oracle-samples · wsanders00 · Dec 9, 2025 · Dec 5, 2025 · Dec 7, 2025 · Dec 7, 2025
@@ -14,7 +14,7 @@
     "condition": "*",
     "description": "Default condition",
     "payloadMapping": {
-      "$.system": "$"
+      "$.system": "${.}"
     }
   }
 ]
@@ -267,7 +267,7 @@ oci certs-mgmt certificate create-certificate-issued-by-internal-ca \
     --name ${dt_cert_display_name} \
     --certificate-profile-type TLS_CLIENT \
     --issuer-certificate-authority-id ${sub_ca_id} \
-    --subject '{ "dt_cert_common_name": "'${common_name}'", "country": "US" }' \
+    --subject '{ "commonName": "'${dt_cert_common_name}'", "country": "US" }' \
     --validity '{ "timeOfValidityNotAfter": "'$(${date_cmd} -u -d "+1 year" +"%Y-%m-%dT%H:%M:%S.%3NZ")'" }' \
     --certificate-rules '[{
       "ruleType": "CERTIFICATE_RENEWAL_RULE",

@@ -21,8 +21,8 @@
 
 # Root CA
 resource "oci_certificates_management_certificate_authority" "root_ca" {
-  name           = "root-ca${local.environment_name}-${local.region_short_name}"
-  description    = "Root CA${local.environment_description}"
+  name           = "${local.org_name}-${var.app_id}-ca-${local.region_short_name}-root"
+  description    = "Root CA for ${var.app_id}${local.org_description}"
   compartment_id = local.compartment_id
   kms_key_id     = oci_kms_key.ca.id
   certificate_authority_config {
@@ -50,8 +50,8 @@ resource "oci_certificates_management_certificate_authority" "root_ca" {
 
 # Subordinate CA
 resource "oci_certificates_management_certificate_authority" "sub_ca" {
-  name           = "sub-ca${local.environment_name}-${local.region_short_name}"
-  description    = "Subordinate CA${local.environment_description}"
+  name           = "${local.org_name}-${var.app_id}-ca-${local.region_short_name}-sub"
+  description    = "Subordinate CA for ${var.app_id}${local.org_description}"
   compartment_id = local.compartment_id
   kms_key_id     = oci_kms_key.ca.id
   certificate_authority_config {
@@ -82,8 +82,8 @@ resource "oci_certificates_management_certificate_authority" "sub_ca" {
 resource "oci_certificates_management_certificate" "this" {
   count = var.iot_digital_twin_cert_count
 
-  name           = "cert${local.environment_name}-${var.iot_digital_twin_cert_name}-${format("%02d", count.index + 1)}-${local.region_short_name}"
-  description    = "Certificate for Digital Twin  ${var.iot_digital_twin_cert_name}-${format("%02d", count.index + 1)}${local.environment_description}"
+  name           = "${local.org_name}-${var.app_id}-cert-${local.region_short_name}-${var.iot_digital_twin_cert_name}-${format("%02d", count.index + 1)}"
+  description    = "Certificate for Digital Twin ${var.iot_digital_twin_cert_name}-${format("%02d", count.index + 1)} ${local.region_short_name}${local.org_description}"
   compartment_id = local.compartment_id
   certificate_config {
     config_type                     = "ISSUED_BY_INTERNAL_CA"
@@ -118,6 +118,6 @@ locals {
 }
 
 resource "local_file" "certificates" {
-  filename = "data/iot-device-cert-id${local.environment_name}.json"
+  filename = "data/iot-device-cert-id${local.org_name}-${var.app_id}.json"
   content  = jsonencode(local.iot_digital_twin_cert_id)
 }
@@ -58,7 +58,7 @@ resource "terraform_data" "oci_identity_domains_setting_signing_cert_public_acce
 resource "oci_identity_domains_app" "this" {
   count = var.configure_ords_data_access && var.create_confidential_app ? 1 : 0
 
-  display_name  = "app${local.environment_name}"
+  display_name  = "${local.org_name}-${var.app_id}-app"
   idcs_endpoint = local.identity_domain_endpoint
   based_on_template {
     value         = "CustomWebAppTemplateId"
@@ -78,7 +78,7 @@ resource "oci_identity_domains_app" "this" {
   ]
   audience          = "/${split(".", oci_iot_iot_domain_group.this.data_host)[0]}"
   client_type       = "confidential"
-  description       = "Confidential App${local.environment_description}"
+  description       = "Confidential App for ${var.app_id}${local.org_description}"
   is_login_target   = true
   is_oauth_client   = true
   is_oauth_resource = true
@@ -112,8 +112,8 @@ resource "oci_identity_policy" "ca" {
 
