Introduction

The OCI (Oracle Cloud Infrastructure) Functions service is a powerful mechanism for providing custom integration capabilities between different processes, be them running in OCI or elsewhere. Functions can be called directly or configured to be invoked because of an OCI event. One typical use case for OCI Functions is connecting to some external system that processes data generated by OCI. OCI Functions are based on the open source Fn project and supports code written in Java, Python, Node, Go, Ruby, and C#. For an overview and to learn about functions, review our How OCI Functions Work and our OCI Function Overview.

Once you through those links, you soon realize that deploying an OCI Function has a few key requirements. This post presents these requirements and provides an automated solution in Terraform that you can use to quickly deploy (and test) any OCI Function.

Functions Deployment Requirements

Identity and Access Management

Besides a compartment, an OCI Function needs an identity to execute as, as it may interact with multiple OCI services that require proper authorization. This identity is assigned by a dynamic group that grants permissions on select OCI resources through a policy.

Networking

An OCI Function needs a network context to run in. In OCI, this means a subnet within a VCN (Virtual Cloud Network) with access to the OSN (Oracle Services Network). This is for enabling the OCI Function service to pull the function image from the OCIR (OCI Registry).

OCI Registry

The OCI Function service requires functions to be available as an image within OCIR. At runtime, the service pulls the image and executes the code. The deployment phase hence requires the image to be pushed to OCIR.

Logging

Logging is not properly a requirement, but extremely desirable to identify any issues when running the function in OCI. The function can be written to print debug statements that become available in OCI Logging service.

Functions Deployment Automation

The Terraform automation assumes the function code is available. Very shortly though, use the command fn init –runtime <function-language> <function-name> (fn init –runtime python hello-world, for example) to get a template ready to go. This command gives you a few files:

  • func.yaml: minimum amount of information required to build and run the function, including the function name, version and entrypoint method.
  • func.py: the function code itself. Out of box, there’s a handle method that you should change per your function requirements.
  • requirements.txt (in case of Python): defines the external packages and dependencies required by the function.

For details on having the initial function template created, see Creating, Deploying and Invoking a Helloworld Function.

The provided Terraform automation supports for the following aspects:

  • IAM configuration, including compartment, dynamic group and IAM policy. 
  • Function configuration: creates all the required regional infrastructure to deploy and run the function:
    • Builds the function image and pushes it OCIR.
    • Deploys the network infrastructure, including a VCN, private subnet with appropriate access to Oracle Services Network via Service Gateway. Optionally, an existing subnet can be provided, in which case it must already has the appropriate connectivity to Oracle Services Network.
    • Deploys a function application resource and the function resource.
    • Optionally deploys a log group resource and a log resource for the function, very important for debugging.
    • Supports passing input parameters to the function.
    • Supports testing the function.

The Terraform configuration is recommended to be deployed through OCI Resource Manager service, in which case there’s no need to have fn or docker (or any compatible tool, like podman) locally available. The Resource Manager service already has these tools (fn and podman) in its fleet. If your intent is deploying the configuration from some local machine using Terraform CLI, you must have fn and docker (or podman) installed in that machine. If you wish to deploy with Terraform CLI and do not want to bother installing fn and docker (or podman), use OCI Cloud Shell.

Conclusion

This post describes the basic requirements for deploying and running OCI Functions and provides a Terraform automation that caters for the various aspects involved, bringing repeatability and consistency to the process. The provided automation is generic enough to deploy most OCI functions. Feedback is always appreciated. If you have any, please file an issue in the GitHub repository.