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"transaction_id"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"event_time"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"amount"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Fractional"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"merchant_category"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"String"</span> <span class="p">}</span> <span class="nx">feature_definition</span> <span class="p">{</span> <span class="nx">feature_name</span> <span class="p">=</span> <span class="s2">"is_international"</span> <span class="nx">feature_type</span> <span class="p">=</span> <span class="s2">"Integral"</span> <span class="p">}</span> <span class="nx">online_store_config</span> <span class="p">{</span> <span class="nx">enable_online_store</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">offline_store_config</span> <span class="p">{</span> <span class="nx">s3_storage_config</span> <span class="p">{</span> <span class="nx">s3_uri</span> <span class="p">=</span> <span class="s2">"s3://${var.offline_store_bucket}/${var.environment}/feature-store"</span> <span class="p">}</span> <span class="nx">table_format</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">offline_table_format</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 🐍 Ingest Features (SDK) </h2> <p>Terraform defines the schema. The SDK ingests the data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">time</span> <span class="n">featurestore_runtime</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sagemaker-featurestore-runtime</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Write a single record (real-time) </span><span class="n">featurestore_runtime</span><span class="p">.</span><span class="nf">put_record</span><span class="p">(</span> <span class="n">FeatureGroupName</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-customer-features</span><span class="sh">"</span><span class="p">,</span> <span class="n">Record</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">customer_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">cust-12345</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">event_time</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">total_purchases</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">47</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">avg_order_value</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">89.50</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">days_since_last_purchase</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">3</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">account_age_days</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">730</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">is_premium</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">},</span> <span class="p">],</span> <span class="p">)</span> </code></pre> </div> <h3> Read Features for Inference (Online Store) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Real-time feature lookup (single-digit ms latency) </span><span class="n">response</span> <span class="o">=</span> <span class="n">featurestore_runtime</span><span class="p">.</span><span class="nf">get_record</span><span class="p">(</span> <span class="n">FeatureGroupName</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-customer-features</span><span class="sh">"</span><span class="p">,</span> <span class="n">RecordIdentifierValueAsString</span><span class="o">=</span><span class="sh">"</span><span class="s">cust-12345</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">features</span> <span class="o">=</span> <span class="p">{</span><span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">FeatureName</span><span class="sh">"</span><span class="p">]:</span> <span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">ValueAsString</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Record</span><span class="sh">"</span><span class="p">]}</span> <span class="nf">print</span><span class="p">(</span><span class="n">features</span><span class="p">)</span> <span class="c1"># {'customer_id': 'cust-12345', 'total_purchases': '47', ...} </span></code></pre> </div> <h3> Query Features for Training (Offline Store via Athena) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="n">athena</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">athena</span><span class="sh">"</span><span class="p">)</span> <span class="n">query</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> SELECT customer_id, total_purchases, avg_order_value, is_premium FROM </span><span class="sh">"</span><span class="s">sagemaker_featurestore</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="s">prod-customer-features</span><span class="sh">"</span><span class="s"> WHERE event_time &lt;= 1700000000 </span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">athena</span><span class="p">.</span><span class="nf">start_query_execution</span><span class="p">(</span> <span class="n">QueryString</span><span class="o">=</span><span class="n">query</span><span class="p">,</span> <span class="n">QueryExecutionContext</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Database</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">sagemaker_featurestore</span><span class="sh">"</span><span class="p">},</span> <span class="n">ResultConfiguration</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">OutputLocation</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">s3://my-bucket/athena-results/</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> </code></pre> </div> <p>The offline store is automatically cataloged in Glue. Query with Athena for point-in-time training datasets.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">offline_table_format</span> <span class="err">=</span> <span class="s2">"Glue"</span> <span class="c1"># Simpler for dev</span> <span class="nx">kms_key_arn</span> <span class="err">=</span> <span class="kc">null</span> <span class="c1"># No encryption in dev</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">offline_table_format</span> <span class="err">=</span> <span class="s2">"Iceberg"</span> <span class="c1"># ACID transactions, time travel</span> <span class="nx">kms_key_arn</span> <span class="err">=</span> <span class="s2">"arn:aws:kms:us-east-1:123456789012:key/abc-123"</span> </code></pre> </div> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Offline store has a ~15 minute delay.</strong> Data written via <code>PutRecord</code> appears in the online store immediately but takes up to 15 minutes to land in the offline store (S3). Don't rely on the offline store for near-real-time analytics.</p> <p><strong>Feature groups are mutable.</strong> You can add new features to an existing feature group using the <code>UpdateFeatureGroup</code> API. You cannot remove or rename existing features.</p> <p><strong>Online store costs.</strong> The online store charges per read and write unit. High-throughput inference with thousands of feature lookups per second adds up. Monitor costs and batch lookups where possible using <code>BatchGetRecord</code>.</p> <p><strong>Point-in-time correctness.</strong> Always use <code>event_time</code> for training queries. Querying without time filtering risks data leakage, where future data appears in your training set.</p> <p><strong>KMS encryption for both stores.</strong> The online and offline stores support separate KMS keys. In production, encrypt both. The Glue Data Catalog metadata is not encrypted by Feature Store, manage it separately.</p> <p><strong>Schema planning matters.</strong> Feature types (<code>String</code>, <code>Fractional</code>, <code>Integral</code>) cannot be changed after creation. Plan your schema carefully. Use <code>String</code> for anything you're unsure about, since it's the most flexible.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 3</strong> of the <strong>ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">SageMaker Studio Domain</a> 🔬</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp">SageMaker Endpoints - Deploy to Prod</a> 🚀</li> <li> <strong>Post 3:</strong> SageMaker Feature Store (you are here) 🗃️</li> <li> <strong>Post 4:</strong> SageMaker Pipelines - CI/CD for ML</li> </ul> <p><em>Your features have a home. Online store for real-time inference, offline store for training, automatic sync between them. No more training-serving skew. No more duplicated feature pipelines. One source of truth, all in Terraform.</em> 🗃️</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> aws terraform ai machinelearning Suhas Mallesh Mon, 13 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730 https://dev.to/suhas_mallesh/azure-ml-online-endpoints-deploy-your-model-to-production-with-terraform-4730 <p>Your model is trained. Now deploy it to a managed online endpoint with traffic splitting for canary rollouts, autoscaling, health probes, and data collection. Here's how to deploy Azure ML endpoints with Terraform using azapi.</p> <p>In the <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">previous post</a>, we set up the Azure ML workspace - the hub for experiments, models, and compute. Now comes the production side: taking a trained model and deploying it to a managed online endpoint that your applications can call for real-time predictions.</p> <p>Azure ML online endpoints involve two resources: an <strong>Endpoint</strong> (the stable HTTPS URL with auth and traffic routing) and one or more <strong>Deployments</strong> (the model + compute behind it). Since the <code>azurerm</code> provider doesn't have native online endpoint resources yet, we use <code>azapi</code> to provision them directly via the Azure API. 🎯</p> <h2> 🏗️ The Two-Layer Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Endpoint (HTTPS URL, auth mode, traffic split) ↓ Deployment(s) (model, instance type, scaling, probes) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>What It Defines</th> </tr> </thead> <tbody> <tr> <td><strong>Endpoint</strong></td> <td>Stable URL, auth mode (key/AAD), traffic routing</td> </tr> <tr> <td><strong>Deployment</strong></td> <td>Model reference, instance type, scale settings, health probes</td> </tr> </tbody> </table></div> <p>The endpoint URL stays fixed. You deploy new model versions as new deployments, shift traffic gradually, and delete old deployments after validation.</p> <h2> 🔧 Terraform: Create the Online Endpoint </h2> <h3> The Endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/main.tf</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"online_endpoint"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">authMode</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">auth_mode</span> <span class="nx">publicNetworkAccess</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_network_access</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Production endpoint for ${var.model_name}"</span> <span class="nx">traffic</span> <span class="p">=</span> <span class="p">{</span> <span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">deployment_name</span><span class="p">)</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>authMode</code></strong> controls how clients authenticate: <code>Key</code> for API key auth (simpler), <code>AADToken</code> for Azure AD auth (more secure, no key rotation needed). Use <code>AADToken</code> in production.</p> <h3> The Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/deployment.tf</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"deployment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">deployment_name</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">online_endpoint</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Managed"</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_uri</span> <span class="nx">environmentId</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment_id</span> <span class="nx">instanceType</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">appInsightsEnabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">scaleSettings</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">scaleType</span> <span class="p">=</span> <span class="s2">"Default"</span> <span class="nx">minInstances</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">min_instances</span> <span class="nx">maxInstances</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_instances</span> <span class="p">}</span> <span class="nx">livenessProbe</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">initialDelay</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">period</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="s2">"PT2S"</span> <span class="nx">failureThreshold</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">successThreshold</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">readinessProbe</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">initialDelay</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">period</span> <span class="p">=</span> <span class="s2">"PT10S"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="s2">"PT2S"</span> <span class="nx">failureThreshold</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">successThreshold</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">requestSettings</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">requestTimeout</span> <span class="p">=</span> <span class="s2">"PT5S"</span> <span class="nx">maxConcurrentRequestsPerInstance</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_concurrent_requests</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="nx">Version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_version</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key deployment properties:</strong></p> <ul> <li> <code>model</code> references the registered model in the workspace (e.g., <code>azureml:fraud-detector:2</code>)</li> <li> <code>environmentId</code> references a curated or custom environment with your dependencies</li> <li> <code>scaleSettings</code> controls autoscaling from <code>minInstances</code> to <code>maxInstances</code> </li> <li> <code>livenessProbe</code> and <code>readinessProbe</code> configure health checks</li> <li> <code>requestSettings</code> controls timeout and concurrency per instance</li> </ul> <h2> 📐 Traffic Splitting for Canary Deployments </h2> <p>Deploy a new model version alongside the existing one, then gradually shift traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Endpoint with two deployments and traffic split</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"online_endpoint"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">authMode</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">auth_mode</span> <span class="nx">traffic</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"blue"</span> <span class="p">=</span> <span class="mi">90</span> <span class="c1"># Current stable version</span> <span class="s2">"green"</span> <span class="p">=</span> <span class="mi">10</span> <span class="c1"># New canary version</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Blue deployment (current version)</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"blue"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"blue"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">online_endpoint</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="c1"># ... deployment config for v1</span> <span class="p">}</span> <span class="c1"># Green deployment (new version)</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"green"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.MachineLearningServices/workspaces/onlineEndpoints/deployments@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"green"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">online_endpoint</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">location</span> <span class="c1"># ... deployment config for v2</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary rollout workflow:</strong> Deploy green with 10% traffic. Monitor error rates and latency. If healthy, update traffic to <code>"green" = 100</code>, then delete blue. If unhealthy, set <code>"blue" = 100</code> to roll back instantly.</p> <h3> Mirror Traffic for Shadow Testing </h3> <p>Test a new deployment without affecting users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">body</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">authMode</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">auth_mode</span> <span class="nx">traffic</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"blue"</span> <span class="p">=</span> <span class="mi">100</span> <span class="c1"># All live traffic to blue</span> <span class="p">}</span> <span class="nx">mirrorTraffic</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"green"</span> <span class="p">=</span> <span class="mi">10</span> <span class="c1"># Copy 10% of requests to green (responses discarded)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Mirror traffic sends a copy of live requests to the green deployment, but responses are discarded. This lets you validate the new model's behavior under real traffic patterns without any user impact.</p> <h2> 📐 Data Collection for Model Monitoring </h2> <p>Enable request/response logging to catch model drift:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">body</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Managed"</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_uri</span> <span class="nx">instanceType</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">appInsightsEnabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dataCollector</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">collections</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">model_inputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dataCollectionMode</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">dataId</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_asset_id</span> <span class="nx">samplingRate</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sampling_rate</span> <span class="p">}</span> <span class="nx">model_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dataCollectionMode</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">dataId</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_asset_id</span> <span class="nx">samplingRate</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">sampling_rate</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">requestLogging</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">captureHeaders</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"Content-Type"</span><span class="p">,</span> <span class="s2">"x-request-id"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">rollingRate</span> <span class="p">=</span> <span class="s2">"Hour"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Data collection captures model inputs and outputs to a registered data asset. Use it for drift detection, fairness monitoring, and retraining triggers.