   provider       = oci.home
   compartment_id = local.compartment_id
-  name           = "plc${local.environment_name}-ca"
-  description    = "Certificate Authority Service policy${local.environment_description}"
+  name           = "${local.org_name}-${var.app_id}-plc-ca"
+  description    = "Certificate Authority Service policy for ${var.app_id}${local.org_description}"
   statements = [
     "allow any-user to use keys in compartment id ${local.compartment_id} where request.principal.type = 'certificateauthority'",
     "allow any-user to manage objects in compartment id ${local.compartment_id} where request.principal.type = 'certificateauthority'",
@@ -131,8 +131,8 @@ resource "oci_identity_policy" "iot" {
 
   provider       = oci.home
   compartment_id = local.compartment_id
-  name           = "plc${local.environment_name}-iot"
-  description    = "IoT Platform policy${local.environment_description}"
+  name           = "${local.org_name}-${var.app_id}-plc-iot"
+  description    = "IoT Platform policy for ${var.app_id}${local.org_description}"
   statements = [
     "allow any-user to {SECRET_BUNDLE_READ, SECRET_READ} in compartment id ${local.compartment_id} where request.principal.type = 'iotdomain'",
     "allow any-user to {CERTIFICATE_BUNDLE_READ, CERTIFICATE_READ} in compartment id ${local.compartment_id} where request.principal.type = 'iotdomain'",
@@ -154,8 +154,8 @@ resource "oci_identity_compartment" "this" {
 
   provider       = oci.home
   compartment_id = var.parent_compartment_id
-  name           = "cmp${local.environment_name}"
-  description    = "IoT compartment ${local.environment_description}"
+  name           = "${local.org_name}-${var.app_id}-cmp"
+  description    = "IoT compartment for ${var.app_id}${local.org_description}"
   defined_tags   = var.defined_tags
   freeform_tags  = var.freeform_tags
   lifecycle {

@@ -10,8 +10,8 @@
 
 resource "oci_iot_iot_domain_group" "this" {
   compartment_id = local.compartment_id
-  display_name   = "iot-dmn-grp${local.environment_name}-${local.region_short_name}"
-  description    = "Domain Group${local.environment_description}"
+  display_name   = "${local.org_name}-${var.app_id}-iotdmngrp-${local.region_short_name}"
+  description    = "IoT Domain Group for ${var.app_id}${local.org_description}"
 
   defined_tags  = var.defined_tags
   freeform_tags = var.freeform_tags
@@ -24,14 +24,12 @@ resource "oci_iot_iot_domain_group" "this" {
 }
 
 resource "oci_iot_iot_domain" "this" {
-  #Required
   compartment_id      = local.compartment_id
   iot_domain_group_id = oci_iot_iot_domain_group.this.id
-  display_name        = "iot-dmn${local.environment_name}-${local.region_short_name}"
-  description         = "Domain${local.environment_description}"
-
-  defined_tags  = var.defined_tags
-  freeform_tags = var.freeform_tags
+  display_name        = "${local.org_name}-${var.app_id}-iotdmn-${local.region_short_name}"
+  description         = "IoT Domain for ${var.app_id}${local.org_description}"
+  defined_tags        = var.defined_tags
+  freeform_tags       = var.freeform_tags
   lifecycle {
     ignore_changes = [defined_tags, freeform_tags]
   }
@@ -45,8 +43,8 @@ resource "oci_iot_digital_twin_model" "this" {
   count = var.iot_digital_twin_model_spec == null ? 0 : 1
 
   iot_domain_id = oci_iot_iot_domain.this.id
-  display_name  = "iot-mdl${local.environment_name}-${local.region_short_name}"
-  description   = "Digital Twin Model${local.environment_description}"
+  display_name  = "${local.org_name}-${var.app_id}-iotmdl-${local.region_short_name}"
+  description   = "Digital Twin Model for ${var.app_id}${local.org_description}"
   spec = jsonencode(
     merge(
       jsondecode(file("${path.module}/data/${var.iot_digital_twin_model_spec}")),
@@ -71,8 +69,8 @@ resource "oci_iot_digital_twin_adapter" "this" {
   count = var.iot_digital_twin_model_spec == null ? 0 : 1
 
   iot_domain_id         = oci_iot_iot_domain.this.id
-  display_name          = "iot-adptr${local.environment_name}-${local.region_short_name}"
-  description           = "Digital Twin Adapter${local.environment_description}"
+  display_name          = "${local.org_name}-${var.app_id}-iotadptr-${local.region_short_name}"
+  description           = "Digital Twin Adapter for ${var.app_id}${local.org_description}"
   digital_twin_model_id = oci_iot_digital_twin_model.this[0].id
 
