⭐ Add SageMaker clusters, feature groups, model packages, model cards, spaces, user profiles #7149

Merged: tas50 merged 1 commit into main from feat/sagemaker-resources on Apr 10, 2026

@tas50 (Member) commented Apr 10, 2026

Summary

  • Add 10 new SageMaker sub-resources: HyperPod clusters (with instance groups and nodes), feature groups (with feature definitions), model packages, model package groups, model cards, spaces, and user profiles
  • Add typed VPC cross-references (vpc()) to model, training job, processing job, and cluster resources
  • Add missing fields to notebook instance details (instanceType, ipAddressType, platformIdentifier, volumeSizeInGB, failureReason, iamRole, securityGroups)
  • Add missing fields to domain (subnets, defaultExecutionRole, ssoLoginUrl, securityGroupForDomainBoundary, appSecurityGroupManagement)
  • Add missing fields to training job (iamRole, algorithmSpecification, hyperParameters, enableNetworkIsolation, enableInterContainerTrafficEncryption, failureReason, billableTimeInSeconds, outputDataConfig, resourceConfig, stoppingCondition)
  • Add missing fields to processing job (iamRole, enableNetworkIsolation, enableInterContainerTrafficEncryption, processingResources, environment)
  • Add SageMaker-to-SageMaker cross-references: modelPackage→modelPackageGroup, space→domain, userProfile→domain

New resources

| Resource | Key fields | Typed refs |
|---|---|---|
| aws.sagemaker.cluster | arn, name, status, instanceGroups, orchestrator, nodes | iamRole, vpc |
| aws.sagemaker.clusterInstanceGroup | instanceGroupName, instanceType, status, currentCount, targetCount | iamRole, lifecycleConfig |
| aws.sagemaker.clusterNode | instanceId, instanceGroupName, instanceType, status, privateDnsHostname | |
| aws.sagemaker.featureGroup | arn, name, status, featureDefinitions, offlineStoreConfig, onlineStoreConfig | iamRole |
| aws.sagemaker.featureDefinition | featureName, featureType, collectionType | |
| aws.sagemaker.modelPackage | arn, name, approvalStatus, inferenceSpecification | kmsKey, modelPackageGroup |
| aws.sagemaker.modelPackageGroup | arn, name, status, description | |
| aws.sagemaker.modelCard | arn, name, modelCardStatus, content, modelCardVersion | kmsKey |
| aws.sagemaker.space | arn, name, status, displayName, settings, ownerUserProfileName | domain |
| aws.sagemaker.userProfile | arn, name, status, singleSignOnUserIdentifier | domain |

Enhanced existing resources

| Resource | New fields |
|---|---|
| notebookinstancedetails | ipAddressType, platformIdentifier, volumeSizeInGB, failureReason, iamRole, securityGroups |
| domain | subnets, defaultExecutionRole, ssoLoginUrl, securityGroupForDomainBoundary, appSecurityGroupManagement |
| trainingJob | vpc, iamRole, algorithmSpecification, hyperParameters, enableNetworkIsolation, enableInterContainerTrafficEncryption, failureReason, billableTimeInSeconds, outputDataConfig, resourceConfig, stoppingCondition |
| processingJob | vpc, iamRole, enableNetworkIsolation, enableInterContainerTrafficEncryption, processingResources, environment |
| model | vpc (typed cross-reference replacing raw vpcConfig) |
| inferenceComponent | failureReason |

Test plan

  • Build provider: make providers/build/aws && make providers/install/aws
  • Verify models with VPC cross-ref: mql run aws -c "aws.sagemaker.models { name vpc }"
  • Verify pipelines: mql run aws -c "aws.sagemaker.pipelines { name tags }"
  • Verify domains with new fields: mql run aws -c "aws.sagemaker.domains { name subnets defaultExecutionRole }"
  • Verify notebook details: mql run aws -c "aws.sagemaker.notebookInstances { name details { securityGroups iamRole platformIdentifier volumeSizeInGB } }"
  • Verify feature groups: mql run aws -c "aws.sagemaker.featureGroups { name featureDefinitions { featureName featureType } iamRole offlineStoreConfig }"
  • Verify model packages: mql run aws -c "aws.sagemaker.modelPackages { name approvalStatus inferenceSpecification }"
  • Verify model package groups: mql run aws -c "aws.sagemaker.modelPackageGroups { name status description }"
  • Verify model cards: mql run aws -c "aws.sagemaker.modelCards { name modelCardStatus content kmsKey }"
  • Verify spaces with domain ref: mql run aws -c "aws.sagemaker.spaces { name domain displayName settings }"
  • Verify user profiles with domain traversal: mql run aws -c "aws.sagemaker.userProfiles { name domain { name subnets } }"
  • Verify training jobs with VPC: mql run aws -c "aws.sagemaker.trainingJobs { name vpc iamRole }"
  • Verify processing jobs: mql run aws -c "aws.sagemaker.processingJobs { name vpc iamRole }"
  • Verify endpoints: mql run aws -c "aws.sagemaker.endpoints { name status }"
  • Verify clusters (requires HyperPod-supported region): mql run aws -c "aws.sagemaker.clusters { name status instanceGroups nodes }"

🤖 Generated with Claude Code

@mondoo-code-review mondoo-code-review bot left a comment

New SageMaker resources added; user profiles ignore tag filters and cluster node IP is always empty.

Comment thread providers/aws/config/config.go Outdated

github-actions bot commented Apr 10, 2026

Test Results

6 417 tests  ±0   6 413 ✅ ±0   2m 7s ⏱️ +7s
  458 suites ±0       4 💤 ±0 
   38 files   ±0       0 ❌ ±0 

Results for commit 90562a2. ± Comparison against base commit e64d1d8.

♻️ This comment has been updated with latest results.

@mondoo-code-review mondoo-code-review bot left a comment

New SageMaker resources won't surface notebook instance details (ipAddressType, platformIdentifier, volumeSizeInGB, failureReason) and CI spell check will break due to removed dictionary words still in use.

Comment thread providers/aws/resources/aws.lr Outdated
Comment thread .github/actions/spelling/expect.txt
Comment thread providers/aws/config/config.go

@mondoo-code-review mondoo-code-review bot left a comment

SageMaker cluster instance group IDs can collide across clusters in the same region, and spell-check expect.txt still missing required terms.

Comment thread providers/aws/resources/aws_sagemaker.go
Comment thread .github/actions/spelling/expect.txt

@mondoo-code-review mondoo-code-review bot left a comment

SageMaker feature definitions may silently share cached data across different feature groups due to non-unique IDs

Comment thread providers/aws/resources/aws_sagemaker.go
Comment thread providers/aws/resources/aws_sagemaker.go

@mondoo-code-review mondoo-code-review bot left a comment

Feature definition ID collisions remain unfixed; cluster instance group ID fix looks correct.

Comment thread providers/aws/resources/aws_sagemaker.go Outdated
@tas50 tas50 force-pushed the feat/sagemaker-resources branch from d258359 to 356cf56 Compare April 10, 2026 19:51
@mondoo-code-review mondoo-code-review bot dismissed their stale review April 10, 2026 19:52

Superseded by new review

@mondoo-code-review mondoo-code-review bot left a comment

ID collision and access-denied fixes for new SageMaker resources look correct.

@mondoo-code-review mondoo-code-review bot left a comment

New SageMaker resource types appear well-implemented with proper pagination and null handling.

Comment thread providers/aws/resources/aws.lr.versions
@tas50 tas50 force-pushed the feat/sagemaker-resources branch 2 times, most recently from e21e466 to 10e14b7 Compare April 10, 2026 20:53
…, spaces, user profiles

New resources:
- aws.sagemaker.cluster: HyperPod clusters with instance groups, nodes, VPC, IAM role
- aws.sagemaker.clusterInstanceGroup: instance group details with IAM role, lifecycle config
- aws.sagemaker.clusterNode: individual cluster node status and metadata
- aws.sagemaker.featureGroup: feature store groups with online/offline store config
- aws.sagemaker.featureDefinition: individual feature definitions within a group
- aws.sagemaker.modelPackage: standalone model packages with inference specs
- aws.sagemaker.modelPackageGroup: model package group metadata
- aws.sagemaker.modelCard: model documentation cards with KMS encryption
- aws.sagemaker.space: SageMaker Studio spaces with domain cross-reference
- aws.sagemaker.userProfile: Studio user profiles with domain cross-reference

Enhanced existing resources:
- notebookinstancedetails: added ipAddressType, platformIdentifier, volumeSizeInGB,
  failureReason, iamRole, securityGroups fields
- domain: added subnets, defaultExecutionRole, ssoLoginUrl,
  securityGroupForDomainBoundary, appSecurityGroupManagement fields
- inferenceComponent: added failureReason field
- model: added vpc typed cross-reference (replaces raw vpcConfig)
- trainingJob: added vpc, iamRole, algorithmSpecification, hyperParameters,
  enableNetworkIsolation, enableInterContainerTrafficEncryption, failureReason,
  billableTimeInSeconds, outputDataConfig, resourceConfig, stoppingCondition
- processingJob: added vpc, iamRole, enableNetworkIsolation,
  enableInterContainerTrafficEncryption, processingResources, environment

All new typed cross-references use cached internal structs to avoid N+1 API
calls. Resource IDs include parent identifiers to prevent cache collisions.
HyperPod cluster listing gracefully handles regions where the API is unavailable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
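
The ID-collision problem raised in the reviews, and the "resource IDs include parent identifiers" fix named in the commit message, shown as an added example (not code from this pull request or the project). It assumes a runtime cache keyed by resource ID where the first stored object wins; the type names, ID formats and ARNs are constructed for illustration. With name-only IDs, an audit of the second feature group silently reports the first group's data.

```go
package main

import "fmt"

// featureDef is a hypothetical stand-in for a child resource such as a feature definition.
type featureDef struct{ GroupARN, Name, Type string }

// resourceCache models (as an assumption) a runtime that deduplicates resources
// by string ID: the first object stored under an ID is returned for later lookups.
type resourceCache map[string]featureDef

func (c resourceCache) getOrCreate(id string, fd featureDef) featureDef {
	if hit, ok := c[id]; ok {
		return hit
	}
	c[id] = fd
	return fd
}

// nameOnlyID is the collision-prone scheme: nothing ties the ID to the parent.
func nameOnlyID(fd featureDef) string { return "featureDefinition/" + fd.Name }

// parentScopedID prefixes the parent's ARN so equal names in different groups differ.
func parentScopedID(fd featureDef) string { return fd.GroupARN + "/featureDefinition/" + fd.Name }

// Constructed sample data: two feature groups that both define "customer_id".
var sample = []featureDef{
	{"arn:aws:sagemaker:us-east-1:111122223333:feature-group/fraud", "customer_id", "String"},
	{"arn:aws:sagemaker:us-east-1:111122223333:feature-group/marketing", "customer_id", "Integral"},
}

// reportedTypes loads every sample definition through a fresh cache and returns
// the feature type the cache hands back for each group.
func reportedTypes(idFor func(featureDef) string) map[string]string {
	c := resourceCache{}
	out := map[string]string{}
	for _, fd := range sample {
		out[fd.GroupARN] = c.getOrCreate(idFor(fd), fd).Type
	}
	return out
}

func main() {
	fmt.Println("name-only IDs:    ", reportedTypes(nameOnlyID))
	fmt.Println("parent-scoped IDs:", reportedTypes(parentScopedID))
}
```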
@tas50 tas50 force-pushed the feat/sagemaker-resources branch from 10e14b7 to 90562a2 Compare April 10, 2026 20:59
@tas50 tas50 merged commit e9ab512 into main Apr 10, 2026
22 checks passed
@tas50 tas50 deleted the feat/sagemaker-resources branch April 10, 2026 21:04
@github-actions github-actions bot locked and limited conversation to collaborators Apr 10, 2026