From 3a2a122dd8318437b67522913b7bc99c55b584ee Mon Sep 17 00:00:00 2001 
From: David Cardenas Date: Mon, 25 May 2026 18:13:50 -0600 Subject: [PATCH 1/2] Adding 3 new code examples 1. Wallet Rotation (Should one-time terraform operation) 2. ADB-S secured with OCI Vault / customer-managed keys 3. Long-term backup scheduling / retention policy example for compliance Sign-off by: David Cardenas david.cardenas@oracle.com --- .../.terraform.lock.hcl | 25 ---- .../adb_long-term_backup_scheduling/README.md | 109 ++++++++++++++++ .../adb_long-term_backup_scheduling/main.tf | 47 +++++++ .../outputs.tf | 30 +++++ .../provider.tf | 7 ++ .../terraform.tfvars | 21 ++++ .../variables.tf | 92 ++++++++++++++ .../versions.tf | 10 ++ terraform/adb_wallet_rotation/README.md | 116 +++++++++++++++++ terraform/adb_wallet_rotation/main.tf | 22 ++++ terraform/adb_wallet_rotation/outputs.tf | 15 +++ terraform/adb_wallet_rotation/provider.tf | 7 ++ .../adb_wallet_rotation/terraform.tfvars | 22 ++++ terraform/adb_wallet_rotation/variables.tf | 95 ++++++++++++++ terraform/adb_wallet_rotation/versions.tf | 18 +++ .../adb_wallet_rotation/wallet_rotation.tf | 43 +++++++ .../adb_with_customer-managed_keys/README.md | 97 ++++++++++++++ .../dynamic_group.tf | 17 +++ .../adb_with_customer-managed_keys/key.tf | 25 ++++ .../adb_with_customer-managed_keys/main.tf | 27 ++++ .../adb_with_customer-managed_keys/outputs.tf | 31 +++++ .../adb_with_customer-managed_keys/policy.tf | 24 ++++ .../provider.tf | 7 ++ .../terraform.tfvars | 31 +++++ .../variables.tf | 118 ++++++++++++++++++ .../adb_with_customer-managed_keys/vault.tf | 18 +++ .../versions.tf | 14 +++ 27 files changed, 1063 insertions(+), 25 deletions(-) delete mode 100644 terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl create mode 100644 terraform/adb_long-term_backup_scheduling/README.md create mode 100644 terraform/adb_long-term_backup_scheduling/main.tf create mode 100644 terraform/adb_long-term_backup_scheduling/outputs.tf create mode 100644 terraform/adb_long-term_backup_scheduling/provider.tf create 
mode 100644 terraform/adb_long-term_backup_scheduling/terraform.tfvars create mode 100644 terraform/adb_long-term_backup_scheduling/variables.tf create mode 100644 terraform/adb_long-term_backup_scheduling/versions.tf create mode 100644 terraform/adb_wallet_rotation/README.md create mode 100644 terraform/adb_wallet_rotation/main.tf create mode 100644 terraform/adb_wallet_rotation/outputs.tf create mode 100644 terraform/adb_wallet_rotation/provider.tf create mode 100644 terraform/adb_wallet_rotation/terraform.tfvars create mode 100644 terraform/adb_wallet_rotation/variables.tf create mode 100644 terraform/adb_wallet_rotation/versions.tf create mode 100644 terraform/adb_wallet_rotation/wallet_rotation.tf create mode 100644 terraform/adb_with_customer-managed_keys/README.md create mode 100644 terraform/adb_with_customer-managed_keys/dynamic_group.tf create mode 100644 terraform/adb_with_customer-managed_keys/key.tf create mode 100644 terraform/adb_with_customer-managed_keys/main.tf create mode 100644 terraform/adb_with_customer-managed_keys/outputs.tf create mode 100644 terraform/adb_with_customer-managed_keys/policy.tf create mode 100644 terraform/adb_with_customer-managed_keys/provider.tf create mode 100644 terraform/adb_with_customer-managed_keys/terraform.tfvars create mode 100644 terraform/adb_with_customer-managed_keys/variables.tf create mode 100644 terraform/adb_with_customer-managed_keys/vault.tf create mode 100644 terraform/adb_with_customer-managed_keys/versions.tf diff --git a/terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl b/terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl deleted file mode 100644 index 1ce5b38..0000000 --- a/terraform/adb_from_subnet_private_endpoint/.terraform.lock.hcl +++ /dev/null 
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/oracle/oci" { - version = "8.13.0" - constraints = ">= 6.0.0" - hashes = [ - "h1:XzP1XWq0WnCHW3tQw8ZOA41BiKyzvdkyZUiI+ZfpzJo=", - "zh:055ef341b3370d90b08f1ab56fdede11747c33a8a4f76c01382e80a9eac70c8f", - "zh:23713f132f34d0da9dbc11421d4b83d10f7fce677e1a5aafcf07619b12bf1a33", - "zh:443afc4c6183d6e9806d7414e4096a2669d0d3435118b37b7fd7bb5bc2596fa9", - "zh:579379341440d9be2fb82eeba58f7bb5874868b673c60cff8b8a50bea0747a74", - "zh:67a3a5df051e44e180e859bbef8480be10c0a9a7a719fb23abe545811cec3524", - "zh:7069d4bc824bf2dd3e6d476f86482bfb96c72ab465e3f770804e62af62935513", - "zh:7c6222cfb7f0a6ed330795457f40909e55b2736552767805f9b2bdf784bac1e1", - "zh:8346570c97b2f65787b475b2019c8ac7d96d142e9ecd99de85abd7ccf3518058", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a87d6e48c3f4f97417380518aafe14e3a30d297bee163b2718ded0b8b78da5b5", - "zh:ae690079802ffae84c83774b36707765a4d79b17b5971faa1c46fe39f299e0e8", - "zh:b78eea21c5ab34d00f243f490e3744925a783c67882a027c53f4ef827349a630", - "zh:bc8b719cccfdd20ae8e055abb8ca7d9a27ad629f4904f163850a6e79c8c17482", - "zh:c58b39a86a320ab74d340fde48bf0d83fc6de4a790846eb5b91c69b0a6205ca6", - "zh:ee4cf6cbafa373bd50de976a0cd5c2429ca8b4c0879dea9831891063820c3a9c", - ] -} diff --git a/terraform/adb_long-term_backup_scheduling/README.md b/terraform/adb_long-term_backup_scheduling/README.md new file mode 100644 index 0000000..74b59d4 --- /dev/null +++ b/terraform/adb_long-term_backup_scheduling/README.md 
@@ -0,0 +1,109 @@ +# Terraform — Long-Term Backup Scheduling and Retention Policy + +Configures automatic backup retention and a long-term backup schedule on an existing Autonomous Database. Designed for compliance scenarios where data must be retained beyond the 60-day automatic backup limit. + +## Files + +| File | Description | +|---|---| +| `versions.tf` | Terraform and provider version requirements | +| `provider.tf` | OCI provider configuration | +| `main.tf` | Automatic backup retention and long-term backup schedule | +| `variables.tf` | All configurable parameters | +| `outputs.tf` | Values exported after apply | +| `terraform.tfvars` | Fill in your values | + +## Quick Start + +```bash +# 1. Initialize Terraform +terraform init + +# 2. Import the existing ADB into the Terraform state +terraform import oci_database_autonomous_database.adb + +# 3. Review the plan — the ADB should show only backup-related changes +terraform plan + +# 4. Apply +terraform apply +``` + +## Backup Architecture + +``` +Existing Autonomous Database +├── Automatic backups (daily, managed by OCI) +│ └── Retained for backup_retention_days (1–60 days) +│ +└── Long-term backup schedule (managed by OCI natively) + ├── Cadence: ONE_TIME | WEEKLY | MONTHLY | YEARLY + ├── Anchor: backup_schedule_time (RFC3339) + └── Retained for long_term_backup_retention_days (90–3650 days) +``` + +## Schedule Reference + +| Cadence | Behavior | +|---|---| +| `ONE_TIME` | Single backup taken at `backup_schedule_time` | +| `WEEKLY` | Repeats every 7 days at the same time and day of week | +| `MONTHLY` | Repeats on the same day each month (last day if >= 29) | +| `YEARLY` | Repeats on the same date each year | + +## Retention Reference + +| Period | Days | +|---|---| +| 3 months (minimum) | 90 | +| 1 year | 365 | +| 2 years | 730 | +| 5 years | 1825 | +| 7 years | 2555 | +| 10 years (maximum) | 3650 | + +## Variables + +| Variable | Description | Default | +|---|---|---| +| `tenancy_ocid` | OCID of the OCI 
tenancy | — | +| `user_ocid` | OCID of the OCI user | — | +| `fingerprint` | Fingerprint of the API key | — | +| `private_key_path` | Path to the private key file (.pem) | — | +| `region` | OCI region where the ADB resides | `us-ashburn-1` | +| `compartment_ocid` | OCID of the compartment where the ADB resides | — | +| `adb_ocid` | OCID of the existing Autonomous Database | — | +| `adb_db_name` | Technical database name (must match exactly) | — | +| `adb_admin_password` | ADMIN password (required by provider, not modified) | — | +| `backup_retention_days` | Automatic daily backup retention in days (1–60) | `30` | +| `backup_schedule_cadence` | Backup frequency: `ONE_TIME`, `WEEKLY`, `MONTHLY`, `YEARLY` | `MONTHLY` | +| `backup_schedule_time` | RFC3339 anchor timestamp for the schedule | — | +| `long_term_backup_retention_days` | Long-term backup retention in days (90–3650) | `365` | + +## Outputs + +| Output | Description | +|---|---| +| `adb_id` | OCID of the Autonomous Database | +| `backup_retention_days` | Automatic backup retention period in days | +| `backup_schedule_cadence` | Frequency of the long-term backup schedule | +| `backup_schedule_time` | Anchor timestamp for the long-term backup schedule | +| `long_term_backup_retention_days` | Long-term backup retention period in days | + +## Notes + +- **Existing ADB required:** This Terraform is designed for existing databases only. Import the ADB before running `terraform apply` — see Quick Start above. + +- **Automatic backup prerequisite:** OCI requires at least one automatic backup to exist before the long-term backup schedule activates. After provisioning a new ADB, wait up to 4 hours for the first automatic backup to complete. + +- **`backup_schedule_time` format:** Must be a valid RFC3339 timestamp in UTC. Example: `2025-06-01T02:00:00Z`. This timestamp serves as both the first backup date and the anchor point for the recurring schedule. 
+ +- **MONTHLY cadence edge case:** If `backup_schedule_time` falls on day 29, 30, or 31, OCI takes the backup on the last day of months with fewer days. + +- **`admin_password` in tfvars:** Required by the OCI provider schema but listed in `ignore_changes`. Terraform will never use it to modify the database password. + +- **Automatic backup limit:** OCI automatic backups support a maximum of 60 days. For retention beyond 60 days, the long-term backup schedule is required. + +- **Storage costs:** Long-term backups incur additional Object Storage costs beyond the standard ADB storage bill. + +- **Restore from long-term backup:** Long-term backups can only be used to clone a new database, not to restore in-place. Go to your ADB in the OCI console → Backups → select the long-term backup → click Clone. diff --git a/terraform/adb_long-term_backup_scheduling/main.tf b/terraform/adb_long-term_backup_scheduling/main.tf new file mode 100644 index 0000000..3ca75dd --- /dev/null +++ b/terraform/adb_long-term_backup_scheduling/main.tf 
@@ -0,0 +1,47 @@
+# ============================================================
+# main.tf — Existing ADB — backup retention and schedule
+# Updates automatic backup retention and configures a long-term
+# backup schedule on an existing Autonomous Database.
+# ============================================================
+
+resource "oci_database_autonomous_database" "adb" {
+ # Required by the provider schema — values must match the existing ADB.
+ compartment_id = var.compartment_ocid
+ db_name = var.adb_db_name
+ admin_password = var.adb_admin_password
+
+ # ── Automatic backup retention ────────────────────────────
+ # Retention period for daily automatic backups (1–60 days).
+ # For retention beyond 60 days use long_term_backup_schedule below.
+ backup_retention_period_in_days = var.backup_retention_days
+
+ # ── Long-term backup schedule ─────────────────────────────
+ # OCI manages the schedule natively — no crontab or external tooling required.
+ # repeat_cadence options: ONE_TIME | WEEKLY | MONTHLY | YEARLY
+ # time_of_backup: RFC3339 timestamp — anchor point for the recurring schedule.
+ long_term_backup_schedule {
+ repeat_cadence = var.backup_schedule_cadence
+ retention_period_in_days = var.long_term_backup_retention_days
+ time_of_backup = var.backup_schedule_time
+ is_disabled = false
+ }
+
+ # ── Lifecycle ─────────────────────────────────────────────
+ # Ignore fields not relevant to backup configuration so that
+ # Terraform does not attempt to modify the existing ADB.
+ lifecycle {
+ ignore_changes = [
+ admin_password,
+ display_name,
+ db_workload,
+ db_version,
+ compute_model,
+ compute_count,
+ data_storage_size_in_tbs,
+ license_model,
+ is_mtls_connection_required,
+ whitelisted_ips,
+ freeform_tags,
+ ]
+ }
+}
diff --git a/terraform/adb_long-term_backup_scheduling/outputs.tf b/terraform/adb_long-term_backup_scheduling/outputs.tf
new file mode 100644
index 0000000..bbde241
--- /dev/null
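Review bot: The `lifecycle` block guards only against drift on the listed attributes; nothing guards the imported database against a replacement plan. The comment at the top requires `compartment_id` and `db_name` to match the existing ADB, yet a mismatched tfvars value would make `terraform apply` propose moving, or destroying and recreating, a live database instead of the backup-only change the README promises. For a module that only ever manages an imported resource, add `prevent_destroy = true` beside `ignore_changes` so any plan that contains a destroy is refused. Attributes absent from `ignore_changes` (anything the provider does not treat as computed) may also surface as unintended changes after import; the first `terraform plan` is worth checking against that list.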
+++ b/terraform/adb_long-term_backup_scheduling/outputs.tf
@@ -0,0 +1,30 @@
+# ============================================================
+# outputs.tf — Values exported after apply
+# ============================================================
+
+# ── ADB ───────────────────────────────────────────────────────
+output "adb_id" {
+ description = "OCID of the Autonomous Database"
+ value = oci_database_autonomous_database.adb.id
+}
+
+output "backup_retention_days" {
+ description = "Automatic backup retention period in days"
+ value = oci_database_autonomous_database.adb.backup_retention_period_in_days
+}
+
+# ── Long-term backup schedule ─────────────────────────────────
+output "backup_schedule_cadence" {
+ description = "Frequency of the long-term backup schedule"
+ value = var.backup_schedule_cadence
+}
+
+output "backup_schedule_time" {
+ description = "Anchor timestamp for the long-term backup schedule"
+ value = var.backup_schedule_time
+}
+
+output "long_term_backup_retention_days" {
+ description = "Long-term backup retention period in days"
+ value = var.long_term_backup_retention_days
+}
diff --git a/terraform/adb_long-term_backup_scheduling/provider.tf b/terraform/adb_long-term_backup_scheduling/provider.tf
new file mode 100644
index 0000000..1a5bcef
--- /dev/null
+++ b/terraform/adb_long-term_backup_scheduling/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
diff --git a/terraform/adb_long-term_backup_scheduling/terraform.tfvars b/terraform/adb_long-term_backup_scheduling/terraform.tfvars
new file mode 100644
index 0000000..1e58210
--- /dev/null
+++ b/terraform/adb_long-term_backup_scheduling/terraform.tfvars
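Review bot: `backup_schedule_cadence`, `backup_schedule_time` and `long_term_backup_retention_days` echo the input variables rather than the resource, so after apply they report what was requested, not what OCI recorded, whereas `backup_retention_days` just above reads the resource attribute. Read the nested block instead, e.g. `value = oci_database_autonomous_database.adb.long_term_backup_schedule[0].repeat_cadence`, and likewise `[0].time_of_backup` and `[0].retention_period_in_days`, so a schedule that OCI rejected or normalized is visible in the outputs.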
@@ -0,0 +1,21 @@
+# ── OCI Credentials ──────────────────────────────────────────
+tenancy_ocid = ""
+user_ocid = ""
+fingerprint = ""
+private_key_path = ""
+region = "us-ashburn-1"
+
+compartment_ocid = ""
+
+# ── Existing ADB ──────────────────────────────────────────────
+adb_ocid = ""
+adb_db_name = ""
+adb_admin_password = ""
+
+# ── Backup — automatic ────────────────────────────────────────
+backup_retention_days = 60 # 1–60 days
+
+# ── Backup — long-term schedule ───────────────────────────────
+backup_schedule_cadence = "MONTHLY" # ONE_TIME | WEEKLY | MONTHLY | YEARLY
+backup_schedule_time = "2026-06-01T02:00:00Z" # RFC3339 — first backup and recurring anchor
+long_term_backup_retention_days = 365 # 365=1yr | 730=2yr | 1825=5yr | 3650=10yr
diff --git a/terraform/adb_long-term_backup_scheduling/variables.tf b/terraform/adb_long-term_backup_scheduling/variables.tf
new file mode 100644
index 0000000..5a95f82
--- /dev/null
+++ b/terraform/adb_long-term_backup_scheduling/variables.tf
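Review bot: `adb_admin_password = ""` sits in a committed `terraform.tfvars`, and the README tells the user to fill this file in, so the ADMIN credential lands in version control the moment the example is used. Ship the file as `terraform.tfvars.example` (the wallet-rotation README already describes it that way) with `terraform.tfvars` in `.gitignore`, or leave the secret out of the file and supply it through `TF_VAR_adb_admin_password` or a `-var-file` that is not tracked. The same applies to `adb_admin_password` and `wallet_password` in `terraform/adb_wallet_rotation/terraform.tfvars`.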
@@ -0,0 +1,92 @@
+# ============================================================
+# variables.tf — Configurable parameters
+# ============================================================
+
+# ── OCI Credentials ──────────────────────────────────────────
+variable "tenancy_ocid" {
+ description = "OCID of the Oracle Cloud tenancy"
+ type = string
+}
+
+variable "user_ocid" {
+ description = "OCID of the OCI user"
+ type = string
+}
+
+variable "fingerprint" {
+ description = "Fingerprint of the user's API key"
+ type = string
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file (.pem)"
+ type = string
+}
+
+variable "region" {
+ description = "OCI region where the ADB resides"
+ type = string
+ default = "us-ashburn-1"
+}
+
+variable "compartment_ocid" {
+ description = "OCID of the compartment where the ADB resides"
+ type = string
+}
+
+# ── Existing ADB ──────────────────────────────────────────────
+variable "adb_ocid" {
+ description = "OCID of the existing Autonomous Database"
+ type = string
+}
+
+variable "adb_db_name" {
+ description = "Technical database name of the existing ADB (must match exactly)"
+ type = string
+}
+
+variable "adb_admin_password" {
+ description = "ADMIN password of the existing ADB (required by provider schema, not modified)"
+ type = string
+ sensitive = true
+}
+
+# ── Backup — automatic ────────────────────────────────────────
+variable "backup_retention_days" {
+ description = "Retention period for automatic daily backups (1–60 days)"
+ type = number
+ default = 30
+
+ validation {
+ condition = var.backup_retention_days >= 1 && var.backup_retention_days <= 60
+ error_message = "Must be between 1 and 60 days."
+ }
+}
+
+# ── Backup — long-term schedule ───────────────────────────────
+variable "backup_schedule_cadence" {
+ description = "Frequency of the long-term backup schedule: ONE_TIME | WEEKLY | MONTHLY | YEARLY"
+ type = string
+ default = "MONTHLY"
+
+ validation {
+ condition = contains(["ONE_TIME", "WEEKLY", "MONTHLY", "YEARLY"], var.backup_schedule_cadence)
+ error_message = "Must be one of: ONE_TIME, WEEKLY, MONTHLY, YEARLY."
+ }
+}
+
+variable "backup_schedule_time" {
+ description = "RFC3339 timestamp — anchor point for the recurring schedule. Example: 2025-06-01T02:00:00Z"
+ type = string
+}
+
+variable "long_term_backup_retention_days" {
+ description = "Retention period for long-term backups in days (90–3650)"
+ type = number
+ default = 365
+
+ validation {
+ condition = var.long_term_backup_retention_days >= 90 && var.long_term_backup_retention_days <= 3650
+ error_message = "Must be between 90 and 3650 days. Reference: 365=1yr, 730=2yr, 1825=5yr, 3650=10yr."
+ }
+}
diff --git a/terraform/adb_long-term_backup_scheduling/versions.tf b/terraform/adb_long-term_backup_scheduling/versions.tf
new file mode 100644
index 0000000..b0a5c0b
--- /dev/null
+++ b/terraform/adb_long-term_backup_scheduling/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 6.0.0"
+ }
+ }
+}
diff --git a/terraform/adb_wallet_rotation/README.md b/terraform/adb_wallet_rotation/README.md
new file mode 100644
index 0000000..65e4726
--- /dev/null
+++ b/terraform/adb_wallet_rotation/README.md
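Review bot: `backup_schedule_time` is the one input here without a `validation` block, while both numeric variables and `backup_schedule_cadence` each have one, so a malformed timestamp is only caught by the provider at apply time, after the import and against a live database. A `can(timeadd(...))` check rejects anything that is not RFC3339 at plan time and matches the style of the neighbouring variables. `adb_ocid` is declared but referenced by no resource in this module (it serves only the manual `terraform import` step in the README); a sentence in its description saying so would stop readers looking for a use.
```hcl
variable "backup_schedule_time" {
  description = "RFC3339 timestamp — anchor point for the recurring schedule. Example: 2025-06-01T02:00:00Z"
  type        = string

  validation {
    condition     = can(timeadd(var.backup_schedule_time, "0s"))
    error_message = "Must be a valid RFC3339 timestamp, e.g. 2025-06-01T02:00:00Z."
  }
}
```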
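Review bot: `version = ">= 6.0.0"` has no upper bound, and this same patch deletes the only `.terraform.lock.hcl` in the tree, so every `terraform init` of these examples resolves and trusts whatever the newest `oracle/oci` release is, with no recorded hashes to verify the download against. Pin with `version = "~> 6.0"` (or the major the example was actually tested on) and commit the lock file `terraform init` writes — `terraform providers lock` can add hashes for additional platforms — so a provider upgrade becomes a reviewable change. The same open constraints appear in `terraform/adb_wallet_rotation/versions.tf` for `oci`, `time` and `null`.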
@@ -0,0 +1,116 @@ +# Terraform — Autonomous Database with mTLS Wallet Rotation + +Creates an Autonomous Database with mTLS enabled and manages wallet rotation via the OCI CLI. The wallet is rotated on every `terraform apply`. Supports both new and existing databases. + +## Files + +| File | Description | +|---|---| +| `versions.tf` | Terraform and provider version requirements | +| `provider.tf` | OCI provider configuration | +| `main.tf` | Autonomous Database resource | +| `wallet_rotation.tf` | Wallet rotation via OCI CLI | +| `variables.tf` | All configurable parameters | +| `outputs.tf` | Values exported after apply | +| `terraform.tfvars` | Example values file — copy to `terraform.tfvars` and fill in your values | + +## Quick Start + +```bash +# 1. Initialize Terraform +terraform init + +# 2. Review the plan before applying +terraform plan + +# 3. Create the ADB and download the initial wallet +terraform apply +``` + +## Using an Existing Database + +If the ADB already exists and was not created with this Terraform, import it into the state before applying: + +```bash +# 1. Fill terraform.tfvars with the values that match your existing ADB +# (adb_display_name, adb_db_name, adb_workload_type, adb_cpu_core_count, etc.) + +# 2. Import the existing ADB into the Terraform state +terraform import oci_database_autonomous_database.adb + +# 3. Review the plan — the ADB should show no changes +terraform plan + +# 4. Apply — only the wallet rotation runs, the ADB is not touched +terraform apply +``` + +> **Note:** After import, `admin_password` will show as a pending change on the first plan. This is expected. Terraform does not store sensitive values from imported resources. The `lifecycle { ignore_changes = [admin_password] }` block in `main.tf` suppresses this on subsequent plans. + +## How Wallet Rotation Works + +> **Important:** Rotating the wallet invalidates the current certificates. 
All apps using the old wallet will lose connection and must be updated with the new `wallet.zip` before they can reconnect. + +``` +terraform apply + │ + ▼ +null_resource detects timestamp() change (always true) + │ + ▼ +OCI CLI runs rotate-wallet (invalidates current certificates) + │ + ▼ +OCI CLI runs generate-wallet (downloads new wallet) + │ + ▼ +New wallet.zip saved to wallet_output_path +``` + +## Rotating the Wallet + +```bash +# The wallet rotates automatically on every apply +terraform apply +``` + +## Variables + +| Variable | Description | Default | +|---|---|---| +| `tenancy_ocid` | OCID of the OCI tenancy | — | +| `user_ocid` | OCID of the OCI user | — | +| `fingerprint` | Fingerprint of the API key | — | +| `private_key_path` | Path to the private key file (.pem) | — | +| `region` | OCI region (e.g. `us-ashburn-1`) | `us-ashburn-1` | +| `compartment_ocid` | OCID of the compartment where the ADB will be created | — | +| `adb_display_name` | Display name in the OCI console | — | +| `adb_db_name` | Database name — letters/numbers only, max 14 characters | — | +| `adb_admin_password` | ADMIN user password (sensitive) | — | +| `adb_workload_type` | Workload type: `OLTP` (ATP), `DW` (ADW), `AJD` (JSON), `APEX`, `LH` | `OLTP` | +| `adb_db_version` | Oracle database version | `19c` | +| `adb_cpu_core_count` | Number of ECPUs (minimum 2) | `2` | +| `adb_storage_tbs` | Storage in terabytes | `1` | +| `wallet_password` | Password to protect the wallet zip file (sensitive) | — | +| `wallet_output_path` | Local path where the wallet zip will be saved | `./wallet.zip` | + +## Outputs + +| Output | Description | +|---|---| +| `adb_id` | OCID of the Autonomous Database | +| `wallet_output_path` | Local path where the wallet zip file was saved | + +## Notes + +- **OCI CLI required:** The wallet rotation uses `local-exec` to call the OCI CLI. Make sure it is installed and configured (`oci setup config`) before running `terraform apply`. 
+
+- **Wallet password requirements:** Minimum 8 characters, must contain at least one letter and one number. This password protects the zip file — it is separate from the ADMIN database password.
+
+- **Rotation on every apply:** The `null_resource` uses `timestamp()` as a trigger, which always changes on every `terraform apply`. This means the wallet is rotated every time you run apply, regardless of other changes.
+
+- **SINGLE vs ALL wallet:** The `--generate-type SINGLE` flag generates a wallet for this specific database only. Use `ALL` if you need a wallet that works across multiple databases in the same tenancy.
+
+- **mTLS is always on:** This configuration sets `is_mtls_connection_required = true`. Clients must use the wallet to connect — standard TLS connections without the wallet are rejected.
+
+- **Wallet file location:** The wallet is saved locally at `wallet_output_path`. Keep this file secure — it contains the credentials needed to connect to the database.
diff --git a/terraform/adb_wallet_rotation/main.tf b/terraform/adb_wallet_rotation/main.tf
new file mode 100644
index 0000000..c95a9f0
--- /dev/null
+++ b/terraform/adb_wallet_rotation/main.tf
@@ -0,0 +1,22 @@
+# ============================================================
+# main.tf — Autonomous Database with mTLS
+# ============================================================
+
+resource "oci_database_autonomous_database" "adb" {
+ compartment_id = var.compartment_ocid
+ display_name = var.adb_display_name
+ db_name = var.adb_db_name
+ admin_password = var.adb_admin_password
+ db_workload = var.adb_workload_type
+ db_version = var.adb_db_version
+ compute_model = "ECPU"
+ compute_count = var.adb_cpu_core_count
+ data_storage_size_in_tbs = var.adb_storage_tbs
+
+ # ── mTLS — wallet required ────────────────────────────────
+ is_mtls_connection_required = true
+
+ lifecycle {
+ ignore_changes = [admin_password]
+ }
+}
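Review bot: The resource sets `is_mtls_connection_required = true` but configures neither `whitelisted_ips` nor a private endpoint (`subnet_id`/`nsg_ids`), so the database appears to be created on a public endpoint reachable from any address, with possession of the wallet as the only gate — and that wallet is a plain file written into the local working directory by `wallet_rotation.tf`. Consider a network control in addition to mTLS, e.g. `whitelisted_ips = var.allowed_cidrs` backed by a new list variable, or placing the ADB in a subnet. If public exposure is intentional for the example, a comment beside `is_mtls_connection_required` saying so would help readers who copy this into production.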
diff --git a/terraform/adb_wallet_rotation/outputs.tf b/terraform/adb_wallet_rotation/outputs.tf
new file mode 100644
index 0000000..727624c
--- /dev/null
+++ b/terraform/adb_wallet_rotation/outputs.tf
@@ -0,0 +1,15 @@
+# ============================================================
+# outputs.tf — Values exported after apply
+# ============================================================
+
+# ── ADB ───────────────────────────────────────────────────────
+output "adb_id" {
+ description = "OCID of the Autonomous Database"
+ value = oci_database_autonomous_database.adb.id
+}
+
+# ── Wallet ────────────────────────────────────────────────────
+output "wallet_output_path" {
+ description = "Local path where the wallet zip file was saved"
+ value = var.wallet_output_path
+}
diff --git a/terraform/adb_wallet_rotation/provider.tf b/terraform/adb_wallet_rotation/provider.tf
new file mode 100644
index 0000000..1a5bcef
--- /dev/null
+++ b/terraform/adb_wallet_rotation/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
diff --git a/terraform/adb_wallet_rotation/terraform.tfvars b/terraform/adb_wallet_rotation/terraform.tfvars
new file mode 100644
index 0000000..65cfb34
--- /dev/null
+++ b/terraform/adb_wallet_rotation/terraform.tfvars
@@ -0,0 +1,22 @@
+# ── OCI Credentials ──────────────────────────────────────────
+tenancy_ocid = ""
+user_ocid = ""
+fingerprint = ""
+private_key_path = ""
+region = "us-ashburn-1"
+
+compartment_ocid = ""
+
+# ── ADB Configuration ─────────────────────────────────────────
+adb_display_name = ""
+adb_db_name = ""
+adb_admin_password = ""
+adb_workload_type = "LH" # OLTP=ATP | DW=ADW | AJD=JSON | APEX
+adb_db_version = "26ai"
+adb_cpu_core_count = 2
+adb_storage_tbs = 1
+
+# ── Wallet ────────────────────────────────────────────────────
+
+wallet_password = ""
+wallet_output_path = "./wallet.zip"
diff --git a/terraform/adb_wallet_rotation/variables.tf b/terraform/adb_wallet_rotation/variables.tf
new file mode 100644
index 0000000..4993357
--- /dev/null
+++ b/terraform/adb_wallet_rotation/variables.tf
@@ -0,0 +1,95 @@
+# ============================================================
+# variables.tf — Configurable parameters
+# ============================================================
+
+# ── OCI Credentials ──────────────────────────────────────────
+variable "tenancy_ocid" {
+ description = "OCID of the Oracle Cloud tenancy"
+ type = string
+}
+
+variable "user_ocid" {
+ description = "OCID of the OCI user"
+ type = string
+}
+
+variable "fingerprint" {
+ description = "Fingerprint of the user's API key"
+ type = string
+}
+
+variable "private_key_path" {
+ description = "Path to the private key file (.pem)"
+ type = string
+}
+
+variable "region" {
+ description = "OCI region where the resources will be created"
+ type = string
+ default = "us-ashburn-1"
+}
+
+variable "compartment_ocid" {
+ description = "OCID of the compartment where the ADB will be created"
+ type = string
+}
+
+# ── ADB Configuration ─────────────────────────────────────────
+variable "adb_display_name" {
+ description = "Display name in the OCI console"
+ type = string
+}
+
+variable "adb_db_name" {
+ description = "Technical database name (letters/numbers only, max 14 chars)"
+ type = string
+}
+
+variable "adb_admin_password" {
+ description = "ADMIN user password (min 12 chars, uppercase, number and symbol required)"
+ type = string
+ sensitive = true
+}
+
+variable "adb_workload_type" {
+ description = "Workload type: OLTP (ATP), DW (ADW), AJD (JSON), APEX"
+ type = string
+ default = "OLTP"
+
+ validation {
+ condition = contains(["OLTP", "DW", "AJD", "APEX", "LH"], var.adb_workload_type)
+ error_message = "Must be one of: OLTP, DW, AJD, APEX, LH."
+ }
+}
+
+variable "adb_db_version" {
+ description = "Oracle database version"
+ type = string
+ default = "19c"
+}
+
+variable "adb_cpu_core_count" {
+ description = "Number of ECPUs (minimum 2)"
+ type = number
+ default = 2
+}
+
+variable "adb_storage_tbs" {
+ description = "Storage size in terabytes"
+ type = number
+ default = 1
+}
+
+# ── Wallet ────────────────────────────────────────────────────
+
+variable "wallet_password" {
+ description = "Password to protect the wallet zip file (min 8 chars, 1 letter, 1 number)"
+ type = string
+ sensitive = true
+}
+
+variable "wallet_output_path" {
+ description = "Local path where the wallet zip file will be saved"
+ type = string
+ default = "./wallet.zip"
+}
diff --git a/terraform/adb_wallet_rotation/versions.tf b/terraform/adb_wallet_rotation/versions.tf
new file mode 100644
index 0000000..6fccec8
--- /dev/null
+++ b/terraform/adb_wallet_rotation/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">= 1.5.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">= 6.0.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.0.0"
+ }
+ }
+}
diff --git a/terraform/adb_wallet_rotation/wallet_rotation.tf b/terraform/adb_wallet_rotation/wallet_rotation.tf
new file mode 100644
index 0000000..471f75a
--- /dev/null
+++ b/terraform/adb_wallet_rotation/wallet_rotation.tf
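Review bot: The description of `adb_workload_type` lists `OLTP (ATP), DW (ADW), AJD (JSON), APEX` but the validation below it (and the shipped tfvars) also accept `LH`; change it to `description = "Workload type: OLTP (ATP), DW (ADW), AJD (JSON), APEX, LH"`. In the same file `wallet_password` documents a policy (min 8 chars, one letter, one number) and `adb_cpu_core_count` a minimum of 2, yet neither has the `validation` block that `adb_workload_type` gets, so a non-conforming value is only rejected at apply time — for the wallet password by `generate-wallet`, after `rotate-wallet` has already invalidated the old certificates. A `length(var.wallet_password) >= 8` check combined with two `can(regex(...))` tests, and `var.adb_cpu_core_count >= 2`, would enforce the documented constraints at plan time.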
@@ -0,0 +1,43 @@
+# ============================================================
+# wallet_rotation.tf — Wallet rotation via OCI CLI
+# Runs on every terraform apply.
+#
+# Two steps:
+# 1. rotate-wallet — invalidates current certificates and generates new ones
+# 2. generate-wallet — downloads the new wallet to var.wallet_output_path
+# ============================================================
+
+# Wait for the ADB to reach AVAILABLE state before rotating the wallet.
+# rotate-wallet fails if the ADB is still in PROVISIONING state.
+resource "time_sleep" "wait_for_adb" {
+ create_duration = "120s"
+ depends_on = [oci_database_autonomous_database.adb]
+}
+
+resource "null_resource" "wallet_rotation" {
+ # timestamp() always returns a new value on every apply,
+ # forcing this resource to re-run every time.
+ triggers = {
+ always_run = timestamp()
+ }
+
+ provisioner "local-exec" {
+ command = <<-EOT
+ # Step 1: Rotate — invalidates current certificates and generates new ones.
+ # All apps using the old wallet will lose connection after this step.
+ oci db autonomous-database rotate-wallet \
+ --autonomous-database-id ${oci_database_autonomous_database.adb.id} \
+ --region ${var.region}
+
+ # Step 2: Download the new wallet to wallet_output_path.
+ oci db autonomous-database generate-wallet \
+ --autonomous-database-id ${oci_database_autonomous_database.adb.id} \
+ --password "${var.wallet_password}" \
+ --file "${var.wallet_output_path}" \
+ --generate-type SINGLE \
+ --region ${var.region}
+ EOT
+ }
+
+ depends_on = [time_sleep.wait_for_adb]
+}
diff --git a/terraform/adb_with_customer-managed_keys/README.md b/terraform/adb_with_customer-managed_keys/README.md
new file mode 100644
index 0000000..6fe60b9
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/README.md
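Review bot: `--password "${var.wallet_password}"` places the wallet password on the `oci` command line, where any user on the host can read it from the process list for as long as the CLI runs; pass it through the provisioner's `environment` map and reference `$WALLET_PASSWORD` in the script instead. The script also runs without `set -eu`, so a failed `rotate-wallet` still lets `generate-wallet` run and the `null_resource` records success either way. `rotate-wallet` appears to return before the rotation has completed (the database passes through an UPDATING state), so the immediate `generate-wallet` may fetch the pre-rotation wallet — worth confirming and, if so, polling the lifecycle state between the two steps rather than relying on the fixed 120s `time_sleep`. The resulting `wallet.zip` is written with the default umask into the working directory; a `umask 077` in the script and a `.gitignore` entry keep it from being world-readable or committed.
```hcl
  provisioner "local-exec" {
    # Pass the wallet password through the environment rather than the command
    # line so it does not show up in process listings.
    environment = {
      WALLET_PASSWORD = var.wallet_password
    }

    command = <<-EOT
      set -eu
      umask 077   # wallet.zip is created owner-read/write only
      # … unchanged: rotate-wallet call …

      # Step 2: Download the new wallet to wallet_output_path.
      oci db autonomous-database generate-wallet \
        --autonomous-database-id ${oci_database_autonomous_database.adb.id} \
        --password "$WALLET_PASSWORD" \
        --file "${var.wallet_output_path}" \
        --generate-type SINGLE \
        --region ${var.region}
    EOT
  }
```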
@@ -0,0 +1,97 @@ +# Terraform — Autonomous Database with Customer-Managed Keys (CMK) + +Creates an OCI Vault, a Master Encryption Key, a Dynamic Group, an IAM Policy, and an Autonomous Database encrypted with Customer-Managed Keys. + +## Files + +| File | Description | +|---|---| +| `versions.tf` | Terraform and provider version requirements | +| `provider.tf` | OCI provider configuration | +| `vault.tf` | OCI KMS Vault resource | +| `key.tf` | Master Encryption Key (CMK) resource | +| `dynamic_group.tf` | Dynamic Group resource | +| `policy.tf` | IAM Policy resource | +| `main.tf` | Autonomous Database resource | +| `variables.tf` | All configurable parameters | +| `outputs.tf` | Values exported after apply | +| `terraform.tfvars` | Fill in your values | + +## Quick Start + +```bash +# 1. Initialize Terraform +terraform init + +# 2. Review the plan before applying +terraform plan + +# 3. Create all resources +terraform apply +``` + +## Resources Created + +| Resource | Type | Description | +|---|---|---| +| `vault_display_name` | `oci_kms_vault` | OCI Vault that stores the master encryption key | +| `key_display_name` | `oci_kms_key` | AES-256 Master Encryption Key (CMK) stored in HSM | +| `dynamic_group_name` | `oci_identity_dynamic_group` | Dynamic group that identifies the ADB instance | +| `policy_name` | `oci_identity_policy` | IAM policy granting the ADB access to the Vault and Key | +| `adb_display_name` | `oci_database_autonomous_database` | Autonomous Database encrypted with the CMK | + +## Variables + +| Variable | Description | Default | +|---|---|---| +| `tenancy_ocid` | OCID of the OCI tenancy | — | +| `user_ocid` | OCID of the OCI user | — | +| `fingerprint` | Fingerprint of the API key | — | +| `private_key_path` | Path to the private key file (.pem) | — | +| `region` | OCI region (e.g. 
`us-ashburn-1`, `mx-queretaro-1`) | `us-ashburn-1` | +| `compartment_ocid` | OCID of the compartment where all resources will be created | — | +| `vault_display_name` | Display name for the OCI KMS Vault | — | +| `key_display_name` | Display name for the Master Encryption Key (CMK) | — | +| `dynamic_group_name` | Name for the Dynamic Group | — | +| `policy_name` | Name for the IAM Policy | — | +| `adb_display_name` | Display name in the OCI console | — | +| `adb_db_name` | Database name — letters/numbers only, max 14 characters | — | +| `adb_admin_password` | ADMIN user password (sensitive) | — | +| `adb_workload_type` | Workload type: `OLTP` (ATP), `DW` (ADW), `AJD` (JSON), `APEX` | `OLTP` | +| `adb_db_version` | Oracle database version | `26ai` | +| `adb_cpu_core_count` | Number of ECPUs | `2` | +| `adb_storage_tbs` | Storage in terabytes | `1` | +| `adb_auto_scaling` | Enable ECPU auto-scaling | `false` | + +## Outputs + +| Output | Description | +|---|---| +| `vault_id` | OCID of the created Vault | +| `vault_management_endpoint` | Management endpoint of the Vault | +| `kms_key_id` | OCID of the Master Encryption Key (CMK) | +| `dynamic_group_id` | OCID of the Dynamic Group | +| `adb_id` | OCID of the Autonomous Database | +| `adb_connection_strings` | Connection strings for the ADB | +| `adb_state` | Current lifecycle state of the ADB | + +## Notes + +- **Resource order:** Terraform creates resources in this order: Vault → Master Key → Dynamic Group → IAM Policy → ADB. The `depends_on` blocks enforce this sequence. The IAM Policy must exist before the ADB is provisioned, otherwise the CMK switch will fail. + +- **Vault and ADB region:** The Vault and the ADB must be in the **same OCI region**. Placing them in different regions causes the CMK switch to fail at provisioning time. 
+ +- **Dynamic Group policy syntax — undocumented behavior:** The IAM policy must reference the Dynamic Group by its **OCID** using the `id` keyword, not by name: + ``` + Allow dynamic-group id to manage vaults in compartment id + Allow dynamic-group id to manage keys in compartment id + ``` + Using the Dynamic Group name instead of the OCID causes OCI to fail silently with a generic IAM configuration error, even when the policy appears valid in the console. + +- **`manage` vs `use`:** The policy uses `manage vaults` and `manage keys` instead of `use`. Using only `use` is insufficient for the ADB to complete the CMK switch during provisioning. + +- **HSM protection mode:** The Master Key is created with `protection_mode = "HSM"`. The key material never leaves the HSM in plaintext... not even Oracle can extract it. Use `SOFTWARE` only for dev/test environments. + +- **Envelope encryption:** OCI uses a two-layer encryption model. The ADB data is encrypted with a Data Encryption Key (DEK), and the DEK itself is encrypted with your CMK. Your CMK never directly touches the data, it only protects the DEK. Revoking or disabling the CMK makes the DEK permanently inaccessible, which renders all database data unreadable. + +- **Key revocation impact:** If the CMK is disabled or deleted, the ADB enters an `Inaccessible` state after a 2-hour grace period. All existing connections are dropped and new connections are rejected. This is intentional — it is the primary control that CMK provides over your data. diff --git a/terraform/adb_with_customer-managed_keys/dynamic_group.tf b/terraform/adb_with_customer-managed_keys/dynamic_group.tf new file mode 100644 index 0000000..8d2ba08 --- /dev/null +++ b/terraform/adb_with_customer-managed_keys/dynamic_group.tf 
@@ -0,0 +1,17 @@
+# ============================================================
+# dynamic_group.tf — Dynamic Group
+# Identifies all ADB instances in the compartment so that
+# IAM policies can grant them access to the Vault and Key.
+# Dynamic groups must be created at the tenancy root level.
+# ============================================================
+
+resource "oci_identity_dynamic_group" "adb_dynamic_group" {
+ compartment_id = var.tenancy_ocid
+ name = var.dynamic_group_name
+ description = "Dynamic group for Autonomous Databases using CMK"
+
+ # Matches all resources in the compartment.
+ # If the ADB already exists, you can scope it further:
+ # resource.id = ''
+ matching_rule = "resource.compartment.id = '${var.compartment_ocid}'"
+}
diff --git a/terraform/adb_with_customer-managed_keys/key.tf b/terraform/adb_with_customer-managed_keys/key.tf
new file mode 100644
index 0000000..96d1201
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/key.tf
@@ -0,0 +1,25 @@
+# ============================================================
+# key.tf — Master Encryption Key (CMK)
+# AES-256 key stored in HSM (FIPS 140-2 Level 3).
+# This key wraps the Data Encryption Key (DEK) that directly
+# encrypts the ADB data — envelope encryption pattern.
+# ============================================================
+
+resource "oci_kms_key" "adb_master_key" {
+ compartment_id = var.compartment_ocid
+ display_name = var.key_display_name
+ management_endpoint = oci_kms_vault.adb_vault.management_endpoint
+
+ key_shape {
+ algorithm = "AES"
+ length = 32 # 256 bits
+ }
+
+ # HSM: key material never leaves the hardware module in plaintext.
+ # Use SOFTWARE only for dev/test environments.
+ protection_mode = "HSM"
+
+ # Depends on the sleep to ensure the Vault management endpoint
+ # is fully resolvable in DNS before attempting to create the key.
+ depends_on = [time_sleep.wait_for_vault]
+}
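Review bot: `matching_rule = "resource.compartment.id = '${var.compartment_ocid}'"` admits every resource principal in the compartment — compute instances, functions, anything else created there — and the policy.tf hunk then grants that group `manage vaults` and `manage keys`, which includes disabling or deleting the CMK whose loss the README says makes the database unreadable. Scoping membership by type, `matching_rule = "All {resource.type = 'autonomousdatabase', resource.compartment.id = '${var.compartment_ocid}'}"`, is the form Oracle's CMK-for-ADB guidance uses; confirm the `resource.type` value against the OCI documentation. In policy.tf, adding `where target.key.id = '${oci_kms_key.adb_master_key.id}'` to the keys statement would pin the grant to this key if the policy reference confirms that condition variable; the key does not depend on the policy, so no cycle results. The comment `# Matches all resources in the compartment.` should be updated to describe whichever narrowed rule is adopted.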
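Review bot: `oci_kms_key.adb_master_key` has no `lifecycle` block, so a `terraform destroy`, or any attribute change the provider treats as forcing replacement, schedules deletion of the only key that can unwrap the database DEK — the outcome the README describes as rendering all data unreadable after the grace period. Adding `lifecycle { prevent_destroy = true }` to this resource, and likewise to `oci_kms_vault.adb_vault` in the vault.tf hunk, turns that into a deliberate separate step rather than a side effect of a plan. A one-line comment above it, `# Deleting this key makes the ADB data unrecoverable; removal must be an explicit decision.`, records why.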
diff --git a/terraform/adb_with_customer-managed_keys/main.tf b/terraform/adb_with_customer-managed_keys/main.tf
new file mode 100644
index 0000000..6cb8dfd
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/main.tf
@@ -0,0 +1,27 @@
+# ============================================================
+# main.tf — Autonomous Database with Customer-Managed Keys (CMK)
+# ============================================================
+
+resource "oci_database_autonomous_database" "adb" {
+ compartment_id = var.compartment_ocid
+ display_name = var.adb_display_name
+ db_name = var.adb_db_name
+ admin_password = var.adb_admin_password
+ db_workload = var.adb_workload_type # OLTP | DW | AJD | APEX
+ db_version = var.adb_db_version
+ compute_model = var.adb_compute_model # ECPU required for new databases
+ compute_count = var.adb_cpu_core_count
+ data_storage_size_in_tbs = var.adb_storage_tbs
+
+ # ── Customer-Managed Keys ─────────────────────────────────
+ # The ADB uses envelope encryption: data is encrypted with a DEK,
+ # and the DEK is wrapped using this CMK stored in OCI Vault.
+ kms_key_id = oci_kms_key.adb_master_key.id
+ vault_id = oci_kms_vault.adb_vault.id
+
+ # ── Auto-scaling ──────────────────────────────────────────
+ is_auto_scaling_enabled = var.adb_auto_scaling
+
+ # The IAM policy must exist before the ADB attempts the CMK switch.
+ depends_on = [oci_identity_policy.adb_kms_policy, oci_kms_key.adb_master_key]
+}
diff --git a/terraform/adb_with_customer-managed_keys/outputs.tf b/terraform/adb_with_customer-managed_keys/outputs.tf
new file mode 100644
index 0000000..ca6d803
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/outputs.tf
@@ -0,0 +1,31 @@
+# ============================================================
+# outputs.tf — Values exported after apply
+# ============================================================
+
+# ── KMS ───────────────────────────────────────────────────────
+output "vault_id" {
+ description = "OCID of the created Vault"
+ value = oci_kms_vault.adb_vault.id
+}
+
+output "vault_management_endpoint" {
+ description = "Management endpoint of the Vault"
+ value = oci_kms_vault.adb_vault.management_endpoint
+}
+
+output "kms_key_id" {
+ description = "OCID of the Master Encryption Key (CMK)"
+ value = oci_kms_key.adb_master_key.id
+}
+
+# ── IAM ───────────────────────────────────────────────────────
+output "dynamic_group_id" {
+ description = "OCID of the Dynamic Group"
+ value = oci_identity_dynamic_group.adb_dynamic_group.id
+}
+
+# ── ADB ───────────────────────────────────────────────────────
+output "adb_id" {
+ description = "OCID of the Autonomous Database"
+ value = oci_database_autonomous_database.adb.id
+}
\ No newline at end of file
diff --git a/terraform/adb_with_customer-managed_keys/policy.tf b/terraform/adb_with_customer-managed_keys/policy.tf
new file mode 100644
index 0000000..abd3964
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/policy.tf
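Review bot: The README added in this patch lists `adb_connection_strings` and `adb_state` under Outputs, but this file exports only the five outputs shown, so those two rows describe nothing a user can read. Either add the two outputs below (the attribute names `connection_strings` and `state` should be checked against the provider schema) or remove the rows from the README. The file also ends without a trailing newline.

```hcl
# … unchanged: existing vault, key, dynamic group and adb_id outputs …

output "adb_connection_strings" {
  description = "Connection strings for the ADB"
  value       = oci_database_autonomous_database.adb.connection_strings
}

output "adb_state" {
  description = "Current lifecycle state of the ADB"
  value       = oci_database_autonomous_database.adb.state
}
```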
@@ -0,0 +1,24 @@
+# ============================================================
+# policy.tf — IAM Policy
+# Grants the ADB dynamic group permission to use the Vault
+# and Key. Must be created at the tenancy root level and must
+# exist before the ADB is provisioned.
+# ============================================================
+
+resource "oci_identity_policy" "adb_kms_policy" {
+ compartment_id = var.tenancy_ocid
+ name = var.policy_name
+ description = "Allows Autonomous Database to use Customer-Managed Keys"
+
+ statements = [
+ # IMPORTANT: reference the dynamic group by OCID using the "id" keyword,
+ # not by name. When a tenancy has multiple identity domains, OCI fails to
+ # resolve the group name silently. This syntax is undocumented but required
+ # for consistent behavior.
+ # "manage" is required... "use" alone is insufficient for the CMK switch.
+ "Allow dynamic-group id ${oci_identity_dynamic_group.adb_dynamic_group.id} to manage vaults in compartment id ${var.compartment_ocid}",
+ "Allow dynamic-group id ${oci_identity_dynamic_group.adb_dynamic_group.id} to manage keys in compartment id ${var.compartment_ocid}",
+ ]
+
+ depends_on = [oci_identity_dynamic_group.adb_dynamic_group]
+}
diff --git a/terraform/adb_with_customer-managed_keys/provider.tf b/terraform/adb_with_customer-managed_keys/provider.tf
new file mode 100644
index 0000000..1a5bcef
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/provider.tf
@@ -0,0 +1,7 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
diff --git a/terraform/adb_with_customer-managed_keys/terraform.tfvars b/terraform/adb_with_customer-managed_keys/terraform.tfvars
new file mode 100644
index 0000000..74a17be
--- /dev/null
+++ b/terraform/adb_with_customer-managed_keys/terraform.tfvars
@@ -0,0 +1,31 @@ +# ── OCI Credentials ────────────────────────────────────────── +tenancy_ocid = "" +user_ocid = "" +fingerprint = "" +private_key_path = "" +region = "us-ashburn-1" + +compartment_ocid = "" + +# ── Vault ───────────────────────────────────────────────────── +vault_display_name = "" + +# ── Master Encryption Key ───────────────────────────────────── +key_display_name = "" + +# ── Dynamic Group ───────────────────────────────────────────── +dynamic_group_name = "" + +# ── IAM Policy ──────────────────────────────────────────────── +policy_name = "" + +# ── ADB Configuration ───────────────────────────────────────── +adb_display_name = "" +adb_db_name = "" +adb_admin_password = "" +adb_compute_model = "ECPU" +adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_db_version = "26ai" +adb_cpu_core_count = 2 # minimum 2 in ECPU model +adb_storage_tbs = 1 +adb_auto_scaling = false \ No newline at end of file diff --git a/terraform/adb_with_customer-managed_keys/variables.tf b/terraform/adb_with_customer-managed_keys/variables.tf new file mode 100644 index 0000000..279b685 --- /dev/null +++ b/terraform/adb_with_customer-managed_keys/variables.tf 
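Review bot: Committing `terraform.tfvars` as a tracked file with `adb_admin_password = ""` and blank credential fields invites users to fill it in place, after which a tracked file carries live secrets; the `adb_ocpu_to_ecpu_update/terraform.tfvars` hunk in the second patch shows exactly that outcome. Committing the template as `terraform.tfvars.example`, listing `terraform.tfvars` in `.gitignore`, and pointing to `TF_VAR_adb_admin_password` for the password keeps the filled-in copy out of the repository. The README row `| terraform.tfvars | Fill in your values |` would then name the example file instead.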
@@ -0,0 +1,118 @@ +# ============================================================ +# variables.tf — Configurable parameters +# ============================================================ + +# ── OCI Credentials ────────────────────────────────────────── +variable "tenancy_ocid" { + description = "OCID of the Oracle Cloud tenancy" + type = string +} + +variable "user_ocid" { + description = "OCID of the OCI user" + type = string +} + +variable "fingerprint" { + description = "Fingerprint of the user's API key" + type = string +} + +variable "private_key_path" { + description = "Path to the private key file (.pem)" + type = string +} + +variable "region" { + description = "OCI region where the resources will be created" + type = string + default = "us-ashburn-1" +} + +variable "compartment_ocid" { + description = "OCID of the compartment where all resources will be created" + type = string +} + +# ── Vault ───────────────────────────────────────────────────── +variable "vault_display_name" { + description = "Display name for the OCI KMS Vault" + type = string +} + +# ── Master Encryption Key ───────────────────────────────────── +variable "key_display_name" { + description = "Display name for the Master Encryption Key (CMK)" + type = string +} + +# ── Dynamic Group ───────────────────────────────────────────── +variable "dynamic_group_name" { + description = "Name for the Dynamic Group" + type = string +} + +# ── IAM Policy ──────────────────────────────────────────────── +variable "policy_name" { + description = "Name for the IAM Policy" + type = string +} + +# ── ADB Configuration ───────────────────────────────────────── +variable "adb_display_name" { + description = "Display name in the OCI console" + type = string +} + +variable "adb_db_name" { + description = "Technical database name (letters/numbers only, max 14 chars)" + type = string +} + +variable "adb_admin_password" { + description = "ADMIN user password (min 12 chars, uppercase, number and symbol 
required)" + type = string + sensitive = true +} + +variable "adb_workload_type" { + description = "Workload type: OLTP (ATP), DW (ADW), AJD (JSON), APEX" + type = string + default = "OLTP" + + validation { + condition = contains(["OLTP", "DW", "AJD", "APEX"], var.adb_workload_type) + error_message = "Must be one of: OLTP, DW, AJD, APEX." + } +} + +variable "adb_db_version" { + description = "Oracle database version" + type = string + default = "26ai" +} + +variable "adb_compute_model" { + description = "Compute model for the ADB (ECPU is required for new databases)" + type = string + default = "ECPU" +} + +variable "adb_cpu_core_count" { + description = "Number of ECPUs (minimum 2 in ECPU model)" + type = number + default = 2 +} + +variable "adb_storage_tbs" { + description = "Storage size in terabytes" + type = number + default = 1 +} + +# ── Auto-scaling ────────────────────────────────────────────── +variable "adb_auto_scaling" { + description = "Enable ECPU auto-scaling" + type = bool + default = false +} \ No newline at end of file diff --git a/terraform/adb_with_customer-managed_keys/vault.tf b/terraform/adb_with_customer-managed_keys/vault.tf new file mode 100644 index 0000000..246e5ed --- /dev/null +++ b/terraform/adb_with_customer-managed_keys/vault.tf 
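Review bot: The `validation` block on `adb_workload_type` accepts only `OLTP`, `DW`, `AJD` and `APEX`, but the second patch changes this example's `terraform.tfvars` to `adb_workload_type = "LH"`, so `terraform plan` will fail validation out of the box; if the provider accepts `LH`, the check needs `condition = contains(["OLTP", "DW", "AJD", "APEX", "LH"], var.adb_workload_type)` with the `error_message` and `description` updated to match. The other examples switched to `LH` in that patch may have the same mismatch, but their variables files are not in this diff. `adb_admin_password` and `adb_db_name` state constraints in their descriptions (minimum 12 characters; letters/numbers only, at most 14) that nothing enforces; a `validation` with `condition = can(regex("^[A-Za-z0-9]{1,14}$", var.adb_db_name))` and one with `condition = length(var.adb_admin_password) >= 12` would surface those at plan time instead of at the API call. The file also ends without a trailing newline.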
@@ -0,0 +1,18 @@ +# ============================================================ +# vault.tf — OCI KMS Vault +# Stores the Customer-Managed Key (CMK) used to encrypt the ADB. +# Must be in the same region as the Autonomous Database. +# ============================================================ + +resource "oci_kms_vault" "adb_vault" { + compartment_id = var.compartment_ocid + display_name = var.vault_display_name + vault_type = "DEFAULT" +} + +# Wait for the Vault to reach ACTIVE state before any key is created. +# The management endpoint DNS is not resolvable until the Vault is fully active. +resource "time_sleep" "wait_for_vault" { + create_duration = "90s" + depends_on = [oci_kms_vault.adb_vault] +} \ No newline at end of file diff --git a/terraform/adb_with_customer-managed_keys/versions.tf b/terraform/adb_with_customer-managed_keys/versions.tf new file mode 100644 index 0000000..dc53b0a --- /dev/null +++ b/terraform/adb_with_customer-managed_keys/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 1.5.0" + + required_providers { + oci = { + source = "oracle/oci" + version = ">= 6.0.0" + } + time = { + source = "hashicorp/time" + version = ">= 0.9.0" + } + } +} From c3bd6969593113b3a32668dcd13843243e3a5281 Mon Sep 17 00:00:00 2001 From: David Cardenas Date: Tue, 26 May 2026 16:08:02 -0600 Subject: [PATCH 2/2] Changing db_version & workload default values Signed-off by: David Cardenas david.cardenas@oracle.com --- .../terraform.tfvars | 2 +- .../adb_ocpu_to_ecpu_update/terraform.tfvars | 18 +++++++++--------- terraform/adb_wallet_rotation/README.md | 2 +- terraform/adb_wallet_rotation/terraform.tfvars | 2 +- terraform/adb_wallet_rotation/variables.tf | 2 +- .../terraform.tfvars | 2 +- .../terraform.tfvars | 2 +- .../adb_with_local_standby/terraform.tfvars | 2 +- .../terraform.tfvars | 2 +- 9 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/terraform/adb_from_subnet_private_endpoint/terraform.tfvars b/terraform/adb_from_subnet_private_endpoint/terraform.tfvars index 507df19..b3e7093 100644 --- a/terraform/adb_from_subnet_private_endpoint/terraform.tfvars +++ b/terraform/adb_from_subnet_private_endpoint/terraform.tfvars @@ -24,7 +24,7 @@ nsg_display_name = "" adb_display_name = "" adb_db_name = "" adb_admin_password = "" -adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_workload_type = "LH" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX adb_db_version = "26ai" adb_cpu_core_count = 2 adb_storage_tbs = 1 diff --git a/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars b/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars index 55ccf3b..af8706e 100644 --- a/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars +++ b/terraform/adb_ocpu_to_ecpu_update/terraform.tfvars @@ -1,17 +1,17 @@ # ── OCI Credentials ────────────────────────────────────────── -tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaakc2xkehakt7bmhmipdbhz3tbkej53jzwmrlmuqoloydlotthkrbq" -user_ocid = "ocid1.user.oc1..aaaaaaaas3nxkab5ct2mhfno7j2ltpcsiyhi5xzrs7xwcprpmpbfoxvsylva" -fingerprint = "ae:0d:91:96:d9:10:07:81:ba:f4:b2:af:db:48:06:25" -private_key_path = "/Users/davcarde/.oci/oci_api_key_t5.pem" +tenancy_ocid = "" +user_ocid = "" +fingerprint = "" +private_key_path = "" region = "us-ashburn-1" -compartment_ocid = "ocid1.tenancy.oc1..aaaaaaaakc2xkehakt7bmhmipdbhz3tbkej53jzwmrlmuqoloydlotthkrbq" +compartment_ocid = "" # ── ADB Configuration ───────────────────────────────────────── -adb_display_name = "xiaTest2" -adb_db_name = "xiaTest2" -adb_admin_password = "HolaMundo1330" -adb_workload_type = "AJD" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_display_name = "" +adb_db_name = "" +adb_admin_password = "" +adb_workload_type = "LH" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX adb_cpu_core_count = 2 # ECPU: minimum 2, multiples of 2 adb_storage_tbs = 1 adb_auto_scaling = false 
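Review bot: The values removed from `adb_ocpu_to_ecpu_update/terraform.tfvars` — tenancy and user OCIDs, an API-key fingerprint, a local private-key path and an ADMIN password — remain in the repository history after this commit, so blanking them does not un-expose them. The API key identified by that fingerprint and the removed ADMIN password should be treated as compromised and rotated or revoked, and the history handled according to the project's secret-leak process. The hunk itself is fine; the point is the follow-up outside the diff, and a commit-message line recording that rotation happened would close the loop for later readers.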
diff --git a/terraform/adb_wallet_rotation/README.md b/terraform/adb_wallet_rotation/README.md index 65e4726..fca6bcf 100644 --- a/terraform/adb_wallet_rotation/README.md +++ b/terraform/adb_wallet_rotation/README.md @@ -88,7 +88,7 @@ terraform apply | `adb_db_name` | Database name — letters/numbers only, max 14 characters | — | | `adb_admin_password` | ADMIN user password (sensitive) | — | | `adb_workload_type` | Workload type: `OLTP` (ATP), `DW` (ADW), `AJD` (JSON), `APEX`, `LH` | `OLTP` | -| `adb_db_version` | Oracle database version | `19c` | +| `adb_db_version` | Oracle database version | `26ai` | | `adb_cpu_core_count` | Number of ECPUs (minimum 2) | `2` | | `adb_storage_tbs` | Storage in terabytes | `1` | | `wallet_password` | Password to protect the wallet zip file (sensitive) | — | diff --git a/terraform/adb_wallet_rotation/terraform.tfvars b/terraform/adb_wallet_rotation/terraform.tfvars index 65cfb34..5d4ff8b 100644 --- a/terraform/adb_wallet_rotation/terraform.tfvars +++ b/terraform/adb_wallet_rotation/terraform.tfvars @@ -11,7 +11,7 @@ compartment_ocid = "" adb_display_name = "" adb_db_name = "" adb_admin_password = "" -adb_workload_type = "LH" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_workload_type = "LH" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX adb_db_version = "26ai" adb_cpu_core_count = 2 adb_storage_tbs = 1 diff --git a/terraform/adb_wallet_rotation/variables.tf b/terraform/adb_wallet_rotation/variables.tf index 4993357..ba95a04 100644 --- a/terraform/adb_wallet_rotation/variables.tf +++ b/terraform/adb_wallet_rotation/variables.tf @@ -65,7 +65,7 @@ variable "adb_workload_type" { variable "adb_db_version" { description = "Oracle database version" type = string - default = "19c" + default = "26ai" } variable "adb_cpu_core_count" { diff --git a/terraform/adb_with_cross-region_standby/terraform.tfvars b/terraform/adb_with_cross-region_standby/terraform.tfvars index 3216485..5ef1b34 100644 
--- a/terraform/adb_with_cross-region_standby/terraform.tfvars +++ b/terraform/adb_with_cross-region_standby/terraform.tfvars @@ -13,7 +13,7 @@ adb_db_name = "primarydb" admin_password = "" -db_workload = "OLTP" +db_workload = "OLTP" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX compute_count = 2 data_storage_size_in_tbs = 1 diff --git a/terraform/adb_with_customer-managed_keys/terraform.tfvars b/terraform/adb_with_customer-managed_keys/terraform.tfvars index 74a17be..78e01c8 100644 --- a/terraform/adb_with_customer-managed_keys/terraform.tfvars +++ b/terraform/adb_with_customer-managed_keys/terraform.tfvars @@ -24,7 +24,7 @@ adb_display_name = "" adb_db_name = "" adb_admin_password = "" adb_compute_model = "ECPU" -adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_workload_type = "LH" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX adb_db_version = "26ai" adb_cpu_core_count = 2 # minimum 2 in ECPU model adb_storage_tbs = 1 diff --git a/terraform/adb_with_local_standby/terraform.tfvars b/terraform/adb_with_local_standby/terraform.tfvars index 0919a28..d0829d3 100644 --- a/terraform/adb_with_local_standby/terraform.tfvars +++ b/terraform/adb_with_local_standby/terraform.tfvars @@ -11,4 +11,4 @@ display_name = "primarydb" admin_password = "" compute_count = 2 data_storage_tbs = 1 -db_workload = "OLTP" +db_workload = "LH" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX diff --git a/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars b/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars index 88a2e67..53e46e1 100644 --- a/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars +++ b/terraform/adb_with_public_endpoint_and_acls/terraform.tfvars 
@@ -11,7 +11,7 @@ compartment_ocid = "" adb_display_name = "" adb_db_name = "" adb_admin_password = "" -adb_workload_type = "DW" # OLTP=ATP | DW=ADW | AJD=JSON | APEX +adb_workload_type = "LH" # OLTP=ATP | LH=LAKEHOUSE | DW=ADW | AJD=JSON | APEX adb_db_version = "26ai" adb_cpu_core_count = 2 adb_storage_tbs = 1