   dynamic "inbound_envelope" {
@@ -82,7 +80,7 @@ resource "oci_iot_digital_twin_adapter" "this" {
       dynamic "envelope_mapping" {
         for_each = contains(keys(local.iot_digital_twin_adapter_envelope), "envelopeMapping") ? { envelope_mapping = true } : {}
         content {
-          time_observed = try(local.iot_digital_twin_adapter_envelope.envelopeMapping.time_observed, null)
+          time_observed = try(local.iot_digital_twin_adapter_envelope.envelopeMapping.timeObserved, null)
         }
       }
       dynamic "reference_payload" {
@@ -142,90 +140,49 @@ resource "oci_iot_digital_twin_instance" "this" {
 }
 
 ########## Data access ##########
-
-# As of today, the Terraform OCI provider cannot configure the IoT Domain Group
-# and Domain for data access.
-# As workaround we use the `terraform_data` resource to run the OCI CLI
+# Add dependencies to avoid concurrent data access resource creation
 
 ########## APEX data access ##########
-resource "terraform_data" "oci_iot_configure_data_access_apex" {
+resource "oci_iot_iot_domain_configure_data_access" "apex" {
   count = var.configure_apex_data_access ? 1 : 0
 
-  triggers_replace = {
-    iot_domain_id = oci_iot_iot_domain.this.id
-  }
-
-  provisioner "local-exec" {
-    when        = create
-    interpreter = ["/bin/bash", "-c"]
-    command     = <<-CMD
-      oci iot domain configure-apex-data-access \
-          --iot-domain-id ${self.triggers_replace.iot_domain_id} \
-          --db-workspace-admin-initial-password "${var.apex_admin_initial_password}" \
-          --wait-for-state SUCCEEDED --wait-for-state FAILED
-    CMD
-  }
+  iot_domain_id                       = oci_iot_iot_domain.this.id
+  type                                = "APEX"
+  db_workspace_admin_initial_password = var.apex_admin_initial_password
 }
 
 ########## ORDS data access ##########
-resource "terraform_data" "oci_iot_configure_data_access_ords" {
+resource "oci_iot_iot_domain_configure_data_access" "ords" {
   count = var.configure_ords_data_access ? 1 : 0
 
-  triggers_replace = {
-    iot_domain_id = oci_iot_iot_domain.this.id
-  }
-
-  provisioner "local-exec" {
-    when        = create
-    interpreter = ["/bin/bash", "-c"]
-    command     = <<-CMD
-      oci iot domain configure-ords-data-access  \
-          --iot-domain-id ${self.triggers_replace.iot_domain_id} \
-          --db-allowed-identity-domain-host "${local.identity_domain_endpoint}"  \
-          --wait-for-state SUCCEEDED --wait-for-state FAILED
-    CMD
-  }
+  iot_domain_id                   = oci_iot_iot_domain.this.id
+  type                            = "ORDS"
+  db_allowed_identity_domain_host = local.identity_domain_endpoint
+  depends_on = [
+    oci_iot_iot_domain_configure_data_access.apex
+  ]
 }
 
 ########## Direct database data access ##########
-resource "terraform_data" "oci_cli_configure_direct_database_access_db_vcn" {
+resource "oci_iot_iot_domain_group_configure_data_access" "direct" {
   count = var.configure_direct_database_access ? 1 : 0
 
-  triggers_replace = {
-    iot_domain_group_id = oci_iot_iot_domain_group.this.id
-    vcn_list_hash       = sensitive(join(",", var.db_allow_listed_vcn_ids))
-  }
-
-  provisioner "local-exec" {
-    when        = create
-    interpreter = ["/bin/bash", "-c"]
-    command     = <<-CMD
-      oci iot domain-group configure-data-access  \
-          --iot-domain-group-id ${self.triggers_replace.iot_domain_group_id} \
-          --db-allow-listed-vcn-ids '${jsonencode(var.db_allow_listed_vcn_ids)}' \
-          --wait-for-state SUCCEEDED --wait-for-state FAILED
-    CMD
-  }
+  iot_domain_group_id     = oci_iot_iot_domain_group.this.id
+  db_allow_listed_vcn_ids = var.db_allow_listed_vcn_ids
+  depends_on = [
+    oci_iot_iot_domain_configure_data_access.ords
+  ]
 }
 
-resource "terraform_data" "oci_cli_configure_direct_database_access_db_groups" {
+resource "oci_iot_iot_domain_configure_data_access" "direct" {
   count = var.configure_direct_database_access ? 1 : 0
 
