Implement Object Storage versioning, life cycle management and retention rules

Summary

An Object Storage bucket can have either versioning or retention rules, but not both. The lifecycle rule actions are ARCHIVE, INFREQUENT_ACCESS, DELETE, and ABORT (for uncommitted multipart uploads).

Reference

Enable Versioning

Use the following command to enable object versioning:

# Enable object versioning on the lab bucket. With versioning on, earlier
# versions of an object stay recoverable after an overwrite or a delete.
bucket='FRA-AA-LAB11-1-BKT-01'
oci os bucket update --name "${bucket}" --versioning Enabled

The sample output is:

{
  "data": {
    "approximate-count": null,
    "approximate-size": null,
    "auto-tiering": "Disabled",
    "compartment-id": "ocid1.compartment.oc1..aaaaaaaamoo6uz2qmix2adls2cgoqxxhdt4wuam3wbcrw6co6z4osweos6da",
    "created-by": "ocid1.user.oc1..aaaaaaaab6dmoec6utwsmvueyko32h6vvhmptr3yeaunitxj6733jpo6hsca",
    "defined-tags": {
      "Oracle-Tags": {
        "CreatedBy": "default/tenancy_admin",
        "CreatedOn": "2024-08-03T17:36:07.615Z"
      }
    },
    "etag": "e6a6c4fb-2fe3-4f20-884e-8eed73562785",
    "freeform-tags": {},
    "id": "ocid1.bucket.oc1.ap-sydney-1.aaaaaaaaz4b7hgfkmiqk6ovgpbhvmr746j4xdw3nw2wyexn4rsyorc4m5pdq",
    "is-read-only": false,
    "kms-key-id": null,
    "metadata": {},
    "name": "FRA-AA-LAB11-1-BKT-01",
    "namespace": "sdorfvwhnhvj",
    "object-events-enabled": false,
    "object-lifecycle-policy-etag": null,
    "public-access-type": "NoPublicAccess",
    "replication-enabled": false,
    "storage-tier": "Standard",
    "time-created": "2024-08-03T17:36:07.627000+00:00",
    "versioning": "Enabled"
  },
  "etag": "e6a6c4fb-2fe3-4f20-884e-8eed73562785"
}

Create Lifecycle Policy

Use the following commands to create an IAM policy that allows the Object Storage service to manage objects:

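# Build the one-element JSON array of policy statements expected by
# --statements. The service principal name embeds the region (ap-sydney-1
# here), so it has to match the region the bucket lives in.
# NOTE(review): this statement grants "manage object-family" across the whole
# tenancy. Where lifecycle rules are only used in some compartments, scoping
# the statement with "in compartment <compartment_name>" grants less.
printf -v policy '["%s"]' \
  "Allow service objectstorage-ap-sydney-1 to manage object-family in tenancy"
# Create the policy in the root compartment (the tenancy OCID). The expansion
# is quoted so that an unset or empty OCI_CLI_TENANCY reaches the CLI as one
# invalid argument instead of disappearing and shifting the option list.
oci iam policy create                   \
  --compartment-id "${OCI_CLI_TENANCY}" \
  --description 'Allow Object Storage Service to manage objects in my tenancy' \
  --name 'object-storage-service'       \
  --statements "${policy}"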

The output is:

{
  "data": {
    "compartment-id": "ocid1.tenancy.oc1..aaaaaaaa7ilqdzmkbqduujc3tt6zrl2n2ytcughcjoidozg4memj2k4cm7na",
    "defined-tags": {
      "Oracle-Tags": {
        "CreatedBy": "default/tenancy_admin",
        "CreatedOn": "2024-08-06T01:13:18.856Z"
      }
    },
    "description": "Allow Object Storage Service to manage objects in my tenancy",
    "freeform-tags": {},
    "id": "ocid1.policy.oc1..aaaaaaaay25zezvxv6pfe3ioifi5laokyertwtt7ctdp3wbihbjo5ct4cvla",
    "inactive-status": null,
    "lifecycle-state": "ACTIVE",
    "name": "object-storage-service",
    "statements": [
      "Allow service objectstorage-ap-sydney-1 to manage object-family in tenancy"
    ],
    "time-created": "2024-08-06T01:13:18.907000+00:00",
    "version-date": null
  },
  "etag": "a52b622b9f6bf2a4c7db1b006fd9d1c436f19651"
}

Use the following commands to create a lifecycle policy:

# Lifecycle rule set: one ARCHIVE rule with a 30-day time amount, limited by
# an object-name prefix filter.
# NOTE(review): the rule JSON does not set "isEnabled", and the sample output
# for this command reports "is-enabled": false, so the rule is stored but does
# not act on any object. Add "isEnabled":true to the rule if it should run.
# NOTE(review): inclusionPrefixes ["/"] selects only object names that begin
# with "/"; confirm that this is the intended set of objects.
lifecycle_rules='[{"name":"ArchiveRule","action":"ARCHIVE","objectNameFilter":{"inclusionPrefixes":["/"]},"target":"objects","timeAmount":30,"timeUnit":"DAYS"}]'
bucket='FRA-AA-LAB11-1-BKT-01'
# "put" replaces whatever lifecycle policy the bucket already has, and --force
# skips the confirmation prompt, so review the existing rules before running.
oci os object-lifecycle-policy put \
  --bucket-name "${bucket}"        \
  --items "${lifecycle_rules}"     \
  --force

The output is:

{
  "data": {
    "items": [
      {
        "action": "ARCHIVE",
        "is-enabled": false,
        "name": "ArchiveRule",
        "object-name-filter": {
          "exclusion-patterns": null,
          "inclusion-patterns": null,
          "inclusion-prefixes": [
            "/"
          ]
        },
        "target": "objects",
        "time-amount": 30,
        "time-unit": "DAYS"
      }
    ],
    "time-created": "2024-08-06T01:17:57.264000+00:00"
  },
  "etag": "5c1791af-28c4-4553-9945-e6e7790b37d7"
}

Create Retention Rule

A new bucket is required because a retention rule cannot be applied to a bucket that has versioning enabled.

Use the following commands to create a retention rule:

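# Create a second bucket (without versioning) and attach a 90-day retention
# rule to it.
bucket_name='FRA-AA-LAB11-1-BKT-02'

# Object Storage namespace of the tenancy.
name_space=$(oci os ns get --query 'data' --raw-output)

# OCID of the compartment named 'Sandbox'. The query takes the first match
# only (data[0]); confirm it is the intended compartment if the name is not
# unique among the compartments the list call returns.
comp_id=$(
  oci iam compartment list \
    --name 'Sandbox'       \
    --query 'data[0].id'   \
    --raw-output
)

# All expansions are quoted: a failed lookup then reaches the CLI as an empty
# argument and is rejected, instead of vanishing and letting the next option
# name be consumed as the value.
oci os bucket create              \
  --namespace "${name_space}"     \
  --name "${bucket_name}"         \
  --compartment-id "${comp_id}"   \
  --query 'data.id'               \
  --raw-output

# NOTE(review): the sample output for this command shows
# "time-rule-locked": null, meaning the rule is unlocked and can still be
# changed or deleted by anyone with permission to manage retention rules.
# For regulatory (WORM-style) retention, lock the rule with --time-rule-locked.
oci os retention-rule create          \
  --bucket-name "${bucket_name}"      \
  --display-name 'Retention Rule'     \
  --time-amount 90                    \
  --time-unit DAYS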

The sample output is:

ocid1.bucket.oc1.ap-sydney-1.aaaaaaaa5q3ahqwv4ovmogvwqhpf5yjvgo3f535cry4e36gqx6xjsvn43gya
{
  "data": {
    "display-name": "Retention Rule",
    "duration": {
      "time-amount": 90,
      "time-unit": "DAYS"
    },
    "etag": "45144334-c254-4676-9e5c-92f718913dbd",
    "id": "a268daf3-f29b-4f4e-9000-b223adb1bb3c",
    "time-created": "2024-08-05T19:34:19.140000+00:00",
    "time-modified": "2024-08-05T19:34:19.140000+00:00",
    "time-rule-locked": null
  },
  "etag": "45144334-c254-4676-9e5c-92f718913dbd"
}