In Oracle Cloud Infrastructure (OCI), you can use tagging policies to require approval before deleting instances by combining Tag-Based Access Control (TBAC) with IAM policies. Here's how:
Step 1: Create a Tag Namespace & Key
- In the OCI Console, navigate to Governance & Administration → Tag Namespaces.
- Click "Create Tag Namespace" and give it a name, e.g., DeletionPolicy (the namespace name referenced in the policy in Step 3).
- Inside the namespace, create a tag key:
  - Tag Key: Delete-Approval
  - Tag Values: Approved, Not-Approved
  - Default Value: Not-Approved
Step 2: Apply the Tag to Resources
In our case we attach the tag to instances (we will create a new instance and apply the tag to it). When creating or managing a resource, tag it as:
- Delete-Approval = Not-Approved → the instance cannot be deleted.
- Delete-Approval = Approved → the instance can be deleted.
Step 3: Create an IAM Policy to Restrict Instance Deletion
Assumption: only users in the tag management group can manage tags in the tenancy.
Group: TagManagementGroup
Policy: TagManagementPolicy
allow group TagManagementGroup to manage tags in tenancy
allow group TagManagementGroup to manage tag-namespaces in tenancy
Go to Identity & Security → Policies and create a policy that enforces approval.
Allow group 'Default'/'OCI_Admins' to manage instances in tenancy where request.permission != 'INSTANCE_DELETE'
Allow group 'Default'/'OCI_Admins' to manage all-resources in tenancy where target.resource.tag.DeletionPolicy.Delete-Approval = 'Approved'
How It Works
- Deletion is blocked unless Delete-Approval = Approved.
- Full management of instances, except deletion, is allowed while Delete-Approval = Not-Approved.
Step 4: Approval Process
- A tag management admin updates the tag from Not-Approved to Approved.
- An OCI admin user with the appropriate permissions can then delete the instance.
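To trace the approval flow end to end, here is an added Python model of the two policy statements from Step 3. It is not part of the original post and is not the OCI authorization engine; the group, permission and tag names are taken from the page, and the "allow-only, deny by default" evaluation is how OCI policies behave.

```python
"""Model of how the two policy statements from Step 3 decide a request.

Added example, not part of the original post and not the OCI authorization
engine: it mirrors the statements' conditions so the Step 4 approval flow
can be traced offline. Group, permission and tag names come from the page.
"""
from dataclasses import dataclass, field
from typing import Optional

TAG_NAMESPACE = "DeletionPolicy"  # namespace referenced in the policy
TAG_KEY = "Delete-Approval"       # tag key created in Step 1
ADMIN_GROUP = "OCI_Admins"        # 'Default'/'OCI_Admins' in the policy


@dataclass(frozen=True)
class Request:
    group: str
    permission: str       # e.g. "INSTANCE_DELETE", "INSTANCE_UPDATE"
    resource_type: str    # "instance" or any other resource type
    defined_tags: dict = field(default_factory=dict)  # {namespace: {key: value}}


def approval_tag(req: Request) -> Optional[str]:
    """target.resource.tag.DeletionPolicy.Delete-Approval, or None if untagged."""
    return req.defined_tags.get(TAG_NAMESPACE, {}).get(TAG_KEY)


def manage_instances_except_delete(req: Request) -> bool:
    """manage instances in tenancy where request.permission != 'INSTANCE_DELETE'"""
    return (req.group == ADMIN_GROUP and req.resource_type == "instance"
            and req.permission != "INSTANCE_DELETE")


def manage_all_when_approved(req: Request) -> bool:
    """manage all-resources in tenancy where <tag> = 'Approved' (any resource type)"""
    return req.group == ADMIN_GROUP and approval_tag(req) == "Approved"


def is_allowed(req: Request) -> bool:
    # OCI policies only grant: the request succeeds if any statement matches;
    # anything no statement covers, including an untagged instance, is denied.
    return manage_instances_except_delete(req) or manage_all_when_approved(req)


def delete_allowed(tag_value: Optional[str], group: str = ADMIN_GROUP) -> bool:
    """Can `group` delete an instance whose approval tag is `tag_value`?"""
    tags = {} if tag_value is None else {TAG_NAMESPACE: {TAG_KEY: tag_value}}
    return is_allowed(Request(group, "INSTANCE_DELETE", "instance", tags))
```

Note that the second statement grants manage on all-resources, so once a resource carries Delete-Approval = Approved the model allows every permission on it, not only INSTANCE_DELETE.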