Aws_sagemaker_model: modelPackageArn failed to satisfy constraint

I used the Terraform code below to create a Sagemaker model package group and created a Sagemaker model which is added to the model package group. I encountered the

Error: creating SageMaker model: ValidationException: 1 validation error detected: Value ‘arn:aws:sagemaker:ap-southeast-2:123456789012:model-package-group/dev-my-model-group’ at ‘modelPackageArn’ failed to satisfy constraint: Member must satisfy regular expression pattern: ^arn:aws(-cn|-us-gov)?:sagemaker:[a-z0-9-]{9,16}:[0-9]{12}:model-package/[\S]{1,2048}$

It looks like the model package arn contains “:model-package-group”. However, the arn needed by “aws_sagemaker_model” can only contain “:model-package”. I am not sure if this is a bug or there is an issue in my code.

resource "aws_sagemaker_model_package_group" "sagemaker_model_group" {
  model_package_group_name = var.sagemaker_model_group_name
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "model_group_role" {
  statement {
    sid       = "AddPermModelPackageGroup"
    actions   = ["sagemaker:DescribeModelPackage", "sagemaker:ListModelPackages"]
    resources = [aws_sagemaker_model_package_group.sagemaker_model_group.arn]
    principals {
      identifiers = [data.aws_caller_identity.current.account_id]
      type        = "AWS"
    }
  }
}

resource "aws_sagemaker_model_package_group_policy" "model_group_policy" {
  model_package_group_name = aws_sagemaker_model_package_group.sagemaker_model_group.model_package_group_name
  resource_policy          = jsonencode(jsondecode(data.aws_iam_policy_document.model_group_role.json))
}

resource "aws_sagemaker_model" "sagemaker_model" {
  name               = var.sagemaker_model_name
  execution_role_arn = aws_iam_role.sagemaker_access_iam_role.arn

  primary_container {
    image              = var.container_image
    model_data_url     = var.model_data_url
    model_package_name = aws_sagemaker_model_package_group.sagemaker_model_group.arn
    mode               = "SingleModel"
  }
}

Hi @johnong100 ,

I’m not very familiar with AWS and SageMaker, but reading the documentation, that attribute on the aws_sagemaker_model resource is for a model package ARN, not a model package group ARN.

Further investigation led me to:

[Enhancement]: add ModelPackageName to Sagemaker ContainerDefinition for sagemaker_model · Issue #31533 · hashicorp/terraform-provider-aws (github.com)

Which references:
Use a Model Package to Create a Model - Amazon SageMaker
CreateModel - Amazon SageMaker

Hopefully that will give you some other avenues to investigate.

Hope that helps

Happy Terraforming

Thanks! I found that I could use the following:
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/sagemaker_model_package
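
An added example, not part of the original posts: a Python check that applies the pattern from the error message to `model_package_name` values in Terraform's JSON plan output, so a group ARN is flagged before apply. The sample plan, resource names and the `/1` version suffix are constructed; the layout used (`resource_changes`, `change.after`, `change.after_unknown`) is Terraform's JSON plan representation.

```python
import re

# Pattern copied from the ValidationException quoted in the question.
MODEL_PACKAGE_ARN = re.compile(
    r"^arn:aws(-cn|-us-gov)?:sagemaker:[a-z0-9-]{9,16}:[0-9]{12}:model-package/[\S]{1,2048}$"
)

def classify(value):
    """Classify a model_package_name value as ok, group-arn, invalid or unknown."""
    if value is None:
        return "unknown"    # computed at apply time, the plan cannot show it
    if MODEL_PACKAGE_ARN.match(value):
        return "ok"
    if ":model-package-group/" in value:
        return "group-arn"  # the mistake from the question
    return "invalid"

def check_plan(plan):
    """Return (address, verdict) for every container that sets model_package_name."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_sagemaker_model":
            continue
        change = rc.get("change") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        for block in ("primary_container", "container"):
            pending = unknown.get(block)
            pending = pending if isinstance(pending, list) else []
            for i, ctr in enumerate(after.get(block) or []):
                value = ctr.get("model_package_name")
                deferred = (i < len(pending) and isinstance(pending[i], dict)
                            and pending[i].get("model_package_name") is True)
                if value is not None or deferred:
                    findings.append((rc["address"], classify(value)))
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>` output.
ARN = "arn:aws:sagemaker:ap-southeast-2:123456789012:"
def _rc(name, after, unknown):
    return {"address": "aws_sagemaker_model." + name, "type": "aws_sagemaker_model",
            "change": {"after": {"primary_container": [after]},
                       "after_unknown": {"primary_container": [unknown]}}}
SAMPLE_PLAN = {"resource_changes": [
    _rc("from_group", {"model_package_name": ARN + "model-package-group/dev-my-model-group"}, {}),
    _rc("from_package", {"model_package_name": ARN + "model-package/dev-my-model-group/1"}, {}),
    _rc("deferred", {"mode": "SingleModel"}, {"model_package_name": True}),
]}
```

When the model package group is created in the same apply, its ARN is still computed at plan time and the check reports `unknown`; the mismatch is only visible in the plan once the value is known.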