DEV Community: Faris Durrani

How to use OCI Terraform Provider without a config file path

Faris Durrani — Tue, 07 Oct 2025 16:06:25 +0000

How to use the OCI Terraform Provider without an OCI config file path

The Problem

Recall that traditionally, we declare in Terraform to use the OCI provider using this code:

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
    }
  }
}

provider "oci" {
  config_file_profile = "DEFAULT"
}

This requires you to already have an OCI config file set up in ~/.oci/config with a path that leads to the private key, as talked more in Setting up the OCI Configuration File using API Keys.

This leads to issues when using CI/CD or other automation tools which don't make it easy to add or modify internal files.

The Solution

Instead, we can hardcode the full config file details and the full API key within the provider block as follows:

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
    }
  }
}

provider "oci" {
  region           = "us-ashburn-1"
  tenancy_ocid     = "ocid1.tenancy.oc1..aaaaaaaavjzemxptyyi8w49b4itxn2asgvhuamsptyyi8w49b4itxn2asgvhuams"
  user_ocid        = "ocid1.user.oc1..aaaaaaaavjzemxgpcvptyyi8w49b4itxn2aszyy7m4gtv76ruzu36rk2p2o6j"
  private_key = base64decode(var.ssh_private_key_in_base64)
  fingerprint      = "00:34:63:27:c8:33:46:51:92:a0:23:6e:fb:9b:4a:48"
}

As an added option, you may also replace private_key with private_key_path with the full path of the private key as its value.

See full configuration options in the reference below.

References

Oracle Docs: Configuring the Provider

Safe harbor statement

The information provided on this channel/article/story is solely intended for informational purposes and cannot be used as a part of any contractual agreement. The content does not guarantee the delivery of any material, code, or functionality, and should not be the sole basis for making purchasing decisions. The postings on this site are my own and do not necessarily reflect the views or work of Oracle or Mythics, LLC.

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to create an OCI bucket using Terraform

Faris Durrani — Tue, 30 Sep 2025 18:15:44 +0000

A simple tutorial to create a bucket in Oracle Cloud using Terraform

1. Set up the OCI Configuration using API Keys

Follow the steps in Setting up the OCI Configuration File using API Keys

2. Install Terraform CLI

On Mac, you can install the CLI using Homebrew: brew install oci-cli

Verify installation using oci -v in the terminal. For other OSes, see Install Terraform.

3. Write the following Terraform code

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 7.0.0"
    }
  }
  required_version = ">=1.12"
}

provider "oci" {
  region              = "us-ashburn-1"
  config_file_profile = "DEFAULT"
}

resource "oci_objectstorage_bucket" "test_bucket" {
  #Required
  compartment_id = "ocid1.tenancy.oc1..aaaaaaaanwazgsy3nui2mz8wttfh26k7ra6xiazgsy3nui2mz8wttfh26k7ra6"
  name           = "test-bucket"
  namespace      = "idpugazgsy3"
}

More info about the Terraform resource: oci_objectstorage_bucket

We create the OCI bucket in the root tenancy compartment ID. You may get your tenancy ID and the Object storage namespace under your Tenancy details under Profile once logged into cloud.oracle.com.

4. Apply the terraform plan

Run:

terraform init && terraform apply

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

Deploying Vanity URLs for Oracle APEX on OCI

Faris Durrani — Wed, 24 Sep 2025 03:19:03 +0000

How to deploy an Oracle APEX instance publicly through a custom URL domain using Oracle Cloud (OCI) load balancers

The problem

So, you've created your own Oracle APEX application instance on OCI using its Autonomous Database service. You can access and share the application using OCI's default URL that looks like this:

https://kfawejskfefk-rwesjdjnweidfjwe.adb.us-ashburn-1.oraclecloudapps.com/ords/r/apex/workspace-sign-in/administration-sign-in?session=32492384908239

Can we change this so that our users can access the APEX application on a custom vanity URL like: my-apex.farisdurrani.com?

The Key Solution: Load Balancer

Yes! The key is using a public application load balancer (LB) with a DNS that points our custom URL to the load balancer's public IP address.

We'll follow the steps mentioned in Oracle's blog post about this topic and additionally demonstrate the access on a real URL, show how to deploy the DNS records, create a self-signed certificate, and showcase a private URL access to the instance from a private OCI network.

