Zero Quota Policy Creator Function
Find out how to use the Zero Quota Policy Creator pre-built function in OCI Functions to create a quota policy on compartments to prevent the creation of OCI resources, and so help to enforce budgets and manage OCI spending.
Common Usage Scenarios
Create a zero quota policy that prevents creation of OCI resources after reaching a spending threshold. To do this, perform the following two steps:
- Create a budget for a compartment and a budget alert rule to set a budget alert based on an actual or forecasted spending threshold. For more information on budgets, see Managing Budgets.
- Configure an event rule in the root compartment to trigger from the budget alert and to invoke a function created from this pre-built function. For more information on event rules, see Using the Console to Create a Rule.
Services related to the Zero Quota Policy Creator function include:
Scope
Scope considerations for this function include:
- This pre-built function supports budgets created for compartment scope only. For more information, see Managing Budgets.
Prerequisites And Recommendations
The following are best practices when using this pre-built function:
- Set the pre-built function timeout to 300 seconds.
- The VCN linked to the application facilitates access to other OCI services by using a Service Gateway, Internet Gateway, or NAT gateway.
- Create event rules only in the root compartment.
Both budgets and quota policies are tenancy-level features, so configure this pre-built function in the home region; there, a Service Gateway in the VCN is sufficient.
If the pre-built function is configured in another region, an Internet Gateway or a NAT Gateway is required so that the function can make cross-region calls.
Configuring the Zero Quota Policy Creator Function
To configure a Zero Quota Policy Creator function, perform the following steps:
The deploy dialog displays the tasks to deploy the function (see Finishing Pre-Built Function Deployment).
Configuration Options
Configuration Parameters
Name | Description | Required |
---|---|---|
SERVICE_FAMILY_NAMES | A comma separated list of service family names to be used in the quota policy statements. The default value includes all the service family names that support the Quota Service. For more information, see Available Quotas by Service. | No |
PBF_LOG_LEVEL | Logging level. Options are DEBUG, INFO, WARN, and ERROR. Defaults to INFO. | No |
Permissions
Running a function requires certain IAM policies. If you selected the Do not create a dynamic group and IAM policy option when creating the function, you must define the dynamic group and the IAM policy yourself.
To set the proper policies, perform the following steps:
- Create a dynamic group with the rule:
ALL {resource.id = '<function-ocid>', resource.compartment.id = '<compartment-ocid>'}
- Configure an IAM policy using the dynamic group:
Allow dynamic-group <dynamic-group-name> to read usage-budgets in tenancy
Allow dynamic-group <dynamic-group-name> to manage quota in tenancy
Allow dynamic-group <dynamic-group-name> to read limits in tenancy
Allow dynamic-group <dynamic-group-name> to read compartments in tenancy
Replace <function-ocid> with the OCID of the function that you created in the preceding steps. Replace <dynamic-group-name> with the name of the dynamic group that you created using the function's OCID. Replace <compartment-ocid> with the OCID of the compartment that contains the function.
Invoking This Function
You can invoke the function in the following ways:
- Create an event rule to match the budget threshold spending events to a rule that creates a quota policy to prevent creation of new resources.
Response Body
- Timestamps: All timestamps are in UTC, to avoid time zone issues.
- Code: The function returns a 200 code if the task completes successfully.
- Status: The function returns "Success" as the status if the task completes successfully.
- Message: A JSON message body that includes specific response information for the task.
Example
The following example shows the JSON return data:
```json
{
  "startTime": "2023-02-21T05:08:25.275Z",
  "endTime": "2023-02-21T05:08:28.731Z",
  "runTime": "PT3.456S",
  "code": 200,
  "status": "Success",
  "data": {
    "additionalInformation": {
      "Created Quota Policy OCID": "ocid1.quota.oc1..aaaaa..."
    }
  }
}
```
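The following Python model of the function's task is an added example, not Oracle's pre-built function code. It ties together the SERVICE_FAMILY_NAMES parameter, the event-type check behind the function's 400 error, and the response body shown above. The event payload shape, the event-type string, the sample service family names, the compartment OCIDs and name path, and the "Failure" status on error are all constructed assumptions; the `zero <family> quotas in compartment <path>` form is the Quotas service's own statement syntax. The real `oci.limits.QuotasClient.create_quota` call is replaced by an injected callable so that the example runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed sample values; none of these OCIDs, names or the event-type
# string are taken from the page. The real function reads SERVICE_FAMILY_NAMES
# from its configuration and the target compartment from the event payload.
DEFAULT_SERVICE_FAMILY_NAMES = "compute-core, compute-memory, block-storage, database"
EXPECTED_EVENT_TYPE = "com.oraclecloud.budgets.alertrule.create"  # assumed name of the "AlertRule - Create" event
SAMPLE_EVENT = {
    "eventType": EXPECTED_EVENT_TYPE,
    "data": {"compartmentId": "ocid1.compartment.oc1..dev0000"},
}
# Quota statements name the compartment by its path (Parent:Child), not by OCID,
# so the function needs a lookup; this dict stands in for the Identity service.
SAMPLE_COMPARTMENT_PATHS = {"ocid1.compartment.oc1..dev0000": "Project-A:Dev"}


def parse_service_families(value):
    """Split the comma separated SERVICE_FAMILY_NAMES parameter, dropping blanks and duplicates."""
    families = []
    for name in value.split(","):
        name = name.strip()
        if name and name not in families:
            families.append(name)
    return families


def build_zero_quota_statements(families, compartment_path):
    """One `zero <family> quotas in compartment <path>` statement per service family."""
    return [f"zero {family} quotas in compartment {compartment_path}" for family in families]


def validate_event(event, expected_type=EXPECTED_EVENT_TYPE):
    """Accept only the budget alert event and return its target compartment OCID."""
    if event.get("eventType") != expected_type:
        raise ValueError("Function payload has wrong Event Type")
    compartment_id = event.get("data", {}).get("compartmentId")
    if not compartment_id:
        raise ValueError("Event payload has no compartmentId")
    return compartment_id


def iso_duration(delta):
    """Render a timedelta as an ISO 8601 duration such as PT3.456S."""
    return f"PT{delta.total_seconds():.3f}S"


def iso_utc(moment):
    """Render an aware UTC datetime as 2023-02-21T05:08:25.275Z."""
    return moment.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def handle_budget_alert(event, service_family_names, compartment_paths, create_quota):
    """Run the zero-quota task and shape the response body the page describes.

    create_quota(statements) stands in for oci.limits.QuotasClient.create_quota()
    and returns the new quota OCID; it is injected so the example runs offline.
    """
    start = datetime.now(timezone.utc)
    try:
        compartment_id = validate_event(event)
        path = compartment_paths.get(compartment_id)
        if path is None:
            raise ValueError(f"Cannot resolve compartment {compartment_id}")
        statements = build_zero_quota_statements(parse_service_families(service_family_names), path)
        quota_ocid = create_quota(statements)
        code, status = 200, "Success"
        info = {"Created Quota Policy OCID": quota_ocid}
    except ValueError as exc:
        code, status = 400, "Failure"  # failure status string is an assumption
        info = {"error": str(exc)}
    end = datetime.now(timezone.utc)
    return {
        "startTime": iso_utc(start),
        "endTime": iso_utc(end),
        "runTime": iso_duration(end - start),
        "code": code,
        "status": status,
        "data": {"additionalInformation": info},
    }


if __name__ == "__main__":
    def fake_create_quota(statements):
        print("\n".join(statements))
        return "ocid1.quota.oc1..example"

    print(json.dumps(handle_budget_alert(SAMPLE_EVENT, DEFAULT_SERVICE_FAMILY_NAMES,
                                         SAMPLE_COMPARTMENT_PATHS, fake_create_quota), indent=2))
```

Two points worth keeping in mind when wiring this up. The event rule, not the function, decides which events reach the function, so the event-type check is the last line of defence against an over-broad rule condition zeroing a compartment's quota on an unrelated event; the "read compartments in tenancy" grant in the IAM policy exists because the OCID in the event must be resolved to the compartment path the statement syntax requires. A zero quota only blocks new resource creation; resources already running keep incurring cost, so the budget alert threshold should be set with that in mind.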
Troubleshooting
OCI Functions common status codes
The following table summarizes common OCI Functions errors that you might encounter when working with pre-built functions:
Error Code | Error Message | Action |
---|---|---|
200 | Success | None |
404 | NotAuthorizedOrNotFound | Verify that the required policies are configured (see Running Fn Project CLI commands returns a 404 error). |
444 | Timeout | The connection between the client and OCI Functions was interrupted during function execution (see Invoking a function causes the client to report a timeout, and a 444 error is shown in the function's logs). A retry might solve the issue. Note that most clients have an inner timeout of 60 seconds, so even when the pre-built function timeout is set to 300 seconds, additional configuration might be required. For more information, see Invoking Functions. |
502 | (various) | Most issues return a 502 status code (see Invoking a function returns a Function failed message and a 502 error). A 502 error with the message "error receiving function response" might be resolved by increasing the memory allocation. A 502 might occur occasionally when the function is in some transient state. A retry might solve the issue. |
504 | Container failed to initialize | The application's shape must be compatible with the function (for example, GENERIC_X86). |
To further identify the cause, enable logging features for the pre-built function (see Storing and Viewing Function Logs). For detailed information on troubleshooting a function, see Troubleshooting OCI Functions.
Zero Quota Policy Creator pre-built function status codes
The following table summarizes the errors that you might encounter when working with this pre-built function:
Error Code | Error Message | Action |
---|---|---|
400 | Function payload has wrong Event Type | Verify whether the event type is "AlertRule - Create". |
To further identify the cause, enable logging features for the pre-built function (see Storing and Viewing Function Logs).
Log Analysis Tips
All the pre-built functions provide an option to specify the logging level as a configuration parameter. You can set the logging level to DEBUG to get more information.
Since an application has multiple functions, the pre-built function log entries are identified by the prefix "PBF | <PBF NAME> ".
For example, a log entry for the Media Workflow Job Spawner pre-built function looks similar to the following:
"PBF | Media Workflow Job Spawner | INFO | 2023-02-07T18:06:50.809Z | Fetching details from Events JSON"