IaC Bazaar
Oracle Cloud · Static-verified

OCI VCN (hub-ready network foundation)

Production VCN with public/private subnets, internet/NAT/service gateways, route tables, NSGs and IPv6 — the module every OCI tenancy starts with.

terraform · Oracle Cloud · #oci


oci-vcn · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

oci-vcn

Production VCN with public/private subnets, internet/NAT/service gateways, route tables, NSGs and IPv6 — the module every OCI tenancy starts with. Works with Terraform and OpenTofu (>= 1.6), OCI provider >= 8.0, < 9.0.

Secure defaults:

  • Private subnets prohibit public IPs on VNICs and route via NAT/service gateway
  • No security rules are opened implicitly — every rule is an explicit NSG entry
  • Service-gateway route keeps Oracle Services Network traffic (Object Storage, OS updates) off the public internet
  • IPv6 is opt-in (VCN-level enable_ipv6 + per-subnet ipv6_index /64 carve)

Usage

module "vcn" {
  source         = "./oci-vcn"
  compartment_id = "ocid1.compartment.oc1..xxxx"
  name           = "prod"
  cidr_blocks    = ["10.0.0.0/16"]
  dns_label      = "prod"

  subnets = {
    app = { cidr_block = "10.0.0.0/24", type = "public", dns_label = "app" }
    db  = { cidr_block = "10.0.1.0/24", type = "private", dns_label = "db" }
  }

  network_security_groups = {
    web = {
      rules = {
        https_in = { direction = "INGRESS", protocol = "6", source = "0.0.0.0/0", port_min = 443 }
        all_out  = { direction = "EGRESS", protocol = "all", destination = "0.0.0.0/0" }
      }
    }
  }
}

Inputs

Name                     Type          Default            Description
compartment_id           string        (none)             Compartment OCID owning all resources (required)
name                     string        (none)             Display-name prefix for all resources (required)
cidr_blocks              list(string)  ["10.0.0.0/16"]    VCN IPv4 CIDR blocks
dns_label                string        null               VCN DNS label (max 15 chars); null disables VCN DNS
enable_ipv6              bool          false              Oracle-allocated GUA /56 + IPv6 default route
create_internet_gateway  bool          true               Internet gateway + public route table
create_nat_gateway       bool          true               NAT gateway for private egress
create_service_gateway   bool          true               Service gateway for Oracle Services Network
subnets                  map(object)   {}                 Subnets keyed by name: cidr_block, type (public/private), dns_label, availability_domain, ipv6_index
network_security_groups  map(object)   {}                 NSGs with rule maps: direction, protocol, source/destination, port_min/port_max, icmp_type/icmp_code, stateless
freeform_tags            map(string)   {}                 Freeform tags on all resources
defined_tags             map(string)   {}                 Defined tags on all resources

Outputs

vcn_id, vcn_cidr_blocks, vcn_ipv6_cidr_blocks, vcn_domain_name, default_security_list_id, subnet_ids, subnet_domain_names, internet_gateway_id, nat_gateway_id, nat_gateway_public_ip, service_gateway_id, public_route_table_id, private_route_table_id, network_security_group_ids.

Notes

  • Public subnets are attached to the IGW route table; private subnets to the NAT + service-gateway route table — no manual route wiring needed.
  • The VCN's default security list is left unmanaged and is not attached to the module's subnets, so its rules have no effect; attach NSGs to VNICs/load balancers instead.
  • Subnet dns_label only takes effect when the VCN dns_label is set.
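As an added illustration (not the module's own documentation or code): a three-tier layout that uses only the inputs listed above, with every NSG rule written as an explicit, least-privilege entry instead of the blanket egress shown in Usage. The compartment OCID, tier CIDRs, service ports and the bastion range 203.0.113.0/24 are assumed placeholder values, and ipv6_index is assumed to be optional per subnet.

```hcl
module "vcn" {
  source         = "./oci-vcn"
  compartment_id = "ocid1.compartment.oc1..PLACEHOLDER" # assumed placeholder, not a real OCID
  name           = "prod"
  cidr_blocks    = ["10.0.0.0/16"]
  dns_label      = "prod"
  enable_ipv6    = true # opt-in: Oracle-allocated /56, carved per subnet via ipv6_index

  subnets = {
    # Only the web tier is public; app and db stay private and egress via NAT / service gateway.
    web = { cidr_block = "10.0.0.0/24", type = "public",  dns_label = "web", ipv6_index = 0 }
    app = { cidr_block = "10.0.1.0/24", type = "private", dns_label = "app", ipv6_index = 1 }
    db  = { cidr_block = "10.0.2.0/24", type = "private", dns_label = "db" } # IPv4 only
  }

  network_security_groups = {
    web = {
      rules = {
        # Inbound HTTPS from anywhere (v4 and v6); everything else stays closed.
        https_in  = { direction = "INGRESS", protocol = "6", source = "0.0.0.0/0", port_min = 443, port_max = 443 }
        https6_in = { direction = "INGRESS", protocol = "6", source = "::/0", port_min = 443, port_max = 443 }
        # Admin SSH only from an assumed bastion range (TEST-NET-3 placeholder), never 0.0.0.0/0.
        ssh_admin = { direction = "INGRESS", protocol = "6", source = "203.0.113.0/24", port_min = 22, port_max = 22 }
        # Egress limited to the app tier's service port; rules are stateful, so replies need no extra rule.
        to_app    = { direction = "EGRESS", protocol = "6", destination = "10.0.1.0/24", port_min = 8080, port_max = 8080 }
      }
    }
    app = {
      rules = {
        from_web  = { direction = "INGRESS", protocol = "6", source = "10.0.0.0/24", port_min = 8080, port_max = 8080 }
        to_db     = { direction = "EGRESS", protocol = "6", destination = "10.0.2.0/24", port_min = 5432, port_max = 5432 }
        # HTTPS egress for package updates; the private route table sends it via NAT / service gateway.
        https_out = { direction = "EGRESS", protocol = "6", destination = "0.0.0.0/0", port_min = 443, port_max = 443 }
      }
    }
    db = {
      rules = {
        from_app  = { direction = "INGRESS", protocol = "6", source = "10.0.1.0/24", port_min = 5432, port_max = 5432 }
        # ICMP "fragmentation needed" from inside the VCN keeps path-MTU discovery working.
        pmtu_in   = { direction = "INGRESS", protocol = "1", source = "10.0.0.0/16", icmp_type = 3, icmp_code = 4 }
        https_out = { direction = "EGRESS", protocol = "6", destination = "0.0.0.0/0", port_min = 443, port_max = 443 }
      }
    }
  }

  freeform_tags = { env = "prod", owner = "platform" }
}
```

Because no rule sets stateless = true, each NSG rule is stateful and return traffic is allowed automatically; the db tier therefore needs no ingress rule for the web tier at all.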

Requirements

  • Terraform or OpenTofu >= 1.6
  • Provider oracle/oci >= 8.0, < 9.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).