1. Compliance and Security Boundaries with OCI Compartments


    In Oracle Cloud Infrastructure (OCI), compartments are the primary mechanism for isolating resources and controlling who may act on them, which makes them the natural unit for enforcing security and compliance requirements. A compartment is a logical container: every resource belongs to exactly one compartment, and IAM policies grant groups a verb (inspect, read, use or manage) on resource types within a compartment. Note that a compartment is an access-control boundary, not a network one; resources in different compartments can still reach each other over a shared VCN unless security lists or network security groups say otherwise.

    In this context, you would typically use separate compartments for development, staging, and production, each with its own IAM policies, so that a group that may manage development resources has no rights in production unless a policy explicitly grants them. Keeping every policy statement scoped to a compartment rather than to the tenancy is what makes that boundary hold.
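    The per-environment policies described above are lists of plain-text OCI IAM statements of the form `Allow group <group> to <verb> <resource-type> in compartment <name>`. The following is an added example, not code from the original page: it generates least-privilege statements for one environment's compartment and lints a policy for statements that escape the compartment boundary. The `<env>-<role>` group naming convention and the role-to-verb mapping are assumptions for illustration.

```python
"""Least-privilege IAM statements for per-environment compartments.

Added example, not code from the original page. OCI IAM policy statements have
the form
    Allow group <group> to <verb> <resource-type> in compartment <name>
with the verbs inspect < read < use < manage. The <env>-<role> group naming
convention and the role-to-verb mapping below are assumptions for illustration.
"""
from __future__ import annotations

import re

VERBS = ("inspect", "read", "use", "manage")

# Assumed role -> verb mapping; only the admins role is allowed to manage.
DEFAULT_ROLES = {
    "admins": "manage",
    "operators": "use",
    "auditors": "read",
}

# Grammar of the statement forms this linter understands. The compartment
# group is None when the statement is scoped to the whole tenancy.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:tenancy|compartment (?P<compartment>\S+))$"
)


def build_statements(env: str, compartment: str,
                     roles: dict[str, str] | None = None) -> list[str]:
    """Return one statement per role, each scoped to a single compartment."""
    statements = []
    for role, verb in (roles or DEFAULT_ROLES).items():
        if verb not in VERBS:
            raise ValueError(f"unknown IAM verb {verb!r} for role {role!r}")
        statements.append(
            f"Allow group {env}-{role} to {verb} all-resources in compartment {compartment}"
        )
    return statements


def lint_statements(statements: list[str], allowed_compartments: set[str]) -> list[str]:
    """Return one finding per problem; an empty list means the policy stays in bounds.

    Findings:
      * statements scoped 'in tenancy' bypass the compartment boundary;
      * statements naming a compartment outside allowed_compartments grant
        cross-environment access;
      * 'manage' for a group that is not an admins group is over-broad;
      * any other statement form is not handled here and needs manual review.
    """
    findings = []
    for s in statements:
        m = STATEMENT_RE.match(s)
        if m is None:
            findings.append(f"statement form not handled by this linter, review manually: {s}")
            continue
        compartment = m.group("compartment")
        if compartment is None:
            findings.append(f"tenancy-wide grant escapes the compartment boundary: {s}")
        elif compartment not in allowed_compartments:
            findings.append(f"grant on compartment {compartment!r} outside this environment: {s}")
        if m.group("verb") == "manage" and not m.group("group").endswith("-admins"):
            findings.append(f"manage granted to non-admin group {m.group('group')!r}: {s}")
    return findings


if __name__ == "__main__":
    prod = build_statements("prod", "ProductionCompartment")
    for statement in prod:
        print(statement)
    print("findings:", lint_statements(prod, {"ProductionCompartment"}))
```

    The generated list can be passed as the `statements` argument of an `oci.identity.Policy` resource placed in the compartment. The linter is deliberately string-level and conservative: it rejects what it cannot parse rather than guessing, so a policy that passes it contains only compartment-scoped grants to the groups of one environment.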

    To create a compartment in OCI using Pulumi, you use the oci.identity.Compartment resource from the pulumi_oci package (in the Python SDK the module names are lowercase: oci.identity, oci.cloudguard). To add preventive controls on top of IAM, you can attach a Security Zone to the compartment with oci.cloudguard.SecurityZone. A Security Zone applies a recipe of policies that Cloud Guard enforces by denying operations that would violate them, such as creating a public Object Storage bucket or a compute instance with a public IP, regardless of the caller's IAM permissions. Cloud Guard must already be enabled in the tenancy before a Security Zone can be created.

    Below is a Pulumi program written in Python that creates a new compartment in OCI and then attaches a Security Zone to it. It assumes that the OCI provider credentials (tenancy, user, API key fingerprint, private key and region) are already configured for Pulumi.

    import pulumi
    import pulumi_oci as oci

    # Read the stack configuration once. OCIDs are stack-specific values and
    # belong in `pulumi config`, not in source.
    config = pulumi.Config()

    # Create a new OCI compartment. In the Python SDK the module names are
    # lowercase (oci.identity, oci.cloudguard).
    compartment = oci.identity.Compartment(
        "myCompartment",
        name="ProductionCompartment",
        description="Compartment for production environment",
        # OCID of the *parent* compartment, not of the one being created. For a
        # top-level compartment this is the tenancy OCID (the root compartment);
        # you can read it from the OCI console or the CLI.
        compartment_id=config.require("root_compartment_id"),
    )

    # Create a Security Zone that covers the new compartment. Cloud Guard must
    # already be enabled in the tenancy.
    security_zone = oci.cloudguard.SecurityZone(
        "mySecurityZone",
        display_name="ProductionSecurityZone",
        description="Security Zone for production compartment",
        compartment_id=compartment.id,
        # OCID of the Security Zone recipe: an Oracle-managed recipe or a custom
        # one created with oci.cloudguard.SecurityRecipe. Taken from config so no
        # placeholder OCID is ever committed.
        security_zone_recipe_id=config.require("security_zone_recipe_id"),
    )

    # Export the OCIDs as stack outputs so other stacks can reference them.
    pulumi.export("compartment_id", compartment.id)
    pulumi.export("security_zone_id", security_zone.id)

    In the program above, we first import pulumi and pulumi_oci, the Python packages for the Pulumi SDK and the OCI provider respectively.

    Then we define a new OCI compartment named "ProductionCompartment" with a description. The compartment_id argument is the OCID of the parent compartment, not of the compartment being created: pass the tenancy OCID (the root compartment) for a top-level compartment, or another compartment's OCID to nest it (OCI allows nesting up to six levels deep). Two operational caveats: OCI only deletes a compartment once it is empty, and by default the provider does not delete the compartment on pulumi destroy, it only drops it from state; set the resource's enable_delete argument if you want the compartment actually removed.

    After defining the compartment, we create a Security Zone for it. We give it the display name "ProductionSecurityZone" and a description, and associate it with the newly created compartment through the compartment's OCID. The security_zone_recipe_id is the OCID of a Security Zone recipe, either one of the Oracle-managed recipes or a custom one built with oci.cloudguard.SecurityRecipe. The recipe's policies are preventive: a create or update operation in the zone that would violate a policy is denied even if IAM would have allowed it, so IAM decides who may act and the Security Zone decides which configurations are acceptable. Do not ship a placeholder OCID here; the value must be a real recipe OCID from your tenancy, best supplied through Pulumi configuration rather than hard-coded.

    The pulumi.export function publishes the compartment and Security Zone OCIDs as stack outputs, so that other stacks (for example the one that creates networking or compute inside the compartment) can consume them through a pulumi.StackReference instead of copying OCIDs around by hand.

    To run this Pulumi program, save it as __main__.py in a Pulumi Python project (next to Pulumi.yaml and requirements.txt), configure the OCI provider credentials, and set the OCIDs the program reads from configuration, for example pulumi config set root_compartment_id <tenancy OCID>. Then run pulumi up and review the preview before confirming: the Security Zone starts denying non-compliant operations in the compartment as soon as it exists.
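    A cheap check before pulumi up is to validate the OCIDs the program reads from configuration, so that a typo, a leftover placeholder or an OCID from the wrong realm fails fast with a clear message instead of a provider error mid-deployment. The following is an added example, not part of the original program: it checks only the form of the values (OCID layout, resource type, realm consistency) and does not call OCI, so it cannot confirm that the resources exist. The configuration key names match the program above; the securityzonerecipe resource-type string is taken from the page's placeholder OCID and assumed correct; the sample OCIDs are constructed, not real.

```python
"""Pre-flight checks on the OCIDs in the Pulumi stack configuration.

Added example, not part of the original program. It validates the *form* of the
OCIDs read from `pulumi config` and does not contact OCI. Sample values are
constructed, not real OCIDs.
"""
from __future__ import annotations

# OCID layout per Oracle's documentation:
#   ocid1.<resource type>.<realm>.[region][.future use].<unique id>
# IAM resources such as tenancy and compartment are global, so their region
# segment is empty (two consecutive dots).
REQUIRED_KEYS = {
    # config key            -> OCID resource types accepted for that key
    "root_compartment_id": {"tenancy", "compartment"},
    # 'securityzonerecipe' is assumed from the page's placeholder OCID.
    "security_zone_recipe_id": {"securityzonerecipe"},
}
MIN_UNIQUE_ID_LEN = 20  # heuristic: real unique ids are long opaque strings


def parse_ocid(ocid: str) -> dict[str, str] | None:
    """Split an OCID into its segments; return None if it is not OCID-shaped."""
    parts = ocid.strip().split(".")
    if len(parts) < 5 or parts[0] != "ocid1" or not parts[1] or not parts[2] or not parts[-1]:
        return None
    return {
        "resource_type": parts[1],
        "realm": parts[2],
        "region": parts[3],
        "unique_id": parts[-1],
    }


def preflight(config: dict[str, str]) -> list[str]:
    """Return the list of problems with the stack config; empty means go."""
    errors: list[str] = []
    realms: dict[str, str] = {}

    for key, allowed_types in REQUIRED_KEYS.items():
        value = config.get(key)
        if not value:
            errors.append(f"{key}: missing (set it with `pulumi config set {key} <ocid>`)")
            continue
        parsed = parse_ocid(value)
        if parsed is None:
            errors.append(f"{key}: {value!r} is not a well-formed OCID")
            continue
        if parsed["resource_type"] not in allowed_types:
            errors.append(
                f"{key}: expected an OCID of type {sorted(allowed_types)}, "
                f"got {parsed['resource_type']!r}"
            )
        if len(parsed["unique_id"]) < MIN_UNIQUE_ID_LEN:
            errors.append(f"{key}: unique id {parsed['unique_id']!r} looks like a placeholder")
        realms[key] = parsed["realm"]

    # Every OCID in one stack must come from the same realm (oc1, oc2, ...);
    # a recipe from another realm can never be attached to this compartment.
    if len(set(realms.values())) > 1:
        errors.append(f"realm mismatch across config values: {realms}")
    return errors


if __name__ == "__main__":
    # Constructed sample values for illustration; the recipe id is the kind of
    # placeholder this check is meant to catch.
    sample = {
        "root_compartment_id": "ocid1.tenancy.oc1..aaaaaaaaconstructedtenancyid0123456789",
        "security_zone_recipe_id": "ocid1.securityzonerecipe.oc1..example",
    }
    for problem in preflight(sample):
        print("preflight:", problem)
```

    Wire it in by reading the same keys the program uses (pulumi config --json prints them) and refusing to run pulumi up while preflight returns any problem. The placeholder heuristic is intentionally crude; its job is to stop an "ocid1....example" value from ever reaching the provider.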