Terraform: Set Up OCI Terraform
In this tutorial, you set up Oracle Cloud Infrastructure Terraform provider scripts, documented in the Terraform Registry, to connect to an OCI account. To confirm the setup, you fetch information from the tenancy.
Key tasks include how to:
- Create RSA keys.
- Set up Oracle Cloud Infrastructure Terraform provider scripts:
- Authenticate your Terraform scripts.
- Get information about the availability domains in your tenancy.
For additional information, see:
Before You Begin
To successfully perform this tutorial, you must have the following:
- An Oracle Cloud Infrastructure account. See Signing Up for Oracle Cloud Infrastructure.
- A MacOS, Linux, or Windows environment:
- MacOS
- Linux (Any distribution)
- You can install a Linux VM with an Always Free Compute shape, on Oracle Cloud Infrastructure:
- Oracle Cloud Infrastructure Cloud Shell:
- Windows Subsystem for Linux (WSL)
- Git for Windows to access a Linux VM.
This tutorial uses an Oracle Linux VM environment with an AMD shape for its examples, but you can use any environment mentioned in this section.
1. Prepare
Prepare your environment for authenticating and running Terraform scripts. Also, gather the information your account needs to authenticate the scripts.
This tutorial suggests that you install the latest version of Terraform that's supported for OCI Resource Manager. Resource Manager is a service for creating Terraform templates for OCI resources. In case you want to use Resource Manager with your Terraform scripts later, then your Terraform version is supported.
If you created RSA keys for the Terraform Set Up Resource Discovery tutorial, then skip this step.
You create RSA keys for API signing in to your Oracle Cloud Infrastructure account.
If you're using Cloud Shell, skip creating the RSA keys. You're already authenticated when you log in to the OCI Console.
You have now set up the RSA keys to connect to your OCI account.
- Reference
If your username is in the Administrators group, then skip this section. Otherwise, ask your administrator to add the following policy to your tenancy:
allow group <the-group-your-username-belongs> to read all-resources in tenancy
With this privilege, you can list all the resources in your tenancy.
- In the top navigation bar, open the Profile menu.
- Click your username.
- In the left pane, click Groups.
- In a notepad, copy the Group Name that your username belongs.
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Select
<your-tenancy>(root)
from the Compartment dropdown. - Click Create Policy.
- Fill in the following information:
- Name:
list-resources
- Description:
Allow the group <the-group-your-username-belongs> to list the resources in this tenancy.
- Compartment:
<your-tenancy>(root)
- Name:
- For Policy Builder, click Show manual editor.
- Paste in the following
policy:
allow group <the-group-your-username-belongs> to read all-resources in tenancy
- Click Create.
Reference: Common Policies
Prepare the information you need to authenticate your Terraform scripts and copy the information into a notepad.
2. Create Scripts
Create three scripts: one for authentication, one to fetch data from your account, and one to print outputs.
First, set up a directory for Terraform scripts. Then add a provider script so your OCI account can authenticate the scripts running from this directory.
Use the following variables for API Key based authentication:
- tenancy_ocid
- user_ocid
- private_key_path
- fingerprint
- region
You don't need to install the provider. The provider is downloaded when you run the scripts in this tutorial.
In this section, you fetch a list of the availability domains in your tenancy. By fetching data, you confirm that your OCI account authenticates your provider.tf
script and you get information from your account.
In Terraform, to fetch data, you use a data source. Fetching data from a data source is similar to the GET method in REST APIs.
- Go to Oracle Cloud Infrastructure Provider.
- In the left navigation Filter, enter
availability domains
. - Under Identity, go to Data Sources and click oci_identity_availability_domains.
- Find the Data Source name from the title of the page:
- Data Source:
oci_identity_availability_domains
- Data Source:
- In the Argument Reference section, find all arguments (inputs) labeled as (Required):
- compartment_id
- Construct a data source block:
- Declare a data source with the keyword:
data
. - Add a label for the data source name:
"oci_identity_availability_domains"
- Add a label of your choice for the local name:
- The label can contain letters, digits, underscores (_), and hyphens (-). The first character must not be a digit.
- This tutorial uses the local name,
"ads"
to constructdata "oci_identity_availability_domains" "ads"
.
- Inside the code block, provide values for all required arguments.
- Example:
compartment_id = "<some-compartment-ocid>"
- Example:
- For optional arguments, provide values to narrow down the fetch results. Only some data sources have optional arguments.
- Declare a data source with the keyword:
The data source oci_identity_availability_domains
, fetches a
list of availability domains. In this section, you declare an output
block to print the fetched information.
- On the Data Source: oci_identity_availability_domains
page, go to Attribute Reference.Note
Attributes are the outputs you can return for the oci_identity_availability_domains data source. - Find the attributes:
- Attribute: availability_domains:
- The list of availability domains
- If you output availability_domains, you get three
attributes for each availability domain in the list:
- compartment_id
- id
- name
- Attribute: availability_domains:
- Construct a data source output block:
- Declare an output block with the keyword:
output
- Add a label to be printed with the output results:
- The label can contain letters, digits, underscores (_), and hyphens (-). The first character must not be a digit.
- Example:
"all-availability-domains-in-your-tenancy"
- Inside the code block, enter a value for the data source output with
the expression:
value = data.<data-source-name>.<local-name-for-data-source>.<attribute>
- Example:
value = data.oci_identity_availability_domains.ads.availability_domains
- Declare an output block with the keyword:
3. Run Scripts
Run your Terraform scripts. After your account authenticates the scripts, Terraform fetches your tenancy's availability domains.
Initialize a working directory in the tf-provider
directory.
Create an execution plan to check whether the changes shown in the execution plan match your expectations, without changing the real resources.
Congratulations! Your Oracle Cloud Infrastructure account can now authenticate your Oracle Cloud Infrastructure Terraform provider scripts.
References:
You might encounter the following error messages while running your Terraform scripts.
401 Errors - (Service error:NotAuthenticated)
One of the following variables has an incorrect value:
- Tenancy OCID
- User OCID
- Fingerprint
- RSA private key (the path or the key)
Can not create client, bad configuration: did not find a proper configuration for private key
The Terraform scripts can't find the RSA private key.
No such host
The region identifier has an incorrect value.
- In the Console's top navigation bar, find your region.
-
In the table listed in Regions and Availability Domains, find your region's
<region-identifier>
. Example:us-ashburn-1
. -
In the
provider.tf
file, update the value for <region-identifier> and try again.
Failed to query available provider packages
If you are on a VPN, check the proxy settings.
What's Next
For the next Terraform: Get Started tutorial, go to:
To explore more information about development with Oracle products, check out these sites: