Policy updates required for RDMA clusters and deploying to different compartments added to admin deployment and docs. (#65)

Author: dkennetzoracle

docs/api_documentation.md

@@ -9,6 +9,7 @@
 | Parameter                                    | Type    | Required | Description                                                                                                                                                                                                                                                                                                                                                                       |
 | -------------------------------------------- | ------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | recipe_id                                    | string  | Yes      | One of the following: `llm_inference_nvidia`, `lora_finetune_nvidia`, or `mlcommons_lora_finetune_nvidia`                                                                                                                                                                                                                                                                         |
+| recipe_compartment_ocid                      | string  | No       | The OCID of the compartment where the blueprint should be deployed. Note, this will require additional policy scope for blueprints to use resources such as object storage in this compartment.                                 | 
 | deployment_name                              | string  | Yes      | Any deployment name to identify the deployment details easily. Must be unique from other recipe deployments.                                                                                                                                                                                                                                                                      |
 | recipe_mode                                  | string  | Yes      | One of the following: `service`, `job`, `update`, or `shared_node_pool`. Enter `service` for inference recipe deployments, `job` for fine-tuning recipe deployments, `update` for updating existing deployments (currently only supported for MIG), and `shared_node_pool` for creating a shared node pool. |
 | recipe_node_labels                           | object[string][string]  | No       | Additional labels to apply to a node pool in the form `{"label": "value"}`                                                                                                                                                                                                                                                                                                        |

docs/custom_blueprints/blueprint_json_schema.json

@@ -35,6 +35,9 @@
           "recipe_id": {
             "type": "string"
           },
+          "recipe_compartment_ocid": {
+            "type": "string"
+          },
           "deployment_name": {
             "type": "string"
           },

docs/iam_policies.md

@@ -34,6 +34,9 @@ More info on dynamic groups can be found here: https://docs.oracle.com/en-us/iaa
 ```
 Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to inspect all-resources in tenancy
 Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to manage all-resources in compartment {comparment_name}
+Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to {CLUSTER_JOIN} in compartment {compartment_name}
+Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to manage volumes in TENANCY where request.principal.type = 'cluster'
+Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to manage volume-attachments in TENANCY where request.principal.type = 'cluster'
 ```
 
 **Option #2: Fine-Grain Access:**
@@ -98,4 +101,8 @@ Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to inspect compartme
 Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to manage cluster-node-pools in compartment {compartment_name}
 
 Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to {CLUSTER_JOIN} in compartment {compartment_name}
+
+Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to manage volumes in TENANCY where request.principal.type = 'cluster'
+
+Allow dynamic-group 'IdentityDomainName'/'DynamicGroupName' to manage volume-attachments in TENANCY where request.principal.type = 'cluster'
 ```

oci_ai_blueprints_terraform/policies.tf

@@ -24,8 +24,11 @@ resource "oci_identity_policy" "oke_instances_tenancy_policy" {
   statements = [
     "Allow dynamic-group 'Default'/'${oci_identity_dynamic_group.dyn_group[0].name}' to manage all-resources in compartment ${data.oci_identity_compartment.oci_compartment.name}",
     "Allow dynamic-group 'Default'/'${oci_identity_dynamic_group.dyn_group[0].name}' to use all-resources in tenancy",
+    "Allow dynamic-group 'Default'/'${oci_identity_dynamic_group.dyn_group[0].name}' to {CLUSTER_JOIN} in compartment ${data.oci_identity_compartment.oci_compartment.name}",
+    "Allow dynamic-group 'Default'/'${oci_identity_dynamic_group.dyn_group[0].name}' to manage volumes in TENANCY where request.principal.type = 'cluster'",
+    "Allow dynamic-group 'Default'/'${oci_identity_dynamic_group.dyn_group[0].name}' to manage volume-attachments in TENANCY where request.principal.type = 'cluster'"
   ]
   freeform_tags = local.corrino_tags
   count         = var.policy_creation_enabled ? 1 : 0
   depends_on    = [oci_identity_dynamic_group.dyn_group]
-}
+}