Introduction

This is Part 2 of the “Extending Oracle Blockchain Events with OCI” series. In Part 1 I introduced the solution architecture and the different components that will be utilized for extending Oracle Blockchain platform with OCI services. In this Blog series, I will explain the steps needed to prepare your OCI environment and setup all the needed security artifacts.

The first building block of any Oracle OCI solution is to ensure you have the proper IAM policies for provisioning, managing and configuring OCI services. To properly scope your access, it is recommended that you create a dedicate group and target the corresponding required policies against it.

Note: Make sure to login as a user with OCI Administrator privileges.

Compartments

Compartments are the primary building blocks you use to organize your cloud resources. You use compartments to organize and isolate your resources to make it easier to manage and secure access to them.  When your tenancy is provisioned, a root compartment is created for you. Your root compartment holds all of your cloud resources. You can think of the root compartment like a root folder in a file system.  The first time you sign in to the Console and select a service, you will see your one, root compartment.

You can create compartments under your root compartment to organize your cloud resources in a way that aligns with your resource management goals. As you create compartments, you control access to them by creating policies that specify what actions groups of users can take on the resources in those compartments.

 Let us start by creating a dedicated OCI compartment

From OCI console main navigation menu, select Identity/Compartments and click “Create Compartment” to create a new “OBP_Events” compartment. Make sure to select your root compartment under “Parent Compartment” option

After the new compartment is created, copy its OCID and store it on a scratch card as you will be using it later on; it will be referenced as “compartment_ocid” Simply hover your mouse over the OCID value and the select “Copy” from the popup menu

Now all the OCI artifacts we will create will live within this compartment.

Groups

The second building block is creating groups. Select Groups and then click “Create Group” to create a new Group named “OBP_Events_Group”. After the group is created you need to add your user to that group. To do so, click on the “OBP_Events_Group” and add your user to that group.

All security policies will be targeted against this group “OBP_Events_Group”

Within OCI, it is very common that you not only grant users privileges to access, use and manage OCI services, but also you need to grant some “OCI Services” privileges to manage other “OCI Services”, in our case API Gateway and Oracle Functions need privileges to use OCI Network services in addition to access each other. For that you need to create a “Dynamic Group” and apply policies against it.

From Dynamic Groups menu, create a new Dynamic Group “OBP_Events_Dynamic_Group” and create 2 rules to include API Gateway and Oracle Functions in it.

all {resource.type='fnfunc',resource.compartment.id='COMPARTMENT_OCID'}
all {resource.type='ApiGateway',resource.compartment.id='COMPARTMENT_OCID'}

Make sure to replace "COMPARTMENT_OCID" with your compartment OCID

Policies

A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how. A policy simply allows a group  to work in certain ways with specific types of resources  in a particular compartment . 

Now as your groups are created, it is time to create the targeted policies.

From “Policies” menu, create a new Policy “OBP_Events_Policies” and add the below Policies, make sure to select the “Root” compartment under the “Compartments” drop down menu:

Allow dynamic-group OBP_Events_Dynamic_Group to manage vaults in compartment OBP_Events
Allow dynamic-group OBP_Events_Dynamic_Group to manage keys in compartment OBP_Events
Allow dynamic-group OBP_Events_Dynamic_Group to manage key-delegate in compartment OBP_Events
Allow dynamic-group OBP_Events_Dynamic_Group to use virtual-network-family in compartment OBP_Events
Allow dynamic-group OBP_Events_Dynamic_Group to use functions-family in compartment OBP_Events
Allow dynamic-group OBP_Events_Dynamic_Group to manage public-ips in compartment OBP_Events
Allow service FaaS to use virtual-network-family in compartment OBP_Events
Allow service FaaS to read repos in tenancy
Allow group OBP_Events_Group to use cloud-shell in tenancy
Allow group OBP_Events_Group to manage all-resources in compartment OBP_Events
Allow group OBP_Events_Group to manage repos in tenancy

 Now as you have all the needed requirements in place,  you need to get hold of some details and store them in a scratch card for later use

Create API Key

Oracle OCI Cloud Shell is a web browser-based terminal accessible from the Oracle Cloud Console, it provides access to a Linux shell, with a pre-authenticated Oracle Cloud Infrastructure CLI and other useful tools. It is pre-configured with OCI SDK, Terraform, FN, docker, git and many more. 

You need to create an “OCI API Key” that will be used later on to run the terraform scripts.

Start OCI Cloud Shell by clicking on its icon in the top right corner, in few seconds you will see a full functioning terminal within your browser

Create folder to store the certificates we are going to create:

mkdir ~/.oci

Generate a private key:

openssl genrsa -out ~/.oci/oci_api_key.pem 2048

Ensure that only you can read the private key file:

chmod go-rwx ~/.oci/oci_api_key.pem

Generate a public key:

openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem

upload certificate to your profile using OCI SDK, make sure to set the value of  USER_OCID you captured before. Also for REGION, make sure to copy the “Region Identifier” value from documentation that maps to the home_region you captured before.

oci iam user api-key upload --user-id USER_OCID --key-file ~/.oci/oci_api_key_public.pem --region REGION

This will upload the API Key to your profile, you can check it from console under user details screen. Copy the value of the “Fingerprint” and add it to the scratch card list for later use.

Next Step

Part 3: Build your Oracle Function "Event Producer"