Step 1: Create a VCN

In OCI (cloud.oracle.com), create a VCN with Internet Connectivity. Using the VCN Wizard is the easiest way to do this. This will create a public subnet and a private subnet for us to use.

Step 2: Create a public load balancer

Internet traffic should hit our public application load balancer (LB) before reaching our APEX instance.

In addition to providing a public IP address, the LB also serves to balance the traffic load across multiple instances and to secure the traffic against Layer 7 attacks using the Web Application Firewall if included (not in current scope).

Choose public access:

Choose public subnet:

Let the backend servers be empty as default:

Modify the health check policy to use:

Protocol: HTTP
Port: 443
Status Code: 302
URI /

ℹ️ Troubleshoot: You should leave "Use SSL" as disabled on the backend set. However, if the health check fails, try enabling "Use SSL"

Modify the listener to use non-SSL HTTP 80 for now:

Leave the rest as default and create. Now we have a public load balancer with a non-HTTPS listener. We'll fix that soon.

Step 3: Create new Network Security Groups

We need to create two new Network Security Groups (NSG)--one for the load balancer (LB) and another for the autonomous database (ADB)--to allow the internet to access the load balancer, which in turn accesses the ADB.

Optionally, you can instead opt to modify the security lists instead.

NSG for LB

One simple NSG to allow access from everywhere on the internet to port 443.

NSG for ADB

One simple NSG to allow access from the public subnet CIDR range (10.0.0.0/24 in my case) to port 443.

Step 3: Create an APEX or APEX-included autonomous database

We create a new APEX autonomous database in OCI and select the APEX option as its Workload type.

It is possible to later upgrade the workload type to a Transaction Processing database without affecting the APEX instance.

It's not important, but we'll use 23ai as our version and using the minimum storage amount of 20 GB to save costs.

Importantly, select Private endpoint access only as the Network Access type so we can have a private IP address to use.

Alternatively, if you've already provisioned your autonomous database with Secure access from everywhere option, you can change the network type in the More actions menu.

Add the NSG created for this ADB. In the ADB page, under Autonomous Database information tab, go to Network > Network security groups. Click Edit.

Add the NSG for the ADB:

Now, we copy the database's private IP address:

Step 4: Add IP address to LB

Now, we add that private IP address to the LB we created. Back to the load balancer's details page, go to the Backend sets tab and click on the sole backend set.

We add a backend by selecting Add backends and putting in the database's private IP address (10.0.1.67 in my case) and port 443. Click Add.

Wait for the backend to finish updating and then wait a minute or two for the backend health to turn to Ok. This confirms the backend is able to connect to our database.

Troubleshoot: If this fails, check the health check of the backend set and the NSG settings.

Step 5: Add NSG to LB

Now, we'll add the NSG we created to the load balancer to allow the internet to connect to the load balancer.

In the LB page, under Details > Load balancer information > Network security groups, click Edit. Add the NSG we created for the LB.

Step 6: Create a self-signed SSL certificate

Now, we will create a self-signed SSL certificate to add to the load balancer and subsequently modify the listener to be an HTTPS listener.

Use the following command to create a temporary self-signed certificate.

Of course, users will see a warning that this certificate is not trusted but we assume you'll eventually get a trusted certificate.

openssl req -x509 -nodes -newkey rsa:2048 -keyout private.key -out certificate.crt -days 7

You may skip (press Enter) on all options to leave them as default.

This will create a temporary self-signed SSL certificate valid for 7 days in the form of two files: certificate.crt and private.key.

In the load balancer page, go to the Certificates and ciphers tab and under Load balancer managed certificates, click Add certificate.

Upload the following files to the following fields:

SSL certificate: certificate.crt
CA certificate: certificate.crt
Private key: private.key

Leave the private key passphrase as empty. Give a name and click Add certificate.

Step 7: Modify the listener to be an HTTPS listener

At the load balancer page, go to the Listeners tab and Edit the sole listener.

Update the following fields:

Protocol: HTTPS
Port: 443
Use SSL: Yes
Certificate resource: Load balancer managed certificate
Certificate name: the certificate you created

Leave the rest as default. Click Save changes.

Now, you are able to go to the IP address (https://129.153.150.95 for me, make sure to add the https) and access the APEX instance through the LB. Note that there may be a warning due to our use of a self-signed SSL certificate.

Step 8: Add to DNS record

Finally, we'll add the load balancer's public IP address to our DNS records as an A record to give it a vanity custom URL. I have my own domain to test that I use in CloudFlare, so I'll add it here.