-  triggers_replace = {
-    iot_domain_id   = oci_iot_iot_domain.this.id
-    group_list_hash = sensitive(join(",", var.db_allow_listed_identity_group_names))
-  }
-
-  provisioner "local-exec" {
-    when        = create
-    interpreter = ["/bin/bash", "-c"]
-    command     = <<-CMD
-      oci iot domain configure-direct-data-access \
-          --iot-domain-id ${self.triggers_replace.iot_domain_id} \
-          --db-allow-listed-identity-group-names '${jsonencode(local.prefixed_allow_listed_identity_groups)}' \
-          --wait-for-state SUCCEEDED --wait-for-state FAILED
-    CMD
-  }
+  iot_domain_id                        = oci_iot_iot_domain.this.id
+  type                                 = "DIRECT"
+  db_allow_listed_identity_group_names = local.prefixed_allow_listed_identity_groups
+  depends_on = [
+    oci_iot_iot_domain_group_configure_data_access.direct
+  ]
 }
 
 # Re-query IoT Domain Group to get database token scope and connect string
@@ -235,7 +192,7 @@ data "oci_iot_iot_domain_group" "this" {
 
   iot_domain_group_id = oci_iot_iot_domain_group.this.id
   depends_on = [
-    terraform_data.oci_cli_configure_direct_database_access_db_vcn
+    oci_iot_iot_domain_group_configure_data_access.direct
   ]
 }
 
@@ -246,6 +203,6 @@ data "oci_iot_iot_domain" "this" {
 
   iot_domain_id = oci_iot_iot_domain.this.id
   depends_on = [
-    terraform_data.oci_cli_configure_direct_database_access_db_groups
+    oci_iot_iot_domain_configure_data_access.direct
   ]
 }
@@ -10,8 +10,8 @@
 
 # Locals used for resource naming conventions.
 locals {
-  environment_name        = "-${lower(replace(var.environment_id, " ", "-"))}"
-  environment_description = " (${var.environment_id})"
+  org_name        = lower(replace(var.org_id, " ", ""))
+  org_description = " (${var.org_id})"
   region_short_name = [
     for region in data.oci_identity_regions.all.regions :
     lower(region.key) if region.name == var.region
@@ -43,16 +43,16 @@ locals {
   iot_digital_twin_instances = merge(
     {
       for index, secret in oci_vault_secret.this :
-      "${var.iot_digital_twin_basic_name}-${format("%02d", index + 1)}" => {
-        description  = "Digital Twin ${var.iot_digital_twin_basic_name}-${format("%02d", index + 1)}"
+      "${local.org_name}-${var.app_id}-iotdti-${local.region_short_name}-${var.iot_digital_twin_basic_name}-${format("%02d", index + 1)}" => {
+        description  = "Digital Twin Instance ${var.iot_digital_twin_basic_name}-${format("%02d", index + 1)}"
         external_key = secret.metadata.externalKey
         auth_id      = secret.id
       }
     },
     {
       for index, cert in oci_certificates_management_certificate.this :
-      "${var.iot_digital_twin_cert_name}-${format("%02d", index + 1)}" => {
-        description  = "Digital Twin ${var.iot_digital_twin_cert_name}-${format("%02d", index + 1)}"
+      "${local.org_name}-${var.app_id}-iotdti-${local.region_short_name}-${var.iot_digital_twin_cert_name}-${format("%02d", index + 1)}" => {
+        description  = "Digital Twin Instance ${var.iot_digital_twin_cert_name}-${format("%02d", index + 1)}"
         external_key = cert.subject[0].common_name
         auth_id      = cert.id
       }

@@ -117,7 +117,7 @@ output "iot_data_access_ords_confidential_app" {
     Use the OCI console to create the Confidential App or run the following CLI command:
       oci identity-domains app create \
         --endpoint "https://${local.identity_domain_endpoint}" \
-        --display-name "app${local.environment_name}" \
+        --display-name "app${local.org_name}" \
         --based-on-template '{
             "$ref": "${local.identity_domain_endpoint}/admin/v1/AppTemplates/CustomWebAppTemplateId",
             "value": "CustomWebAppTemplateId",
@@ -137,7 +137,7 @@ output "iot_data_access_ords_confidential_app" {
         ]' \
         --audience "/${split(".", oci_iot_iot_domain_group.this.data_host)[0]}" \
         --client-type confidential \
-        --description "Confidential App${local.environment_description}" \
+        --description "Confidential App${local.org_description}" \
         --is-login-target true \
         --is-o-auth-client true \
         --is-o-auth-resource true \