1. OCI Autonomous Database Access by Resource Tags


    To grant access to an Oracle Cloud Infrastructure (OCI) Autonomous Database based on resource tags, you would typically define tagging strategies and policies within your OCI environment. In OCI, tags are key-value pairs that you can attach to resources, which can then be used for organizing and controlling access to resources.

    Below is a Pulumi program in Python that demonstrates how you might:

    1. Import standard tag namespaces.
    2. Tag an Autonomous Database with these standard tags.
    3. Set access policies using these tags. The policies themselves are OCI Identity and Access Management (IAM) policies, which is currently not feasible through Pulumi's OCI provider, so this step is assumed to be done manually in the OCI console or through scripted calls to OCI's APIs.

    In the program, I will start by creating an ImportStandardTagsManagement resource, which ensures that you have a standardized tagging setup that can be associated with OCI resources. Then, I will show you how to create an Autonomous Database and tag it. Note that enforcement of access control based on tags is out of the scope of Pulumi and needs to be handled on the OCI IAM side.

    The following Python Pulumi program assumes that you have already set up the OCI provider and authenticated with the correct permissions to create resources and manage tags:

```python
import pulumi
import pulumi_oci as oci

# Compartment ID where the resources will be created.
# Replace this with your actual compartment ID.
compartment_id = "ocid1.compartment.oc1..exampleuniqueID"

# Read the ADMIN password from Pulumi config as a secret instead of hard-coding it
# (a hard-coded password ends up in source control and in the state file in plain text):
#   pulumi config set --secret adminPassword '<strong, unique password>'
config = pulumi.Config()
admin_password = config.require_secret("adminPassword")

# Define standard tag namespaces by importing them.
# 'standard_tag_namespace_name' is the name of the tag namespace you wish to import, e.g. "CostCenter".
standard_tags_management = oci.identity.ImportStandardTagsManagement(
    "importStandardTags",
    compartment_id=compartment_id,
    standard_tag_namespace_name="CostCenter",
)

# Create an Autonomous Database.
autonomous_db = oci.database.AutonomousDatabase(
    "myAutonomousDatabase",
    compartment_id=compartment_id,
    db_name="myADB",
    admin_password=admin_password,
    cpu_core_count=1,
    data_storage_size_in_tbs=1,
    db_workload="OLTP",
    display_name="myAutonomousDatabase",
    is_auto_scaling_enabled=True,
    is_free_tier=False,
    # Apply tags to the database using the tag namespace that was imported.
    # This example assumes a tag namespace "CostCenter" and a tag key "Project" already exist in OCI.
    defined_tags={"CostCenter": {"Project": "ProjectA"}},
    freeform_tags={"Environment": "Dev"},
    # Make sure the tag namespace import has completed before the defined tag is applied.
    opts=pulumi.ResourceOptions(depends_on=[standard_tags_management]),
)

# The tagging above does not by itself enforce access control. To enforce it, you would
# typically write an OCI IAM policy whose condition refers to the resource's defined tag.
# In OCI policy syntax (written in OCI, not via Pulumi) this looks like:
#   Allow group ADBAdmins to manage autonomous-database-family in compartment Development
#   where target.resource.tag.CostCenter.Project = 'ProjectA'

# Export the Autonomous Database OCID and the applied tags.
pulumi.export("autonomousDatabaseOcid", autonomous_db.id)
pulumi.export("autonomousDatabaseDefinedTags", autonomous_db.defined_tags)
```

    What the above program does:

    1. We define a compartment where the resources will reside.
    2. We import standard tag namespaces that we intend to use for our resources, which is a good practice to maintain consistency and governance across your organization's cloud resources.
    3. We create an OCI Autonomous Database in the provided compartment, with a set of configuration options such as CPU core count and storage size.
    4. We apply both defined tags and freeform tags to the Autonomous Database. Defined tags are structured and typically used for enforcing policies and governance, while freeform tags are flexible and can be used for ad-hoc labeling.
    5. Finally, we export the OCID (Oracle Cloud Identifier) and the defined tags of the Autonomous Database for reference.

    Keep in mind that this Pulumi program only sets up the resources and tags. Actual access control policies based on tags need to be implemented in the OCI Identity and Access Management (IAM) system. This typically involves writing IAM policies that grant privileges to users or groups based on the tags attached to the resources. These IAM policies need to be managed directly through the OCI console or via API calls/scripts, as Pulumi's OCI provider currently doesn't support IAM policy management.
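As an added illustration, not part of the original program, the helper below builds a tag-conditioned OCI IAM statement from the same tag mapping used for `defined_tags`, and checks that a resource's defined tags actually satisfy the statement's `where` clause before the policy is applied in OCI. It goes slightly beyond the page's single-condition example by handling `all {...}` and `any {...}` groups; the group, verb and compartment names are placeholders.

```python
import re
from typing import Dict, List, Mapping

# Constructed sample: the defined tags the page applies to the Autonomous Database.
ADB_DEFINED_TAGS: Dict[str, Dict[str, str]] = {"CostCenter": {"Project": "ProjectA"}}


def tag_scoped_statement(group: str, verb: str, resource: str, compartment: str,
                         required_tags: Mapping[str, Mapping[str, str]]) -> str:
    """Build one OCI IAM policy statement whose 'where' clause limits the grant to
    resources carrying every given defined tag (target.resource.tag.<namespace>.<key>)."""
    conds: List[str] = [f"target.resource.tag.{ns}.{key} = '{val}'"
                        for ns, keys in required_tags.items() for key, val in keys.items()]
    if not conds:
        raise ValueError("refusing to build an unconditional grant: no tags given")
    where = conds[0] if len(conds) == 1 else "all {" + ", ".join(conds) + "}"
    return f"Allow group {group} to {verb} {resource} in compartment {compartment} where {where}"


# One tag condition: namespace, key and quoted value.
_COND = re.compile(r"target\.resource\.tag\.(\w[\w-]*)\.(\w[\w-]*)\s*=\s*'([^']*)'")


def statement_matches(statement: str, defined_tags: Mapping[str, Mapping[str, str]]) -> bool:
    """Evaluate the tag conditions of a statement against a resource's defined tags.

    Supports a single condition or an 'all {...}' / 'any {...}' group, which is the
    subset of OCI conditional syntax used here. A statement with no 'where' clause
    matches every resource in its compartment scope.
    """
    if " where " not in statement:
        return True
    where = statement.split(" where ", 1)[1].strip()
    conds = _COND.findall(where)
    if not conds:
        raise ValueError(f"no tag conditions recognised in: {where}")
    results = [defined_tags.get(ns, {}).get(key) == val for ns, key, val in conds]
    return any(results) if where.startswith("any") else all(results)


if __name__ == "__main__":
    stmt = tag_scoped_statement("ADBAdmins", "manage", "autonomous-database-family",
                                "Development", ADB_DEFINED_TAGS)
    print(stmt)
    print("ADB in scope:", statement_matches(stmt, ADB_DEFINED_TAGS))
```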

    For more details on tagging in Oracle Cloud Infrastructure, you can refer to the OCI documentation.