Managing Multi-Tenant Environments with OCI Compartments
Oracle Cloud Infrastructure (OCI) compartments are a core component of Oracle Cloud that help in organizing and isolating your cloud resources. When you're managing multi-tenant environments, compartments enable each tenant to have its own compartment, which acts much like a separate account. This allows you to control access and permissions per tenant, set up budgets, and track costs individually.
To create and manage OCI compartments and resources within compartments using Pulumi, you will first need the OCI Pulumi provider. This provider allows you to interact with OCI services through Pulumi's infrastructure as code approach.
Here's how you might create a compartment and then deploy resources within it using Pulumi:
- Define the compartment.
- Create resources within the compartment.
Let's write a Pulumi program in Python that creates a compartment in OCI, and then provisions a Virtual Cloud Network (VCN) within that compartment. I will guide you through the program, explaining each step.
```python
import pulumi
import pulumi_oci as oci

# Create a new compartment.
# A compartment requires a name and a description, along with your root
# compartment ID, which acts as the parent compartment.
compartment = oci.identity.Compartment(
    "myCompartment",
    description="Compartment for Tenant A",
    name="TenantACompartment",
    # Replace '<root_compartment_id>' with your root compartment's ID.
    compartment_id="<root_compartment_id>",
)

# Create a VCN within the new compartment.
# VCNs are created with a CIDR block and optionally a DNS label, among other settings.
# Note that the `compartment_id` attribute is set to the `id` of the compartment
# we've created above.
vcn = oci.core.Vcn(
    "myVcn",
    compartment_id=compartment.id,
    cidr_block="10.0.0.0/16",
    display_name="MyVcn",
    dns_label="myvcn",
)

# To access the VCN or compartment later on (for example, in the Pulumi Console
# or in outputs), you can export their IDs.
pulumi.export("compartment_id", compartment.id)
pulumi.export("vcn_id", vcn.id)
```
In the above program:
- We import the necessary Pulumi libraries for Python.
- We use the `oci.identity.Compartment` class to create a new compartment. This requires parameters such as the compartment name, description, and the ID of the parent compartment.
- We use the `oci.core.Vcn` class to create a new Virtual Cloud Network within that compartment, specifying the compartment ID, CIDR block, display name, and DNS label for the VCN resource.
- Finally, we export the IDs of the created resources using `pulumi.export` so you can easily use these IDs elsewhere or obtain them after running `pulumi up`.
This is a basic example that shows how to create a compartment and a VCN within it. Multi-tenancy often involves creating more resources and applying fine-grained policies which can also be automated using Pulumi.
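As an added example (not code from the original page), the Python below generates IAM policy statements for a tenant group that are pinned to the tenant's compartment, and checks that none of them grant tenancy-wide or `all-resources` rights, which would quietly undo the isolation the compartment provides. The `TenantA-Admins` group, the policy name, and the `oci.identity.Group` / `oci.identity.Policy` wiring at the end are assumptions; the compartment name and the `<root_compartment_id>` placeholder are the page's own.

```python
import re

# OCI policy verbs, least to most privileged.
VERBS = ("inspect", "read", "use", "manage")

# A tenant-scoped statement must end in "in compartment <name>"; "in tenancy"
# is rejected because it grants rights across every tenant's compartment.
_SCOPED = re.compile(
    r"^Allow group \S+ to (inspect|read|use|manage) \S+ in compartment \S+$")


def tenant_policy_statements(group, compartment_name, grants):
    """Build OCI IAM statements for one tenant group; `grants` maps a
    resource family (e.g. "virtual-network-family") to a verb, and every
    statement is pinned to the tenant's compartment by name."""
    statements = []
    for family, verb in grants.items():
        if verb not in VERBS:
            raise ValueError(f"unknown OCI policy verb {verb!r}")
        statements.append(
            f"Allow group {group} to {verb} {family} in compartment {compartment_name}")
    return statements


def check_compartment_scoped(statements, allow_all_resources=False):
    """Return the statements that escape tenant scope (empty list means OK):
    anything not of the compartment-scoped form above, plus by default any
    "all-resources" grant, which is broader than a single tenant needs."""
    offending = []
    for stmt in statements:
        if not _SCOPED.match(stmt):
            offending.append(stmt)
        elif not allow_all_resources and " all-resources in " in stmt:
            offending.append(stmt)
    return offending


if __name__ == "__main__":
    # Pulumi wiring (assumed resource names; needs the pulumi_oci provider).
    # The compartment name and <root_compartment_id> placeholder come from the page.
    import pulumi
    import pulumi_oci as oci
    grants = {"virtual-network-family": "manage", "instance-family": "use"}
    statements = tenant_policy_statements("TenantA-Admins", "TenantACompartment", grants)
    if check_compartment_scoped(statements):
        raise SystemExit("refusing to deploy a policy that is not compartment-scoped")
    group = oci.identity.Group("tenantAAdmins", compartment_id="<root_compartment_id>",
                               description="Tenant A administrators", name="TenantA-Admins")
    policy = oci.identity.Policy("tenantAPolicy", compartment_id="<root_compartment_id>",
                                 description="Tenant A, compartment-scoped only",
                                 name="TenantA-Policy", statements=statements,
                                 opts=pulumi.ResourceOptions(depends_on=[group]))
    pulumi.export("policy_statements", policy.statements)
```

Groups and policies live in the root (tenancy) compartment, which is why both resources use `<root_compartment_id>` while the statements themselves name the tenant's compartment.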
To run the Pulumi program, you should have the Pulumi CLI installed and configured with OCI. Save the program to a file (e.g., `main.py`), and execute `pulumi up` to deploy the OCI resources. After the deployment, you will see the exported outputs in your terminal, which include the IDs of the compartment and VCN. Keep in mind to replace `<root_compartment_id>` with your actual root compartment's ID. The compartment ID can be found in the OCI console or via the OCI CLI.

This is just a starting point, and you can expand upon it by creating additional resources, implementing IAM policies, and setting up your multi-tenant infrastructure in a way that aligns with your operational best practices.