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">deployment_name</span> <span class="err">=</span> <span class="s2">"blue"</span> <span class="nx">model_uri</span> <span class="err">=</span> <span class="s2">"azureml:fraud-detector:2"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"Standard_DS2_v2"</span> <span class="nx">min_instances</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">max_instances</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">max_concurrent_requests</span> <span class="err">=</span> <span class="mi">5</span> <span class="nx">auth_mode</span> <span class="err">=</span> <span class="s2">"Key"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="s2">"Enabled"</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">deployment_name</span> <span class="err">=</span> <span class="s2">"blue"</span> <span class="nx">model_uri</span> <span class="err">=</span> <span class="s2">"azureml:fraud-detector:2"</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">min_instances</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">max_instances</span> <span class="err">=</span> <span class="mi">8</span> <span class="nx">max_concurrent_requests</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">auth_mode</span> <span class="err">=</span> <span class="s2">"AADToken"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="s2">"Disabled"</span> </code></pre> </div> <h2> 🧪 Invoke the Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.ml</span> <span class="kn">import</span> <span class="n">MLClient</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="n">ml_client</span> <span class="o">=</span> <span class="nc">MLClient</span><span class="p">(</span> <span class="nc">DefaultAzureCredential</span><span class="p">(),</span> <span class="n">subscription_id</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">resource_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="n">workspace_name</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">ml_client</span><span class="p">.</span><span class="n">online_endpoints</span><span class="p">.</span><span class="nf">invoke</span><span class="p">(</span> <span class="n">endpoint_name</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-fraud-detector</span><span class="sh">"</span><span class="p">,</span> <span class="n">deployment_name</span><span class="o">=</span><span class="sh">"</span><span class="s">blue</span><span class="sh">"</span><span class="p">,</span> <span class="n">request_file</span><span class="o">=</span><span class="sh">"</span><span class="s">sample_request.json</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>Or via REST:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="se">\</span> <span class="s2">"https://prod-fraud-detector.eastus.inference.ml.azure.com/score"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"data": [[0.5, 1.2, 3.4, 0.8]]}'</span> </code></pre> </div> <h2> ⚠️ Gotchas and Tips </h2> <p><strong><code>azapi</code> is required.</strong> The <code>azurerm</code> provider doesn't have native <code>azurerm_machine_learning_online_endpoint</code> or <code>azurerm_machine_learning_online_deployment</code> resources. Use <code>azapi_resource</code> with the <code>Microsoft.MachineLearningServices</code> API.</p> <p><strong>Deployment creation takes 8-15 minutes.</strong> Provisioning VMs, pulling containers, loading models, and running health probes takes time. Plan for this in CI/CD pipelines.</p> <p><strong>Register models before deploying.</strong> The <code>model</code> field references a registered model in the workspace Model Registry (format: <code>azureml:model-name:version</code>). Register models via the SDK or CLI before running <code>terraform apply</code>.</p> <p><strong>Use AADToken in production.</strong> API keys work but require rotation. AAD token auth integrates with managed identity, eliminating key management entirely.</p> <p><strong>Scale to zero is not supported for managed endpoints.</strong> Unlike serverless compute, managed online endpoints require at least one instance running. If you need scale-to-zero, consider serverless endpoints (currently in preview).</p> <p><strong>Mirror traffic before canary.</strong> Mirror first (responses discarded, no user impact) to validate the model handles real request shapes correctly. Then switch to traffic splitting for a live canary test.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 2</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko">Azure ML Workspace</a> 🔬</li> <li> <strong>Post 2:</strong> Azure ML Online Endpoints (you are here) 🚀</li> <li> <strong>Post 3:</strong> Azure ML Feature Store</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps</li> </ul> <p><em>Your model is in production. Managed online endpoint with autoscaling, blue/green traffic splitting, mirror traffic for shadow testing, and data collection for drift monitoring. From workspace to production, all in Terraform.</em> 🚀</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> azure ai devops machinelearning Suhas Mallesh Sun, 12 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f https://dev.to/suhas_mallesh/vertex-ai-endpoints-deploy-your-model-to-production-with-terraform-17f <p>Your model is trained. Now deploy it to a scalable endpoint with autoscaling, traffic splitting for canary rollouts, and request-response logging. Here's how to deploy Vertex AI endpoints with Terraform.</p> <p>In the <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">previous post</a>, we set up the Vertex AI Workbench - the workspace where your team trains models. Now comes the production side: taking a trained model and deploying it to an endpoint that your applications can call for real-time predictions.</p> <p>Vertex AI uses a three-step deployment: upload a <strong>Model</strong> to the Model Registry, create an <strong>Endpoint</strong> (the HTTPS URL), then <strong>deploy</strong> the model to the endpoint with compute resources. Terraform provisions the endpoint and configures autoscaling, traffic splitting, and logging. The SDK handles model upload and deployment. 🎯</p> <h2> 🏗️ The Deployment Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Model Registry (uploaded model + container) ↓ Endpoint (HTTPS URL, traffic routing) ↓ Deployed Model (machine type, replicas, autoscaling) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Defines</th> </tr> </thead> <tbody> <tr> <td><strong>Model</strong></td> <td>Container image + model artifacts in GCS</td> </tr> <tr> <td><strong>Endpoint</strong></td> <td>Stable HTTPS prediction URL</td> </tr> <tr> <td><strong>Deployed Model</strong></td> <td>Machine type, replica count, autoscaling</td> </tr> <tr> <td><strong>Traffic Split</strong></td> <td>Percentage routing between model versions</td> </tr> </tbody> </table></div> <p>The endpoint URL stays stable across model versions. You update the deployed model behind it without changing your application code.</p> <h2> 🔧 Terraform: Create the Endpoint </h2> <h3> Endpoint Resource </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/main.tf</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-endpoint"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Production endpoint for ${var.model_name}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_name</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Endpoint with Private Network (Production) </h3> <p>For production, deploy with a private endpoint inside your VPC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-endpoint"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">network</span> <span class="p">=</span> <span class="s2">"projects/${data.google_project.this.number}/global/networks/${var.vpc_network_name}"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">google_service_networking_connection</span><span class="p">.</span><span class="nx">vertex_vpc</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_service_networking_connection"</span> <span class="s2">"vertex_vpc"</span> <span class="p">{</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_network_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"servicenetworking.googleapis.com"</span> <span class="nx">reserved_peering_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="nx">google_compute_global_address</span><span class="p">.</span><span class="nx">vertex_range</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_global_address"</span> <span class="s2">"vertex_range"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-vertex-range"</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"VPC_PEERING"</span> <span class="nx">address_type</span> <span class="p">=</span> <span class="s2">"INTERNAL"</span> <span class="nx">prefix_length</span> <span class="p">=</span> <span class="mi">16</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_network_id</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> </code></pre> </div> <h3> Prediction Logging to BigQuery </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_bigquery_dataset"</span> <span class="s2">"predictions"</span> <span class="p">{</span> <span class="nx">dataset_id</span> <span class="p">=</span> <span class="s2">"${var.environment}_prediction_logs"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint"</span> <span class="s2">"logged"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}-endpoint"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">predict_request_response_logging_config</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_prediction_logging</span> <span class="nx">sampling_rate</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">logging_sample_rate</span> <span class="nx">bigquery_destination</span> <span class="p">{</span> <span class="nx">output_uri</span> <span class="p">=</span> <span class="s2">"bq://${var.project_id}.${google_bigquery_dataset.predictions.dataset_id}.request_response"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Log a sample of prediction requests and responses to BigQuery for model monitoring, drift detection, and debugging.</p> <h2> 🐍 Model Upload and Deployment (SDK) </h2> <p>Terraform creates the endpoint. The Vertex AI SDK uploads the model and deploys it with compute resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># deploy.py </span> <span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">deploy_config.json</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">config</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span> <span class="n">project</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">project_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">location</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">region</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Upload model to Model Registry </span><span class="n">model</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="n">Model</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span> <span class="n">display_name</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">model_name</span><span class="sh">"</span><span class="p">],</span> <span class="n">artifact_uri</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">model_artifact_uri</span><span class="sh">"</span><span class="p">],</span> <span class="c1"># gs://bucket/model/ </span> <span class="n">serving_container_image_uri</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">serving_image</span><span class="sh">"</span><span class="p">],</span> <span class="n">serving_container_predict_route</span><span class="o">=</span><span class="sh">"</span><span class="s">/predict</span><span class="sh">"</span><span class="p">,</span> <span class="n">serving_container_health_route</span><span class="o">=</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Get the Terraform-created endpoint </span><span class="n">endpoint</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nc">Endpoint</span><span class="p">(</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">endpoint_resource_name</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Deploy model to endpoint </span><span class="n">model</span><span class="p">.</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">machine_type</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">machine_type</span><span class="sh">"</span><span class="p">],</span> <span class="n">min_replica_count</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">min_replicas</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_replica_count</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">max_replicas</span><span class="sh">"</span><span class="p">],</span> <span class="n">traffic_percentage</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">deploy_request_timeout</span><span class="o">=</span><span class="mi">1800</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Model deployed to: </span><span class="si">{</span><span class="n">endpoint</span><span class="p">.</span><span class="n">resource_name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Terraform Config Output for SDK </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># endpoint/config.tf</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"deploy_config"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/deploy_config.json"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">model_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_name}"</span> <span class="nx">model_artifact_uri</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_artifact_uri</span> <span class="nx">serving_image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">serving_container_image</span> <span class="nx">endpoint_resource_name</span> <span class="p">=</span> <span class="nx">google_vertex_ai_endpoint</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">min_replicas</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">min_replicas</span> <span class="nx">max_replicas</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_replicas</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> 📐 Traffic Splitting for Canary Deployments </h2> <p>Deploy a new model version alongside the existing one and gradually shift traffic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Canary: deploy new version with 10% traffic </span><span class="n">new_model</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="n">Model</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span> <span class="n">display_name</span><span class="o">=</span><span class="sh">"</span><span class="s">fraud-detector-v3</span><span class="sh">"</span><span class="p">,</span> <span class="n">artifact_uri</span><span class="o">=</span><span class="sh">"</span><span class="s">gs://ml-models/fraud-detector/v3/</span><span class="sh">"</span><span class="p">,</span> <span class="n">serving_container_image_uri</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">serving_image</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">new_model</span><span class="p">.</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">machine_type</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">machine_type</span><span class="sh">"</span><span class="p">],</span> <span class="n">min_replica_count</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">max_replica_count</span><span class="o">=</span><span class="mi">4</span><span class="p">,</span> <span class="n">traffic_percentage</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="c1"># 10% to new model </span><span class="p">)</span> <span class="c1"># After validation, shift 100% to new model </span><span class="n">endpoint</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">traffic_split</span><span class="o">=</span><span class="p">{</span> <span class="n">new_model</span><span class="p">.</span><span class="nb">id</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>The endpoint URL doesn't change. Your application sends predictions to the same endpoint while you shift traffic from the old model to the new one.</p> <h2> 📐 Model Garden Deployment (Terraform-Only) </h2> <p>For open models from Model Garden (Gemma, Llama, PaLiGemma), use the newer Terraform resource that handles everything in one step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_vertex_ai_endpoint_with_model_garden_deployment"</span> <span class="s2">"gemma"</span> <span class="p">{</span> <span class="nx">publisher_model_name</span> <span class="p">=</span> <span class="s2">"publishers/google/models/gemma3@gemma-3-1b-it"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">model_config</span> <span class="p">{</span> <span class="nx">accept_eula</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">deploy_config</span> <span class="p">{</span> <span class="nx">dedicated_resources</span> <span class="p">{</span> <span class="nx">machine_spec</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"g2-standard-12"</span> <span class="nx">accelerator_type</span> <span class="p">=</span> <span class="s2">"NVIDIA_L4"</span> <span class="nx">accelerator_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">min_replica_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>One resource creates the endpoint, uploads the model, and deploys it. This works for Model Garden models only - custom models still need the endpoint + SDK pattern.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">machine_type</span> <span class="err">=</span> <span class="s2">"n1-standard-4"</span> <span class="nx">min_replicas</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">max_replicas</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">enable_prediction_logging</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">logging_sample_rate</span> <span class="err">=</span> <span class="mf">0.0</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_name</span> <span class="err">=</span> <span class="s2">"fraud-detector"</span> <span class="nx">machine_type</span> <span class="err">=</span> <span class="s2">"n1-standard-8"</span> <span class="nx">min_replicas</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">max_replicas</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">enable_prediction_logging</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">logging_sample_rate</span> <span class="err">=</span> <span class="mf">0.1</span> <span class="c1"># Log 10% of requests</span> </code></pre> </div> <h2> 🧪 Invoke the Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.cloud</span> <span class="kn">import</span> <span class="n">aiplatform</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="sh">"</span><span class="s">my-project</span><span class="sh">"</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">)</span> <span class="n">endpoint</span> <span class="o">=</span> <span class="n">aiplatform</span><span class="p">.</span><span class="nc">Endpoint</span><span class="p">(</span><span class="sh">"</span><span class="s">ENDPOINT_ID</span><span class="sh">"</span><span class="p">)</span> <span class="n">prediction</span> <span class="o">=</span> <span class="n">endpoint</span><span class="p">.</span><span class="nf">predict</span><span class="p">(</span> <span class="n">instances</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">features</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">3.4</span><span class="p">,</span> <span class="mf">0.8</span><span class="p">]}]</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">prediction</span><span class="p">.</span><span class="n">predictions</span><span class="p">)</span> </code></pre> </div> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Endpoint creation is fast, deployment is slow.</strong> Creating an endpoint takes seconds. Deploying a model (provisioning VMs, loading containers, health checks) takes 10-20 minutes. Plan for this in your CI/CD pipeline.</p> <p><strong>Autoscaling uses replica count.</strong> Set <code>min_replica_count</code> to your baseline and <code>max_replica_count</code> to your peak. Vertex AI scales based on CPU utilization and request queue depth automatically.</p> <p><strong>GPU quota must be requested.</strong> NVIDIA L4, T4, A100 accelerators require quota increases. Request early in your project setup.</p> <p><strong>Model Registry keeps versions.</strong> Every <code>Model.upload</code> creates a new version in the registry. Old versions remain available for rollback. Use the <code>traffic_split</code> to redirect traffic back to a previous version if needed.</p> <p><strong>Prediction logging costs.</strong> BigQuery logging at 10% sampling rate is manageable. At 100%, costs scale with request volume. Use sampling for high-traffic endpoints.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 2</strong> of the <strong>GCP ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6">Vertex AI Workbench</a> 🔬</li> <li> <strong>Post 2:</strong> Vertex AI Endpoints - Deploy to Prod (you are here) 🚀</li> <li> <strong>Post 3:</strong> Vertex AI Feature Store</li> <li> <strong>Post 4:</strong> Vertex AI Pipelines + Cloud Build</li> </ul> <p><em>Your model is in production. Stable endpoint URL, autoscaling replicas, traffic splitting for canary rollouts, and prediction logging to BigQuery. From training to production, all in Terraform and Python.</em> 🚀</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> googlecloud ai machinelearning devops Suhas Mallesh Sat, 11 Apr 2026 00:48:06 +0000 https://dev.to/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp https://dev.to/suhas_mallesh/sagemaker-endpoints-deploy-your-model-to-production-with-terraform-mpp <p>Training a model is half the battle. Deploying it to a scalable, auto-scaling endpoint with blue/green deployment and rollback is the other half. Here's how to deploy SageMaker real-time endpoints with Terraform.</p> <p>In the <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">previous post</a>, we set up the SageMaker Studio domain - the workspace where your team trains models. Now comes the production side: taking a trained model and deploying it to a scalable HTTPS endpoint that your applications can call for real-time predictions.</p> <p>SageMaker endpoints involve three Terraform resources: a <strong>Model</strong> (what to serve), an <strong>Endpoint Configuration</strong> (how to serve it), and an <strong>Endpoint</strong> (the live HTTPS URL). Add autoscaling and deployment policies on top, and you have a production-grade inference system. 🎯</p> <h2> 🏗️ The Three-Layer Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Model (container image + model artifacts in S3) ↓ Endpoint Configuration (instance type, count, variants) ↓ Endpoint (HTTPS URL, auto-scaling, blue/green deployment) </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>What It Defines</th> </tr> </thead> <tbody> <tr> <td><strong>Model</strong></td> <td>Container image + S3 model artifacts + IAM role</td> </tr> <tr> <td><strong>Endpoint Config</strong></td> <td>Instance type, initial count, production variants</td> </tr> <tr> <td><strong>Endpoint</strong></td> <td>Live endpoint with deployment policy and autoscaling</td> </tr> </tbody> </table></div> <p>Separating these layers means you can update the model without touching the endpoint config, or change instance types without retraining.</p> <h2> 🔧 Terraform: Deploy to Production </h2> <h3> Model Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"model_config"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Model deployment configuration. Change to deploy new models."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">image_uri</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># ECR container image</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># S3 path to model.tar.gz</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">instance_count</span> <span class="p">=</span> <span class="nx">number</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> IAM Role for Model Execution </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"sagemaker_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-sagemaker-inference"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"sagemaker.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"model_access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"model-s3-ecr-access"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${var.model_bucket_arn}/*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:GetAuthorizationToken"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> The Model </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/model.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_model"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_config.name}"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">primary_container</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">image_uri</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">model_data_url</span> <span class="nx">environment</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">SAGEMAKER_PROGRAM</span> <span class="p">=</span> <span class="s2">"inference.py"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>image</code></strong> is your serving container - either an AWS Deep Learning Container or your custom container from ECR. <strong><code>model_data_url</code></strong> points to <code>model.tar.gz</code> in S3 containing your trained weights and inference code.</p> <h3> Endpoint Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/endpoint_config.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_endpoint_configuration"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_config.name}-config"</span> <span class="nx">production_variants</span> <span class="p">{</span> <span class="nx">variant_name</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="nx">model_name</span> <span class="p">=</span> <span class="nx">aws_sagemaker_model</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">initial_instance_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">instance_count</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">initial_variant_weight</span> <span class="p">=</span> <span class="mf">1.0</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>create_before_destroy = true</code></strong> is important. When you update the endpoint config (new model version, different instance type), Terraform creates the new config before deleting the old one. This prevents downtime during updates.</p> <h3> The Endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/endpoint.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_endpoint"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.model_config.name}"</span> <span class="nx">endpoint_config_name</span> <span class="p">=</span> <span class="nx">aws_sagemaker_endpoint_configuration</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">deployment_config</span> <span class="p">{</span> <span class="nx">blue_green_update_policy</span> <span class="p">{</span> <span class="nx">traffic_routing_configuration</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CANARY"</span> <span class="nx">canary_size</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"INSTANCE_COUNT"</span> <span class="nx">value</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">wait_interval_in_seconds</span> <span class="p">=</span> <span class="mi">300</span> <span class="p">}</span> <span class="nx">maximum_execution_timeout_in_seconds</span> <span class="p">=</span> <span class="mi">1800</span> <span class="nx">termination_wait_in_seconds</span> <span class="p">=</span> <span class="mi">120</span> <span class="p">}</span> <span class="nx">auto_rollback_configuration</span> <span class="p">{</span> <span class="nx">alarms</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_metric_alarm</span><span class="p">.</span><span class="nx">endpoint_errors</span><span class="p">.</span><span class="nx">alarm_name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary deployment:</strong> Routes traffic to 1 instance on the new fleet first, waits 5 minutes, then shifts remaining traffic. If the CloudWatch alarm fires during the canary phase, SageMaker automatically rolls back.</p> <h3> Autoscaling </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/autoscaling.tf</span> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_target"</span> <span class="s2">"endpoint"</span> <span class="p">{</span> <span class="nx">max_capacity</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">autoscaling_max</span> <span class="nx">min_capacity</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">model_config</span><span class="p">.</span><span class="nx">instance_count</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="s2">"endpoint/${aws_sagemaker_endpoint.this.name}/variant/primary"</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="s2">"sagemaker:variant:DesiredInstanceCount"</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="s2">"sagemaker"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_policy"</span> <span class="s2">"endpoint"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-endpoint-scaling"</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"TargetTrackingScaling"</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">.</span><span class="nx">resource_id</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">.</span><span class="nx">scalable_dimension</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">endpoint</span><span class="p">.</span><span class="nx">service_namespace</span> <span class="nx">target_tracking_scaling_policy_configuration</span> <span class="p">{</span> <span class="nx">target_value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_invocations_per_instance</span> <span class="nx">predefined_metric_specification</span> <span class="p">{</span> <span class="nx">predefined_metric_type</span> <span class="p">=</span> <span class="s2">"SageMakerVariantInvocationsPerInstance"</span> <span class="p">}</span> <span class="nx">scale_in_cooldown</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">scale_out_cooldown</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>SageMakerVariantInvocationsPerInstance</code></strong> scales based on requests per instance. Set the target to the maximum your instance can handle (determined by load testing). The policy adds instances when traffic exceeds the target and removes them when traffic drops.</p> <h3> Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># inference/monitoring.tf</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"endpoint_errors"</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-endpoint-5xx-errors"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"Invocation5XXErrors"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/SageMaker"</span> <span class="nx">period</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">statistic</span> <span class="p">=</span> <span class="s2">"Sum"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"Endpoint returning 5xx errors"</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">sns_alert_topic_arn</span><span class="p">]</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EndpointName</span> <span class="p">=</span> <span class="nx">aws_sagemaker_endpoint</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">VariantName</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"endpoint_latency"</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-endpoint-high-latency"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"ModelLatency"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/SageMaker"</span> <span class="nx">period</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">statistic</span> <span class="p">=</span> <span class="s2">"Average"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">latency_threshold_ms</span> <span class="p">*</span> <span class="mi">1000</span> <span class="c1"># microseconds</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"Model inference latency too high"</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">sns_alert_topic_arn</span><span class="p">]</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EndpointName</span> <span class="p">=</span> <span class="nx">aws_sagemaker_endpoint</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">VariantName</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The error alarm also feeds into the blue/green deployment's <code>auto_rollback_configuration</code>. If 5xx errors spike during a deployment, SageMaker automatically rolls back to the previous fleet.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">model_config</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fraud-detector-v2"</span> <span class="nx">image_uri</span> <span class="p">=</span> <span class="s2">"123456789012.dkr.ecr.us-east-1.amazonaws.com/ml-serving:latest"</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="s2">"s3://ml-models-dev/fraud-detector/v2/model.tar.gz"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"ml.t2.medium"</span> <span class="nx">instance_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">autoscaling_max</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">target_invocations_per_instance</span> <span class="err">=</span> <span class="mi">100</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">model_config</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"fraud-detector-v2"</span> <span class="nx">image_uri</span> <span class="p">=</span> <span class="s2">"123456789012.dkr.ecr.us-east-1.amazonaws.com/ml-serving:v2.1.0"</span> <span class="nx">model_data_url</span> <span class="p">=</span> <span class="s2">"s3://ml-models-prod/fraud-detector/v2/model.tar.gz"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"ml.c5.xlarge"</span> <span class="nx">instance_count</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="nx">autoscaling_max</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">target_invocations_per_instance</span> <span class="err">=</span> <span class="mi">500</span> </code></pre> </div> <p><strong>Deploying a new model version:</strong> Update <code>model_data_url</code> to the new S3 path, run <code>terraform apply</code>. The canary deployment creates a new fleet, validates it, and shifts traffic automatically.</p> <h2> 🧪 Invoke the Endpoint </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sagemaker-runtime</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">invoke_endpoint</span><span class="p">(</span> <span class="n">EndpointName</span><span class="o">=</span><span class="sh">"</span><span class="s">prod-fraud-detector-v2</span><span class="sh">"</span><span class="p">,</span> <span class="n">ContentType</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">Body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">features</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.2</span><span class="p">,</span> <span class="mf">3.4</span><span class="p">,</span> <span class="mf">0.8</span><span class="p">]})</span> <span class="p">)</span> <span class="n">prediction</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="n">prediction</span><span class="p">)</span> </code></pre> </div> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Load test before setting autoscaling targets.</strong> The <code>target_invocations_per_instance</code> should be based on actual load testing, not guesswork. Use SageMaker Inference Recommender to find the optimal instance type and max throughput.</p> <p><strong>Endpoint creation takes 5-10 minutes.</strong> SageMaker provisions instances, downloads the container, loads the model, and runs health checks. Plan for this in your deployment pipeline.</p> <p><strong>Use <code>create_before_destroy</code> on endpoint configs.</strong> Without it, Terraform deletes the old config before creating the new one, causing downtime.</p> <p><strong>Pin container image tags.</strong> Use versioned tags (<code>v2.1.0</code>) instead of <code>latest</code> in production. This ensures reproducible deployments and meaningful rollbacks.</p> <p><strong>Serverless inference for low traffic.</strong> If your endpoint gets fewer than ~100 requests/hour, consider <code>serverless_config</code> on the endpoint configuration instead of instance-based. It scales to zero and charges per request.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 2</strong> of the <strong>ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805">SageMaker Studio Domain</a> 🔬</li> <li> <strong>Post 2:</strong> SageMaker Endpoints - Deploy to Prod (you are here) 🚀</li> <li> <strong>Post 3:</strong> SageMaker Feature Store</li> <li> <strong>Post 4:</strong> SageMaker Pipelines - CI/CD for ML</li> </ul> <p><em>Your model is in production. Real-time HTTPS endpoint, autoscaling based on traffic, canary deployments with automatic rollback, and monitoring that pages you before customers notice. From notebook to production, all in Terraform.</em> 🚀</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> ai machinelearning devops aws Suhas Mallesh Fri, 03 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko https://dev.to/suhas_mallesh/azure-ml-workspace-with-terraform-your-ml-platform-on-azure-44ko <p>Azure Machine Learning workspace is the hub for all ML activities - experiments, models, endpoints, pipelines. It requires four dependent services. Here's how to provision the entire platform with Terraform including compute instances and clusters.