Serverless OCI API Gateway Invocation by Dynamic Groups
In Oracle Cloud Infrastructure (OCI), you can build a serverless infrastructure by leveraging OCI API Gateway and Dynamic Groups to control access to serverless functions. This gives you an API Gateway endpoint that acts as the entry point for clients and, upon invocation, triggers execution of a serverless function. A Dynamic Group, on the other hand, is a group whose membership rule automatically adds OCI resources as members based on the conditions you define.
Here's how each component fits into the infrastructure:
- OCI Dynamic Group: Creates a group where membership is determined by rules you set (like a query) rather than explicitly adding each principal to the group. This typically includes OCI resources like compute instances, which could be the source of API invocations.
- API Gateway: Serves as a single entry point to the backend services and can provide features like traffic management, authorization and access control, monitoring, and API version management. It can route requests to different backend services including OCI Functions or other HTTP backends.
- OCI Functions (Serverless): These are the computing resources that are executed when they're triggered (in this case, via the API Gateway). They can execute code in response to HTTP requests or other events without the need to manage infrastructure.
Below is a Pulumi program in Python that demonstrates how you can deploy these components on OCI:
```python
import pulumi
import pulumi_oci as oci

# Set the compartment ID for resources (replace it with your actual compartment ID)
compartment_id = 'oci-compartment-id'

# Define the Dynamic Group
# The matching rule selects functions within the compartment. ALL requires every
# condition to hold; ANY would also admit every other resource in the compartment
# and functions in any other compartment.
# Dynamic groups are tenancy-level resources: if compartment_id above is not the
# tenancy OCID, pass the tenancy OCID as compartment_id here instead.
dynamic_group = oci.identity.DynamicGroup("dynamic-group",
    compartment_id=compartment_id,
    description="Dynamic group for API Gateway invocation",
    matching_rule="ALL {resource.type = 'fnfunc', resource.compartment.id = '" + compartment_id + "'}")

# Create an API Gateway on OCI
# This requires a subnet. Ensure that you have a subnet ready for use and pass the subnet ID below
api_gateway = oci.apigateway.Gateway("api-gateway",
    compartment_id=compartment_id,
    endpoint_type="PUBLIC",  # Required: "PUBLIC" or "PRIVATE" (assumed here; PRIVATE keeps the endpoint inside the VCN)
    subnet_id='oci-subnet-id',  # Replace with your actual subnet ID
    display_name="my-api-gateway")

# Define an OCI function that the API Gateway will invoke
# This would be the serverless piece of infrastructure. In this example, we assume the function already exists.
# If you're creating a new function, you would provide it here similarly
my_function = oci.functions.Function("myFunction",
    application_id='oci-functions-application-id',  # Replace with your Functions application ID
    display_name="myFunction",
    memory_in_mbs="128",  # Placeholder memory size; adjust for your function
    # Other necessary attributes to define the function...
    # function code, runtime, environment variables, etc.
)

# Deployment of the API Gateway requires a specification that defines the routes and methods
deployment = oci.apigateway.Deployment("api-deployment",
    compartment_id=compartment_id,
    # The gateway to which this deployment belongs
    gateway_id=api_gateway.id,
    path_prefix="/v1",
    specification={
        "routes": [
            {
                "path": "/myfunction",
                "methods": ["GET"],  # Allowed methods for the function, e.g., GET, POST
                "backend": {
                    "type": "ORACLE_FUNCTIONS_BACKEND",
                    "function_id": my_function.id,  # Integrating Oracle serverless function
                },
            }
        ],
    })

# Export the URL of the API Gateway endpoint so you can invoke it after deployment.
# The deployment's `endpoint` output is the address OCI assigns, including the path prefix.
pulumi.export("api_gateway_url", deployment.endpoint)
```
Before running the program, make sure your Pulumi stack is set up for OCI and you have the necessary permissions to create these resources. The function code and runtime specifics are not included in this example and need to be defined where `my_function` is created.
Once the API Gateway is deployed, client applications can make HTTP requests to the gateway's endpoint, which forwards each request to the defined backend and on to the serverless function. The Dynamic Group does not play an active role in the request/response cycle; however, it is crucial for defining permissions that allow the API Gateway to invoke serverless functions within OCI.
Remember that functions and the API gateway must be within the same compartment for the Dynamic Group's rule in this example to work. The compartment ID, subnet ID, and function details—among other things—must be specified accurately within this Pulumi program to ensure successful deployment.
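How a matching rule of the shape used in the program above selects members, as an added example (not part of the original page and not Pulumi or OCI code): a small evaluator for flat `ANY {…}` / `ALL {…}` rules, run over a constructed inventory, showing that `ANY` admits every resource in the compartment plus functions elsewhere while `ALL` admits only functions in the compartment. The helper names and the placeholder OCIDs are assumptions made for illustration.

```python
import re

# Flat OCI dynamic-group rule: ANY {cond, cond} or ALL {cond, cond}.
RULE_RE = re.compile(r"^\s*(ANY|ALL)\s*\{(.*)\}\s*$", re.IGNORECASE)
COND_RE = re.compile(r"^\s*([\w.]+)\s*=\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Return (quantifier, [(attribute, value), ...]) for a flat matching rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    conditions = []
    for part in m.group(2).split(","):
        c = COND_RE.match(part)
        if not c:
            raise ValueError(f"unsupported condition: {part!r}")
        conditions.append((c.group(1), c.group(2)))
    return m.group(1).upper(), conditions


def is_member(rule, resource):
    """True if `resource` (attribute -> value dict) satisfies the rule."""
    quantifier, conditions = parse_rule(rule)
    hits = [resource.get(attr) == value for attr, value in conditions]
    return any(hits) if quantifier == "ANY" else all(hits)


def members(rule, resources):
    """Names of the resources the rule would admit to the dynamic group."""
    return [name for name, attrs in resources.items() if is_member(rule, attrs)]


# Constructed inventory; the OCIDs are placeholders, not real identifiers.
COMPARTMENT = "ocid1.compartment.oc1..example-a"
RESOURCES = {
    "fn-in-compartment": {"resource.type": "fnfunc", "resource.compartment.id": COMPARTMENT},
    "gw-in-compartment": {"resource.type": "ApiGateway", "resource.compartment.id": COMPARTMENT},
    "fn-elsewhere": {"resource.type": "fnfunc", "resource.compartment.id": "ocid1.compartment.oc1..example-b"},
}
CONDITIONS = f"{{resource.type = 'fnfunc', resource.compartment.id = '{COMPARTMENT}'}}"

if __name__ == "__main__":
    print("ANY:", members("ANY " + CONDITIONS, RESOURCES))
    print("ALL:", members("ALL " + CONDITIONS, RESOURCES))
```

Any IAM policy written for the dynamic group applies to every member the rule admits, so the quantifier decides how far those permissions reach.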