IaC Bazaar
Oracle Cloud · Plan-validated

API Gateway & Deployment

Managed API gateway with route deployments, JWT/auth policies, rate limiting, CORS and custom-domain TLS.

terraform · Oracle Cloud · #oci
oci-api-gateway · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-api-gateway — API Gateway & Deployment

A managed OCI API Gateway with a single deployment that fans out to typed backends (HTTP/HTTPS upstreams, Oracle Functions, or stock/mock responses) and applies deployment-wide request policies: JWT or custom-function authentication (deny-by-default), CORS, rate limiting, mutual TLS, and an optional custom-domain TLS certificate. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. Real apply → curl the deployment endpoint → destroy against an OCI tenancy is pending a cloud sandbox. Per-call gateway pricing is cheap, so this is a good early candidate once the live lane exists.

Secure / sane defaults

  • Private endpoint by default. endpoint_type = "PRIVATE" — the gateway is reachable only from the VCN / peered networks. Switch to PUBLIC only with a deny-by-default auth policy (and ideally an NSG pinning ingress to 443).
  • Deny-by-default authentication. The default authentication block is JWT-shaped with is_anonymous_access_allowed = false — unauthenticated callers are rejected. JWT auth requires issuers, audiences and a jwks_uri (the remote JWKS key source the provider mandates) so signatures are actually verified.
  • CORS off until you opt in. No CORS headers are emitted (same-origin only) unless you set cors; the module refuses the is_allow_credentials_enabled + "*" origin combination that browsers reject.
  • Backend TLS verified. is_ssl_verify_disabled defaults to false for HTTP_BACKEND routes — the gateway validates upstream certificates.
  • Quiet logs by default. Access logs on; execution log at WARN (set to "" to disable, INFO only for debugging — it is verbose).
  • Certificate immutability handled. The custom-domain cert is created create_before_destroy so rotation never deadlocks on the attached gateway.
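
The defaults above can be checked independently of the module by auditing the JSON form of a plan (tofu show -json). The following is an added example, not IaC Bazaar's code: the function names are hypothetical, the attribute paths assume the oracle/oci schema for oci_apigateway_gateway and oci_apigateway_deployment, and the sample plans are constructed.

```python
# Added example: audit a plan (tofu show -json) against the defaults listed above.
# Assumption: attribute paths follow the oracle/oci resource schema; samples are constructed.
def _one(block):
    """Plan JSON renders a single nested block as a one-element list."""
    return block[0] if isinstance(block, list) and block else (block or {})

def audit_plan(plan):
    """Return (address, finding) pairs for settings that weaken the listed defaults."""
    findings = []
    changes = [(rc["type"], rc["address"], rc["change"].get("after") or {})
               for rc in plan.get("resource_changes", [])]
    public = any(t == "oci_apigateway_gateway" and a.get("endpoint_type") == "PUBLIC"
                 for t, _, a in changes)
    for rtype, addr, after in changes:
        if rtype != "oci_apigateway_deployment":
            continue
        spec = _one(after.get("specification"))
        policies = _one(spec.get("request_policies"))
        auth = _one(policies.get("authentication"))
        cors = _one(policies.get("cors"))
        # A missing auth block, or anything but an explicit false, admits anonymous callers.
        if public and auth.get("is_anonymous_access_allowed") is not False:
            findings.append((addr, "PUBLIC gateway without deny-by-default authentication"))
        if cors.get("is_allow_credentials_enabled") and "*" in (cors.get("allowed_origins") or []):
            findings.append((addr, 'CORS credentials enabled with "*" origin'))
        for route in spec.get("routes") or []:
            backend = _one(route.get("backend"))
            if backend.get("type") == "HTTP_BACKEND" and backend.get("is_ssl_verify_disabled"):
                findings.append((addr, f"route {route.get('path')}: backend TLS verification disabled"))
    return findings

def _plan(endpoint, anon, origins, creds, no_verify):
    """Build a constructed, minimal plan document for the checks above."""
    return {"resource_changes": [
        {"type": "oci_apigateway_gateway", "address": "oci_apigateway_gateway.this",
         "change": {"after": {"endpoint_type": endpoint}}},
        {"type": "oci_apigateway_deployment", "address": "oci_apigateway_deployment.this",
         "change": {"after": {"specification": [{
             "request_policies": [{
                 "authentication": [{"type": "JWT_AUTHENTICATION", "is_anonymous_access_allowed": anon}],
                 "cors": [{"allowed_origins": origins, "is_allow_credentials_enabled": creds}]}],
             "routes": [{"path": "/orders", "backend": [
                 {"type": "HTTP_BACKEND", "is_ssl_verify_disabled": no_verify}]}]}]}}}]}

WEAK = _plan("PUBLIC", True, ["*"], True, True)
HARDENED = _plan("PRIVATE", False, ["https://app.example.com"], True, False)

if __name__ == "__main__":
    for address, finding in audit_plan(WEAK):
        print(address, "->", finding)
```

Because gateway_id is not known at plan time, the check treats any PUBLIC gateway in the plan as fronting every deployment in it.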

Requirements

  • Terraform or OpenTofu >= 1.6
  • oracle/oci >= 8.0, < 9.0

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/curl/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Inputs (key)
  • Outputs
  • Notes