OCI Functions Authentication for Serverless AI Services

Question

Pulumi · Accepted Answer

To create serverless AI services with authentication in Oracle Cloud Infrastructure (OCI), we would generally set up a Functions Application and a Function within OCI, which allows for running code in response to events without the need to manage infrastructure. The Functions application acts as a container for your functions and their common settings, while individual Functions define specific pieces of code to execute.

To invoke these functions securely, OCI provides a resource called `InvokeFunction` which handles the actual invocation of your deployed function. The Function itself needs to be deployed with the appropriate Docker image that includes your AI service logic.

Authentication, in this context, generally refers to securing your function so that only authenticated calls are allowed to execute it. OCI supports an identity and access management (IAM) service, which we can integrate with Functions to control access.

Let's go step by step to create an OCI Function with authentication for serverless AI services:

1. **Create a Functions Application** (`oci.Functions.Application`): This groups your functions and defines shared configuration such as network settings or logging.

2. **Create a Function** (`oci.Functions.Function`): This specifies the Docker image to run, the memory allocation, and other configurations specific to the function.

3. **Invoke the Function** (`oci.Functions.InvokeFunction`): This simulates invoking the function, possibly from an application or another service.

4. **Apply authentication**: We can use IAM policies to control who can invoke the function. This is not directly represented as a resource in Pulumi but can be set up using OCI's IAM service separately.

**Note:** The actual setting up of IAM policies and authentication mechanisms is more operational and would involve additional setup within OCI's IAM service that is outside the scope of Pulumi's infrastructure as code. Typically, you would create corresponding IAM roles and policies that define who can invoke the function.

Below is a simplified Pulumi program illustrating how you might define these resources:

```python
import pulumi
import pulumi_oci as oci

# Replace these variables with actual values
compartment_id = 'oci-compartment-id'
subnet_id = 'oci-subnet-id'
docker_image = 'docker-image-url' # URL for the Docker image for the function

# Create a Functions Application
application = oci.functions.Application("my-app",
    compartment_id=compartment_id,
    display_name="my-application",
    subnet_ids=[subnet_id])

# Create a Function within the application
function = oci.functions.Function("my-function",
    application_id=application.id,
    display_name="my-function",
    image=docker_image,
    memory_in_mbs=128)

# Example of invoking a function (note: this is typically done programmatically)
invoke = oci.functions.InvokeFunction("invoke-my-function",
    function_id=function.id,
    fn_invoke_type="sync",
    fn_intent="httprequest",
    invoke_function_body="{}") # The body would contain data for the AI service

# Outputs
pulumi.export('application_id', application.id)
pulumi.export('function_id', function.id)
pulumi.export('invoke_endpoint', invoke.invoke_endpoint)
```

In this program:

- The `oci.functions.Application` resource creates a new application with a name, compartment, and subnet for network configuration. For more details, refer to the [Application documentation](https://www.pulumi.com/registry/packages/oci/api-docs/functions/application/).
  
- The `oci.functions.Function` resource defines the code to execute and its configuration, such as the memory limit and the Docker image used. This would be your AI service logic in a container. Check the [Function documentation](https://www.pulumi.com/registry/packages/oci/api-docs/functions/function/) for more information.

- The `pulumi.export` lines at the end of the program output the created resources' IDs, which can be used for reference or integration with other services or tools.

Keep in mind that while Pulumi manages the infrastructure for these services, the code you deploy on OCI Functions and the authentication setup is done separately from Pulumi. You will need to handle the application code, Docker image building, and pushing it to a registry that OCI Functions can access. Additionally, for securing the function, it is essential to follow the Oracle Cloud Infrastructure documentation to set up the right IAM policies and roles, ensuring that only authenticated calls can invoke your functions.