This is Part 4 of the “Extending Oracle Blockchain Events with OCI” Blog series. In previous blog posts I covered:
As explained in Part 1: Introduction, the solution uses several OCI services: a Virtual Cloud Network (VCN) with subnets, route tables, security lists, an Internet Gateway and a NAT Gateway; Functions; API Gateway; KMS; and OCIR. You can provision and configure these services manually in the OCI Console, or you can automate the process with Terraform. Below is the architectural diagram of the artifacts that need to be provisioned.
In this blog series, I'll be provisioning the OCI infrastructure using Terraform.
Before you start, make sure you have completed Part 2: Prepare OCI Environment and captured all the required details, as they are referenced throughout this post.
In Part 2: Prepare OCI Environment we used Cloud Shell; we will use it again here to run the Terraform scripts.
Note: Log in as a user with OCI Administrator privileges. The scripts create resources in several services (networking, Functions, API Gateway, KMS, Streaming), and a less privileged user would fail part-way through with an authorization error, leaving a partially created deployment to clean up.
From within OCI Cloud Shell, start by cloning the solution's GitHub repo:
git clone https://github.com/oracle-quickstart/oci-obp-extension.git
This clones the repo into a folder named “oci-obp-extension”. Inside it you will find a “terraform” folder containing the scripts that provision the needed infrastructure. cd into “oci-obp-extension/terraform” to start the fun part :)
Start by editing the “terraform.tfvars” file to provide the values needed to connect to your OCI tenancy, using the values you captured in Part 2: Prepare OCI Environment.
You can use the “vi” command to edit the file.
REGION: copy the “Region Identifier” value (for example us-ashburn-1) for your home region from the OCI regions documentation.
PRIVATE_KEY_PATH: run “echo ~/.oci”; this prints the full path of that directory. Append “/oci_api_key.pem” to it, for example ‘/home/tamer_qumh/.oci/oci_api_key.pem’. This file is the private half of your API signing key, so keep it readable only by you (chmod 600) and never paste its contents into terraform.tfvars.
Before running Terraform, unset the following environment variables. Cloud Shell sets them for its own token-based authentication, and if they are left set the OCI Terraform provider can pick them up instead of the API key you configured in terraform.tfvars:
unset OCI_AUTH OCI_use_obo_token
With the variables set, initialize the Terraform project:
terraform init
Then run a plan to review exactly what will be created (and nothing else):
terraform plan
Finally, apply to provision the solution. -auto-approve skips the interactive confirmation, so only use it after you have reviewed the plan output:
terraform apply -auto-approve
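Before typing the three Terraform commands it is worth checking the inputs once, because a wrong fingerprint or a stale Cloud Shell variable only surfaces as an authentication error deep inside terraform apply. The preflight script below is an added example, not code from this post or from the oci-obp-extension repository. It assumes the terraform.tfvars keys tenancy_ocid, user_ocid, fingerprint, private_key_path, region and compartment_ocid (the OCI provider's conventional names; adjust REQUIRED_KEYS to match the repo's file) and an openssl binary on PATH for the fingerprint check.

```python
"""Preflight checks before running the Terraform scripts from OCI Cloud Shell.

Added example; not code from the oci-obp-extension repository. Assumptions:
the tfvars keys listed in REQUIRED_KEYS (the OCI provider's usual names) and
an `openssl` binary on PATH for the fingerprint check.
"""
import hashlib
import os
import re
import shutil
import stat
import subprocess
import sys

# Assumed terraform.tfvars keys; adjust to match the repo's file.
REQUIRED_KEYS = ("tenancy_ocid", "user_ocid", "fingerprint",
                 "private_key_path", "region", "compartment_ocid")
# Cloud Shell auth variables the post says to unset before running Terraform.
STALE_ENV = ("OCI_AUTH", "OCI_use_obo_token")

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_tfvars(text):
    """Parse flat `key = "value"` lines; comments, blank and unparseable lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]            # strip trailing comments
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        values[key] = raw
    return values


def missing_keys(values):
    """Required keys that are absent or empty."""
    return [k for k in REQUIRED_KEYS if not values.get(k)]


def key_file_problems(path):
    """Findings for the API private key file: must exist, be regular, and be mode 600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_mode & 0o077:
        problems.append(f"{path}: readable by group/other "
                        f"(mode {stat.S_IMODE(st.st_mode):o}); run chmod 600")
    return problems


def key_fingerprint(path):
    """OCI API key fingerprint: colon-separated MD5 of the DER-encoded public key,
    the same value the Console shows next to an uploaded API key."""
    der = subprocess.run(
        ["openssl", "rsa", "-pubout", "-outform", "DER", "-in", path],
        capture_output=True, check=True).stdout
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stale_env(environ=None):
    """Cloud Shell auth variables that are still set."""
    environ = os.environ if environ is None else environ
    return [k for k in STALE_ENV if k in environ]


def preflight(tfvars_path, environ=None):
    """Run every check; an empty list means it is safe to run terraform."""
    findings = []
    with open(tfvars_path) as f:
        values = parse_tfvars(f.read())
    findings += [f"{tfvars_path}: {k} is not set" for k in missing_keys(values)]
    key_path = values.get("private_key_path")
    if key_path:
        key_path = os.path.expanduser(key_path)
        key_problems = key_file_problems(key_path)
        findings += key_problems
        if not key_problems and values.get("fingerprint") and shutil.which("openssl"):
            actual = key_fingerprint(key_path)
            if actual != values["fingerprint"].lower():
                findings.append(f"fingerprint in {tfvars_path} ({values['fingerprint']}) "
                                f"does not match the key at {key_path} ({actual})")
    findings += [f"{k} is set; run: unset {' '.join(STALE_ENV)}" for k in stale_env(environ)]
    return findings


if __name__ == "__main__":
    problems = preflight(sys.argv[1] if len(sys.argv) > 1 else "terraform.tfvars")
    for p in problems:
        print("FAIL:", p)
    if problems:
        sys.exit(1)
    print("OK: now run terraform init, terraform plan -out=tfplan, terraform apply tfplan")
```

Run it from the oci-obp-extension/terraform folder as python3 preflight.py terraform.tfvars; a non-zero exit means fix the listed findings before terraform init. The fingerprint check recomputes the value OCI derived when the public key was uploaded, so a mismatch means the tfvars fingerprint and the file at PRIVATE_KEY_PATH belong to different keys.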
After a few minutes the scripts should finish; when they do you should see output similar to the below.
Make a note of these outputs, as you will use them in the next blog post, Part 5: Configuring Blockchain.
To see which components were created, you can use the Compartment Explorer in the OCI Console.
As mentioned in Part 3: Build the Oracle Functions "Event Producer", the Oracle Function is configured through a set of function configuration parameters (key/value pairs) that are created at deployment time. You can set these from the OCI Console, but they can also be managed with Terraform; notice the "config" section in the function resource below. One thing to check in the image path: OCIR repository paths use the tenancy's Object Storage namespace, and the script assumes that equals the tenancy name, which holds for older tenancies but not for all. If "oci os ns get" returns something different from your tenancy name, adjust the image path to use the namespace.
// Function
resource "oci_functions_function" "obp-events-function" {
  #Required
  application_id = oci_functions_application.obp-events-application.id
  display_name   = "obpeventsfunc"
  # The function image pushed to OCIR (see Part 3): <region key>.ocir.io/<tenancy>/obpeventsfunc:0.0.1
  image          = "${lower(data.oci_identity_regions.current_region.regions[0].key)}.ocir.io/${data.oci_identity_tenancy.tenant_details.name}/obpeventsfunc:0.0.1"
  memory_in_mbs  = "1024"
  # Function configuration, exposed to the function as environment variables.
  # USER_NAME and AUTH_TOKEN are KMS ciphertext; the function decrypts them using KMS_ENDPOINT and KMS_KEY_ID.
  config = {
    "BOOT_STRAP_SERVERS" = oci_streaming_stream_pool.obp-events-stream-pool.kafka_settings[0].bootstrap_servers
    "TENANT_NAME"        = data.oci_identity_tenancy.tenant_details.name
    "USER_NAME"          = oci_kms_encrypted_data.username-encrypt-data.ciphertext
    "AUTH_TOKEN"         = oci_kms_encrypted_data.auth-token-encrypt-data.ciphertext
    "STREAM_OCID"        = oci_streaming_stream_pool.obp-events-stream-pool.id
    "KMS_ENDPOINT"       = oci_kms_vault.obp-events-vault.crypto_endpoint
    "KMS_KEY_ID"         = oci_kms_key.obp-events-key.id
  }
}
As discussed before, the USER_NAME and AUTH_TOKEN values are encrypted ahead of time with KMS, and Terraform handles that as well: it creates a KMS vault, an encryption key in that vault, and finally the encrypted data. Only the resulting ciphertext goes into the function configuration. That matters because function configuration values are visible in the OCI Console and API to anyone permitted to read the function, so a raw auth token placed there would be exposed.
KMS requires the text to be encrypted to be base64 encoded, hence the use of Terraform's base64encode function; now you can see why the decrypted text was base64-decoded in Part 3: Build the Oracle Functions "Event Producer". Two things to be aware of: Terraform records every resource argument in its state file, so the plaintext argument (the base64 of your auth token) ends up in terraform.tfstate next to the ciphertext, and the raw token itself sits in terraform.tfvars. Treat both files as secrets: keep them out of version control, restrict their file permissions, and if you move the state to a remote backend make sure that storage is private and encrypted. Also note that key_shape.length is expressed in bytes, so 24 gives AES-192; use 32 if you want AES-256.
#*************************************
# KMS
#*************************************
# Virtual vault holding the key used to encrypt the function's secrets
resource "oci_kms_vault" "obp-events-vault" {
  #Required
  compartment_id = var.compartment_ocid
  display_name   = "Blockchain Platform Events Vault"
  vault_type     = "VIRTUAL"
}

# Symmetric key; key_shape.length is in bytes, so 24 = AES-192 (32 would give AES-256)
resource "oci_kms_key" "obp-events-key" {
  #Required
  compartment_id = var.compartment_ocid
  display_name   = "OBP Events Key"
  key_shape {
    #Required
    algorithm = "AES"
    length    = "24"
  }
  management_endpoint = oci_kms_vault.obp-events-vault.management_endpoint
}

# Encrypt the auth token; KMS expects base64-encoded plaintext.
# Note: Terraform records this plaintext argument in the state file.
resource "oci_kms_encrypted_data" "auth-token-encrypt-data" {
  #Required
  crypto_endpoint = oci_kms_vault.obp-events-vault.crypto_endpoint
  key_id          = oci_kms_key.obp-events-key.id
  plaintext       = base64encode(var.auth_token)
}

# Encrypt the name of the user running Terraform (the user whose auth token is used)
resource "oci_kms_encrypted_data" "username-encrypt-data" {
  #Required
  crypto_endpoint = oci_kms_vault.obp-events-vault.crypto_endpoint
  key_id          = oci_kms_key.obp-events-key.id
  plaintext       = base64encode(data.oci_identity_user.current_user.name)
}
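Because the oci_kms_encrypted_data resources keep their plaintext argument in state, it is worth checking terraform.tfstate after the apply to see exactly which secrets it holds, and confirming that the function's config map only carries KMS ciphertext for the sensitive entries. The scanner below is an added example, not code from this post or the oci-obp-extension repository; it relies only on Terraform's documented JSON state layout (version 4: "resources", each with "instances" holding "attributes"), and SAMPLE_STATE is constructed for the example with fake values.

```python
"""Find secrets that Terraform has left in its state after encrypting them with KMS.

Added example; not code from the oci-obp-extension repository. Relies only on
Terraform's documented JSON state layout (version 4: "resources" -> "instances"
-> "attributes"); SAMPLE_STATE below is constructed for this example.
"""
import base64
import binascii
import json
import sys


def _decode_b64(value):
    """Decode base64 text; returns None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def managed_instances(state):
    """Yield (address, type, attributes) for each managed resource instance."""
    for res in state.get("resources", []):
        if res.get("mode", "managed") != "managed":   # skip data sources
            continue
        instances = res.get("instances", [])
        for idx, inst in enumerate(instances):
            address = f"{res['type']}.{res['name']}"
            if len(instances) > 1:
                address += f"[{idx}]"
            yield address, res["type"], inst.get("attributes") or {}


def plaintext_in_state(state):
    """Secrets stored in the clear: oci_kms_encrypted_data keeps its `plaintext`
    argument (base64 of the real value) in state next to the ciphertext."""
    leaks = []
    for address, rtype, attrs in managed_instances(state):
        if rtype == "oci_kms_encrypted_data" and attrs.get("plaintext"):
            decoded = _decode_b64(attrs["plaintext"])
            leaks.append((address, decoded if decoded is not None else attrs["plaintext"]))
    return leaks


def unencrypted_function_config(state):
    """Function config entries whose value is not a ciphertext produced by an
    oci_kms_encrypted_data resource in this state. Config values are visible to
    anyone who can read the function, so secrets must only appear as ciphertext."""
    ciphertexts = {attrs.get("ciphertext")
                   for _, rtype, attrs in managed_instances(state)
                   if rtype == "oci_kms_encrypted_data"}
    ciphertexts.discard(None)
    clear = []
    for address, rtype, attrs in managed_instances(state):
        if rtype == "oci_functions_function":
            for key, value in (attrs.get("config") or {}).items():
                if value not in ciphertexts:
                    clear.append((address, key))
    return clear


# Constructed sample state mirroring the resources in this post; all values are fake.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "oci_kms_encrypted_data", "name": "auth-token-encrypt-data",
         "instances": [{"attributes": {
             "plaintext": base64.b64encode(b"fake-auth-token").decode(),
             "ciphertext": "AAAA-fake-ciphertext-1"}}]},
        {"mode": "managed", "type": "oci_kms_encrypted_data", "name": "username-encrypt-data",
         "instances": [{"attributes": {
             "plaintext": base64.b64encode(b"someone@example.com").decode(),
             "ciphertext": "AAAA-fake-ciphertext-2"}}]},
        {"mode": "managed", "type": "oci_functions_function", "name": "obp-events-function",
         "instances": [{"attributes": {"display_name": "obpeventsfunc", "config": {
             "AUTH_TOKEN": "AAAA-fake-ciphertext-1",
             "USER_NAME": "AAAA-fake-ciphertext-2",
             "TENANT_NAME": "example-tenancy",
             "KMS_ENDPOINT": "https://example-crypto.invalid"}}}]},
        {"mode": "data", "type": "oci_identity_tenancy", "name": "tenant_details",
         "instances": [{"attributes": {"name": "example-tenancy"}}]},
    ],
}


def report(state):
    """Human-readable lines for both checks."""
    lines = [f"PLAINTEXT IN STATE  {addr}: {value}" for addr, value in plaintext_in_state(state)]
    lines += [f"CLEARTEXT CONFIG    {addr}.config[{key}]"
              for addr, key in unencrypted_function_config(state)]
    return lines


if __name__ == "__main__":
    # Usage: python3 scan_state.py terraform.tfstate   (no argument scans SAMPLE_STATE)
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    print("\n".join(report(state)) or "nothing found")
```

The PLAINTEXT IN STATE lines are the reason terraform.tfstate must be protected like the auth token itself. CLEARTEXT CONFIG hits for non-secret entries such as TENANT_NAME or KMS_ENDPOINT are expected; the check exists so that a secret accidentally wired straight into config, rather than through an oci_kms_encrypted_data ciphertext, shows up before the function is deployed.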
The scripts also provision an OCI Stream Pool with the default message retention of 24 hours and 1 partition. You can change these values, but check the Streaming service limits first (see the service limits page in the OCI documentation). Note that auto_create_topics_enable = true lets a Kafka client create a stream simply by producing to a topic name that does not exist yet, so keep produce permissions on this pool limited to the intended principals.
#*************************************
# Stream Pool
#*************************************
// Stream Pool
resource "oci_streaming_stream_pool" "obp-events-stream-pool" {
  #Required
  compartment_id = var.compartment_ocid
  name           = "Blockchain Platform Events Stream Pool"
  kafka_settings {
    #Optional
    auto_create_topics_enable = true   # Kafka clients may create streams on first produce
    log_retention_hours       = 24     # message retention; check service limits before raising
    num_partitions            = 1      # partitions per auto-created stream
  }
}
Tamer Qumhieh, A technology evangelist with more than 15 years of technology and IT skillsets specialized in Blockchain, mobile, AppDev, AI Chatbots and Machine Learning. At Oracle A-Team, Tamer works closely with engineers, product management, customers and partners to ensure smooth and proper adoption of cutting-edge technologies in the market.