And voilà! I'm able to go to https://my-apex.farisdurrani.com and access the APEX instance.

Advanced: Private DNS and Load Balancer

Alternatively, if you want to set up a private DNS zone where only the internal network can access the LB through a private DNS record, you can use an OCI Private Load Balancer and an OCI DNS Private Zone.

Create a private LB in the same public subnet (the LB must be in a distinct subnet than the ADB subnet). Add the appropriate NSG, backend, and listener. The LB will only have a private IP address, copy that IP address.

Head over to Networking > DNS management > Private zones and create a new private zone (I choose my-apex-instance.com). Add the IP address as an A record to the zone. I choose the domain www.my-apex-instance.com.

Open a Cloud Shell instance, change the Network to the public subnet, and run curl -k https://www.my-apex-instance.com to verify connectivity to the APEX instance. Note that we need to add the insecure -k flag since we are using a self-signed certificate.

References

Oracle Blogs: Introducing Vanity URLs for APEX and ORDS on Oracle Autonomous Database

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to set up Interconnect / FastConnect between GCP and OCI

Faris Durrani — Tue, 23 Sep 2025 02:44:41 +0000

How to set up an Oracle Cloud (OCI) Partner Interconnect / FastConnect connection with Google Cloud (GCP)

You have an Oracle Cloud tenancy and you want to set a private, high-speed connection between OCI and GCP. Fortunately, OCI and GCP has collaborated on a new partner connection between those two tenancies.

This tutorial will largely follow the official demo tutorial to illustrate the steps to establish and confirm connectivity between an OCI VM instance and a GCP VM instance from scratch, located in the Ashburn / us-east4 region respectively. We provide screenshots and more thorough details.

1. Create an OCI VCN

Log in to Oracle Cloud (cloud.oracle.com) and create a standard internet-enabled virtual cloud network through the VCN wizard.

Go to ☰ Menu > Networking > Virtual Cloud Networks > Actions > Start VCN Wizard > Create VCN with Internet Connectivity.

Using the default settings will do. Our VCN name is ellipse4543-vcn. Click Next and Create.

After creating the VCN, we'll need to modify the subnet's security control list to allow for external pings. We assume we'll be using the public subnet to host our test VM instance simply to make SSH login into it easier.

Head to the public subnet's Security tab and modify the security list to allow for ICMP type 8 (Echo) ingress connections from 0.0.0.0/0.

2. Create an OCI DRG

Next, we'll create an OCI Dynamic Routing Gateway (DRG). Go to ☰ Menu > Networking > Customer connectivity > Dynamic routing gateway. Create a new DRG. Give it a name, in my case, ellipse4543-drg.

3. Set up DRG routing

First, we'll need to attach the DRG to the VCN.

Go to the DRG you created, head to the Attachments tab and click Create virtual cloud network attachment.

Give the attachment a name and click Create VCN attachment.

Next, we'll need to modify the route table on the VCN subnet to route any GCP-bound traffic to the DRG.

Go to the VCN you created and head to the Subnets tab. Click the public subnet and click on its route table.

Click Add Route Rules.

Assuming the GCP subnet CIDR range is 192.168.0.0/16, we input that as our Destination CIDR Block. Click Add Route Rules.

Now, we have the DRG route rule established. Make sure the Internet Gateway route rule to destination 0.0.0.0.0 has been created as well (should have been automatically provisioned).

4. Create a GCP VPC

Head over to Google Cloud (console.cloud.google.com) and head over to VPC network > VPC networks > Create VPC network.

Give it a name (ellipse4543-vpc). Set the MTU to 1500 to match the future OCI FastConnect value.

ℹ️ Note: it may be possible to optionally use the default MTU of 1460 but presumably, you would need to configure firewall rules to enable and response of detection of ICMP “Fragmentation Needed” (Type 3, Code 4) message.

Name the virtual private cloud (VPC) subnet. Set the region to us-east4, and add the IPv4 range (192.168.0.0/16).

Allow firewall rules to enable the OCI VM to ping any instances created in this subnet.

Leave the rest as default. Click Create.

5. Create a GCP Partner Interconnect

In GCP, head to Network Connectivity > Interconnect > Create VLAN attachments.

Select Partner Interconnect connection. Click Continue.

In the next page, click I already have a service provider.

