1. Secure Ingress for OCI Autonomous Data Warehouse


    To secure ingress for an OCI (Oracle Cloud Infrastructure) Autonomous Data Warehouse, we need to create the Autonomous Database with proper network security settings that restrict access to authorized sources. An Oracle Autonomous Data Warehouse is a fully managed, pre-configured database optimized for data warehouse workloads with the ability to elastically scale compute and storage resources.

    The following Pulumi Python program sets up an Autonomous Database with network security in place. We’ll use the oci.database.AutonomousDatabase resource from the pulumi_oci package, which allows us to define the configuration for the Autonomous Database.

    We will specify:

    1. nsg_ids: Network Security Group IDs that the Autonomous Database belongs to, for controlling traffic to and from the database.
    2. is_access_control_enabled: A boolean that indicates whether access control is enabled. If true, network access is restricted to the IP addresses listed in whitelisted_ips.
    3. whitelisted_ips: The list of allowed IP addresses.

    Before proceeding, ensure you have the OCI Pulumi provider configured correctly with the necessary authentication credentials and permissions.

    Below is a detailed Pulumi program that sets up a secure Autonomous Database with ingress defined through network security groups and whitelisted IP addresses.

    import pulumi
    import pulumi_oci as oci

    # Stack configuration: compartmentId, vcnId and adminPass are read from the Pulumi
    # config (set with `pulumi config set`; use `--secret` for adminPass).
    config = pulumi.Config()
    compartment_id = config.require("compartmentId")

    # Define the Network Security Group (NSG) whose security rules will control
    # traffic to and from the ADW.
    network_security_group = oci.core.NetworkSecurityGroup(
        "adwNsg",
        compartment_id=compartment_id,
        display_name="ADW Network Security Group",
        vcn_id=config.require("vcnId"),
        freeform_tags={"Name": "ADW Network Security Group"},
    )

    # Create an Autonomous Database with the specified network security configuration.
    autonomous_database = oci.database.AutonomousDatabase(
        "adwDatabase",
        compartment_id=compartment_id,                      # OCID of the compartment
        db_name="exampleadwdb",                             # Max 14 alphanumeric chars, no underscores
        cpu_core_count=1,                                   # Number of OCPU cores
        data_storage_size_in_tbs=1,                         # Storage size (in TB)
        admin_password=config.require_secret("adminPass"),  # Admin password, kept as a secret
        db_workload="DW",                                   # Database workload type (OLTP or DW)
        is_free_tier=False,                                 # Not using the Always Free tier
        display_name="exampleADW",                          # Display name for the Autonomous Database
        license_model="LICENSE_INCLUDED",                   # Licensing model
        nsg_ids=[network_security_group.id],                # Network Security Group IDs
        is_access_control_enabled=True,                     # Enable access control
        whitelisted_ips=["10.0.0.1"],                       # Allowed IP addresses
        # Additional configuration can be set here.
    )

    # The NSG's security rules are omitted here for brevity; they are created as
    # oci.core.NetworkSecurityGroupSecurityRule resources attached to the NSG above.

    # Output the Autonomous Database OCID and the private endpoint IP. Both are Pulumi
    # Outputs (not plain values), so they are exported as-is rather than tested for truthiness.
    pulumi.export("autonomous_database_ocid", autonomous_database.id)
    pulumi.export("private_endpoint_ip", autonomous_database.private_endpoint_ip)

    In this program:

    • We create an instance of the AutonomousDatabase class from the pulumi_oci package, giving it a configuration that includes the necessary details for our data warehouse.
    • The compartment_id parameter specifies the OCID of the compartment within OCI where your resources will live.
    • db_name gives a name to the Autonomous Database, and cpu_core_count along with data_storage_size_in_tbs specify its compute and storage capacity.
    • The admin_password is pulled from the Pulumi configuration and should be handled as a secret.
    • db_workload is set to "DW" to optimize for data warehousing.
    • The nsg_ids parameter links our database to our previously defined network security group, which will contain the ingress rules. NSG rules take effect when the database is given a private endpoint in your VCN (by setting subnet_id), so plan for that if the NSG is meant to be the enforcement point.
    • is_access_control_enabled and whitelisted_ips control which IP addresses are allowed to connect to the database.
    • Finally, we export important information like the Database OCID and the private endpoint IP, which can be used to reference the database in other parts of our stack or infrastructure.
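    The NSG security rules that the program above leaves out, as an added example (not code from the page or from the pulumi_oci project): a builder that rejects malformed or over-broad source ranges before they become NSG rules, and a helper that attaches one rule per allowed range. It assumes the ADW sits on a private endpoint (subnet_id set) and that clients connect over TCPS on port 1522; the names build_ingress_rules, attach_ingress_rules and the /16 cut-off are choices made for this example.

```python
import ipaddress

# Added example (not from the page or the pulumi_oci project): validate the allowed
# source ranges, then build the ingress rules the NSG from the program above needs.
# Assumes the ADW is created with a private endpoint (subnet_id set), since NSGs only
# apply there, and that clients use TCPS on port 1522, the ADB default for mTLS.

ADB_TCPS_PORT = 1522
MIN_PREFIX_LEN = 16  # anything broader than a /16 (e.g. 0.0.0.0/0) is rejected


def build_ingress_rules(allowed_cidrs, port=ADB_TCPS_PORT):
    """Return one stateful TCP ingress rule spec per allowed IPv4 CIDR.

    Malformed or over-broad ranges raise ValueError: a single 0.0.0.0/0 entry
    would expose the listener to the internet and turn the NSG into a no-op.
    """
    rules = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
        if net.version != 4:
            raise ValueError(f"only IPv4 sources handled here: {cidr}")
        if net.prefixlen < MIN_PREFIX_LEN:
            raise ValueError(f"source {cidr} is too broad for a database listener")
        rules.append({
            "direction": "INGRESS",
            "protocol": "6",  # OCI takes the IANA protocol number; 6 is TCP
            "source_type": "CIDR_BLOCK",
            "source": str(net),
            "stateless": False,
            "tcp_options": {"destination_port_range": {"min": port, "max": port}},
            "description": f"ADW TCPS from {net}",
        })
    return rules


def attach_ingress_rules(nsg_id, allowed_cidrs, port=ADB_TCPS_PORT):
    """Create one oci.core.NetworkSecurityGroupSecurityRule per allowed range.

    The provider is imported here so build_ingress_rules() stays unit-testable
    without pulumi_oci installed.
    """
    import pulumi_oci as oci
    return [
        oci.core.NetworkSecurityGroupSecurityRule(
            f"adwIngress{i}", network_security_group_id=nsg_id, **spec)
        for i, spec in enumerate(build_ingress_rules(allowed_cidrs, port))
    ]
```

    In the stack, call attach_ingress_rules(network_security_group.id, ["10.0.0.1"]) after the NSG is defined; a bare host address becomes a /32 rule, and a typo such as 0.0.0.0/0 fails at preview time instead of silently opening the listener.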

    To run this program, save it to a file (e.g., main.py), and then simply execute pulumi up in your console within the directory where the file is located. Pulumi will begin provisioning the resources as defined.

    Please note that creating and managing OCI resources incurs costs and you should ensure that certain clean-up actions (such as pulumi destroy) are performed if resources are no longer needed to avoid unnecessary charges.