hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

Terraform Backend with OCI Object Storage #34465

Open ravinitp opened 11 months ago

ravinitp commented 11 months ago

Terraform Version

latest

Use Cases

A new Terraform backend utilising Oracle Cloud Infrastructure (OCI) Object Storage as the storage backend. Leveraging OCI Object Storage provides a scalable and cost-effective alternative to traditional backends, offering a robust solution for state file storage and management.

Attempted Solutions

Traditional Terraform backends, such as Amazon S3 and Azure Blob Storage, have been widely used for state file storage. However, for organisations operating within the Oracle Cloud ecosystem, OCI Object Storage presents an attractive option. This custom backend aims to facilitate Terraform deployments within OCI by seamlessly integrating with OCI Object Storage.

We aim to introduce OCI as a Terraform backend option, leveraging Object Storage. This implementation supports state lock relying on object storage alone, eliminating the need for DynamoDB when using S3-backed solutions.

Proposal

1. The Terraform user configures the backend using the custom backend module, specifying the OCI Object Storage details.


  backend "oci" {
    bucket    = "<mybucket>"
    object    = "<state file name>"
    namespace = "<Namespace>"

    # Other OCI authentication details
    tenancy_ocid         = "<Your Tenancy OCID>"
    user_ocid            = "<Your User OCID>"
    fingerprint          = "<Your API Key Fingerprint>"
    private_key_path     = "<Path to Your Private Key File>"
    region               = "<OCI Region>"
  }
}
--

2. During Terraform operations, the backend module interacts with OCI IAM to authenticate and obtain the necessary credentials.
3. The state file is read from or written to OCI Object Storage securely.
4. Access control policies ensure that only authorised users and services can interact with the state files.

### References

- [#32634](https://github.com/hashicorp/terraform/issues/32634)
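The proposal says state locking can rely on object storage alone, with no DynamoDB-style table. The Go sketch below is an added illustration, not code from this issue or from any OCI backend: it assumes an in-memory `Bucket` whose `PutIfAbsent` stands in for OCI Object Storage's `PutObject` with `If-None-Match: "*"` (an assumed mapping), and the `LockInfo` record shape is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LockInfo is the record written to "<state object>.lock" (a constructed shape).
type LockInfo struct{ ID, Who string }

// Bucket is a constructed in-memory stand-in for an object-storage bucket so the
// example runs offline. PutIfAbsent models OCI's conditional PutObject with
// If-None-Match: "*" (an assumed mapping, not the proposed backend's code).
type Bucket struct{ objs map[string][]byte }

// PutIfAbsent stores data only when no object of that name exists yet.
func (b *Bucket) PutIfAbsent(name string, data []byte) bool {
	if _, exists := b.objs[name]; exists {
		return false // the conditional write fails closed
	}
	b.objs[name] = data
	return true
}

// Lock claims the lock object; a second caller is refused and told who holds it.
func (b *Bucket) Lock(state string, info LockInfo) error {
	data, _ := json.Marshal(info)
	if b.PutIfAbsent(state+".lock", data) {
		return nil
	}
	var held LockInfo
	_ = json.Unmarshal(b.objs[state+".lock"], &held)
	return fmt.Errorf("state %s locked by %q (ID %s)", state, held.Who, held.ID)
}

// Unlock releases the lock only for the ID that acquired it; any other ID is refused.
func (b *Bucket) Unlock(state, id string) error {
	var held LockInfo
	raw, ok := b.objs[state+".lock"]
	if !ok || json.Unmarshal(raw, &held) != nil || held.ID != id {
		return fmt.Errorf("refusing unlock of %s: lock missing or held by another ID", state)
	}
	delete(b.objs, state+".lock")
	return nil
}

func main() {
	b := &Bucket{objs: map[string][]byte{}}
	fmt.Println(b.Lock("prod.tfstate", LockInfo{"run-1", "alice@ci"}), b.Lock("prod.tfstate", LockInfo{"run-2", "bob@laptop"}))
}
```

Because the lock object is created with a conditional write, the storage service itself arbitrates the race; a crashed run leaves the lock object behind, which is exactly what a `force-unlock` path would need to clear.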
crw commented 11 months ago

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!

ravinitp commented 11 months ago

> Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!

Hi @crw, just wanted to know if I can start the development or should I wait for approval?

crw commented 11 months ago

I will run this past product, I didn't realize you were offering to build the backend. We have not been adding new backends in quite some time, just to set expectations, but it is always worth reviewing these policies.

MayaN2212 commented 9 months ago

Hi @crw please add this backend feature it will be beneficial for people who are using Oracle Cloud

Josephred999 commented 8 months ago

I know this is not the right platform, but is there the same backend compatibility for Dell ECS Enterprise Object Storage (Dell ECS)? If it doesn't exist, can I request it the same way the original requestor did here? Hopefully it's ok to ask since I am in the same boat.

galovics commented 5 months ago

@crw is there an update on this? Thanks.

crw commented 5 months ago

No update right now. I'll raise this with product and engineering to see if we would support it. I notice that @ravinitp has as his GitHub bio "Terraform provider Developer at OCI" which is encouraging; usually the provider developer also is the codeowner for any related backend.

galovics commented 5 months ago

@crw so is it a question of supporting this or a matter of capacity to implement it? If the latter, I'm sure @ravinitp can do the implementation.

crw commented 5 months ago

It is both. When this originally came up, we had recently gone through the exercise of deprecating unmaintained backends. If @ravinitp implements this backend, the expectation is that @ravinitp would also become the CODEOWNER for this backend and support it into the future. However, every backend PR still needs to be code reviewed and approved by a core maintainer, so it does add more work for the core maintainer team and would be prioritized accordingly.

galovics commented 5 months ago

Thanks @crw for the clarification. @ravinitp, would it be possible for you to start development on this front and become the codeowner for the backend? Thanks.

ravinitp commented 5 months ago

Sure @galovics,

I will share the ETA for this. @crw, just wanted to reconfirm: if the code looks good, satisfies all the requirements, and passes all tests, will Hashicorp allow the merge?

crw commented 5 months ago

I am currently working on getting that answer, @ravinitp. I will update this thread when I have clear guidance for you.

galovics commented 5 months ago

Superb @crw, thank you.

galovics commented 4 months ago

@crw Do you by any chance have updates? Thanks.

galovics commented 4 months ago

@crw probably you are out on vacation but still wanted to ping you on the status.

crw commented 4 months ago

Apologies for the late response, I was hoping to get some feedback from our product team. On a basic level, what has been written in Contributing.md still is true:

> The Terraform team is not merging PRs for new state storage backends. Our priority regarding state storage backends is to find maintainers for existing backends and remove those backends without maintainers.

I've been working to develop a more nuanced approach to backends. However, it is not currently the top priority. I'll keep raising this with the product team. Thanks!

galovics commented 4 months ago

@crw I understand the general view on this, but still: Oracle is a major cloud provider today, and I think the fact that Terraform doesn't natively support OCI Object Storage as a backend is just a huge gap.

I see the future maintainer of this new backend, I see he wants to do the implementation too; I'm just not sure what the showstopper is here.

Let me know what needs to be done so that Oracle, as a major cloud provider, gets supported with Terraform.

galovics commented 4 months ago

@crw any chance we can proceed on this thread?

crw commented 4 months ago

I have no new information; I do not think this will proceed before HashiConf at the earliest.

galovics commented 4 months ago

Noted @crw, thanks for the update.

galovics commented 1 week ago

@crw any chance there was progress here?

crw commented 6 days ago

This one will be on hold for a while -- the current guidance on backends has not changed, and there are internal discussions proceeding on the future of backends. Once those resolve, we'll have more information for you.

eshneken commented 5 days ago

@crw Echoing comments from @galovics, it seems problematic to not support a pull request from OCI. You are missing first-class support for 1 of the 4 leaders in the Gartner Magic Quadrant for Strategic Cloud Platform Services.

The current solution (using S3 backends) is very limiting because it does not support native state locking (requiring extra cost and complexity to set up extra infrastructure) and also does not support OCI's native short-lived tokens for authentication. The latter is an issue because it requires users to place long-lived S3 secret credentials into a local credentials file and figure out a solution for rotation/revocation. All of this would be solved with a native backend, which from the above thread looks like OCI is willing to maintain/support.

The general policy of reducing backends is understood, but given that OCI is one of four MQ leaders and there is a material deficiency in terms of adoption and functionality, it seems like this should be seriously considered.