
Terraform OCI Provider Cycle error when attempt to source user_ocid and fingerprint from OCI Vault #38104

@nivimalla

Description


Terraform Version

Terraform Provider Version: oracle/oci >= 6.0.0 / 7.31.0

Terraform Configuration Files

- Product / Component: Oracle Cloud Infrastructure – Terraform Provider
- Version: oracle/oci >= 6.0.0 / 7.31.0
- Environment: Local execution (Linux), later planned for GitHub Actions CI/CD
- Region: us-ashburn-1 (iad)

Requirement / Business Goal:

We want to follow security best practices and eliminate static API key credentials (user_ocid + fingerprint) from Terraform configuration files and tfvars.

The goal is to store only the user_ocid and fingerprint in OCI Vault secrets and have the Terraform OCI provider authenticate using those Vault values, while keeping tenancy_ocid, region, and private_key_path as-is (hardcoded or from tfvars).

What we tried:

1. Direct use in provider block:

   ```hcl
   user_ocid   = base64decode(data.oci_secrets_secretbundle.user_ocid_bundle.secret_bundle_content[0].content)
   fingerprint = base64decode(data.oci_secrets_secretbundle.fingerprint_bundle.secret_bundle_content[0].content)
   ```

   → Cycle error: `Cycle: data.oci_secrets_secretbundle.fingerprint_bundle, data.oci_secrets_secretbundle.user_ocid_bundle, provider["registry.terraform.io/oracle/oci"]`

2. Two-phase bootstrap with terraform_remote_state:
   - Phase 1: static creds → read Vault → output user_ocid/fingerprint
   - Phase 2: read outputs from state → Works temporarily, but after removing output blocks (phase 2 cleanup), outputs are removed from state → next plan fails with "Unsupported attribute" (no user_ocid / fingerprint in outputs).

3. Hybrid / conditional fallback:

   ```hcl
   user_ocid = var.user_ocid != "" ? var.user_ocid : base64decode(...)
   ```

   with `count = var.user_ocid == "" ? 1 : 0` on the data sources → Still results in cycle when bootstrap vars are removed.
Documentation reference:

From official OCI Terraform Provider documentation (Configuring the Provider): https://registry.terraform.io/providers/oracle/oci/latest/docs https://docs.oracle.com/en-us/iaas/Content/dev/terraform/configuring.htm

- Only four authentication methods are listed: API Key (static), Instance Principal, Resource Principal, Security Token / OKE Workload Identity.
- No mention of dynamic resolution of API Key fields (user_ocid, fingerprint) from data sources or Vault.
- API Key auth requires all parameters to be known at configuration time.
Current status / question to Oracle Support:

We consistently hit a cycle error or state inconsistency when trying to source user_ocid and fingerprint from data.oci_secrets_secretbundle in the same Terraform root module.

Is there an officially supported pattern to:

- Bootstrap the OCI Terraform provider using values stored in OCI Vault secrets, or
- Avoid the cycle when using Vault for provider authentication credentials?
We would prefer to avoid:

- Keeping static API keys in tfvars/GitHub Secrets long-term
- Maintaining a separate bootstrap module/directory/repo
- Using Instance Principal (Terraform not always running on OCI compute)
If this is not possible per current provider design, we would appreciate confirmation and any recommended alternatives or future roadmap items.
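One way to break the cycle described above, added here as an illustration and not code from the issue, from Oracle, or from the provider's documentation: give the two secret reads their own aliased provider configuration whose arguments are all known up front, so the default configuration depends on the data sources while nothing depends on it in turn. It assumes a CLI session profile named `bootstrap` for the Security Token auth method (one of the four methods the docs list) and two assumed variables holding the Vault secret OCIDs.

```hcl
# Added example, not from the issue or the oracle/oci docs. The "bootstrap"
# alias uses the provider's Security Token auth method with an assumed CLI
# session profile name; the two *_secret_id variables are assumed as well.
terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 6.0.0"
    }
  }
}

variable "tenancy_ocid"          { type = string }
variable "region"                { type = string }
variable "private_key_path"      { type = string }
variable "user_ocid_secret_id"   { type = string } # Vault secret OCID (assumed)
variable "fingerprint_secret_id" { type = string } # Vault secret OCID (assumed)

# Bootstrap configuration: every argument is known at configuration time,
# so this provider node depends on no data source.
provider "oci" {
  alias               = "bootstrap"
  auth                = "SecurityToken"
  config_file_profile = "bootstrap"
  region              = var.region
}

# Both secret reads are bound to oci.bootstrap, not to the default
# configuration below, so they no longer close a loop back on themselves.
data "oci_secrets_secretbundle" "user_ocid_bundle" {
  provider  = oci.bootstrap
  secret_id = var.user_ocid_secret_id
}

data "oci_secrets_secretbundle" "fingerprint_bundle" {
  provider  = oci.bootstrap
  secret_id = var.fingerprint_secret_id
}

# Default configuration: depends on the data sources (which depend on
# oci.bootstrap); nothing points back at it, so the graph is acyclic.
provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  region           = var.region
  private_key_path = var.private_key_path
  user_ocid        = base64decode(data.oci_secrets_secretbundle.user_ocid_bundle.secret_bundle_content[0].content)
  fingerprint      = base64decode(data.oci_secrets_secretbundle.fingerprint_bundle.secret_bundle_content[0].content)
}
```

Values returned by data sources are written to Terraform state, so the decoded user_ocid and fingerprint will appear there; the state backend needs the same protection as the tfvars this change is meant to retire.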
