Object Storage Bucket
Bucket with versioning, lifecycle/auto-tiering, retention rules, replication and pre-authenticated request support.
Verification
Plan-validated: Passed. Module logic verified on a mocked plan (inputs, validation rules, conditional creation and outputs resolve; no real provider, no cloud).
Conformance
- Static validation (fmt · validate · tflint)
- Security scan clean (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28.
Documentation
oci-object-storage-bucket
OCI Object Storage bucket with versioning, lifecycle/auto-tiering, retention
rules, replication and pre-authenticated request support. Works with
Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.
Secure defaults:
- NoPublicAccess: the bucket is private; share via scoped, expiring PARs
- Object versioning on by default
- Encrypted at rest always; bring your own Vault key via `kms_key_id`
- Object events emission on (free; powers event-driven automation and audit)
- Namespace auto-discovered from the tenancy (override with `namespace`)
Usage
```hcl
module "bucket" {
  source         = "./oci-object-storage-bucket"
  compartment_id = "ocid1.compartment.oc1..xxxx"
  name           = "app-artifacts"

  lifecycle_rules = {
    archive-old = { action = "ARCHIVE", time_amount = 90 }
    abort-stale = { action = "ABORT", time_amount = 7, target = "multipart-uploads" }
  }
}
```
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| compartment_id | string | required | Compartment OCID |
| name | string | required | Bucket name, unique per namespace |
| namespace | string | null | Object Storage namespace; null auto-discovers it from the tenancy |
| access_type | string | NoPublicAccess | NoPublicAccess, ObjectRead or ObjectReadWithoutList |
| storage_tier | string | Standard | Standard or Archive; cannot be changed after the bucket is created |
| versioning_enabled | bool | true | Object versioning (mutually exclusive with retention rules) |
| auto_tiering | string | Disabled | Disabled or InfrequentAccess |
| kms_key_id | string | null | OCID of a customer-managed Vault key; null uses Oracle-managed encryption |
| object_events_enabled | bool | true | Emit Events-service object events (free) |
| metadata | map(string) | {} | User metadata on the bucket |
| retention_rules | map(object) | {} | time_amount, time_unit (DAYS/YEARS), time_rule_locked (RFC3339; the rule cannot be shortened or deleted after this time) |
| lifecycle_rules | map(object) | {} | action (ARCHIVE/INFREQUENT_ACCESS/DELETE/ABORT), time_amount, time_unit, target (objects, multipart-uploads or previous-object-versions), prefixes/patterns |
| replication | object | null | destination_bucket_name, destination_region_name, name |
| preauth_requests | map(object) | {} | access_type, time_expires (RFC3339), object_name, bucket_listing_action |
| freeform_tags / defined_tags | map(string) | {} | Bucket tags |
Outputs
bucket_name, bucket_ocid, namespace, lifecycle_policy_id,
replication_policy_id, preauth_request_ids,
preauth_request_full_paths (sensitive — full PAR URLs are credentials).
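The following root-module configuration is an added example, not part of the module's own code, showing how the PAR and replication inputs are meant to be combined: a private, versioned artifact bucket replicated to a second region and shared through one read-only PAR scoped to a single object with a fixed expiry. It assumes the module sits at `./oci-object-storage-bucket`, that the object attributes of `preauth_requests` not listed here are optional, and that the default `oci` provider is configured elsewhere; the variable names, object name, regions and expiry value are ours.

```hcl
# Added example (not the module's own code). Assumes the input shapes from the
# Inputs table above and a default "oci" provider configured in the root module.

variable "compartment_id" {
  type = string
}

# Fix the expiry in configuration instead of deriving it from timestamp():
# timestamp() changes on every plan, so the PAR would be replaced on each apply.
variable "par_expires" {
  type        = string
  description = "RFC3339 expiry for the release PAR (keep it short-lived)"
  default     = "2026-07-31T00:00:00Z"

  validation {
    # formatdate() parses RFC3339 and fails on anything else; can() turns that into a bool.
    condition     = can(formatdate("YYYY-MM-DD'T'hh:mm:ssZ", var.par_expires))
    error_message = "par_expires must be an RFC3339 timestamp such as 2026-07-31T00:00:00Z."
  }
}

# Second-region provider for the replication target (hypothetical alias and region).
provider "oci" {
  alias  = "phx"
  region = "us-phoenix-1"
}

# Destination bucket first: replication requires it to exist and makes it
# read-only while the policy is active, so nothing else should write to it.
module "artifacts_replica" {
  source         = "./oci-object-storage-bucket"
  providers      = { oci = oci.phx }
  compartment_id = var.compartment_id
  name           = "app-artifacts-replica"
}

module "artifacts" {
  source         = "./oci-object-storage-bucket"
  compartment_id = var.compartment_id
  name           = "app-artifacts"

  # Defaults already give NoPublicAccess, versioning on and object events on.
  # Lifecycle rules additionally need the Object Storage service grant from the Notes.
  lifecycle_rules = {
    prune-old-versions = { action = "DELETE", time_amount = 30, target = "previous-object-versions" }
    abort-stale        = { action = "ABORT", time_amount = 7, target = "multipart-uploads" }
  }

  # Referencing the replica's output orders creation: destination before policy.
  replication = {
    name                    = "to-phx"
    destination_bucket_name = module.artifacts_replica.bucket_name
    destination_region_name = "us-phoenix-1"
  }

  # One PAR, read-only, scoped to a single object, with a fixed expiry.
  preauth_requests = {
    release-v1 = {
      access_type  = "ObjectRead"
      object_name  = "releases/app-1.4.2.tgz"
      time_expires = var.par_expires
    }
  }
}

# The full path is the credential. Keep it sensitive so it never lands in plan
# output or CI logs; read it on demand with `terraform output -raw release_url`.
output "release_url" {
  value     = module.artifacts.preauth_request_full_paths["release-v1"]
  sensitive = true
}
```

Rotating the PAR is a one-line change: bump `par_expires` (or the map key) and apply; the old request is destroyed and its URL stops working, which is the behaviour you want for a leaked link.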
Notes
- Lifecycle rules need an IAM policy for the Object Storage service principal, e.g. `Allow service objectstorage-us-ashburn-1 to manage object-family in compartment <c>`; without it the policy applies but never executes.
- Replication requires the destination bucket to exist first and makes it read-only while the policy is active.
- Retention rules and versioning are mutually exclusive (enforced via a plan precondition).
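Putting the first and third notes together, here is an added example (not the module's own code) of a write-once compliance bucket: versioning is switched off explicitly because the plan precondition rejects retention rules otherwise, the retention rule is given a deliberate lock date, encryption uses a customer-managed Vault key, and the archive lifecycle rule is paired with the `oci_identity_policy` that lets the regional Object Storage service principal act on it. It assumes the module path and input shapes from the Inputs table; the variable names, bucket name, lock date and rule names are ours.

```hcl
# Added example (not the module's own code). Assumes the input shapes from the
# Inputs table above and a default "oci" provider configured in the root module.

variable "compartment_id" {
  type = string
}

variable "region" {
  type        = string
  description = "Region identifier of the bucket, e.g. us-ashburn-1 (hypothetical variable)"
}

variable "audit_kms_key_id" {
  type        = string
  description = "OCID of the Vault key used for at-rest encryption (hypothetical variable)"
}

# Lifecycle rules execute under the Object Storage service principal, which is
# named per region. Grant it in the bucket's compartment before the rules exist.
resource "oci_identity_policy" "objectstorage_lifecycle" {
  compartment_id = var.compartment_id
  name           = "objectstorage-lifecycle-${var.region}"
  description    = "Lets Object Lifecycle Management archive and delete objects in this compartment"
  statements = [
    "Allow service objectstorage-${var.region} to manage object-family in compartment id ${var.compartment_id}",
  ]
}

module "audit_logs" {
  source         = "./oci-object-storage-bucket"
  compartment_id = var.compartment_id
  name           = "audit-logs"
  kms_key_id     = var.audit_kms_key_id

  # Retention rules and versioning are mutually exclusive; the module's plan
  # precondition fails if this stays at its default of true.
  versioning_enabled = false

  retention_rules = {
    hold-7y = {
      time_amount = 7
      time_unit   = "YEARS"
      # After this time the rule can no longer be shortened or deleted, which is
      # the point of a compliance hold. OCI requires the lock date to be at least
      # 14 days in the future, so a fixed value is safer than timestamp().
      time_rule_locked = "2026-08-01T00:00:00Z"
    }
  }

  # Archiving does not delete anything, so it coexists with the retention hold.
  lifecycle_rules = {
    archive-after-90d = { action = "ARCHIVE", time_amount = 90, target = "objects" }
  }

  # Make sure the service grant is in place before the lifecycle policy is created.
  depends_on = [oci_identity_policy.objectstorage_lifecycle]
}
```

Before the lock date passes, run `terraform plan` once more with the intended values: a locked rule can only be extended, never relaxed, and a typo in `time_amount` would otherwise be permanent for the life of the bucket.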
Requirements
- Terraform or OpenTofu >= 1.6
- Provider oracle/oci >= 8.0, < 9.0
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).