Select the option Create a single VLAN (no redundancy). Select the created VPC and the region as us-east4 (Northern Virginia). Create a new router with a new name.

Give VLAN A an attachment name and select an MTU value of 1500 to match the future OCI FastConnect value. Click Create.

Copy the pairing key. Select the Enable button to pre-activate the VLAN attachment. You may also optionally enable it later.

6. Create an OCI FastConnect

With the pairing key, head to the OCI console. Go to ☰ Menu > Networking > Customer connectivity > FastConnect > Create FastConnect.

Ensure the connection type is FastConnect partner. Click Next.

Choose:

Partner: Google Cloud: OCI Interconnect
Dynamic routing gateway: the DRG you created
Proposed bandwidth: 1 Gbps
Partner service key: the copied pairing key
MTU: 1500

Click Create.

Wait until the Lifecycle State is Provisioned and the IPv4 BGP state is Up (5 mins).

Congratulations, we established connection. Now, let's test it.

7. Create an OCI VM instance

We'll need to create a new OCI virtual machine (VM) instance so we can test connectivity between the two cloud providers. Go to ☰ Menu > Compute > Instances > Create instance.

I'm creating the instance in a public subnet so I can SSH login into it easily.

Make sure to download the SSH private key under 3. Networking > Add SSH keys so you can SSH into the instance. Other settings can be kept to their default. Go through the creation steps until you create the instance.

Wait until it is provisioned. Get the public IP address and login using SSH into the instance using the command ssh -i your_ssh_key.pem opc@the_ip_addr.

8. Create a GCP VM instance

Back in GCP, head over to Compute Engine > VM instances and click Create instance.

Choose the us-east4 region. Don't click Create yet.

Go to the Networking tab and select the subnet we created. Choose VirtIO as the Network interface card. Click Create.

9. Test pings

Once created, click on the instance and click SSH to log in. Get the private (not public) IP address of the OCI instance you created and try pinging that OCI instance from the GCP VM. In my case, that is ping 10.0.0.100.

Received ping responses indicate successful connection to the OCI instance from GCP on the private network.

And on the OCI VM's SSH instance, we try the same thing. Retrieve the GCP instance's private IP address (192.168.0.2 in my case) and ping that address from the OCI instance.

Received ping responses indicate successful connection to the GCP instance from OCI on the private network.

This confirms successful interconnection pairing between the GCP and OCI virtual private clouds.

References

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to set up Identity Federation between Google Cloud and Oracle Cloud

Faris Durrani — Fri, 12 Sep 2025 21:38:51 +0000

How to set up Identity SAML Federation between Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI)

Setting up Identity Federation will allow users to log into OCI using their GCP IAM organization credentials, rather than logging in using a new username-password in OCI. This can improve credential management and security by having a central place to store all user logins.

We will replicate the steps in Oracle Docs: Task 6: Set Up Identity Federation (Optional) with some UI updates. This is an optional succession to the How to create an Oracle Autonomous Database@Google Cloud article we wrote.

Prerequisites

Have an OCI account
Have a GCP account and an associating GCP Workspace IAM Admin console at https://admin.google.com. Note that this requires you having and associating a private DNS domain (e.g. example.com) to the Google Cloud Admin console

1. Create groups in GCP Admin Console

While not strictly necessary, this helps to confirm the JIT (Just-in-time) provisioning works as intended. You can create any group but we recommend at least one group name already present in OCI and GCP ("odbg-db-family-administrators") and one other only present in GCP ("example-group415") for POC purposes.

We create a number of groups in the GCP Admin console: https://admin.google.com/u/1/ac/groups. If you came from the Oracle Database@Google Cloud article, we created the groups for Autonomous Database access based on Oracle Docs: Task 5: Set Up Role Based Access Control:

2. Create a new custom SAML app in GCP

Go to https://admin.google.com/u/1/ac/apps/unified and click on Add app > Add custom SAML app.

We added the following app details:

App name: OracleCloudFederation
Description: Configures identity federation between Google Cloud and Oracle Cloud for Oracle Database@Google Cloud use.

Click CONTINUE.

In the next page, Download Metadata. Leave this page open for now.

3. Add SAML IdP in OCI

Log into your OCI account. Go to ☰ Menu > Identity & Security > Domains > Default (or another domain) > Federation > Actions > Add SAML IdP.