</p> <p>In Series 1-3, we worked with managed AI services - AI Foundry for models, AI Search for RAG, Agent Service for orchestration. Series 5 shifts to custom ML - training your own models, deploying endpoints, managing features, and building CI/CD pipelines.</p> <p>It starts with an Azure Machine Learning workspace. The workspace is the top-level resource for all ML activities: experiments, datasets, models, compute targets, endpoints, and pipelines live here. Unlike a simple resource, the workspace requires four dependent services before it can be created: Storage Account, Key Vault, Application Insights, and Container Registry. Terraform provisions the entire stack. 🎯</p> <h2> 🏗️ Workspace Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Workspace</strong></td> <td>Central hub for ML experiments, models, and pipelines</td> </tr> <tr> <td><strong>Storage Account</strong></td> <td>Default datastore for datasets, model artifacts, logs</td> </tr> <tr> <td><strong>Key Vault</strong></td> <td>Secrets, connection strings, API keys</td> </tr> <tr> <td><strong>Application Insights</strong></td> <td>Experiment tracking, endpoint monitoring</td> </tr> <tr> <td><strong>Container Registry</strong></td> <td>Custom training images, model deployment containers</td> </tr> <tr> <td><strong>Compute Instance</strong></td> <td>Per-user notebook/IDE (JupyterLab, VS Code)</td> </tr> <tr> <td><strong>Compute Cluster</strong></td> <td>Auto-scaling training cluster (CPU or GPU)</td> </tr> </tbody> </table></div> <p>All four dependent services must exist before the workspace. Terraform handles the dependency ordering automatically.</p> <h2> 🔧 Terraform: The Full Workspace Setup </h2> <h3> Dependent Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/dependencies.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_storage_account"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}ml${random_string.suffix.result}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">account_tier</span> <span class="p">=</span> <span class="s2">"Standard"</span> <span class="nx">account_replication_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">storage_replication</span> <span class="nx">min_tls_version</span> <span class="p">=</span> <span class="s2">"TLS1_2"</span> <span class="nx">allow_nested_items_to_be_public</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_key_vault"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}ml${random_string.suffix.result}kv"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">tenant_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">azurerm_client_config</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">tenant_id</span> <span class="nx">sku_name</span> <span class="p">=</span> <span class="s2">"standard"</span> <span class="nx">purge_protection_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_rbac_authorization</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_application_insights"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-insights"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">application_type</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_container_registry"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}ml${random_string.suffix.result}acr"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">sku</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">acr_sku</span> <span class="nx">admin_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p><strong>Container Registry is optional but recommended.</strong> Without it, the workspace uses Azure-managed image building. With it, you control custom training images and model serving containers. Set <code>admin_enabled = false</code> and use managed identity instead.</p> <h3> The Workspace </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/workspace.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_workspace"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-workspace"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">resource_group_name</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">name</span> <span class="nx">application_insights_id</span> <span class="p">=</span> <span class="nx">azurerm_application_insights</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">key_vault_id</span> <span class="p">=</span> <span class="nx">azurerm_key_vault</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">storage_account_id</span> <span class="p">=</span> <span class="nx">azurerm_storage_account</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">container_registry_id</span> <span class="p">=</span> <span class="nx">azurerm_container_registry</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">public_network_access_enabled</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_network_access</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>The workspace creates a system-assigned managed identity that accesses the dependent services. No keys or connection strings to manage.</p> <h3> Compute Instance (Per-User IDE) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/compute_instance.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_compute_instance"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">compute_instances</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">machine_learning_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">virtual_machine_size</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">vm_size</span> <span class="nx">node_public_ip_enabled</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_network_access</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Team</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">team</span> <span class="nx">User</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Each data scientist gets their own compute instance with JupyterLab and VS Code access. Instances stop and start independently - you only pay when they're running.</p> <h3> Compute Cluster (Training) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/compute_cluster.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_machine_learning_compute_cluster"</span> <span class="s2">"training"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-training"</span> <span class="nx">machine_learning_workspace_id</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">location</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_vm_size</span> <span class="nx">vm_priority</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_vm_priority</span> <span class="nx">identity</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SystemAssigned"</span> <span class="p">}</span> <span class="nx">scale_settings</span> <span class="p">{</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">training_max_nodes</span> <span class="nx">scale_down_nodes_after_idle_duration</span> <span class="p">=</span> <span class="s2">"PT${var.scale_down_minutes}M"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>min_node_count = 0</code> is the cost control key.</strong> The cluster scales to zero when no training jobs are running. You pay nothing for idle compute. <code>scale_down_nodes_after_idle_duration</code> controls how quickly nodes are released after a job finishes.</p> <p><strong><code>vm_priority = "LowPriority"</code></strong> saves up to 80% on training costs. Low-priority VMs can be evicted, so use them for fault-tolerant training jobs with checkpointing.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"LRS"</span> <span class="nx">acr_sku</span> <span class="err">=</span> <span class="s2">"Basic"</span> <span class="nx">training_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">training_vm_priority</span> <span class="err">=</span> <span class="s2">"Dedicated"</span> <span class="nx">training_max_nodes</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">scale_down_minutes</span> <span class="err">=</span> <span class="mi">15</span> <span class="nx">compute_instances</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"ds-dev-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">public_network_access</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">storage_replication</span> <span class="err">=</span> <span class="s2">"GRS"</span> <span class="nx">acr_sku</span> <span class="err">=</span> <span class="s2">"Standard"</span> <span class="nx">training_vm_size</span> <span class="err">=</span> <span class="s2">"Standard_NC6s_v3"</span> <span class="c1"># GPU</span> <span class="nx">training_vm_priority</span> <span class="err">=</span> <span class="s2">"LowPriority"</span> <span class="nx">training_max_nodes</span> <span class="err">=</span> <span class="mi">8</span> <span class="nx">scale_down_minutes</span> <span class="err">=</span> <span class="mi">30</span> <span class="nx">compute_instances</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"ds-lead"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS4_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="s2">"ds-engineer-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="s2">"ds-engineer-2"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vm_size</span> <span class="p">=</span> <span class="s2">"Standard_DS3_v2"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Dev:</strong> Public access, LRS storage, small dedicated cluster for quick iteration.<br> <strong>Prod:</strong> Private access, GRS storage, GPU cluster with low-priority VMs for cost-efficient training.</p> <h2> 🔧 RBAC for Team Access </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ml/rbac.tf</span> <span class="c1"># Data scientists get Contributor on the workspace</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"ds_contributor"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">data_scientist_principals</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"AzureML Compute Operator"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="c1"># ML engineers get full workspace access</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"mle_contributor"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ml_engineer_principals</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_machine_learning_workspace</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Contributor"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <p>Use <code>AzureML Compute Operator</code> for data scientists who need to run experiments but shouldn't modify workspace settings. Use <code>Contributor</code> for ML engineers who manage the full lifecycle.</p> <h2> 🔧 Security Hardening </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Control</th> <th>Dev</th> <th>Prod</th> </tr> </thead> <tbody> <tr> <td>Network access</td> <td>Public</td> <td>Private (managed VNet)</td> </tr> <tr> <td>Storage</td> <td>LRS, TLS 1.2</td> <td>GRS, TLS 1.2, no public blob</td> </tr> <tr> <td>Key Vault</td> <td>RBAC auth</td> <td>RBAC auth, purge protection</td> </tr> <tr> <td>Container Registry</td> <td>Basic, no admin</td> <td>Standard, managed identity</td> </tr> <tr> <td>Compute</td> <td>Public IP</td> <td>No public IP, subnet attached</td> </tr> <tr> <td>Identity</td> <td>System-assigned</td> <td>System-assigned + RBAC</td> </tr> </tbody> </table></div> <p>For production, set <code>public_network_access_enabled = false</code> on the workspace and use managed virtual network isolation. All compute instances and clusters run inside a managed VNet with outbound rules controlled by the workspace.</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Globally unique names required.</strong> Storage account and ACR names must be globally unique. Use <code>random_string</code> suffixes to avoid conflicts across environments.</p> <p><strong>Container Registry costs.</strong> Basic SKU is $5/month. Standard is $20/month. If you're not building custom training images yet, you can skip the ACR initially and add it later.</p> <p><strong>Compute instance auto-stop.</strong> Unlike clusters, compute instances don't auto-stop by default. Set up an idle shutdown schedule through the workspace settings or Azure Policy to prevent overnight charges.</p> <p><strong>Workspace deletion is complex.</strong> Deleting a workspace doesn't automatically delete dependent resources (storage, KV, ACR). Terraform handles this correctly with <code>depends_on</code>, but manual deletion requires cleaning up each resource individually.</p> <p><strong>SDK v1 is deprecated.</strong> Azure ML SDK v1 reached end-of-support in March 2025. Use SDK v2 (<code>azure-ai-ml</code>) for all new development. Terraform provisions the infrastructure; SDK v2 handles experiments and models.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 1</strong> of the <strong>Azure ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> Azure ML Workspace (you are here) 🔬</li> <li> <strong>Post 2:</strong> Azure ML Online Endpoints - Deploy to Prod</li> <li> <strong>Post 3:</strong> Azure ML Feature Store</li> <li> <strong>Post 4:</strong> Azure ML Pipelines + Azure DevOps</li> </ul> <p><em>Your ML platform is provisioned. Workspace, storage, key vault, ACR, compute instances for notebooks, auto-scaling clusters for training - all in Terraform. The foundation for model development, deployment, and production ML pipelines.</em> 🔬</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> azure ai machinelearning devops Suhas Mallesh Thu, 02 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6 https://dev.to/suhas_mallesh/vertex-ai-workbench-with-terraform-your-ml-workspace-on-gcp-4gn6 <p>Vertex AI Workbench is the JupyterLab IDE for ML on GCP - pre-installed ML frameworks, Vertex AI integration, and GPU support out of the box. Here's how to provision instances with Terraform including networking, IAM, auto-shutdown, and custom containers.</p> <p>In Series 1-3, we worked with managed AI services - Vertex AI for models, RAG Engine for retrieval, ADK for agents. Series 5 shifts to custom ML - training your own models, deploying endpoints, managing features, and building ML pipelines.</p> <p>It starts with a development environment. Vertex AI Workbench provides JupyterLab instances backed by Compute Engine VMs, pre-loaded with ML frameworks (TensorFlow, PyTorch, JAX, scikit-learn), the Vertex AI SDK, and direct integration with GCS, BigQuery, and Vertex AI services. Each instance is a full ML workspace. Terraform provisions them consistently across your team. 🎯</p> <h2> 🏗️ Workbench Architecture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Workbench Instance</strong></td> <td>JupyterLab on a Compute Engine VM</td> </tr> <tr> <td><strong>VM Image</strong></td> <td>Pre-built with ML frameworks and Vertex SDK</td> </tr> <tr> <td><strong>Custom Container</strong></td> <td>Your own Docker image with specific dependencies</td> </tr> <tr> <td><strong>Data Disk</strong></td> <td>Persistent storage for notebooks and datasets</td> </tr> <tr> <td><strong>Service Account</strong></td> <td>Controls access to GCS, BigQuery, Vertex AI</td> </tr> <tr> <td><strong>Network</strong></td> <td>VPC, subnet, firewall rules for isolation</td> </tr> </tbody> </table></div> <p>Unlike SageMaker's domain-based approach, Workbench instances are standalone VMs. Each data scientist gets their own instance with full control over machine type, GPU, and installed packages. Terraform standardizes the configuration across the team.</p> <h2> 🔧 Terraform: The Full Workbench Setup </h2> <h3> APIs and Networking </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># workbench/apis.tf</span> <span class="nx">resource</span> <span class="s2">"google_project_service"</span> <span class="s2">"required"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span> <span class="s2">"notebooks.googleapis.com"</span><span class="p">,</span> <span class="s2">"aiplatform.googleapis.com"</span><span class="p">,</span> <span class="s2">"compute.googleapis.com"</span><span class="p">,</span> <span class="s2">"storage.googleapis.com"</span><span class="p">,</span> <span class="s2">"bigquery.googleapis.com"</span><span class="p">,</span> <span class="p">])</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="c1"># VPC for Workbench instances</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-network"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-subnet"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">private_ip_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Access Google APIs without public IP</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="c1"># Allow internal traffic for JupyterLab proxy</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"internal"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-internal"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"8080"</span><span class="p">,</span> <span class="s2">"443"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>private_ip_google_access = true</code></strong> is essential. It lets Workbench instances access Google APIs (GCS, BigQuery, Vertex AI) without a public IP address, keeping your ML environment network-isolated.