Create Oracle Cloud resources

Learn to create a compartment, VCN, subnet, users, and user groups before you get started with Oracle Cloud Infrastructure GoldenGate.

Create a compartment

Compartments let you organize and control access to your cloud resources. It’s a logical container that you can use to group related cloud resources together and let specific user groups access.

When you sign up for Oracle Cloud Infrastructure, Oracle creates your tenancy, which is the root compartment that holds all your cloud resources. You then create additional compartments within your tenancy and the corresponding policies to control access to the resources in each compartment.

To create a compartment:

1. Open the Oracle Cloud console navigation menu, and then select Identity & Security.

2. Under Identity, select Compartments. A list of the compartments you have access to is displayed.

3. Navigate to the compartment where you want to create the new compartment.

   • To create the compartment in the tenancy (root compartment) select Create Compartment.

   • To create the compartment in a compartment other than the tenancy (root compartment), select through the hierarchy of compartments until you reach the detail page of the compartment where you want to create the compartment. On the Compartment Details page, select Create Compartment.

4. In the Create Compartment dialog, complete the fields as follows:

   1. For Name, enter a unique name for the compartment, no more than 100 characters (includes letters, numbers, periods, hyphens, and underscores). The name must be unique across all compartments in the tenancy. Avoid entering confidential information.

   2. For Description, enter a description that helps distinguish the compartment from others.

   3. For Parent Compartment, verify that this is the compartment where you want to create your compartment. To choose a different compartment, select one from the dropdown.

   4. (Optional) For Tag Namespace, you can add a free-form tag to help you search for you resources in the Oracle Cloud console. Select + Another Tag to add more tags.

   5. Select Create Compartment.

Your compartment appears in the Compartments list after it’s created. You can now create policies and add resources to your compartment.

Create a Virtual Cloud Network and subnet

A virtual cloud network (VCN) is a network that you set up in the Oracle Cloud Infrastructure data centers in a particular region. A subnet is a subdivision of a VCN.

OCI GoldenGate requires a VCN and at least one private subnet with a NAT Gateway. A route table with a route rule redirecting traffic to the NAT Gateway for the private subnet must be available. If you want to enable connectivity using a public endpoint then a public subnet is also required and the VCN must include an Internet Gateway. A route table with a route rule redirecting traffic to the Internet Gateway for the public subnet must be available.

To create a VCN and subnet:

1. Open the Oracle Cloud console navigation menu, select Networking, and then select Virtual cloud networks.

2. On the Virtual Cloud Networks page, confirm the compartment selection, or select a different compartment.

3. From the Actions menu, select Start VCN Wizard.

4. In the Start VCN Wizard panel, select Create VCN with Internet Connectivity, and then select Start VCN Wizard.

5. On the Configuration page, under Basic information, enter a VCN name.

6. For Compartment, select the compartment in which to create this VCN.

7. Select Next.

8. On the Review and Create page, verify the configuration details, and then select Create.

Select View VCN Details to verify that both a Public and Private subnet were created.

Create users

Create users to add to groups that can access to your OCI GoldenGate resources.

Before you create users, understand that:

• OCI GoldenGate deployment user management depends on whether your tenancy uses OCI IAM with Identity Domains or not. See Manage deployment users.

• User names must be unique across all users within your tenancy

• User names are unchangeable

• Users have no permissions until they’re placed in a group

To create users:

1. Open the Oracle Cloud console navigation menu, select Identity & Security, and then under Identity, select Domains.

2. On the Domains page, confirm the Compartment selection, or change to another compartment.

3. In the Domains list, select Default to access the default domain, or select Create Domain to create a new one.

4. Select the domain from the list.

5. On the Domains details page, select User management.

6. On the Users page, select Create user.

7. On the Create user page, complete the fields as follows:

   1. Enter the user's First name, Last name, and Email address, which can also be used as the Username.

      Note: The name must be unique across all users in the tenancy. You cannot change this value later. The user name cannot contain spaces, and can only consist of basic Latin letters (ASCII), numerals, hyphens, periods, underscores, +, and @.

   2. For Groups, select the groups to assign the user to.

8. Select Create.

You can then add the user to a group and create policies that give the group access to your resources. For more information about users, see Managing users.

Create groups

A group is a collection of users who require the same type of access to a set of resources or compartments.

Before you create a group, understand that:

• The group name must be unique within the tenancy.

• The group name cannot be changed once created.