We give the SAML identity provider a random name:

Import the downloaded IdP metadata from GCP:

Leave this page open.

4. Add SAML IdP in GCP

Click on Export SAML metadata to export the OCI SAML metadata details.

Switch view from Metadata file to Manual export.

Go back to the GCP Admin page. Click CONTINUE.

Copy paste the OCI values into GCP like so:

GCP	OCI
ACS URL	Assertion consumer service URL
Entity ID	Provider ID

Leave the Name ID details as their default.

Click CONTINUE.

4. Add attribute mapping in GCP

In the next page, add the following attribute

First name → FirstName
Last name → LastName
Primary email → PrimaryEmail

Under the Group membership section, add all the groups of the users you want to be sent to OCI. Enter the App attribute MemberOf. Click FINISH.

5. Turn on User access in GCP

In the next page showing the SAML app details, click on User access

Switch to ON for everyone. Click SAVE.

6. Finish SAML app creation in OCI

Go back to the OCI page. We finished importing GCP's IdP metadata file. Click Next.

Change Requested Name ID format to Email address. Click Next and Create IdP.

7. Activate and add to IdP policy

Now we want to activate our newly-created IdP app and add it as an option to the login policy. Click the app.

Click on the Activate IdP button (under Actions or in the banner).

Next, we need to add the IdP app to the IdP policy. Go back to the Federation page and click on the Default Identity Provider Policy.

Under the Identity provider rules, edit the first IdP rule.

Add the newly-created IdP app to the list of Assign identity providers. Click Save changes.

Now you can login but without any groups.

8. Set up JIT

To enable the user's groups in GCP to appear in OCI and sync the user's group membership, we need to enable Just-in-time (JIT) provisioning so the group membership info can be shared from GCP to OCI.

Go back to the Federation page and click on the IdP app.

Click Actions > Configure JIT.

Enable these settings:

Enable Just-In-Time (JIT) provisioning
Create a new identity domain user
Update the existing identity domain user

Add these Map user attributes info:

IdP user attribute type	IdP user attribute name	Maps to	Identity domain user attributes
NameID	NameID value	→	User Name
Attribute	LastName	→	Last name
Attribute	PrimaryEmail	→	Primary Work Email
Attribute	FirstName	→	First name

Now, we assign group mappings. Enter the following values:

Group membership attribute name: MemberOf
Assign implicit group membership: Select this
When assigning group membership...: Merge with existing group memberships
When a group is not found...: Ignore the missing group

Click Update.

9. Verify Federated login

We are done! Now, we need to test the OCI login using GCP credentials.

Log out of OCI as necessary. Log in to your OCI account at https://cloud.oracle.com. You should see your GCP login option here.

ℹ Troubleshoot: if the login is unsuccessful, check back the OCI JIT settings are correct.

We'll log out and log back in as the OCI admin so we can see all the groups and users added.

Here, we can see my GCP user added to the OCI list of users.

And I can see that new user is a member of the "odbg-db-family-administrators" group, which that user is in GCP. Note that while the user is also in the GCP group "example-group415", this group did not get transferred into OCI because that group was never created in OCI in the first place. The JIT only matches groups present in both OCI and GCP.

You now have successfully created an identity federation from GCP to OCI.

References

Oracle Docs: Task 6: Set Up Identity Federation (Optional)

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to create an Oracle Autonomous Database@Google Cloud

Faris Durrani — Thu, 11 Sep 2025 20:46:54 +0000

Steps to provision a simple Oracle Autonomous Database@Google Cloud using a public offer

Oracle Cloud Infrastructure (OCI) and Google Cloud Platform (GCP) recently released a joint offering--a provisioning of an Oracle Cloud Database infrastructure (Autonomous Database and Exadata Infrastructure) in Google Cloud while leveraging OCI's database services and features. In this tutorial, we follow a limited deployment of an Oracle Autonomous Database (ADB) in GCP through a public marketplace offering, also known as Pay As You Go.

1. Have a Google Cloud account

Be an editor to the current GCP project with billing rights. See Oracle Docs: Task 1: Prerequisites for Oracle Database@Google Cloud for full permissions.

2. Purchase an Oracle Database offer on GCP

In GCP > Marketplace, search for Oracle Database@Google Cloud. Click on it, choose the Pay as You Go option, and Subscribe. This process does not cost anything, but since Oracle has to manually approve of the order, the marketplace purchase process will take time.