</p> <h3> Service Account </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># workbench/iam.tf</span> <span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"workbench"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-workbench-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Workbench ML Service Account"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="c1"># Access to training data in GCS</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"storage_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/storage.objectUser"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.workbench.email}"</span> <span class="p">}</span> <span class="c1"># Access to Vertex AI for training and prediction</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"vertex_ai_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/aiplatform.user"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.workbench.email}"</span> <span class="p">}</span> <span class="c1"># Access to BigQuery for data exploration</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"bigquery_user"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/bigquery.user"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.workbench.email}"</span> <span class="p">}</span> <span class="c1"># Read Artifact Registry for custom containers</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"artifact_reader"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/artifactregistry.reader"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.workbench.email}"</span> <span class="p">}</span> </code></pre> </div> <h3> Workbench Instance </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># workbench/instance.tf</span> <span class="nx">resource</span> <span class="s2">"google_workbench_instance"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">workbench_instances</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${each.key}"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">gce_setup</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">machine_type</span> <span class="nx">vm_image</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"cloud-notebooks-managed"</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"workbench-instances"</span> <span class="p">}</span> <span class="c1"># Optional GPU</span> <span class="nx">dynamic</span> <span class="s2">"accelerator_configs"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">gpu_type</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="err">:</span> <span class="p">[]</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">gpu_type</span> <span class="nx">core_count</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">gpu_count</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">disk_type</span> <span class="p">=</span> <span class="s2">"PD_SSD"</span> <span class="nx">disk_size_gb</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">boot_disk_gb</span> <span class="p">}</span> <span class="nx">data_disks</span> <span class="p">{</span> <span class="nx">disk_type</span> <span class="p">=</span> <span class="s2">"PD_SSD"</span> <span class="nx">disk_size_gb</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">data_disk_gb</span> <span class="p">}</span> <span class="nx">network_interfaces</span> <span class="p">{</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">nic_type</span> <span class="p">=</span> <span class="s2">"GVNIC"</span> <span class="p">}</span> <span class="nx">service_accounts</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">workbench</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">idle-timeout-seconds</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">idle_timeout</span> <span class="nx">install-nvidia-driver</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">gpu_type</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="s2">"true"</span> <span class="err">:</span> <span class="s2">"false"</span> <span class="nx">post-startup-script</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">post_startup_script</span> <span class="p">}</span> <span class="nx">enable_ip_forwarding</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">disable_proxy_access</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Enable JupyterLab proxy access</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">team</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">team</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key configuration points:</strong></p> <ul> <li> <code>vm_image.family = "workbench-instances"</code> uses Google's pre-built image with ML frameworks</li> <li> <code>data_disks</code> provides persistent storage separate from the boot disk</li> <li> <code>idle-timeout-seconds</code> in metadata auto-stops the instance after inactivity</li> <li> <code>install-nvidia-driver</code> auto-installs GPU drivers when GPU is attached</li> <li> <code>disable_proxy_access = false</code> enables browser access to JupyterLab via IAP</li> </ul> <h3> Custom Container Alternative </h3> <p>For teams that need specific package versions or private packages, use a custom container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_workbench_instance"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-custom-ml"</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">gce_setup</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"n1-standard-8"</span> <span class="nx">container_image</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"${var.region}-docker.pkg.dev/${var.project_id}/ml-images/custom-workbench"</span> <span class="nx">tag</span> <span class="p">=</span> <span class="s2">"latest"</span> <span class="p">}</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">disk_type</span> <span class="p">=</span> <span class="s2">"PD_SSD"</span> <span class="nx">disk_size_gb</span> <span class="p">=</span> <span class="mi">150</span> <span class="p">}</span> <span class="nx">network_interfaces</span> <span class="p">{</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">service_accounts</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">workbench</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Build your container from Google's base image, add your packages, push to Artifact Registry, and reference it in Terraform. Updates are a new tag and <code>terraform apply</code>.</p> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">zone</span> <span class="err">=</span> <span class="s2">"us-central1-a"</span> <span class="nx">workbench_instances</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"data-scientist-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"n1-standard-4"</span> <span class="nx">gpu_type</span> <span class="p">=</span> <span class="kc">null</span> <span class="c1"># No GPU for dev</span> <span class="nx">gpu_count</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">boot_disk_gb</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">data_disk_gb</span> <span class="p">=</span> <span class="mi">200</span> <span class="nx">idle_timeout</span> <span class="p">=</span> <span class="s2">"3600"</span> <span class="c1"># 1 hour auto-stop</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">post_startup_script</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">zone</span> <span class="err">=</span> <span class="s2">"us-central1-a"</span> <span class="nx">workbench_instances</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"ml-lead"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"n1-standard-8"</span> <span class="nx">gpu_type</span> <span class="p">=</span> <span class="s2">"NVIDIA_TESLA_T4"</span> <span class="nx">gpu_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">boot_disk_gb</span> <span class="p">=</span> <span class="mi">150</span> <span class="nx">data_disk_gb</span> <span class="p">=</span> <span class="mi">500</span> <span class="nx">idle_timeout</span> <span class="p">=</span> <span class="s2">"7200"</span> <span class="c1"># 2 hour auto-stop</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">post_startup_script</span> <span class="p">=</span> <span class="s2">"gs://my-bucket/scripts/setup.sh"</span> <span class="p">}</span> <span class="s2">"ml-engineer-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"n1-standard-8"</span> <span class="nx">gpu_type</span> <span class="p">=</span> <span class="s2">"NVIDIA_TESLA_T4"</span> <span class="nx">gpu_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">boot_disk_gb</span> <span class="p">=</span> <span class="mi">150</span> <span class="nx">data_disk_gb</span> <span class="p">=</span> <span class="mi">500</span> <span class="nx">idle_timeout</span> <span class="p">=</span> <span class="s2">"7200"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">post_startup_script</span> <span class="p">=</span> <span class="s2">"gs://my-bucket/scripts/setup.sh"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Cost control through <code>idle_timeout</code>.</strong> GPU instances cost $1-3/hour. A T4 instance left running overnight costs $24-72 in wasted spend. The <code>idle-timeout-seconds</code> metadata auto-stops the VM when JupyterLab kernels are idle.</p> <h2> 🔧 Post-Startup Script for Team Standardization </h2> <p>Standardize packages and configs across all instances:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># scripts/setup.sh - uploaded to GCS</span> <span class="c"># Install team-standard packages</span> pip <span class="nb">install</span> <span class="nt">--upgrade</span> <span class="se">\</span> google-cloud-aiplatform <span class="se">\</span> google-cloud-bigquery <span class="se">\</span> pandas <span class="se">\</span> scikit-learn <span class="se">\</span> xgboost <span class="c"># Clone team shared repos</span> git clone https://github.com/your-org/ml-utils.git /home/jupyter/ml-utils <span class="c"># Set environment variables</span> <span class="nb">echo</span> <span class="s1">'export PROJECT_ID=your-project'</span> <span class="o">&gt;&gt;</span> /home/jupyter/.bashrc <span class="nb">echo</span> <span class="s1">'export REGION=us-central1'</span> <span class="o">&gt;&gt;</span> /home/jupyter/.bashrc </code></pre> </div> <p>Reference it in the instance metadata via <code>post_startup_script</code>. Runs once when the instance starts for the first time.</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>User-managed notebooks are deprecated.</strong> As of January 2025, only Workbench Instances (<code>google_workbench_instance</code>) are supported. Don't use <code>google_notebooks_instance</code> - it's legacy.</p> <p><strong>GPU quota must be requested.</strong> T4, V100, A100 GPUs require quota increases in your GCP project. Request early - approval can take 1-2 business days.</p> <p><strong>Instance stops don't lose data.</strong> Stopping a Workbench instance preserves the boot and data disks. You only pay for disk storage when stopped. Starting it again restores your full environment.</p> <p><strong>Use data disks for large datasets.</strong> Boot disks are limited and get recreated on image updates. Store notebooks and datasets on the data disk (<code>/home/jupyter</code>) which persists independently.</p> <p><strong>Private Google Access vs public IP.</strong> With <code>private_ip_google_access = true</code> on the subnet, instances can reach GCS, BigQuery, and Vertex AI without a public IP. Combine with IAP for secure browser access to JupyterLab.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 1</strong> of the <strong>GCP ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> Vertex AI Workbench (you are here) 🔬</li> <li> <strong>Post 2:</strong> Vertex AI Endpoints - Deploy to Prod</li> <li> <strong>Post 3:</strong> Vertex AI Feature Store</li> <li> <strong>Post 4:</strong> Vertex AI Pipelines + Cloud Build</li> </ul> <p><em>Your ML workspace is provisioned. Network-isolated, GPU-ready, auto-shutdown enabled, with standardized packages across your team. The foundation for model training, deployment, and production ML pipelines.</em> 🔬</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> googlecloud ai machinelearning devops Suhas Mallesh Wed, 01 Apr 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805 https://dev.to/suhas_mallesh/sagemaker-studio-domain-with-terraform-your-ml-workspace-on-aws-5805 <p>SageMaker Studio is the IDE for ML on AWS - notebooks, training, deployment, all in one place. Here's how to provision the entire domain with Terraform including VPC, IAM, user profiles, and security hardening.</p> <p>In Series 1-3, we worked with managed AI services - Bedrock for models, Knowledge Bases for RAG, Agents for orchestration. Series 5 shifts to custom ML - training your own models, deploying them to endpoints, managing features, and building CI/CD pipelines.</p> <p>It all starts with a SageMaker Studio Domain. The domain is the foundation for everything in SageMaker - it provides the IDE (JupyterLab, Code Editor), manages user profiles, attaches shared storage (EFS), and controls network access. Think of it as the workspace where your ML team lives. This post provisions the entire setup with Terraform. 🎯</p> <h2> 🏗️ What a SageMaker Domain Contains </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>Domain</strong></td> <td>Top-level resource: VPC config, auth mode, encryption</td> </tr> <tr> <td><strong>User Profile</strong></td> <td>Per-user config: execution role, instance types, apps</td> </tr> <tr> <td><strong>Shared Space</strong></td> <td>Team collaboration spaces with shared notebooks</td> </tr> <tr> <td><strong>EFS Volume</strong></td> <td>Persistent storage for notebooks and data files</td> </tr> <tr> <td><strong>Apps</strong></td> <td>JupyterLab, Code Editor, Canvas, Studio Classic</td> </tr> </tbody> </table></div> <p>One domain per team or environment. User profiles within the domain give each data scientist their own isolated workspace with shared access to the same data and models.</p> <h2> 🔧 Terraform: The Full Domain Setup </h2> <h3> VPC and Networking </h3> <p>SageMaker Studio requires a VPC. For production, use VPC-only mode with private subnets and VPC endpoints:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># network/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"ml"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-vpc"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-private-${count.index}"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># S3 Gateway endpoint (required for SageMaker in VPC-only mode)</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.${var.region}.s3"</span> <span class="nx">route_table_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># SageMaker API interface endpoint</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"sagemaker_api"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.${var.region}.sagemaker.api"</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">vpc_endpoints</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># SageMaker Runtime interface endpoint</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"sagemaker_runtime"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.${var.region}.sagemaker.runtime"</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">vpc_endpoints</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"vpc_endpoints"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"${var.environment}-vpce-"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>VPC-only mode blocks all internet access.</strong> You need VPC endpoints for every AWS service SageMaker uses: S3 (gateway), SageMaker API, SageMaker Runtime, and optionally STS, CloudWatch Logs, and ECR for training jobs.</p> <h3> IAM Execution Role </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># iam/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"sagemaker_execution"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-sagemaker-execution"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"sagemaker.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Scoped permissions - not AmazonSageMakerFullAccess</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"sagemaker_core"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"sagemaker-core"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"${var.data_bucket_arn}"</span><span class="p">,</span> <span class="s2">"${var.data_bucket_arn}/*"</span><span class="p">,</span> <span class="s2">"${var.artifacts_bucket_arn}"</span><span class="p">,</span> <span class="s2">"${var.artifacts_bucket_arn}/*"</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:GetAuthorizationToken"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Avoid <code>AmazonSageMakerFullAccess</code> in production.</strong> It grants broad permissions across S3, ECR, Lambda, and more. Scope your policies to the specific buckets, registries, and services your team needs.</p> <h3> KMS Key for Encryption </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># security/kms.tf</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"sagemaker"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SageMaker Studio EFS and EBS encryption"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"sagemaker"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/${var.environment}-sagemaker"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">sagemaker</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <h3> The Domain </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># sagemaker/domain.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_domain"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-ml-studio"</span> <span class="nx">auth_mode</span> <span class="p">=</span> <span class="s2">"IAM"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">ml</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="c1"># VPC-only mode blocks internet access</span> <span class="nx">app_network_access_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">network_access_type</span> <span class="c1"># Encrypt EFS and EBS volumes</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">sagemaker</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">default_user_settings</span> <span class="p">{</span> <span class="nx">execution_role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">sagemaker_studio</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">jupyter_lab_app_settings</span> <span class="p">{</span> <span class="nx">default_resource_spec</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">default_instance_type</span> <span class="nx">sagemaker_image_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jupyter_image_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">sharing_settings</span> <span class="p">{</span> <span class="nx">notebook_output_option</span> <span class="p">=</span> <span class="s2">"Allowed"</span> <span class="nx">s3_output_path</span> <span class="p">=</span> <span class="s2">"s3://${var.artifacts_bucket}/sharing"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> User Profiles </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># sagemaker/users.tf</span> <span class="nx">resource</span> <span class="s2">"aws_sagemaker_user_profile"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">user_profiles</span> <span class="nx">domain_id</span> <span class="p">=</span> <span class="nx">aws_sagemaker_domain</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">user_profile_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">user_settings</span> <span class="p">{</span> <span class="nx">execution_role</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">execution_role_arn</span><span class="p">,</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">sagemaker_execution</span><span class="p">.</span><span class="nx">arn</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Team</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">team</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 📐 Environment Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">network_access_type</span> <span class="err">=</span> <span class="s2">"PublicInternetOnly"</span> <span class="c1"># Simpler for dev</span> <span class="nx">default_instance_type</span> <span class="err">=</span> <span class="s2">"ml.t3.medium"</span> <span class="nx">user_profiles</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"data-scientist-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="kc">null</span> <span class="c1"># Uses domain default</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># environments/prod.tfvars</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"prod"</span> <span class="nx">network_access_type</span> <span class="err">=</span> <span class="s2">"VpcOnly"</span> <span class="c1"># Locked down</span> <span class="nx">default_instance_type</span> <span class="err">=</span> <span class="s2">"ml.t3.medium"</span> <span class="nx">user_profiles</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"ds-lead"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="s2">"ds-engineer-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="s2">"ds-engineer-2"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"ml-team"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Dev uses <code>PublicInternetOnly</code></strong> for easier setup - no VPC endpoints needed, pip install works out of the box. <strong>Prod uses <code>VpcOnly</code></strong> for network isolation - all traffic stays within your VPC, requires VPC endpoints for AWS services.