1. Secure Ingress for OCI Autonomous Data Warehouse


    To secure ingress for an OCI (Oracle Cloud Infrastructure) Autonomous Data Warehouse, we need to create the Autonomous Database with proper network security settings that restrict access to authorized sources. An Oracle Autonomous Data Warehouse is a fully managed, pre-configured database optimized for data warehouse workloads with the ability to elastically scale compute and storage resources.

    The following Pulumi Python program sets up an Autonomous Database with network security in place. We’ll use the oci.Database.AutonomousDatabase resource from the pulumi_oci package, which allows us to define the configuration for the Autonomous Database.

    We will specify:

    1. nsgIds: Network Security Group IDs that the Autonomous Database belongs to for controlling traffic to and from the database.
    2. isAccessControlEnabled: A boolean that indicates whether access control is enabled. If true, network access is restricted to the IP addresses from whitelistedIps.
    3. whitelistedIps: The list of allowed IP addresses.

    Before proceeding, ensure you have the OCI Pulumi provider configured correctly with the necessary authentication credentials and permissions.

    Below is a detailed Pulumi program that sets up a secure Autonomous Database with ingress defined through network security groups and whitelisted IP addresses.

    import pulumi import pulumi_oci as oci # Define the Network Security Group (NSG) resource which will have security rules # associated with the ADW for controlling traffic. network_security_group = oci.core.NetworkSecurityGroup("adwNsg", compartment_id=oci.config.require("compartmentId"), display_name="ADW Network Security Group", vcn_id=oci.config.require("vcnId"), freeform_tags={ "Name": "ADW Network Security Group" } ) # Create an Autonomous Database with the specified network security configurations. autonomous_database = oci.database.AutonomousDatabase("adwDatabase", compartment_id=oci.config.require("compartmentId"), # OCID of the compartment db_name="example_adw_db", # Name for the Autonomous Database cpu_core_count=1, # Number of OCPU cores data_storage_size_in_tb=1, # Storage size (in TBs) admin_password=oci.config.require_secret("adminPass"), # Admin password, should be provided as a secret db_workload="DW", # Database workload type (OLTP or DW) is_free_tier=False, # Specify if using the Always-Free tier display_name="exampleADW", # Display name for the Autonomous Database license_model="LICENSE_INCLUDED", # Licensing model nsg_ids=[network_security_group.id], # Network Security Group IDs is_access_control_enabled=True, # Enable access control whitelisted_ips=[""], # Set allowed IP addresses # Additional configurations can be set here. ) # Omitting the detailed configuration of the security rules for brevity, but it should follow # the same approach as above, creating oci.core.SecurityRule resources associated with the NSG. # Output the Autonomous Database OCID and the private endpoint IP if available. pulumi.export("autonomous_database_ocid", autonomous_database.id) if autonomous_database.private_endpoint_ip: pulumi.export("private_endpoint_ip", autonomous_database.private_endpoint_ip)

    In this program:

    • We create an instance of the AutonomousDatabase class from the pulumi_oci package, giving it a configuration that includes the necessary details for our data warehouse.
    • The compartment_id parameter specifies the OCID of the compartment within OCI where your resources will live.
    • db_name gives a name to the Autonomous Database, and cpu_core_count along with data_storage_size_in_tb specify its compute and storage capacity.
    • The admin_password is pulled from the Pulumi configuration and should be handled as a secret.
    • db_workload is set to "DW" to optimize for data warehousing.
    • The nsg_ids parameter links our database to our previously defined network security group, which will contain ingress rules.
    • is_access_control_enabled and whitelisted_ips control which IP addresses are allowed to connect to the database.
    • Finally, we export important information like the Database OCID and the private endpoint IP, which can be used to reference the database in other parts of our stack or infrastructure.

    To run this program, save it to a file (e.g., main.py), and then simply execute pulumi up in your console within the directory where the file is located. Pulumi will begin provisioning the resources as defined.

    Please note that creating and managing OCI resources incurs costs and you should ensure that certain clean-up actions (such as pulumi destroy) are performed if resources are no longer needed to avoid unnecessary charges.