1. Protecting OCI Functions Invoked by AI Event Triggers


    To protect Oracle Cloud Infrastructure (OCI) Functions when they are invoked by AI event triggers, you would want to ensure that only authenticated and authorized sources can invoke your function, and also that your application can handle any anomalous or unexpected inputs or behaviors gracefully. The Pulumi OCI provider offers a range of resources to help with this, including oci.Functions.Function for deploying function code and oci.Identity.Policy for managing access control.

    Here's a step-by-step guide on how to set up a secure OCI Function with Pulumi:

    1. Create a Function Application: To deploy functions, you first create an application resource. This serves as a context or namespace for your function.

    2. Deploy the Function: Within the application, you define a function resource, specifying the Docker image that contains your function code.

    3. Set up Identity Policies: You can create identity policies that specify who or what can invoke your function. For example, you can limit invocation to certain users or groups.

    4. Integrate AI Event Trigger: You can set up an OCI AI service that creates event triggers. If you're monitoring for anomalies, the trigger can call your function to respond to these events.

    5. Define Custom Protection Rules: If you need more granular control over the requests to your function, you can implement custom protection rules using resources such as oci.Waas.CustomProtectionRule.

    Let's put this into practice using a Pulumi program written in Python:

    import pulumi import pulumi_oci as oci # Replace these variables with appropriate values compartment_id = "your_compartment_id" subnet_ids = ["your_subnet_id"] image = "your_docker_image_for_function" function_display_name = "MySecureFunction" # Create an OCI Functions Application app = oci.functions.Application("myApp", compartment_id=compartment_id, display_name="MyApplication", subnet_ids=subnet_ids) # Deploy a Function within the newly created Application func = oci.functions.Function("myFunction", application_id=app.id, image=image, memory_in_mbs=128, config={ "LOG_LEVEL": "DEBUG", }, display_name=function_display_name) # Define an Identity Policy that specifies who can invoke the Function identity_policy = oci.identity.Policy("myPolicy", compartment_id=compartment_id, description="Policy to restrict function invocation", statements=[ f"Allow group FunctionInvokers to use functions-family in compartment {compartment_id}", f"Allow group FunctionInvokers to invoke functions in compartment {compartment_id}" ]) # Export the Function's OCID and invoke endpoint, which can be used for setting up triggers pulumi.export("function_id", func.id) pulumi.export("invoke_endpoint", func.invoke_endpoint)

    This Pulumi program sets up a secure environment where:

    • An OCI Functions Application acts as a container for your function.
    • The Function itself is defined along with its configuration, such as memory limits and environment variables.
    • An Identity Policy limits invocation of the function to members of a hypothetical FunctionInvokers group. You would need to ensure that this group is created within your OCI Identity and Access Management (IAM) service and that it contains the proper entities (such as users or other services) that should be able to invoke the function.

    For further security controls like AI-based anomaly detection and custom protection rules, you would integrate the OCI AI and Web Application Firewall (WAF) services, which go beyond the basic setup shown here. The details on how to implement this would depend on the specific AI and WAF services you intend to use.

    Remember to replace the placeholder variables with your actual compartment, subnet IDs, and Docker image information. After deploying this program with Pulumi (pulumi up), your function will be secure under the given policies.