Oracle Cloud Managed Cloud Self Service Platform Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Application Development

1. Introduction

What this service is

In Oracle Cloud, Managed Cloud Self Service Platform is best understood as a self-service delivery model (and, in some Oracle-managed engagements, a customer-facing portal experience) that lets application teams request and manage approved cloud resources through standardized, governed automation—without needing deep administrator access.

One-paragraph simple explanation

A Managed Cloud Self Service Platform gives developers a “button-click” way to provision what they’re allowed to use (for example, a pre-approved storage bucket, a network, a database schema, or a Kubernetes namespace), while the platform team enforces security, naming, tagging, and cost controls behind the scenes.

One-paragraph technical explanation

In practice on Oracle Cloud Infrastructure (OCI), you typically implement a Managed Cloud Self Service Platform by combining OCI Identity and Access Management (IAM), Compartments, Policies, Tagging, and automation services such as OCI Resource Manager (Terraform), optionally fronted by a developer portal (for example, a simple internal web UI, Oracle APEX, or a service desk integration). Requests flow through authenticated APIs/console actions into controlled automation jobs that create resources in the right compartment, with logs, audit trails, and cost attribution.

What problem it solves

Reduces provisioning delays (days → minutes) by making common infrastructure and application components self-service.
Improves governance by enforcing consistent policies, tags, naming, encryption, and network placement.
Limits risk by restricting developers to approved “golden paths” instead of broad admin permissions.
Makes costs visible with standardized tagging and compartment-based chargeback/showback.

Important scope note (verify in official docs/your Oracle contract): “Managed Cloud Self Service Platform” is not commonly listed as a single standalone OCI service in the public OCI service catalog in the same way as “OCI Functions” or “OCI Resource Manager.” The term is frequently used as a solution pattern (and sometimes a managed-services portal capability). This tutorial therefore focuses on a real, executable OCI implementation of a Managed Cloud Self Service Platform using current, well-documented OCI building blocks. If your organization has an Oracle Managed Cloud contract that includes a portal named exactly “Managed Cloud Self Service Platform,” validate the exact features and workflows in your Oracle-provided documentation.

2. What is Managed Cloud Self Service Platform?

Official purpose (practical OCI interpretation)

A Managed Cloud Self Service Platform on Oracle Cloud is an approach to deliver standardized, approved cloud capabilities through self-service, while keeping the platform secure and operable at scale.

Because the phrase may be used differently across organizations and Oracle-managed engagements, the safest, OCI-aligned definition is:

Self-service for developers and teams (request/provision/update within guardrails)
Managed by a platform team (governance, templates, security, operations)
Cloud resources on OCI (compute, networking, storage, databases, DevOps)
Platform experience (portal, API, and/or controlled console workflows)

Core capabilities (what a proper platform provides)

A well-designed Managed Cloud Self Service Platform typically includes:

Catalog of approved templates (for example, Terraform stacks) for common components
Role-based access (who can provision what, where)
Guardrails (compartment boundaries, quotas, tagging policies, encryption, network constraints)
Auditing and traceability (who requested what, when, and what changed)
Standardized operations (logging, monitoring, incident hooks, runbooks)

Major components (OCI services commonly used)

On Oracle Cloud, these are the most common building blocks:

OCI IAM: users, groups, dynamic groups, policies
Compartments: isolation boundaries and administrative domains
OCI Resource Manager: Terraform-based provisioning via stacks and jobs
Docs: https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm
Tagging: defined tags for cost allocation and governance
Docs: https://docs.oracle.com/en-us/iaas/Content/Tagging/home.htm
Audit / Logging / Monitoring: operational visibility
Audit docs: https://docs.oracle.com/en-us/iaas/Content/Audit/home.htm
Logging docs: https://docs.oracle.com/en-us/iaas/Content/Logging/home.htm
Monitoring docs: https://docs.oracle.com/en-us/iaas/Content/Monitoring/home.htm
Optional portal/API layer: OCI API Gateway + OCI Functions, or Oracle APEX, or an internal portal
Optional governance: Cloud Guard, Security Zones, Budgets, Quotas
Cloud Guard: https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm

Service type

Not a single “one-click” OCI product SKU in many tenancies; rather a platform pattern implemented using OCI services.
In managed-service contexts, Oracle may provide a customer-facing self-service experience—verify in official docs/your contract.

Scope: regional/global/account-scoped (as applicable)

Most OCI building blocks are regional (for example, Object Storage is region-based; Resource Manager stacks and jobs run in a region; Monitoring/Logging are region services with tenancy-level views).
IAM, compartments, and policies are tenancy-scoped concepts (configured once and applied across regions).

How it fits into the Oracle Cloud ecosystem

This platform pattern sits in Application Development because it directly improves how developers build and ship software:

Developers consume standard environments quickly (dev/test/prod parity).
Platform teams publish golden templates and enforce guardrails.
Operations teams get repeatable deployments, better auditability, and consistent monitoring/logging integration.

3. Why use Managed Cloud Self Service Platform?

Business reasons

Faster time-to-market: fewer manual tickets and approvals for routine infrastructure.
Lower operational cost: reduce repetitive platform engineering work by standardizing templates.
Better cost accountability: enforce tags and compartment strategy for chargeback/showback.
Consistency: standard templates reduce drift and “snowflake” deployments.

Technical reasons

Repeatability with Terraform-backed provisioning (OCI Resource Manager).
Safer changes through versioned templates and controlled execution.
Better architecture hygiene: standard network patterns, encryption defaults, logging defaults.
Composable building blocks: the platform can evolve from “simple provisioning” to full platform engineering (IDP).

Operational reasons

Reduced configuration drift: re-apply templates or detect drift via IaC practices.
Auditability: OCI Audit events + job logs show who did what.
Standardized tagging: easier inventory, cost reporting, and automation.

Security/compliance reasons

Least privilege: developers can provision only what they’re allowed to.
Separation of duties: platform team owns templates and guardrails; dev teams self-serve within boundaries.
Policy-driven governance: compartments, quotas, and (optionally) security zones.

Scalability/performance reasons

Scales across teams via compartment structure and reusable modules.
Avoids bottlenecks: fewer human approvals for pre-approved components.

