IaC Bazaar
Oracle Cloud · Plan-validated

Vault, Keys & Secrets

KMS vault with HSM/software master keys, key rotation and secret lifecycle management for app credentials.

terraform · Oracle Cloud · #oci


oci-vault-kms · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-vault-kms

KMS vault with HSM/software master keys, key rotation and secret lifecycle management for app credentials. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

  • Keys are HSM-protected AES-256 unless you say otherwise
  • Optional automatic key rotation (60-365 days; HSM-protected keys only)
  • Secrets get a reuse rule by default (old values, even deleted versions, can't be re-set) and an optional expiry rule that blocks retrieval of expired content
  • Secret material flows through a dedicated sensitive variable (secret_values) — metadata and plan diffs never show plaintext

Usage

module "vault" {
  source = "./oci-vault-kms"

  compartment_id = "ocid1.compartment.oc1..xxxx"
  name           = "prod-vault"

  keys = {
    app-master  = {}                               # HSM AES-256
    db-wrapping = { rotation_interval_days = 90 }  # auto-rotated
    api-signing = { algorithm = "RSA", length = 256 }
  }

  secrets = {
    app-db-password = {
      key_name        = "app-master"
      description     = "Application database password"
      expiry_interval = "P90D"
    }
  }

  secret_values = {
    app-db-password = var.app_db_password # inject, never hardcode
  }
}

Inputs

Name             Type                       Default   Description
compartment_id   string                     none      Compartment OCID (required)
name             string                     none      Vault display name (required)
vault_type       string                     DEFAULT   Or VIRTUAL_PRIVATE (dedicated HSM partition)
keys             map(object)                {}        Keys by name: algorithm (AES/RSA/ECDSA), length (bytes), curve_id, protection_mode (HSM/SOFTWARE), rotation_interval_days
secrets          map(object)                {}        Secrets by name: key_name, description, expiry_interval (day-denominated ISO-8601, P1D to P90D), block_retrieval_on_expiry, prevent_reuse
secret_values    map(string) (sensitive)    {}        Secret name => plaintext value; must cover every key of secrets
freeform_tags    map(string)                {}        Freeform tags on all resources

Outputs

vault_id, vault_management_endpoint, vault_crypto_endpoint, key_ids, key_current_versions, secret_ids.

Notes

  • Destroy semantics: OCI vaults and keys cannot be deleted immediately — destroy schedules deletion (7-30 days, default 30). A successful destroy means deletion has been scheduled, not that the resources are gone; the vault name stays taken until the schedule completes.
  • Secret plaintext is base64-encoded by the module and stored in Terraform state — encrypt and access-control your state backend.
  • Automatic rotation requires HSM protection (enforced by a precondition).
  • ECDSA keys: set curve_id (NIST_P256, NIST_P384, NIST_P521).
  • Updating a value in secret_values creates a new secret version; the reuse rule rejects values that were used before.
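The inputs table and the notes above together describe a set of rules the module enforces at plan time (rotation only on HSM keys, rotation window, ECDSA curve required, day-denominated expiry, secret_values covering every secret). The following pre-apply lint is an added example, not the module's own validation code: it checks a tfvars-shaped dict against those documented rules before terraform ever runs, so a CI job can reject a bad configuration without touching state or the cloud. The rule set and the two sample configurations are assumptions reconstructed from this page; error messages deliberately never echo secret plaintext.

```python
"""Pre-apply lint for oci-vault-kms inputs.

Added illustration: checks a tfvars-shaped dict against the rules this page
documents (assumed from the README; not the module's own validation).
"""
from __future__ import annotations

import re
from typing import Any

# Rules as documented on the page (assumed limits, taken from the README text)
ROTATION_DAYS = (60, 365)                        # automatic rotation window
ALGORITHMS = {"AES", "RSA", "ECDSA"}
PROTECTION_MODES = {"HSM", "SOFTWARE"}
CURVES = {"NIST_P256", "NIST_P384", "NIST_P521"}
EXPIRY_RE = re.compile(r"^P(\d+)D$")             # day-denominated ISO-8601
EXPIRY_DAYS = (1, 90)


def check_keys(keys: dict[str, dict[str, Any]]) -> list[str]:
    """Return one message per rule violated by the keys map."""
    errors: list[str] = []
    for name, spec in keys.items():
        algorithm = spec.get("algorithm", "AES")          # module default
        protection = spec.get("protection_mode", "HSM")   # module default
        rotation = spec.get("rotation_interval_days")
        if algorithm not in ALGORITHMS:
            errors.append(f"key {name}: algorithm must be one of {sorted(ALGORITHMS)}")
        if protection not in PROTECTION_MODES:
            errors.append(f"key {name}: protection_mode must be HSM or SOFTWARE")
        if algorithm == "ECDSA" and spec.get("curve_id") not in CURVES:
            errors.append(f"key {name}: ECDSA keys need curve_id in {sorted(CURVES)}")
        if rotation is not None:
            if protection != "HSM":
                errors.append(f"key {name}: automatic rotation requires HSM protection")
            if not ROTATION_DAYS[0] <= int(rotation) <= ROTATION_DAYS[1]:
                errors.append(f"key {name}: rotation_interval_days must be 60-365")
    return errors


def check_secrets(secrets: dict[str, dict[str, Any]],
                  secret_values: dict[str, str],
                  keys: dict[str, dict[str, Any]]) -> list[str]:
    """Return one message per rule violated by secrets / secret_values."""
    errors: list[str] = []
    for name, spec in secrets.items():
        if spec.get("key_name") not in keys:
            errors.append(f"secret {name}: key_name refers to an undefined key")
        expiry = spec.get("expiry_interval")
        if expiry is not None:
            m = EXPIRY_RE.match(expiry)
            if not m or not EXPIRY_DAYS[0] <= int(m.group(1)) <= EXPIRY_DAYS[1]:
                errors.append(f"secret {name}: expiry_interval must be P1D to P90D")
    # secret_values must cover every secret exactly; messages never echo values
    missing = sorted(set(secrets) - set(secret_values))
    if missing:
        errors.append(f"secret_values missing for: {missing}")
    extra = sorted(set(secret_values) - set(secrets))
    if extra:
        errors.append(f"secret_values has no matching secret for: {extra}")
    for name in secrets.keys() & secret_values.keys():
        if not secret_values[name]:
            errors.append(f"secret {name}: empty plaintext value")
    return errors


def lint(config: dict[str, Any]) -> list[str]:
    """Lint a whole module-input dict; an empty list means it passes."""
    keys = config.get("keys", {})
    return check_keys(keys) + check_secrets(
        config.get("secrets", {}), config.get("secret_values", {}), keys)


# Constructed sample mirroring the Usage block on this page (placeholder value)
GOOD = {
    "keys": {
        "app-master": {},
        "db-wrapping": {"rotation_interval_days": 90},
        "api-signing": {"algorithm": "RSA", "length": 256},
    },
    "secrets": {
        "app-db-password": {"key_name": "app-master", "expiry_interval": "P90D"},
    },
    "secret_values": {"app-db-password": "constructed-placeholder"},
}

# Constructed sample that breaks several documented rules at once
BAD = {
    "keys": {
        "soft-rotated": {"protection_mode": "SOFTWARE", "rotation_interval_days": 30},
        "sig": {"algorithm": "ECDSA"},              # curve_id missing
    },
    "secrets": {
        "token": {"key_name": "sig", "expiry_interval": "P400D"},
        "orphan": {"key_name": "app-master"},       # key not defined here
    },
    "secret_values": {"token": "constructed-placeholder"},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, lint(cfg) or "ok")
```

Run it directly to see the good sample pass and the bad sample produce six findings (two for the software-protected rotated key, one each for the missing curve, the out-of-range expiry, the dangling key_name and the uncovered secret). Feeding it a real terraform.tfvars.json is a matter of json.load on the file and passing the dict to lint; keep the file itself out of version control, since it carries the secret_values plaintext.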

Requirements

  • Terraform or OpenTofu >= 1.6
  • Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).