Introduction

This is Part 4 of the “Extending Oracle Blockchain Events with OCI” Blog series. In previous blog posts I covered:

• Part 1: Introduction
• Part 2: Prepare OCI Environment 
• Part 3: Build the Oracle Functions "Event Producer"

As explained in Part 1: Introduction, the solution will utilize different OCI services (Virtual Cloud Network ‘VCN’, Subnets, Route Tables, security Lists, Internet Gateway and NAT Gateway, Functions, API gateway, KMS and OCIR) you can provision and configure these services manually using OCI console, or you can automate the process using terraform. Below is the architectural diagram for the artifacts that needs to be provisioned.

In this blog series, I'll be provisioning the OCI infrastructure using Terraform.

Before we start make sure you completed Part 2: Prepare OCI Environment and captured all the required details as we will reference them in this blog post.

In Part 2: Prepare OCI Environment we used cloud shell, we will be using it again in this post to run our terraform scripts.

Note: Make sure to login as a user with OCI Administrator privileges.

From within "OCI Cloud Shell", start by cloning the solution Github repo

git clone https://github.com/oracle-quickstart/oci-obp-extension.git

This will clone the repo into a folder named “oci-obp-extension”. Inside the folder you will find a  “terraform” folder containing the scripts to provision the needed infrastructure. "cd" into the “oci-obp-extension/terraform” folder to start the fun part :)

Start by editing the “terraform.tfvars” file to provide all the needed values to connect to your OCI tenant. Set the corresponding values you captured in Part 2: Prepare OCI Environment.

You can use “vi” command to edit the file.

REGION: copy the “Region Identifier” value from documentation that maps to the home_region.

PRIVATE_KEY_PATH: execute  “echo ~/.oci” , this will print the full path of the that directory. Then append “/oci_api_key.pem”. for example, ‘/home/tamer_qumh/.oci/oci_api_key.pem’

First of all, unset the following environment variables.

unset OCI_AUTH OCI_use_obo_token

Now and after your variables are set, you first need to initialize the terraform project:

terraform init

Then you can run a terraform plan job to understand what will be created

terraform plan

Finally run the terraform script to provision the solution

terraform apply -auto-approve

After few minutes, the scripts should finish executing, when it does you should see an outcome similar to the below

Make note of the outcome as you will use it in the next Blog post Part 5: Configuring Blockchain

To understand what components got created, you can use the "Compartment Explorer"

Terraform Code Walkthrough

As mentioned in Part 3: Build the Oracle Functions "Event Producer", the Oracle Function will be configured with a set of function configuration that are created at deployment time, although you can configure those from OCI console, you can also configure them using terraform. Notice the "config" section.

// Function
resource oci_functions_function obp-events-function {
  #Required
  application_id = oci_functions_application.obp-events-application.id
  display_name = "obpeventsfunc"
  image = "${lower(data.oci_identity_regions.current_region.regions.0.key)}.ocir.io/${data.oci_identity_tenancy.tenant_details.name}/obpeventsfunc:0.0.1"
  memory_in_mbs = "1024"
  config = {
    "BOOT_STRAP_SERVERS" = oci_streaming_stream_pool.obp-events-stream-pool.kafka_settings[0].bootstrap_servers
    "TENANT_NAME" = data.oci_identity_tenancy.tenant_details.name
    "USER_NAME" = oci_kms_encrypted_data.username-encrypt-data.ciphertext
    "AUTH_TOKEN" = oci_kms_encrypted_data.auth-token-encrypt-data.ciphertext
    "STREAM_OCID" = oci_streaming_stream_pool.obp-events-stream-pool.id
    "KMS_ENDPOINT" = oci_kms_vault.obp-events-vault.crypto_endpoint
    "KMS_KEY_ID" = oci_kms_key.obp-events-key.id
  }
  
}

Also as discussed before, the "USER_NAME" and "AUTH_TOKEN" will be encrypted before hand using KMS, also we use Terraform for that. Basically you create a KMS instance, an encryption key and finally encrypt data.

KMS requires the text to be encrypted to be base64 encoded, hence the use of terraform base64encode function. Now you can understand why the decrypted text was decoded from base64 in Part 3: Build the Oracle Functions "Event Producer" 

#*************************************
#           KMS
#*************************************

resource "oci_kms_vault" "obp-events-vault" {
  #Required
  compartment_id = var.compartment_ocid
  display_name = "Blockchain Platform Events Vault"
  vault_type = "VIRTUAL"
}

resource "oci_kms_key" "obp-events-key" {
  #Required
  compartment_id = var.compartment_ocid
  display_name = "OBP Events Key"
  key_shape {
    #Required
    algorithm = "AES"
    length = "24"
  }
  management_endpoint = oci_kms_vault.obp-events-vault.management_endpoint
}

resource "oci_kms_encrypted_data" "auth-token-encrypt-data" {
  #Required
  crypto_endpoint = oci_kms_vault.obp-events-vault.crypto_endpoint
  key_id = oci_kms_key.obp-events-key.id
  plaintext = base64encode(var.auth_token)
}

resource "oci_kms_encrypted_data" "username-encrypt-data" {
  #Required
  crypto_endpoint = oci_kms_vault.obp-events-vault.crypto_endpoint
  key_id = oci_kms_key.obp-events-key.id
  plaintext = base64encode(data.oci_identity_user.current_user.name)
}

The scripts also provisions an OCI Stream Pool with default message retention of 24 hours, and 1 partition; you can change these values but you need to understand the service limits as described here

#*************************************
#           Stream Pool
#*************************************
// Stream Pool
resource "oci_streaming_stream_pool" "obp-events-stream-pool" {
  #Required
  compartment_id = var.compartment_ocid
  name = "Blockchain Platform Events Stream Pool"
  kafka_settings {
    #Optional
    auto_create_topics_enable = true
    log_retention_hours = 24
    num_partitions = 1
  }
}

Next Step

Part 5: Configuring Blockchain