When teams should choose it

Choose a Managed Cloud Self Service Platform approach when: – Multiple teams need repeatable environments and shared patterns. – You want governed self-service rather than ad-hoc console clicks. – You need cost controls and audit trails by default. – You’re implementing an internal developer platform (IDP) on OCI.

When teams should not choose it

Avoid (or postpone) a full platform approach when: – You have only one small team and low change frequency (simple console usage may be enough). – Requirements are highly experimental and templates would churn weekly. – You can’t commit to template ownership (no platform owners → templates rot). – You need a vendor-provided portal with guaranteed features—because the “Managed Cloud Self Service Platform” label may not map to a single OCI product. In that case, confirm what Oracle provides in your managed-service agreement.

4. Where is Managed Cloud Self Service Platform used?

Industries

Common anywhere governance and speed matter: – Financial services and fintech (tight controls + rapid delivery) – Healthcare (auditability, segmentation) – Retail/e-commerce (frequent releases, seasonal scaling) – SaaS providers (multi-environment provisioning at scale) – Public sector (policy-heavy deployments)

Team types

Platform engineering teams building an internal developer platform
DevOps/SRE teams standardizing delivery
Security engineering teams enforcing guardrails
Application teams consuming pre-approved components
Shared services / Cloud Center of Excellence (CCoE)

Workloads

Microservices platforms (Kubernetes, API gateways, service meshes)
Web apps with standard network + database patterns
Data services (object storage buckets, data pipelines)
CI/CD and environment provisioning for dev/test/prod

Architectures

Multi-compartment landing zones
Hub-and-spoke networking
Multi-environment (dev/test/stage/prod) with standardized templates
Regulated environments with strict isolation

Real-world deployment contexts

Production: controlled provisioning, change approvals (possibly via pull requests), strict auditing
Dev/Test: faster self-service, lower friction, tighter cost controls (budgets/quotas), easier cleanup
Sandboxes: rapid provisioning with strong guardrails and automatic expiry (implemented via automation)

5. Top Use Cases and Scenarios

Below are realistic OCI-aligned scenarios for a Managed Cloud Self Service Platform approach.

1) Self-service provisioning of standardized Object Storage buckets

Problem: Teams create buckets inconsistently (wrong access type, missing tags, wrong retention).
Why it fits: A Terraform stack enforces naming/tagging and safe defaults.
Example: A dev team requests a bucket for build artifacts; platform stack creates it with defined tags and private access.

2) Self-service “project environment” bootstrap (compartment + policies + tags)

Problem: New projects wait on admins to create compartments and policies.
Why it fits: A controlled template can create project scaffolding.
Example: A new app team triggers a “New Project” workflow that creates proj-x-dev/test/prod compartments and baseline policies.

3) Self-service network patterns (spoke VCN + subnets + NSGs)

Problem: Teams create insecure networks or duplicate patterns.
Why it fits: Central templates enforce CIDR planning, NSGs, and route tables.
Example: A template provisions a spoke VCN that connects to a shared hub via DRG (verify your network architecture).

4) Self-service database provisioning with guardrails

Problem: DB requests create delays and inconsistent security settings.
Why it fits: Templates apply encryption, backups, and private endpoints.
Example: A team provisions a dev database with pre-approved shape and backup policies.

5) Self-service Kubernetes namespace + policies (platform on OKE)

Problem: Cluster admins become a bottleneck for namespace and RBAC setup.
Why it fits: Automation can create namespace, RBAC bindings, and resource quotas.
Example: New microservice team gets a namespace with CPU/memory quotas and logging enabled.

6) Self-service CI/CD pipeline creation for new repos

Problem: Pipeline setup varies and security scanning is inconsistent.
Why it fits: Standard pipeline templates enforce scanning gates.
Example: Every repo gets the same build/test/deploy pipeline with artifact signing steps (where supported).

7) Self-service secrets creation and rotation workflow

Problem: Secrets get stored in code or shared insecurely.
Why it fits: Platform workflow uses OCI Vault with access controls.
Example: Developers request a secret; platform grants scoped access and sets rotation reminders.

8) Self-service observability onboarding

Problem: Teams forget logs/metrics; troubleshooting becomes hard.
Why it fits: Standard logging/metrics policies and dashboards.
Example: A template configures Logging, alarms, and Notifications topics for a service.

9) Self-service sandbox environments with automatic cleanup

Problem: Sandboxes waste cost and are left running.
Why it fits: Budgets, quotas, tags, and scheduled teardown automation.
Example: A “24-hour sandbox” workflow provisions resources and tags them for auto-destroy.

10) Self-service compliance-ready baseline (secure defaults)

Problem: Teams accidentally deploy public endpoints or skip encryption.
Why it fits: Templates enforce private subnets, NSGs, encryption, and audit.
Example: A regulated workload baseline deploys with minimal exposure and mandatory tags.

6. Core Features

Because “Managed Cloud Self Service Platform” is commonly implemented as a platform pattern on Oracle Cloud, the “features” below describe what you can deliver using OCI-native services. Always verify exact service capabilities in official docs for your region and tenancy.

1) Self-service catalog of approved templates (IaC)

What it does: Publishes reusable Terraform stacks/modules for common components.
Why it matters: Standardization reduces risk and accelerates delivery.
Practical benefit: Teams provision consistent resources without deep OCI expertise.
Caveats: Template lifecycle management is work—versioning, testing, and deprecation must be planned.

2) Role-based access (RBAC) via OCI IAM

What it does: Controls who can run which stacks and manage which resources.
Why it matters: Prevents over-privileged access and reduces blast radius.
Practical benefit: Developers get self-service without being admins.
Caveats: IAM policy design can be complex; test policies carefully.

3) Compartment-based isolation and delegation

What it does: Uses compartments as boundaries for teams/environments.
Why it matters: Clear isolation supports governance and cost reporting.
Practical benefit: Easier to apply policies and budgets per environment.
Caveats: Poor compartment design becomes hard to fix later.

4) Guardrails with quotas, budgets, and tagging

What it does: Restricts consumption and enforces metadata.
Why it matters: Controls cost and improves auditability.
Practical benefit: Prevents runaway spend and helps ownership tracking.
Caveats: Not all guardrails prevent every cost type (for example, data egress may still surprise you).

