diff --git a/builds/build_cli.sh b/builds/build_cli.sh index 06dcb225..4b251cd8 100644 --- a/builds/build_cli.sh +++ b/builds/build_cli.sh @@ -80,6 +80,8 @@ replace_variables() sed -i '/variable "generate_dg_tag" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf sed -i '/variable "use_marketplace_image" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/mp_variables.tf sed -i '/variable "tf_script_version" {/!b;n;n;n;cdefault = \"'"$SCRIPTS_VERSION"'\"' ${TMP_BUILD}/variables.tf + sed -i '/variable "is_rms_private_endpoint_required" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf + sed -i '/variable "is_bastion_instance_required" {/!b;n;n;n;cdefault = true' ${TMP_BUILD}/bastion_variables.tf } diff --git a/solutions/jrf/jrf_instance.tfvars b/solutions/jrf/jrf_instance.tfvars index 72f47213..86182e0d 100644 --- a/solutions/jrf/jrf_instance.tfvars +++ b/solutions/jrf/jrf_instance.tfvars @@ -26,7 +26,10 @@ wls_node_count = 2 wls_availability_domain_name = "" wls_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx" -### Bastion parameters to create new bastion instance +### Resource Manager Private Endpoint parameter +is_rms_private_endpoint_required = false + +### Bastion instance parameters is_bastion_instance_required = true bastion_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx" -bastion_instance_shape = "VM.Standard.E4.Flex" \ No newline at end of file +bastion_instance_shape = "VM.Standard.E4.Flex" diff --git a/terraform/bastion_variables.tf b/terraform/bastion_variables.tf index ffd760e7..2dd3c93e 100644 --- a/terraform/bastion_variables.tf +++ b/terraform/bastion_variables.tf @@ -4,7 +4,7 @@ variable "is_bastion_instance_required" { type = bool description = "Set to true to use a bastion, either new or existing. If existing_bastion_instance_id is blank, a new bastion will be created" - default = true + default = false } variable "existing_bastion_instance_id" { diff --git a/terraform/locals.tf b/terraform/locals.tf index 067d83eb..43e1bb71 100644 --- a/terraform/locals.tf 
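Review bot: The two new `sed` rules rely on `default` being exactly the third line after the matching `variable` header, so a reordered or re-documented variable block would make `c` rewrite the wrong line without any error; a post-check such as `grep -q 'default = true' "${TMP_BUILD}/bastion_variables.tf" || exit 1` would catch that. `${TMP_BUILD}` is unquoted in the new lines as in the existing ones; `"${TMP_BUILD}/variables.tf"` avoids word-splitting on a path with spaces. The build forces `default = true` for the bastion while the checked-in default becomes `false` in bastion_variables.tf, so the CLI and stack distributions now differ; a comment like `# CLI builds keep the bastion enabled by default; the Terraform source default is false` records the intent. `replace_variables` starts before the hunk.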
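Review bot: The description of `is_bastion_instance_required` still says `true` means a bastion and implies `false` means none, but main.tf now consumes `local.is_bastion_instance_required`, which (per the locals.tf hunk) forces a bastion whenever `wls_existing_vcn_id` or `wls_subnet_id` is empty regardless of this variable. With the default flipped to `false`, a user of an existing private subnet who leaves it unset gets no bastion and falls into the asynchronous provisioning path, while a user creating a new VCN gets a bastion even after explicitly setting `false`. Suggest amending the description: `"Set to true to use a bastion, either new or existing. A bastion is always created when the stack provisions the VCN or the WLS subnet. If existing_bastion_instance_id is blank, a new bastion will be created"`.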
+++ b/terraform/locals.tf @@ -84,7 +84,6 @@ locals { lb_subnet_1_name = var.is_lb_private ? "lbprist1" : "lbpubst1" lb_subnet_2_name = var.is_lb_private ? "lbprist2" : "lbpubst2" - lb_id = local.use_existing_lb ? var.existing_load_balancer_id : local.new_lb_id lb_ip = local.use_existing_lb ? local.existing_lb_ip : local.new_lb_ip @@ -105,7 +104,7 @@ locals { local.lb_ip, ) : "" - async_prov_mode = !local.assign_weblogic_public_ip && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : "" + async_prov_mode = !local.assign_weblogic_public_ip && !var.is_rms_private_endpoint_required && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : "" jdk_labels = { jdk7 = "JDK 7", jdk8 = "JDK 8", jdk11 = "JDK 11" } jdk_version = var.wls_version == "14.1.1.0" ? local.jdk_labels[var.wls_14c_jdk_version] : (var.wls_version == "11.1.1.7" ? local.jdk_labels["jdk7"] : local.jdk_labels["jdk8"]) 
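Review bot: `async_prov_mode` tests `var.is_rms_private_endpoint_required` and `var.is_bastion_instance_required`, but module "provisioners" in main.tf is wired to `local.is_rms_private_endpoint_required` and `local.is_bastion_instance_required`, and those locals can differ from the variables — the RMS local is false when `wls_subnet_id` is empty or the instances get public IPs, and the bastion local is forced true for a new VCN or subnet. The message can therefore announce asynchronous provisioning while `null_resource.status_check` is actually created (e.g. both variables false but a new VCN), or the reverse. Derive it from the same locals: `async_prov_mode = !local.assign_weblogic_public_ip && !local.is_rms_private_endpoint_required && !local.is_bastion_instance_required ? "…" : ""`.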
@@ -151,13 +150,11 @@ locals { use_apm_service = (var.use_apm_service || var.use_autoscaling) apm_domain_compartment_id = local.use_apm_service ? lookup(data.oci_apm_apm_domain.apm_domain[0], "compartment_id") : "" - - ocir_namespace = data.oci_objectstorage_namespace.object_namespace.namespace - ocir_namespace_with_slash = format("%s/",local.ocir_namespace) - ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash)) - ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}" + ocir_namespace_with_slash = format("%s/", local.ocir_namespace) + ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash)) + ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}" region_keys = data.oci_identity_regions.all_regions.regions.*.key region_names = data.oci_identity_regions.all_regions.regions.*.name @@ -180,4 +177,11 @@ locals { "instanceShape" = var.bastion_instance_shape, "ocpus" = 1 } + + is_bastion_instance_required = (var.is_bastion_instance_required && var.subnet_type != "Use Public Subnet") || var.wls_existing_vcn_id == "" || (var.wls_existing_vcn_id != "" && var.wls_subnet_id == "") ? true : false + + # Resource Manager Endpoint + is_rms_private_endpoint_required = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && !local.assign_weblogic_public_ip ? true : false + add_new_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false + add_existing_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false } 
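Review bot: `is_rms_private_endpoint_required` silently drops the user's request when `wls_existing_vcn_id` or `wls_subnet_id` is empty or `assign_weblogic_public_ip` is true, and `is_bastion_instance_required` silently forces a bastion with a public IP (the provisioners connect through `module.bastion[0].public_ip`) whenever a new VCN or WLS subnet is provisioned even if the variable is `false`; neither case produces a validator message now that `invalid_bastion_config` is removed in network_validators.tf. A user who enabled the private endpoint precisely to avoid a public SSH host can still end up with one. Suggest a why-comment on each local — `# A bastion is mandatory when the stack creates the VCN or WLS subnet; the user flag only matters for an existing private subnet` and `# The RMS endpoint is honoured only for an existing VCN and subnet with private WLS instances; otherwise provisioning falls back to bastion/async` — and ideally a validator that errors when `var.is_rms_private_endpoint_required` is true but the local evaluates false. The trailing `? true : false` on each line is redundant since the conditions are already booleans.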
diff --git a/terraform/main.tf b/terraform/main.tf index 95d60271..8a0bd348 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -72,7 +72,7 @@ module "network-vcn-config" { create_load_balancer = local.add_load_balancer resource_name_prefix = local.service_name_prefix bastion_subnet_cidr = local.bastion_subnet_cidr - is_bastion_instance_required = var.is_bastion_instance_required + is_bastion_instance_required = local.is_bastion_instance_required existing_bastion_instance_id = var.existing_bastion_instance_id vcn_cidr = var.wls_vcn_name == "" ? data.oci_core_vcn.wls_vcn[0].cidr_block : element(concat(module.network-vcn.*.vcn_cidr, tolist([""])), 0) existing_mt_subnet_id = var.mount_target_subnet_id @@ -116,7 +116,7 @@ module "network-lb-nsg" { module "network-bastion-nsg" { source = "./modules/network/nsg" - count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0 + count = local.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0 compartment_id = local.network_compartment_id vcn_id = local.vcn_id nsg_name = "${local.service_name_prefix}-bastion-nsg" 
@@ -190,13 +190,13 @@ module "network-lb-subnet-1" { /* Create back end subnet for bastion subnet */ module "network-bastion-subnet" { source = "./modules/network/subnet" - count = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && var.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0 + count = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && local.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0 compartment_id = local.network_compartment_id vcn_id = local.vcn_id dhcp_options_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].dhcp_options_id : "" route_table_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].route_table_id : "" subnet_name = "${local.service_name_prefix}-${var.bastion_subnet_name}" - dns_label = "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}" + dns_label = local.is_bastion_instance_required && local.is_rms_private_endpoint_required ? format("%s-%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7)) : "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}" cidr_block = local.bastion_subnet_cidr prohibit_public_ip = false 
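Review bot: The new deterministic `dns_label` branch is taken only when both the bastion and the RMS endpoint are enabled, and nothing explains why that combination needs a stable label while the other branch keeps `uuid()`, which yields a different value on every plan; add a why-comment such as `# With an RMS private endpoint the label must be stable across plans, so derive it from service_name instead of uuid()` — if that is indeed the reason, confirm. Also, `substr(strrev(var.service_name), 0, 7)` can begin with a digit and the result contains a hyphen; if the subnet module passes `dns_label` straight to the OCI subnet resource, check it against the DNS-label constraints (letters and digits only, starting with a letter, max 15 characters) or sanitize with `replace(...)`. The hyphenated form pre-exists in the `uuid()` branch, so it may already be handled downstream.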
@@ -223,28 +223,29 @@ module "policies" { defined_tags = local.defined_tags freeform_tags = local.free_form_tags } - atp_db = local.atp_db - oci_db = local.oci_db - vcn_id = element(concat(module.network-vcn[*].vcn_id, [""]), 0) - wls_existing_vcn_id = var.wls_existing_vcn_id - is_idcs_selected = var.is_idcs_selected - idcs_client_secret_id = var.idcs_client_secret_id - use_oci_logging = var.use_oci_logging - use_apm_service = local.use_apm_service - apm_domain_compartment_id = local.apm_domain_compartment_id - use_autoscaling = var.use_autoscaling - ocir_auth_token_id = var.ocir_auth_token_id - add_fss = var.add_fss - add_load_balancer = local.add_load_balancer - fss_compartment_id = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id - mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id -} + atp_db = local.atp_db + oci_db = local.oci_db + vcn_id = element(concat(module.network-vcn[*].vcn_id, [""]), 0) + wls_existing_vcn_id = var.wls_existing_vcn_id + is_idcs_selected = var.is_idcs_selected + idcs_client_secret_id = var.idcs_client_secret_id + use_oci_logging = var.use_oci_logging + use_apm_service = local.use_apm_service + apm_domain_compartment_id = local.apm_domain_compartment_id + use_autoscaling = var.use_autoscaling + ocir_auth_token_id = var.ocir_auth_token_id + add_fss = var.add_fss + add_load_balancer = local.add_load_balancer + fss_compartment_id = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id + mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id + is_rms_private_endpoint_required = local.is_rms_private_endpoint_required +} module "bastion" { #depends_on = [module.network-validation] source = "./modules/compute/bastion" - count = (!local.assign_weblogic_public_ip && var.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 
1 : 0 + count = (!local.assign_weblogic_public_ip && local.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0 availability_domain = local.bastion_availability_domain bastion_subnet_id = var.bastion_subnet_id != "" ? var.bastion_subnet_id : module.network-bastion-subnet[0].subnet_id @@ -349,7 +350,7 @@ module "vcn-peering" { module "validators" { #depends_on = [module.network-validation] - source = "./modules/validators" + source = "./modules/validators" compartment_id = var.compartment_ocid service_name = var.service_name wls_ms_port = var.wls_ms_extern_port @@ -394,7 +395,7 @@ module "validators" { lb_subnet_1_cidr = var.lb_subnet_1_cidr bastion_subnet_cidr = local.bastion_subnet_cidr assign_public_ip = local.assign_weblogic_public_ip - is_bastion_instance_required = var.is_bastion_instance_required + is_bastion_instance_required = local.is_bastion_instance_required existing_bastion_instance_id = var.existing_bastion_instance_id bastion_ssh_private_key = var.bastion_ssh_private_key @@ -468,8 +469,8 @@ module "validators" { module "fss" { #depends_on = [module.network-validation] - source = "./modules/fss" - count = var.add_fss ? 1 : 0 + source = "./modules/fss" + count = var.add_fss ? 1 : 0 compartment_id = var.compartment_ocid availability_domain = local.fss_availability_domain @@ -491,8 +492,8 @@ module "fss" { module "load-balancer" { #depends_on = [module.network-validation] - source = "./modules/lb/loadbalancer" - count = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0 + source = "./modules/lb/loadbalancer" + count = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0 compartment_id = local.network_compartment_id lb_reserved_public_ip_id = compact([var.lb_reserved_public_ip_id]) 
@@ -510,10 +511,26 @@ module "load-balancer" { } } +module "rms-private-endpoint" { + source = "./modules/rms-private-endpoint" + count = local.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint ? 1 : 0 + + vcn_id = local.vcn_id + compartment_id = local.network_compartment_id + private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) + private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0) + resource_name_prefix = var.service_name + + tags = { + defined_tags = local.defined_tags + freeform_tags = local.free_form_tags + } +} + module "observability-common" { #depends_on = [module.network-validation] - source = "./modules/observability/common" - count = var.use_oci_logging ? 1 : 0 + source = "./modules/observability/common" + count = var.use_oci_logging ? 1 : 0 compartment_id = var.compartment_ocid service_prefix_name = local.service_name_prefix @@ -522,8 +539,8 @@ module "observability-common" { module "observability-autoscaling" { #depends_on = [module.network-validation] - source = "./modules/observability/autoscaling" - count = var.use_autoscaling ? 1 : 0 + source = "./modules/observability/autoscaling" + count = var.use_autoscaling ? 1 : 0 compartment_id = var.compartment_ocid metric_compartment_id = local.apm_domain_compartment_id @@ -608,7 +625,7 @@ module "compute" { deploy_sample_app = local.deploy_sample_app - is_bastion_instance_required = var.is_bastion_instance_required + is_bastion_instance_required = local.is_bastion_instance_required is_idcs_selected = var.is_idcs_selected idcs_host = var.idcs_host 
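Review bot: `private_endpoint_nsg_id` leaves the endpoint without any NSG whenever `add_existing_nsg` is false (the `[]` branch), so the RMS endpoint — the path the provisioners use to SSH into the WLS instances — is then governed only by the subnet's security list; consider a dedicated NSG admitting only the endpoint-to-WLS port 22 flow, or at least document the fallback with `# No NSG: the endpoint relies on the subnet security list`. The `element(module.network-compute-admin-nsg[*].nsg_id, 0)` branch is unreachable because `local.is_rms_private_endpoint_required` already requires `var.wls_subnet_id != ""`, and if `nsg_id` is a string it also has a different type from the list in the true branch, which Terraform rejects in a conditional; `[element(...)]` or dropping the branch fixes both. `count` can simply be `local.add_new_rms_private_endpoint ? 1 : 0`, which already includes `local.is_rms_private_endpoint_required`. `resource_name_prefix = var.service_name` also differs from the `local.service_name_prefix` the other modules use for naming.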
@@ -683,8 +700,8 @@ module "compute" { module "load-balancer-backends" { #depends_on = [module.network-validation] - source = "./modules/lb/backends" - count = local.add_load_balancer ? 1 : 0 + source = "./modules/lb/backends" + count = local.add_load_balancer ? 1 : 0 resource_name_prefix = local.service_name_prefix load_balancer_id = local.add_load_balancer ? (var.existing_load_balancer_id != "" ? var.existing_load_balancer_id : element(coalescelist(module.load-balancer[*].wls_loadbalancer_id, [""]), 0)) : "" @@ -698,8 +715,8 @@ module "load-balancer-backends" { module "observability-logging" { #depends_on = [module.network-validation] - source = "./modules/observability/logging" - count = var.use_oci_logging ? 1 : 0 + source = "./modules/observability/logging" + count = var.use_oci_logging ? 1 : 0 compartment_id = var.compartment_ocid oci_managed_instances_principal_group = element(concat(module.policies[*].oci_managed_instances_principal_group, [""]), 0) 
@@ -716,16 +733,18 @@ module "observability-logging" { module "provisioners" { #depends_on = [module.network-validation] - source = "./modules/provisioners" - - existing_bastion_instance_id = var.existing_bastion_instance_id - host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""]) - num_vm_instances = var.wls_node_count - ssh_private_key = module.compute.ssh_private_key_opc - assign_public_ip = local.assign_weblogic_public_ip - bastion_host = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip - bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) - is_bastion_instance_required = var.is_bastion_instance_required + source = "./modules/provisioners" + + existing_bastion_instance_id = var.existing_bastion_instance_id + host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""]) + num_vm_instances = var.wls_node_count + ssh_private_key = module.compute.ssh_private_key_opc + is_rms_private_endpoint_required = local.is_rms_private_endpoint_required + rms_private_endpoint_id = local.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" + assign_public_ip = local.assign_weblogic_public_ip + bastion_host = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip + bastion_host_private_key = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? 
"" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) + is_bastion_instance_required = local.is_bastion_instance_required mode = var.mode wlsoci_vmscripts_zip_bundle_path = var.wlsoci_vmscripts_zip_bundle_path diff --git a/terraform/modules/policies/locals.tf b/terraform/modules/policies/locals.tf index 82232519..f30cad62 100644 --- a/terraform/modules/policies/locals.tf +++ b/terraform/modules/policies/locals.tf @@ -35,7 +35,6 @@ locals { apm_domain_policy_statement = var.use_apm_service ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use apm-domains in compartment id ${var.apm_domain_compartment_id}" : "" # This policy with "use load_balancer" verb is needed to create load balancer for new vcn lb_policy_statement = var.add_load_balancer ? length(oci_identity_dynamic_group.wlsc_instance_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use load-balancers in compartment id ${var.network_compartment_id}" : "" : "" - service_statements = compact([local.core_policy_statement1, local.core_policy_statement2, local.core_policy_statement3, local.network_policy_statement1, local.secrets_policy_statement1, local.secrets_policy_statement2, local.atp_policy_statement1, local.atp_policy_statement2, local.atp_policy_statement3, local.oci_db_policy_statement1, local.oci_db_policy_statement2, local.oci_db_policy_statement3, local.logging_policy, local.apm_domain_policy_statement, local.lb_policy_statement 
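Review bot: `rms_private_endpoint_id` falls through to `var.rms_existing_private_endpoint_id` whenever `add_rms_private_endpoint` is not `"Create New Resource Manager Endpoint"`, including when it is neither recognised string, and none of the validators module hunks checks that the existing-endpoint OCID is non-empty; the provisioners module then hands it to `data.oci_resourcemanager_private_endpoint_reachable_ip`. Either select explicitly — `local.add_existing_rms_private_endpoint ? var.rms_existing_private_endpoint_id : ""` — or add a validator in the existing `WLSC-ERROR:` style, e.g. `invalid_rms_endpoint = local.add_existing_rms_private_endpoint && var.rms_existing_private_endpoint_id == ""`. The bastion host and key are still passed even when the RMS endpoint is active and are only blanked inside the provisioners module, which is worth a one-line comment here. The module block continues past the hunk.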
@@ -76,6 +75,7 @@ locals { autoscaling_statement25 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect dynamic-groups in tenancy" : "" : "" autoscaling_statement26 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage policies in tenancy" : "" : "" autoscaling_statement27 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to use tag-namespaces in tenancy" : "" : "" + autoscaling_statement28 = var.use_autoscaling && var.network_compartment_id != var.compartment_id && var.is_rms_private_endpoint_required ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage orm-family in compartment id ${var.network_compartment_id}" : "" : "" autoscaling_atp_policy_statement = (var.atp_db.is_atp && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect autonomous-transaction-processing-family in compartment id ${var.atp_db.compartment_id}" : "" : "" autoscaling_db_policy_statement = (local.is_oci_db && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect database-family in compartment id ${var.oci_db.compartment_id}" : "" : "" autoscaling_fss_mount_target_policy_statement = (var.add_fss && var.use_autoscaling) ? 
length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage mount-targets in compartment id ${var.mount_target_compartment_id}" : "" : "" @@ -96,7 +96,7 @@ locals { local.autoscaling_statement18, local.autoscaling_statement19, local.autoscaling_statement20, local.autoscaling_statement21, local.autoscaling_statement22, local.autoscaling_statement23, local.autoscaling_statement24, local.autoscaling_statement25, local.autoscaling_statement26, - local.autoscaling_statement27, + local.autoscaling_statement27, local.autoscaling_statement28, local.autoscaling_logging_policy_1, local.autoscaling_logging_policy_2, local.autoscaling_logging_policy_3, local.autoscaling_atp_policy_statement, local.autoscaling_db_policy_statement, diff --git a/terraform/modules/policies/variables.tf b/terraform/modules/policies/variables.tf index 1f88a114..f9101e6d 100644 --- a/terraform/modules/policies/variables.tf +++ b/terraform/modules/policies/variables.tf @@ -187,3 +187,8 @@ variable "add_load_balancer" { description = "If this variable is true and existing_load_balancer is blank, a new load balancer will be created for the stack. If existing_load_balancer_id is not blank, the specified load balancer will be used" default = false } + +variable "is_rms_private_endpoint_required" { + type = bool + description = "Set resource manager private endpoint" +} diff --git a/terraform/modules/provisioners/data_sources.tf b/terraform/modules/provisioners/data_sources.tf new file mode 100644 index 00000000..a27592b6 --- /dev/null +++ b/terraform/modules/provisioners/data_sources.tf 
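Review bot: `autoscaling_statement28` grants the functions dynamic group `manage orm-family` over the entire network compartment, which covers every Resource Manager stack, job and endpoint there, not just the private endpoint this change introduces — far more than a principal that needs to reach through one endpoint should hold. Scope it to the specific resource type and the least verb that works (the exact resource-type name and verb for RMS private endpoints should be confirmed against the OCI policy reference), and add a why-comment such as `# Functions in the stack compartment need the RMS private endpoint that lives in the network compartment`. The statement is emitted only when `network_compartment_id != compartment_id`; if the same-compartment case is already covered by another statement, say so in the comment, otherwise it is a gap.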
@@ -0,0 +1,10 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + + +// Resolves the private IP of the customer's private endpoint to a NAT IP. Used as the host address in the "remote-exec" resource +data "oci_resourcemanager_private_endpoint_reachable_ip" "private_endpoint_reachable_ips" { + count = var.is_rms_private_endpoint_required ? var.num_vm_instances : 0 + private_endpoint_id = var.rms_private_endpoint_id + private_ip = var.host_ips[count.index] +} diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index 8200eb0e..79a3c8f7 100644 --- a/terraform/modules/provisioners/provisioning.tf +++ b/terraform/modules/provisioners/provisioning.tf @@ -2,20 +2,20 @@ # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. resource "null_resource" "status_check" { - count = var.is_bastion_instance_required ? var.num_vm_instances : 0 + count = var.is_bastion_instance_required || var.is_rms_private_endpoint_required ? var.num_vm_instances : 0 depends_on = [null_resource.dev_mode_provisioning] // Connection setup for all WLS instances connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here. 
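Review bot: The same `host`/`bastion_private_key`/`bastion_host` selection is now copied into three `connection` blocks (`status_check`, `print_service_info`, `cleanup`), so any future change to how the RMS path is chosen must be made three times. Compute the values once in a `locals` block — `conn_hosts = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[*].ip_address : var.host_ips`, `conn_bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host`, `conn_bastion_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key` — and reference them in each block. A comment on the connection should also state that when both the bastion and the RMS endpoint are enabled the endpoint wins and the bastion is bypassed, since main.tf still provisions the bastion in that case. `null_resource.status_check` continues past the hunk.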
@@ -121,20 +121,20 @@ resource "null_resource" "status_check" { } resource "null_resource" "print_service_info" { - count = var.is_bastion_instance_required ? var.num_vm_instances : 0 + count = var.is_bastion_instance_required || var.is_rms_private_endpoint_required ? var.num_vm_instances : 0 depends_on = [null_resource.status_check] // Connection setup for all WLS instances connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } provisioner "remote-exec" { @@ -146,7 +146,7 @@ resource "null_resource" "print_service_info" { } resource "null_resource" "cleanup" { - count = var.is_bastion_instance_required ? var.num_vm_instances : 0 + count = var.is_bastion_instance_required || var.is_rms_private_endpoint_required ? var.num_vm_instances : 0 depends_on = [null_resource.print_service_info] 
@@ -154,13 +154,13 @@ resource "null_resource" "cleanup" { connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } provisioner "remote-exec" { @@ -171,7 +171,7 @@ resource "null_resource" "cleanup" { } resource "null_resource" "cleanup_bastion" { - count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !var.assign_public_ip ? 1 : 0 + count = var.is_bastion_instance_required && !var.is_rms_private_endpoint_required && var.existing_bastion_instance_id == "" && !var.assign_public_ip ? 1 : 0 depends_on = [null_resource.cleanup] // Connection setup for all WLS instances diff --git a/terraform/modules/provisioners/variables.tf b/terraform/modules/provisioners/variables.tf index ae35a3f6..004538ab 100644 --- a/terraform/modules/provisioners/variables.tf +++ b/terraform/modules/provisioners/variables.tf @@ -16,6 +16,16 @@ variable "num_vm_instances" { description = "The number of compute instances that are available" } +variable "rms_private_endpoint_id" { + type = string + description = "The OCID of the resource manager private endpoint" +} + +variable "is_rms_private_endpoint_required" { + type = bool + description = "Set resource manager private endpoint" +} + variable "mode" { type = string description = "Select mode for development(DEV) or production(PROD). In development mode, local VM scripts zip is seeded on WLS VMs " 
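Review bot: `cleanup_bastion` is now skipped whenever `is_rms_private_endpoint_required` is true, yet the bastion itself is still created under those conditions (module "bastion" in main.tf keys only on `local.is_bastion_instance_required`), so for a stack with both flags set whatever `cleanup_bastion` does — its body is outside the hunk — is no longer applied to that bastion. If the skip is deliberate, a why-comment such as `# Skipped when provisioning goes through the RMS private endpoint; the bastion was not used for provisioning` makes it explicit; if the clean-up presumably hardens the bastion after provisioning, it should instead run whenever a bastion exists. The resource body continues outside the hunk.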
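Review bot: `rms_private_endpoint_id` accepts any string, including the empty string main.tf passes when the endpoint is not required, and `is_rms_private_endpoint_required` is described only as `"Set resource manager private endpoint"`, which does not say what the module does with it. Tighten the descriptions — `"OCID of the Resource Manager private endpoint used to resolve a reachable IP for each WLS instance; empty when is_rms_private_endpoint_required is false"` and `"When true, provisioners connect through the Resource Manager private endpoint instead of the bastion"` — and consider `default = ""` on `rms_private_endpoint_id` so callers that do not use the endpoint need not pass it. Dropping `default = true` from `is_bastion_instance_required` is a good change: the module now fails loudly if a caller forgets to pass it.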
@@ -48,7 +58,6 @@ variable "assign_public_ip" { variable "is_bastion_instance_required" { type = bool description = "Whether bastion instance is required to connect to the compute instance" - default = true } variable "existing_bastion_instance_id" { diff --git a/terraform/modules/rms-private-endpoint/outputs.tf b/terraform/modules/rms-private-endpoint/outputs.tf new file mode 100644 index 00000000..9716b01b --- /dev/null +++ b/terraform/modules/rms-private-endpoint/outputs.tf @@ -0,0 +1,7 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + +output "rms_private_endpoint_id" { + value = oci_resourcemanager_private_endpoint.rms_private_endpoint.id + description = "The OCID of the resource manager private endpoint" +} diff --git a/terraform/modules/rms-private-endpoint/rms_end_point.tf b/terraform/modules/rms-private-endpoint/rms_end_point.tf new file mode 100644 index 00000000..bc6b8e33 --- /dev/null +++ b/terraform/modules/rms-private-endpoint/rms_end_point.tf @@ -0,0 +1,20 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + +resource "oci_resourcemanager_private_endpoint" "rms_private_endpoint" { + + vcn_id = var.vcn_id + compartment_id = var.compartment_id + subnet_id = var.private_endpoint_subnet_id + nsg_id_list = var.private_endpoint_nsg_id + + display_name = "${var.resource_name_prefix}-pvtEndpoint" + + defined_tags = var.tags.defined_tags + freeform_tags = var.tags.freeform_tags + + lifecycle { + ignore_changes = [defined_tags, freeform_tags] + } + +} diff --git a/terraform/modules/rms-private-endpoint/variables.tf b/terraform/modules/rms-private-endpoint/variables.tf new file mode 100644 index 00000000..1af76933 --- /dev/null +++ b/terraform/modules/rms-private-endpoint/variables.tf 
@@ -0,0 +1,44 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + +variable "compartment_id" { + type = string + description = "The OCID of the compartment where the file system exists" + validation { + condition = length(regexall("^ocid1.compartment.*$", var.compartment_id)) > 0 + error_message = "WLSC-ERROR: The value for compartment_id should start with \"ocid1.compartment.\"." + } +} + +variable "vcn_id" { + type = string + description = "The OCID of the VCN where the rms private endpoint will be created" +} + +variable "private_endpoint_subnet_id" { + type = string + description = "The OCID of the subnet where the rms private endpoint exists" +} + +variable "private_endpoint_nsg_id" { + type = list(any) + description = "The list of NSG OCIDs associated with the rms private endpoint" + default = [] +} + +variable "tags" { + type = object({ + defined_tags = map(any), + freeform_tags = map(any), + }) + description = "Defined tags and freeform tags to be added to the rms endpoint resources" + default = { + defined_tags = {}, + freeform_tags = {}, + } +} + +variable "resource_name_prefix" { + type = string + description = "Prefix which will be used to create rms private endpoint resources" +} diff --git a/terraform/modules/rms-private-endpoint/versions.tf b/terraform/modules/rms-private-endpoint/versions.tf new file mode 100644 index 00000000..779e92ea --- /dev/null +++ b/terraform/modules/rms-private-endpoint/versions.tf @@ -0,0 +1,10 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + +terraform { + required_providers { + oci = { + source = "oracle/oci" + } + } +} diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf index 86af8e32..0381c69f 100644 
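Review bot: The `compartment_id` description reads `"The OCID of the compartment where the file system exists"`, copied from another module; it should say `"The OCID of the compartment where the Resource Manager private endpoint will be created"`. `vcn_id` and `private_endpoint_subnet_id` carry no OCID-prefix validation although `compartment_id` does; mirroring it with `regexall("^ocid1.vcn.*$", var.vcn_id)` and `regexall("^ocid1.subnet.*$", var.private_endpoint_subnet_id)` keeps the module consistent. `private_endpoint_nsg_id` is typed `list(any)` and named in the singular while holding a list; `list(string)` documents the contract better, and a plural name would too, though renaming requires updating main.tf.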
--- a/terraform/modules/validators/network_validators.tf +++ b/terraform/modules/validators/network_validators.tf @@ -36,7 +36,6 @@ locals { missing_vcn_id = (var.existing_vcn_id == "" && (local.has_wls_subnet_id || local.has_lb_backend_subnet_id || local.has_lb_frontend_subnet_id)) missing_private_subnet_vcn_id = (var.is_bastion_instance_required && (var.bastion_subnet_id != "" || var.existing_bastion_instance_id != "") && var.existing_vcn_id == "") - #existing subnets # If load balancer selected, check LB and WLS have existing subnet IDs specified else, if load balancer is not selected, check if WLS is using existing subnet id has_all_existing_subnets = (local.add_new_load_balancer && local.has_wls_subnet_id && local.has_lb_backend_subnet_id && local.has_lb_frontend_subnet_id) || (!local.add_new_load_balancer && local.has_wls_subnet_id) @@ -69,10 +68,6 @@ locals { bastion_ssh_key_file = var.bastion_ssh_private_key == "" ? "missing.txt" : var.bastion_ssh_private_key invalid_bastion_private_key = (local.is_existing_bastion_condition && (var.bastion_ssh_private_key == "" || !fileexists(local.bastion_ssh_key_file))) - invalid_bastion_config = (var.existing_vcn_id == "" || (local.has_existing_vcn && var.wls_subnet_id == "")) ? local.is_bastion_turned_off : false - invalid_bastion_config_msg = "WLSC-ERROR: Provisioning in private subnet without bastion instance has to be limited for VCN with existing subnets." - validate_bastion_config = (local.invalid_bastion_config) ? local.validators_msg_map[local.invalid_bastion_config_msg] : null - invalid_lb_type = var.is_lb_private && var.assign_public_ip # VCN peering diff --git a/terraform/modules/validators/stack_validators.tf b/terraform/modules/validators/stack_validators.tf index e416f38e..3f09da5c 100644 --- a/terraform/modules/validators/stack_validators.tf +++ b/terraform/modules/validators/stack_validators.tf 
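Review bot: Removing `invalid_bastion_config` leaves no validator for the new RMS endpoint inputs: a stack that sets `is_rms_private_endpoint_required` together with a public WLS subnet, a new VCN, or an empty `wls_subnet_id` is silently evaluated to `false` in locals.tf, and an empty `rms_existing_private_endpoint_id` under `"Use Existing Resource Manager Endpoint"` is never checked. Add something like `invalid_rms_endpoint_config = var.is_rms_private_endpoint_required && (var.assign_public_ip || var.existing_vcn_id == "" || var.wls_subnet_id == "")` with a `WLSC-ERROR:` message in the existing `validators_msg_map` style, so the user learns the endpoint was not honoured instead of discovering a bastion or asynchronous provisioning after apply. The validators module would need the new variables passed in from main.tf, which the module "validators" hunk does not yet do.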
@@ -14,7 +14,7 @@ data "oci_resourcemanager_stacks" "all_stacks_in_the_compartment" { locals { stack_list = data.oci_resourcemanager_stacks.all_stacks_in_the_compartment.stacks num_stacks = length(local.stack_list) - stack_ids = [for stack in local.stack_list : { id = stack.id }] + stack_ids = [for stack in local.stack_list : { id = stack.id }] } # get details of each stack from the list of stack_ids 
@@ -25,11 +25,11 @@ data "oci_resourcemanager_stack" "all_stacks" { } locals { - stack_variables = [for stack in data.oci_resourcemanager_stack.all_stacks : { variables = stack.variables }] + stack_variables = [for stack in data.oci_resourcemanager_stack.all_stacks : { variables = stack.variables }] service_names_used_by_existing_stacks = [for stack_variables in local.stack_variables : lookup(stack_variables.variables, "service_name", "?_not_found_?")] - duplicate_service_names_list = [for service_name in local.service_names_used_by_existing_stacks : service_name if service_name == var.service_name] + duplicate_service_names_list = [for service_name in local.service_names_used_by_existing_stacks : service_name if service_name == var.service_name] # There will be always one entry for the name of the current stack. Set duplicate to true if there are more than one entries. - service_name_already_exists = length(local.duplicate_service_names_list) > 1 ? true : false - service_name_already_exists_msg = "WLSC-ERROR: Another stack with the service_name [${var.service_name}] already exisits in the stack compartment. Try again with a different service name." + service_name_already_exists = length(local.duplicate_service_names_list) > 1 ? true : false + service_name_already_exists_msg = "WLSC-ERROR: Another stack with the service_name [${var.service_name}] already exisits in the stack compartment. Try again with a different service name." validate_service_name_is_not_already_used = local.service_name_already_exists ? local.validators_msg_map[local.service_name_already_exists_msg] : null } diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 5d6c954b..48908a34 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf 
@@ -86,6 +86,10 @@ output "jdk_version" { value = local.jdk_version } +output "rms_private_endpoint_id" { + value = var.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" +} + output "weblogic_agent_configuration_id" { value = element(concat(module.observability-logging[*].agent_config_id, [""]), 0) } diff --git a/terraform/schema.yaml b/terraform/schema.yaml index 913c293f..05d40b72 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml @@ -12,6 +12,7 @@ groupings: - ${ssh_public_key} - ${create_policies} - ${create_new_vcn} + - ${is_rms_private_endpoint_required} - ${is_bastion_instance_required} - ${add_load_balancer} - ${is_idcs_selected} @@ -90,6 +91,11 @@ groupings: - ${existing_admin_server_nsg_id} - ${existing_managed_server_nsg_id} + - title: "Resource Manager Private Endpoint" + variables: + - ${add_rms_private_endpoint} + - ${rms_existing_private_endpoint_id} + - title: "Bastion Instance" variables: - ${is_bastion_with_reserved_public_ip} @@ -266,6 +272,9 @@ outputs: jdk_version: type: link title: JDK Version + rms_private_endpoint_id: + type: ocid + title: Resource Manager Private Endpoint bastion_instance_id: type: ocid title: Instance Id @@ -320,6 +329,7 @@ outputGroups: - ${weblogic_version} - ${weblogic_instances} - ${jdk_version} + - ${rms_private_endpoint_id} - title: Networking outputs: - ${virtual_cloud_network_id} 
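Review bot: The new `rms_private_endpoint_id` output nests two conditional operators with no parentheses, so the reader has to work out that `: ""` belongs to the outer `is_rms_private_endpoint_required` test and not the inner one. Parenthesising the inner conditional makes the intent explicit: `value = var.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id) : ""`. The inner condition also references `local.add_new_rms_private_endpoint`, which no hunk visible here defines; please confirm it is added in `locals.tf` in this same change, otherwise the output will fail validation.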
@@ -935,10 +945,66 @@ variables: - ${subnet_type} - "Use Public Subnet" type: boolean - default: true + default: false title: "Provision Bastion Instance" - description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If this and resource manager private endpoint are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." + + is_rms_private_endpoint_required: + visible: + and: + - ${orm_create_mode} + - and: + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - not: + - eq: + - ${subnet_type} + - "Use Public Subnet" + type: boolean + default: true + title: "Use Resource Manager Private Endpoint" + description: "Provision a resource manager private endpoint on a private subnet to check the provisioning status of the private resources. If this and bastion are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." + + add_rms_private_endpoint: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + type: enum + enum: + - "Use Existing Resource Manager Endpoint" + - "Create New Resource Manager Endpoint" + default: "Use Existing Resource Manager Endpoint" + title: "Create or Use Existing Resource Manager Endpoint" + description: "Configure a new or existing resource manager private endpoint." 
+ required: true + rms_existing_private_endpoint_id: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - eq: + - ${add_rms_private_endpoint} + - "Use Existing Resource Manager Endpoint" + dependsOn: + compartmentId: ${network_compartment_id} + vcnId: ${wls_existing_vcn_id} + type: oci:resourcemanager:privateendpoint:id + required: true + title: "Resource Manager Private Endpoint" + description: "Resource manager private endpoint for private access." + is_bastion_with_reserved_public_ip: visible: and: @@ -1102,6 +1168,7 @@ variables: compartmentId: ${network_compartment_id} vcnId: ${wls_existing_vcn_id} + # Load Balancer Configuration add_load_balancer: type: boolean diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index 08db092d..85723255 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml @@ -12,6 +12,7 @@ groupings: - ${ssh_public_key} - ${create_policies} - ${create_new_vcn} + - ${is_rms_private_endpoint_required} - ${is_bastion_instance_required} - ${add_load_balancer} - ${is_idcs_selected} @@ -63,6 +64,11 @@ groupings: - ${existing_admin_server_nsg_id} - ${existing_managed_server_nsg_id} + - title: "Resource Manager Private Endpoint" + variables: + - ${add_rms_private_endpoint} + - ${rms_existing_private_endpoint_id} + - title: "Bastion Instance" variables: - ${is_bastion_with_reserved_public_ip} @@ -264,6 +270,9 @@ outputs: jdk_version: type: link title: JDK Version + rms_private_endpoint_id: + type: ocid + title: Resource Manager Private Endpoint bastion_instance_id: type: ocid title: Instance Id @@ -318,6 +327,7 @@ outputGroups: - ${weblogic_version} - ${weblogic_instances} - ${jdk_version} + - ${rms_private_endpoint_id} - title: Networking outputs: - ${virtual_cloud_network_id} 
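Review bot: `add_rms_private_endpoint` and `rms_existing_private_endpoint_id` are shown whenever `is_rms_private_endpoint_required` is true and the VCN/subnets are existing, but unlike `is_rms_private_endpoint_required` their `visible` blocks never check that `subnet_type` is not "Use Public Subnet". Because `is_rms_private_endpoint_required` now defaults to `true`, a public-subnet deployment on existing subnets would hide the toggle yet still present the endpoint chooser and a `required: true` endpoint picker, and — if Resource Manager keeps the default of a hidden variable, as I believe it does — pass `is_rms_private_endpoint_required = true` to Terraform with an empty `rms_existing_private_endpoint_id`. Adding the same `subnet_type` guard to both `visible` blocks keeps the three controls consistent; the excerpt below shows the added condition, indentation inferred from the surrounding schema.

```yaml
  add_rms_private_endpoint:
    visible:
      and:
        - ${orm_create_mode}
        - ${is_rms_private_endpoint_required}
        - not:
          - ${create_new_subnets}
        - not:
          - ${create_new_vcn}
        - not:
          - eq:
            - ${subnet_type}
            - "Use Public Subnet"
    # … unchanged: type, enum, default, title, description, required …
  rms_existing_private_endpoint_id:
    visible:
      and:
        # … unchanged: orm_create_mode, is_rms_private_endpoint_required, create_new_* guards …
        - not:
          - eq:
            - ${subnet_type}
            - "Use Public Subnet"
        - eq:
          - ${add_rms_private_endpoint}
          - "Use Existing Resource Manager Endpoint"
    # … unchanged: dependsOn, type, required, title, description …
```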
@@ -944,9 +954,65 @@ variables: - ${subnet_type} - "Use Public Subnet" type: boolean - default: true + default: false title: "Provision Bastion Instance" - description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If this and resource manager private endpoint are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." + + is_rms_private_endpoint_required: + visible: + and: + - ${orm_create_mode} + - and: + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - not: + - eq: + - ${subnet_type} + - "Use Public Subnet" + type: boolean + default: true + title: "Use Resource Manager Private Endpoint" + description: "Provision a resource manager private endpoint on a private subnet to check the provisioning status of the private resources. If this and bastion are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." + + add_rms_private_endpoint: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + type: enum + enum: + - "Use Existing Resource Manager Endpoint" + - "Create New Resource Manager Endpoint" + default: "Use Existing Resource Manager Endpoint" + title: "Create or Use Existing Resource Manager Endpoint" + description: "Configure a new or existing resource manager private endpoint." 
+ required: true + + rms_existing_private_endpoint_id: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - eq: + - ${add_rms_private_endpoint} + - "Use Existing Resource Manager Endpoint" + dependsOn: + compartmentId: ${network_compartment_id} + vcnId: ${wls_existing_vcn_id} + type: oci:resourcemanager:privateendpoint:id + required: true + title: "Resource Manager Private Endpoint" + description: "Resource manager private endpoint for private access." is_bastion_with_reserved_public_ip: visible: diff --git a/terraform/variables.tf b/terraform/variables.tf index 7e8521cf..ca25b621 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -121,3 +121,20 @@ variable "tf_script_version" { default = "" } +variable "is_rms_private_endpoint_required" { + type = bool + description = "Set resource manager private endpoint. Default value is true" + default = true +} + +variable "add_rms_private_endpoint" { + type = string + description = "Add existing resource manager private endpoint" + default = "Use Existing Resource Manager Endpoint" +} + +variable "rms_existing_private_endpoint_id" { + type = string + description = "The OCID for the existing resource manager private endpoint" + default = "" +}
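Review bot: In `schema_14110.yaml` the description of `is_rms_private_endpoint_required` promises to "Provision a resource manager private endpoint on a private subnet", but the dependent `add_rms_private_endpoint` defaults to "Use Existing Resource Manager Endpoint", so a user who accepts the defaults is actually asked for an existing endpoint OCID rather than getting one provisioned. Reword the description so it matches the control flow, e.g. `description: "Use a resource manager private endpoint (new or existing, chosen below) on a private subnet to check the provisioning status of the private resources. If neither this nor a bastion is selected, you must check the status of domain creation on the compute instance using the /u01/logs/provisioning.log file, where any failures during domain creation are reported."` The same wording appears in the matching `schema.yaml` hunk and should be kept identical in both files.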
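Review bot: `add_rms_private_endpoint` is a free-form `string` whose only meaningful values are the two enum labels the schema offers, yet the variable has no `validation`, so a CLI or tfvars user who passes any other text gets silently treated as the non-"Create New" branch wherever the value is compared. A `contains()` validation fails fast with a clear message and documents the accepted values in the variable itself; the description should also say what the variable selects rather than "Add existing resource manager private endpoint". `rms_existing_private_endpoint_id` could similarly get the `^ocid1.` prefix check used elsewhere in this change, hedged on whether the file already validates other OCID inputs (its earlier part is not in this hunk).

```hcl
variable "add_rms_private_endpoint" {
  type        = string
  description = "Whether to create a new resource manager private endpoint or reuse an existing one"
  default     = "Use Existing Resource Manager Endpoint"
  validation {
    condition     = contains(["Use Existing Resource Manager Endpoint", "Create New Resource Manager Endpoint"], var.add_rms_private_endpoint)
    error_message = "WLSC-ERROR: add_rms_private_endpoint must be \"Use Existing Resource Manager Endpoint\" or \"Create New Resource Manager Endpoint\"."
  }
}
# … unchanged: is_rms_private_endpoint_required, rms_existing_private_endpoint_id …
```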