3. Create a new OCI account through the Oracle Database offer

Once the offer has been successfully processed, GCP's Oracle Database@Google Cloud resource page will show an option to link the GCP project to an OCI tenancy account. Note that since we opted to purchase a public offering, we can only link the project to a new OCI account and not link to an existing one.

Oracle Database@Google Cloud resource page. A banner will show up to connect to an OCI account if you haven't done so already:

4. Create an ODB network

An ODB network in GCP is an virtual network that provides connectivity between Oracle Database@Google Cloud resources in the OCI child site within the GCP data center and your Google Cloud VPC network. It allows the Oracle Virtual Cloud Network (VCN) used to host the Oracle Databases to map back to the Google Cloud VPC. You will not find the ODB network listed in Google Cloud VPCs.

In GCP's Oracle Database@Google Cloud resource page, go to ODB network on the left menu and create an ODB network.

While you can use the default network, I chose to optionally opt to use my own VPC equipped with automatically-created subnets:

5. Create the client and backup ODB network subnets

After creating the ODB network, create the backup and client subnets for the database. An Autonomous Database needs a minimum of /27 CIDR size. See Oracle Docs: Plan for IP Address Space in Oracle Database@Google Cloud for more IP Address Space considerations.

Here, I simply opted to use 10.0.1.0/24 and 10.0.2.0/24 for the client and backup subnets respectively. Again, provisioning will take time.

6. Create Autonomous Database

Hooray! You're near the end! 🎉

Go to the Autonomous Database menu selection and begin Create.

Fill out the details for the Autonomous Database. Note that only select regions are supported. See Oracle Docs: Regional Availability for Oracle Database@Google Cloud for supported regions.

I also make sure to include my personal IP so I can connect publicly to this POC database to prove it's working. Require mutual TLS is also nice to enable.

7. Verify database connection

Once done creating the database, you should be able to select that database and manage it in OCI by clicking on the Manage in OCI button.

Once clicked, you will log into your new OCI account and see the ADB details. Let us try to connect to it by clicking on the Database connection button and download the wallet.

Download connection wallet:

We will attempt to publicly connect to the ADB using Oracle SQL Developer.

Input your password for admin that you put during the creation process in GCP
Choose Cloud Wallet as your Connection Type
Choose the downloaded wallet as your Configuration File
Important: Select one of the public connection type services instead of the default private high type

Click Test and Connect.

Verify any SQL commands:

Next steps: RBAC IAM permissions

To maintain a strict user access management, we need groups and policy permissions. OCI automatically created some groups and policies to help you manage access to the database resources upon provisioning of the new tenancy. Assign users appropriately to the groups. See below for groups created:

These groups--except for some like odbaa-db-family-readers, odbg-exa-infra-readers for unclear reasons--align with the groups described here: Oracle Docs: Task 5: Set Up Role Based Access Control.

If you want to set up Identity Federation between GCP and OCI to enable GCP users to log into OCI using their GCP credentials, hop on to Dev.to: How to set up Identity Federation between Google Cloud and Oracle Cloud .

Closing

Now, obviously this tutorial is meant to give a high-level overview to a limited database service with easy permission levels. Feel free to look over the resources to learn more. Make sure to stop the ADB in GCP if you're not using it to save costs.

Resources

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to write Hello World in Oracle SQL

Faris Durrani — Thu, 11 Sep 2025 13:41:01 +0000

The below query returns a simple 'hello world' message in Oracle SQL (application used in Oracle SQL Developer):

select 'hello world' from dual;

You can

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to deploy Apache site behind OCI Load Balancer with self-signed certificates and URL

Faris Durrani — Thu, 07 Aug 2025 20:41:04 +0000

How to create and add a self-signed SSL certificate to your Oracle Cloud Infrastructure (OCI) Load Balancer to access your deployed Apache web site using https, as well as to deploy your Apache site behind a URL

1️⃣ Create an internet-enabled VCN

Create an internet-enabled Virtual Cloud Network using the Start VCN Wizard > Create VCN with Internet Connectivity.

Give a random name for your VCN. Leave all other options as default. This will create a VCN with a public and private subnet.

2️⃣ Create a VM instance in the private subnet

Go to the Instances page and click Create instance to create a new instance in the private subnet. We'll be using Oracle Linux 9.

You may leave all other options as the default. Make sure to download the private SSH key so you can login into the instance.

