Merge branch 'main' into oci-security-health-check-standard-2503

Author: oheimburger

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/README.md

@@ -36,7 +36,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 -->
 
-# Terraform Stack to be used in OCI Resource Manager to create OCI DevOps pipelines for OCI Functions
+#  OCI Resource Manager Terraform Stack to create OCI DevOps CI/CD pipelines for OCI Functions
 
 Reviewed: 11.2.2025
 
@@ -50,32 +50,44 @@ The DevOps project is not specific to any programming language but includes <a h
 
 # How to use this asset?
 
-Clone this repo locally. In OCI Console click <code>Create Stack</code> under <code>Resource Manager</code> in your project compartment. Drag-n-drop the <a href="./files">files -folder</a> to <code>Stack Configuration</code> (<b>folder type</b>).
+Clone this repo locally. In OCI Console click <code>Create Stack</code> under <code>Resource Manager</code> in your project compartment. Drag-n-drop the <a href="./files">files</a> -folder to <code>Stack Configuration</code> (<b>folder type</b>) or click this button below to create the stack on your OCI tenancy:
+
 <p>
-OCI DevOps IAM Policies are not part of the stack, please refer to <a href="https://docs.oracle.com/en-us/iaas/Content/devops/using/devops_iampolicies.htm">docs</a> how to create them first.
+
+[![Deploy to Oracle Cloud](https://oci-resourcemanager-plugin.plugins.oci.oraclecloud.com/latest/deploy-to-oracle-cloud.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-devrel/technology-engineering/releases/download/latest/devops-tf-stack.zip)
+
 <p>
-Important! Before running the stack it is manadatory to create the OCI Registry repository for the OCI Function container and upload a dummy X86 architecture container to it. The <b>name</b> of the OCIR repo needs to match to the <code>image_name</code> of the Stack variables e.g. <b>helloworldai-java</b>. The image tag must be '<b>1</b>'.
-<br>
-The reason for this is that the Stack cannot create the Function without pointing to an image in OCIR.
+Note! OCI DevOps <code>IAM Policies</code> are not part of the stack, please refer to <a href="https://docs.oracle.com/en-us/iaas/Content/devops/using/devops_iampolicies.htm">docs</a> how to create them before running the devops project pipelines.
 <p>
-This can be done by doing the following in OCI Cloud Shell (assuming the image name is 'helloworldai-java'):
-<pre>
-oci artifacts container repository create --display-name helloworldai-java --compartment-id ocid1.compartment.oc1.....gq
-docker pull hello-world
-docker tag hello-world fra.ocir.io/&lt;YOUR_TENANCY_NAMESPACE&gt;/helloworldai-java:1
-docker push fra.ocir.io/&lt;YOUR_TENANCY_NAMESPACE&gt;/helloworldai-java:1
-</pre>
-Unless doing this the Stack will run into an error:
-<pre>
-Error: 400-InvalidParameter, Invalid Image fra.ocir.io/&lt;YOUR_TENANCY_NAMESPACE&gt;/&lt;image_name&gt:1 does not exist or you do not have access to use it
-</pre>
-After doing this the Stack can be run to create the OCI DevOps project. After the project creation the build pipelines can be run to build and deploy the OCI Function with real Function code like <a href="https://github.com/oracle-devrel/technology-engineering/blob/main/app-dev/devops-and-containers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/README.md">this one</a> (the dummy hello-world image won't run properly).
+
+### Stack settings
+
+Creating the stack in OCI Resource Manger fill in the vars:
+
+![Stack](./files/stack.jpg)
+
+<ul>
+    <li><i>initial_image</i> that is used to create the OCI Function as target environment for the OCI DevOps deployment pipeline.
+    By default it is loaded from Dockerhub, but you can use any X86 arch image if want to replace this</li>
+    <li><i>docker_user</i> is your OCIR Docker user to push the initial image (above) to OCIR repo for the Function. Replace &lt;namespace&gt; with your <code>tenancy namespace</code>. <code>oracleidentitycloudservice</code> is only used for federated domains/users, not local</li>
+    <li><i>docker_password</i> is an <code>auth token</code> in your OCI user profile, <i>create one for this</i></li>
+</ul>
+
+Docker credentials are only used during the DevOps project creation to push the initial Function image and the DevOps project won't need them after it's been created by Terraform. <i>Hence, you can delete the auth token from your profile after the stack has been run.</i>
+<p>
+
+After creation run Stacks's Apply to create the OCI DevOps project. 
 <p>
 The Stack creates only a <i>private subnet</i> in the VCN and hence the Function cannot be called outside the tenancy by default after the build and deploy.
-<br>
-However, the Function invocation can be done from OCI Cloud Shell either by connecting to the VCN private subnet or to OCI Service Network, both options will work. The invocation can be done as follows using the Stack <code>project_name</code> e.g. :
+<p>
+However, the Function invocation can be done from <code>OCI Cloud Shell</code> either by connecting to the <b>VCN private subnet</b> or to <b>OCI Service Network</b>, both options will work. The invocation can be done as follows using the Stack <code>project_name</code> e.g. :
+<pre>
+fn invoke helloworldai-java helloworldai-java
+</pre>
+
+Since the stack creates the DevOps project with a target Function with the intial image it should already run and return:
 <pre>
-fn invoke helloworldai-java-project helloworldai-java-project
+Hello, world!
 </pre>
 