</p> <h2> 🔧 Security Hardening Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Control</th> <th>Dev</th> <th>Prod</th> </tr> </thead> <tbody> <tr> <td>Network access</td> <td>PublicInternetOnly</td> <td>VpcOnly</td> </tr> <tr> <td>EFS encryption</td> <td>KMS key</td> <td>KMS key</td> </tr> <tr> <td>IAM scope</td> <td>Scoped to buckets</td> <td>Least-privilege per team</td> </tr> <tr> <td>Instance types</td> <td>ml.t3.medium</td> <td>Restricted via Service Quotas</td> </tr> <tr> <td>Notebook sharing</td> <td>Allowed (S3 output)</td> <td>Allowed (encrypted S3)</td> </tr> <tr> <td>Auto-shutdown</td> <td>Optional</td> <td>Lifecycle config enforced</td> </tr> </tbody> </table></div> <h2> 🔧 Auto-Shutdown Lifecycle Config (Cost Control) </h2> <p>Idle notebooks burn money. Attach a lifecycle config to auto-shutdown:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_sagemaker_studio_lifecycle_config"</span> <span class="s2">"auto_shutdown"</span> <span class="p">{</span> <span class="nx">studio_lifecycle_config_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-auto-shutdown"</span> <span class="nx">studio_lifecycle_config_app_type</span> <span class="p">=</span> <span class="s2">"JupyterServer"</span> <span class="nx">studio_lifecycle_config_content</span> <span class="p">=</span> <span class="nx">base64encode</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/scripts/auto-shutdown.sh"</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>The script checks for idle kernels and shuts down the notebook instance after a configurable timeout (typically 60-120 minutes of inactivity).</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>One domain per region per account (soft limit).</strong> You can request an increase, but the default is one. Use user profiles to separate team members within a single domain.</p> <p><strong>EFS is created automatically.</strong> The domain creates an EFS volume and a home directory per user profile. You don't manage this directly, but you should encrypt it with KMS.</p> <p><strong>VPC endpoint costs add up.</strong> Each interface VPC endpoint costs roughly $7/month plus data processing charges. In VPC-only mode, you may need 5-10 endpoints. Budget $50-100/month for networking in prod.</p> <p><strong>Domain deletion is slow and complex.</strong> Deleting a domain requires deleting all apps, user profiles, and spaces first. Terraform handles this, but <code>terraform destroy</code> can take 15-20 minutes.</p> <p><strong>Instance type quotas.</strong> GPU instances (ml.g5, ml.p4d) require Service Quota increases. Request these early - approval can take days.</p> <h2> ⏭️ What's Next </h2> <p>This is <strong>Post 1</strong> of the <strong>ML Pipelines &amp; MLOps with Terraform</strong> series.</p> <ul> <li> <strong>Post 1:</strong> SageMaker Studio Domain (you are here) 🔬</li> <li> <strong>Post 2:</strong> SageMaker Endpoints - Deploy to Prod</li> <li> <strong>Post 3:</strong> SageMaker Feature Store</li> <li> <strong>Post 4:</strong> SageMaker Pipelines - CI/CD for ML</li> </ul> <p><em>Your ML workspace is provisioned. VPC-isolated, KMS-encrypted, IAM-scoped, with user profiles for every team member. The foundation for everything that follows: model training, deployment, feature engineering, and ML pipelines.</em> 🔬</p> <p><em>Found this helpful? Follow for the full ML Pipelines &amp; MLOps with Terraform series!</em> 💬</p> aws ai machinelearning devops Suhas Mallesh Sat, 28 Mar 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/azure-ai-agent-bing-grounding-real-time-web-search-with-terraform-500e https://dev.to/suhas_mallesh/azure-ai-agent-bing-grounding-real-time-web-search-with-terraform-500e <p>An agent without grounding hallucinates about current events. Bing Grounding gives your Azure AI agent real-time web search with source citations. Here's how to provision the Bing resource, connect it to your Foundry project, and attach it to your agent with Terraform.</p> <p>Through this series, we've built Azure AI agents that can reason, call functions, and coordinate multi-agent workflows. But ask one about today's news, current stock prices, or this week's weather, and it either hallucinates or admits its training data has a cutoff.</p> <p>Bing Grounding connects your agent to real-time web search. When the agent determines it needs current information, it searches Bing, retrieves relevant results, and generates a response grounded in those results with URL citations. The agent decides when to search. Bing provides the facts. Your users get accurate, sourced answers. 🎯</p> <h2> 🏗️ How Bing Grounding Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User: "What's the weather in Seattle today?" ↓ Agent analyzes request → determines it needs current data ↓ Agent invokes Bing Grounding tool ↓ Bing searches the web, returns relevant results ↓ Agent generates response grounded in Bing results ↓ User: "It's 55°F and partly cloudy in Seattle today." [Citation: weather.gov/seattle] </code></pre> </div> <p>The agent doesn't call the Bing API directly. The Foundry Agent Service handles the Bing integration through a connection resource. You provision the Bing resource, create the connection, and attach the tool to your agent.</p> <h2> 🔧 Two Bing Grounding Options </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Scope</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td><strong>Grounding with Bing Search</strong></td> <td>Full public web</td> <td>General current events, weather, news, live data</td> </tr> <tr> <td><strong>Grounding with Bing Custom Search</strong></td> <td>Specific domains you define</td> <td>Restricted searches (e.g., only your docs site, partner sites)</td> </tr> </tbody> </table></div> <p>Bing Search searches the full web. Bing Custom Search lets you restrict results to specific domains, useful when you want grounding but only from trusted sources.</p> <h2> 🔧 Terraform: Provision Bing Grounding </h2> <h3> Step 1: Create the Bing Grounding Resource </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/bing.tf</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"bing_grounding"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.Bing/accounts@2025-05-01-preview"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-bing-grounding"</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"global"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Grounding"</span> <span class="nx">sku</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"G1"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why <code>azapi</code>?</strong> The Bing Grounding resource isn't available in the <code>azurerm</code> provider yet. The <code>azapi</code> provider gives access to the latest Azure resource types directly.</p> <h3> Step 2: Connect Bing to Your Foundry Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/connection.tf</span> <span class="nx">resource</span> <span class="s2">"azapi_resource"</span> <span class="s2">"bing_connection"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Microsoft.CognitiveServices/accounts/connections@2025-06-01"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-bing-connection"</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">azurerm_cognitive_account</span><span class="p">.</span><span class="nx">ai_foundry</span><span class="p">.</span><span class="nx">id</span> <span class="nx">schema_validation_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">body</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">properties</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"ApiKey"</span> <span class="nx">target</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">bing_grounding</span><span class="p">.</span><span class="nx">output</span><span class="p">.</span><span class="nx">properties</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">authType</span> <span class="p">=</span> <span class="s2">"ApiKey"</span> <span class="nx">isSharedToAll</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">credentials</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">bing_grounding</span><span class="p">.</span><span class="nx">output</span><span class="p">.</span><span class="nx">properties</span><span class="p">.</span><span class="nx">accessKeys</span><span class="p">.</span><span class="nx">key1</span> <span class="p">}</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ApiType</span> <span class="p">=</span> <span class="s2">"Bing"</span> <span class="nx">ResourceId</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">bing_grounding</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This creates a connection between your Foundry project and the Bing resource. The connection ID is what your agent code references when attaching the Bing tool.</p> <h3> Step 3: Output the Connection ID </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/outputs.tf</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"agent_config"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/agent_code/agent_config.json"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">foundry_endpoint</span> <span class="p">=</span> <span class="nx">azurerm_cognitive_account</span><span class="p">.</span><span class="nx">ai_foundry</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">deployment_name</span> <span class="p">=</span> <span class="nx">azurerm_cognitive_deployment</span><span class="p">.</span><span class="nx">agent_model</span><span class="p">.</span><span class="nx">name</span> <span class="nx">agent_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-grounded-agent"</span> <span class="nx">instruction</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">agent_instruction</span> <span class="nx">bing_connection_id</span> <span class="p">=</span> <span class="nx">azapi_resource</span><span class="p">.</span><span class="nx">bing_connection</span><span class="p">.</span><span class="nx">id</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> 🐍 Create Agent with Bing Grounding </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># agent_code/create_agent.py </span> <span class="kn">from</span> <span class="n">azure.ai.agents</span> <span class="kn">import</span> <span class="n">AgentsClient</span> <span class="kn">from</span> <span class="n">azure.ai.agents.models</span> <span class="kn">import</span> <span class="n">BingGroundingTool</span> <span class="kn">from</span> <span class="n">azure.identity</span> <span class="kn">import</span> <span class="n">DefaultAzureCredential</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">agent_config.json</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">config</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">AgentsClient</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">foundry_endpoint</span><span class="sh">"</span><span class="p">],</span> <span class="n">credential</span><span class="o">=</span><span class="nc">DefaultAzureCredential</span><span class="p">(),</span> <span class="p">)</span> <span class="c1"># Create Bing grounding tool from connection </span><span class="n">bing_tool</span> <span class="o">=</span> <span class="nc">BingGroundingTool</span><span class="p">(</span> <span class="n">connection_id</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">bing_connection_id</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Create agent with Bing grounding </span><span class="n">agent</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_agent</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_name</span><span class="sh">"</span><span class="p">],</span> <span class="n">name</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">agent_name</span><span class="sh">"</span><span class="p">],</span> <span class="n">instructions</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a helpful assistant with access to real-time web search. When answering questions about current events, weather, news, stock prices, or any time-sensitive information, use Bing Search to ground your response. Always include source citations.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="n">bing_tool</span><span class="p">.</span><span class="n">definitions</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Agent created: </span><span class="si">{</span><span class="n">agent</span><span class="p">.</span><span class="nb">id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> 🧪 Query the Grounded Agent </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Create thread and send message </span><span class="n">thread</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">threads</span><span class="p">.</span><span class="nf">create</span><span class="p">()</span> <span class="n">client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">thread_id</span><span class="o">=</span><span class="n">thread</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="sh">"</span><span class="s">What are the top tech headlines today?</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Run the agent </span><span class="n">run</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">runs</span><span class="p">.</span><span class="nf">create_and_process</span><span class="p">(</span> <span class="n">thread_id</span><span class="o">=</span><span class="n">thread</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">agent_id</span><span class="o">=</span><span class="n">agent</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Get response with citations </span><span class="k">if</span> <span class="n">run</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="sh">"</span><span class="s">completed</span><span class="sh">"</span><span class="p">:</span> <span class="n">messages</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">list</span><span class="p">(</span><span class="n">thread_id</span><span class="o">=</span><span class="n">thread</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">messages</span><span class="p">:</span> <span class="k">if</span> <span class="n">msg</span><span class="p">.</span><span class="n">role</span> <span class="o">==</span> <span class="sh">"</span><span class="s">assistant</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Print the response text </span> <span class="nf">print</span><span class="p">(</span><span class="n">msg</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span><span class="p">.</span><span class="n">value</span><span class="p">)</span> <span class="c1"># Print URL citations </span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">msg</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span><span class="p">,</span> <span class="sh">"</span><span class="s">annotations</span><span class="sh">"</span><span class="p">):</span> <span class="k">for</span> <span class="n">annotation</span> <span class="ow">in</span> <span class="n">msg</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span><span class="p">.</span><span class="n">annotations</span><span class="p">:</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">annotation</span><span class="p">,</span> <span class="sh">"</span><span class="s">url_citation</span><span class="sh">"</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Source: </span><span class="si">{</span><span class="n">annotation</span><span class="p">.</span><span class="n">url_citation</span><span class="p">.</span><span class="n">url</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>The response includes inline URL citations. When Bing contributes to the answer, annotations link back to the source websites. These citations must be displayed to end users per Microsoft's Use and Display Requirements.</p> <h2> 📐 Combining Bing Grounding with Other Tools </h2> <p>An agent can have Bing Grounding alongside function calling tools:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.agents.models</span> <span class="kn">import</span> <span class="n">BingGroundingTool</span><span class="p">,</span> <span class="n">FunctionTool</span> <span class="n">bing_tool</span> <span class="o">=</span> <span class="nc">BingGroundingTool</span><span class="p">(</span><span class="n">connection_id</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">bing_connection_id</span><span class="sh">"</span><span class="p">])</span> <span class="n">exchange_rate_tool</span> <span class="o">=</span> <span class="nc">FunctionTool</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">get_exchange_rate</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Get live exchange rates between currencies.</span><span class="sh">"</span><span class="p">,</span> <span class="n">parameters</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">currency_from</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Source currency code</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">currency_to</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Target currency code</span><span class="sh">"</span><span class="p">},</span> <span class="p">},</span> <span class="sh">"</span><span class="s">required</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">currency_from</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">currency_to</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># Agent with both grounding and function tools </span><span class="n">agent</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_agent</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_name</span><span class="sh">"</span><span class="p">],</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">full-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">instructions</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a helpful assistant. Use Bing Search for current events, news, and general web queries. Use get_exchange_rate for live currency conversion rates. Choose the right tool based on the question.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="n">bing_tool</span><span class="p">.