IaC Bazaar
Oracle Cloud · Plan-validated

Flexible Load Balancer (L7)

HTTPS load balancer with backend sets, health checks, TLS certificates, rule sets and WAF-ready listeners.

terraform · Oracle Cloud · #oci


oci-load-balancer · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-load-balancer

Flexible OCI L7 (HTTPS) load balancer with backend sets, health checks, TLS certificates, rule sets and WAF-ready listeners. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

  • Private load balancer (is_private = true) — flip explicitly to go internet-facing
  • TLS listeners default to TLSv1.2/1.3 with the OCI default cipher suite
  • 10 Mbps flexible shape min/max — matches the always-free allowance
  • Canned 301 HTTP→HTTPS redirect (host/path/query preserving) one flag away

Usage

module "lb" {
  source         = "./oci-load-balancer"
  compartment_id = "ocid1.compartment.oc1..xxxx"
  name           = "app-lb"
  subnet_ids     = ["ocid1.subnet.oc1.iad.xxxx"] # one regional subnet (or two AD-specific ones)
  is_private     = false                          # explicit opt-in: the default is a private LB

  # file() is for illustration only. PEMs land in Terraform state either way,
  # so in practice read them from a secret store rather than from the repo (see Notes).
  certificates = {
    app-cert-v1 = {
      public_certificate = file("cert.pem")
      private_key        = file("key.pem")
    }
  }

  backend_sets = {
    app = {
      health_check = { url_path = "/healthz" }
      backends = {
        a = { ip_address = "10.0.1.10", port = 8080 }
        b = { ip_address = "10.0.1.11", port = 8080 }
      }
    }
  }

  # protocol stays "HTTP"; setting certificate_name is what makes this a TLS (HTTPS)
  # listener, with the module's TLSv1.2/1.3 and OCI default cipher suite defaults.
  listeners = {
    https = {
      port                = 443
      protocol            = "HTTP"
      default_backend_set = "app"
      certificate_name    = "app-cert-v1"
    }
  }

  # canned 301 listener on port 80 that preserves host, path and query and sends clients to 443
  http_to_https_redirect = { enabled = true }
}

Inputs

Name | Type | Default | Description
compartment_id | string | (required) | Compartment OCID
name | string | (required) | LB display name
subnet_ids | list(string) | (required) | One regional or two AD-specific subnets
is_private | bool | true | Private LB; set false for internet-facing
minimum_bandwidth_in_mbps | number | 10 | Flexible shape floor (10 = always-free)
maximum_bandwidth_in_mbps | number | 10 | Flexible shape ceiling
ip_mode | string | IPV4 | IPV4 or IPV6
network_security_group_ids | list(string) | [] | NSGs attached to the LB
reserved_ip_id | string | null | Reserved public IP OCID (public LBs)
delete_protection_enabled | bool | false | Refuse deletion until disabled
certificates | map(object) | {} | Hosted certs keyed by name: public_certificate, private_key, ca_certificate, passphrase
backend_sets | map(object) | {} | policy, health_check, backends, cookie_session_persistence
listeners | map(object) | {} | port, protocol, default_backend_set, certificate_name, ssl_protocols, cipher_suite_name, idle_timeout_in_seconds, rule_set_names
rule_sets | map(list(object)) | {} | Header add/remove rule sets, attached via listeners
http_to_https_redirect | object | { enabled = false } | Canned 301 redirect listener (listener_port 80 → target_port 443)
freeform_tags / defined_tags | map(string) | {} | LB tags

Outputs

load_balancer_id, ip_addresses, backend_set_names, listener_names, certificate_names, rule_set_names.

Notes

  • Certificate rotation: OCI LB certificates are immutable. Rotate by adding a new certificates key (e.g. app-cert-v2) and updating the listener's certificate_name; create_before_destroy is pre-wired so the old cert is removed only after the listener moves off it.
  • Certificate values pass through Terraform state — feed them from a secret store (Vault secret, OCI Secrets) rather than committing PEMs.
  • The redirect listener needs at least one backend set (OCI requires a default backend set on every listener, even when all traffic is redirected).
  • cookie_session_persistence.is_secure = true is rejected on non-TLS listeners — enable it only when the backend set serves an HTTPS listener.
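The rotation and secret-store notes above, carried through as one root configuration. This is an added example, not the module's own code: the module inputs are the ones documented on this page, but the secret OCIDs, the NSG OCID, the rule set item field names (action, header, value) and the secret_bundle_content[0].content attribute path of the oci_secrets_secretbundle data source are assumptions for illustration.

```hcl
# Added example (not part of the module): rotate app-cert-v1 -> app-cert-v2
# with PEMs read from OCI Vault secrets instead of committed files.

locals {
  # Assumed secret OCIDs, one secret per PEM, keyed by certificate name.
  # Rotation step 1: add the v2 entry while v1 is still present.
  # Rotation step 3 (a later apply): delete the v1 entry once the listener has moved.
  cert_secrets = {
    app-cert-v1 = { cert = "ocid1.vaultsecret.oc1.iad.aaaa", key = "ocid1.vaultsecret.oc1.iad.bbbb" }
    app-cert-v2 = { cert = "ocid1.vaultsecret.oc1.iad.cccc", key = "ocid1.vaultsecret.oc1.iad.dddd" }
  }
}

# secret_bundle_content[0].content is base64 (assumed attribute path), so decode it.
data "oci_secrets_secretbundle" "cert" {
  for_each  = local.cert_secrets
  secret_id = each.value.cert
}

data "oci_secrets_secretbundle" "key" {
  for_each  = local.cert_secrets
  secret_id = each.value.key
}

module "lb" {
  source         = "./oci-load-balancer"
  compartment_id = "ocid1.compartment.oc1..xxxx"
  name           = "app-lb"
  subnet_ids     = ["ocid1.subnet.oc1.iad.xxxx"]
  is_private     = false

  # Public LB: restrict inbound to an NSG (assumed OCID) and guard against accidental destroy.
  network_security_group_ids = ["ocid1.networksecuritygroup.oc1.iad.xxxx"]
  delete_protection_enabled  = true

  # Both bundles exist side by side; OCI certificate bundles are immutable and independent.
  certificates = {
    for name, _ in local.cert_secrets : name => {
      public_certificate = base64decode(data.oci_secrets_secretbundle.cert[name].secret_bundle_content[0].content)
      private_key        = base64decode(data.oci_secrets_secretbundle.key[name].secret_bundle_content[0].content)
    }
  }

  backend_sets = {
    app = {
      health_check = { url_path = "/healthz" }
      backends = {
        a = { ip_address = "10.0.1.10", port = 8080 }
        b = { ip_address = "10.0.1.11", port = 8080 }
      }
    }
  }

  # Rotation step 2: point the listener at v2. create_before_destroy in the module
  # keeps v1 until this listener no longer references it.
  listeners = {
    https = {
      port                = 443
      protocol            = "HTTP"
      default_backend_set = "app"
      certificate_name    = "app-cert-v2"
      ssl_protocols       = ["TLSv1.2", "TLSv1.3"]
      rule_set_names      = ["security-headers"]
    }
  }

  # Response-header rule set attached via rule_set_names; item field names are assumed.
  rule_sets = {
    security-headers = [
      { action = "ADD_HTTP_RESPONSE_HEADER", header = "Strict-Transport-Security", value = "max-age=31536000; includeSubDomains" },
      { action = "ADD_HTTP_RESPONSE_HEADER", header = "X-Content-Type-Options", value = "nosniff" },
    ]
  }

  http_to_https_redirect = { enabled = true }
}
```

Apply this twice: first with both entries in local.cert_secrets (the certificate_names output should list app-cert-v1 and app-cert-v2 and the listener already serves v2), then with the app-cert-v1 entry removed. Doing the removal in the same apply as the listener change works too because of the pre-wired create_before_destroy, but the two-step form gives a clean rollback point if the new bundle fails a handshake check from outside.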

Requirements

  • Terraform or OpenTofu >= 1.6
  • Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
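A mocked plan test in the same style as the catalog's plan validation, as an added example rather than the module's own test suite. It is written as a tests/defaults.tftest.hcl file inside the module directory for `terraform test` (mock_provider needs Terraform 1.7 or later). Assumptions: the module has a validation rule rejecting more than two subnets, and the listener_names and backend_set_names outputs are derived from the configured map keys, so they are known at plan time without a real provider.

```hcl
# Added example (not part of the module): tests/defaults.tftest.hcl
# No OCI credentials and no cloud resources: the provider is mocked.
mock_provider "oci" {}

# Minimum viable inputs, shared by every run block below.
variables {
  compartment_id = "ocid1.compartment.oc1..test"
  name           = "test-lb"
  subnet_ids     = ["ocid1.subnet.oc1.iad.test"]
  backend_sets = {
    app = {
      health_check = { url_path = "/healthz" }
      backends     = { a = { ip_address = "10.0.1.10", port = 8080 } }
    }
  }
}

# Secure default: a caller who says nothing about exposure gets a private LB.
run "private_by_default" {
  command = plan

  assert {
    condition     = var.is_private == true
    error_message = "is_private must default to true"
  }

  assert {
    condition     = output.backend_set_names == ["app"]
    error_message = "backend_set_names should reflect the backend_sets keys"
  }
}

# The redirect flag should add exactly one listener next to the HTTPS one.
run "redirect_adds_listener" {
  command = plan

  variables {
    listeners = {
      https = {
        port                = 443
        protocol            = "HTTP"
        default_backend_set = "app"
      }
    }
    http_to_https_redirect = { enabled = true }
  }

  assert {
    condition     = length(output.listener_names) == 2
    error_message = "expected the https listener plus the canned redirect listener"
  }
}

# Validation rule (assumed): more than two subnets is rejected at plan time.
run "rejects_three_subnets" {
  command = plan

  variables {
    subnet_ids = [
      "ocid1.subnet.oc1.iad.a",
      "ocid1.subnet.oc1.iad.b",
      "ocid1.subnet.oc1.iad.c",
    ]
  }

  expect_failures = [var.subnet_ids]
}
```

Run it with `terraform test` from the module root; because every run block uses `command = plan`, nothing is created even if real credentials happen to be in the environment.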

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).