IaC Bazaar
Oracle Cloud · Plan-validated

DNS Zone & Traffic Steering

Public/private DNS zones with record sets, failover/geo steering policies and health-check probes.

terraform · Oracle Cloud · #oci

oci-dns-zone · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-dns-zone

Status: static-validated, live-test pending. This module ships under live-test quarantine — it passes tofu fmt, tofu validate and tflint, but a real apply → verify → destroy has not yet run (no OCI cloud sandbox available). Promotion to a full live-tested artifact follows when a sandbox exists.

OCI DNS made plug-and-play: a PRIMARY zone (public global or private view-scoped) with its record sets, plus optional traffic-management steering policies (failover / geo / load-balance) backed by HTTP health-check monitors. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

  • PRIMARY zones only — OCI is the source of truth; no SECONDARY zone pulling from a harder-to-trust external master.
  • DNSSEC enabled by default on public (GLOBAL) zones for origin authentication. Private zones force it off (unsupported there).
  • Private zones are view-scoped — resolvable only inside the VCNs bound to the view, never exposed to the internet. A view_id is required and validated for scope = PRIVATE.
  • Steering policy ordering is handled for you: the attachment references the fully-formed policy resource (with its answers), so the documented "attach-before-answers" race is avoided.

Usage

module "dns_zone" {
  source         = "./oci-dns-zone"
  compartment_id = "ocid1.compartment.oc1..xxxx"
  zone_name      = "example.com"
  scope          = "GLOBAL"

  record_sets = {
    apex_a = {
      domain  = "example.com"
      rtype   = "A"
      records = [{ ttl = 300, rdata = "203.0.113.10" }]
    }
  }

  health_check_monitors = {
    primary = { targets = ["203.0.113.10"], protocol = "HTTPS", path = "/healthz", port = 443 }
  }

  steering_policies = {
    failover = {
      template                 = "FAILOVER"
      domain_name              = "app.example.com"
      health_check_monitor_key = "primary"
      answers = [
        { name = "primary", rtype = "A", rdata = "203.0.113.10" },
        { name = "backup", rtype = "A", rdata = "203.0.113.20" },
      ]
      rules = [{ rule_type = "HEALTH" }, { rule_type = "LIMIT", default_count = 1 }]
    }
  }
}

Inputs

Name | Type | Default | Description
compartment_id | string | (required) | Compartment OCID owning the zone
zone_name | string | (required) | Fully-qualified zone name, e.g. example.com
scope | string | GLOBAL | GLOBAL (public) or PRIVATE (view-scoped)
view_id | string | null | DNS view OCID; required when scope = PRIVATE
dnssec_enabled | bool | true | DNSSEC on public zones (forced off for private)
record_sets | map(object) | {} | RRSets: domain, rtype, records (ttl, rdata)
health_check_monitors | map(object) | {} | targets, protocol, interval_in_seconds, timeout_in_seconds, method, path, port
steering_policies | map(object) | {} | template, domain_name, ttl, health_check_monitor_key, answers[], rules[]
freeform_tags | map(string) | {} | Freeform tags on all resources
defined_tags | map(string) | {} | Defined tags on all resources

Outputs

zone_id, zone_name, zone_nameservers, zone_serial, record_set_ids, health_check_monitor_ids, steering_policy_ids, steering_policy_attachment_ids.

Notes

  • For public zones, delegate the parent domain to the zone_nameservers output so OCI becomes authoritative.
  • Steering-policy attachments require a public (GLOBAL) zone — the module enforces this with a precondition, so a private-zone misconfig fails at plan time, not at apply.
  • Record TTLs below 30 seconds are rejected (validated locally).
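As an added example (not the module's own source, which the page does not show), this is how the guardrails listed under Secure defaults and Notes can be expressed in Terraform/OpenTofu >= 1.6 HCL against the oracle/oci provider. It assumes the remaining inputs from the Inputs table (compartment_id, zone_name, scope, view_id, dnssec_enabled, steering_policies) and an oci_dns_steering_policy.this resource are declared elsewhere; argument names follow the provider schema, with dnssec_state taken to be the zone's DNSSEC toggle.

```hcl
variable "record_sets" {
  type = map(object({
    domain  = string
    rtype   = string
    records = list(object({ ttl = number, rdata = string }))
  }))
  default = {}
  validation {
    # TTLs below 30 seconds are rejected at plan time (the "validated locally" rule).
    condition     = alltrue(flatten([for rs in var.record_sets : [for r in rs.records : r.ttl >= 30]]))
    error_message = "Every record TTL must be >= 30 seconds."
  }
}

resource "oci_dns_zone" "this" {
  compartment_id = var.compartment_id
  name           = var.zone_name
  zone_type      = "PRIMARY" # OCI is the source of truth; never SECONDARY
  scope          = var.scope
  view_id        = var.scope == "PRIVATE" ? var.view_id : null
  # DNSSEC only on public zones; private (view-scoped) zones do not support it.
  dnssec_state   = var.scope == "GLOBAL" && var.dnssec_enabled ? "ENABLED" : "DISABLED"

  lifecycle {
    precondition {
      # Cross-variable check: on 1.6 a variable's validation block may only
      # reference that variable itself, so the scope/view_id rule lives here.
      condition     = var.scope != "PRIVATE" || var.view_id != null
      error_message = "view_id is required when scope = PRIVATE."
    }
  }
}

resource "oci_dns_steering_policy_attachment" "this" {
  for_each           = var.steering_policies
  # Reference the fully-formed policy (with its answers) so the attach-before-answers race cannot occur.
  steering_policy_id = oci_dns_steering_policy.this[each.key].id
  zone_id            = oci_dns_zone.this.id
  domain_name        = each.value.domain_name

  lifecycle {
    precondition {
      # A private-zone misconfig fails here at plan time, not at apply.
      condition     = var.scope == "GLOBAL"
      error_message = "Steering-policy attachments require a public (GLOBAL) zone."
    }
  }
}
```

Both preconditions surface during `tofu plan` / `terraform plan`, which is what the mocked plan tests under Conformance exercise.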

Requirements

  • Terraform or OpenTofu >= 1.6
  • Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial.