Prepare the Tenancy for Function Development

To enable a function to access another Oracle Cloud Infrastructure resource, you have to include the function in a dynamic group, and then create a policy to grant the dynamic group access to that resource.

Create a Dynamic Group for Functions

Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups). You can then create policies to permit instances to make API calls against Oracle Cloud Infrastructure services.

When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. For example, a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment.

  1. Open the Console, click Identity, and then click Dynamic Groups. A list of the dynamic groups in your tenancy is displayed.
  2. Click Create Dynamic Group.
  3. Enter the following:
    • Name: A unique name for the group. The name must be unique across all groups in your tenancy (dynamic groups and user groups). You can't change this later.
    • Description: A friendly description. You can't change this in the Console, but you can change it using the API.
  4. Enter the Matching Rules. Resources that meet the rule criteria are members of the group.
    • Rule 1: To allow all functions in a compartment to be able to access a resource, enter a rule similar to the following, where <compartment_id> is the OCID of the compartment where the application and associated functions will be deployed:
      ALL {resource.type = 'fnfunc', resource.compartment.id = '<compartment_id>'}
    • Enter additional rules as needed. To add a rule, click +Additional Rule.

  5. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  6. Click Create Dynamic Group.

    The matching rule syntax is verified, but the OCIDs you used in the rules are not. Be sure that the OCIDs you enter are correct.

Create Policies for Functions

A policy allows a group to work in certain ways with specific types of resources in a particular compartment.

The group and compartment for which you're writing the policy must already exist.

The following steps add policies to the compartment where the application and associated functions will be deployed, and to the root compartment for the instance.

  1. Open the navigation menu. Under Governance and Administration, click Identity and then click Policies.
    A list of the policies in the compartment you're viewing is displayed.
  2. From the list of compartments on the left, select the compartment where the application and associated functions will be deployed.
  3. Click Create Policy.
  4. Provide the following:
    • Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
    • Description: A friendly description. You can change this later if you want to.
    • Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or, if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format.
  5. Provide a policy Statement. To add one or more predefined statements, click Customize (Advanced).
    Add the following policy statements where <group_name> is the name of the associated dynamic group and <compartment_name> is the compartment where the application and associated functions will be deployed:
    • Add the following statements to allow functions to access resources in the compartment:
      Allow dynamic-group <group_name> to manage buckets in compartment <compartment_name>
      Allow dynamic-group <group_name> to manage objects in compartment <compartment_name>
      Allow dynamic-group <group_name> to use autonomous-databases in compartment <compartment_name> where request.permission='AUTONOMOUS_DATABASE_CONTENT_READ'
      Allow dynamic-group <group_name> to inspect instances in compartment <compartment_name>
      Allow service FaaS to use virtual-network-family in compartment <compartment_name>
      Allow group fleetAdmins to manage functions-family in compartment <compartment_name>
    • Add the following statements to allow Oracle Cloud Infrastructure Events to call functions when a file is uploaded to Oracle Cloud Infrastructure Object Storage:
      Allow dynamic-group <group_name> to inspect streams in compartment <compartment_name>
      Allow dynamic-group <group_name> to manage cloudevents-rules in compartment <compartment_name>
      Allow dynamic-group <group_name> to use stream-push in compartment <compartment_name>
      Allow dynamic-group <group_name> to use stream-pull in compartment <compartment_name>
  6. Click Create.
    The newly created policy is listed with the policies for the compartment.
  7. From the list of compartments on the left, select the root compartment (<instance-name> (root)) and repeat steps 3 and 4 above.
  8. Provide a policy Statement. To add one or more predefined statements, click Customize (Advanced).
    Add the following policy statements where <compartment_name> is the compartment where the application and associated functions will be deployed:
    Allow service FaaS to manage repos in tenancy
    Allow service FaaS to use virtual-network-family in compartment <compartment_name>
  9. Click Create.
    The newly created policy is listed with the policies for the root compartment.
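One way to prepare the inputs for both procedures above outside the Console, as an added example that is not Oracle's code or part of the original page: it builds the Rule 1 matching rule and the compartment policy statements, checks that the compartment OCID is at least well-formed (the Console verifies rule syntax but not OCIDs), refuses statements that still contain an unfilled placeholder, and lists who each statement grants to so the grants that are not to the functions' dynamic group stand out for review. The OCID field layout used by validate_ocid and all sample values are assumptions constructed for this example.

```python
import re

# Assumption for this example: an OCID reads ocid1.<type>.<realm>.[region][.future-use].<unique-id>,
# which gives 5 or 6 dot-separated fields; lowercase alphanumerics and '-' only.
def validate_ocid(ocid, allowed_types=("compartment", "tenancy")):
    """True if ocid is syntactically an OCID whose resource type is in allowed_types."""
    parts = ocid.split(".")
    if len(parts) not in (5, 6) or parts[0] != "ocid1":
        return False
    kind, realm, unique = parts[1], parts[2], parts[-1]
    if kind not in allowed_types or not realm or not unique:
        return False
    return all(re.fullmatch(r"[a-z0-9-]*", p) for p in parts[1:])

def functions_matching_rule(compartment_id):
    """Rule 1 from the page: every function (fnfunc) in the compartment joins the group."""
    if not validate_ocid(compartment_id):
        raise ValueError(f"not a compartment/tenancy OCID: {compartment_id!r}")
    return ("ALL {resource.type = 'fnfunc', "
            f"resource.compartment.id = '{compartment_id}'}}")

# Statement templates from the procedure; <group_name> and <compartment_name> are the page's placeholders.
COMPARTMENT_STATEMENTS = [
    "Allow dynamic-group <group_name> to manage buckets in compartment <compartment_name>",
    "Allow dynamic-group <group_name> to manage objects in compartment <compartment_name>",
    "Allow dynamic-group <group_name> to use autonomous-databases in compartment <compartment_name> "
    "where request.permission='AUTONOMOUS_DATABASE_CONTENT_READ'",
    "Allow dynamic-group <group_name> to inspect instances in compartment <compartment_name>",
    "Allow service FaaS to use virtual-network-family in compartment <compartment_name>",
    "Allow group fleetAdmins to manage functions-family in compartment <compartment_name>",
]

PLACEHOLDER = re.compile(r"<[^<>]+>")

def render_statements(templates, group_name, compartment_name):
    """Fill in the placeholders; refuse any statement that still carries one."""
    out = []
    for t in templates:
        s = t.replace("<group_name>", group_name).replace("<compartment_name>", compartment_name)
        leftover = PLACEHOLDER.findall(s)
        if leftover:
            raise ValueError(f"unfilled placeholder(s) {leftover} in: {s}")
        out.append(s)
    return out

def grantees(statements):
    """Distinct (subject kind, subject name) pairs, e.g. ('dynamic-group', 'fn-dg').
    Anything other than the functions' dynamic group deserves a second look before Create."""
    return sorted({(s.split()[1].lower(), s.split()[2]) for s in statements})
```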