5) Standard naming and tagging enforcement

What it does: Ensures consistent resource names and defined tags.
Why it matters: Operational clarity and cost allocation.
Practical benefit: Faster troubleshooting and reliable reporting.
Caveats: Enforcement depends on policy and process; some teams may resist until automation is frictionless.

6) Auditing and traceability

What it does: Tracks actions via OCI Audit and automation logs.
Why it matters: Compliance and incident investigation.
Practical benefit: Clear “who changed what” history.
Caveats: You must retain logs appropriately and centralize access.

7) Operational visibility (logging/metrics/alarms)

What it does: Integrates resources with Logging and Monitoring.
Why it matters: Self-service without observability creates operational debt.
Practical benefit: Faster detection and response.
Caveats: Logging volume can drive cost; tune and retain responsibly.

8) Optional API-driven provisioning (portal + API)

What it does: Fronts automation behind a portal/API for a better developer experience.
Why it matters: Reduces reliance on console clicks and simplifies workflows.
Practical benefit: Can integrate with service desk and GitOps.
Caveats: You must secure the API layer and manage credentials properly (prefer dynamic groups and least privilege).

9) Separation of duties and controlled change

What it does: Platform team owns templates; dev teams consume them.
Why it matters: Improves security and reduces misconfiguration.
Practical benefit: Predictable deployments.
Caveats: Requires clear ownership and support model (SLOs for platform).

7. Architecture and How It Works

High-level architecture

A typical OCI-based Managed Cloud Self Service Platform has these layers:

Identity & governance: IAM users/groups, compartments, policies, tags, quotas, budgets.
Self-service interface: OCI Console (Resource Manager), or a portal/API (optional).
Automation engine: OCI Resource Manager (Terraform stacks/jobs), optionally OCI DevOps pipelines.
Target resources: Object Storage, Compute, Networking, OKE, Database services, etc.
Observability & security: Audit, Logging, Monitoring, Cloud Guard, Notifications.

Request / data / control flow

Request: A developer requests a resource (for example, “create a project bucket”).
Authorization: IAM checks if the user/group can run the automation job in the compartment.
Execution: OCI Resource Manager runs a Terraform plan/apply job.
Provisioning: OCI APIs create/update resources.
Evidence: Audit logs capture API calls; Resource Manager stores job logs; tags show ownership and cost center.

Integrations with related services (common)

OCI Resource Manager + OCI IAM (policies for stacks/jobs and target resources)
OCI Logging (capture job logs, service logs)
OCI Monitoring/Alarms + Notifications (operational alerts)
OCI Vault (store secrets for apps provisioned by templates)
OCI DevOps (optional: CI/CD, artifact repos, deployment pipelines)

Dependency services

IAM and compartments (governance)
Resource Manager (automation)
Target service APIs (Object Storage, Networking, etc.)

Security/authentication model

End users authenticate to OCI using IAM (federated or local).
Policies grant permission to manage Resource Manager stacks/jobs and to create resources in target compartments.
For advanced models, you may use:
Dynamic groups + instance principals/resource principals (for automation components like Functions)
Verify the correct approach in official OCI docs for the service you use.

Networking model

Resource Manager and Object Storage are OCI services; no custom VCN is required for the basic lab in this article.
For private deployments (portal inside a VCN), you’ll design subnets/NSGs and private endpoints where supported (service-specific).

Monitoring/logging/governance considerations

Enable and review OCI Audit events for provisioning actions.
Store automation logs (Resource Manager job logs) for troubleshooting and compliance.
Enforce defined tags for cost and ownership.
Use budgets/quotas to avoid runaway usage.

Simple architecture diagram (Mermaid)

flowchart LR
  Dev[Developer] -->|Self-service request| OCIConsole[OCI Console<br/>Resource Manager]
  OCIConsole -->|IAM authz| IAM[OCI IAM<br/>Policies/Groups]
  OCIConsole --> RM[OCI Resource Manager<br/>Terraform Stack/Job]
  RM -->|OCI API calls| OS[OCI Object Storage<br/>Bucket]
  RM --> Audit[OCI Audit]
  RM --> Logs[Job Logs]

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph Users
    DevTeam[Dev Teams]
    PlatTeam[Platform Team]
    SecTeam[Security/Compliance]
  end

  subgraph Governance["Tenancy Governance (OCI)"]
    IAM2[IAM: Groups/Policies/Federation]
    Comp[Compartments: org/app/env]
    Tags[Defined Tags + Tag Defaults]
    Quotas[Quotas/Budgets]
    Audit2[Audit]
    CloudGuard[Cloud Guard / Security Zones<br/>(optional)]
  end

  subgraph SelfService["Self-Service Layer"]
    Portal[Developer Portal<br/>(APEX/internal UI/service desk)<br/>(optional)]
    APIGW[API Gateway (optional)]
    Func[OCI Functions (optional)]
    RM2[OCI Resource Manager<br/>Stacks + Jobs]
    Repo[Template Repo<br/>(Git)]
  end

  subgraph LandingZone["Workload Landing Zone"]
    OS2[Object Storage]
    Net[VCN/Subnets/NSGs]
    OKE[OKE Cluster]
    DB[Database Services]
    Apps[App Resources]
    Obs[Logging/Monitoring/Alarms]
    Vault[OCI Vault]
    Notif[Notifications]
  end

  DevTeam --> Portal
  Portal --> APIGW --> Func --> RM2
  PlatTeam --> Repo --> RM2
  RM2 --> OS2
  RM2 --> Net
  RM2 --> OKE
  RM2 --> DB
  RM2 --> Apps
  RM2 --> Obs
  RM2 --> Vault
  Obs --> Notif

  IAM2 --> Portal
  IAM2 --> RM2
  Comp --> RM2
  Tags --> RM2
  Quotas --> RM2
  RM2 --> Audit2
  SecTeam --> Audit2
  SecTeam --> CloudGuard

8. Prerequisites

Account / tenancy requirements

An Oracle Cloud tenancy with access to OCI.
Ability to create or use:
a compartment for the lab
IAM groups and policies
OCI Resource Manager stacks/jobs
Object Storage buckets

Permissions / IAM roles

You need permission to: – Create/manage compartments (or have one provided) – Create/manage groups and policies – Use OCI Resource Manager (stacks and jobs) – Create Object Storage buckets in the target compartment

If you cannot get tenancy-admin permissions, ask your admin to: – Create the compartment and policies on your behalf – Add you to a group that can run Resource Manager jobs in a specific compartment

Billing requirements

Object Storage and Resource Manager-based provisioning is typically low cost, but still requires billing to be enabled for paid usage.
Free tier availability and limits vary—verify your tenancy type and region.

