Dynamic Group-Based Access for OCI Functions
PythonIn Oracle Cloud Infrastructure (OCI), Functions is a serverless platform that enables you to run code in response to events, without the need to manage servers or runtimes, and Dynamic Groups are a feature that allows you to group OCI resources so that you can assign a common policy for automated tasks.
Using Pulumi with OCI, you can define and manage both Functions and Dynamic Groups programmatically, providing a way to grant function-based resources permissions to other OCI resources dynamically. Here's a detailed overview of how you can create an OCI Function and the necessary Dynamic Group for group-based access and policies:
-
oci.Functions.Application: This resource represents an application within OCI Functions, which acts as a logical grouping of functions. We define an application before deploying functions to it.
-
oci.Functions.Function: This is the actual serverless function you create within the context of an application. This function will be invoked based on your defined events or triggers.
-
oci.Identity.DynamicGroup: A Dynamic Group allows you to create a group with members defined by a matching rule. The members can be a list of OCI resources, such as compute instances or functions, that match the rule. This helps you manage access policies more dynamically than with static groups.
-
oci.Identity.Policy: Identity policies in OCI let you define what actions a group or dynamic group can perform. After setting up the function and the dynamic group, we'll need to create a policy to specify what the dynamic group can access or do.
Here's a Pulumi program in Python that sets up an OCI Function and a Dynamic Group to manage its access:
import pulumi import pulumi_oci as oci # Create an OCI Functions Application. app = oci.functions.Application("my-app", compartment_id=oci.config.require("compartment_id"), display_name="my-functions-app", subnet_ids=[oci.config.require("subnet_id")]) # Define the OCI Function within the application. function = oci.functions.Function("my-function", application_id=app.id, display_name="my-oci-function", image=oci.config.require("docker-image"), memory_in_mbs=pulumi.Config().require_int("memory_in_mbs")) # Create a Dynamic Group for the function. dynamic_group = oci.identity.DynamicGroup("my-dynamic-group", compartment_id=oci.config.require("compartment_id"), description="Dynamic group for my function", matching_rule=f"resource.id = '{function.id.apply(str)}'") # Define an Identity Policy that allows the dynamic group to invoke functions. policy = oci.identity.Policy("my-policy", compartment_id=oci.config.require("compartment_id"), description="Policy for dynamic group to invoke functions", statements=[ f"Allow dynamic-group {dynamic_group.name} to function-family in compartment {oci.config.require('compartment_id')}" ]) # Export the function's invoke endpoint. pulumi.export("invoke_endpoint", function.invoke_endpoint)To use this program, replace the placeholder values with actual values from your OCI environment:
oci.config.require("compartment_id")with the OCI compartment ID where you wish to create these resources.oci.config.require("subnet_id")with the subnet ID that the application will use.oci.config.require("docker-image")with the Docker image for the function (e.g.,phx.ocir.io/namespace/repo:tag).memory_in_mbswith the amount of memory allocated to the function.
Before running this program with Pulumi CLI, ensure that you've set up the required permissions and that your Pulumi stack is configured with the required settings:
pulumi config set oci:compartment_id <compartment-id> pulumi config set subnet_id <subnet-id> pulumi config set docker-image <docker-image> pulumi config set memory_in_mbs 128 # Example memory allocation in megabytesThis code sets up the access so that any resource within the dynamic group, which in our case includes our function, can interact with other OCI services that are specified in the policy. It provides a way to manage access dynamically as the group's membership isn't static and can change based on the matching rule.
-