</span><span class="n">definitions</span> <span class="o">+</span> <span class="p">[</span><span class="n">exchange_rate_tool</span><span class="p">],</span> <span class="p">)</span> </code></pre> </div> <p>The agent routes between Bing for general web queries and your custom functions for specific operations. No conflicts between tool types.</p> <h2> 📐 Adding Azure AI Search (Private Docs) </h2> <p>For grounding against both public web and private documents, combine Bing with Azure AI Search:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">azure.ai.agents.models</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">BingGroundingTool</span><span class="p">,</span> <span class="n">AzureAISearchTool</span><span class="p">,</span> <span class="p">)</span> <span class="n">bing_tool</span> <span class="o">=</span> <span class="nc">BingGroundingTool</span><span class="p">(</span><span class="n">connection_id</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">bing_connection_id</span><span class="sh">"</span><span class="p">])</span> <span class="n">search_tool</span> <span class="o">=</span> <span class="nc">AzureAISearchTool</span><span class="p">(</span> <span class="n">index_connection_id</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">search_connection_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">index_name</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">search_index_name</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">agent</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_agent</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_name</span><span class="sh">"</span><span class="p">],</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">fully-grounded-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">instructions</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a company assistant. Use Bing for current events and public information. Use Azure AI Search for company policies and internal documents. Answer general knowledge questions directly.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="n">bing_tool</span><span class="p">.</span><span class="n">definitions</span> <span class="o">+</span> <span class="n">search_tool</span><span class="p">.</span><span class="n">definitions</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>The agent now has three paths: Bing for public web, AI Search for private docs, and direct answers for general knowledge.</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Citation display is required.</strong> When Bing Grounding contributes to a response, you must display the URL citations to end users. This is a requirement from Microsoft's Use and Display Requirements, not optional.</p> <p><strong>Data crosses compliance boundary.</strong> Bing queries are sent outside the Azure compliance boundary to the Bing service. Assess whether this meets your compliance requirements, especially in regulated industries.</p> <p><strong>Bing Grounding has per-transaction pricing.</strong> Each time the agent invokes the Bing tool, it counts as a grounding transaction. Check the Bing Grounding pricing page for current rates.</p> <p><strong>Agent decides when to search.</strong> The agent uses Bing only when it determines web search is needed. Clear instructions about when to use Bing help prevent unnecessary searches on questions the model can answer from general knowledge.</p> <p><strong>Connection-based architecture.</strong> The Bing resource connects to your Foundry project via a connection resource. If you move to a different project, recreate the connection. The Bing resource itself is reusable across projects.</p> <h2> ⏭️ Series Complete! </h2> <p>This is <strong>Post 4</strong> of the <strong>Azure AI Agents with Terraform</strong> series, and the <strong>final post</strong> of the entire multi-cloud blog series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/deploy-your-first-azure-ai-agent-with-terraform-model-agnostic-and-future-proof-1g72">Deploy First Azure AI Agent</a> 🤖</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/azure-ai-agent-function-calling-connect-your-agent-to-apis-with-terraform-3fg1">Function Calling - Connect to APIs</a> 🔌</li> <li> <strong>Post 3:</strong> <a href="https://dev.to/suhas_mallesh/multi-agent-orchestration-on-azure-workflow-patterns-with-agent-framework-and-terraform-5ge1">Multi-Agent Orchestration</a> 🧠</li> <li> <strong>Post 4:</strong> Agent + Bing Grounding (you are here) 📚</li> </ul> <p><em>Your agent is fully grounded. Bing for real-time web data. AI Search for private documents. Function calling for live APIs. From a simple model endpoint to a production-ready, multi-agent, grounded AI system - all defined in Terraform and Python.</em> 📚</p> azure ai agents devops Suhas Mallesh Fri, 27 Mar 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/vertex-ai-agent-google-search-grounding-real-time-facts-with-adk-and-terraform-2cpj https://dev.to/suhas_mallesh/vertex-ai-agent-google-search-grounding-real-time-facts-with-adk-and-terraform-2cpj <p>An agent without grounding hallucinates about current events. Google Search Grounding and Vertex AI Search give your ADK agent real-time web data and private document access with source citations. Here's how to wire both up with Terraform.</p> <p>Through this series, we've built ADK agents that can reason, call tools, and coordinate with other agents. But ask one about today's stock prices or your company's internal policies, and it either hallucinates or admits it doesn't know. The model's training data has a cutoff, and it has no access to your documents.</p> <p>Grounding fixes this with two built-in ADK tools: <strong>Google Search Grounding</strong> connects your agent to real-time web data - current events, live prices, recent news. <strong>Vertex AI Search Grounding</strong> connects your agent to your private documents - company policies, product specs, internal knowledge bases. Both return source-attributed responses with citations. 🎯</p> <h2> 🏗️ Two Grounding Approaches </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Data Source</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td><strong>Google Search</strong></td> <td>Public web (Google Search index)</td> <td>Current events, live data, general facts</td> </tr> <tr> <td><strong>Vertex AI Search</strong></td> <td>Your private documents (indexed datastore)</td> <td>Company policies, internal docs, product info</td> </tr> </tbody> </table></div> <p>You can use one or both. Google Search handles what's public and current. Vertex AI Search handles what's private and specific to your organization.</p> <h2> 🔧 Google Search Grounding </h2> <p>The simplest grounding option. Add the built-in <code>google_search</code> tool to your agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># agent_source/agent.py </span> <span class="kn">from</span> <span class="n">google.adk.agents</span> <span class="kn">import</span> <span class="n">Agent</span> <span class="kn">from</span> <span class="n">google.adk.models.vertexai</span> <span class="kn">import</span> <span class="n">VertexAi</span> <span class="n">model</span> <span class="o">=</span> <span class="nc">VertexAi</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="n">config</span><span class="p">[</span><span class="sh">"</span><span class="s">model_id</span><span class="sh">"</span><span class="p">])</span> <span class="n">search_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">search-grounded-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a helpful assistant that provides accurate, current information. When answering questions about recent events, current data, or anything that requires up-to-date information, use Google Search to ground your response. Always cite your sources.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">google_search</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> </code></pre> </div> <p>That's it. One line: <code>tools=["google_search"]</code>. The agent automatically searches the web when it determines the question needs current information.</p> <h3> What the Response Looks Like </h3> <p>When the agent uses Google Search, the response includes <code>groundingMetadata</code> with source URLs, search queries executed, and confidence scores per segment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">for</span> <span class="n">event</span> <span class="ow">in</span> <span class="n">runner</span><span class="p">.</span><span class="nf">run_async</span><span class="p">(</span> <span class="n">user_id</span><span class="o">=</span><span class="sh">"</span><span class="s">user-123</span><span class="sh">"</span><span class="p">,</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">new_message</span><span class="o">=</span><span class="n">types</span><span class="p">.</span><span class="nc">Content</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="n">parts</span><span class="o">=</span><span class="p">[</span><span class="n">types</span><span class="p">.</span><span class="nc">Part</span><span class="p">(</span><span class="n">text</span><span class="o">=</span><span class="sh">"</span><span class="s">What were today</span><span class="sh">'</span><span class="s">s major tech news?</span><span class="sh">"</span><span class="p">)]</span> <span class="p">)</span> <span class="p">):</span> <span class="k">if</span> <span class="n">event</span><span class="p">.</span><span class="n">content</span> <span class="ow">and</span> <span class="n">event</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="n">parts</span><span class="p">:</span> <span class="k">for</span> <span class="n">part</span> <span class="ow">in</span> <span class="n">event</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="n">parts</span><span class="p">:</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">part</span><span class="p">,</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">)</span> <span class="ow">and</span> <span class="n">part</span><span class="p">.</span><span class="n">text</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="n">part</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="c1"># Access grounding metadata for citations </span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="sh">"</span><span class="s">grounding_metadata</span><span class="sh">"</span><span class="p">):</span> <span class="k">for</span> <span class="n">chunk</span> <span class="ow">in</span> <span class="n">event</span><span class="p">.</span><span class="n">grounding_metadata</span><span class="p">.</span><span class="n">grounding_chunks</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Source: </span><span class="si">{</span><span class="n">chunk</span><span class="p">.</span><span class="n">web</span><span class="p">.</span><span class="n">uri</span><span class="si">}</span><span class="s"> - </span><span class="si">{</span><span class="n">chunk</span><span class="p">.</span><span class="n">web</span><span class="p">.</span><span class="n">title</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><strong>Important:</strong> When using Google Search Grounding in production, you must display the Search Suggestions provided in the response metadata. This is a requirement from Google's terms of service.</p> <h2> 🔧 Vertex AI Search Grounding (Private Documents) </h2> <p>For grounding against your own documents, use the <code>VertexAiSearchTool</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.adk.agents</span> <span class="kn">import</span> <span class="n">Agent</span> <span class="kn">from</span> <span class="n">google.adk.tools</span> <span class="kn">import</span> <span class="n">VertexAiSearchTool</span> <span class="c1"># Your Vertex AI Search datastore path </span><span class="n">DATASTORE_PATH</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">projects/</span><span class="si">{</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">project_id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/locations/global</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">/collections/default_collection</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">/dataStores/</span><span class="si">{</span><span class="n">config</span><span class="p">[</span><span class="sh">'</span><span class="s">datastore_id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">doc_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">doc-grounded-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a company policy expert. Answer questions about internal policies, procedures, and guidelines using the provided document store. Always cite the source document.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="nc">VertexAiSearchTool</span><span class="p">(</span><span class="n">data_store_id</span><span class="o">=</span><span class="n">DATASTORE_PATH</span><span class="p">)],</span> <span class="p">)</span> </code></pre> </div> <p>The agent queries your indexed documents, retrieves relevant chunks with semantic search, and generates a response grounded in your actual content. Source attributions include document titles and URIs.</p> <h3> Tool Limitation </h3> <p>Both <code>google_search</code> and <code>VertexAiSearchTool</code> are <strong>exclusive tools</strong> - they cannot be combined with other tools in the same agent instance. To use grounding alongside custom function tools, wrap the grounded agent as a sub-agent or use <code>AgentTool</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">google.adk.tools</span> <span class="kn">import</span> <span class="n">AgentTool</span> <span class="c1"># Grounded agent as a tool for the main agent </span><span class="n">search_assistant</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">searcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"</span><span class="s">Search the web for current information when asked.</span><span class="sh">"</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">google_search</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">doc_assistant</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">doc_lookup</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"</span><span class="s">Look up company policies and internal documents.</span><span class="sh">"</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="nc">VertexAiSearchTool</span><span class="p">(</span><span class="n">data_store_id</span><span class="o">=</span><span class="n">DATASTORE_PATH</span><span class="p">)],</span> <span class="p">)</span> <span class="c1"># Main agent uses grounded agents as tools alongside custom tools </span><span class="n">main_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">assistant</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a helpful assistant. Use the searcher for current events and live data. Use doc_lookup for company policies and internal info. Use get_exchange_rate for currency conversions.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span> <span class="nc">AgentTool</span><span class="p">(</span><span class="n">search_assistant</span><span class="p">),</span> <span class="nc">AgentTool</span><span class="p">(</span><span class="n">doc_assistant</span><span class="p">),</span> <span class="n">get_exchange_rate</span><span class="p">,</span> <span class="p">],</span> <span class="p">)</span> </code></pre> </div> <p>This is the production pattern: dedicated grounding agents wrapped as tools for a main orchestrator agent.</p> <h2> 🔧 Terraform: Infrastructure for Grounding </h2> <h3> APIs and Vertex AI Search Datastore </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/apis.tf</span> <span class="nx">resource</span> <span class="s2">"google_project_service"</span> <span class="s2">"grounding"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">([</span> <span class="s2">"aiplatform.googleapis.com"</span><span class="p">,</span> <span class="s2">"discoveryengine.googleapis.com"</span><span class="p">,</span> <span class="c1"># For Vertex AI Search</span> <span class="s2">"storage.googleapis.com"</span><span class="p">,</span> <span class="p">])</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">service</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <h3> Vertex AI Search Datastore (for Private Docs) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/datastore.tf</span> <span class="nx">resource</span> <span class="s2">"google_discovery_engine_data_store"</span> <span class="s2">"docs"</span> <span class="p">{</span> <span class="nx">location</span> <span class="p">=</span> <span class="s2">"global"</span> <span class="nx">data_store_id</span> <span class="p">=</span> <span class="s2">"${var.environment}-company-docs"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Company Documents"</span> <span class="nx">industry_vertical</span> <span class="p">=</span> <span class="s2">"GENERIC"</span> <span class="nx">content_config</span> <span class="p">=</span> <span class="s2">"CONTENT_REQUIRED"</span> <span class="nx">solution_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"SOLUTION_TYPE_SEARCH"</span><span class="p">]</span> <span class="nx">create_advanced_site_search</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> </code></pre> </div> <h3> IAM for Grounding </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/iam.tf</span> <span class="c1"># Agent SA needs Discovery Engine access for Vertex AI Search</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"discovery_viewer"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/discoveryengine.viewer"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.agent.email}"</span> <span class="p">}</span> </code></pre> </div> <h3> Config with Datastore ID </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># grounding/config.tf</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"agent_config"</span> <span class="p">{</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/agent_source/config.json"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">model_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">agent_model</span><span class="p">.</span><span class="nx">id</span> <span class="nx">agent_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-grounded-agent"</span> <span class="nx">datastore_id</span> <span class="p">=</span> <span class="nx">google_discovery_engine_data_store</span><span class="p">.</span><span class="nx">docs</span><span class="p">.</span><span class="nx">data_store_id</span> <span class="nx">instruction</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">agent_instruction</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> 📐 Combining Google Search + Vertex AI Search </h2> <p>The production pattern uses both grounding sources through the sub-agent approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Public data: current events, live information </span><span class="n">web_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">web_search</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"</span><span class="s">Search the public web for current, real-time information.