IaC Bazaar
Oracle Cloud · Static-verified

File Storage (NFS)

Elastic NFSv3 file system with mount target, export options, snapshots and NSG-scoped access.

terraform · Oracle Cloud · #oci
oci-file-storage · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-file-storage — File Storage (NFS)

Elastic NFSv3 file system on OCI File Storage: an encrypted-at-rest file system (optionally keyed by your own Vault key), a mount target that consumes one private IP in a subnet, an export that binds the file system into the mount target's export set with deny-leaning per-client options, and optional on-demand snapshots. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. Real apply → mount/verify → destroy against an OCI tenancy is pending a cloud sandbox. The mount target consumes a subnet IP and needs NFS ports (111, 2048-2050) open in its NSG to verify a mount, so it is gated until the live lane exists.

Secure / sane defaults

  • Private only. The mount target is placed on a subnet you choose and is never assigned a public address. NFSv3 has no transport encryption, so the documented posture is: private subnet + an NSG that allows only TCP/UDP 111 and TCP/UDP 2048-2050 from trusted client CIDRs.
  • Deny-by-default exports. With no export_options, the export grants no client access — you must add explicit rules. Each rule defaults to ROOT identity squash (remote root is remapped to nobody/65534) and require_privileged_source_port = true (clients must use a port < 1024).
  • Encryption at rest always on. Bring your own key via kms_key_id (Vault); null uses Oracle-managed keys (still encrypted).
  • Least-privilege auth. allowed_auth defaults to ["SYS"]; tighten to Kerberos (KRB5/KRB5I/KRB5P) where your fleet supports it.

Usage

module "shared_fs" {
  source = "./oci-file-storage"

  compartment_id      = "ocid1.compartment.oc1..xxxx"
  availability_domain = "Uocm:US-ASHBURN-AD-1"
  name                = "app-shared"

  subnet_id = "ocid1.subnet.oc1.iad.xxxx" # private subnet
  mount_target = {
    nsg_ids = ["ocid1.networksecuritygroup.oc1.iad.xxxx"] # NFS-only NSG
  }

  kms_key_id  = "ocid1.key.oc1.iad.xxxx"
  export_path = "/shared"

  export_options = {
    app_subnet = { source = "10.0.1.0/24", access = "READ_WRITE" }
    reporting  = { source = "10.0.2.10/32", access = "READ_ONLY" }
  }

  snapshots = {
    "baseline-2026-06" = {}
  }
}

Mount from a client in an allowed CIDR (resolve a private IP from mount_target_private_ip_ids):

sudo mount -t nfs <mount-target-ip>:/shared /mnt/shared
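The deny-leaning export defaults described under "Secure / sane defaults" are easy to erode one rule at a time, so a small pre-apply check over the export_options map is worth having. The following audit is an added example, not part of the oci-file-storage module: it takes the same map shape the module accepts (with the module's documented defaults filled in), plus the trusted client CIDRs that the NFS-only NSG admits (an assumed input), and flags rules that open the export to everyone, leave remote root unsquashed, accept unprivileged source ports, or rely on AUTH_SYS alone. The sample map is constructed and mirrors the usage block above with one deliberately weak rule added.

```python
"""Audit oci-file-storage export_options against the posture documented on
this page. Added example, not part of the module itself."""
import ipaddress

# Module defaults as documented above: ROOT squash, privileged port, AUTH_SYS.
DEFAULTS = {"access": "READ_ONLY", "identity_squash": "ROOT",
            "require_privileged_source_port": True, "allowed_auth": ["SYS"]}
KERBEROS = {"KRB5", "KRB5I", "KRB5P"}


def audit_export_options(export_options, trusted_cidrs):
    """Return (rule_name, severity, message) findings; [] means clean.
    export_options has the module's input shape: {name: {source, access?, ...}}.
    trusted_cidrs (assumed input) are the client ranges the NSG allows."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for name, raw in (export_options or {}).items():  # empty map = no access
        rule = {**DEFAULTS, **raw}  # apply the module's documented defaults
        src = ipaddress.ip_network(rule["source"], strict=False)
        if src.prefixlen == 0:
            findings.append((name, "HIGH", "source admits every client"))
        elif not any(src.subnet_of(t) for t in trusted if t.version == src.version):
            findings.append((name, "HIGH", f"source {src} outside the trusted client CIDRs"))
        if rule["identity_squash"] == "NONE":
            findings.append((name, "HIGH", "remote root is not squashed"))
        if not rule["require_privileged_source_port"]:
            findings.append((name, "HIGH", "unprivileged source ports accepted"))
        if not KERBEROS & set(rule["allowed_auth"]):
            findings.append((name, "INFO", "AUTH_SYS only; prefer KRB5I/KRB5P"))
    return findings


# Constructed sample: the two rules from the usage block plus one weak rule.
TRUSTED_CLIENT_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]
SAMPLE_EXPORT_OPTIONS = {
    "app_subnet": {"source": "10.0.1.0/24", "access": "READ_WRITE"},
    "reporting": {"source": "10.0.2.10/32", "access": "READ_ONLY"},
    "legacy": {"source": "0.0.0.0/0", "access": "READ_WRITE",
               "identity_squash": "NONE", "require_privileged_source_port": False},
}

if __name__ == "__main__":
    for rule_name, severity, message in audit_export_options(
            SAMPLE_EXPORT_OPTIONS, TRUSTED_CLIENT_CIDRS):
        print(f"{severity:4} {rule_name}: {message}")
```

Run it against the map you intend to pass to the module (for example by loading a .tfvars.json) and gate apply on an empty HIGH list.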

Inputs (key)

| Name | Type | Default | Description |
|---|---|---|---|
| compartment_id | string | (none) | Compartment OCID (required) |
| availability_domain | string | (none) | AD shared by FS + mount target (required) |
| name | string | (none) | File system display name / resource prefix (required) |
| subnet_id | string | (none) | Subnet for the mount target — use a private subnet (required) |
| kms_key_id | string | null | Customer-managed Vault key; null = Oracle-managed |
| filesystem_snapshot_policy_id | string | null | Attach a scheduled snapshot policy |
| mount_target | object | {} | { hostname_label?, ip_address?, nsg_ids?, requested_throughput? } |
| export_path | string | /shared | Absolute NFS export path |
| export_options | map(object) | {} | Per-client rules: { source, access?, identity_squash?, anonymous_uid?, anonymous_gid?, require_privileged_source_port?, allowed_auth? } — empty = no access |
| snapshots | map(object) | {} | On-demand snapshots keyed by name: { expiration_time? } |
| freeform_tags / defined_tags | map(string) | {} | Tags on all resources |

Outputs

file_system_id, file_system_state, mount_target_id, export_set_id, mount_target_private_ip_ids, export_id, export_path, snapshot_ids.

Notes

  • File system and mount target must share an availability domain to be mountable together — this module places both in availability_domain.
  • The mount target's address comes from mount_target_private_ip_ids (resolve a private-IP OCID to its address, or read it in the console); that address is the :/path mount source.
  • Snapshot names are immutable; "rotate" by adding new map keys rather than renaming existing ones.
  • Provisioned throughput (requested_throughput) is billed at the tier you request even when idle — leave it null for elastic/default throughput.

Requirements

  • Terraform or OpenTofu >= 1.6
  • oracle/oci >= 8.0, < 9.0

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/mount/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).