Tools (recommended)

OCI Console access
OCI CLI (optional but helpful for validation)
Docs: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
Git (optional, for storing Terraform code)

Region availability

OCI Resource Manager and Object Storage are broadly available, but always verify service availability in your region in official OCI documentation.

Quotas / limits

Your tenancy may have:
compartment quotas
Object Storage limits
Resource Manager job concurrency limits
Verify in official docs and your tenancy limits pages.

Prerequisite services

OCI IAM
OCI Resource Manager
OCI Object Storage

9. Pricing / Cost

Current pricing model (accurate approach)

A Managed Cloud Self Service Platform on Oracle Cloud is usually not priced as a single line item because it is implemented using underlying OCI services. Costs depend on what your self-service templates provision.

Key point: OCI charges are usage-based per service. Your “platform” cost is the sum of: – Provisioned resources (storage, compute, databases, load balancers, etc.) – Observability (log ingestion/storage, monitoring metrics—service-dependent) – Network egress and inter-region traffic (often the biggest surprise)

Pricing dimensions (typical)

Object Storage: storage capacity, requests, data retrieval (depending on tier), and egress
Compute: OCPU and memory hours, boot volume, block volume
Networking: load balancer hours/throughput, NAT gateways, egress
Logging: ingestion and retention (service-specific—verify)
Resource Manager: often no separate charge for basic use, but verify in current official pricing/documentation for your region/tenancy

Free tier (if applicable)

Oracle Cloud offers free tier options for certain services and limits. Free tier details vary by region and program—verify here: – Pricing overview: https://www.oracle.com/cloud/pricing/ – Cost estimator: https://www.oracle.com/cloud/costestimator.html

Cost drivers for a self-service platform

Direct drivers: – Number of environments provisioned (dev/test/prod + ephemeral sandboxes) – High-cost managed services included in templates (databases, load balancers, OKE nodes) – Always-on resources vs. scheduled/ephemeral

Indirect/hidden drivers: – Data egress to the public internet or other clouds – Log volume and retention – Backups and snapshots – Overprovisioned shapes chosen in templates – Orphaned resources (created by self-service but not cleaned up)

Network / data transfer implications

Self-service often increases the number of deployed components, which can increase:
outbound internet traffic (egress)
cross-region replication traffic
load balancer data processing
Make cost ownership visible via defined tags and budgets.

How to optimize cost

Use defined tags like CostCenter, Owner, Environment, Application.
Enforce budgets and quotas per compartment.
Provide smaller “dev” templates with lower shapes and shorter retention.
Add auto-expiry patterns (tag + scheduled cleanup).
Standardize logging levels and retention to avoid runaway log costs.

Example low-cost starter estimate (no fabricated numbers)

For the lab in this article (provisioning a private Object Storage bucket via Terraform): – Likely costs are dominated by Object Storage capacity and any data egress. – If you store only a few MB and do not download externally, cost is typically minimal. – Exact pricing depends on region and storage tier—use the OCI cost estimator: https://www.oracle.com/cloud/costestimator.html

Example production cost considerations

In production, a Managed Cloud Self Service Platform often provisions: – multiple VCNs and load balancers – OKE clusters and worker nodes – database instances – logging/monitoring and backups

In that scenario, the platform team should: – publish cost profiles per template (small/medium/large) – implement compartment budgets with alerts – require mandatory tags for chargeback – track cost anomalies (Cloud Guard can help with security posture; cost anomaly tooling may require additional processes)

Official pricing references (start here): – OCI pricing landing: https://www.oracle.com/cloud/pricing/ – OCI price list: https://www.oracle.com/cloud/price-list/ – OCI cost estimator: https://www.oracle.com/cloud/costestimator.html

10. Step-by-Step Hands-On Tutorial

This lab builds a small but real Managed Cloud Self Service Platform capability on Oracle Cloud: self-service provisioning of a standardized Object Storage bucket using OCI Resource Manager (Terraform) with governance via compartments, tags, and IAM policies.

Objective

Enable a developer group to self-serve an approved “bucket template” safely, without granting broad administrative access—demonstrating the core pattern behind a Managed Cloud Self Service Platform on Oracle Cloud.

Lab Overview

You will: 1. Create a compartment for self-service resources. 2. Create an IAM group for developers. 3. Create IAM policies: – allow developers to run Resource Manager stacks/jobs in that compartment – allow Resource Manager service to manage resources in that compartment (required for automation in many setups—verify your policy requirements in your tenancy) 4. Create a Resource Manager stack with Terraform code that creates a private bucket with standard tags. 5. Run an Apply job with a chosen bucket name. 6. Validate the bucket exists and is tagged. 7. Clean up (Destroy job and remove resources).

Expected result: A developer can provision a compliant bucket through the approved template, and the platform has an audit trail (Resource Manager job logs + OCI Audit).

Step 1: Create a compartment for self-service

Console path: OCI Console → Identity & Security → Compartments → Create Compartment

Create: – Name: appdev-selfservice – Description: Self-service resources for application development labs – Parent: your root compartment (or an existing org compartment)

Expected outcome – A compartment exists to isolate self-service resources.

Verification – You can see appdev-selfservice in the compartment picker.

Step 2: Create defined tags (recommended) and tag namespace

Tags are essential for Managed Cloud Self Service Platform governance.

Console path: OCI Console → Governance & Administration → Tagging → Tag Namespaces

Create a tag namespace (example): – Namespace: Platform – Description: Platform governance tags

Create defined tags under Platform: – Owner (string) – CostCenter (string) – Environment (string: dev/test/prod) – Application (string)

Expected outcome – Defined tags exist for governance and cost allocation.

Verification – Tags appear under your namespace.

If your organization already has tagging standards, use them instead.

