MySQL HeatWave DB System

oci-mysql-heatwave

Status: static-validated, live-test pending. Ships under live-test quarantine — no OCI cloud sandbox is wired into CI yet, so the live apply → verify → destroy gate has not run. Static validation (fmt, validate, tflint) passes.

Managed MySQL HeatWave DB System for OCI: a VCN-private MySQL with optional HeatWave analytics cluster, optional 3-node HA, automatic backups with point-in-time recovery, an optional dedicated server configuration, and an optional inbound replication channel. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults

• No public endpoint. MySQL HeatWave is reachable only from inside the VCN; this module places the system in a private subnet and prefers NSGs (nsg_ids) for a deny-by-default data plane.
• Encryption at rest is always on (OCI-managed); TLS in transit is available with secure_connections_certificate_id (BYOC) or the Oracle SYSTEM certificate by default.
• Automatic backups + PITR on by default (7-day retention), with explicit deletion safety: is_delete_protected, final_backup_on_delete and automatic-backup retention on delete.
• Crash recovery on (InnoDB redo + double-write) for durability.
• Replication is encrypted by default (source_ssl_mode = REQUIRED).
• shape_name = MySQL.Free ships an Always-Free single-node 50 GB system for $0; HA and HeatWave need a paid shape (guarded by preconditions and notes).

Usage

module "mysql" {
  source = "./oci-mysql-heatwave"

  compartment_id      = "ocid1.compartment.oc1..xxxx"
  display_name        = "prod-mysql"
  availability_domain = "Uocm:US-ASHBURN-AD-1"
  subnet_id           = module.vcn.subnet_ids["db"]
  nsg_ids             = [module.vcn.network_security_group_ids["db"]]

  admin_username = "appadmin"
  admin_password = var.mysql_admin_password # inject, never hardcode

  # Paid HA + HeatWave analytics:
  shape_name              = "MySQL.2"
  data_storage_size_in_gb = 100
  is_highly_available     = true

  heatwave_enabled      = true
  heatwave_cluster_size = 2
}

Inputs

Name	Type	Default	Description
compartment_id	string	—	Compartment OCID (required)
display_name	string	—	DB system display name (required)
subnet_id	string	—	Private subnet OCID (required)
availability_domain	string	—	AD of the read/write endpoint (required)
fault_domain	string	null	Fault domain for the endpoint
shape_name	string	MySQL.Free	Compute shape (Always-Free by default)
mysql_version	string	null	MySQL version (null = OCI default)
admin_username	string	admin	Administrative user
admin_password	string (sensitive)	—	8-32 chars, mixed classes (required)
data_storage_size_in_gb	number	50	Initial data volume (≥ 50)
is_highly_available	bool	false	3-node HA group (paid)
hostname_label	string	null	Endpoint DNS hostname label
port / port_x	number	3306 / 33060	Classic / X protocol ports
nsg_ids	list(string)	[]	NSGs on the DB system VNIC
crash_recovery_enabled	bool	true	InnoDB redo + double-write
database_management_enabled	bool	false	Database Management monitoring
backup_enabled	bool	true	Automatic backups
backup_retention_in_days	number	7	Backup window (1-35)
backup_window_start_time	string	null	HH:MM backup window start
pitr_enabled	bool	true	Point-in-time recovery
is_delete_protected	bool	false	Block deletion until disabled
final_backup_on_delete	string	SKIP_FINAL_BACKUP	Final backup on delete
retain_automatic_backups_on_delete	string	null	RETAIN / DELETE
maintenance_window_start_time	string	null	"<DAY> HH:MM"
storage_auto_expand_enabled	bool	false	Auto-expand data volume
storage_max_size_in_gbs	number	null	Auto-expand ceiling
secure_connections_certificate_id	string	null	BYOC TLS certificate OCID
create_configuration	bool	false	Create a dedicated server config
configuration_id	string	null	Use an existing config OCID
configuration_variables	object	{}	Server variables for the created config
heatwave_enabled	bool	false	Attach a HeatWave cluster (paid)
heatwave_cluster_size	number	1	HeatWave nodes (1-64)
heatwave_shape_name	string	MySQL.HeatWave.VM.Standard	HeatWave node shape
heatwave_lakehouse_enabled	bool	false	HeatWave Lakehouse
replication_channel	object	{}	Inbound replication channel config
replication_source_password	string (sensitive)	null	Source replication user password
freeform_tags / defined_tags	map(string)	{}	Tags

Outputs

db_system_id, db_system_state, endpoints, ip_address, hostname_label, port, port_x, configuration_id, heatwave_cluster_id, replication_channel_id.

Notes

• admin_password, replication_source_password and the replication CA live in Terraform state — encrypt and access-control your state backend.
• HA and HeatWave are not available on the MySQL.Free shape; pick a paid shape for those.
• create_configuration and configuration_id are mutually exclusive (precondition). configuration_variables are the fixed-name attributes of the provider's variables{} block; null entries fall back to the shape default.
• Storage auto-expansion requires storage_max_size_in_gbs greater than the initial size (precondition).

Requirements

• Terraform or OpenTofu >= 1.6
• Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).