Using Oracle Object Storage to store Terraform state files
You can store Terraform state files in the Oracle Cloud Infrastructure (OCI) Object Store. Please follow the steps below to configure OCI as your backend for Terraform state files.
Pre-authenticated requests provide a way to let users access a bucket or an object in OCI without having their own credentials. Create a Pre-Authenticated Request with read/write permissions to the object where you will store the Terraform state file.
There are two ways of creating a Pre-Authenticated request. You can do this through the console UI or the CLI.
On the console, navigate to Object Storage, select a bucket or an object, then click on "Create a Pre-Authenticated Request". The object name and expiration time are required to successfully complete this operation. The object name is usually the name of the tf state file. Once this operation is complete, it will return a URL that needs to be saved.
Please refer to the screenshots below on how to do this through the console.
To further enhance the security of your pre-authenticated request you can select a shorter expiration time. Please note that although this practice tightens security, you will be required to generate a new pre-authenticated request and replace the output URL in your configuration files each time the request expires.
This URL will be in the following form: https://prefix/my-access-uri
An example of this URL looks like:
https://objectstorage.us-phoenix-1.oraclecloud.com/bucketname/additionalparams/objectname where
prefix = objectstorage.us-phoenix-1.oraclecloud.com
oci os preauth-request create -ns <namespace> -bn TerraformStates -on foo.tfstate --name TfState1 --access-type ObjectReadWrite --time-expires 2020-09-01T00:09:51.000+02:00
This will return a PreAuthenticatedRequest object. Save the accessUri field from the response to be used later.
Please note that this accessUri will need to be prefixed in some cases depending on your OCI region.
For more information and CLI examples please reference the OCI docs at https://docs.us-phoenix-1.oraclecloud.com/Content/Object/Tasks/managingaccess.htm#pre-auth
The PreAuthenticatedRequest object details can be found at https://docs.us-phoenix-1.oraclecloud.com/api/#/en/objectstorage/20160918/requests/PreauthenticatedRequest
If you have an existing state, upload it using an HTTP PUT to the access URL.
curl -X PUT -H "Content-Type: text/plain" --data-binary "@path/to/local/tfstate" https://<prefix>/<my-access-uri>
Terraform supports different standard backend types, which allow you to store state remotely and also determine how the state is loaded into Terraform. After you have downloaded and installed Terraform, configure "http" as your Terraform backend type. You can reference the example on https://www.terraform.io/docs/backends/types/http.html to do this.
Additionally, the access URI to use in the Terraform config should be of the form:
https://objectstorage.us-phoenix-1.oraclecloud.com/my-access-uri
Example in Terraform config:
terraform {
  backend "http" {
    address = "https://objectstorage.us-phoenix-1.oraclecloud.com/<my-access-uri>"
  }
}
Please note the region in the above URL can be different from Phoenix depending upon your region.
Run the following commands:
terraform init
terraform apply
After completing these steps, you are now ready to use OCI as the backend to store Terraform state files.
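Because the pre-authenticated URL grants read/write access to the state object without any other credential, one option is to keep it out of the committed configuration and pass it to `terraform init` as partial backend configuration. The script below is an added example, not part of the original guide; `PAR_URL` and the function names are hypothetical, and it assumes the committed config contains only an empty `backend "http" {}` block.

```shell
#!/bin/sh
# Added example. PAR_URL is a hypothetical environment variable name.

# The PAR URL is itself the credential: accept only https on an
# objectstorage.<region>.oraclecloud.com host with a non-empty path.
par_url_ok() {
    case "$1" in https://*) ;; *) return 1 ;; esac
    rest=${1#https://}
    host=${rest%%/*}
    upath=${rest#"$host"}
    case "$host" in
        *[!a-z0-9.-]*) return 1 ;;            # rejects user@host, host:port, etc.
        objectstorage.*.oraclecloud.com) ;;
        *) return 1 ;;
    esac
    [ "${#upath}" -gt 1 ]
}

# Print .tf files under directory $1 that hard-code an Object Storage address
# (a real access URI, not the <my-access-uri> placeholder).
find_hardcoded_par() {
    find "$1" -type f -name '*.tf' -exec grep -lE \
        'address[[:space:]]*=[[:space:]]*"https?://objectstorage\.[^"/]*\.oraclecloud\.com/[^"<]' {} +
}

# Initialise the http backend from the environment. The committed config
# carries only an empty block:  terraform { backend "http" {} }
init_backend() {
    dir=${1:-.}
    if ! par_url_ok "${PAR_URL:-}"; then
        echo "PAR_URL is unset or not an https Object Storage URL" >&2
        return 2
    fi
    hits=$(find_hardcoded_par "$dir") || true
    if [ -n "$hits" ]; then
        echo "pre-authenticated URL is hard-coded in: $hits" >&2
        return 3
    fi
    (cd "$dir" && terraform init -backend-config="address=${PAR_URL}")
}
```

Terraform records the resolved backend settings, including the address, in `.terraform/terraform.tfstate` inside the working directory, so keep `.terraform/` out of version control as well.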