From fb048d1e51ba367968669291e8ca189b930660c5 Mon Sep 17 00:00:00 2001 
From: David Cardenas Date: Mon, 11 May 2026 08:57:21 -0600 Subject: [PATCH 1/4] Terraform: Adding two new code examples 1. Create an ADB with a public endpoint and ACLs. 2. Create a VCN, a subnet, and an ADB in that subnet with a private endpoint. Have the right NSG to allow incoming database connections and HTTP traffic. --- .../.terraform.lock.hcl | 25 +++ .../README.md | 53 ++++++ .../adb_from_subnet_private_endpoint/main.tf | 26 +++ .../adb_from_subnet_private_endpoint/nsg.tf | 60 +++++++ .../outputs.tf | 30 ++++ .../provider.tf | 7 + .../terraform.tfvars | 35 ++++ .../variables.tf | 151 ++++++++++++++++++ .../adb_from_subnet_private_endpoint/vcn.tf | 44 +++++ .../versions.tf | 10 ++ .../README.md | 30 ++++ .../adb_with_public_endpoint_and_acls/main.tf | 30 ++++ .../outputs.tf | 18 +++ .../provider.tf | 7 + .../terraform.tfvars | 27 ++++ .../variables.tf | 117 ++++++++++++++ .../versions.tf | 10 ++ 17 files changed, 680 insertions(+) create mode 100644 terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl create mode 100644 terraform/adb_from_subnet_private_endpoint/README.md create mode 100644 terraform/adb_from_subnet_private_endpoint/main.tf create mode 100644 terraform/adb_from_subnet_private_endpoint/nsg.tf create mode 100644 terraform/adb_from_subnet_private_endpoint/outputs.tf create mode 100644 terraform/adb_from_subnet_private_endpoint/provider.tf create mode 100644 terraform/adb_from_subnet_private_endpoint/terraform.tfvars create mode 100644 terraform/adb_from_subnet_private_endpoint/variables.tf create mode 100644 terraform/adb_from_subnet_private_endpoint/vcn.tf create mode 100644 terraform/adb_from_subnet_private_endpoint/versions.tf create mode 100644 terraform/adb_with_public_endpoint_and_acls/README.md create mode 100644 terraform/adb_with_public_endpoint_and_acls/main.tf create mode 100644 terraform/adb_with_public_endpoint_and_acls/outputs.tf create mode 100644 terraform/adb_with_public_endpoint_and_acls/provider.tf create mode 
100644 terraform/adb_with_public_endpoint_and_acls/terraform.tfvars create mode 100644 terraform/adb_with_public_endpoint_and_acls/variables.tf create mode 100644 terraform/adb_with_public_endpoint_and_acls/versions.tf diff --git a/terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl b/terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl new file mode 100644 index 0000000..1ce5b38 --- /dev/null +++ b/terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl @@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/oracle/oci" { + version = "8.13.0" + constraints = ">= 6.0.0" + hashes = [ + "h1:XzP1XWq0WnCHW3tQw8ZOA41BiKyzvdkyZUiI+ZfpzJo=", + "zh:055ef341b3370d90b08f1ab56fdede11747c33a8a4f76c01382e80a9eac70c8f", + "zh:23713f132f34d0da9dbc11421d4b83d10f7fce677e1a5aafcf07619b12bf1a33", + "zh:443afc4c6183d6e9806d7414e4096a2669d0d3435118b37b7fd7bb5bc2596fa9", + "zh:579379341440d9be2fb82eeba58f7bb5874868b673c60cff8b8a50bea0747a74", + "zh:67a3a5df051e44e180e859bbef8480be10c0a9a7a719fb23abe545811cec3524", + "zh:7069d4bc824bf2dd3e6d476f86482bfb96c72ab465e3f770804e62af62935513", + "zh:7c6222cfb7f0a6ed330795457f40909e55b2736552767805f9b2bdf784bac1e1", + "zh:8346570c97b2f65787b475b2019c8ac7d96d142e9ecd99de85abd7ccf3518058", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a87d6e48c3f4f97417380518aafe14e3a30d297bee163b2718ded0b8b78da5b5", + "zh:ae690079802ffae84c83774b36707765a4d79b17b5971faa1c46fe39f299e0e8", + "zh:b78eea21c5ab34d00f243f490e3744925a783c67882a027c53f4ef827349a630", + "zh:bc8b719cccfdd20ae8e055abb8ca7d9a27ad629f4904f163850a6e79c8c17482", + "zh:c58b39a86a320ab74d340fde48bf0d83fc6de4a790846eb5b91c69b0a6205ca6", + "zh:ee4cf6cbafa373bd50de976a0cd5c2429ca8b4c0879dea9831891063820c3a9c", + ] +} 
diff --git a/terraform/adb_from_subnet_private_endpoint/README.md b/terraform/adb_from_subnet_private_endpoint/README.md new file mode 100644 index 0000000..270a2e5 --- /dev/null +++ b/terraform/adb_from_subnet_private_endpoint/README.md @@ -0,0 +1,53 @@ +# Terraform — Oracle Autonomous Database with Private Endpoint + +Creates a VCN, a private subnet, a Network Security Group, and an Autonomous Database (ADB) with a private endpoint. The ADB is only accessible from within the VCN. + +## Files + +| File | Description | +|---|---| +| `main.tf` | ADB resource with private endpoint configuration | +| `vcn.tf` | VCN, internet gateway, route table, and private subnet | +| `nsg.tf` | Network Security Group with rules for DB and HTTP traffic | +| `variables.tf` | All configurable parameters | +| `outputs.tf` | Values exported after apply | +| `versions.tf` | Terraform and provider version requirements | +| `provider.tf` | OCI provider configuration | +| `terraform.tfvars` | Your actual values | + +## Architecture + +``` +VCN (10.0.0.0/16) +└── Private Subnet (10.0.1.0/24) + ├── NSG + │ ├── Ingress: port 1521-1522 (SQL*Net) from VCN + │ ├── Ingress: port 443 (HTTPS) from VCN + │ └── Egress: all traffic allowed + └── ADB (private endpoint) + └── No public IP — accessible only from within the VCN +``` + +## Quick Start + +```bash +# 1. Edit terraform.tfvars with your real values +# (tenancy_ocid, user_ocid, fingerprint, compartment_ocid, etc.) + +# 2. Initialize Terraform +terraform init + +# 3. Review the plan before applying +terraform plan + +# 4. Create all resources +terraform apply +``` + +## NSG Rules + +| Direction | Protocol | Port | Source/Destination | Purpose | +|---|---|---|---|---| +| Ingress | TCP | 1521-1522 | VCN CIDR | SQL*Net database connections | +| Ingress | TCP | 443 | VCN CIDR | HTTPS — Database Actions and APEX | +| Egress | All | All | 0.0.0.0/0 | Outbound traffic | \ No newline at end of file 
diff --git a/terraform/adb_from_subnet_private_endpoint/main.tf b/terraform/adb_from_subnet_private_endpoint/main.tf
new file mode 100644
index 0000000..16b4959
--- /dev/null
+++ b/terraform/adb_from_subnet_private_endpoint/main.tf
@@ -0,0 +1,26 @@
+# ============================================================
+# main.tf — Autonomous Database with private endpoint
+# ============================================================
+
+resource "oci_database_autonomous_database" "adb" {
+ compartment_id = var.compartment_ocid
+ display_name = var.adb_display_name
+ db_name = var.adb_db_name
+ admin_password = var.adb_admin_password
+ db_workload = var.adb_workload_type # OLTP | DW | AJD | APEX
+ db_version = var.adb_db_version
+ compute_model = var.adb_compute_model
+ compute_count = var.adb_cpu_core_count
+ data_storage_size_in_tbs = var.adb_storage_tbs
+ is_auto_scaling_enabled = var.adb_auto_scaling
+
+ # ── Private endpoint ──────────────────────────────────────
+ # Removes the public endpoint — access only from within the VCN
+ private_endpoint_label = var.adb_private_endpoint_label
+ subnet_id = oci_core_subnet.private_subnet.id
+ nsg_ids = [oci_core_network_security_group.adb_nsg.id]
+
+ # mTLS: false = allows standard TLS connections (more flexible)
+ # true = requires client certificate (more secure)
+ is_mtls_connection_required = var.require_mtls
+}
diff --git a/terraform/adb_from_subnet_private_endpoint/nsg.tf b/terraform/adb_from_subnet_private_endpoint/nsg.tf
new file mode 100644
index 0000000..74edc9a
--- /dev/null
+++ b/terraform/adb_from_subnet_private_endpoint/nsg.tf
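Review bot: `admin_password = var.adb_admin_password` ends up in clear text in the Terraform state and in any saved plan file; marking the variable `sensitive` only redacts CLI output, and the same line appears in the public-endpoint `main.tf` later in this patch. The state backend used with these examples therefore needs encryption and access control, or the ADMIN password should be set once and then rotated outside Terraform with `lifecycle { ignore_changes = [admin_password] }` so later applies do not re-send it. A one-line comment above the attribute, `# NOTE: stored in plain text in the Terraform state — protect the backend`, would make that visible to anyone copying the example.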
@@ -0,0 +1,60 @@
+# ============================================================
+# nsg.tf — Network Security Group for the ADB private endpoint
+# ============================================================
+
+# ── NSG ───────────────────────────────────────────────────────
+resource "oci_core_network_security_group" "adb_nsg" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+ display_name = var.nsg_display_name
+}
+
+# ── Ingress: SQL*Net / database connections (port 1521) ───────
+resource "oci_core_network_security_group_security_rule" "ingress_sqlnet" {
+ network_security_group_id = oci_core_network_security_group.adb_nsg.id
+ direction = "INGRESS"
+ protocol = "6" # TCP
+
+ source = var.vcn_cidr
+ source_type = "CIDR_BLOCK"
+
+ tcp_options {
+ destination_port_range {
+ min = 1521
+ max = 1522
+ }
+ }
+
+ description = "Allow SQL*Net database connections from within the VCN"
+}
+
+# ── Ingress: HTTPS / Database Actions and APEX (port 443) ────
+resource "oci_core_network_security_group_security_rule" "ingress_https" {
+ network_security_group_id = oci_core_network_security_group.adb_nsg.id
+ direction = "INGRESS"
+ protocol = "6" # TCP
+
+ source = var.vcn_cidr
+ source_type = "CIDR_BLOCK"
+
+ tcp_options {
+ destination_port_range {
+ min = 443
+ max = 443
+ }
+ }
+
+ description = "Allow HTTPS traffic for Database Actions and APEX console"
+}
+
+# ── Egress: allow all outbound traffic ────────────────────────
+resource "oci_core_network_security_group_security_rule" "egress_all" {
+ network_security_group_id = oci_core_network_security_group.adb_nsg.id
+ direction = "EGRESS"
+ protocol = "all"
+
+ destination = "0.0.0.0/0"
+ destination_type = "CIDR_BLOCK"
+
+ description = "Allow all outbound traffic"
+}
diff --git a/terraform/adb_from_subnet_private_endpoint/outputs.tf b/terraform/adb_from_subnet_private_endpoint/outputs.tf
new file mode 100644
index 0000000..d00bbf3
--- /dev/null
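Review bot: Both ingress rules use `source = var.vcn_cidr`, so every host in the VCN, not only the subnet that hosts the clients, can reach ports 1521-1522 and 443, and `egress_all` lets the database endpoint reach `0.0.0.0/0` on any protocol; neither width is needed for the stated goal. Narrow the source to the clients' subnet (a separate `app_cidr` variable) or, better, to the clients' NSG with `source_type = "NETWORK_SECURITY_GROUP"` and `source = <app NSG OCID>`, which does not depend on IP ranges. For egress, unless a concrete outbound need is known, restrict `destination` to `var.vcn_cidr` (or to the OCI services CIDR label through a service gateway); an allow-all egress on a database endpoint also removes a useful signal for spotting unexpected outbound connections. The NSG rules table in this example's README would need the same update.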
+++ b/terraform/adb_from_subnet_private_endpoint/outputs.tf
@@ -0,0 +1,30 @@
+# ============================================================
+# outputs.tf — Values exported after apply
+# ============================================================
+
+# ── VCN ──────────────────────────────────────────────────────
+output "vcn_id" {
+ description = "OCID of the created VCN"
+ value = oci_core_vcn.vcn.id
+}
+
+output "subnet_id" {
+ description = "OCID of the private subnet"
+ value = oci_core_subnet.private_subnet.id
+}
+
+output "nsg_id" {
+ description = "OCID of the Network Security Group"
+ value = oci_core_network_security_group.adb_nsg.id
+}
+
+# ── ADB ───────────────────────────────────────────────────────
+output "adb_id" {
+ description = "OCID of the created Autonomous Database"
+ value = oci_database_autonomous_database.adb.id
+}
+
+output "adb_private_endpoint" {
+ description = "Private endpoint IP address of the ADB"
+ value = oci_database_autonomous_database.adb.private_endpoint_ip
+}
diff --git a/terraform/adb_from_subnet_private_endpoint/provider.tf b/terraform/adb_from_subnet_private_endpoint/provider.tf
new file mode 100644
index 0000000..1a5bcef
--- /dev/null
+++ b/terraform/adb_from_subnet_private_endpoint/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
diff --git a/terraform/adb_from_subnet_private_endpoint/terraform.tfvars b/terraform/adb_from_subnet_private_endpoint/terraform.tfvars
new file mode 100644
index 0000000..f89f66e
--- /dev/null
+++ b/terraform/adb_from_subnet_private_endpoint/terraform.tfvars
@@ -0,0 +1,35 @@
+# ── OCI Credentials ──────────────────────────────────────────
+tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaafcue47pqmrf4vigneebgbcmmoy5r7xvoypicjqqge32ewnrcyx2a"
+user_ocid = "ocid1.user.oc1..aaaaaaaatkpdjtfpvqwwpvcexdrfmlyvyk2ywsbs2atlvhqqxw6hkovhjala"
+fingerprint = "bd:13:f4:5a:a1:72:c5:98:00:1e:5a:3f:24:42:a7:fb"
+private_key_path = "~/.oci/oci_api_key.pem"
+region = "us-ashburn-1"
+
+compartment_ocid = "ocid1.compartment.oc1..aaaaaaaapz4knoy7df3gvi6trkxd4yffaz6jzbaj6r5grv3b6v33remrw2ta"
+
+# ── VCN ──────────────────────────────────────────────────────
+vcn_display_name = "adb-vcn"
+vcn_cidr = "10.0.0.0/16"
+vcn_dns_label = "adbvcn"
+
+# ── Subnet ────────────────────────────────────────────────────
+subnet_display_name = "adb-private-subnet"
+subnet_cidr = "10.0.1.0/24"
+subnet_dns_label = "adbsubnet"
+
+# ── NSG ───────────────────────────────────────────────────────
+nsg_display_name = "adb-nsg"
+
+# ── ADB Configuration ─────────────────────────────────────────
+adb_display_name = "terravcndb"
+adb_db_name = "terravcndb"
+adb_admin_password = "HolaMundo1330"
+adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX
+adb_db_version = "26ai"
+adb_cpu_core_count = 2
+adb_storage_tbs = 1
+adb_auto_scaling = false
+adb_private_endpoint_label = "adbprivate"
+
+# ── Security ──────────────────────────────────────────────────
+require_mtls = false
diff --git a/terraform/adb_from_subnet_private_endpoint/variables.tf b/terraform/adb_from_subnet_private_endpoint/variables.tf
new file mode 100644
index 0000000..0b54035
--- /dev/null
+++ b/terraform/adb_from_subnet_private_endpoint/variables.tf
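Review bot: This hunk commits a live `adb_admin_password` together with the tenancy, user and compartment OCIDs and the API-key `fingerprint`; patch 2/4 blanks them again, but the values remain in git history, so the ADMIN password must be rotated and the API key behind that fingerprint removed from the user whether or not the history is rewritten. `terraform.tfvars` should be listed in `.gitignore` and the repository should ship a `terraform.tfvars.example` with placeholders, as the public-endpoint example in this same patch already does; supplying credentials via `TF_VAR_*` environment variables or the OCI config file avoids the problem entirely. A header comment such as `# Do not commit this file — it holds credentials; copy terraform.tfvars.example instead` would help readers who copy the directory.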
@@ -0,0 +1,151 @@ +# ============================================================ +# variables.tf — Configurable parameters +# ============================================================ + +# ── OCI Credentials ────────────────────────────────────────── +variable "tenancy_ocid" { + description = "OCID of the Oracle Cloud tenancy" + type = string +} + +variable "user_ocid" { + description = "OCID of the OCI user" + type = string +} + +variable "fingerprint" { + description = "Fingerprint of the user's API key" + type = string +} + +variable "private_key_path" { + description = "Path to the private key file (.pem)" + type = string +} + +variable "region" { + description = "OCI region where the resources will be created" + type = string + default = "us-ashburn-1" +} + +variable "compartment_ocid" { + description = "OCID of the compartment where resources will be created" + type = string +} + +# ── VCN ────────────────────────────────────────────────────── +variable "vcn_display_name" { + description = "Display name for the VCN" + type = string + default = "adb-vcn" +} + +variable "vcn_cidr" { + description = "CIDR block for the VCN" + type = string + default = "10.0.0.0/16" +} + +variable "vcn_dns_label" { + description = "DNS label for the VCN (lowercase letters and numbers only)" + type = string + default = "adbvcn" +} + +# ── Subnet ──────────────────────────────────────────────────── +variable "subnet_display_name" { + description = "Display name for the private subnet" + type = string + default = "adb-private-subnet" +} + +variable "subnet_cidr" { + description = "CIDR block for the private subnet (must be within the VCN CIDR)" + type = string + default = "10.0.1.0/24" +} + +variable "subnet_dns_label" { + description = "DNS label for the subnet (lowercase letters and numbers only)" + type = string + default = "adbsubnet" +} + +# ── NSG ─────────────────────────────────────────────────────── +variable "nsg_display_name" { + description = "Display name for the 
Network Security Group" + type = string + default = "adb-nsg" +} + +# ── ADB Configuration ───────────────────────────────────────── +variable "adb_display_name" { + description = "Display name in the OCI console" + type = string +} + +variable "adb_db_name" { + description = "Technical database name (letters/numbers only, max 14 chars)" + type = string +} + +variable "adb_admin_password" { + description = "ADMIN user password (min 12 chars, uppercase, number and symbol required)" + type = string + sensitive = true +} + +variable "adb_workload_type" { + description = "Workload type: OLTP (ATP), DW (ADW), AJD (JSON), APEX" + type = string + default = "OLTP" + + validation { + condition = contains(["OLTP", "DW", "AJD", "APEX"], var.adb_workload_type) + error_message = "Must be one of: OLTP, DW, AJD, APEX." + } +} + +variable "adb_db_version" { + description = "Oracle database version" + type = string + default = "26ai" +} + +variable "adb_compute_model" { + description = "Compute model for the ADB (ECPU is required for new databases)" + type = string + default = "ECPU" +} + +variable "adb_cpu_core_count" { + description = "Number of ECPUs (minimum 2 in ECPU model)" + type = number + default = 2 +} + +variable "adb_storage_tbs" { + description = "Storage in terabytes (minimum 1)" + type = number + default = 1 +} + +variable "adb_auto_scaling" { + description = "Enable ECPU auto-scaling (up to 3x the configured value)" + type = bool + default = false +} + +variable "adb_private_endpoint_label" { + description = "Label for the ADB private endpoint (used as DNS hostname within the VCN)" + type = string + default = "adbprivate" +} + +# ── Connection security ─────────────────────────────────────── +variable "require_mtls" { + description = "Require mutual TLS authentication (mTLS). false = standard TLS" + type = bool + default = false +} \ No newline at end of file 
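Review bot: `adb_admin_password` documents a minimum length and required character classes but has no `validation` block, so a weak value is rejected only by the service at apply time, after the VCN, subnet and NSG have already been created; the public-endpoint `variables.tf` in this patch has the same gap. A length check fails fast and costs nothing: `validation { condition = length(var.adb_admin_password) >= 12` / `error_message = "adb_admin_password must be at least 12 characters." }`. The `require_mtls` description could also say that with `false` the ADMIN password is the only credential protecting the listener from any host the NSG admits.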
diff --git a/terraform/adb_from_subnet_private_endpoint/vcn.tf b/terraform/adb_from_subnet_private_endpoint/vcn.tf
new file mode 100644
index 0000000..7d98d8d
--- /dev/null
+++ b/terraform/adb_from_subnet_private_endpoint/vcn.tf
@@ -0,0 +1,44 @@
+# ============================================================
+# vcn.tf — Virtual Cloud Network and private subnet
+# ============================================================
+
+# ── VCN ──────────────────────────────────────────────────────
+resource "oci_core_vcn" "vcn" {
+ compartment_id = var.compartment_ocid
+ display_name = var.vcn_display_name
+ cidr_blocks = [var.vcn_cidr]
+ dns_label = var.vcn_dns_label
+}
+
+# ── Internet Gateway (required for HTTPS outbound from subnet) ──
+resource "oci_core_internet_gateway" "igw" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+ display_name = "${var.vcn_display_name}-igw"
+ enabled = true
+}
+
+# ── Route Table ───────────────────────────────────────────────
+resource "oci_core_route_table" "rt" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+ display_name = "${var.vcn_display_name}-rt"
+
+ route_rules {
+ destination = "0.0.0.0/0"
+ destination_type = "CIDR_BLOCK"
+ network_entity_id = oci_core_internet_gateway.igw.id
+ }
+}
+
+# ── Private Subnet ────────────────────────────────────────────
+resource "oci_core_subnet" "private_subnet" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_vcn.vcn.id
+ display_name = var.subnet_display_name
+ cidr_block = var.subnet_cidr
+ dns_label = var.subnet_dns_label
+ prohibit_public_ip_on_vnic = true # private subnet — no public IPs
+ route_table_id = oci_core_route_table.rt.id
+ security_list_ids = [oci_core_vcn.vcn.default_security_list_id]
+}
diff --git a/terraform/adb_from_subnet_private_endpoint/versions.tf b/terraform/adb_from_subnet_private_endpoint/versions.tf
new file mode 100644
index 0000000..b0a5c0b
--- /dev/null
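Review bot: `security_list_ids = [oci_core_vcn.vcn.default_security_list_id]` attaches the VCN's default security list to the ADB subnet, and security lists are evaluated in union with NSG rules, so by default (unless that list has been edited) TCP 22 from `0.0.0.0/0` and ICMP are admitted in addition to what `nsg.tf` allows; the NSG is not the sole ingress control the README describes. The subnet also gets a `0.0.0.0/0` route through an internet gateway; with `prohibit_public_ip_on_vnic = true` that route carries no outbound traffic and only becomes an exposure if someone later flips the flag, so a NAT gateway (or a service gateway for Oracle services) is the appropriate egress path for a private subnet, and the `# Internet Gateway (required for HTTPS outbound from subnet)` comment is inaccurate as written. The rewrite below adds a security list with no ingress rules and attaches it in place of the default one; the egress is kept to the VCN CIDR because the NSG's allow-all egress, raised separately on `nsg.tf`, would otherwise widen it again.

```hcl
# ── Security list: no ingress rules, so the NSG in nsg.tf is the only ingress control ──
resource "oci_core_security_list" "private_sl" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "${var.subnet_display_name}-sl"

  egress_security_rules {
    protocol    = "all"
    destination = var.vcn_cidr
  }
}

# … unchanged: oci_core_vcn.vcn, gateway and oci_core_route_table.rt …

resource "oci_core_subnet" "private_subnet" {
  # … unchanged: compartment_id, vcn_id, display_name, cidr_block, dns_label, prohibit_public_ip_on_vnic, route_table_id …
  security_list_ids = [oci_core_security_list.private_sl.id]
}
```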
+++ b/terraform/adb_from_subnet_private_endpoint/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 6.0.0"
+ }
+ }
+}
diff --git a/terraform/adb_with_public_endpoint_and_acls/README.md b/terraform/adb_with_public_endpoint_and_acls/README.md
new file mode 100644
index 0000000..d2eb0e8
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/README.md
@@ -0,0 +1,30 @@
+# Terraform — Oracle Autonomous Database with Public Endpoint and ACLs
+
+Creates an Autonomous Database (ADB) with a public endpoint and ACLs.
+
+## Files
+
+| File | Description |
+|---|---|
+| `main.tf` | Main ADB resource |
+| `variables.tf` | All configurable parameters |
+| `outputs.tf` | Values exported after apply |
+| `versions.tf` | Terraform and provider version requirements |
+| `provider.tf` | OCI provider configuration |
+| `terraform.tfvars` | Your actual values |
+
+## Quick Start
+
+```bash
+# 1. Edit terraform.tfvars with your real values:
+# (tenancy_ocid, user_ocid, fingerprint, private_key_path, ACLs, etc.)
+
+# 2. Initialize Terraform
+terraform init
+
+# 3. Review the plan before applying
+terraform plan
+
+# 4. Create the ADB
+terraform apply
+```
\ No newline at end of file
diff --git a/terraform/adb_with_public_endpoint_and_acls/main.tf b/terraform/adb_with_public_endpoint_and_acls/main.tf
new file mode 100644
index 0000000..6a57e3b
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/main.tf
@@ -0,0 +1,30 @@
+# ============================================================
+# main.tf — Autonomous Database with public endpoint and ACLs
+# ============================================================
+
+# ============================================================
+# Autonomous Database
+# ============================================================
+
+resource "oci_database_autonomous_database" "adb" {
+ compartment_id = var.compartment_ocid
+ display_name = var.adb_display_name
+ db_name = var.adb_db_name
+ admin_password = var.adb_admin_password
+ db_workload = var.adb_workload_type # OLTP | DW | AJD | APEX
+ db_version = var.adb_db_version
+ compute_model = var.adb_compute_model
+ compute_count = var.adb_cpu_core_count
+ data_storage_size_in_tbs = var.adb_storage_tbs
+ is_auto_scaling_enabled = var.adb_auto_scaling
+
+ # ── Public endpoint with ACL-controlled access ───────────
+ # "RESTRICTED" = public endpoint + mandatory ACLs
+ # "UNRESTRICTED" = public endpoint without ACLs (not recommended)
+ # "PRIVATE" = private endpoint inside VCN
+ whitelisted_ips = var.acl_allowed_cidrs
+
+ # mTLS: false = allows standard TLS connections (more flexible)
+ # true = requires client certificate (more secure)
+ is_mtls_connection_required = var.require_mtls
+}
diff --git a/terraform/adb_with_public_endpoint_and_acls/outputs.tf b/terraform/adb_with_public_endpoint_and_acls/outputs.tf
new file mode 100644
index 0000000..e3a958f
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/outputs.tf
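Review bot: The three comment lines above `whitelisted_ips` describe `RESTRICTED`/`UNRESTRICTED`/`PRIVATE` modes, but no attribute of this resource carries those values; the only access control actually configured is the ACL list in `whitelisted_ips`, and a reader may look for a mode switch that does not exist. Replace them with what the code does, e.g. `# whitelisted_ips is the ACL for the public endpoint: only these IPs/CIDRs/VCN OCIDs may connect;` / `# an empty list would leave the listener open to any source IP, which variables.tf rejects`. It is also worth stating beside `is_mtls_connection_required` that the ACL restricts source addresses only, so with `require_mtls = false` the ADMIN password is the remaining credential and the two settings should be read together.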
@@ -0,0 +1,18 @@
+# ============================================================
+# outputs.tf — Values exported after apply
+# ============================================================
+
+output "adb_id" {
+ description = "OCID of the created Autonomous Database"
+ value = oci_database_autonomous_database.adb.id
+}
+
+output "adb_acl_rules" {
+ description = "IPs and CIDRs configured in the ADB ACL"
+ value = oci_database_autonomous_database.adb.whitelisted_ips
+}
+
+output "adb_mtls_required" {
+ description = "Indicates whether mTLS is required for connections"
+ value = oci_database_autonomous_database.adb.is_mtls_connection_required
+}
diff --git a/terraform/adb_with_public_endpoint_and_acls/provider.tf b/terraform/adb_with_public_endpoint_and_acls/provider.tf
new file mode 100644
index 0000000..1a5bcef
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
diff --git a/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars b/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars
new file mode 100644
index 0000000..88a2e67
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars
@@ -0,0 +1,27 @@
+# ── OCI Credentials ──────────────────────────────────────────
+tenancy_ocid = ""
+user_ocid = ""
+fingerprint = ""
+private_key_path = ""
+region = "us-ashburn-1"
+
+compartment_ocid = ""
+
+# ── ADB Configuration ─────────────────────────────────────────
+adb_display_name = ""
+adb_db_name = ""
+adb_admin_password = ""
+adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX
+adb_db_version = "26ai"
+adb_cpu_core_count = 2
+adb_storage_tbs = 1
+adb_auto_scaling = false
+
+# ── ACLs ──────────────────────────────────────────────────────
+# Add all IPs or ranges that should have access
+acl_allowed_cidrs = [
+ ""
+]
+
+# ── Security ──────────────────────────────────────────────────
+require_mtls = false
diff --git a/terraform/adb_with_public_endpoint_and_acls/variables.tf b/terraform/adb_with_public_endpoint_and_acls/variables.tf
new file mode 100644
index 0000000..04ba9c7
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/variables.tf
@@ -0,0 +1,117 @@
+# ============================================================
+# variables.tf — Configurable parameters
+# ============================================================
+
+# ── OCI Credentials ──────────────────────────────────────────
+variable "tenancy_ocid" {
+ description = "OCID of the Oracle Cloud tenancy"
+ type = string
+}
+
+variable "user_ocid" {
+ description = "OCID of the OCI user"
+ type = string
+}
+
+variable "fingerprint" {
+ description = "Fingerprint of the user's API key"
+ type = string
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file (.pem)"
+ type = string
+}
+
+variable "region" {
+ description = "OCI region where the ADB will be created"
+ type = string
+}
+
+variable "compartment_ocid" {
+ description = "OCID of the compartment where the ADB will be created"
+ type = string
+}
+
+# ── ADB Configuration ─────────────────────────────────────────
+variable "adb_display_name" {
+ description = "Display name in the OCI console"
+ type = string
+}
+
+variable "adb_db_name" {
+ description = "Technical database name (letters/numbers only, max 14 chars)"
+ type = string
+}
+
+variable "adb_admin_password" {
+ description = "ADMIN user password (min 12 chars, uppercase, number and symbol required)"
+ type = string
+ sensitive = true
+}
+
+variable "adb_workload_type" {
+ description = "Workload type: OLTP (ATP), DW (ADW), AJD (JSON), APEX"
+ type = string
+
+ validation {
+ condition = contains(["OLTP", "DW", "AJD", "APEX"], var.adb_workload_type)
+ error_message = "Must be one of: OLTP, DW, AJD, APEX."
+ }
+}
+
+variable "adb_db_version" {
+ description = "Oracle database version"
+ type = string
+ default = "26ai"
+}
+
+variable "adb_compute_model" {
+ description = "Compute model for the ADB (ECPU is required for new databases)"
+ type = string
+ default = "ECPU"
+}
+
+variable "adb_cpu_core_count" {
+ description = "Number of ECPUs (minimum 2 in ECPU model)"
+ type = number
+ default = 2
+}
+
+variable "adb_storage_tbs" {
+ description = "Storage in terabytes (minimum 1)"
+ type = number
+ default = 1
+}
+
+variable "adb_auto_scaling" {
+ description = "Enable ECPU auto-scaling"
+ type = bool
+ default = false
+}
+
+# ── ACLs: IP-based access control ────────────────────────────
+variable "acl_allowed_cidrs" {
+ description = <<-EOT
+ List of allowed IPs or CIDR ranges for connecting to the ADB.
+ Also accepts VCN OCIDs in the format: ocid1.vcn.oc1...
+ Examples:
+ - "203.0.113.50" → individual IP
+ - "203.0.113.0/24" → network range
+ - "ocid1.vcn.oc1...." → full OCI VCN
+ EOT
+ type = list(string)
+ default = []
+
+ validation {
+ condition = length(var.acl_allowed_cidrs) > 0
+ error_message = "You must specify at least one IP or CIDR in acl_allowed_cidrs to protect the public endpoint."
+ }
+}
+
+# ── Connection security ───────────────────────────────────────
+variable "require_mtls" {
+ description = "Require mutual TLS authentication (mTLS). false = standard TLS"
+ type = bool
+ default = false
+}
diff --git a/terraform/adb_with_public_endpoint_and_acls/versions.tf b/terraform/adb_with_public_endpoint_and_acls/versions.tf
new file mode 100644
index 0000000..b0a5c0b
--- /dev/null
+++ b/terraform/adb_with_public_endpoint_and_acls/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 6.0.0"
+ }
+ }
+}
From c36125dbddc1562335612ecbf020d01d26b8f11d Mon Sep 17 00:00:00 2001
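Review bot: The `acl_allowed_cidrs` validation only checks `length(var.acl_allowed_cidrs) > 0`, so the value `[""]` shipped in this example's `terraform.tfvars` passes it, and so would `["0.0.0.0/0"]`, which defeats the purpose of the ACL. Validate the entries as well, e.g. `condition = length(var.acl_allowed_cidrs) > 0 && alltrue([for c in var.acl_allowed_cidrs : trimspace(c) != "" && c != "0.0.0.0/0"])` with an `error_message` saying every entry must be non-empty and must not be the whole IPv4 space; `alltrue` and `trimspace` are available under the `>= 1.5.0` requirement in `versions.tf`. Separately, `require_mtls` defaults to `false` in this public-endpoint example; for an internet-reachable listener the safer default is `true`, so that dropping to one-way TLS is an explicit choice made in tfvars rather than the silent default.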
From: David Cardenas Date: Mon, 11 May 2026 09:00:29 -0600 Subject: [PATCH 2/4] removing my sensible data --- .../terraform.tfvars | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/terraform/adb_from_subnet_private_endpoint/terraform.tfvars b/terraform/adb_from_subnet_private_endpoint/terraform.tfvars
index f89f66e..507df19 100644
--- a/terraform/adb_from_subnet_private_endpoint/terraform.tfvars
+++ b/terraform/adb_from_subnet_private_endpoint/terraform.tfvars
@@ -1,29 +1,29 @@
 # ── OCI Credentials ──────────────────────────────────────────
-tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaafcue47pqmrf4vigneebgbcmmoy5r7xvoypicjqqge32ewnrcyx2a"
-user_ocid = "ocid1.user.oc1..aaaaaaaatkpdjtfpvqwwpvcexdrfmlyvyk2ywsbs2atlvhqqxw6hkovhjala"
-fingerprint = "bd:13:f4:5a:a1:72:c5:98:00:1e:5a:3f:24:42:a7:fb"
-private_key_path = "~/.oci/oci_api_key.pem"
+tenancy_ocid = ""
+user_ocid = ""
+fingerprint = ""
+private_key_path = ""
 region = "us-ashburn-1"
 
-compartment_ocid = "ocid1.compartment.oc1..aaaaaaaapz4knoy7df3gvi6trkxd4yffaz6jzbaj6r5grv3b6v33remrw2ta"
+compartment_ocid = ""
 
 # ── VCN ──────────────────────────────────────────────────────
-vcn_display_name = "adb-vcn"
+vcn_display_name = ""
 vcn_cidr = "10.0.0.0/16"
-vcn_dns_label = "adbvcn"
+vcn_dns_label = ""
 
 # ── Subnet ────────────────────────────────────────────────────
-subnet_display_name = "adb-private-subnet"
+subnet_display_name = ""
 subnet_cidr = "10.0.1.0/24"
-subnet_dns_label = "adbsubnet"
+subnet_dns_label = ""
 
 # ── NSG ───────────────────────────────────────────────────────
-nsg_display_name = "adb-nsg"
+nsg_display_name = ""
 
 # ── ADB Configuration ─────────────────────────────────────────
-adb_display_name = "terravcndb"
-adb_db_name = "terravcndb"
-adb_admin_password = "HolaMundo1330"
+adb_display_name = ""
+adb_db_name = ""
+adb_admin_password = ""
 adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX
 adb_db_version = "26ai"
 adb_cpu_core_count = 2
From 82f40ca6a17630119c4f843785a2b8a390e825ca Mon Sep 17 00:00:00 2001 From: David Cardenas Date: Fri, 15 May 2026 11:27:31 -0600 Subject: [PATCH 3/4] Update OCPU to ECPU terraform example . --- .../.terraform.lock.hcl | 25 ++++++ terraform/adb_ocpu_to_ecpu_update/README.md | 67 +++++++++++++++ terraform/adb_ocpu_to_ecpu_update/main.tf | 27 ++++++ terraform/adb_ocpu_to_ecpu_update/outputs.tf | 23 +++++ terraform/adb_ocpu_to_ecpu_update/provider.tf | 7 ++ .../adb_ocpu_to_ecpu_update/terraform.tfvars | 17 ++++ .../adb_ocpu_to_ecpu_update/variables.tf | 84 +++++++++++++++++++ terraform/adb_ocpu_to_ecpu_update/versions.tf | 10 +++ 8 files changed, 260 insertions(+) create mode 100644 terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl create mode 100644 terraform/adb_ocpu_to_ecpu_update/README.md create mode 100644 terraform/adb_ocpu_to_ecpu_update/main.tf create mode 100644 terraform/adb_ocpu_to_ecpu_update/outputs.tf create mode 100644 terraform/adb_ocpu_to_ecpu_update/provider.tf create mode 100644 terraform/adb_ocpu_to_ecpu_update/terraform.tfvars create mode 100644 terraform/adb_ocpu_to_ecpu_update/variables.tf create mode 100644 terraform/adb_ocpu_to_ecpu_update/versions.tf diff --git a/terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl b/terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl new file mode 100644 index 0000000..5ea8e53 --- /dev/null +++ b/terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl 
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/oracle/oci" { + version = "8.14.0" + constraints = ">= 6.0.0" + hashes = [ + "h1:GD9SyetIxuyeGXSuP6NPu3xSAtxyk0LGNg2x1IocpvY=", + "zh:0f677f7609c10733f5a83d4add15a062b4b213fdcca53869611fc97bbae8e153", + "zh:277d3376d94dc2dee083f4604d2d27a55beb79c5c81c31008926c255655f1351", + "zh:30606342d76407d4199d612aa7ecf97e3e2630441dcbe91d54dc5efbf97a53ac", + "zh:3d36211d264636167d3b2ae87226b003b9da3e8d5e31826ffd3d484d27a82061", + "zh:5bdece1719420258b9eb7150db130d0c7cf1b26eb99bc19b781a7613d43d5a76", + "zh:916f51472593ac4e0fac7fba292ab4a001cdb4991f50514c880b00e3f8699da2", + "zh:99de6ad9bfddc28db2dbfc4022826eead1e287ba7f53e3da55419df7e6a5e46c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a03be6c6a73f0140022bc2ba0afc7377f55a2da48b1cac8b85b5c0a711d1df94", + "zh:a1518b65e51f6b56807cfb570ff591a594f5a8f1168951a3a34183b3adc52a25", + "zh:bb4ff42d8b8ebda39856a0776b158517e3da564ce17e0ba2d3e7818cdab8f838", + "zh:bd5f07135742acd3d8e8b06476a0a2bde621a8707ed5f6f9499ac7cfa5ca73b1", + "zh:bfe90d987619bbf42f359f88b46a66e16aeedf33130044cbcf8e6f0791c10ece", + "zh:c8d969593b9ca8a3382896f3fd675af428b1647de3e78460dbfed793a02c4172", + "zh:e2562ac49ab980da419822fd2a61be6957e3253b39600ebfd36d922e4788508d", + ] +} diff --git a/terraform/adb_ocpu_to_ecpu_update/README.md b/terraform/adb_ocpu_to_ecpu_update/README.md new file mode 100644 index 0000000..a10aaa5 --- /dev/null +++ b/terraform/adb_ocpu_to_ecpu_update/README.md 
@@ -0,0 +1,67 @@
+# Terraform — Migrate Autonomous Database from OCPU to ECPU
+
+Migrates an existing Autonomous Database (ADB) from the OCPU compute model to the ECPU compute model. Supports all workload types: ATP, ADW, AJD, and APEX.
+
+## Files
+
+| File | Description |
+|---|---|
+| `main.tf` | ADB resource with ECPU compute model configuration |
+| `variables.tf` | All configurable parameters |
+| `outputs.tf` | Values exported after apply |
+| `versions.tf` | Terraform and provider version requirements |
+| `provider.tf` | OCI provider configuration |
+| `terraform.tfvars` | Your actual values |
+
+## Quick Start
+
+```bash
+# 1. Edit terraform.tfvars with your real values
+# (tenancy_ocid, user_ocid, fingerprint, private_key_path, adb_ocid, etc.)
+
+# 2. Initialize Terraform
+terraform init
+
+# 3. Import the existing ADB into the Terraform state
+terraform import oci_database_autonomous_database.adb
+
+# 4. Review the plan before applying
+terraform plan
+
+# 5. Apply the migration
+terraform apply
+```
+
+## Variables
+
+| Variable | Description | Default |
+|---|---|---|
+| `tenancy_ocid` | OCID of the OCI tenancy | — |
+| `user_ocid` | OCID of the OCI user | — |
+| `fingerprint` | Fingerprint of the API key | — |
+| `private_key_path` | Path to the private key file (.pem) | — |
+| `region` | OCI region where the ADB resides | — |
+| `compartment_ocid` | OCID of the compartment where the ADB resides | — |
+| `adb_display_name` | Display name in the OCI console | — |
+| `adb_db_name` | Technical database name (max 14 chars) | — |
+| `adb_admin_password` | ADMIN password — not used during migration (see note below) | — |
+| `adb_workload_type` | Workload type: `OLTP`, `DW`, `AJD`, `APEX` | — |
+| `adb_cpu_core_count` | Number of ECPUs (min 2, multiples of 2) | `2` |
+| `adb_storage_tbs` | Storage in terabytes | `1` |
+| `adb_auto_scaling` | Enable ECPU auto-scaling | `false` |
+
+## Outputs
+
+| Output | Description |
+|---|---|
+| `adb_id` | OCID of the Autonomous Database |
+| `compute_model` | Compute model after migration (`ECPU`) |
+| `compute_count` | Number of ECPUs assigned |
+| `adb_state` | Current lifecycle state of the ADB |
+
+## Notes
+
+- **terraform import:** The database already exists, so it must be imported into the Terraform state before applying. Without this step, `terraform apply` would try to create a new database instead of updating the existing one.
+- **admin_password:** The `lifecycle { ignore_changes = [admin_password] }` block is set in `main.tf`. Terraform ignores this field during apply. The value in `terraform.tfvars` is required by the provider schema but has no effect on the migration.
+- **ECPU count:** Minimum value is 2. Must be set in multiples of 2. Reference: 1 OCPU ≈ 2 ECPUs.
+- **Workload types:** The migration works for all ADB workload types — ATP (`OLTP`), ADW (`DW`), AJD (`AJD`), and APEX.
diff --git a/terraform/adb_ocpu_to_ecpu_update/main.tf b/terraform/adb_ocpu_to_ecpu_update/main.tf
new file mode 100644
index 0000000..c801930
--- /dev/null
+++ b/terraform/adb_ocpu_to_ecpu_update/main.tf
@@ -0,0 +1,27 @@
+# ============================================================
+# main.tf — Migrate Autonomous Database from OCPU to ECPU
+# ============================================================
+
+# ============================================================
+# Autonomous Database
+# ============================================================
+
+resource "oci_database_autonomous_database" "adb" {
+ compartment_id = var.compartment_ocid
+ display_name = var.adb_display_name
+ db_name = var.adb_db_name
+ admin_password = var.adb_admin_password
+ db_workload = var.adb_workload_type # OLTP | DW | AJD | APEX
+ data_storage_size_in_tbs = var.adb_storage_tbs
+ is_auto_scaling_enabled = var.adb_auto_scaling
+
+ # ── Compute model migration ───────────────────────────────
+ # Changing from OCPU to ECPU triggers a brief DB restart (~2-5 min)
+ # ECPU minimum is 2, must be set in multiples of 2
+ compute_model = "ECPU"
+ compute_count = var.adb_cpu_core_count
+
+ lifecycle {
+ ignore_changes = [admin_password]
+ }
+}
diff --git a/terraform/adb_ocpu_to_ecpu_update/outputs.tf b/terraform/adb_ocpu_to_ecpu_update/outputs.tf
new file mode 100644
index 0000000..6a4dd9e
--- /dev/null
+++ b/terraform/adb_ocpu_to_ecpu_update/outputs.tf
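Review bot: The `lifecycle` block guards only `admin_password`; there is no `prevent_destroy = true`, so if the import step in the README is skipped, or the plan for the imported database comes out as a replacement (for instance because `db_name` or `db_workload` in tfvars does not match the live database), `terraform apply` would delete an existing database and create a new one. Adding `prevent_destroy = true` beside `ignore_changes = [admin_password]` makes that path fail at plan time instead. Every other attribute set on the resource (display name, workload, storage, auto-scaling) is reconciled against the imported state as well, so the comment above `compute_model` should say that the plan must show nothing beyond the compute_model/compute_count update before apply. The README's sizing note of roughly 1 OCPU ≈ 2 ECPUs should be checked against current Oracle guidance before `compute_count` is derived from it; I believe the published ratio is larger, and an undersized count leaves the migrated database with less capacity than it had.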
@@ -0,0 +1,23 @@
+# ============================================================
+# outputs.tf — Values exported after apply
+# ============================================================
+
+output "adb_id" {
+ description = "OCID of the Autonomous Database"
+ value = oci_database_autonomous_database.adb.id
+}
+
+output "compute_model" {
+ description = "Compute model in use after migration (ECPU)"
+ value = oci_database_autonomous_database.adb.compute_model
+}
+
+output "compute_count" {
+ description = "Number of ECPUs assigned after migration"
+ value = oci_database_autonomous_database.adb.compute_count
+}
+
+output "adb_state" {
+ description = "Current lifecycle state of the Autonomous Database"
+ value = oci_database_autonomous_database.adb.state
+}
diff --git a/terraform/adb_ocpu_to_ecpu_update/provider.tf b/terraform/adb_ocpu_to_ecpu_update/provider.tf
new file mode 100644
index 0000000..1a5bcef
--- /dev/null
+++ b/terraform/adb_ocpu_to_ecpu_update/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
diff --git a/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars b/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars
new file mode 100644
index 0000000..55ccf3b
--- /dev/null
+++ b/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars
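Review bot: `provider "oci"` takes every API-key parameter from a variable, which is what pushes the user OCID, key fingerprint and private-key path into `terraform.tfvars`. The provider can read the same profile from the OCI CLI config via `config_file_profile`, or use `auth = "SecurityToken"` for short-lived session tokens, so an example needs no credential material in its Terraform inputs at all. If the explicit arguments stay, the `private_key_path` description should state that the key file must live outside the repository.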
@@ -0,0 +1,17 @@ +# ── OCI Credentials ────────────────────────────────────────── +tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaakc2xkehakt7bmhmipdbhz3tbkej53jzwmrlmuqoloydlotthkrbq" +user_ocid = "ocid1.user.oc1..aaaaaaaas3nxkab5ct2mhfno7j2ltpcsiyhi5xzrs7xwcprpmpbfoxvsylva" +fingerprint = "ae:0d:91:96:d9:10:07:81:ba:f4:b2:af:db:48:06:25" +private_key_path = "/Users/davcarde/.oci/oci_api_key_t5.pem" +region = "us-ashburn-1" + +compartment_ocid = "ocid1.tenancy.oc1..aaaaaaaakc2xkehakt7bmhmipdbhz3tbkej53jzwmrlmuqoloydlotthkrbq" + +# ── ADB Configuration ───────────────────────────────────────── +adb_display_name = "xiaTest2" +adb_db_name = "xiaTest2" +adb_admin_password = "HolaMundo1330" +adb_workload_type = "AJD" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_cpu_core_count = 2 # ECPU: minimum 2, multiples of 2 +adb_storage_tbs = 1 +adb_auto_scaling = false diff --git a/terraform/adb_ocpu_to_ecpu_update/variables.tf b/terraform/adb_ocpu_to_ecpu_update/variables.tf new file mode 100644 index 0000000..2817673 --- /dev/null +++ b/terraform/adb_ocpu_to_ecpu_update/variables.tf 
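Review bot: `terraform.tfvars` commits what look like a real tenancy OCID, user OCID, API-key fingerprint, a user-specific absolute private-key path and a plaintext ADMIN password; `sensitive = true` on the variable only redacts plan output and does nothing for a value checked into git. The file should ship as `terraform.tfvars.example` with placeholders, `terraform.tfvars` should be added to `.gitignore`, and the committed password should be treated as exposed and changed on the database, since `ignore_changes = [admin_password]` means Terraform will never rotate it. `compartment_ocid` also repeats the tenancy OCID, i.e. the root compartment; an example should point at a dedicated compartment so the API key only needs rights there.
```hcl
# ── OCI Credentials ──────  (placeholders — copy to terraform.tfvars, which is git-ignored)
tenancy_ocid     = "<TENANCY_OCID>"
user_ocid        = "<USER_OCID>"
fingerprint      = "<API_KEY_FINGERPRINT>"
private_key_path = "~/.oci/<KEY_FILE>.pem"   # outside the repository
region           = "<REGION>"

compartment_ocid = "<COMPARTMENT_OCID>"      # a dedicated compartment, not the tenancy root

# … unchanged: ADB display/db name, workload, ECPU count, storage, auto-scaling …
adb_admin_password = "<ADMIN_PASSWORD>"      # required by the provider schema, ignored on apply
```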
@@ -0,0 +1,84 @@
+# ============================================================
+# variables.tf — Configurable parameters
+# ============================================================
+
+# ── OCI Credentials ──────────────────────────────────────────
+variable "tenancy_ocid" {
+ description = "OCID of the Oracle Cloud tenancy"
+ type = string
+}
+
+variable "user_ocid" {
+ description = "OCID of the OCI user"
+ type = string
+}
+
+variable "fingerprint" {
+ description = "Fingerprint of the user's API key"
+ type = string
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file (.pem)"
+ type = string
+}
+
+variable "region" {
+ description = "OCI region where the ADB resides"
+ type = string
+}
+
+variable "compartment_ocid" {
+ description = "OCID of the compartment where the ADB resides"
+ type = string
+}
+
+# ── ADB Configuration ─────────────────────────────────────────
+variable "adb_display_name" {
+ description = "Display name in the OCI console"
+ type = string
+}
+
+variable "adb_db_name" {
+ description = "Technical database name (letters/numbers only, max 14 chars)"
+ type = string
+}
+
+variable "adb_admin_password" {
+ description = "ADMIN user password (min 12 chars, uppercase, number and symbol required)"
+ type = string
+ sensitive = true
+}
+
+variable "adb_workload_type" {
+ description = "Workload type: OLTP (ATP), DW (ADW), AJD (JSON), APEX"
+ type = string
+
+ validation {
+ condition = contains(["OLTP", "DW", "AJD", "APEX"], var.adb_workload_type)
+ error_message = "Must be one of: OLTP, DW, AJD, APEX."
+ }
+}
+
+variable "adb_cpu_core_count" {
+ description = "Number of ECPUs to assign (minimum 2, must be a multiple of 2)"
+ type = number
+ default = 2
+
+ validation {
+ condition = var.adb_cpu_core_count >= 2 && var.adb_cpu_core_count % 2 == 0
+ error_message = "ECPU count must be at least 2 and a multiple of 2."
+ }
+}
+
+variable "adb_storage_tbs" {
+ description = "Storage in terabytes (minimum 1)"
+ type = number
+ default = 1
+}
+
+variable "adb_auto_scaling" {
+ description = "Enable ECPU auto-scaling"
+ type = bool
+ default = false
+}
diff --git a/terraform/adb_ocpu_to_ecpu_update/versions.tf b/terraform/adb_ocpu_to_ecpu_update/versions.tf
new file mode 100644
index 0000000..b0a5c0b
--- /dev/null
+++ b/terraform/adb_ocpu_to_ecpu_update/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 6.0.0"
+ }
+ }
+}
From 19ff75fa2ef461167f442bb34e240dfc7b85fe1c Mon Sep 17 00:00:00 2001 From: David Cardenas Date: Fri, 15 May 2026 12:01:26 -0600 Subject: [PATCH 4/4] deleting unnecessary file --- .../.terraform.lock.hcl | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl
diff --git a/terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl b/terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl
deleted file mode 100644
index 5ea8e53..0000000
--- a/terraform/adb_ocpu_to_ecpu_update/.terraform.lock.hcl
+++ /dev/null
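Review bot: `adb_db_name` and `adb_storage_tbs` state constraints in their descriptions ("letters/numbers only, max 14 chars", "minimum 1") but, unlike `adb_workload_type` and `adb_cpu_core_count` in the same file, carry no `validation` block, so a bad value is only rejected by the OCI API after the import, mid-apply; the validations below mirror the descriptions. The README's Quick Start also lists an `adb_ocid` tfvars value, but no such variable is declared here or used by main.tf, so either declare it and reference it in the documented import command or drop it from the README.
```hcl
variable "adb_db_name" {
  description = "Technical database name (letters/numbers only, max 14 chars)"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9]{1,14}$", var.adb_db_name))
    error_message = "db_name must be 1-14 letters or digits."
  }
}

# … unchanged: adb_admin_password, adb_workload_type, adb_cpu_core_count …

variable "adb_storage_tbs" {
  description = "Storage in terabytes (minimum 1)"
  type        = number
  default     = 1

  validation {
    condition     = var.adb_storage_tbs >= 1
    error_message = "Storage must be at least 1 TB."
  }
}
```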
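Review bot: `version = ">= 6.0.0"` is an open-ended lower bound, and the `.terraform.lock.hcl` that pinned `oracle/oci` at 8.14.0 is deleted again in PATCH 4/4, so each `terraform init` resolves to whatever the newest provider release is, with no checksum in the repository to compare against. For an example that mutates an existing database, pin a tested major with `version = "~> 8.14"` and keep the lock file committed, as Terraform's own guidance recommends, instead of removing it.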
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/oracle/oci" { - version = "8.14.0" - constraints = ">= 6.0.0" - hashes = [ - "h1:GD9SyetIxuyeGXSuP6NPu3xSAtxyk0LGNg2x1IocpvY=", - "zh:0f677f7609c10733f5a83d4add15a062b4b213fdcca53869611fc97bbae8e153", - "zh:277d3376d94dc2dee083f4604d2d27a55beb79c5c81c31008926c255655f1351", - "zh:30606342d76407d4199d612aa7ecf97e3e2630441dcbe91d54dc5efbf97a53ac", - "zh:3d36211d264636167d3b2ae87226b003b9da3e8d5e31826ffd3d484d27a82061", - "zh:5bdece1719420258b9eb7150db130d0c7cf1b26eb99bc19b781a7613d43d5a76", - "zh:916f51472593ac4e0fac7fba292ab4a001cdb4991f50514c880b00e3f8699da2", - "zh:99de6ad9bfddc28db2dbfc4022826eead1e287ba7f53e3da55419df7e6a5e46c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a03be6c6a73f0140022bc2ba0afc7377f55a2da48b1cac8b85b5c0a711d1df94", - "zh:a1518b65e51f6b56807cfb570ff591a594f5a8f1168951a3a34183b3adc52a25", - "zh:bb4ff42d8b8ebda39856a0776b158517e3da564ce17e0ba2d3e7818cdab8f838", - "zh:bd5f07135742acd3d8e8b06476a0a2bde621a8707ed5f6f9499ac7cfa5ca73b1", - "zh:bfe90d987619bbf42f359f88b46a66e16aeedf33130044cbcf8e6f0791c10ece", - "zh:c8d969593b9ca8a3382896f3fd675af428b1647de3e78460dbfed793a02c4172", - "zh:e2562ac49ab980da419822fd2a61be6957e3253b39600ebfd36d922e4788508d", - ] -}