Step 3: Create an IAM group for self-service developers

Console path: OCI Console → Identity & Security → Identity → Groups → Create Group

Create: – Name: dev-selfservice – Description: Developers allowed to run approved self-service stacks

Add your user to the group: – Identity → Users → (your user) → Groups → Add User to Group → dev-selfservice

Expected outcome – Your user is a member of dev-selfservice.

Verification – Your user’s group list includes dev-selfservice.

Step 4: Create IAM policies for Resource Manager self-service

Policies are where most self-service platforms succeed or fail. Start minimal and iterate.

Console path: OCI Console → Identity & Security → Identity → Policies → Create Policy
Create the policy in the root compartment or the appropriate parent compartment (depending on your governance model).

Policy name: dev-selfservice-resource-manager

Add statements (adjust compartment name as needed):

Allow group dev-selfservice to manage orm-stacks in compartment appdev-selfservice
Allow group dev-selfservice to manage orm-jobs in compartment appdev-selfservice
Allow group dev-selfservice to read buckets in compartment appdev-selfservice

Now grant OCI Resource Manager the ability to create resources. In many OCI designs, you add a policy for the service principal. Use the official Resource Manager documentation for the exact policy pattern supported in your tenancy; a commonly used form is:

Allow service resource-manager to manage all-resources in compartment appdev-selfservice

Expected outcome – Developers can create/run stacks/jobs in the self-service compartment. – Resource Manager can provision resources into the compartment (if required by your configuration).

Verification – Your user can open Resource Manager without authorization errors.

Caveat: Some organizations restrict manage all-resources. Prefer least privilege (for example, only Object Storage resources) where possible—verify the most current Resource Manager policy guidance.

Step 5: Create a Terraform configuration for the “bucket template”

Create a local folder, for example oci-mcssp-bucket-template/, and add main.tf:

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 5.0.0"
    }
  }
}

variable "compartment_ocid" {
  description = "Target compartment OCID where the bucket will be created."
  type        = string
}

variable "bucket_name" {
  description = "Bucket name (must be unique within the Object Storage namespace and follow OCI naming rules)."
  type        = string
}

variable "owner" {
  description = "Owner tag value (e.g., user or team email)."
  type        = string
}

variable "cost_center" {
  description = "Cost center tag value."
  type        = string
}

variable "environment" {
  description = "Environment tag value (dev/test/prod)."
  type        = string
  default     = "dev"
}

variable "application" {
  description = "Application tag value."
  type        = string
  default     = "selfservice-lab"
}

data "oci_objectstorage_namespace" "ns" {
  compartment_id = var.compartment_ocid
}

resource "oci_objectstorage_bucket" "bucket" {
  compartment_id = var.compartment_ocid
  namespace      = data.oci_objectstorage_namespace.ns.namespace
  name           = var.bucket_name

  access_type = "NoPublicAccess"

  # Use tag keys that match your defined tag namespace and tag names.
  # If your tenancy doesn't enforce defined tags, you can still use freeform_tags.
  defined_tags = {
    "Platform.Owner"       = var.owner
    "Platform.CostCenter"  = var.cost_center
    "Platform.Environment" = var.environment
    "Platform.Application" = var.application
  }
}

output "bucket_name" {
  value = oci_objectstorage_bucket.bucket.name
}

Expected outcome – You have a reusable Terraform template that enforces: – private bucket (NoPublicAccess) – consistent defined tags

Verification – The Terraform code is syntactically valid. – Tag keys match your defined tags exactly (namespace.tag).

If defined tags are not configured or not required in your tenancy, replace defined_tags with freeform_tags. Prefer defined tags for governance.

Step 6: Create an OCI Resource Manager stack

Console path: OCI Console → Developer Services → Resource Manager → Stacks → Create Stack

Choose: – Terraform configuration source: “Zip file upload” (simple for labs) – Zip your template folder contents (ensure main.tf is at the root of the zip)

Stack settings: – Name: mcssp-bucket-stack – Compartment: appdev-selfservice – Terraform version: choose a supported version shown in the console – Variables: – compartment_ocid: OCID of appdev-selfservice – bucket_name: (leave for job time if you want per-run customization; otherwise set now) – owner, cost_center, etc.

Expected outcome – A stack exists in Resource Manager.

Verification – You can see the stack in the Stacks list. – Stack details show your variables.

Step 7: Run a Plan job (recommended)

From the stack: – Click Plan

Provide variables if prompted (example): – bucket_name: mcssp-lab-bucket-<unique-suffix> – owner: your.name@example.com – cost_center: CC-1001 – environment: dev – application: mcssp-lab

Expected outcome – The Plan job completes successfully and shows the resources that will be created.

Verification – Job status: Succeeded – Plan output includes creation of oci_objectstorage_bucket.bucket

Step 8: Run an Apply job to provision the bucket

From the stack: – Click Apply

Use the same variables as Plan.

Expected outcome – An Object Storage bucket is created in appdev-selfservice.

Verification (Console) – OCI Console → Storage → Object Storage & Archive Storage → Buckets – Compartment: appdev-selfservice – The bucket appears with expected name and tags.

Verification (CLI, optional) If you have OCI CLI configured:

oci os bucket list --compartment-id <COMPARTMENT_OCID>

Then get details:

oci os bucket get --namespace-name <NAMESPACE> --bucket-name <BUCKET_NAME>

Namespace can be retrieved from the Console (Object Storage) or by CLI: oci os ns get

Validation

You have validated a core Managed Cloud Self Service Platform pattern on Oracle Cloud when:

A developer (non-admin) can run an approved template (stack job).
The created resource:
is in the correct compartment
has correct tags
follows security defaults (no public access)
There is a traceable record:
Resource Manager job history and logs
OCI Audit events for resource creation

Troubleshooting

Common issues and fixes:

1) Authorization error when creating/running a stack – Symptom: “NotAuthorizedOrNotFound” or permission denied. – Fix: – Ensure your user is in dev-selfservice. – Verify policy statements for orm-stacks and orm-jobs. – Confirm you selected the correct compartment.

2) Resource Manager cannot create the bucket – Symptom: Apply fails during bucket creation. – Fix: – Verify Resource Manager service policies (service principal) are correct for your tenancy. – Ensure the compartment policy allows the right permissions for Object Storage.