 # Useful Links

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/files/artifacts.tf

@@ -2,15 +2,18 @@
 
 resource oci_artifacts_container_configuration export_container_configuration {
   compartment_id                      = var.compartment_ocid
-  is_repository_created_on_first_push = "true"
+  is_repository_created_on_first_push = "false"
 }
 
 resource oci_artifacts_container_repository export_project {
   compartment_id = oci_artifacts_container_configuration.export_container_configuration.compartment_id
 
-  display_name = "${var.project_name}-image"
+  display_name = "${var.image_name}"
   freeform_tags = {
   }
   is_immutable = "false"
   is_public    = "false"
+  provisioner "local-exec" {
+    command = "docker login ${var.registry} -u '${var.docker_user}' -p '${var.docker_pwd}' && docker pull ${var.initial_image} && docker tag ${var.initial_image} ${var.registry}/${data.oci_objectstorage_namespace.tenancy_namespace.namespace}/${var.image_name}:1 && docker push ${var.registry}/${data.oci_objectstorage_namespace.tenancy_namespace.namespace}/${var.image_name}:1"
+  }
 }

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/files/build_pipeline_specs/build_spec_native.yaml

@@ -12,15 +12,6 @@ steps:
       echo "Build ID: $buildId"
   - type: Command
     command: |
-      # This replaces the default open-jdk
-      export GRAALVM_VERSION="21"
-      export JAVA_VERSION="17"
-      yum -y install graalvm${GRAALVM_VERSION}-ee-${JAVA_VERSION}-jdk;
-      export JAVA_HOME=/usr/lib64/graalvm/graalvm${GRAALVM_VERSION}-ee-java${JAVA_VERSION};
-      java -version
-
-      mvn clean install
-      
       docker build -f Dockerfile.native -t ${REGISTRY}/${NAMESPACE}/${IMAGE_NAME} .
       docker tag ${REGISTRY}/${NAMESPACE}/${IMAGE_NAME}:latest ${REGISTRY}/${NAMESPACE}/${IMAGE_NAME}:$buildId
 outputArtifacts:

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/files/devops.tf

@@ -402,8 +402,8 @@ resource oci_devops_build_pipeline_stage export_build {
   build_pipeline_stage_type = "BUILD"
   build_runner_shape_config {
     build_runner_type = "CUSTOM"
-    memory_in_gbs     = "512"
-    ocpus             = "8"
+    memory_in_gbs     = "8"
+    ocpus             = "2"
   }
   build_source_collection {
     items {

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/files/functions.tf

@@ -40,5 +40,5 @@ resource oci_functions_function export_project_2 {
   trace_config {
     is_enabled = "false"
   }
+  depends_on = [oci_artifacts_container_repository.export_project]
 }
-

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/files/stack.jpg

@@ -2,10 +2,20 @@ variable region { default = "eu-frankfurt-1" }
 variable registry { default = "fra.ocir.io" }
 variable compartment_ocid { }
 variable project_name { 
-    default = "helloworldai-java-project"
+    default = "helloworldai-java"
     description = "Name of the OCI DevOps project and related resources"
 }
 variable image_name { 
-    default = "helloworldai-java"
-    description = "Name of the Docker image in OCIR. Important! Create/Push this into the OCIR repo for this before running this Stack, otherwise the stack will fail due to empty image in the function definition You can do this in OCI Cloud Shell using hello-world image from Docker Hub and then tagging and pushing it accordingly."
+    default = "helloworldai"
+    description = "Name of the image that is built by the pipelines and deployed in the target OCI Function"
+}
+variable docker_user { 
+    description = "Your docker user to login OCIR to create the initial Function image"
+}
+variable docker_pwd { 
+    description = "Your docker password (auth token) to login OCIR to create the initial Function image"
+}
+variable initial_image { 
+    default = "docker.io/mikarinneoracle/hello-world-java-graalvm"
+    description = "Intial native X86 Hello-world public image that is used to deploy the initial OCI Function"
 }

app-dev/devops-and-containers/devops/oci-devops-terraform-function-java-graalvm/files/vars.tf

@@ -1,17 +1,24 @@
+FROM fnproject/fn-java-fdk-build:jdk17-1.0-latest as build-stage
+WORKDIR /function
+ENV MAVEN_OPTS -Dhttp.proxyHost= -Dhttp.proxyPort= -Dhttps.proxyHost= -Dhttps.proxyPort= -Dhttp.nonProxyHosts= -Dmaven.repo.local=/usr/share/maven/ref/repository
+ADD pom.xml /function/pom.xml
+RUN ["mvn", "package", "dependency:copy-dependencies", "-DincludeScope=runtime", "-DskipTests=true", "-Dmdep.prependGroupId=true", "-DoutputDirectory=target", "--fail-never"]
+ADD src /function/src
+RUN ["mvn", "package"]
+
 FROM container-registry.oracle.com/graalvm/native-image:23-ol8 AS native
 WORKDIR /app
-
-COPY target .
+COPY --from=build-stage /function/target .
 ADD reflection.json .
 
 RUN native-image \
      -H:ReflectionConfigurationFiles=/app/reflection.json \
      -Ob \
      -H:Name=Hello \
-     -cp "/app/Hellofunc-1.0-SNAPSHOT.jar:/app/lib/*"  \
+     -cp "/app/Hellofunc-1.0-SNAPSHOT.jar:/app/*"  \
         com.fnproject.fn.runtime.EntryPoint
 
-FROM fnproject/fn-java-fdk:jre17-1.0.198 as fdk
+FROM fnproject/fn-java-fdk:jre17-latest as fdk
 
 FROM container-registry.oracle.com/os/oraclelinux:8-slim
 COPY --from=native /app/Hello .

app-dev/devops-and-containers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/files/Dockerfile.native

@@ -12,15 +12,6 @@ steps:
       echo "Build ID: $buildId"
   - type: Command
     command: |
-      # This replaces the default open-jdk
-      export GRAALVM_VERSION="21"
-      export JAVA_VERSION="17"
-      yum -y install graalvm${GRAALVM_VERSION}-ee-${JAVA_VERSION}-jdk;
-      export JAVA_HOME=/usr/lib64/graalvm/graalvm${GRAALVM_VERSION}-ee-java${JAVA_VERSION};
-      java -version
-
-      mvn clean install
-      
       docker build -f Dockerfile.native -t ${REGISTRY}/${NAMESPACE}/${IMAGE_NAME} .
       docker tag ${REGISTRY}/${NAMESPACE}/${IMAGE_NAME}:latest ${REGISTRY}/${NAMESPACE}/${IMAGE_NAME}:$buildId
 outputArtifacts:

app-dev/devops-and-containers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/files/build_spec_native.yaml

@@ -6,7 +6,7 @@ These resources aim to offer guidance throughout your migration, enabling you to
 
 Explore these materials to enhance your migration strategy. We appreciate your participation and are committed to supporting your cloud migration journey.
 
-Reviewed: 24.10.2024
+Reviewed: 26.02.2025
 
 # Table of Contents