Configuring the Provider

To interact with the Oracle Cloud Infrastructure (OCI) services and resources that the OCI Terraform provider supports, configure the provider with authentication credentials for an OCI account.

Authentication

The OCI Terraform provider supports three authentication methods:

API Key Authentication

Calls to OCI using API Key authentication require that you provide the following credentials:

You can provide these values as Environment Variables or within Terraform configuration variables.

Instance Principal Authorization

Instance principal authorization allows your provider to make API calls from an OCI Compute instance without needing the tenancy_ocid, user_ocid, private_key_path, and fingerprint attributes in your provider definition.

Note

Instance principal authorization applies only to instances that are running in Oracle Cloud Infrastructure.

To enable instance principal authorization for OCI Terraform providers, set the auth attribute to "InstancePrincipal" in your provider definition, as shown in the following example:

variable "region" {}

provider "oci" {
  auth   = "InstancePrincipal"
  region = var.region
}

For more information, see Calling Services from an Instance.

Security Token Authentication

Security Token authentication allows you to run Terraform using a token generated with Token-based Authentication for the CLI. To enable Security Token authentication, set the auth attribute to "SecurityToken" and provide a value for config_file_profile in the provider definition. For example:

# Configure the Oracle Cloud Infrastructure provider to use Security Token authentication
provider "oci" {
  auth = "SecurityToken"
  config_file_profile = "PROFILE"
}

Important

This token expires after one hour. Avoid using this authentication method when provisioning of resources takes longer than one hour. See Refreshing a Token for more information.

Environment Variables

It is common to export the required authentication values as environment variables, or source them in different bash profiles when executing Terraform commands.

If you primarily work in a single compartment, consider exporting the compartment OCID as an environment variable as well. The tenancy OCID is also the OCID of the root compartment, and can be used where any compartment OCID is required.

Tip

Terraform configuration file provider blocks can be completely removed if all API Key Authentication required values are provided as environment variables or are set in a *.tfvars file.

Setting environment variables in Unix and Linux

If your Terraform configurations are limited to a single compartment or user, then using this bash_profile option may be sufficient. For more complex environments, you may want to maintain multiple sets of environment variables.

In your ~/.bash_profile set these variables:

export TF_VAR_tenancy_ocid=<tenancy_OCID>
export TF_VAR_compartment_ocid=<compartment_OCID>
export TF_VAR_user_ocid=<user_OCID>
export TF_VAR_fingerprint=<key_fingerprint>
export TF_VAR_private_key_path=<private_key_path>

Once you've set these values, open a new terminal or source your profile changes:

$ source ~/.bash_profile

Setting environment variables in Windows

Configuring for Windows usage is largely the same:

setx TF_VAR_tenancy_ocid <tenancy_OCID>
setx TF_VAR_compartment_ocid <compartment_OCID>
setx TF_VAR_user_ocid <user_OCID>
setx TF_VAR_fingerprint <key_fingerprint>
setx TF_VAR_private_key_path <private_key_path>

The variables won't be set for the current session. Exit the terminal and reopen it before proceeding.

Note

Ensure your keys are in PEM format. See How to Generate an API Signing Key for more information.

Using the SDK and CLI Configuration File

It is possible to define the required provider values in the same ~/.oci/config file that the SDKs and CLI use. For details on setting up this configuration, see SDK and CLI Configuration File.

Important

Parameter names in the SDK and CLI configuration file are slightly different.

Tip

Terraform configuration file provider blocks can be completely removed if all API Key Authentication required values are provided as environment variables or are set in the ~/.oci/config file.

You can set a non-default OCI config profile as an environment value by using the following command:

export TF_VAR_config_file_profile=<config_file_profile_name>

You can also set the OCI config profile in a provider block. For example:

provider "oci" {
  tenancy_ocid        = var.tenancy_ocid
  config_file_profile = var.config_file_profile
}

Order of Precedence

If the parameters are set in multiple locations, the order of precedence is as follows:

  1. The environment variable
  2. The non-default profile in the OCI config file, if provided
  3. The DEFAULT profile in the OCI config file
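
Under this ordering, a TF_VAR_ value left exported in the shell overrides whatever the config file says, so it is worth checking which source is in effect before a run. The following shell functions are an added example, not part of the original page or of Oracle's tooling. Assumptions: the function names are hypothetical, the config-file key names (tenancy, user, key_file) are those of the SDK and CLI configuration file, and the profile is selected with TF_VAR_config_file_profile (a profile set only in a provider block is not seen).

```shell
#!/bin/sh
# Added example (not Oracle's code): report which source supplies a provider
# value, in the order listed above: environment, non-default profile, DEFAULT.
# Function names are hypothetical. Only the source is printed, never the value.

# Map a provider attribute to its key name in the SDK/CLI config file.
oci_config_key() {
  case "$1" in
    tenancy_ocid)     echo tenancy ;;
    user_ocid)        echo user ;;
    private_key_path) echo key_file ;;
    *)                echo "$1" ;;   # fingerprint and region are unchanged
  esac
}

# Succeed if section [profile] of the config file sets a non-empty key.
oci_profile_has() {  # args: file profile key
  [ -r "$1" ] || return 1
  awk -v want="$2" -v key="$3" '
    /^[ \t]*\[.*\][ \t]*$/ { gsub(/^[ \t]*\[|\][ \t]*$/, ""); cur = $0; next }
    cur == want {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key && v != "") found = 1
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print the winning source for one attribute; returns 1 if nothing sets it.
oci_param_source() {  # args: attribute [config_file]
  attr=$1
  file=${2:-$HOME/.oci/config}
  case "$attr" in ''|*[!a-z_]*) echo invalid; return 2 ;; esac  # guards the eval
  eval "envval=\${TF_VAR_$attr:-}"
  if [ -n "$envval" ]; then echo "env:TF_VAR_$attr"; return 0; fi
  key=$(oci_config_key "$attr")
  profile=${TF_VAR_config_file_profile:-}
  if [ -n "$profile" ] && [ "$profile" != DEFAULT ] &&
     oci_profile_has "$file" "$profile" "$key"; then
    echo "profile:$profile"; return 0
  fi
  if oci_profile_has "$file" DEFAULT "$key"; then echo "profile:DEFAULT"; return 0; fi
  echo unset; return 1
}
```

For example, `oci_param_source user_ocid` prints `env:TF_VAR_user_ocid` when a leftover export is overriding the profile you intended to use.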