3) Defined tags error – Symptom: Apply fails with tag validation errors. – Fix: – Confirm the tag namespace and tag names exist and match exactly (Platform.Owner, etc.). – If tag values have constraints (allowed values), use a valid value. – Temporarily switch to freeform_tags for the lab if defined tags aren’t set up.

4) Bucket name not valid or not unique – Symptom: Apply fails with bucket naming error. – Fix: – Bucket names must follow OCI naming rules and be unique in the namespace. – Add a unique suffix (for example, your initials + random digits).

5) Wrong compartment OCID – Symptom: Plan/apply references a compartment you can’t access. – Fix: – Use the OCID of appdev-selfservice. – Ensure your policies apply to that compartment.

Cleanup

To avoid ongoing costs and clutter:

1) Destroy the resources – Go to the stack → Destroy – Wait for job to succeed.

2) Delete the stack – Resource Manager → Stacks → (your stack) → Delete

3) Optional: Remove IAM and governance objects – Remove the policy dev-selfservice-resource-manager – Remove the group dev-selfservice (if created only for this lab) – Remove the compartment appdev-selfservice (only if empty and intended for lab use) – Remove tag namespace Platform (only if created just for this lab)

Expected outcome – No lab-created bucket remains. – No self-service artifacts remain unless you want to keep them.

11. Best Practices

Architecture best practices

Design compartments first (org → app → env). Don’t start with templates.
Create “golden paths”:
simple templates for common needs
advanced templates only when necessary
Prefer composable modules; avoid copy-pasting Terraform across stacks.

IAM / security best practices

Apply least privilege:
developers manage stacks/jobs in their compartment
do not grant broad resource permissions directly unless required
Separate duties:
platform team owns and updates templates
app teams execute templates
Use federation (SSO) where possible for identity lifecycle management (verify your identity provider setup).

Cost best practices

Mandatory tags: Owner, CostCenter, Environment, Application.
Budgets per environment compartment with alerts.
Publish “cost profiles” for each template (small/standard/large).
Build cleanup workflows for ephemeral environments.

Performance best practices

Keep templates small and focused; large stacks become slow and fragile.
Avoid serial provisioning when parallelism is safe; use Terraform patterns carefully.
Use appropriate service limits and request increases ahead of launches.

Reliability best practices

Version templates and treat updates as controlled releases.
Test templates in a staging compartment before production.
Prefer idempotent design (re-applying does not break resources).

Operations best practices

Centralize logs for automation and critical services.
Track change history via stack job runs and source control.
Use Notifications for job failures and alerts.
Document runbooks: “what to do when stack apply fails.”

Governance / tagging / naming best practices

Use defined tags over freeform tags where possible.
Standard naming: include app/env/region where helpful.
Use tag defaults at the compartment level (where appropriate) to reduce user input.

12. Security Considerations

Identity and access model

OCI IAM is the enforcement point.
Best practice is to:
restrict developer permissions to their compartment(s)
allow only stack/job management, not broad admin permissions
Use separate groups for:
platform-admins (template authors)
developers (template consumers)
auditors (read-only)

Encryption

Many OCI services encrypt at rest by default; validate per service.
For sensitive workloads, consider customer-managed keys in OCI Vault (service-dependent).

Network exposure

Prefer private endpoints and private subnets where supported.
Explicitly block public access in templates (as we did with NoPublicAccess for buckets).
Use NSGs and security lists intentionally; avoid “0.0.0.0/0 inbound” defaults.

Secrets handling

Do not hardcode secrets in Terraform variables or stack logs.
Use OCI Vault for secrets; use dynamic access patterns (resource principals/dynamic groups) where appropriate—verify official guidance for your automation component.

Audit and logging

Ensure OCI Audit is enabled/retained according to policy.
Review:
stack job logs
audit events for create/update/delete of resources
Restrict access to logs; logs can contain sensitive details.

Compliance considerations

Map templates to controls:
encryption
access restrictions
retention
change management
Evidence:
Git history for templates
stack job run history
audit logs

Common security mistakes

Giving developers tenancy-wide permissions “just to move fast”
Letting templates deploy public endpoints by default
No tagging → no ownership → no accountability
Storing credentials in templates or logs
No separation between dev/test/prod compartments

Secure deployment recommendations

Establish a baseline landing zone (compartments, IAM, network) before self-service expansion.
Require peer review for template changes (Git-based approvals).
Use Cloud Guard/Security Zones if they match your governance needs (verify requirements and supported services).

13. Limitations and Gotchas

Known limitations (pattern-level)

“Managed Cloud Self Service Platform” may not be a single OCI service; you must integrate components.
Self-service success depends on:
good IAM design
template quality
operational ownership

Quotas and limits

Resource limits can block provisioning unexpectedly (network, compute, load balancers).
Resource Manager job concurrency may limit how many teams can deploy simultaneously—verify current limits.

Regional constraints

Not every OCI service is available in every region.
Templates should be region-aware and validated per target region.

Pricing surprises

Data egress and logging retention are frequent surprises.
Always-on resources in “dev” can silently become expensive.

Compatibility issues

Terraform provider versions can introduce breaking changes.
If templates are not pinned/tested, production runs can fail.

Operational gotchas

Failed applies can leave partially created resources.
Rollback often requires either:
a destroy job, or
manual cleanup (document this as a runbook)
IAM changes can break previously working stacks.

Migration challenges

Moving from manual console provisioning to self-service requires:
standardization decisions (naming/tags)
ownership boundaries (who supports what)
refactoring existing resources into IaC (import patterns—verify supported methods)

Vendor-specific nuances

OCI policy language and compartment design are powerful but can be subtle.
Some advanced automation patterns (resource principals, dynamic groups) require careful setup per service—verify official docs for each integration.

14. Comparison with Alternatives

A Managed Cloud Self Service Platform approach on OCI overlaps with several services and patterns.