</span><span class="sh">"</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">google_search</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Private data: company documents, internal policies </span><span class="n">docs_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">doc_search</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"</span><span class="s">Search company documents for internal policies and procedures.</span><span class="sh">"</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="nc">VertexAiSearchTool</span><span class="p">(</span><span class="n">data_store_id</span><span class="o">=</span><span class="n">DATASTORE_PATH</span><span class="p">)],</span> <span class="p">)</span> <span class="c1"># Orchestrator decides which source to use </span><span class="n">grounded_assistant</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">grounded_assistant</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="n">model</span><span class="p">,</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"""</span><span class="s">You are a knowledgeable assistant. For current events or public information, use web_search. For company policies or internal documents, use doc_search. For general knowledge questions, answer directly.</span><span class="sh">"""</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span> <span class="nc">AgentTool</span><span class="p">(</span><span class="n">web_agent</span><span class="p">),</span> <span class="nc">AgentTool</span><span class="p">(</span><span class="n">docs_agent</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> </code></pre> </div> <p>The orchestrator routes to the right grounding source based on the question type. Public questions go to Google Search. Internal questions go to Vertex AI Search. General knowledge questions get answered directly without grounding.</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>Exclusive tool limitation.</strong> <code>google_search</code> and <code>VertexAiSearchTool</code> can't be mixed with other tools in the same agent. Use the <code>AgentTool</code> wrapper pattern shown above.</p> <p><strong>Search Suggestions display requirement.</strong> When using Google Search Grounding in production, you must display the <code>searchEntryPoint</code> HTML/CSS from the response metadata. This is not optional.</p> <p><strong>Datastore indexing time.</strong> Vertex AI Search datastores need time to index your documents after upload. Don't test grounding immediately after creating the datastore - wait for indexing to complete.</p> <p><strong>Grounding adds latency.</strong> Each grounded response involves a search query plus retrieval. Expect 1-3 seconds of additional latency compared to non-grounded responses.</p> <p><strong>Confidence scores.</strong> The <code>groundingMetadata</code> includes confidence scores per response segment. Use these to flag low-confidence answers for human review in production.</p> <h2> ⏭️ Series Complete! </h2> <p>This is <strong>Post 4</strong> of the <strong>GCP AI Agents with Terraform</strong> series, and the final GCP post of the entire multi-cloud series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/deploy-your-first-vertex-ai-agent-with-terraform-and-adk-model-agnostic-and-future-proof-1en">Deploy First Vertex AI Agent</a> 🤖</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/vertex-ai-agent-tools-connect-your-agent-to-apis-with-adk-and-terraform-328n">Agent Tools - Connect to APIs</a> 🔌</li> <li> <strong>Post 3:</strong> <a href="https://dev.to/suhas_mallesh/multi-agent-systems-on-gcp-workflow-patterns-with-adk-and-terraform-6dk">Multi-Agent Systems</a> 🧠</li> <li> <strong>Post 4:</strong> Agent + Grounding (you are here) 📚</li> </ul> <p><em>Your agent is now grounded in reality. Google Search for real-time web data. Vertex AI Search for your private documents. Source citations on every response. No hallucinations, just facts.</em> 📚</p> <p><em>Thanks for following the full series! Follow for what comes next.</em> 💬</p> googlecloud ai agents devops Suhas Mallesh Thu, 26 Mar 2026 07:00:00 +0000 https://dev.to/suhas_mallesh/bedrock-agent-knowledge-base-ground-your-agent-in-real-data-with-terraform-2cdg https://dev.to/suhas_mallesh/bedrock-agent-knowledge-base-ground-your-agent-in-real-data-with-terraform-2cdg <p>An agent without grounding makes things up. Associate a Knowledge Base with your Bedrock Agent and every response is backed by your actual documents - with citations. Here's how to wire it up with Terraform.</p> <p>Through this series, we've built Bedrock Agents that can reason, call APIs via action groups, and coordinate with other agents. But ask one a question about your company's policies, and it either hallucinates or admits it doesn't know. The model has no access to your data.</p> <p>Knowledge Base association changes that. When you attach a Knowledge Base to your agent, the agent automatically queries your vector store when it needs domain-specific information. It retrieves relevant chunks, uses them as context, and generates a grounded response with citations back to your source documents. No hallucination. No guessing. Real answers from real data. 🎯</p> <h2> 🏗️ How Agent + Knowledge Base Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User: "What is our return policy for electronics?" ↓ Agent analyzes request → determines it needs domain knowledge ↓ Agent queries Knowledge Base (vector search) ↓ Knowledge Base returns relevant chunks from policies.pdf ↓ Agent generates response grounded in retrieved context ↓ User: "Electronics can be returned within 30 days with original receipt. Items must be in original packaging. [Source: return-policy-2024.pdf, page 3]" </code></pre> </div> <p>The agent decides when to query the Knowledge Base based on the KB instruction you provide. If the question can be answered without domain data (general knowledge, action group results), the agent skips the KB query.</p> <h2> 🔧 What You Need </h2> <p>This post assumes you have:</p> <ol> <li>A Bedrock Agent deployed (from Day 9)</li> <li>A Knowledge Base with synced data (from Series 2, RAG Posts)</li> </ol> <p>We're connecting the two. If you haven't built either, refer back to the earlier posts for the full setup.</p> <h2> 🔧 Terraform: Associate Knowledge Base with Agent </h2> <p>The association is a single Terraform resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># agent/kb_association.tf</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent_knowledge_base_association"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">agent_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kb_instruction</span> <span class="nx">knowledge_base_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">knowledge_base_id</span> <span class="nx">knowledge_base_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="p">}</span> </code></pre> </div> <p>That's it. One resource. The <code>description</code> field is the most important part - it tells the agent when and how to use the Knowledge Base.</p> <h3> The KB Instruction </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"kb_instruction"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Instruction telling the agent when to use the Knowledge Base"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> Use this knowledge base to answer questions about company policies, product information, and internal procedures. Query the knowledge base when the user asks about policies, returns, warranties, pricing, or any company-specific information. Do not answer these questions from general knowledge. </span><span class="no"> EOT </span><span class="p">}</span> </code></pre> </div> <p><strong>This instruction drives retrieval quality.</strong> A vague instruction like "use this for questions" means the agent queries the KB for everything, wasting tokens on general knowledge questions. A specific instruction like the one above targets retrieval to domain-specific queries only.</p> <h3> Re-Prepare After Association </h3> <p>The agent must be re-prepared after associating a Knowledge Base:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"prepare_after_kb"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">kb_association</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent_knowledge_base_association</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">kb_instruction</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kb_instruction</span> <span class="p">}</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws bedrock-agent prepare-agent --agent-id ${aws_bedrockagent_agent.this.agent_id} --region ${var.region}"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_bedrockagent_agent_knowledge_base_association</span><span class="p">.</span><span class="nx">this</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> IAM: Agent Needs KB Access </h3> <p>The agent's service role needs permission to retrieve from the Knowledge Base:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># agent/iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"agent_kb_retrieve"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"kb-retrieve"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"bedrock:Retrieve"</span><span class="p">,</span> <span class="s2">"bedrock:RetrieveAndGenerate"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:bedrock:${var.region}:${data.aws_caller_identity.current.account_id}:knowledge-base/${var.knowledge_base_id}"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> 📐 Full Agent with Action Groups + Knowledge Base </h2> <p>Here's the complete picture - an agent with both tools and grounding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># agent/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">agent_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.agent_name}"</span> <span class="nx">agent_resource_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">agent</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">foundation_model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">agent_model</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instruction</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">agent_instruction</span> <span class="nx">prepare_agent</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Prepare manually after KB + action groups</span> <span class="nx">idle_session_ttl_in_seconds</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">idle_session_ttl</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Model</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">agent_model</span><span class="p">.</span><span class="nx">display</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Action group for real-time API calls</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent_action_group"</span> <span class="s2">"api_tools"</span> <span class="p">{</span> <span class="nx">action_group_name</span> <span class="p">=</span> <span class="s2">"APITools"</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">agent_id</span> <span class="nx">agent_version</span> <span class="p">=</span> <span class="s2">"DRAFT"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Real-time API operations"</span> <span class="nx">action_group_executor</span> <span class="p">{</span> <span class="nx">lambda</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">api_tools</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">api_schema</span> <span class="p">{</span> <span class="nx">payload</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/schemas/api_tools.json"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Knowledge Base for document grounding</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent_knowledge_base_association"</span> <span class="s2">"docs"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">agent_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kb_instruction</span> <span class="nx">knowledge_base_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">knowledge_base_id</span> <span class="nx">knowledge_base_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="p">}</span> <span class="c1"># Prepare after everything is wired up</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"prepare_agent"</span> <span class="p">{</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">action_group</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent_action_group</span><span class="p">.</span><span class="nx">api_tools</span><span class="p">.</span><span class="nx">id</span> <span class="nx">kb</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent_knowledge_base_association</span><span class="p">.</span><span class="nx">docs</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws bedrock-agent prepare-agent --agent-id ${aws_bedrockagent_agent.this.agent_id} --region ${var.region}"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_bedrockagent_agent_action_group</span><span class="p">.</span><span class="nx">api_tools</span><span class="p">,</span> <span class="nx">aws_bedrockagent_agent_knowledge_base_association</span><span class="p">.</span><span class="nx">docs</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"time_sleep"</span> <span class="s2">"wait_for_preparation"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">prepare_agent</span><span class="p">]</span> <span class="nx">create_duration</span> <span class="p">=</span> <span class="s2">"15s"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent_alias"</span> <span class="s2">"live"</span> <span class="p">{</span> <span class="nx">agent_alias_name</span> <span class="p">=</span> <span class="s2">"${var.environment}-live"</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">agent_id</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">time_sleep</span><span class="p">.</span><span class="nx">wait_for_preparation</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>The agent now has two capabilities:</strong> action groups for real-time API calls (live exchange rates, order lookups) and Knowledge Base for document-grounded answers (policies, product info). The agent decides which to use based on the user's question.</p> <h2> 🧪 How the Agent Decides </h2> <p>When a user asks a question, the agent follows this decision flow:</p> <ol> <li> <strong>Can I answer from general knowledge?</strong> If yes, respond directly.</li> <li> <strong>Does this need a tool call?</strong> If the question requires live data (exchange rates, weather), invoke the action group.</li> <li> <strong>Does this need domain knowledge?</strong> If the question is about company-specific information, query the Knowledge Base.</li> <li> <strong>Do I need both?</strong> For complex questions, the agent can combine action group results with KB context.</li> </ol> <p>The KB instruction and action group descriptions guide these decisions. Clear, non-overlapping descriptions produce the best routing.</p> <h2> 📐 Multiple Knowledge Bases </h2> <p>An agent can have multiple Knowledge Bases, each for a different domain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent_knowledge_base_association"</span> <span class="s2">"policies"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">agent_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Use for questions about company policies, returns, and warranties."</span> <span class="nx">knowledge_base_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">policies_kb_id</span> <span class="nx">knowledge_base_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_bedrockagent_agent_knowledge_base_association"</span> <span class="s2">"products"</span> <span class="p">{</span> <span class="nx">agent_id</span> <span class="p">=</span> <span class="nx">aws_bedrockagent_agent</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">agent_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Use for questions about product specifications, features, and compatibility."</span> <span class="nx">knowledge_base_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">products_kb_id</span> <span class="nx">knowledge_base_state</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="p">}</span> </code></pre> </div> <p>Each KB instruction should clearly define its domain so the agent routes to the right KB. Overlapping instructions lead to incorrect retrieval.</p> <h2> ⚠️ Gotchas and Tips </h2> <p><strong>KB instruction quality is retrieval quality.</strong> A vague instruction means the agent queries the KB for everything, adding latency and cost to questions it could answer from general knowledge. Be specific about what types of questions should trigger a KB query.</p> <p><strong>Citations come free.</strong> When the agent uses KB context, the response includes source attributions with document names and page numbers. You don't need to build citation logic.</p> <p><strong>KB + action groups don't conflict.</strong> The agent can use both in a single conversation turn. For example: "Check my order status and tell me the return policy" might trigger an action group for order status and a KB query for the return policy.</p> <p><strong>Sync your KB before testing.</strong> The association works immediately, but the agent retrieves from whatever is currently indexed. If you haven't synced your data source recently, you'll get stale or empty results.</p> <p><strong>KB instruction updates require re-preparation.</strong> Changing the <code>description</code> field on the association triggers a Terraform update, but the agent must be re-prepared for the change to take effect.</p> <h2> ⏭️ Series Complete! </h2> <p>This is <strong>Post 4</strong> of the <strong>AWS AI Agents with Terraform</strong> series, and the final post of the entire multi-cloud series.</p> <ul> <li> <strong>Post 1:</strong> <a href="https://dev.to/suhas_mallesh/deploy-your-first-bedrock-agent-with-terraform-model-agnostic-and-future-proof-25k">Deploy First Bedrock Agent</a> 🤖</li> <li> <strong>Post 2:</strong> <a href="https://dev.to/suhas_mallesh/bedrock-agent-action-groups-connect-your-agent-to-apis-with-terraform-5ddc">Action Groups - Connect to APIs</a> 🔌</li> <li> <strong>Post 3:</strong> <a href="https://dev.to/suhas_mallesh/multi-agent-orchestration-on-aws-supervisor-pattern-with-terraform-1e9j">Multi-Agent Orchestration</a> 🧠</li> <li> <strong>Post 4:</strong> Agent + Knowledge Base Grounding (you are here) 📚</li> </ul> <p><em>Your agent is now grounded. It reasons through complex requests, calls APIs for live data, coordinates with specialist agents, and answers domain questions from your actual documents with citations. From a simple endpoint to a fully autonomous, grounded AI agent - all in Terraform.</em> 📚</p> <p><em>Thanks for following the full series! Follow for what comes next.</em> 💬</p> aws ai agents devops