Merge pull request #659 from VipulMascarenhas/update_ai_policies_2

Update AI Hub Policies

Author: gargnipungarg

VERSION

@@ -1 +1 @@
-4.0
+4.1

ai-hub/ai-document-converter/policies/terraform/model_deployment.tf

@@ -68,8 +68,9 @@ resource "oci_datascience_model_deployment" "ai_deployment" {
   freeform_tags = {
     "ai-hub-solution-name"       = "PDF to markdown conversion"
     "ai_solution_playground_url" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/"
-    "ai_solution_mcp_endpoint" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/mcp"
-    "ai_solution_api_endpoint_list_apis" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/api/convert"
+    "ai_solution_mcp_endpoint" = "/predictWithResponseStream/mcp/"
+    "ai_solution_api_endpoint" = "/predict/api/convert"
+    "ai_solution_readme" = "https://github.com/oracle-samples/oci-data-science-ai-samples/blob/main/ai-hub/ai-document-converter/README.md"
   }
 
   depends_on = [oci_identity_policy.ai_solution_policies]

ai-hub/ai-document-converter/policies/terraform/policies.tf

@@ -1,26 +1,25 @@
 resource "oci_identity_dynamic_group" "ai_solution_group" {
+  count = use_existing_dynamic_group_and_policies ? 0 : 1
   compartment_id = var.tenancy_ocid
   description    = "Dynamic Group for AI Solution"
   name           = "ai_solution_group-${random_string.randomstring.result}"
   matching_rule  = "any { all {resource.type='datasciencemodeldeployment',resource.compartment.id='${var.data_science_project_compartment_id}'}, all {resource.type='apigateway',resource.compartment.id='${var.compartment_id}'},all {resource.type='computecontainerinstance',resource.compartment.id='${var.vcn_compartment_id}'},all {resource.type='datasciencejobrun', resource.compartment.id='${var.data_science_project_compartment_id}'}}"
 }
 
-locals {
-  policies = [
-    "allow service datascience to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage secret-family in compartment id ${var.vault_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to use logging-family in compartment id ${var.log_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage data-science-family in compartment id ${var.data_science_project_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage generative-ai-family in tenancy",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to read repos in tenancy"
-  ]
-}
-
 resource "oci_identity_policy" "ai_solution_policies" {
+    count = use_existing_dynamic_group_and_policies ? 0 : 1
     compartment_id = "${var.tenancy_ocid}"
     description    = "Dynamic group policies for AI Solution"
     name           = "ai_solution_policies-${random_string.randomstring.result}"
-    statements     = local.policies
+    statements     = [
+    "allow service datascience to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage secret-family in compartment id ${var.vault_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to use logging-family in compartment id ${var.log_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage data-science-family in compartment id ${var.data_science_project_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage generative-ai-family in tenancy",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to read repos in tenancy",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to use objects in compartment id ${var.compartment_id}"
+  ]
     depends_on = [oci_identity_dynamic_group.ai_solution_group]
 }

ai-hub/ai-document-converter/policies/terraform/schema.yaml

@@ -31,6 +31,7 @@ variableGroups:
     variables:
       - compartment_id
       - availability_domain
+      - use_existing_dynamic_group_and_policies
   - title: "Network"
     variables:
       - vcn_compartment_id
@@ -83,6 +84,12 @@ variables:
     description: The availability domain in which to create Compute resources.
     dependsOn:
       compartmentId: ${compartment_id}
+  use_existing_dynamic_group_and_policies:
+    type: boolean
+    title: Use existing Dynamic Group and Policies
+    required: true
+    default: false
+    description: If checked, the stack will not create additional Dynamic Group and Policies and expect required Dynamic Group and Policies to be present
   #Network Configuration
   vcn_compartment_id:
     type: oci:identity:compartment:id

ai-hub/ai-document-converter/policies/terraform/variables.tf

@@ -86,6 +86,12 @@ variable "key_id" {
   default     = "none"
 }
 
+variable "use_existing_dynamic_group_and_policies" {
+  type        = bool
+  description = "Use existing Dynamic Group and Policies"
+  default     = true
+}
+
 # ------------------------- Environment variables required for Document Extraction Application ----------------------------- #
 