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Managed Cloud Self Service Platform (OCI pattern)	Organizations building a governed self-service experience	Flexible; tailored guardrails; works across many OCI services	Requires platform engineering effort; not a single product	When you need standardized self-service at scale on Oracle Cloud
OCI Resource Manager alone	IaC-driven provisioning without a portal	Native Terraform execution; job history; integrates with IAM	Developer experience is more “infra tool” than “portal”	When the OCI Console UX is sufficient as self-service interface
OCI DevOps (pipelines)	CI/CD automation around app deployments	Strong for build/test/deploy workflows	Not a full infrastructure catalog by itself	When self-service is primarily application delivery via pipelines
Oracle APEX as a portal	Rapid internal portal UI	Fast to build forms/workflows	You still need automation backend and secure integration	When you want a friendly “request form” in Oracle ecosystem
AWS Service Catalog	AWS-native service catalog	Mature catalog + governance	AWS-specific	When you’re on AWS and need native catalog
Azure Managed Applications / Service Catalog patterns	Azure governance-driven catalog	Integrates with Azure RBAC/policy	Azure-specific	When you’re on Azure
GCP Private Catalog (Marketplace/Blueprint patterns)	GCP catalog patterns	Integrates with GCP org policies	GCP-specific	When you’re on GCP
Backstage (open-source IDP portal)	Portal-centric developer experience	Great UX for catalogs/docs; extensible	Needs integration with OCI provisioning	When you want a modern IDP frontend across tools
Crossplane (open-source)	Kubernetes-native provisioning	GitOps-friendly; strong abstractions	Steeper learning; operational overhead	When you want Kubernetes as control plane for infra

15. Real-World Example

Enterprise example (regulated multi-team organization)

Problem A bank has 40+ application teams. Provisioning a compliant environment (network + storage + database + logging) takes weeks due to security reviews and manual tickets. Teams create inconsistent configurations when they bypass the process.

Proposed architecture – Compartments per application and environment (dev/test/prod) – Defined tags enforced and required for provisioning – Self-service catalog using OCI Resource Manager stacks: – “Standard private bucket” – “App VCN spoke” – “Database baseline” – “OKE namespace onboarding” – Approval and change management integrated via Git PR review for template changes – Audit + centralized logging retained per compliance needs

Why this service was chosen They wanted the Managed Cloud Self Service Platform model because: – developers need self-service – security needs guardrails and evidence – operations needs repeatability and auditability

Expected outcomes – Provisioning time reduced from weeks to hours/minutes for approved components – Reduced misconfigurations via golden templates – Better cost allocation via tags and compartment budgets – Clear audit trail for compliance

Startup / small-team example (cost-sensitive SaaS team)

Problem A 10-person SaaS team is moving to Oracle Cloud. They need consistent dev/test environments and want to avoid spending time on repetitive setup. They also fear surprise cloud bills.

Proposed architecture – Simple compartment layout: startup-dev, startup-prod – A small set of Resource Manager stacks: – “bucket for logs/artifacts” – “database instance baseline” (only if needed) – Strict budgets and quota limits in dev – Automated cleanup of ephemeral resources via tags and scheduled processes (implementation-specific)

Why this service was chosen A lightweight Managed Cloud Self Service Platform approach gives them: – speed (self-service) – cost control (budgets + small templates) – minimal operational overhead (few templates, strong defaults)

Expected outcomes – Faster onboarding for new services – Lower operational toil – Reduced risk of misconfigurations and runaway spend

16. FAQ

1) Is Managed Cloud Self Service Platform a single OCI product?
Often it is a platform pattern implemented with OCI services (IAM, Resource Manager, etc.). If Oracle provides a portal under this exact name in a managed-services contract, verify the exact capabilities in your official Oracle documentation.

2) What is the simplest way to start on Oracle Cloud?
Start with compartments + IAM + Resource Manager stacks for 2–3 common templates (storage bucket, network baseline, logging onboarding).

3) Do developers need admin access to self-serve?
No. The goal is to avoid admin access by granting permission to run approved stacks/jobs in controlled compartments.

4) How do we prevent teams from provisioning expensive resources?
Use compartments, quotas, budgets, and templates that only allow approved shapes/services. Also require tags and monitor spend.

5) How do we enforce tagging?
Use defined tags, tag defaults where appropriate, and make templates set tags automatically.

6) How do we handle approvals?
Common patterns: – Pre-approve templates (self-service without per-request approval) – Require PR approvals for template changes – Integrate portal workflows with a ticketing system (implementation-specific)

7) How do we track who provisioned what?
Use: – defined tags (Owner/Application) – Resource Manager job history – OCI Audit logs

8) What’s the biggest security risk in self-service?
Overbroad IAM permissions and templates that expose resources publicly by default.

9) Can we build a portal UI?
Yes—common options include an internal web app, Oracle APEX, or service desk forms—fronting OCI APIs/Resource Manager. Secure it with IAM and least privilege.

10) Does Resource Manager support Terraform modules and variables?
Yes, but details (supported Terraform versions, features) vary—verify in official Resource Manager documentation.

11) How do we handle secrets in templates?
Avoid placing secrets in Terraform variables and logs. Use OCI Vault and secure access patterns.

12) What about multi-region deployments?
Design region-aware templates and validate service availability per region. Replication and egress costs must be planned.

13) How do we prevent configuration drift?
Use IaC as the source of truth, restrict manual console changes for managed resources, and re-apply stacks carefully.

14) How do we onboard many teams quickly?
Provide a “project bootstrap” template (compartment scaffolding + baseline policies + tags), plus a small initial catalog.

15) What is a good first KPI for platform success?
Time-to-provision for approved resources, failure rate of automation jobs, and percentage of resources with mandatory tags.

17. Top Online Resources to Learn Managed Cloud Self Service Platform

Because the Managed Cloud Self Service Platform is usually implemented using OCI building blocks, the best learning resources are the official docs for those components.

