Provision Oracle Cloud Infrastructure Home Region IAM resources in a multi-region Terraform configuration

Stephen Cross
Nov 27, 2019 · 3 min read

This article covers a common configuration pattern that I’ve been meaning to post for a while. When provisioning resources in Oracle Cloud Infrastructure (OCI), some resources, specifically IAM resources, can only be created in the Home Region.

If a configuration requires the creation of IAM resources, such as a new compartment or deployment-specific policies, then the Terraform configuration needs to target multiple regions. Terraform supports this by declaring additional provider blocks, each with a provider alias. A simple example:

# default provider for the configuration (the target region)
provider "oci" {
  region = var.region
}

# provider for the home region, used only for IAM resource provisioning
provider "oci" {
  alias  = "home"
  region = "us-ashburn-1"
}

# create the compartment in the home region
resource "oci_identity_compartment" "mycompartment" {
  provider       = oci.home
  compartment_id = var.tenancy_ocid
  name           = "My_Compartment"
  description    = "My Compartment"
}

This will create the compartment in the home region us-ashburn-1, and every other resource in the configuration will be created in var.region. But not every tenancy has its home region in Ashburn, so let's look at how to make this portable without adding a separate home_region input variable to the configuration.

The oci_identity_tenancy data source can be used to find the tenancy's home region.

data "oci_identity_tenancy" "tenancy" {
  tenancy_id = var.tenancy_ocid
}

output "home_region" {
  value = data.oci_identity_tenancy.tenancy.home_region_key
}

home_region = IAD

But this gives us a three-letter region key, e.g. IAD. To convert it to the region identifier expected by the provider's region attribute we need a map from region keys to region names. The oci_identity_regions data source returns the complete list of regions, from which we can build a lookup map and then look up the home region key.

data "oci_identity_regions" "regions" {
}

locals {
  # e.g. { "IAD" = "us-ashburn-1", "YYZ" = "ca-toronto-1", ... }
  region_map = {
    for r in data.oci_identity_regions.regions.regions :
    r.key => r.name
  }
  home_region = lookup(
    local.region_map,
    data.oci_identity_tenancy.tenancy.home_region_key
  )
}

output "home_region" {
  value = local.home_region
}

home_region = us-ashburn-1

Now we can use local.home_region in the provider definition:

# provider for the home region, used only for IAM resource provisioning
provider "oci" {
  alias  = "home"
  region = local.home_region
}

Waiting for IAM resources to propagate across regions

A key consideration when provisioning IAM resources is that resources created, updated, or deleted in the home region take time to propagate to the other regions of the tenancy. If resources provisioned in the target (non-home) region depend on the new IAM resources, for example because they are created in the new compartment or rely on a newly created policy, provisioning fails if the IAM resource has not propagated to the target region by the time the dependent resource is created.

One approach that waits for the new resources to propagate is to add a data source for the same resource that was created in the home region, read through the default (target-region) provider. Resources that depend on the IAM resource then reference the data source rather than the IAM resource directly. Expanding on the example above, we add a compartment data source and a VCN to be created in the compartment:

# create the compartment in the home region
resource "oci_identity_compartment" "mycompartment" {
  provider       = oci.home
  compartment_id = var.tenancy_ocid
  name           = "My_Compartment"
  description    = "My Compartment"
}

# data source for the compartment, read through the default (target-region) provider
data "oci_identity_compartment" "mycompartment" {
  id = oci_identity_compartment.mycompartment.id
}

# vcn in the new compartment; references the data source, not the resource
resource "oci_core_vcn" "myvcn" {
  compartment_id = data.oci_identity_compartment.mycompartment.id
  display_name   = "My VCN"
  cidr_block     = "10.0.0.0/16"
}

When we apply the configuration, the compartment data source waits for the compartment to be available in the target region before the VCN is provisioned:

oci_identity_compartment.mycompartment: Creating...
oci_identity_compartment.mycompartment: Still creating... [10s elapsed]
oci_identity_compartment.mycompartment: Creation complete after 10s [id=ocid1.compartment.oc1..aaaaaaaap7xfr4byri4phkykeazgyoexxdii2xtxx2o6ric4ok267lcm66aq]
data.oci_identity_compartment.mycompartment: Refreshing state...
oci_core_vcn.myvcn: Creating...
oci_core_vcn.myvcn: Creation complete after 1s [id=ocid1.vcn.oc1.ca-toronto-1.aaaaaaaav4fospzcnk3nqfcdb7ehd4nidk7ulfjhuroucy5dqwtj5i47ug3q]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
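As an added example, not code from the original post, here is the whole pattern assembled into one configuration: the home-region lookup, the aliased provider, the compartment and a deployment-specific policy created in the home region, and the target-region data source that gates the VCN. The inputs var.tenancy_ocid, var.region and var.admin_group, and the resource names, are assumptions for illustration; var.admin_group must name an IAM group that already exists in the tenancy.

```hcl
# Added example (not from the original post): the complete multi-region
# configuration. Requires Terraform 0.12+ and the oci provider. Assumed
# inputs: var.tenancy_ocid, var.region (target region), var.admin_group
# (an existing IAM group). Names such as My_Compartment are illustrative.

variable "tenancy_ocid" {
  description = "OCID of the tenancy; IAM resources are created here, in the home region"
  type        = string
}

variable "region" {
  description = "Target region for non-IAM resources, e.g. ca-toronto-1"
  type        = string
}

variable "admin_group" {
  description = "Existing IAM group granted rights inside the new compartment (assumed to exist)"
  type        = string
}

# Default provider: the target region. The identity data sources below are
# read through it; the IAM service answers them from any region.
provider "oci" {
  region = var.region
}

# Resolve the home region without a separate input variable.
data "oci_identity_tenancy" "tenancy" {
  tenancy_id = var.tenancy_ocid
}

data "oci_identity_regions" "regions" {
}

locals {
  # e.g. { "IAD" = "us-ashburn-1", "YYZ" = "ca-toronto-1", ... }
  region_map = {
    for r in data.oci_identity_regions.regions.regions : r.key => r.name
  }
  # Direct index with no default on purpose: an unknown key fails the plan
  # instead of silently pointing the IAM provider at the wrong region.
  home_region = local.region_map[data.oci_identity_tenancy.tenancy.home_region_key]
}

# Aliased provider pinned to the home region, used only for IAM resources.
provider "oci" {
  alias  = "home"
  region = local.home_region
}

resource "oci_identity_compartment" "mycompartment" {
  provider       = oci.home
  compartment_id = var.tenancy_ocid
  name           = "My_Compartment"
  description    = "My Compartment"
}

# Deployment-specific policy. Attached to the tenancy but scoped by its
# statement to the new compartment, so the grant is no broader than the
# deployment needs. Referencing the compartment's name also orders the
# policy after the compartment.
resource "oci_identity_policy" "mypolicy" {
  provider       = oci.home
  compartment_id = var.tenancy_ocid
  name           = "My_Compartment_Policy"
  description    = "Network administration inside My_Compartment only"
  statements = [
    "Allow group ${var.admin_group} to manage virtual-network-family in compartment ${oci_identity_compartment.mycompartment.name}",
  ]
}

# Read the compartment back through the default (target-region) provider.
# The dependency on the resource's id means this read, and everything that
# references it, runs only once the compartment is visible in var.region.
data "oci_identity_compartment" "mycompartment" {
  id = oci_identity_compartment.mycompartment.id
}

# Created in var.region, inside the propagated compartment.
resource "oci_core_vcn" "myvcn" {
  compartment_id = data.oci_identity_compartment.mycompartment.id
  display_name   = "My VCN"
  cidr_block     = "10.0.0.0/16"
}

output "home_region" {
  value = local.home_region
}
```

Two points worth noting: the region-map index deliberately has no fallback, so a key missing from the regions list aborts the plan rather than creating IAM resources against an unintended region; and only the two IAM resources carry provider = oci.home, so any resource that forgets the alias is created in the target region, where the IAM service rejects it, instead of landing somewhere unexpected.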

Oracle Groundbreakers

Aggregation of articles from Oracle engineers, Groundbreaker Ambassadors, ACEs, and the developer community on all things Oracle Cloud and its technologies. The views expressed are those of the authors and not necessarily those of Oracle. Contact @jimgris or @brhubart

Written by Stephen Cross, Product Manager, Oracle Cloud Infrastructure
