Resource Manager is an Oracle Cloud Infrastructure service that allows you to automate the process of provisioning your Oracle Cloud Infrastructure resources. It helps you install, configure, and manage resources using the "infrastructure-as-code" model.
Resource Manager runs as an Oracle Cloud Infrastructure service and uses Terraform to codify your infrastructure in declarative configuration files, which allows you to review and edit, version, persist, reuse, and share them across teams. You can then use Resource Manager to provision Oracle Cloud Infrastructure resources using your Terraform configurations.
For more information about the Oracle Cloud Infrastructure Terraform provider, see Terraform Provider. For a general introduction to Terraform and the "infrastructure-as-code" model, see Terraform: Write, Plan, and Create Infrastructure as Code.
While you can install and run Terraform locally and use Oracle Terraform modules to do specific tasks, using Resource Manager allows you to share and manage infrastructure configurations and state files across multiple teams and platforms.
You can run Resource Manager using either the command line interface (CLI) or the Oracle Cloud Infrastructure Console. The Console provides an easy-to-use interface, while the CLI enables programmatic interaction with the Resource Manager. You can also program directly by using the Software Development Kits and Command Line Interface, or by using the Resource Manager REST APIs. Oracle provides API reference documentation in the Resource Manager API Reference.
Resource Manager integrates with Identity and Access Management (IAM), allowing you to define granular permissions using policies. It also integrates seamlessly with the Oracle Cloud Infrastructure Audit service to enable auditing for your infrastructure provisioning.
Resource Manager is not available in Oracle Cloud Infrastructure Government Cloud.
Authentication and Authorization
To use Resource Manager, you must configure the required Identity and Access Management (IAM) permissions.
Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.
Many tasks in the Resource Manager require specific permissions for the user who is performing the action. For details and examples, see:
- Details for Resource Manager for a complete list of Resource Manager permissions
- Managing Stacks and Jobs for example policies for Resource Manager
Permissions are scoped to the tenancy compartment. When your tenancy is first provisioned, a root compartment is created automatically. The administrator can create more compartments and control access to each one and its resources by creating IAM policies. These policies specify which actions each group can take on the resources in each compartment. For information about IAM permissions, see Overview of Oracle Cloud Infrastructure Identity and Access Management. See also How Policies Work.
Limits on Resource Manager Resources
See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.
You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.
Moving Resources to a Different Compartment
You can move stacks from one compartment to another. When you move a stack to a new compartment, its associated jobs move with it. After you move the stack to the new compartment, inherent policies apply immediately and affect access to the stack and associated jobs through the Console. For more information, see Managing Compartments.
Following are brief descriptions of key concepts and the main components of Resource Manager.
Stacks represent definitions of groups of Oracle Cloud Infrastructure resources that you can act upon as a group. Each stack has a configuration, which is made up of one or more declarative configuration files. Stacks are attached to a specific region. However, where necessary, the resources on a given stack can be deployed across multiple regions.
Stacks reside in a compartment of your choosing inside your Oracle Cloud Infrastructure tenancy. Jobs reside in the compartment that is occupied by the stack they are associated with. Resource Manager assigns unique Oracle Cloud IDs (OCIDs) to both stacks and jobs.
Jobs perform the actions that are defined in your configuration. Only one job at a time can run on a given stack; further, you can have only one set of Oracle Cloud Infrastructure resources on a given stack. When you have to run a job to provision a different set of resources, you must create a separate stack and use a different configuration.
The Resource Manager provides three job types:
- Plan job. A plan job takes your Terraform configuration, parses it, and creates an execution plan. The execution plan lists a sequence of specific actions that take place to provision your Oracle Cloud Infrastructure resources. The execution plan is handed off to the apply job, which then executes the instructions.
- Apply job. The apply job takes your execution plan, applies it to the associated stack, then executes the configuration's instructions. By doing so, it creates (or modifies) the stack resources. Depending on the number and type of resources specified, apply jobs can result in a long-running operation. Both Console and the CLI allow you to determine the status of job while it executes.
- Destroy job. To clean up the infrastructure controlled by the stack, you run a destroy job. A destroy job does not delete the stack and its resources, but instead releases the resources (terminates a Compute instance, for example). However, the stack's job history and state remain. You can monitor the status and review the results of a destroy job by inspecting the stack's log files.
- Import State job. An import Terraform state job takes a Terraform state file and sets it as the current state of the stack. Use this job to migrate local Terraform environments to Resource Manager.
In a sense, jobs represent a record of a stack's history, which you can see by reviewing the following:
- The configuration (snapshot) for a given apply job.
- The execution plan that is derived by a plan job.
- The state file for a given apply job.
A tenancy is a secure, isolated partition within the Oracle Cloud Infrastructure ecosystem where you can create, organize, and administer your cloud resources. The scope of a tenancy is typically an entire organization. You can subdivide your organization's resources by creating compartments that align with your business.
Organize and control access to your cloud resources by segmenting them into compartments. A compartment is a collection of related resources such as instances, virtual cloud networks, block volumes, and so forth. Compartments also form security barriers that employ role-based access control to regulate access to your cloud resources.
Compartments create logical groupings of resources that you can align with your business. For example, you might have a human resources compartment, a finances compartment, an operations compartment, and so forth.
Regions represent geographical locations where Oracle Cloud Infrastructure hosting resources are physically located. Each region contains availability domains, which are individual data centers. For more information about regions and availability domains, see Regions and Availability Domains.
A configuration is a set of one or more Terraform configuration (.tf) files that specify the Oracle Cloud Infrastructure resources in a given stack, including resource metadata, and other important information, including data source definitions, variables declarations, and so forth.
Configurations are simple text files that describe your infrastructure using a declarative language (HashiCorp Configuration Language, or HCL). Alternatively, you can provide configurations using JSON format when your configurations must be machine readable. Configuration files that use the HCL format end with the
.tf file extension; those using JSON format end with the
.tf.json file extension. The HCL format is human-readable, while the JSON format is machine readable.
State (state files)
Essential information about the state of your resources configuration is maintained in a state (.tfstate) file, which uses the JSON format. The state file maps your stack's resources to your configuration and also maintains essential configuration metadata, such as resource dependencies. Resource Manager generates and updates state files automatically. You cannot edit the file manually.
Resource Manager supports state locking by allowing only one job at a time to run on a given stack. For more information about state files, see Hashicorp: State.
Terraform supports using modules to group related resources. Modules can be used to create lightweight and reusable abstractions, so that you can describe your infrastructure in terms of its architecture. For more information, see Creating Modules.
We recommend that all modules used by a Resource Manager stack are included locally in the configuration and referenced using a local path. To use a module for Oracle Cloud Infrastructure from the Terraform Module Registry, download the source from GitHub and include the relevant portion in a subdirectory in your zip file, then reference the module using a local path. For more information, see Local Paths.
The following image represents a generalized view of the Resource Manager workflow.
- Create a Terraform configuration.
- Create a stack.
- Create a plan job, which produces an execution plan.
- Review the execution plan.
- If changes are needed in the execution plan, update the configuration and recreate the plan job.
- Create and run the apply job to provision resources.
- Review state file and log files, as needed.
- You can optionally reapply your configuration, with or without making changes.
- Optionally, to release the resources running on a stack, run a destroy job .