IaC Bazaar
Oracle Cloud · Plan-validated

Functions Application

Serverless Fn application with functions, provisioned concurrency, invoke logging and Events-rule trigger wiring.

terraform · Oracle Cloud · #oci


oci-functions-app · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-functions-app

A serverless OCI Functions (Fn) application and the functions it hosts — each backed by a pre-pushed OCIR container image, with optional provisioned concurrency to kill cold starts, invoke logging wired into OCI Logging, and Events-service rules so functions fire on cloud events. One module call gives you an application running in private subnets, image-signature verification ready to enforce, and per-invocation audit logs. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the oracle/oci provider. Not yet applied against a live OCI tenancy — a live apply requires a container image pre-pushed to OCIR (the podman build/push lane is reusable), so it ships under live-test quarantine until a cloud sandbox exists.

Design & secure defaults

  • Private networking: functions run only in the subnet_ids you supply — use private subnets so functions get no public IP; egress flows through a NAT/service gateway you control.
  • Deny-by-default isolation: prefer network_security_group_ids (stateful NSGs) over wide subnet security lists for the function VNICs.
  • Supply-chain integrity: image signature verification is on by default (image_signature_verification = true). It only engages once you supply image_signing_kms_key_ids — a plan precondition stops you enabling it with no keys rather than silently doing nothing.
  • Immutable images: pin each function to an image_digest (sha256:...) for reproducible, tamper-evident deploys.
  • No plaintext secrets: config maps are documented as non-secret; pass Vault secret OCIDs and resolve them at runtime, never raw credentials.
  • Auditable by default: a dedicated log group + SERVICE invoke log captures every invocation (90-day retention default) unless you opt out.
  • Cost-aware: provisioned concurrency defaults to 0 (on-demand, free-tier friendly); warm instances are opt-in per function.
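How the signature-key precondition and the digest pin from the list above can be expressed in the module's own language, as an added example (not the module's code); it assumes compartment_id, display_name and subnet_ids are declared as in the inputs table, and uses the oracle/oci provider's oci_functions_application image_policy_config block.

```hcl
# Added example (not the module's own code). Variable names follow the inputs
# table; compartment_id, display_name and subnet_ids are assumed to be declared.
variable "image_signature_verification" {
  type    = bool
  default = true
}
variable "image_signing_kms_key_ids" {
  type    = list(string)
  default = []
}
variable "functions" {
  type = map(object({
    image        = string
    image_digest = optional(string)
  }))
  default = {}
  validation {
    # A pin must be a full sha256 digest; mutable tags are not accepted here.
    condition = alltrue([for f in values(var.functions) :
      f.image_digest == null || can(regex("^sha256:[0-9a-f]{64}$", f.image_digest))])
    error_message = "functions[*].image_digest must be sha256:<64 hex chars>."
  }
}
resource "oci_functions_application" "this" {
  compartment_id = var.compartment_id
  display_name   = var.display_name
  subnet_ids     = var.subnet_ids

  # Wire verification in only once keys exist; a keyless policy block verifies nothing.
  dynamic "image_policy_config" {
    for_each = length(var.image_signing_kms_key_ids) > 0 ? [1] : []
    content {
      is_policy_enabled = var.image_signature_verification
      dynamic "key_details" {
        for_each = var.image_signing_kms_key_ids
        content {
          kms_key_id = key_details.value
        }
      }
    }
  }
  lifecycle {
    # Turn "enabled but keyless" into a plan-time error instead of a silent no-op.
    precondition {
      condition     = !(var.image_signature_verification && length(var.image_signing_kms_key_ids) == 0)
      error_message = "image_signature_verification = true needs at least one image_signing_kms_key_ids entry; supply keys or set the flag to false."
    }
  }
}
```

The precondition fails `terraform plan` (or `tofu plan`) before anything is created, so a misconfiguration never reaches the tenancy.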

Usage

module "functions_app" {
  source = "./oci-functions-app"

  compartment_id = "ocid1.compartment.oc1..xxxx"
  display_name   = "checkout"

  subnet_ids                 = ["ocid1.subnet.oc1.iad.xxxx"]            # private subnet
  network_security_group_ids = ["ocid1.networksecuritygroup.oc1.iad.x"] # stateful NSG

  image_signing_kms_key_ids = ["ocid1.key.oc1.iad.xxxx"] # enforce signed images

  functions = {
    "order-processor" = {
      image             = "iad.ocir.io/<ns>/checkout/order-processor:1.0.0"
      image_digest      = "sha256:abc...123"
      memory_in_mbs     = 256
      provisioned_count = 1 # one warm instance
    }
  }

  event_rules = {
    "on-object-create" = {
      condition    = "{\"eventType\":[\"com.oraclecloud.objectstorage.createobject\"]}"
      function_key = "order-processor"
    }
  }
}

The container image must already be pushed to OCIR before apply. Trigger a function purely on demand by omitting event_rules and invoking it via the Fn CLI / API; trigger it on cloud events by adding a rule whose function_key names a key in functions.

Requirements

Requirement            | Version
Terraform / OpenTofu   | >= 1.6
oracle/oci             | >= 8.0, < 9.0

Inputs

Name                         | Type         | Default     | Description
compartment_id               | string       |             | Compartment OCID (required)
display_name                 | string       |             | Application display name (required)
subnet_ids                   | list(string) |             | 1–3 (private) subnet OCIDs functions run in (required)
shape                        | string       | GENERIC_X86 | GENERIC_X86, GENERIC_ARM, or GENERIC_X86_ARM
network_security_group_ids   | list(string) | []          | Up to 5 NSG OCIDs for the function VNICs
config                       | map(string)  | {}          | App-wide env vars (4KB; no plaintext secrets)
syslog_url                   | string       | null        | External tcp/udp/tcp+tls syslog endpoint
image_signature_verification | bool         | true        | Enforce image signature checks (needs keys to engage)
image_signing_kms_key_ids    | list(string) | []          | Vault key OCIDs accepted for signature verification
trace_config                 | object       | null        | APM tracing: { is_enabled, domain_id }
functions                    | map(object)  | {}          | Functions keyed by name; see variable docs for fields
enable_invoke_logging        | bool         | true        | Create log group + SERVICE invoke log
log_retention_days           | number       | 90          | Invoke-log retention (30/60/90/120/150/180)
existing_log_group_id        | string       | null        | Reuse an existing log group instead of creating one
event_rules                  | map(object)  | {}          | Events rules invoking a function; see variable docs
freeform_tags / defined_tags | map(string)  | {}          | Tags applied to created resources

functions value object: image (required OCIR URI), image_digest (sha256:...), memory_in_mbs (128/256/512/1024/2048), timeout_in_seconds (1–300), config (map), provisioned_count (0–100), freeform_tags, defined_tags.

event_rules value object: condition (event-matcher JSON string), function_key (key into functions), description, is_enabled.

Outputs

Name                      | Description
application_id            | Functions application OCID
application_display_name  | Application display name
function_ids              | Map of function name => function OCID
function_invoke_endpoints | Map of function name => invoke endpoint URL
log_group_id              | Log group OCID (created/supplied; null if disabled)
invoke_log_id             | SERVICE invoke log OCID (null if disabled)
event_rule_ids            | Map of event-rule name => rule OCID

Notes

  • OCIR image must exist first. oci_functions_function references an image by URI; a missing image fails the apply, not the plan. The live-test lane builds and pushes a tiny image before applying.
  • IAM for invoke logs. The Functions service principal must be allowed to use logging in the compartment, e.g. Allow service faas to use log-content in compartment <c> — without it the log resource is created but stays empty.
  • Events → Functions requires a policy letting the Events service invoke functions, e.g. Allow service cloudEvents to use fn-invocation in compartment <c>.
  • Image signature verification with empty key list is rejected by a plan precondition; either supply keys or set the flag to false.
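The two grants the notes call for, plus the Events rule that only fires once they exist, as an added example (not the module's own code); var.compartment_id, var.function_id and the policy and rule names are assumptions, and the policy statements are the ones quoted in the notes scoped by compartment OCID.

```hcl
# Added example (not the module's own code). var.compartment_id and
# var.function_id (a value from the module's function_ids output) are assumed.
resource "oci_identity_policy" "functions_runtime" {
  compartment_id = var.compartment_id
  name           = "functions-app-runtime"
  description    = "Let Functions write invoke logs and let Events invoke functions"

  statements = [
    # Without this the SERVICE invoke log is created but never receives entries.
    "Allow service faas to use log-content in compartment id ${var.compartment_id}",
    # Without this an Events rule targeting a function is created but never fires.
    "Allow service cloudEvents to use fn-invocation in compartment id ${var.compartment_id}",
  ]
}

resource "oci_events_rule" "on_object_create" {
  compartment_id = var.compartment_id
  display_name   = "on-object-create"
  is_enabled     = true
  # Same matcher as the Usage block: fire on Object Storage createobject events.
  condition = jsonencode({ eventType = ["com.oraclecloud.objectstorage.createobject"] })

  actions {
    actions {
      action_type = "FAAS"
      is_enabled  = true
      function_id = var.function_id
    }
  }

  # The rule can be created without the policy, but no invocation happens until
  # the grant exists, so make the ordering explicit.
  depends_on = [oci_identity_policy.functions_runtime]
}
```

Both resources are audit-visible: a missing grant shows up as an empty invoke log or a rule with no successful deliveries, which is the symptom the notes describe.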

Verification

Static-validated (tofu fmt, tofu validate, tflint; checkov non-blocking). Live apply/destroy testing pending OCIR image build + cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.