Governance and Automation with Oracle Events and Functions

Contributing Authors: Gregory Verstraeten and Vinay C. Rao

Oracle recently announced two new cloud native services: Oracle Events and Oracle Functions. With Oracle Events, you can track changes in cloud resources and respond to them by using the Functions, Notifications, and Streaming services. With Oracle Functions, you can develop, deploy, and run code without the need to provision, manage, or scale. Both of these services are fully managed by Oracle, and the Oracle Events service complies with the Cloud Native Computing Foundation (CNCF).

Using these services together, you can track changes in your cloud environment and automatically act by running your infrastructure as code. The combination of these integrated services complement Terraform by HashiCorp, which provisions and manages resources. Altogether, they facilitate event-based automation for cloud operations, simplify cloud governance, and reduce human labor and errors.

Following are just a few example use cases for Cloud Operations teams using Oracle Events and Functions:

  • Perform cleanup tasks when certain resources are terminated.
  • Analyze network logs when anomalies are detected in the network. Network logs can be uploaded to Oracle Cloud Infrastructure Object Storage or sent to third-party tools such as Splunk for further security analysis.
  • Process a file immediately and automatically when new files are uploaded in an Object Storage bucket.
  • Create a private Object Storage bucket when a new user is onboarded.
  • Archive all events in a specific compartment to a stream for later analysis.
  • Trigger an action when long-lived tasks, such as a backup, are completed.

Oracle Functions seamlessly integrates with the Oracle Cloud Infrastructure platform. This integration enables Oracle Functions to interact with other cloud services such as Object Storage, Streaming, and Compute by using Oracle Cloud Infrastructure software development kits (SDKs).

The following video shows how Events, Functions, and SDKs work together to drive governance and automation. In the video, a new compute instance is launched, and a function automatically creates an Object Storage bucket with the name of the compute resource, along with a timestamp. The function also places a readme.txt file in that bucket with a message that this is a confidential bucket. Watch the video and follow the instructions in this post to get started!

Getting Started

The rest of this post helps you set up the resources mentioned in the preceding video. The demo function is developed in Python, but you can use other languages such as Java, Go, Ruby, or Node.js.

Before you start, you need to meet the following prerequisites:

  • Have an Oracle Cloud Infrastructure account, or sign up for a free trial.

  • Ensure that appropriate policies are assigned to nonadministrative tenancy users. For example, for a nonadministrative account to list Oracle Events rules, a policy statement like the following one must be issued. For more information, see Policy Reference.

    allow group RuleReaders to read cloudevents-rules in tenancy


The following workflow diagram shows the key steps at a high level, and the following sections provide detailed instructions.

Diagram that shows four high-level steps for setting up and configuring functions and events.

Step 1: Set Up and Configure Oracle Functions

The best way to learn about, set up, and configure functions is to follow the Oracle Functions Quick Start Guide. It shows you how to set up the Oracle Cloud Infrastructure command line interface (CLI), the Functions client (local or a compute instance on Oracle Cloud), and the Oracle Cloud Infrastructure Registry (a registry for the function image). It also walks you through deploying a sample application and a function.

Follow the steps in the guide to deploy and invoke the sample function to ensure that your environment is set up and configured correctly.

Step 2: Create a New Python Application and Function

Create a new application or use the application that you created in step 1 to deploy the function shown in the video. You can use this example further for your specific use case.

  1. To create a new function application, from the Oracle Cloud Infrastructure Console navigation menu, select Developer Services and then Functions.

  2. Click Create Application.

  3. In the New Application dialog box, provide a name for the application, networking information, and logging information. For logging, you can select Object Storage or a third-party provider. Soon you will be able to use Oracle Logging service as well.

    Screenshot that shows the New Application dialog box with name, network, and logging values specified.

  4. (Optional) To use Papertrail for logging, perform these steps:

    1. Create a Papertrail account, and then go to Account > Log Destinations.

    2. Copy the syslogurl, similar to the one shown in the preceding screenshot, to use in the New Application dialog box.

    3. Under Accept connections via, select Plain text for both TCP and UDP.

      Screenshot that shows the Accept connections via area of the Log Destinations page, with Plain text as the selected values.

  5. From the same client development host or VM (local or Oracle Cloud Compute instance) used in step 1, create a new Python function boilerplate. A directory with the function name is created.

    $ fn init --runtime python ocibucket-func
  6. Change the current directory to the new directory:

    $ cd ocibucket-func/

    The directory contains the following files:

    • Function definition file: func.yaml

    • Function code file: func.py

    • Function dependency file: requirements.txt

    You can update these files manually or clone the complete code from GitHub to start from. In the next step, we clone the repository from GitHub. So, you can remove all the files from the directory:

    [ocibucket-func]$ rm *

Step 3: Download Code from GitHub

Replace the files created in step 2 with the files that you download from GitHub.

