Oracle Cloud Infrastructure

Firefly integrates with Oracle Cloud Infrastructure (OCI) to pull information about your cloud resources, such as compute instances, object storage, and databases, directly into your Firefly Inventory. This lets you view, manage, and govern OCI assets, enforce infrastructure-as-code (IaC) practices, and apply policies across your OCI environment for compliance, visibility, and best practices at scale.

Best Practices

  1. For governance, mark production compartments as such during integration. Each integration has a "Mark as Production" checkbox; tick it for your production accounts.

  2. Use a dedicated OCI user for Firefly's access rather than sharing credentials with other applications. The ORM stack creates its own service user (firefly-svc) for this purpose; do not reuse that user's API key elsewhere.

Integration Methods

  • ORM Stack: Creates a service user with read access to your OCI resources and optionally configures audit log streaming via Service Connector Hub.

Using ORM Stack

ORM (Oracle Resource Manager) Stack is the recommended method for OCI integration because deployment is automated through the OCI Console.

Note: The ORM stack should be deployed in your tenancy's home region.

Prerequisites

  • Ensure you have appropriate permissions in OCI to deploy ORM stacks.

  • Access to the OCI Console.

  • Access to the compartments or tenancy you want to integrate.

Setup Procedure

  1. Log in to the OCI tenancy you want to integrate as a user with permission to create ORM stacks and IAM resources.

  2. In Firefly, go to Settings > Integrations.

  3. Select Add New > OCI.

  4. Enter your OCI Tenancy details.

  5. Click Generate API Key to create a Firefly API key. Copy the key and paste it into the OCI Stack configuration. This key authenticates the stack to Firefly; it is separate from the OCI API key pair the stack creates for the service user.

  6. (Optional) Expand Advanced Options to configure:

    • Domain ID — Specify the identity domain for user and group management.

    • Compartment ID — Specify the compartment for Firefly resources. If left empty, a "Firefly" compartment is auto-created.

    • Service Connector Management — Enable Firefly to manage audit log streaming via Service Connector Hub.

  7. (Optional) Select Mark as Production to flag this account as production in Firefly. You can edit this at any time in the Integrations window.

  8. (Optional) Leave Subscribed regions selected to scan all subscribed regions, or clear it to choose specific regions.

  9. Click Deploy to OCI to open the ORM Stack in the OCI Console, and follow the instructions to deploy the stack.

  10. Complete the stack deployment in the OCI Console.

  11. Firefly waits for the stack to initiate the connection and then completes the integration.

Created Resources

The ORM stack creates the following OCI resources:

  • IAM User (firefly-svc) — Service user for Firefly authentication.

  • IAM Group (firefly-svc-admin) — Group that holds the Firefly service user; permissions are granted to this group by firefly-svc-policy.

  • IAM User Group Membership — Adds firefly-svc to firefly-svc-admin.

  • API Key — API key pair for the Firefly service user.

  • IAM Dynamic Group (firefly-dynamic-group) — For service connector permissions.

  • IAM Policy (firefly-svc-policy) — Permissions for Firefly access (see IAM Policies below).

  • Service Connector Hub (firefly-audit-connector) — Routes audit logs to Firefly's stream (optional).

IAM Policies

The integration creates an IAM policy (firefly-svc-policy) with the following permissions:

  • Global Read Access — Read-only, tenancy-wide access that lets Firefly discover and inventory all OCI resources in your tenancy.

  • Service Connector Management — Allows creation and management of Service Connector Hub resources, limited to the Firefly compartment.

  • Stream Push Permissions — Allows audit logs to be pushed to Firefly's managed streams for processing and analysis.
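Because the policy grants tenancy-wide read plus write (manage/use) rights on a narrow set of resources, it is worth confirming that the deployed statements do not exceed what this page documents. The script below is an added example, not Firefly's or Oracle's code: it parses OCI policy statements (Allow subject to verb resource-type in scope) and flags any statement whose verb, resource type, or scope is broader than the three bullets above. The mapping of those bullets onto the OCI resource types all-resources, serviceconnectors, and stream-push is an assumption; the sample statements are constructed for the example and are not the stack's actual output.

```python
"""Audit OCI IAM policy statements against the documented Firefly scope.

Added example; not Firefly's or Oracle's code. The statements below are
constructed samples, not the ORM stack's real output.
"""
import re

# OCI verbs in increasing order of power.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Simplified OCI policy grammar:
#   Allow <group|dynamic-group|service NAME | any-user>
#       to <verb> <resource-type> in <tenancy | compartment [id] X> [where ...]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<kind>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<name>\S+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment(?:\s+id)?\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

# The page's three bullets, translated into OCI resource types (assumption:
# the stack's real statements may name these differently). Tuple fields:
# (subject kind, subject name, highest verb allowed, resource type,
#  expected scope kind; None = any scope, since the stream-push target is
#  Firefly's stream and the page does not state where it lives).
EXPECTED = [
    ("group", "firefly-svc-admin", "read", "all-resources", "tenancy"),
    ("group", "firefly-svc-admin", "manage", "serviceconnectors", "compartment"),
    ("dynamic-group", "firefly-dynamic-group", "use", "stream-push", None),
]


def parse_statement(stmt):
    """Return the statement's parts as a dict, or None if it does not parse."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        return None
    scope = m.group("scope").lower()
    return {
        "kind": m.group("kind").lower(),
        "name": (m.group("name") or "").lower(),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope_kind": "tenancy" if scope == "tenancy" else "compartment",
        "scope": scope,
        "cond": m.group("cond"),
    }


def audit(statements):
    """Return (statement, reason) for every statement outside the documented scope."""
    findings = []
    for stmt in statements:
        p = parse_statement(stmt)
        if p is None:
            findings.append((stmt, "could not parse; review manually"))
            continue
        matches = [e for e in EXPECTED
                   if e[0] == p["kind"] and e[1] == p["name"] and e[3] == p["resource"]]
        if not matches:
            findings.append((stmt, "subject/resource pair not in documented scope"))
            continue
        _, _, max_verb, _, scope_kind = matches[0]
        if VERB_RANK[p["verb"]] > VERB_RANK[max_verb]:
            findings.append((stmt, f"verb '{p['verb']}' exceeds documented '{max_verb}'"))
        elif scope_kind == "compartment" and p["scope_kind"] == "tenancy":
            findings.append((stmt, "tenancy-wide scope where the page documents the Firefly compartment"))
    return findings


# Constructed sample: three in-scope statements plus two over-scoped ones
# that a careless edit might introduce.
SAMPLE_POLICY = [
    "Allow group firefly-svc-admin to read all-resources in tenancy",
    "Allow group firefly-svc-admin to manage serviceconnectors in compartment Firefly",
    "Allow dynamic-group firefly-dynamic-group to use stream-push in compartment Firefly",
    "Allow group firefly-svc-admin to manage all-resources in tenancy",
    "Allow group firefly-svc-admin to manage serviceconnectors in tenancy",
]

if __name__ == "__main__":
    for stmt, reason in audit(SAMPLE_POLICY):
        print(f"FLAGGED: {stmt}\n    {reason}")
```

Paste the statements shown for firefly-svc-policy in the OCI Console into SAMPLE_POLICY (or read them from a file) and run the script after deployment and after any stack update; an empty result means nothing exceeds the scope described above, while any flagged line deserves a look before the integration goes live in a production tenancy.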

Compartment Management

If no compartment is specified during deployment, the stack automatically creates a new compartment named "Firefly" in your tenancy root for application resources (service connectors, audit log configurations).

Note: Identity resources (users, groups, policies, dynamic groups) are always created in the tenancy root, regardless of the compartment setting. Users, groups, and dynamic groups are tenancy-level identity resources in OCI, and a policy whose statements grant access "in tenancy" must be attached at the root.

Event-Driven Integration

The integration optionally configures audit log streaming via OCI Service Connector Hub for real-time event-driven scanning. When enabled, service connectors capture audit events across multiple categories—including compute, networking, storage, IAM, and database operations—and stream them to Firefly for analysis and monitoring.

Service connectors can be deployed across multiple OCI regions. The target stream is automatically selected based on your OCI region through Firefly's API.

OCI Discovery Status

To scan your integration for changes and discover new assets on-demand:

Procedure

  1. Go to Settings > Integrations > OCI.

  2. Find the integration you want to scan.

  3. For asset changes, on the integration menu, select Scan Assets.

  4. For IaC stack changes, on the integration menu, select Scan Stacks.

  5. View the changes in the Inventory and/or IaC Explorer after a few minutes.
