OCI MySQL DB System

Deploys an Oracle Cloud Infrastructure MySQL HeatWave Database System — a fully managed MySQL database service with optional High Availability across fault domains, automated backups, point-in-time recovery, and read-scaling endpoints. The component manages the DB System resource itself; HeatWave cluster and replication channels are separate OCI resources with independent lifecycles.

What Gets Created

When you deploy an OciMysqlDbSystem resource, OpenMCF provisions:

  • MySQL DB System — an oci_mysql_mysql_db_system resource in the specified compartment and subnet, placed in a given availability domain on a chosen compute shape. OCI automatically creates a primary read/write endpoint with a private IP address.
  • High Availability replicas — when isHighlyAvailable is true, three instances are provisioned across different fault domains with automatic failover. Standby instances are not directly accessible.
  • Automatic backups — when backupPolicy is configured, daily backups run within a 30-minute window with configurable retention. Point-in-time recovery can be enabled via the nested pitrPolicy.
  • Read endpoint — when readEndpoint is configured and enabled, a separate DNS endpoint distributes read queries across HA replicas for read scaling.
  • Database Console — when databaseConsole is configured and enabled, a web-based MySQL management UI is available on the specified port.
  • REST API service — when rest is configured, the MySQL Router REST API is exposed on the specified port.

Prerequisites

  • OCI credentials configured via environment variables or OpenMCF provider config (API Key, Instance Principal, Security Token, Resource Principal, or OKE Workload Identity)
  • A compartment OCID where the DB System will be created — either a literal value or a reference to an OciCompartment resource
  • A subnet OCID in an existing VCN — either a literal value or a reference to an OciSubnet resource
  • An availability domain name (e.g., Uocm:PHX-AD-1)
  • A compute shape name (e.g., MySQL.VM.Standard.E4.1.8GB)

Quick Start

Create a file mysql-db.yaml:

apiVersion: oci.openmcf.org/v1
kind: OciMysqlDbSystem
metadata:
  name: my-mysql
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.OciMysqlDbSystem.my-mysql
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  availabilityDomain: "Uocm:PHX-AD-1"
  shapeName: "MySQL.VM.Standard.E4.1.8GB"
  subnetId:
    value: "ocid1.subnet.oc1.phx..example"
  adminUsername: "admin"
  adminPassword: "Ex4mpl3!Pass"

Deploy:

openmcf apply -f mysql-db.yaml

This creates a single-instance MySQL DB System with Oracle-managed encryption and the default MySQL configuration for the selected shape. The DB System ID, endpoint hostname, IP address, and port are exported as stack outputs.

Configuration Reference

Required Fields

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| compartmentId | StringValueOrRef | OCID of the compartment where the MySQL DB System will be created. Can reference an OciCompartment resource via valueFrom. | Required |
| availabilityDomain | string | Availability domain for the primary endpoint (e.g., Uocm:PHX-AD-1). Changing this forces recreation. | Min length 1 |
| shapeName | string | Compute shape for the DB System. Determines CPU, memory, and network bandwidth (e.g., MySQL.VM.Standard.E4.1.8GB). | Min length 1 |
| subnetId | StringValueOrRef | OCID of the subnet where the DB System will be placed. Can reference an OciSubnet resource via valueFrom. Changing this forces recreation. | Required |

Optional Fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| displayName | string | metadata.name | Human-readable name shown in the OCI Console. Falls back to metadata.name if not provided. |
| adminUsername | string | — | Administrative username for the database. Changing this forces recreation. |
| adminPassword | string | — | Administrative password. Must be 8-32 characters with at least one numeric, one lowercase, one uppercase, and one special character. Changing this forces recreation. |
| mysqlVersion | string | latest | MySQL version identifier (e.g., 8.0.36, 9.1.0). When omitted, the latest available version is used. Changing this forces recreation. |
| configurationId | StringValueOrRef | — | OCID of a MySQL Configuration defining server variable settings. When omitted, the default configuration for the selected shape is used. |
| isHighlyAvailable | bool | — | When true, provisions three instances across different fault domains with automatic failover. |
| hostnameLabel | string | — | Hostname for the primary endpoint. Combined with the subnet's DNS domain to form the FQDN. |
| ipAddress | string | — | Specific private IP for the primary endpoint. When omitted, OCI auto-assigns. Changing this forces recreation. |
| faultDomain | string | — | Fault domain for the primary endpoint (e.g., FAULT-DOMAIN-1). Changing this forces recreation. |
| port | int32 | 3306 | TCP port for the MySQL protocol. Changing this forces recreation. |
| portX | int32 | 33060 | TCP port for the X Protocol (MySQL Shell, connectors). Changing this forces recreation. |
| description | string | — | User-provided description of the DB System. |
| crashRecovery | string | — | Controls InnoDB crash recovery. Values: ENABLED, DISABLED. Disabling improves write performance but risks data loss. |
| databaseManagement | string | — | Enables monitoring via OCI Database Management service. Values: ENABLED, DISABLED. |
| nsgIds | StringValueOrRef[] | — | OCIDs of network security groups for the DB System VNIC. Can reference OciSecurityGroup resources. |
| dataStorage | DataStorage | — | Data storage configuration. See DataStorage. |
| backupPolicy | BackupPolicy | — | Automatic backup configuration. See BackupPolicy. |
| maintenance | Maintenance | — | Maintenance window configuration. See Maintenance. |
| deletionPolicy | DeletionPolicy | — | Deletion safety configuration. See DeletionPolicy. |
| encryptData | EncryptData | — | Data-at-rest encryption configuration. See EncryptData. |
| secureConnections | SecureConnections | — | TLS certificate configuration for client connections. See SecureConnections. |
| customerContacts | CustomerContact[] | — | Email addresses for operational notifications. Maximum 10 contacts. See CustomerContact. |
| readEndpoint | ReadEndpoint | — | Read-only endpoint for read scaling. See ReadEndpoint. |
| databaseConsole | DatabaseConsole | — | Web-based MySQL management console. See DatabaseConsole. |
| rest | Rest | — | MySQL REST API service configuration. See Rest. |

DataStorage

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| dataStorageSizeInGb | int32 | — | Initial data volume size in gigabytes. Minimum depends on shape (typically 50 GB). |
| isAutoExpandStorageEnabled | bool | — | When true, storage automatically expands when usage nears the limit. |
| maxStorageSizeInGbs | int32 | — | Maximum storage size in GB for auto-expansion. Range: 32768-131072 depending on initial size. Only effective when isAutoExpandStorageEnabled is true. |

BackupPolicy

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| isEnabled | bool | — | Whether automatic backups are enabled. |
| retentionInDays | int32 | — | Number of days to retain automatic backups. |
| windowStartTime | string | — | Start of the 30-minute daily backup window in RFC 3339 time format (e.g., 03:00). When omitted, OCI selects the window. |
| pitrPolicy | PitrPolicy | — | Point-in-time recovery configuration. See PitrPolicy. |

PitrPolicy

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| isEnabled | bool | — | Whether point-in-time recovery is enabled. Requires automatic backups to be enabled. |

Maintenance

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| windowStartTime | string | — | Start of the maintenance window. Format: {day-of-week} {time-of-day} (e.g., mon 10:00). Required when maintenance is configured. |
| maintenanceScheduleType | enum | — | When maintenance patches are applied. Values: early (receive patches earlier), regular (standard Oracle schedule). |
| versionPreference | enum | — | Version selected during upgrades. Values: oldest, second_newest, newest. |
| versionTrackPreference | enum | — | MySQL release stream to follow. Values: long_term_support, innovation, follow (OCI-recommended). |

DeletionPolicy

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| automaticBackupRetention | string | — | What to do with automatic backups on deletion. Values: DELETE, RETAIN. |
| finalBackup | string | — | Whether to create a final backup before deletion. Values: REQUIRE_FINAL_BACKUP, SKIP_FINAL_BACKUP. |
| isDeleteProtected | bool | — | When true, the DB System cannot be deleted until this is set to false. |

EncryptData

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| keyGenerationType | enum | — | Encryption key strategy. Values: system (Oracle-managed), byok (Bring Your Own Key — requires keyId). |
| keyId | StringValueOrRef | — | OCID of the customer-managed encryption key. Required when keyGenerationType is byok. |

SecureConnections

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| certificateGenerationType | enum | — | TLS certificate strategy. Values: system_cert (Oracle-managed), byoc (Bring Your Own Certificate — requires certificateId). |
| certificateId | StringValueOrRef | — | OCID of the customer-managed certificate. Required when certificateGenerationType is byoc. |

CustomerContact

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| email | string | — | Email address for operational notifications (maintenance windows, critical alerts). |

ReadEndpoint

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| isEnabled | bool | — | Whether the read endpoint is enabled. |
| excludeIps | string[] | — | IP addresses to exclude from serving read requests. |
| readEndpointHostnameLabel | string | — | Hostname for the read endpoint. Combined with the subnet's DNS domain to form the FQDN. |
| readEndpointIpAddress | string | — | Specific private IP for the read endpoint. When omitted, OCI auto-assigns. |

DatabaseConsole

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| status | enum | — | Whether the console is active. Values: enabled, disabled. |
| port | int32 | — | Port for the database console. Valid values: 443 or 1024-65535. |

Rest

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| configuration | string | — | REST API configuration mode. |
| port | int32 | — | Port for the REST API service. Valid values: 443 or 1024-65535. |
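
The constraints stated in the field tables above (password complexity, the byok and byoc dependencies, PITR requiring backups, the console and REST port ranges, the 10-contact limit) can be checked before running openmcf apply. The following is an added example, not OpenMCF code: check_spec, PW_CLASSES and BAD_SPEC are hypothetical names, the spec is assumed to be already parsed from the manifest into a dict, and "special character" is assumed to mean any non-alphanumeric character.

```python
import re

# Character classes adminPassword must contain. Treating "special" as any
# non-alphanumeric character is an assumption; the page does not list them.
PW_CLASSES = (r"[0-9]", r"[a-z]", r"[A-Z]", r"[^0-9A-Za-z]")

def check_spec(spec):
    """Return (level, message) findings for a parsed OciMysqlDbSystem spec."""
    out = []
    for field in ("compartmentId", "availabilityDomain", "shapeName", "subnetId"):
        if not spec.get(field):
            out.append(("error", f"{field} is required"))
    pw = spec.get("adminPassword")
    ok = pw is None or (8 <= len(pw) <= 32 and all(re.search(c, pw) for c in PW_CLASSES))
    if not ok:
        out.append(("error", "adminPassword fails the documented complexity rule"))
    enc = spec.get("encryptData") or {}
    if enc.get("keyGenerationType") == "byok" and not enc.get("keyId"):
        out.append(("error", "encryptData.keyId is required for byok"))
    tls = spec.get("secureConnections") or {}
    if tls.get("certificateGenerationType") == "byoc" and not tls.get("certificateId"):
        out.append(("error", "secureConnections.certificateId is required for byoc"))
    backup = spec.get("backupPolicy") or {}
    if (backup.get("pitrPolicy") or {}).get("isEnabled") and not backup.get("isEnabled"):
        out.append(("error", "pitrPolicy requires automatic backups to be enabled"))
    maint = spec.get("maintenance")
    if maint is not None and not maint.get("windowStartTime"):
        out.append(("error", "maintenance.windowStartTime is required"))
    for svc in ("databaseConsole", "rest"):
        port = (spec.get(svc) or {}).get("port")
        if port is not None and port != 443 and not 1024 <= port <= 65535:
            out.append(("error", f"{svc}.port must be 443 or 1024-65535"))
    if len(spec.get("customerContacts") or []) > 10:
        out.append(("error", "customerContacts allows at most 10 entries"))
    if spec.get("crashRecovery") == "DISABLED":
        out.append(("warn", "crashRecovery DISABLED risks data loss"))
    return out

# Constructed spec with deliberate mistakes (not from the page).
BAD_SPEC = {
    "compartmentId": {"value": "ocid1.compartment.oc1..example"},
    "availabilityDomain": "Uocm:PHX-AD-1", "shapeName": "MySQL.VM.Standard.E4.1.8GB",
    "subnetId": {"value": "ocid1.subnet.oc1.phx..example"},
    "adminPassword": "alllowercase1", "crashRecovery": "DISABLED",
    "encryptData": {"keyGenerationType": "byok"}, "databaseConsole": {"port": 80},
    "backupPolicy": {"isEnabled": False, "pitrPolicy": {"isEnabled": True}},
}
for level, msg in check_spec(BAD_SPEC):
    print(f"{level}: {msg}")
```
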

Examples

Minimal Development Instance

A single-instance MySQL DB System with defaults — suitable for development or testing:

apiVersion: oci.openmcf.org/v1
kind: OciMysqlDbSystem
metadata:
  name: dev-mysql
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.OciMysqlDbSystem.dev-mysql
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  availabilityDomain: "Uocm:PHX-AD-1"
  shapeName: "MySQL.VM.Standard.E4.1.8GB"
  subnetId:
    value: "ocid1.subnet.oc1.phx..example"
  adminUsername: "admin"
  adminPassword: "Ex4mpl3!Pass"

High Availability with Backups

HA enabled with daily backups, point-in-time recovery, and a weekly maintenance window:

apiVersion: oci.openmcf.org/v1
kind: OciMysqlDbSystem
metadata:
  name: ha-mysql
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: staging.OciMysqlDbSystem.ha-mysql
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  availabilityDomain: "Uocm:PHX-AD-1"
  shapeName: "MySQL.VM.Standard.E4.4.64GB"
  subnetId:
    value: "ocid1.subnet.oc1.phx..example"
  adminUsername: "admin"
  adminPassword: "Pr0d$ecure!99"
  mysqlVersion: "8.0.36"
  isHighlyAvailable: true
  dataStorage:
    dataStorageSizeInGb: 200
    isAutoExpandStorageEnabled: true
    maxStorageSizeInGbs: 32768
  backupPolicy:
    isEnabled: true
    retentionInDays: 14
    windowStartTime: "03:00"
    pitrPolicy:
      isEnabled: true
  maintenance:
    windowStartTime: "sun 04:00"
    maintenanceScheduleType: regular
    versionPreference: second_newest
    versionTrackPreference: long_term_support

Production with BYOK Encryption, Deletion Protection, and Read Endpoint

Full production configuration with customer-managed encryption, deletion safeguards, read scaling, NSG attachment, and customer contact notifications:

apiVersion: oci.openmcf.org/v1
kind: OciMysqlDbSystem
metadata:
  name: prod-mysql
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.OciMysqlDbSystem.prod-mysql
  env: prod
  org: acme
spec:
  compartmentId:
    value: "ocid1.compartment.oc1..example"
  availabilityDomain: "Uocm:PHX-AD-1"
  shapeName: "MySQL.VM.Standard.E4.8.128GB"
  subnetId:
    value: "ocid1.subnet.oc1.phx..example"
  adminUsername: "dbadmin"
  adminPassword: "Pr0d!Str0ng#42"
  mysqlVersion: "8.0.36"
  isHighlyAvailable: true
  hostnameLabel: "prod-mysql"
  faultDomain: "FAULT-DOMAIN-1"
  port: 3306
  portX: 33060
  description: "Production MySQL for order processing"
  crashRecovery: "ENABLED"
  databaseManagement: "ENABLED"
  nsgIds:
    - value: "ocid1.networksecuritygroup.oc1.phx..example"
  dataStorage:
    dataStorageSizeInGb: 500
    isAutoExpandStorageEnabled: true
    maxStorageSizeInGbs: 65536
  backupPolicy:
    isEnabled: true
    retentionInDays: 30
    windowStartTime: "02:00"
    pitrPolicy:
      isEnabled: true
  maintenance:
    windowStartTime: "sun 05:00"
    maintenanceScheduleType: regular
    versionPreference: oldest
    versionTrackPreference: long_term_support
  deletionPolicy:
    automaticBackupRetention: "RETAIN"
    finalBackup: "REQUIRE_FINAL_BACKUP"
    isDeleteProtected: true
  encryptData:
    keyGenerationType: byok
    keyId:
      value: "ocid1.key.oc1.phx..example"
  secureConnections:
    certificateGenerationType: system_cert
  customerContacts:
    - email: "dba-team@example.com"
    - email: "oncall@example.com"
  readEndpoint:
    isEnabled: true
    readEndpointHostnameLabel: "prod-mysql-ro"
  databaseConsole:
    status: enabled
    port: 443

Using Foreign Key References

Reference OpenMCF-managed compartment, subnet, and network security group resources instead of hardcoding OCIDs:

apiVersion: oci.openmcf.org/v1
kind: OciMysqlDbSystem
metadata:
  name: ref-mysql
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.OciMysqlDbSystem.ref-mysql
spec:
  compartmentId:
    valueFrom:
      kind: OciCompartment
      name: prod-compartment
      fieldPath: status.outputs.compartmentId
  availabilityDomain: "Uocm:PHX-AD-1"
  shapeName: "MySQL.VM.Standard.E4.4.64GB"
  subnetId:
    valueFrom:
      kind: OciSubnet
      name: db-subnet
      fieldPath: status.outputs.subnetId
  adminUsername: "admin"
  adminPassword: "R3fPass!word1"
  isHighlyAvailable: true
  nsgIds:
    - valueFrom:
        kind: OciSecurityGroup
        name: mysql-nsg
        fieldPath: status.outputs.networkSecurityGroupId

Stack Outputs

After deployment, the following outputs are available in status.outputs:

| Output | Type | Description |
| --- | --- | --- |
| db_system_id | string | OCID of the MySQL DB System |
| endpoint_hostname | string | Hostname of the primary (read/write) endpoint |
| endpoint_ip_address | string | Private IP address of the primary (read/write) endpoint |
| endpoint_port | string | TCP port of the primary (read/write) endpoint |

Related Components

  • OciVcn — provides the VCN containing the subnet where the DB System is placed
  • OciSubnet — provides the subnet referenced by subnetId
  • OciCompartment — provides the compartment referenced by compartmentId
  • OciSecurityGroup — manages network security rules attached via nsgIds