  1. In a browser, go to the GitHub repository, click Clone or download, and copy the URL.

    Screenshot of the Clone with HTTPS dialog box in GitHub.

  2. In the same terminal window that you opened in step 2, clone the repository in the current directory. Be sure to specify the current directory at the end ("."); otherwise, a directory with a repository name will be created.

    [ocibucket-func]$ git clone https://github.com/sssshah/OracleEventsAndFunctions.git .
  3. Use the code as is, or make any necessary changes to the func.py, func.yaml, and requirement.txt files.

Step 4: Deploy and Configure the Function

Similar to how you deployed your first function in step 1, you now deploy the new function on Oracle Cloud Infrastructure. Because you already configured a dynamic group, policies, and the registry in step 1, you don’t need to do it again in the same development environment. Ensure that you’re still in the same directory as in step 2. The application name is the one that you created in step 2.

  1. Deploy the function:
    [ocibucket-func]$ fn deploy --app fnbucket-app 
  2. After the function is deployed, check the Oracle Cloud Console and Registry repository. Locate the function under the application, as shown in the following screenshot.

    Screenshot of the application details page, with the new function displayed.

    Because this function creates an Object Storage bucket, you need to configure the function with an Object Storage namespace parameter.

  3. Under Resources, click Configuration.

    Screenshot that shows the Resources menu.

  4. Add a parameter for the application, with OCI_NAMESPACE as the key and the Object Storage namespace as the value. To find the namespace, open the Profile menu (user menu icon) and click Tenancy: <your_tenancy_name>. The namespace string is listed under Object Storage Settings.

    Screenshot that shows the Application Configuration page with a namespace parameter defined.

Step 5: Configure Dynamic Groups and Events Policies

To allow the function to create and read/write from Object Storage, you need to add more policies. You can add the policies to the ones that you created in step 1 (Quick Start Guide step B3).

  1. Add the following policy with your compartment name. Provide the name of the dynamic group that you created earlier.

    allow dynamic-group <dynamic_group_name> to manage object-family in compartment <compartment_name>

    Screenshot that shows several defined policy statements.

  2. To allow Oracle Events to call the function, create a new policy and add the following statement for your compartment:

    allow service cloudEvents to use functions-family in compartment <compartment_name>

    Screenshot that shows the specified policy statement.

Step 6: Invoke the Function Manually

Before configuring Oracle Events to trigger the function automatically, invoke the function manually by using the following format:

echo "[event JSON string]" | fn invoke fnbucket-app ocibucket-func

For our function, you can run the command as follows with the JSON string. Note that we’re using the DEBUG flag to capture any errors. If any errors occur, check the logs that you configured earlier.

[ocibucket-func]$ echo -n '{"eventType": "manualtest", "source": "manual", "bucketName": "fntestbucket","content": "Sample text for file", "objectName": "requirements.txt", "data":{"resourceName":"newuser"}}' | DEBUG=1 fn invoke fnbucket-app ocibucket-func

If the bucket is successfully created with a requirements.txt file in Object Storage, then the function is working!

Step 7: Trigger the Function When an Oracle Event Occurs

In this step, you configure Oracle Events to invoke the function when a compute instance launch begins. The CNCF-conformed cloudEvents object is passed from Oracle Events to the function. In this case, the function creates a bucket with a specific name and creates a readme.txt file in that bucket.

  1. From the Console’s main menu, select Application Integration, and then Events Service.

    Screenshot that shows navigation to Events Service.

  2. Create a rule for the Compute service with the event type Instance - Launch Begin. If you don't want to trigger the function when anyone in your tenancy provisions an instance, you can limit the scope. Add an attribute that applies this rule to your compartment only.

    Screenshot of the Rule Conditions section of the Create Rule page, showing the specified values.

  3. After you define the rule conditions, specify the actions. To invoke a function, specify the compartment where it is located, the function application, and the function. That's it!

    Screenshot of the Actions section of the Create Rule page, showing a function specified.

Step 8: Test Events and Functions

To trigger an event and test the rule, provision a VM from the Console. After it’s provisioned, a new bucket with a name of your VM and a timestamp is created and appears on the Object Storage buckets page. The bucket contains a readme.txt file.

Screenshot that shows a new bucket created from the function.

Now you're ready to try more use cases!

Useful Links

Join the discussion

Comments ( 2 )
  • Patrick Monday, December 2, 2019
    Good to see all the options and a working demo!
  • Gabriel Wednesday, February 12, 2020
    What a great content!
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.