Zero Quota Policy Creator Function

Find out how to use the Zero Quota Policy Creator pre-built function in OCI Functions to create a quota policy on compartments to prevent the creation of OCI resources, and so help to enforce budgets and manage OCI spending.

Common Usage Scenarios

Create a zero quota policy that prevents creation of OCI resources after reaching a spending threshold. To do this, perform the following two steps:

  • Create a budget for a compartment and a budget alert rule to set a budget alert based on an actual or forecasted spending threshold. For more information on budgets, see Managing Budgets.
  • Configure an event rule in the root compartment that is triggered by the budget alert and invokes a function created from this pre-built function. For more information on event rules, see Using the Console to Create a Rule.

Scope

Scope considerations for this function include:

  • This pre-built function supports budgets created for compartment scope only. For more information, see Managing Budgets.

Prerequisites And Recommendations

The following are best practices when using this pre-built function:

  • Set the pre-built function timeout to 300 seconds.
  • The VCN linked to the application must provide access to other OCI services through a Service Gateway, Internet Gateway, or NAT Gateway.
  • Create event rules only in the root compartment.
  • Both budgets and quota policies are tenancy-level features. Configure this pre-built function in the home region. When it is configured in the home region, a Service Gateway in the VCN is sufficient, because the Budgets and Quotas APIs are reached within the region.

    If the pre-built function is configured in another region, an Internet Gateway or a NAT Gateway is required so that the function can make cross-region calls to the home region.

Configuring the Zero Quota Policy Creator Function

To configure a Zero Quota Policy Creator function, perform the following steps:

  1. On the Pre-Built Functions page, click Zero Quota Policy Creator, and then click Create function.
  2. Configure the Name, Compartment, and Application as follows:
    • Name: A name of your choice for the new function. The name must start with a letter or underscore, followed by letters, numbers, hyphens, or underscores. Length can be 1–255 characters. Avoid entering confidential information.

    • Compartment: The compartment in which to create the function. To create the function in a different compartment, click Change Compartment.

    • Application: Select the application in which you want to create the function.

      If a suitable application doesn't already exist in the current compartment, click Create new application and specify the following details:

      • Name: A name for the new application. Avoid entering confidential information.
      • VCN: The VCN (virtual cloud network) in which to run functions in the application. Optionally, click Change Compartment to select a VCN from a different compartment.
      • Subnets: The subnet (or subnets, up to a maximum of three) in which to run functions. Optionally, click Change Compartment to select a subnet from a different compartment.
      • Shape: The processor architecture of the compute instances on which to deploy and run functions in the application. All the functions in the application are deployed and run on compute instances with the same architecture. The function's image must contain the necessary dependencies for the architecture you select.
      • Tagging options: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
  3. Configure the IAM policy for pre-built functions.

    By default, OCI Functions creates a dynamic group and an IAM policy with the policy statements required to run the pre-built function. Make no changes to accept the default behavior.

    If you don't want OCI Functions to automatically create the dynamic group and policy, select Do not create a dynamic group and IAM policy.

    Important

    If you select the Do not create a dynamic group and IAM policy option, you must define the dynamic group and the IAM policy yourself. For more information, see Permissions.
  4. Configure function memory and timeout values as follows:
    • Memory: The maximum amount of memory that the function can use while running, in megabytes. This is the memory available to the function image. (Default: 256 MB)
    • Timeout: The maximum amount of time that the function can run for, in seconds. If the function doesn’t complete in the specified time, the system cancels the function. (Default: 300)
  5. (Optional) Configure Provisioned concurrency to minimize any initial delays when invoking the function by specifying a minimum number of concurrent function invocations for which you want to have execution infrastructure constantly available. (Default: Not selected)

    If selected, specify the number of provisioned concurrency units assigned to this function. Default: 20.

    For more information about provisioned concurrency, see Reducing Initial Latency Using Provisioned Concurrency.

  6. Set the function configuration parameters as described in Configuration Parameters.
  7. Optionally enter any tags in the Tagging options section. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
  8. Click Create.

The deploy dialog displays the tasks to deploy the function (see Finishing Pre-Built Function Deployment).

Configuration Options

Configuration Parameters

  • SERVICE_FAMILY_NAMES (optional): A comma-separated list of service family names to be used in the quota policy statements. The default value includes all the service family names that support the Quota service. For more information, see Available Quotas by Service.
  • PBF_LOG_LEVEL (optional): Logging level. Options are DEBUG, INFO, WARN, and ERROR. Defaults to INFO.

Permissions

Running a function requires certain IAM policies. If you selected the Do not create a dynamic group and IAM policy option when creating the function, you must define the dynamic group and the IAM policy yourself.

To set the proper policies, perform the following steps:

  • Create a dynamic group with the following matching rule:
    ALL {resource.id = '<function-ocid>', resource.compartment.id = '<compartment-ocid>'}
  • Configure an IAM policy using the dynamic group:
    Allow dynamic-group <dynamic-group-name> to read usage-budgets in tenancy
    Allow dynamic-group <dynamic-group-name> to manage quota in tenancy
    Allow dynamic-group <dynamic-group-name> to read limits in tenancy
    Allow dynamic-group <dynamic-group-name> to read compartments in tenancy

Note

Replace <function-ocid> with the OCID of the function that you created in the preceding steps, <compartment-ocid> with the OCID of the compartment that contains the function, and <dynamic-group-name> with the name of the dynamic group that you created using the function's OCID.

Because manage quota in tenancy allows the principal to create, change, or delete any quota policy in the tenancy, keep the dynamic group scoped to this single function OCID, as the matching rule above does, rather than matching every function in an application or compartment.

Invoking This Function

You can invoke the function in the following ways:

  • Create an event rule that matches the budget alert events and invokes this function, which then creates a quota policy to prevent creation of new resources.

Response Body

  • Timestamps: startTime and endTime are reported in UTC (ISO 8601 with a Z suffix) to avoid time zone issues; runTime is an ISO 8601 duration.
  • Code: The function returns a 200 code if the task completes successfully.
  • Status: The function returns "Success" as the status if the task completes successfully.
  • Message: A JSON body (the data object in the example that follows) that includes specific response information for the task, such as the OCID of the quota policy that was created.

Example

The following example shows the JSON return data:

{
    "startTime": "2023-02-21T05:08:25.275Z",
    "endTime": "2023-02-21T05:08:28.731Z",
    "runTime": "PT3.456S",
    "code": 200,
    "status": "Success",
    "data": {
        "additionalInformation": {
            "Created Quota Policy OCID": "ocid1.quota.oc1..aaaaa..."
        }
    }
}
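The flow described under Common Usage Scenarios, Configuration Parameters, and Response Body, modelled as an added Python example. This is not the pre-built function's source code: the event field names (data.additionalDetails.budgetId), the status and messages of error responses other than the documented 400 text, the fallback family list, and the OciClients lookups are assumptions of the example, and the OCIDs and names in the sample event and fake clients are constructed placeholders.

```python
"""Offline model of the Zero Quota Policy Creator flow.

Added illustration, not the pre-built function's source: it validates the
incoming budget alert event, parses SERVICE_FAMILY_NAMES, builds zero-quota
statements for the budget's target compartment, and returns a body in the
documented response format. OCI lookups are injected so the code runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# The page names the accepted event type "AlertRule - Create"; using that
# literal as the eventType value is an assumption of this example.
EXPECTED_EVENT_TYPE = "AlertRule - Create"
# Assumed fallback; the real default covers every family that supports the
# Quota service (see Available Quotas by Service).
DEFAULT_SERVICE_FAMILIES = "compute,block-storage,database,load-balancer"


@dataclass
class OciClients:
    """Lookups the flow needs; real code would back these with the OCI SDK."""
    budget_targets: Callable[[str], List[str]]          # budget OCID -> target compartment OCIDs
    compartment_path: Callable[[str], str]              # compartment OCID -> root-relative path "a:b"
    create_quota: Callable[[str, str, List[str]], str]  # (name, description, statements) -> quota OCID


def service_families(config: Dict[str, str]) -> List[str]:
    """Parse the comma-separated SERVICE_FAMILY_NAMES parameter, ignoring blanks."""
    raw = config.get("SERVICE_FAMILY_NAMES") or DEFAULT_SERVICE_FAMILIES
    names = [n.strip() for n in raw.split(",") if n.strip()]
    if not names:
        raise ValueError("SERVICE_FAMILY_NAMES contains no service family names")
    return names


def zero_quota_statements(families: List[str], compartment_path: str) -> List[str]:
    """One 'zero <family> quotas' statement per family; quota statements address
    a compartment by its path from the root (parent:child), not its bare name."""
    return [f"zero {family} quotas in compartment {compartment_path}" for family in families]


def fixed_clock(*stamps: str) -> Callable[[], datetime]:
    """Clock that hands out the given UTC stamps in order, for deterministic runs."""
    parsed = (datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc) for s in stamps)
    return lambda: next(parsed)


def build_response(code: int, status: str, start: datetime, end: datetime, data: dict) -> dict:
    """Response body in the shape documented on this page (UTC stamps, ISO 8601 duration)."""
    def stamp(d: datetime) -> str:
        return d.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"startTime": stamp(start), "endTime": stamp(end),
            "runTime": f"PT{(end - start).total_seconds():.3f}S",
            "code": code, "status": status, "data": data}


def handle_event(event: dict, config: Dict[str, str], clients: OciClients,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> dict:
    start = now()
    # Reject anything but the expected event before touching any OCI API.
    if event.get("eventType") != EXPECTED_EVENT_TYPE:
        return build_response(400, "Error", start, now(), {"message": "Function payload has wrong Event Type"})
    budget_id = event["data"]["additionalDetails"]["budgetId"]   # assumed location of the budget OCID
    targets = clients.budget_targets(budget_id)
    if len(targets) != 1:   # only compartment-scope budgets are supported (assumed message text)
        return build_response(400, "Error", start, now(), {"message": "Budget is not compartment scoped"})
    path = clients.compartment_path(targets[0])
    statements = zero_quota_statements(service_families(config), path)
    quota_id = clients.create_quota(f"zero-quota-{path.replace(':', '-')}",
                                    f"Budget {budget_id} reached its alert threshold", statements)
    return build_response(200, "Success", start, now(),
                          {"additionalInformation": {"Created Quota Policy OCID": quota_id}})


# Constructed sample input and fake clients; OCIDs and names are placeholders.
SAMPLE_EVENT = {"eventType": "AlertRule - Create",
                "data": {"compartmentId": "ocid1.tenancy.oc1..example",
                         "additionalDetails": {"budgetId": "ocid1.budget.oc1..example"}}}


def demo_clients(created: Optional[List[dict]] = None) -> OciClients:
    """Fake lookups: one budget targeting compartment prod:web; records each quota creation."""
    log = [] if created is None else created

    def create_quota(name: str, description: str, statements: List[str]) -> str:
        log.append({"name": name, "description": description, "statements": statements})
        return "ocid1.quota.oc1..example"

    return OciClients(budget_targets=lambda _budget_id: ["ocid1.compartment.oc1..web"],
                      compartment_path=lambda _compartment_id: "prod:web",
                      create_quota=create_quota)


if __name__ == "__main__":
    import json
    body = handle_event(SAMPLE_EVENT, {"SERVICE_FAMILY_NAMES": "compute, database"}, demo_clients(),
                        now=fixed_clock("2023-02-21T05:08:25.275Z", "2023-02-21T05:08:28.731Z"))
    print(json.dumps(body, indent=4))
```

Running the block prints a body in the same shape as the example above. Two checks are worth keeping in a real implementation: reject any event whose type is not the expected one before calling any OCI API, and refuse budgets that do not resolve to exactly one compartment, because this function supports compartment-scope budgets only. A nested target compartment must be addressed by its full path from the root in the quota statement, which is why the example resolves a path rather than a display name.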

Troubleshooting

OCI Functions common status codes

The following list summarizes common OCI Functions errors that you might encounter when working with pre-built functions (error code, error message, action):

  • 200 Success: No action is needed.
  • 404 NotAuthorizedOrNotFound: Verify that the required policies are configured (see Running Fn Project CLI commands returns a 404 error).
  • 444 Timeout: The connection between the client and OCI Functions was interrupted during function execution (see Invoking a function causes the client to report a timeout, and a 444 error is shown in the function's logs). A retry might solve the issue.

    Note that most clients have a default read timeout of 60 seconds. Even when the pre-built function timeout is set to 300 seconds, the following might be required so that the client waits as long as the function is allowed to run:

    • When using the OCI CLI: Use --read-timeout 300
    • When using the OCI SDK: Set the read timeout to 300 seconds when creating the client
    • When using DBMS_CLOUD.SEND_REQUEST: Use UTL_HTTP.set_transfer_timeout(300);

    For more information, see Invoking Functions.

  • 502 (various): Most issues return a 502 status code (see Invoking a function returns a Function failed message and a 502 error). A 502 error with the message "error receiving function response" might be resolved by increasing the memory allocation. A 502 might also occur occasionally while the function is in a transient state; a retry might solve the issue.
  • 504 Container failed to initialize: The application's shape must be compatible with the function image (for example, GENERIC_X86).

To further identify the cause, enable logging features for the pre-built function (see Storing and Viewing Function Logs). For detailed information on troubleshooting a function, see Troubleshooting OCI Functions.

Zero Quota Policy Creator pre-built function status codes

The following list summarizes the errors that you might encounter when working with this pre-built function (error code, error message, action):

  • 400 Function payload has wrong Event Type: Verify that the event type of the incoming event is "AlertRule - Create".

To further identify the cause, enable logging features for the pre-built function (see Storing and Viewing Function Logs).

Log Analysis Tips

All the pre-built functions provide an option to specify the logging level as a configuration parameter. You can set the logging level to DEBUG to get more information.

Because an application can contain multiple functions, the pre-built function log entries are identified by the prefix "PBF | <PBF NAME> ".

For example, a log entry for the Media Workflow Job Spawner pre-built function looks similar to the following:

"PBF | Media Workflow Job Spawner | INFO | 2023-02-07T18:06:50.809Z | Fetching details from Events JSON"
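A parser for that log prefix, as an added example that is not part of the original page. It pulls the entries of one pre-built function out of an application's shared log stream and filters them by level, so that a Zero Quota Policy Creator error such as the 400 above can be found next to entries from other functions. The sample lines are constructed for the example; only the first one is taken from this page.

```python
"""Filter OCI Functions log lines emitted by pre-built functions.

Added example: parses the "PBF | <name> | <level> | <timestamp> | <message>"
prefix described on this page and filters entries by function name and level.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Log search output may wrap the message in quotes, as the page's example does.
PBF_LINE = re.compile(
    r'^"?PBF \| (?P<name>[^|]+?) \| (?P<level>DEBUG|INFO|WARN|ERROR) \| '
    r'(?P<timestamp>\S+) \| (?P<message>.*?)"?$')
LEVEL_RANK = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3}


@dataclass
class PbfLogEntry:
    name: str
    level: str
    timestamp: str
    message: str


def parse_pbf_line(line: str) -> Optional[PbfLogEntry]:
    """Return the parsed entry, or None for lines without the PBF prefix."""
    match = PBF_LINE.match(line.strip())
    if not match:
        return None
    return PbfLogEntry(**match.groupdict())


def filter_entries(lines: Iterable[str], pbf_name: Optional[str] = None,
                   min_level: str = "INFO") -> List[PbfLogEntry]:
    """Keep entries from the named pre-built function at or above min_level."""
    floor = LEVEL_RANK[min_level]
    kept: List[PbfLogEntry] = []
    for line in lines:
        entry = parse_pbf_line(line)
        if entry is None:
            continue   # a custom function in the same application, or an unrelated line
        if pbf_name is not None and entry.name != pbf_name:
            continue
        if LEVEL_RANK[entry.level] >= floor:
            kept.append(entry)
    return kept


# Constructed sample: two pre-built functions and a custom function sharing one application log.
SAMPLE_LINES = [
    '"PBF | Media Workflow Job Spawner | INFO | 2023-02-07T18:06:50.809Z | Fetching details from Events JSON"',
    '"PBF | Zero Quota Policy Creator | DEBUG | 2023-02-21T05:08:25.300Z | Parsed SERVICE_FAMILY_NAMES"',
    '"PBF | Zero Quota Policy Creator | INFO | 2023-02-21T05:08:28.700Z | Created quota policy"',
    '"PBF | Zero Quota Policy Creator | ERROR | 2023-02-21T06:10:01.002Z | Function payload has wrong Event Type"',
    'plain log line from a custom function in the same application',
]

if __name__ == "__main__":
    for entry in filter_entries(SAMPLE_LINES, "Zero Quota Policy Creator", "WARN"):
        print(f"{entry.timestamp} {entry.level}: {entry.message}")
```

Set PBF_LOG_LEVEL to DEBUG when reproducing a problem and filter with min_level="DEBUG" to see the function's full trace; keep the default INFO filter otherwise, so routine DEBUG entries do not drown out the WARN and ERROR lines that need action.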