OCI Compute Instance (flex shapes)

oci-compute-instance

Opinionated OCI VM with E5/A1 flex shapes, cloud-init, attached block volumes, NSGs and in-transit encryption. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

• Legacy IMDS (v1) endpoints disabled — only the authenticated v2 endpoints respond (OCI's IMDSv2 enforcement)
• No public IP unless assign_public_ip = true
• In-transit encryption for boot volume and paravirtualized attachments
• Encryption at rest always on; bring your own KMS key via boot_volume_kms_key_id / per-volume kms_key_id

Usage

module "instance" {
  source              = "./oci-compute-instance"
  compartment_id      = "ocid1.compartment.oc1..xxxx"
  availability_domain = "Uocm:US-ASHBURN-AD-1"
  name                = "app-1"
  subnet_id           = "ocid1.subnet.oc1.iad.xxxx"
  ssh_authorized_keys = file("~/.ssh/id_ed25519.pub")

  shape         = "VM.Standard.A1.Flex" # always-free eligible
  ocpus         = 1
  memory_in_gbs = 6

  block_volumes = {
    data = { size_in_gbs = 100 }
  }
}

Inputs

Name	Type	Default	Description
compartment_id	string	—	Compartment OCID (required)
availability_domain	string	—	AD name, e.g. Uocm:US-ASHBURN-AD-1 (required)
name	string	—	Instance display name / resource prefix (required)
subnet_id	string	—	Subnet OCID for the primary VNIC (required)
shape	string	VM.Standard.A1.Flex	Compute shape; .Flex shapes honour ocpus/memory
ocpus / memory_in_gbs	number	1 / 6	Flex shape sizing
fault_domain	string	null	Pin to a fault domain
assign_public_ip	bool	false	Public IP on the primary VNIC
hostname_label	string	null	VNIC hostname label (needs subnet/VCN DNS)
nsg_ids	list(string)	[]	NSGs attached to the primary VNIC
image_id	string	null	Boot image OCID; null = latest matching platform image
image_operating_system (_version)	string	Oracle Linux / 9	Platform-image lookup filters
boot_volume_size_in_gbs	number	50	Boot volume size (50-32768)
boot_volume_vpus_per_gb	number	10	Boot volume performance (10-120)
boot_volume_kms_key_id	string	null	Customer-managed key for the boot volume
boot_volume_backup_policy	string	bronze	Oracle-defined backup policy (gold/silver/bronze, null = off)
in_transit_encryption_enabled	bool	true	In-transit encryption (boot + PV attachments)
disable_legacy_imds	bool	true	Disable IMDS v1 endpoints
recovery_action	string	RESTORE_INSTANCE	Maintenance recovery behaviour
preserve_boot_volume	bool	false	Keep boot volume on destroy
ssh_authorized_keys	string	null	SSH public key(s), newline-separated
user_data	string	null	Raw cloud-init (module base64-encodes)
block_volumes	map(object)	{}	Extra volumes: size_in_gbs, vpus_per_gb, attachment_type, kms_key_id, device, is_read_only, backup_policy
freeform_tags / defined_tags	map(string)	{}	Tags on all resources

Outputs

instance_id, instance_state, private_ip, public_ip, boot_volume_id, image_id (resolved — pin it back to prevent drift), block_volume_ids, block_volume_attachment_ids.

Notes

• A1.Flex capacity can be scarce on always-free tenancies; E2.1.Micro or paid E5.Flex are reliable fallbacks.
• Some shape/image combinations reject in-transit encryption — set in_transit_encryption_enabled = false if launch fails with that error.
• Block volumes are created in the instance's AD and attached paravirtualized by default; switch to iscsi per volume for bare-metal-class workloads.
• Boot and block volumes are assigned the Oracle-defined bronze backup policy by default (monthly incrementals; backup storage is billed). Set the policy to null for throwaway/test instances.

Requirements

• Terraform or OpenTofu >= 1.6
• Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).