3️⃣ Set up the Apache web site

We will be doing the steps mentioned in How to deploy an Apache web app using Oracle Cloud .

A simple Apache web site is easy to set up. But first, we need to log in using SSH into the VM instance.

🔹 1. Create a new Cloud Shell session and create a new private network definition of your private subnet. This is to enable us to be in the same network subnet as our VM instance.

🔹 2. Upload the private SSH .key file

Once we've connected to the new private network definition, we can upload our private SSH .key file.

🔹 3. Change permission level of SSH key

Change the permission level of the private SSH key first:

chmod 400 ssh-key-2025-08-07.key

🔹 4. Log in to the VM

Make sure to update the IP address to the private IP address of your VM instance.

ssh -i ssh-key-2025-08-07.key opc@10.0.1.87

🔹 5. Install Apache site

Run these Oracle Linux commands to install a simple Apache HTML site on your instance and to open the firewall rule for incoming port 80 HTTP requests.

sudo dnf install httpd -y
sudo apachectl start
sudo systemctl enable httpd
sudo apachectl configtest
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --reload
sudo bash -c 'echo "This is APP server 1 running on Oracle Cloud Infrastructure | Hostname: $(hostname) | Date: $(date)" > /var/www/html/index.html'

🔹 6. Verify Apache site is up

Do a

curl localhost:80

to verify the Apache site and connectable.

Congratulations, you have set up your Apache site.

4️⃣ Create a self-signed SSL certificate

A self-signed certificate allows you to connect to the HTTPS version of your deployed site in an untrusted manner. You will still need to download an authenticated SSL certificate from a trusted partner like DigiCert, Let's Encrypt, or Google Trust Services in a production environment.

Run this command:

openssl req -x509 -nodes -newkey rsa:2048 -keyout private.key -out certificate.crt -days 7

You may skip (press Enter) on all options to leave them as default.

This will create a temporary self-signed SSL certificate valid for 7 days in the form of two files: certificate.crt and private.key.

5️⃣ Create a Load Balancer with the SSL certificate

🔹 1. Select a public application Load Balancer

Go to the OCI Load Balancers page and create a new load balancer. Select the Public option.

🔹 2. Select the public subnet option

We'll add a network security group later.

🔹 3. Add the instance as our backend

Leave the health check as the default (HTTP port 80 with status code 200).

Turning on Use SSL for the backend set is optional. We will keep this turned off.

🔹 4. Leave automatic security rule changes as the default

No changes needed here.

🔹 5. Add SSL certificate

As we're moving into the listener creation step, we'll choose the Load balancer managed certificate option for Certificate resource and begin adding the two files we created before.

Make sure that you upload the two files to the correct spots:

SSL certificate <- certificate.crt
CA certificate <- certificate.crt
Private key <- private.key
Private key passphrase <- leave empty

Leave the SSL policy settings as the default.

🔹 6. Create the load balancer

You may turn off the Error logs. We'll proceed to clicking Submit to create the application load balancer.

6️⃣ Allow incoming https requests to load balancer

Go back to the Virtual Cloud Networks page and go to the VCN you created. Go under Security and select the default security list, which should be the security list that is used by the public subnet.

Click Add Ingress Rules

Add a port 443 for https requests from all sources (0.0.0.0/0)

7️⃣ Test connection

Go back to the load balancer you created. Copy the public IP address of the load balancer.

Copy paste the IP address to your web browser, prefixing a https:// at the beginning.

There might be a privacy warning shown. This is expected since you are using an untrusted SSL certificate that you created on your own.

💠 BONUS: Deploy on a URL

You can also add the public IP address to your DNS provider with an A record to get to the site on a normal URL. I use CloudFlare for example:

However, since I am using CloudFlare, CloudFlare already gives me free trusted SSL certificates to use. So I'll:

Remove the self-signed SSL certificate from the load balancer;
Change the listener port to 80 on HTTP;
Add an ingress 80 rule to my public subnet's security list; and
Turn on Proxy status on my CloudFlare page.

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to schedule Functions using OCI Resource Scheduler

Faris Durrani — Tue, 08 Jul 2025 13:59:54 +0000

How to use the OCI Resource Scheduler to schedule serverless Functions in Oracle Cloud

This post references How to use Functions in OCI (Python)

You can schedule the Function to run periodically based on a Cron schedule using OCI's Resource Scheduler.

