AWS

There are steps in this guide where Truefoundry team will have to be involved. Please reach out to support@truefoundry.com to get the credentials.

Setting up TrueFoundry control plane on your own cloud involves creating the infrastructure to support the platform and then installing the platform itself.

Setting up Infrastructure

Requirements

All the compute plane requirements must be met in order to install the control plane. Below are the additional requirements for the control plane:

Requirements	Description	Reason for Requirement
Postgres RDS	Postgres >= 13	The database is used by Truefoundry control plane to store all its metadata
S3 bucket	Any S3 bucket reachable from control-plane	This is used by control-plane to store the intermediate code while building the docker image
Egress Access for TruefoundryAuth	Egress access to https://auth.truefoundry.com and analytics.truefoundry.com	This is needed to verify the users logging into the Truefoundry platform for licensing purposes
Additional Truefoundry information	Additional information for control plane deployment which will be provided by Truefoundry team	This includes tenant name, licence key, and image pull secret
DNS	Domain for control plane and service endpoints	One endpoint to point to the control plane service (e.g., platform.example.com) The control-plane URL must be reachable from the compute-plane. The developers will need to access the Truefoundry UI at the provided domain
User/ServiceAccount to provision the infrastructure	Set of permissions needed to provision the infrastructure for Truefoundry control-plane. Detailed here	Required to set up and manage the infrastructure components

Permissions Required

For the control plane, we will be using the following permissions:

export REGION="" # us-east-1
export ACCOUNT_ID="" #123524493244
export CLUSTER_NAME=""

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "rds:AddTagsToResource",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "rds:DeleteTenantDatabase",
                "iam:AddRoleToInstanceProfile",
                "rds:CreateDBInstance",
                "rds:DescribeDBInstances",
                "rds:RemoveTagsFromResource",
                "rds:CreateTenantDatabase",
                "iam:TagInstanceProfile",
                "rds:DeleteDBInstance"
            ],
            "Resource": [
                "arn:aws:iam::$ACCOUNT_ID:instance-profile/*",
                "arn:aws:rds:$REGION:$ACCOUNT_ID:db:$CLUSTER_NAME*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeDBSubnetGroups",
                "iam:DeleteOpenIDConnectProvider",
                "iam:GetOpenIDConnectProvider",
                "rds:CreateDBSubnetGroup",
                "rds:ListTagsForResource",
                "rds:RemoveTagsFromResource",
                "iam:TagOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider",
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance"
            ],
            "Resource": [
                "arn:aws:rds:$REGION:$ACCOUNT_ID:subgrp:$CLUSTER_NAME*",
                "arn:aws:iam::$ACCOUNT_ID:oidc-provider/*"
            ]
        },
        {
            "Sid": "VisualEditor9",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances"
            ],
            "Resource": [
                "arn:aws:rds:$REGION:$ACCOUNT_ID:db:*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy",
                "iam:TagPolicy"
            ],
            "Resource": [
                "arn:aws:iam::$ACCOUNT_ID:policy/tfy-*",
                "arn:aws:iam::$ACCOUNT_ID:policy/truefoundry-*",
                "arn:aws:iam::$ACCOUNT_ID:policy/AmazonEKS_Karpenter_Controller_Policy*",
                "arn:aws:iam::$ACCOUNT_ID:policy/AmazonEKS_CNI_Policy*",
                "arn:aws:iam::$ACCOUNT_ID:policy/AmazonEKS_AWS_Load_Balancer_Controller*",
                "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "elasticfilesystem:*",
                "iam:GetRole",
                "s3:ListAllMyBuckets",
                "kms:*",
                "ec2:*",
                "s3:ListBucket",
                "route53:AssociateVPCWithHostedZone",
                "sts:GetCallerIdentity",
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:$REGION:$ACCOUNT_ID:table/$CLUSTER_NAME*"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": [
                "arn:aws:iam::$ACCOUNT_ID:role/$CLUSTER_NAME*",
                "arn:aws:iam::$ACCOUNT_ID:role/$CLUSTER_NAME*"
            ]
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::$CLUSTER_NAME*/*",
                "arn:aws:s3:::$CLUSTER_NAME*/*",
                "arn:aws:s3:::$CLUSTER_NAME*",
                "arn:aws:s3:::$CLUSTER_NAME*",
                "arn:aws:s3:::$CLUSTER_NAME*",
                "arn:aws:s3:::$CLUSTER_NAME*/*"
            ]
        },
        {
            "Sid": "VisualEditor7",
            "Effect": "Allow",
            "Action": "events:*",
            "Resource": "arn:aws:events:$REGION:$ACCOUNT_ID:rule/$CLUSTER_NAME*"
        },
        {
            "Sid": "VisualEditor8",
            "Effect": "Allow",
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:$REGION:$ACCOUNT_ID:$CLUSTER_NAME*"
        }
    ]
}

Overview GCP

On this page

Setting up Infrastructure
Requirements
Permissions Required

Getting Started

Train and Deploy Models

Service Deployment

Job Deployment

Workflow Deployment

Async Service Deployment

Volumes

ML Repository

Secret Management

Access Control

Platform

Deploying On Your Own Cloud

HOW TOs

There are steps in this guide where Truefoundry team will have to be involved. Please reach out to support@truefoundry.com to get the credentials.

Setting up Infrastructure

Requirements

Permissions Required

Getting Started

Train and Deploy Models

Service Deployment

Job Deployment

Workflow Deployment

Async Service Deployment

Volumes

ML Repository

Secret Management

Access Control

Platform

Deploying On Your Own Cloud

HOW TOs

​There are steps in this guide where Truefoundry team will have to be involved. Please reach out to support@truefoundry.com to get the credentials.

​Setting up Infrastructure

​Requirements

​Permissions Required

There are steps in this guide where Truefoundry team will have to be involved. Please reach out to support@truefoundry.com to get the credentials.

Setting up Infrastructure

Requirements

Permissions Required