Hi [subscriber:firstname | default:subscriber],

This is OCI newsletter #5.

A lot of security-related updates and news this week! We go from Access Control Lists to Identity and Access Management (IAM). I'm happy to see more discussion around IAM: even though it might not be the most exciting topic for everyone, it's something you should invest in early on.

Reach me on Twitter @svilmune or just send an email if you want to give some feedback on this newsletter.

New Features

You can now restrict access to Autonomous Databases by using Access Control Lists (ACLs), defining the CIDR blocks or public IP addresses from which the database can be reached. If you are using a service gateway from OCI, a specific CIDR block needs to be added for it, so be sure to check this!

Changing static routes for your IPSec VPN is now possible. Yippee! It has happened to me a few times that the static route we deployed had to be altered, and running Terraform caused the whole resource to be recreated. A really welcome change.

Another long-standing issue has been resolved: support for assertion encryption with Microsoft Active Directory is there. Previously, if you were setting up federation with OCI and your Active Directory used assertion encryption, the whole setup failed without a clear error message. The workaround suggested by support was to disable encryption, and I think for many customers this probably wasn't an option.

And the weekly Terraform release is out too. Cost tracking tags are now supported as a data source.

Blogs & News

Fictional case study on setting up IAM for your company in OCI. As I said, this is the thing you should put effort into when starting your OCI project. Don't make it too complicated, but think about potentially separating network resources and some applications into different compartments, with groups having different levels of access. When your solution expands, it's a lot easier to handle everything with a proper IAM setup! I really like Oracle's approach with compartments compared to AWS Organizations with multiple accounts.

Handy script by Rodrigo Jorge to clone your security list rules if you have multiple similar deployments. I also recommend looking at Terraform modules, but security lists with Terraform are a different beast! If there is one case where modules aren't that reusable, it's OCI security lists, at least before Terraform 0.12 comes out.

Using Ksplice to detect exploit attempts in your system. It's not directly related to OCI, but if you are running Oracle Linux on OCI you get to use Ksplice free of charge. One benefit to keep in mind if you are considering whether migrating to OCI makes sense.

Tip of the week

Terraform module to deploy SAP. Even if you aren't deploying it, they have some good ideas on using remote-exec with Terraform and on how to use depends_on. I personally like to go through these just to get new ideas!


I'm not in partnership with Oracle in any way so all opinions are my personal views and should not be taken as an official statement from Oracle.

Hope you have a great day and thanks for reading!