• A group has no permissions unless you write at least one permission that gives the group permission to a tenancy or compartment.

To create a group:

1. Open the Oracle Cloud console navigation menu, select Identity & Security, and then under Identity, select Domains.

2. On the Domains page, confirm the Compartment selection, or change the compartment.

3. Select a domain from the list.

4. On the Domain details page, select User management.

5. Under Groups, select Create Group.

6. On the Create group page:

   1. For Name, enter a unique name for the group.

      Note: Once the group is created, you cannot change the name. The group name must be unique within the tenancy. The group name can be 1 to 100 alphanumeric characters long, upper or lowercase letters, and can contain periods, dashes, hyphens, but no spaces

   2. For Description, enter a friendly description.

7. Select whether a User can request access to this group.

8. From the Users list, select the users to assign to this group.

9. Select Create.

A group doesn’t have any permissions until you write a policy that gives the group permission to a compartment or tenancy. For more information about groups, see Managing groups.

Create policies

Policies define what actions members of a group can perform, and in which compartments.

Use the Oracle Cloud console to create policies. In the Oracle Cloud console navigation menu, select Identity & Security, and then under Identity, and select Policies. Policies are written in the following syntax:

allow group <identity-domain>/<group-name> to <verb> <resource-type> in <location> where <condition>

Parameter definitions are as follows:

• <identity-domain>: (Optional) If using OCI IAM for identity management, then include the identity domain of the user group. If omitted, then OCI uses the default domain.

• <group-name>: The name of the user group you're giving permissions to.

• <verb>: Gives the group a certain level of access to a resource-type. As the verbs go from inspect to read to use to manage, the level of access increases and the permissions granted are cumulative.

  Learn more about the relationship between permissions and verbs.

• <resource-type>: The type of resource you're giving a group permission to work with. There are individual resources, such as goldengate-deployments, goldengate-pipelines, and goldengate-connections, and there are resource families, such as goldengate-family, which includes the individual resources previously mentioned.

  For more information, see resource-types.

• <location>: Attaches the policy to a compartment or tenancy. You can specify a single compartment or compartment path by name or OCID, or specify tenancy to cover the entire tenancy.

• <condition>: Optional. One or more conditions for which this policy will apply.

Learn more about policy syntax.

How to create a policy

To create a policy:

1. In the Oracle Cloud navigation menu, select Identity & Security, and then under Identify, select Policies.

2. On the Policies page, select Create Policy.

3. On the Create Policy page, enter a name and description for the policy.

4. Select the Compartment in which to create this policy.

5. In the Policy Builder section, you can either

   • Select GoldenGate Service from the Policy use case dropdown and a common policy template, such as Required policies to let users manage GoldenGate resources.

   • Select Show manual editor to enter a policy rule in the following format:

     allow <subject> to <verb> <resource-type> in <location> where <condition>

     Conditions are optional. See Details for Verbs + Resource-Type Combinations.

   Tip: See Minimum recommended policies for more information.

6. Select Create.

For more information about policies, see how policies work, policy syntax, and policy reference.

Minimum recommended policies

Tip:

To use a common policy template to add all the required policies:

1. For Policy use cases, select GoldenGate Service from the dropdown.

2. For Common use templates, select Required policies to let users manage GoldenGate resources from the dropdown.

At minimum, you need policies to:

• Allow users to use or manage GoldenGate resources, so that they can work with deployments and connections. For example:

  allow group <identity-domain>/<group-name> to manage goldengate-family in <location>

• Allow users to manage network resources, so that they can view and select compartments and subnets, and create and delete private endpoints when creating GoldenGate resources. For example:

  allow group <identity-domain>/<group-name> to manage virtual-network-family in <location>

  Note:

  • When creating a deployment or a connection using a dedicated endpoint, one or more IPs are allocated in the subnet selected. You must provide the required network access privileges in both the subnet and the deployment or connection's compartment to allow the service to create the network resources.

  • Similarly, the appropriate network access privileges are required when deleting a deployment or connection using a dedicated endpoint to allow the service to delete the network resources.

  Optionally, you can further secure network resources using a combination of granular policies. See Policy Examples for Securing Network Resources.

