Resource Hierarchy for AI Platform Access Control

Question

Pulumi · Accepted Answer

To set up a resource hierarchy for AI Platform Access Control, you need to define a structure that clearly differentiates permissions and access controls at different levels of the organization. This can include organization policies, management groups, and role-based access control (RBAC) depending on the cloud provider you're using.

Assuming we are using Google Cloud Platform (GCP) as the cloud provider for an AI Platform, we would typically manage resource hierarchy with organization policies and RBAC roles using Google Cloud resources like `gcp.orgpolicy.Policy` for organization policies, and `google-native.compute/beta.ServiceAttachmentIamMember` for managing access control on specific resources.

Here is a Pulumi program that creates an organization policy and sets up service attachment IAM members to define access control in a hierarchical way:

```python
import pulumi
import pulumi_gcp as gcp
import pulumi_google_native.compute.beta as compute_beta

# Organization-level policy that restricts sharing of AI Platform resources
# outside the organization.
org_policy = gcp.orgpolicy.Policy("aiPlatformRestrictSharingPolicy",
    constraint="constraints/iam.allowedPolicyMemberDomains",
    boolean_policy=gcp.orgpolicy.PolicyBooleanPolicyArgs(
        enforced=True,
    ),
    parent=f"organizations/{gcp_organization_id}",
)

# IAM member binding for the AI Platform's service attachment,
# granting specific roles to a service account.
service_attachment_iam_member = compute_beta.ServiceAttachmentIamMember("aiPlatformServiceAttachmentIamMember",
    service_attachment="projects/my-project/regions/us-central1/serviceAttachments/my-service-attachment",
    role="roles/editor",
    member="serviceAccount:my-service-account@my-project.iam.gserviceaccount.com",
)

# Export the organization policy ID and service attachment IAM member ID
pulumi.export("policy_id", org_policy.name)
pulumi.export("service_attachment_iam_member_id", service_attachment_iam_member.name)
```

In the code above:

- We create an organization policy using `gcp.orgpolicy.Policy` ([GCP docs](https://www.pulumi.com/registry/packages/gcp/api-docs/orgpolicy/policy/)) that enforces a restriction on sharing AI Platform resources only within the organization by setting the `constraint` to `constraints/iam.allowedPolicyMemberDomains` and making it `enforced`.

- We then create a service attachment IAM member using `compute_beta.ServiceAttachmentIamMember` ([GCP docs](https://www.pulumi.com/registry/packages/google-native/api-docs/compute/beta/serviceattachmentiammember/)) that binds a `serviceAccount` to a `role` on a specific service attachment, effectively setting who has what level of access to the AI Platform resources.

- Finally, we export both the organization policy ID and the service attachment IAM member ID using `pulumi.export`. These exported values can be used in other parts of your infrastructure as needed.

This structure ensures that AI Platform resources are used in compliance with your organization's access and compliance standards. You can add more policies or IAM member bindings to create a comprehensive resource hierarchy to protect and manage your AI Platform environment effectively.