 # The following variables will be used by deployment.

ai-hub/ai-translation/policies/terraform/model_deployment.tf

@@ -72,8 +72,9 @@ resource "oci_datascience_model_deployment" "ai_deployment" {
   freeform_tags = {
     "ai-hub-solution-name" = "LLM based translation"
     "ai_solution_playground_url" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/"
-    "ai_solution_mcp_endpoint" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/mcp"
-    "ai_solution_api_endpoint_list_apis" = "https://${oci_apigateway_gateway.ai_application_oci_apigateway_gateway.hostname}/api/translate"
+    "ai_solution_mcp_endpoint" = "/predictWithResponseStream/mcp/"
+    "ai_solution_api_endpoint" = "/predictWithResponseStream/api/translate"
+    "ai_solution_readme" = "https://github.com/oracle-samples/oci-data-science-ai-samples/blob/main/ai-hub/ai-translation/README.md"
   }
 
 }

ai-hub/ai-translation/policies/terraform/policies.tf

@@ -1,27 +1,26 @@
 resource "oci_identity_dynamic_group" "ai_solution_group" {
+  count = use_existing_dynamic_group_and_policies ? 0 : 1  
   compartment_id = var.tenancy_ocid
   description    = "Dynamic Group for AI Solution"
   name           = "ai_solution_group-${random_string.randomstring.result}"
   matching_rule  = "any { all {resource.type='datasciencemodeldeployment',resource.compartment.id='${var.data_science_project_compartment_id}'}, all {resource.type='apigateway',resource.compartment.id='${var.compartment_ocid}'},all {resource.type='computecontainerinstance',resource.compartment.id='${var.vcn_compartment_id}'},all {resource.type='datasciencejobrun', resource.compartment.id='${var.data_science_project_compartment_id}'}}"
 }
 
-locals {
-  policies = [
-    "allow service datascience to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage secret-family in compartment id ${var.vault_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to use logging-family in compartment id ${var.log_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage data-science-family in compartment id ${var.data_science_project_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage generative-ai-family in tenancy",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to manage generative-ai-family in compartment id ${var.data_science_project_compartment_id}",
-    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group.name} to read repos in tenancy"
-  ]
-}
-
 resource "oci_identity_policy" "ai_solution_policies" {
+    count = use_existing_dynamic_group_and_policies ? 0 : 1
     compartment_id = "${var.tenancy_ocid}"
     description    = "Dynamic group policies for AI Solution"
     name           = "ai_solution_policies-${random_string.randomstring.result}"
-    statements     = local.policies
+    statements     = [
+    "allow service datascience to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage secret-family in compartment id ${var.vault_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to use virtual-network-family in compartment id ${var.vcn_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to use logging-family in compartment id ${var.log_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage data-science-family in compartment id ${var.data_science_project_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage generative-ai-family in tenancy",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to manage generative-ai-family in compartment id ${var.data_science_project_compartment_id}",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to read repos in tenancy",
+    "allow dynamic-group ${oci_identity_dynamic_group.ai_solution_group[0].name} to use objects in compartment id ${var.compartment_ocid}"
+  ]
     depends_on = [oci_identity_dynamic_group.ai_solution_group]
 }

ai-hub/ai-translation/policies/terraform/schema.yaml

@@ -22,6 +22,7 @@ variableGroups:
     variables:
       - compartment_ocid
       - availability_domain
+      - use_existing_dynamic_group_and_policies
       - data_science_project_compartment_id
       - project_ocid
       - log_compartment_id
@@ -116,6 +117,12 @@ variables:
     required: false
     title: Log OCID
     description: Log OCID.
+  use_existing_dynamic_group_and_policies:
+    type: boolean
+    title: Use existing Dynamic Group and Policies
+    required: true
+    default: false
+    description: If checked, the stack will not create additional Dynamic Group and Policies and expect required Dynamic Group and Policies to be present
   # Application
   data_science_project_compartment_id:
     type: oci:identity:compartment:id

ai-hub/ai-translation/policies/terraform/variables.tf

@@ -77,6 +77,12 @@ variable "key_id" {
   default     = "none"
 }
 
+variable "use_existing_dynamic_group_and_policies" {
+  type        = bool
+  description = "Use existing Dynamic Group and Policies"
+  default     = true
+}
+
 variable "data_science_project_compartment_id" {
   description = "Compartment in which Data Science Project is present"
   type        = string