Policies needed

First, you need to give the Resource Scheduler permission to use the Function with the OCI IAM Policies:

allow any-user to use fn-function in compartment compA where all {request.principal.type='resourceschedule', request.principal.id='ocid1.resourceschedule.oc1.iad.aaaaaxxxxxxxxxxx'}

Of course, filtering by ID is optional if you want to allow the Resource Scheduler to invoke all Functions in the tenancy.

Include as well any policies the Function may need to read or access your OCI resources like below:

allow dynamic-group 'lb-fn-dynamic-grp' to inspect load-balancers in tenancy

where lb-fn-dynamic-grp is a Dynamic Group defined as:

resource.id = 'ocid1.fnfunc.oc1.iad.aaaaaxxxxxxxx'

Create the Schedule

Then, create a Schedule to Start the Function. In Basic mode, you can easily use the buttons to set the schedule, or use Cron mode.

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to update user's details using OCI CLI on Identity Domains

Faris Durrani — Wed, 02 Jul 2025 15:21:39 +0000

How to update a user's details through Identity Domains on Oracle Cloud CLI

Why Identity Domains

Identity Domains (identity-domains) in OCI is an upgrade to IAM (iam), which offers multiple identity domains and more specific change possibilities and conformity to the SCIM user provisioning protocol. Specific details like timezone can only be updated through identity-domains and this post aims to show you how to do that.

Updating user details

As an example, here is the way to update your timezone of your user using the Identity Domains API to US Eastern time. No IAM policy needed:

oci identity-domains user patch --user-id <YOUR_USER_OCID> --operations '[{"op": "REPLACE","value": {"timezone": "America/New_York"}}]' --schemas '["urn:ietf:params:scim:api:messages:2.0:PatchOp"]' --endpoint <IDENTITY_DOMAIN_ENDPOINT_URL>

For example:

oci identity-domains user patch --user-id ocid1.user.oc1..aaaaaaaaaxxxxxxxxxxx --operations '[{"op": "REPLACE","value": {"timezone": "America/New_York"}}]' --schemas '["urn:ietf:params:scim:api:messages:2.0:PatchOp"]' --endpoint https://idcs-ive7a985hyeakc4wzhrtzvygn.identity.oraclecloud.com:443

Note: Changing your user timezone will have little impact on your view of the OCI tenancy. The vast majority of services will always use UTC as its displayed timezone and as of now, you cannot change that. Some services like Base DB Systems may allow you to use your local browser-detected timezone but that is not related to your user timezone.

How to find list of posible patch keys

OCI Identity Domains follows Section 3.5.2 of the draft-ietf-scim-api-19 RFC preprint ³.

You can find the list of possible keys to update for --operations by retrieving the info of your user using oci identity-domains user patch --user-id <USER_OCID> --endpoint <DOMAIN_ENDPOINT_URL>. The same info is also outputted after you did your PATCH update operation, hence the similar screenshot:

Alternatively, the oci_identity_domains_user Terraform resource page can also give you that list:

References

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to encrypt OCI Bucket using customer-managed-keys

Faris Durrani — Mon, 30 Jun 2025 20:28:20 +0000

How to encrypt an Oracle Cloud bucket using customer-managed keys stored in OCI Vault

1. Create a key in the vault

2. Add policy

We'll need a new IAM policy to allow the buckets to use the Vault keys:

allow service objectstorage-us-ashburn-1 to use keys in tenancy

Info: you can swap the objectstorage-us-ashburn-1 with blockstorage to enable encryption using customer-managed keys on block volumes

3. Create a bucket with customer-managed keys encryption

You can also edit a current bucket to use the customer-managed key instead of the default OCI key.

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to retrieve the OCI instance ID from within itself

Faris Durrani — Wed, 25 Jun 2025 14:33:27 +0000

How to retrieve the OCID of a compute instance in Oracle Cloud from within itself using Instance Metadata (Bash and Python)

Using Bash

INSTANCE_ID=$(curl -s -H "Authorization: Bearer Oracle" http://169.254.169.254/opc/v2/instance/ | jq -r '.id')

Using Python

import requests

instance_id = requests.get(
    "http://169.254.169.254/opc/v2/instance/",
    headers={"Authorization": "Bearer Oracle"},
).json()["id"]

References

Oracle: Getting Instance Metadata

Safe harbor statement

This work is licensed under a Creative Commons Attribution 4.0 International License.