# Oracle Cloud (OCI)

> Connect your Oracle Cloud Infrastructure tenancy to RAD Security for comprehensive cloud security monitoring.

## Overview

Integrate your Oracle Cloud Infrastructure (OCI) tenancy with RAD Security to enhance threat detection capabilities and ensure your cloud environments adhere to stringent compliance frameworks.

RAD Security publishes a Terraform module in the Terraform Registry that provisions everything needed to connect your tenancy: an OCI user, a group, a read-only IAM policy at the tenancy scope, an RSA keypair, and registration of the credentials with RAD Security for cloud resource discovery and monitoring.

## Prerequisites

<Check>
  * An OCI tenancy admin (or equivalent) with permissions to create IAM users, groups, and tenancy-scoped policies
  * The OCI Terraform provider configured locally (user OCID, fingerprint, private key, tenancy OCID, region)
  * A RAD Security access key and secret
</Check>

## Connection setup

1. Sign in to RAD Security
2. Go to `Data Sources`
3. Click on `Add provider`
4. Follow the guide for Oracle Cloud (OCI)

## Terraform setup

A Terraform snippet will appear, similar to the example below. Copy it and add it to your existing Terraform code. At minimum you need to provide your tenancy OCID and the OCI home region.

```hcl
terraform {
  required_providers {
    rad-security = {
      source  = "rad-security/rad-security"
      version = "..."
    }
    oci = {
      source  = "oracle/oci"
      version = ">= 5.0.0"
    }
  }
}

provider "oci" {
  # Your OCI provider configuration here
}

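provider "rad-security" {
  # Supply the access key and secret from sensitive Terraform variables
  # instead of committing literal values to version control.
  access_key_id        = "..."
  secret_key           = "..."
  rad_security_api_url = "https://api.rad.security"
}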

module "rad-security-connect" {
  source  = "rad-security/rad-security-connect/oci"
  version = "..."

  tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaa..."
  region       = "us-ashburn-1"
}
```

## Module inputs

| Variable                | Description                                                      | Required | Default                                                                 |
| ----------------------- | ---------------------------------------------------------------- | -------- | ----------------------------------------------------------------------- |
| **`tenancy_ocid`**      | OCI tenancy OCID where IAM resources are created.                | Yes      | —                                                                       |
| **`region`**            | OCI home region used for API calls (for example `us-ashburn-1`). | Yes      | —                                                                       |
| **`user_name`**         | OCI user name created for RAD authentication.                    | No       | `rad-security-connect`                                                  |
| **`group_name`**        | OCI group the user is added to.                                  | No       | `rad-security-connect`                                                  |
| **`policy_name`**       | IAM policy name created at the tenancy scope.                    | No       | `rad-security-connect`                                                  |
| **`policy_statements`** | List of OCI policy statements granting RAD read access.          | No       | `["Allow group rad-security-connect to read all-resources in tenancy"]` |

<Info>
  The canonical inputs and defaults live in the [`rad-security/terraform-oci-rad-security-connect`](https://github.com/rad-security/terraform-oci-rad-security-connect) repository. The published module is available on the [Terraform Registry](https://registry.terraform.io/modules/rad-security/rad-security-connect/oci/latest).
</Info>

## Customizing the policy

By default the module grants RAD read access to all resources in the tenancy via the statement `Allow group rad-security-connect to read all-resources in tenancy`. If you need to scope access more narrowly, pass your own list of OCI policy statements through `policy_statements`. The statements must reference the group created by the module (or whatever you set `group_name` to).

```hcl
module "rad-security-connect" {
  source  = "rad-security/rad-security-connect/oci"
  version = "..."

  tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaa..."
  region       = "us-ashburn-1"

  policy_statements = [
    "Allow group rad-security-connect to read instance-family in tenancy",
    "Allow group rad-security-connect to read virtual-network-family in tenancy",
    "Allow group rad-security-connect to read object-family in tenancy",
  ]
}
```
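The following is an added example, not code from the RAD Security module or its repository. It builds the custom statements from a single group-name local so they cannot drift from `group_name`, and fails the plan if any statement grants more than the OCI verbs `inspect` or `read`. The names `rad_group_name`, `rad_policy_statements` and `rad_policy_guard` are assumptions chosen for illustration, and `terraform_data` requires Terraform 1.4 or later.

```hcl
locals {
  # Hypothetical local: single source of truth for the group name.
  rad_group_name = "rad-security-connect"

  # Hypothetical local: same statements as above, built from the group name.
  rad_policy_statements = [
    "Allow group ${local.rad_group_name} to read instance-family in tenancy",
    "Allow group ${local.rad_group_name} to read virtual-network-family in tenancy",
    "Allow group ${local.rad_group_name} to read object-family in tenancy",
  ]
}

# Guard resource: creates nothing in OCI, it only carries the precondition.
resource "terraform_data" "rad_policy_guard" {
  lifecycle {
    precondition {
      # Each statement must name the RAD group and use only `inspect` or
      # `read`. The OCI verbs `use` and `manage` grant write access and are
      # rejected. The match is case-sensitive and follows this page's casing.
      condition = alltrue([
        for s in local.rad_policy_statements :
        can(regex("^Allow group ${local.rad_group_name} to (inspect|read) ", s))
      ])
      error_message = "RAD policy statements must grant only inspect or read to the RAD group."
    }
  }
}

module "rad-security-connect" {
  source  = "rad-security/rad-security-connect/oci"
  version = "..."

  tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaa..."
  region       = "us-ashburn-1"

  group_name        = local.rad_group_name
  policy_statements = local.rad_policy_statements
}
```

A failed precondition is a plan-time error, so a statement such as `... to manage all-resources in tenancy` stops `terraform plan` before any IAM policy is changed.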

## Multiple OCI tenancies

If you're integrating multiple OCI tenancies with RAD Security, the module needs to be applied once per tenancy. Use distinct `user_name`, `group_name`, and `policy_name` values for each invocation so the IAM resources do not collide.

```hcl
module "rad-security-connect-prod" {
  source  = "rad-security/rad-security-connect/oci"
  version = "..."

  tenancy_ocid = "ocid1.tenancy.oc1..prod..."
  region       = "us-ashburn-1"
  user_name    = "rad-security-connect-prod"
  group_name   = "rad-security-connect-prod"
  policy_name  = "rad-security-connect-prod"
}
```