Resource Type	Name	Why It Is Useful
Official documentation	OCI Resource Manager docs: https://docs.oracle.com/en-us/iaas/Content/ResourceManager/home.htm	Core automation engine for Terraform-based self-service
Official documentation	OCI IAM docs: https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm	Required for groups, policies, least privilege
Official documentation	OCI Compartments overview (IAM docs): https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm	Foundation for isolation and governance
Official documentation	OCI Tagging docs: https://docs.oracle.com/en-us/iaas/Content/Tagging/home.htm	Cost allocation and governance metadata
Official documentation	OCI Audit docs: https://docs.oracle.com/en-us/iaas/Content/Audit/home.htm	Evidence and traceability for changes
Official documentation	OCI Logging docs: https://docs.oracle.com/en-us/iaas/Content/Logging/home.htm	Central logging for operations and troubleshooting
Official documentation	OCI Monitoring docs: https://docs.oracle.com/en-us/iaas/Content/Monitoring/home.htm	Metrics and alarms for reliability
Official documentation	Object Storage docs: https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/objectstorageoverview.htm	The lab’s target resource; common self-service building block
Official pricing	OCI Pricing: https://www.oracle.com/cloud/pricing/	Pricing model overview and links
Official pricing	OCI Price List: https://www.oracle.com/cloud/price-list/	Service-specific SKUs (region/SKU dependent)
Official pricing tool	OCI Cost Estimator: https://www.oracle.com/cloud/costestimator.html	Build region-specific estimates without guessing
Official tutorials (directory)	Oracle Cloud tutorials (general): https://docs.oracle.com/en/learn/	Hands-on labs for many OCI services (availability varies)
Official videos	Oracle Cloud Infrastructure YouTube: https://www.youtube.com/@OracleCloudInfrastructure	Practical walkthroughs and service updates (verify relevancy)
CLI documentation	OCI CLI concepts: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm	Helpful for validation and automation scripting
Reference architectures	Oracle Architecture Center: https://docs.oracle.com/en/solutions/	Patterns for landing zones, governance, and deployments

18. Training and Certification Providers

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps engineers, SREs, platform teams, developers	DevOps, IaC, CI/CD, cloud platform practices (verify OCI coverage)	check website	https://www.devopsschool.com/
ScmGalaxy.com	Beginners to intermediate DevOps learners	SCM, CI/CD fundamentals, DevOps practices	check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	CloudOps/operations teams	Cloud operations, monitoring, reliability practices	check website	https://www.cloudopsnow.in/
SreSchool.com	SREs, operations teams, platform engineers	SRE principles, observability, incident management	check website	https://www.sreschool.com/
AiOpsSchool.com	Ops teams exploring AIOps	AIOps concepts, automation, monitoring analytics	check website	https://www.aiopsschool.com/

19. Top Trainers

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training content (verify current offerings)	Beginners to advanced practitioners	https://rajeshkumar.xyz/
devopstrainer.in	DevOps training programs (verify course list)	DevOps engineers, students	https://www.devopstrainer.in/
devopsfreelancer.com	Freelance DevOps help/training (verify services)	Teams needing short-term guidance	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support/training resources (verify scope)	Ops teams needing practical support	https://www.devopssupport.in/

20. Top Consulting Companies

Company	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	DevOps and cloud consulting (verify OCI experience)	Platform engineering, CI/CD, automation	Build self-service provisioning templates; implement tagging strategy; set up IaC pipelines	https://cotocus.com/
DevOpsSchool.com	DevOps consulting and training	Upskilling + implementation support	Design IAM/compartment model; implement Resource Manager stack catalog; establish DevOps practices	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting services (verify portfolio)	Automation, DevOps transformation	Create standardized Terraform modules; implement observability baseline; design governance guardrails	https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before this service (foundations)

OCI fundamentals: regions, compartments, VCN basics
IAM: groups, policies, federation concepts
Terraform basics: providers, variables, state, modules
Basic security: least privilege, networking exposure, encryption concepts

What to learn after this service (to mature the platform)

OCI DevOps pipelines and release governance (where appropriate)
Advanced IAM patterns (dynamic groups, principals—service-specific)
Observability engineering: logging strategies, dashboards, alert tuning
FinOps: budgets, showback/chargeback, cost governance
Internal developer platform (IDP) tooling (Backstage, GitOps, policy-as-code patterns)

Job roles that use it

Platform Engineer / Internal Developer Platform Engineer
Cloud Engineer (OCI)
DevOps Engineer
Site Reliability Engineer (SRE)
Cloud Security Engineer
Solutions Architect / Cloud Architect

Certification path (if available)

OCI has role-based certifications (architect, developer, operations). The best match depends on your focus: – OCI Architect track (for landing zones, governance) – OCI Developer/DevOps track (for pipelines and automation)

Verify current OCI certification offerings here: https://education.oracle.com/

Project ideas for practice

Build a catalog of 5 templates: bucket, network spoke, logging onboarding, dev database, OKE namespace onboarding.
Add mandatory tags and compartment budgets.
Build a lightweight portal form that triggers Resource Manager jobs (API-based), with approval workflow.
Add a “sandbox expiry” mechanism: tag resources and auto-destroy after N hours (implementation-specific).

22. Glossary

OCI (Oracle Cloud Infrastructure): Oracle Cloud’s IaaS/PaaS platform for compute, networking, storage, and managed services.
Compartment: A logical isolation boundary in OCI for organizing and controlling access to resources.
IAM Policy: A statement-based access control rule that grants permissions to groups or services.
Defined Tags: Governed tags with predefined keys (and sometimes allowed values) used for compliance and cost allocation.
Resource Manager: OCI service that runs Terraform stacks and jobs to provision infrastructure as code.
Stack: A Resource Manager object representing a Terraform configuration plus variables.
Job: An execution run in Resource Manager (plan/apply/destroy).
Least Privilege: Security principle of granting only the minimum permissions required.
Golden Path: A preferred, approved way to provision and operate common components.
Audit Log: A record of API calls and actions for traceability and compliance.
Showback/Chargeback: Cost reporting models that attribute cloud spend to teams or cost centers.

23. Summary

A Managed Cloud Self Service Platform on Oracle Cloud is a governed self-service approach that helps application teams provision approved resources quickly while the platform team enforces security, operations standards, and cost controls. In many OCI environments, it is implemented by combining OCI IAM, Compartments, Tagging, and OCI Resource Manager (Terraform), optionally with a portal/API layer for a better developer experience.

Key takeaways: – Where it fits: Application Development enablement—faster provisioning with guardrails. – Cost: You primarily pay for the underlying OCI resources; watch data egress, logging retention, and orphaned resources. – Security: IAM least privilege, compartment isolation, and template-enforced secure defaults are the foundation. – When to use: Multiple teams, repeated environments, and strong governance requirements.

Next step: expand the lab into a small internal catalog (3–5 templates) and formalize governance (tags, budgets, approvals, and runbooks) using the official OCI docs linked above.

rajeshkumar

Category