In the cloud era, the key metric is speed. That, in combination with a self-service model (every service team owns its own small piece of the cloud), leads to a less secure cloud. Some examples are:
To be agile, you want users to be able to perform all of the above actions. However, as an administrator, you want to control those actions, or at least be notified when they happen, or in some cases delete the resulting artifacts as soon as they are created.
Oracle announced some new OCI-native services that can be used to implement that. I will describe those services first and then the implementation.
Every OCI service emits events: structured messages that indicate 1. a CRUD operation on an OCI service, or 2. a state change of an instance of a service. You can monitor those events and take corrective measures through functions, or notify the administrator about the event. OCI also supports filtering the monitored events. OCI Events (the messages, not the service) follow the CloudEvents industry-standard format hosted by the Cloud Native Computing Foundation (CNCF). This standard allows interoperability between cloud providers, and between on-premises systems and cloud providers. You can find more information about Events here.
OCI Functions is an OCI service powered by the Fn Project open-source engine. A function is a piece of code that you write in your preferred language and trigger as needed, without worrying about the underlying infrastructure, including scaling. Oracle ensures that your function is highly available, secure, and monitored. You can invoke a function using the CLI or the OCI SDK, or an event can trigger the invocation, and you are charged only for the resources consumed during execution. You can find more information about Functions here.
The OCI Notifications service broadcasts messages to selected channels; a channel can be email or PagerDuty. Notifications follow a topic-and-subscription model: you create topics, and users subscribe to them. You can find more information about Notifications here.
If a compute instance in the given compartment has a public IP, then terminate the instance.
The gist of the implementation: when a monitored event takes place, take some action.
A compute instance can get a public IP in two ways: during provisioning, I can choose to assign a public IP, or after provisioning, I can create a secondary VNIC with a public IP. To cover both, I will monitor both the instance launch end event and the VNIC attach end event. Since I want to monitor events in a given compartment, I will add a condition for that compartment.
As actions, I will configure an email notification and invoke a function. The function will check whether the compute instance has a public IP and terminate the instance if it does.
Event configuration has two parts: which events I want to monitor, and what action I want to take when an event occurs.
When the event occurs, I will configure OCI to send an email notification and invoke a function. Email notification, as the name suggests, is straightforward: it sends the event payload to the subscribed users. I want to focus on function invocation and what can be done in the function.
The IAM policies required for the Events service to invoke a function and publish to a notification topic are:
Allow service cloudEvents to use ons-topic in tenancy
Allow service cloudEvents to use functions-family in tenancy
The function, when invoked, receives the event payload in JSON format. The function first reads the event payload to determine the event type. Every event type has a different payload: for example, an Object Storage event payload differs from a compute instance creation payload, and a compute instance creation payload differs from a VNIC attachment payload.
Once you know the event type in the function, you can read the resource OCID. With the resource OCID, you can call OCI to fetch more details; for example, with the OCID of a compute instance you can fetch its public IP. If the compute instance has a public IP, you can choose to terminate it.
Below is the code snippet to check whether the compute instance has a public IP.
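As an added example (not code from the original post), here is the decision logic just described in Python, one of the languages OCI Functions supports. The event-type names, the OCIDs and the public_ips_of lookup that stands in for the VNIC SDK calls are all assumed or constructed so the logic runs offline; it goes a little beyond the post's snippet by also rejecting unmonitored event types, events from other compartments and malformed payloads.

```python
import json
from typing import Callable, Dict, Iterable

# Event types the rule above reacts to (assumed names; copy the exact strings
# from the rule you configure in the OCI Events console).
MONITORED_EVENT_TYPES = {
    "com.oraclecloud.computeapi.launchinstance.end",
    "com.oraclecloud.computeapi.attachvnic.end",
}

def parse_event(raw_payload: str) -> Dict[str, str]:
    """Pull eventType, resourceId and compartmentId out of a CloudEvents-format OCI event."""
    event = json.loads(raw_payload)
    data = event.get("data") or {}
    return {"eventType": event["eventType"],
            "resourceId": data["resourceId"],
            "compartmentId": data["compartmentId"]}

def decide_action(raw_payload: str, guarded_compartment: str,
                  public_ips_of: Callable[[str, str], Iterable[str]]) -> Dict[str, object]:
    """Governance decision for one event. public_ips_of(compartment_id, instance_id)
    stands in for the SDK calls (list VNIC attachments, get each VNIC) and returns
    the public IPs found, so the decision logic can be exercised offline."""
    try:
        ev = parse_event(raw_payload)
    except (ValueError, KeyError, TypeError) as exc:
        return {"action": "error", "reason": f"unusable payload: {exc!r}"}
    if ev["eventType"] not in MONITORED_EVENT_TYPES:
        return {"action": "ignore", "reason": "event type not monitored"}
    if ev["compartmentId"] != guarded_compartment:
        return {"action": "ignore", "reason": "event outside guarded compartment"}
    ips = sorted(set(public_ips_of(ev["compartmentId"], ev["resourceId"])))
    action = "terminate" if ips else "ok"
    return {"action": action, "instance": ev["resourceId"], "publicIps": ips}

# Constructed sample payload in the shape OCI delivers (OCIDs are placeholders).
SAMPLE_LAUNCH_EVENT = json.dumps({
    "eventType": "com.oraclecloud.computeapi.launchinstance.end",
    "cloudEventsVersion": "0.1",
    "data": {"compartmentId": "ocid1.compartment.oc1..guarded",
             "resourceId": "ocid1.instance.oc1.phx..web01",
             "resourceName": "web-01"},
})

# Constructed stand-in for the VNIC lookups: web01 has a public IP, db01 does not.
FAKE_PUBLIC_IPS = {"ocid1.instance.oc1.phx..web01": ["203.0.113.10"],
                   "ocid1.instance.oc1.phx..db01": []}

def fake_lookup(compartment_id: str, instance_id: str) -> Iterable[str]:
    return FAKE_PUBLIC_IPS.get(instance_id, [])
```

In a real function the handler would call decide_action with a lookup built on ComputeClient and VirtualNetworkClient and issue the terminate request only when the action is "terminate".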
    // Imports needed by the snippet (OCI Java SDK package names)
    import java.util.ArrayList;
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;
    import com.oracle.bmc.core.model.VnicAttachment;
    import com.oracle.bmc.core.requests.GetVnicRequest;
    import com.oracle.bmc.core.requests.ListVnicAttachmentsRequest;
    import com.oracle.bmc.core.responses.GetVnicResponse;

    // cEvent is the parsed event payload delivered to the function; computeClient
    // and vcnClient are ComputeClient and VirtualNetworkClient instances created earlier.
    if (cEvent != null) {
        String eventType = cEvent.getEventType();
        resourceID = cEvent.getData().getResourceId();
        compartmentID = cEvent.getData().getCompartmentID();

        // List every VNIC attached to the instance identified by the event.
        Iterable<VnicAttachment> vnicAttachmentsIterable = computeClient.getPaginators()
            .listVnicAttachmentsRecordIterator(ListVnicAttachmentsRequest.builder()
                .compartmentId(compartmentID)
                .instanceId(resourceID)
                .build());
        List<String> vnicIds = new ArrayList<String>();
        for (VnicAttachment va : vnicAttachmentsIterable) {
            vnicIds.add(va.getVnicId());
        }

        // Look up each VNIC; a non-null publicIp means the instance is reachable from the Internet.
        Set<String> publicIps = new HashSet<String>();
        for (String vnicId : vnicIds) {
            GetVnicResponse getVnicResponse =
                vcnClient.getVnic(GetVnicRequest.builder().vnicId(vnicId).build());
            if (getVnicResponse.getVnic().getPublicIp() != null) {
                publicIps.add(getVnicResponse.getVnic().getPublicIp());
            }
        }
        computeClient.close();
        vcnClient.close();

        if (publicIps.isEmpty()) {
            return "Success. Compute " + resourceID + " doesn't have public IP. You are good!";
        } else {
            return "Success. Compute " + resourceID + " has public IP. Terminate it!";
        }
    }
    // Imports for the terminate-and-poll snippet (OCI Java SDK plus the Failsafe retry library)
    import java.util.concurrent.Callable;
    import net.jodah.failsafe.Failsafe;
    import com.oracle.bmc.core.requests.TerminateInstanceRequest;
    import com.oracle.bmc.core.responses.TerminateInstanceResponse;
    import com.oracle.bmc.identity.requests.GetWorkRequestRequest;
    import com.oracle.bmc.identity.responses.GetWorkRequestResponse;

    // Terminate the instance identified by the event (the request must carry the instance OCID).
    TerminateInstanceRequest request = TerminateInstanceRequest.builder()
        .instanceId(resourceID)
        .build();
    TerminateInstanceResponse response = computeClient.terminateInstance(request);
    String opcRequestID = response.getOpcRequestId();

    // Poll the work request under RETRY_POLICY (a Failsafe RetryPolicy defined elsewhere in the function).
    final GetWorkRequestRequest getWorkRequestRequest =
        GetWorkRequestRequest.builder()
            .workRequestId(response.getOpcRequestId())
            .build();
    GetWorkRequestResponse getWorkRequestResponse =
        Failsafe.with(RETRY_POLICY)
            .get(new Callable<GetWorkRequestResponse>() {
                public GetWorkRequestResponse call() {
                    return identityClient.getWorkRequest(getWorkRequestRequest);
                }
            });
The email notification configuration has two parts: creating the topic and creating a subscription for the topic. Here is how you create the topic.
Once the topic is created, you can create subscriptions for it, as captured in the screenshot below.
A sample email notification with the event payload looks like the email below.
Apart from governance use cases, Events plus Functions can also help with other functional use cases. A couple of examples are:
Oracle announced Cloud Guard, which will handle some of these governance use cases out of the box. We will return to this topic when Cloud Guard is available.
Kiran Thakkar is an expert in Identity and Access Management with more than 10 years of experience in the space. He is also an OCI Certified Associate Architect and helps customers with OCI use cases. He is a believer in blockchain technology and follows that space as it grows.