• Create a Dynamic Group to grant permissions to resources based on defined rules, allowing your GoldenGate deployments and/or pipelines to access resources in your tenancy. Replace <dynamic-group-name> with a name of your choice. You can create as many dynamic groups as you need, for example, to control permissions in deployments across different compartments or tenancies.

  name: <dynamic-group-name>
  Matching rule: ALL {resource.type = 'goldengatedeployment', resource.compartment.id = '<location>'}

  Tip: The policies that follow in this list refer to <dynamic-group-name>. If you create more than one dynamic group, ensure that you refer to the correct dynamic group name when adding any of the policies that follow.

• If using connections with password secrets, the deployment you're assigning to the connection must be able to access the connection's password secrets. Ensure that you add the policy to your compartment or tenancy:

  allow dynamic-group <identity-domain>/<dynamic-group-name> to read secret-bundles in <location>

• Allow users to read the Identity and Access Management (IAM) user and group for validations in IAM enabled tenancies:

  allow service goldengate to {idcs_user_viewer, domain_resources_viewer} in <location>

  allow dynamic-group <identity-domain>/<dynamic-group-name> to {idcs_user_viewer, domain_resources_viewer} in <location>

• Access customer managed encryption keys and password secrets in Oracle Vault. For example:

  allow group <identity-domain>/<group-name> to manage secret-family in <location>
  allow group <identity-domain>/<group-name> to use keys in <location>
  allow group <identity-domain>/<group-name> to use vaults in <location>
  allow dynamic-group <identity-domain>/<dynamic-group-name> to use keys in <location>
  allow dynamic-group <identity-domain>/<dynamic-group-name> to use vaults in <location>
  allow dynamic-group <identity-domain>/<dynamic-group-name> to read secret-bundles in <location>

Depending on whether you intend to use the following services, you may also need to add policies for:

• Oracle AI Databases, for your source and/or target databases. For example:

  allow group <identity-domain>/<group-name> to read database-family in <location>

  allow group <identity-domain>/<group-name> to read autonomous-database-family in <location>

• Oracle Object Storage, to store manual and scheduled OCI GoldenGate backups. For example:

  allow group <identity-domain>/<group-name> to manage objects in <location>
  allow dynamic-group <identity-domain>/<dynamic-group-name> to manage objects in <location> where target.bucket.name = '<bucket-name>'
  allow group <identity-domain>/<group-name> to inspect buckets in <location>

• OCI Logging, to access log groups. For example:

  allow group <identity-domain>/<group-name> to read log-groups in <location>
  allow group <identity-domain>/<group-name> to read log-content in <location>

• Load Balancer, if you enable public access to the deployment console:

  allow group <identity-domain>/<group-name> to manage load-balancers in <location>
  allow group <identity-domain>/<group-name> to manage public-ips in <location>
  
  allow group <identity-domain>/<group-name> to manage network-security-groups in <location>
  allow group <identity-domain>/<group-name> to manage vcns in <location> where ANY {request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup'}

• Work requests:

  allow group <identity-domain>/<group-name> to inspect work-requests in <location>

• Zero Trust Packet Routing (ZPR). Required only If you've added security attributes to your VCN and/or Load Balancer to control access for your connections and public deployments, add the following policies to allow public internet traffic to the load balancer and traffic flow between the load balancer and private endpoints:

  • If security attributes were added for both VCN and load balancer:

    in <vcn-sa-key>:<vcn-sa-value> VCN allow <lb-sa-key>:<lb-sa-value> endpoints to connect to <pe-sa-key>:<pe-sa-value> endpoints
    in <vcn-sa-key>:<vcn-sa-value> VCN allow all-endpoints to connect to <lb-sa-key>:<lb-sa-value> endpoints

  • If security attributes were added only for the VCN and not load balancer, and the load balancer is in a public subnet with CIDR 10.0.1.0/24:

    in <vcn-sa-key>:<vcn-sa-value> VCN allow '10.0.1.0/24' to connect to <pe-sa-key>:<pe-sa-value> endpoints

    Note: For other resources, such as dedicated connections and private deployments, security attributes are added to the private endpoint created. Load balancers aren’t created by default with private deployments, so the ZPR examples above don’t apply. You may need a ZPR policy, as ZPR protects the private endpoint in this case. The exact policy depends on your use-case.

  Learn more about ZPR Policy syntax.

The following statement gives a group permission to manage tag-namespaces and tags for workspaces:

allow group <identity-domain>/<group-name> to manage tag-namespaces in <location>

To add a defined tag, you must have permission to use the tag namespace. To learn more about tagging, see Resource Tags.