Integrate Oracle Cloud Infrastructure Resource Manager with Automation Process

Introduction

The Oracle Cloud Infrastructure (OCI) Resource Manager service automates the deployment and operations of all OCI resources. Using the infrastructure-as-code (IaC) model, the service is based on Terraform, an open source industry standard that allows DevOps engineers to develop and deploy their infrastructure anywhere.

A Terraform configuration encodes your infrastructure in declarative configuration files. The OCI Resource Manager service allows you to share and manage infrastructure configuration and state files across multiple teams and platforms.

Through OCI Resource Manager you can run Terraform configurations from the OCI Console. You can also start the same runs with a REST call or with the Oracle Cloud Infrastructure Command Line Interface (OCI CLI), which opens up integration with automation tools such as OCI DevOps, Jenkins, GitHub and so on.

architecture

In this tutorial, we will automate the deployment of an Oracle Autonomous Database instance. The database admin password is read from an OCI Vault secret at run time, so it never appears in the Terraform files, and the user who runs the OCI Resource Manager job is granted only the permissions needed to create the database and to read that stored secret.

Objectives

Prerequisites

Task 1: Create a Secret for Oracle Autonomous Database in OCI Vault

We will create a password in OCI Vault to illustrate how to configure a new resource in Terraform without exposing sensitive data.

Secrets are credentials such as passwords, certificates, SSH keys, or authentication tokens that you use with OCI services. Storing secrets in an OCI Vault provides greater security than you might achieve storing them elsewhere, such as in code or configuration files. You can retrieve secrets from the OCI Vault service when you need them to access resources or other services.

You can create secrets by using the OCI Console, OCI CLI, or API. Secret contents for a secret are imported to the service from an external source. The OCI Vault service stores secrets in vaults.

Note: For this task, log in to the OCI Console as an Admin user, or as a user with permission to create vaults, master encryption keys and secrets in OCI Vault.

  1. Log in to the OCI Console, click Identity & Security and Vault.

    img_10.png

  2. Select the compartment where you want to store the secrets and click Create Vault.

    img_29.png

  3. Enter a name for your vault, confirm the compartment and click Create Vault.

    img_11.png

  4. Confirm that the vault is created and create a key. Click Master Encryption Keys and Create Key.

    img_12.png

  5. Confirm the compartment and enter a name for your key. For example, enter autonomouskey as Name and click Create Key.

    img_13.png

    Confirm that the key is created.

    img_14.png

  6. Click Secrets and Create Secret.

    img_15.png

  7. We will create the Autonomous Database admin password. Enter the following information and click Create Secret.

    • Compartment: Select the compartment.
    • Name: Enter a name for your first secret.
    • Select Manual secret generation so that you can type the password yourself.
    • Secret Type Template: Select Plain-Text.
    • Secret Contents: Enter your password.

    img_16.png

  8. You will need the Secret OCID later, when the Terraform configuration references the secret. To copy the OCID, click Copy. The OCID is only an identifier; the secret contents are never shown again in the console.

    img_17.png

Task 2: Create Policies for the OCI user

In this tutorial, assume your user TestUser is a member of a group named TestGroup. Now, create a policy named TestPolicy for that group.

This task matters because these statements define the full set of privileges the Terraform automation runs with: a job started from a stack executes with the permissions of the user who starts it. Keep the statements to the minimum the stack needs.

Note: For this task, we need to log in with an Admin user in OCI.

  1. Go to the OCI Console, click Identity & Security and Policies.

    img_18.png

  2. Click Create Policy.

    img_19.png

  3. In the Statements section, enter the following policies.

    • These statements allow the group TestGroup created previously to manage stacks and jobs in OCI Resource Manager in the compartment integration, and to read configuration source providers across the tenancy.

      - Allow group 'Default'/'TestGroup' to manage orm-stacks in compartment integration
      - Allow group 'Default'/'TestGroup' to manage orm-jobs in compartment integration
      - Allow group 'Default'/'TestGroup' to read orm-config-source-providers in tenancy

    • This statement allows the group to create an Oracle Autonomous Database instance in the compartment integration.

      - Allow group 'Default'/'TestGroup' to manage autonomous-database in compartment integration

    • This statement lets the group read the password stored in OCI Vault from the Terraform configuration. The in tenancy scope lets the group read every secret in the tenancy; if the vault lives in its own compartment, scope the statement to that compartment instead.

      - Allow group 'Default'/'TestGroup' to use secret-family in tenancy

    • This statement allows the group to save the generated Terraform scripts in an OCI Object Storage bucket in the compartment kubernetes. Note that manage all-resources grants every permission in that compartment; if the group only needs the bucket, manage object-family in that compartment is the narrower choice.

      - Allow group 'Default'/'TestGroup' to manage all-resources in compartment kubernetes

    • This statement allows the users of TestGroup to edit code in the OCI Code Editor, which requires the same cloud-shell permission as Cloud Shell.

      - Allow group 'Default'/'TestGroup' to use cloud-shell in tenancy


    cloud_shell.png

Task 3: Create a Stack from a Template

Create a stack for an Oracle Autonomous Database instance. We can use a template for this. The first step is to log in as the TestUser from Task 2, so that every action in this task runs with the TestGroup policies only.

  1. Go to the OCI Console and click the hamburger menu.

    img_1.png

  2. Click Developer Services and Stacks.

    img_2.png

  3. Select your Compartment and click Create stack.

    CleanShot 2024-04-15 at 07.47.32.png

  4. In the Stack information page, select Template and click Select template to generate a Terraform script for Oracle Autonomous Database.

    CleanShot 2024-04-15 at 07.48.19.png

  5. In the Service tab, select Autonomous Transaction Processing Database and click Select template.

    CleanShot 2024-04-15 at 07.49.57.png

  6. You can generate the Terraform scripts and store them in an OCI Object Storage bucket. Select Use custom Terraform providers, enter the bucket Compartment and Name, and save your stack.

    CleanShot 2024-04-15 at 07.51.23.png

    Your stack is saved.

    CleanShot 2024-04-15 at 07.54.01.png

  7. This template does not read the secret stored in your OCI Vault. To make Terraform read the secret, we need to change the code.

    Click Edit and select Edit Terraform configuration in code editor.

    img_3.png

  8. You can edit the code. The default code generates a random string for the password and passes it to the database resources.

    • main.tf file.

      CleanShot 2024-04-15 at 08.05.40.png

      CleanShot 2024-04-15 at 08.08.32.png

      You need to add a new data source named oci_secrets_secretbundle and use its decoded content for the following attributes:

      • admin_password in the autonomous_data_warehouse and autonomous_database sections.
      • password in the autonomous_database_wallet section.
    • main.tf - autonomous_data_warehouse section.

      # Fetch the current version of the secret created in Task 1.
      # The job runs with the permissions of the user who starts it, so that user
      # needs the secret-family statement from Task 2; without it the lookup fails
      # with a not-authorized-or-not-found error before any resource is created.
      data "oci_secrets_secretbundle" "bundle" {
          secret_id = var.secret_ocid
      }

      # The bundle content is base64-encoded, so decode it before passing it on.
      # Terraform records data source results in the state file, so the decoded
      # password ends up in the stack state; keep the orm-stacks and orm-jobs
      # grants from Task 2 as narrow as possible.
      admin_password = base64decode(data.oci_secrets_secretbundle.bundle.secret_bundle_content[0].content)

      

      CleanShot 2024-04-15 at 08.28.07.png

    • main.tf - autonomous_database section.

      img_4.png

    • main.tf - autonomous_database_wallet section.

      img_5.png

      CleanShot 2024-04-15 at 08.30.15 substituir.png

    Add the following code to the variables.tf file and replace the OCID with the one for your secret generated in Task 1. The OCID is only an identifier, not the secret itself, so it is safe to keep in the configuration; the password is fetched at run time and never written into these files.

    variable "secret_ocid" {
        # OCID of the OCI Vault secret that holds the Autonomous Database admin password.
        default = "ocid1.vaultsecret.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    }
    
    • variables.tf file.

      CleanShot 2024-04-15 at 08.30.52.png

    Note: Save your files. Move the mouse cursor over your stack (on the right side of the editor, under the Autonomous Transaction Processing… title), right-click and save your project. If you leave without saving, the job still runs the original code and uses the random string as the password.

Task 4: Test the Permissions

You can test the policies and see how each statement controls what the user can do with OCI Resource Manager, OCI Vault and Oracle Autonomous Database instances in a specific compartment. Each step below removes or restores one set of grants and observes the effect.

  1. Log in to the OCI Console with your Admin user credentials and remove all the statements for the TestGroup group from the TestPolicy policy. Click Delete and confirm.

    img_7.png

  2. Now, log in with your user in the TestGroup group. Without any statements, the user cannot see the stack, so there is nothing to execute.

    CleanShot 2024-04-15 at 20.02.33.png

  3. Add the following statements with the Admin user.

    Allow group 'Default'/'TestGroup' to manage orm-stacks in compartment integration
    Allow group 'Default'/'TestGroup' to manage orm-jobs in compartment integration
    Allow group 'Default'/'TestGroup' to read orm-config-source-providers in tenancy
    Allow group 'Default'/'TestGroup' to manage all-resources in compartment kubernetes


    img_8.png

    These statements grant your user in TestGroup permission to use the OCI Resource Manager stack.

    CleanShot 2024-04-15 at 20.12.55.png

  4. Your user still has no grant to create an Oracle Autonomous Database instance or to read the secret in OCI Vault. So you can execute your stack, but the job fails. To test, click Apply on your stack detail page.

    CleanShot 2024-04-15 at 20.16.39.png

    CleanShot 2024-04-15 at 20.18.40.png

  5. Add the Oracle Autonomous Database and OCI Vault statements from Task 2 back to TestPolicy.

    Allow group 'Default'/'TestGroup' to manage autonomous-database in compartment integration
    Allow group 'Default'/'TestGroup' to use secret-family in tenancy
    

    img_9.png

  6. Click Apply on your stack detail page again. The job now succeeds: the user controls all the resources it needs, and the password was never written into the configuration or shown in the console.

    CleanShot 2024-04-15 at 21.34.57.png

Task 5: Call your OCI Resource Manager Automation with REST

Every action you can perform in the OCI Console is also available through the OCI REST API and the OCI CLI.

For more information about OCI REST API, see OCI REST API. You can see the list of OCI CLI commands here: Oracle Cloud Infrastructure CLI Command Reference.

Now, we can execute the OCI Resource Manager stack with an OCI REST API call or an OCI CLI command. To create a job, see CreateJob, or use the following sample code, curl-oci.zip, which contains curl-oci.sh prepared with OCI parameters.

img_20.png

Every OCI REST request must carry a signature made with your API signing key. For more information, see Oracle Cloud Infrastructure (OCI) REST call walkthrough with curl.

  1. Create a file named STACK-RUN.sh. This will be your REST request, issued through curl-oci.sh (this tool prepares the Authorization header from your OCI credentials).

    img_1.png

  2. Create a file named request.json with your stack ID and compartment ID.

    img.png

  3. Open the curl-oci.sh file and set the following parameters. They are the same values found in your OCI CLI configuration (tenancy OCID, user OCID, key fingerprint and private key file).

    img_2.png

    Now, execute the script.

    img_3.png

    You can see the success results.

    img_4.png
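The page shows STACK-RUN.sh, request.json and the curl-oci.sh parameters only as screenshots. The script below is an added example, not Oracle's curl-oci.sh: it builds the OCI request signature with nothing but openssl and curl, so you can see exactly which headers are signed for a POST to CreateJob. All OCIDs, the region, the key path and the request body are placeholder assumptions; the body follows the CreateJob API (stackId plus jobOperationDetails) and must be adjusted to your stack.

```shell
#!/bin/sh
# Added example: sign an OCI REST request (Resource Manager CreateJob) with the
# OCI HTTP Signature scheme using openssl and curl only.
# Placeholder identifiers (assumptions): take the real values from ~/.oci/config.
TENANCY_OCID="${TENANCY_OCID:-ocid1.tenancy.oc1..aaaaexample}"
USER_OCID="${USER_OCID:-ocid1.user.oc1..aaaaexample}"
FINGERPRINT="${FINGERPRINT:-aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99}"
KEY_FILE="${KEY_FILE:-$HOME/.oci/oci_api_key.pem}"   # unencrypted PEM private key
REGION="${REGION:-us-ashburn-1}"
HOST="resourcemanager.${REGION}.oraclecloud.com"
API_PATH="/20180917/jobs"

# Constructed sample body: an APPLY job on a hypothetical stack OCID.
oci_write_sample_body() {
  printf '%s' '{"stackId":"ocid1.ormstack.oc1.iad.example","jobOperationDetails":{"operation":"APPLY","executionPlanStrategy":"AUTO_APPROVED"}}' > "$1"
}

# base64(sha256(body)); OCI requires this header on POST/PUT/PATCH so the body is covered by the signature.
oci_content_sha256() { openssl dgst -sha256 -binary "$1" | openssl base64 -A; }

oci_body_length() { wc -c < "$1" | tr -d ' '; }

# Header names that go into the signature, in the order they are signed.
oci_signed_headers() {
  if [ -n "$1" ]; then printf '%s' "date (request-target) host content-length content-type x-content-sha256"
  else printf '%s' "date (request-target) host"; fi
}

# Signing string: one "name: value" line per signed header, newline separated, no trailing newline.
# $1 lowercase method, $2 path (with query), $3 host, $4 RFC 1123 date, $5 body file (empty for GET/DELETE)
oci_signing_string() {
  s=$(printf 'date: %s\n(request-target): %s %s\nhost: %s' "$4" "$1" "$2" "$3")
  if [ -n "$5" ]; then
    s=$(printf '%s\ncontent-length: %s\ncontent-type: application/json\nx-content-sha256: %s' \
      "$s" "$(oci_body_length "$5")" "$(oci_content_sha256 "$5")")
  fi
  printf '%s' "$s"
}

# RSA-SHA256 (PKCS#1 v1.5) over the signing string, base64 on one line.
oci_sign() { printf '%s' "$2" | openssl dgst -sha256 -sign "$1" | openssl base64 -A; }

# Local check with the matching public key; returns 0 when the signature is valid.
oci_verify() {
  sigfile=$(mktemp); printf '%s' "$3" | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$2" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$sigfile"; return $rc
}

# $1 keyId (tenancy/user/fingerprint), $2 signed header list, $3 base64 signature
oci_authorization() {
  printf 'Signature version="1",keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"' "$1" "$2" "$3"
}

# Sign and send the CreateJob request; $1 is the JSON body file.
oci_create_job() {
  body=$1
  date=$(date -u '+%a, %d %b %Y %H:%M:%S GMT')   # must be the same value that is signed
  signing=$(oci_signing_string post "$API_PATH" "$HOST" "$date" "$body")
  sig=$(oci_sign "$KEY_FILE" "$signing")
  auth=$(oci_authorization "$TENANCY_OCID/$USER_OCID/$FINGERPRINT" "$(oci_signed_headers "$body")" "$sig")
  # curl adds the Host header itself; the other signed headers are sent explicitly.
  curl -sS -X POST "https://$HOST$API_PATH" \
    -H "date: $date" \
    -H "content-type: application/json" \
    -H "content-length: $(oci_body_length "$body")" \
    -H "x-content-sha256: $(oci_content_sha256 "$body")" \
    -H "authorization: $auth" \
    --data-binary "@$body"
}

# Usage: sh stack-run.sh run request.json   (without "run" the functions are only defined)
if [ "${1:-}" = "run" ]; then oci_create_job "${2:-request.json}"; fi
```

Because the signature covers the date, the request target, the host and the body hash, a replayed or modified request fails with a 401; the local `oci_verify` helper lets you confirm your signing string and key pair before sending anything to OCI. The job created this way runs with the permissions of the user whose key signed it, which is why the Task 2 policy, not the script, is what bounds the automation.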

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.