From 4f4e3020bc38e60623b040c5fb8d43b3abbec0bb Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Wed, 10 May 2023 11:19:44 -0700 Subject: [PATCH 01/24] New changes. --- terraform/data_sources.tf | 6 ++ terraform/main.tf | 95 ++++++------------- .../modules/network/vcn-config/variables.tf | 1 + terraform/modules/policies/locals.tf | 7 +- .../modules/provisioners/provisioning.tf | 54 ++--------- 5 files changed, 50 insertions(+), 113 deletions(-) diff --git a/terraform/data_sources.tf b/terraform/data_sources.tf index 713a2668..f13d4cf5 100644 --- a/terraform/data_sources.tf +++ b/terraform/data_sources.tf @@ -18,6 +18,12 @@ data "oci_core_instance" "existing_bastion_instance" { instance_id = var.existing_bastion_instance_id } +data "oci_core_instance" "private_endpoint_instance" { + count = var.existing_bastion_instance_id != "" ? 1 : 0 + + instance_id = var.existing_bastion_instance_id +} + data "oci_core_subnet" "wls_subnet" { count = var.wls_subnet_id == "" ? 0 : 1 subnet_id = var.wls_subnet_id diff --git a/terraform/main.tf b/terraform/main.tf index 6c366394..be3e0504 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -93,6 +93,7 @@ module "network-vcn-config" { mount_target_nsg_id = flatten(module.network-mount-target-nsg[*].nsg_id) admin_nsg_id = flatten(module.network-compute-admin-nsg[*].nsg_id) managed_nsg_id = flatten(module.network-compute-managed-nsg[*].nsg_id) + rms_private_endpoint_nsg_id = flatten(module.network-rms-private-endpoint-nsg[*].nsg_id) } tags = { 
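Review bot: The new `private_endpoint_instance` data source uses `var.existing_bastion_instance_id` in both its `count` and its `instance_id`, so it is an exact duplicate of `existing_bastion_instance` directly above it and never resolves a private-endpoint instance. If a different instance was meant, both `count` and `instance_id` should read that instance's variable; otherwise the block should be dropped rather than resolving the bastion OCID twice. Nothing else in this patch references `data.oci_core_instance.private_endpoint_instance`, which suggests it is leftover scaffolding.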
@@ -166,6 +167,19 @@ module "network-compute-managed-nsg" { } } +module "network-rms-private-endpoint-nsg" { + source = "./modules/network/nsg" + count = !local.use_existing_subnets && local.wls_subnet_cidr != "" ? 1 : 0 + compartment_id = local.network_compartment_id + vcn_id = local.vcn_id + nsg_name = "${local.service_name_prefix}-rms-private-endpoint-nsg" + + tags = { + defined_tags = local.defined_tags + freeform_tags = local.free_form_tags + } +} + /* Create primary subnet for Load balancer only */ module "network-lb-subnet-1" { source = "./modules/network/subnet" 
@@ -206,70 +220,6 @@ module "network-bastion-subnet" { } } -module "policies" { - #depends_on = [module.network-validation] - source = "./modules/policies" - count = var.create_policies ? 1 : 0 - compartment_id = var.compartment_ocid - network_compartment_id = local.network_compartment_id - dynamic_group_rule = local.dynamic_group_rule - resource_name_prefix = local.service_name_prefix - tenancy_id = var.tenancy_ocid - wls_admin_password_id = var.wls_admin_password_id - providers = { - oci = oci.home - } - tags = { - defined_tags = local.defined_tags - freeform_tags = local.free_form_tags - } - atp_db = local.atp_db - oci_db = local.oci_db - vcn_id = element(concat(module.network-vcn[*].vcn_id, [""]), 0) - wls_existing_vcn_id = var.wls_existing_vcn_id - is_idcs_selected = var.is_idcs_selected - idcs_client_secret_id = var.idcs_client_secret_id - use_oci_logging = var.use_oci_logging - use_apm_service = local.use_apm_service - apm_domain_compartment_id = local.apm_domain_compartment_id - use_autoscaling = var.use_autoscaling - ocir_auth_token_id = var.ocir_auth_token_id - add_fss = var.add_fss - add_load_balancer = local.add_load_balancer - fss_compartment_id = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id - mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id -} - - -module "bastion" { - #depends_on = [module.network-validation] - source = "./modules/compute/bastion" - count = (!local.assign_weblogic_public_ip && var.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0 - availability_domain = local.bastion_availability_domain - bastion_subnet_id = var.bastion_subnet_id != "" ? 
var.bastion_subnet_id : module.network-bastion-subnet[0].subnet_id - - compartment_id = var.compartment_ocid - instance_image_id = var.bastion_image_id - instance_shape = local.bastion_instance_shape - region = var.region - ssh_public_key = var.ssh_public_key - tenancy_id = var.tenancy_ocid - use_existing_subnet = var.bastion_subnet_id != "" - vm_count = var.wls_node_count - instance_name = "${local.service_name_prefix}-bastion-instance" - tags = { - defined_tags = local.defined_tags - freeform_tags = local.free_form_tags - } - is_bastion_with_reserved_public_ip = var.is_bastion_with_reserved_public_ip - bastion_nsg_id = var.bastion_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_bastion_nsg_id] : []) : flatten(module.network-bastion-nsg[*].nsg_id) - - use_bastion_marketplace_image = var.use_bastion_marketplace_image - mp_listing_id = var.bastion_listing_id - mp_listing_resource_version = var.bastion_listing_resource_version -} - - /* Create back end private subnet for wls */ module "network-wls-private-subnet" { source = "./modules/network/subnet" 
@@ -510,6 +460,22 @@ module "load-balancer" { } } +module "rms-private-endpoint" { + source = "./modules/rms-private-endpoint" + count = !local.use_existing_subnets && local.wls_subnet_cidr != "" ? 1 : 0 + + vcn_id = local.vcn_id + compartment_id = var.compartment_ocid + private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : local.assign_weblogic_public_ip ? element(concat(module.network-wls-public-subnet[*].subnet_id, [""]), 0) : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) + private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_private_endpoint_nsg_id] : []) : element(module.network-rms-private-endpoint-nsg[*].nsg_id, 0) + resource_name_prefix = var.service_name + + tags = { + defined_tags = local.defined_tags + freeform_tags = local.free_form_tags + } +} + module "observability-common" { #depends_on = [module.network-validation] source = "./modules/observability/common" @@ -723,7 +689,6 @@ module "provisioners" { num_vm_instances = var.wls_node_count ssh_private_key = module.compute.ssh_private_key_opc assign_public_ip = local.assign_weblogic_public_ip - bastion_host = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) is_bastion_instance_required = var.is_bastion_instance_required diff --git a/terraform/modules/network/vcn-config/variables.tf b/terraform/modules/network/vcn-config/variables.tf index 36389fe5..05b93f26 100644 --- a/terraform/modules/network/vcn-config/variables.tf +++ b/terraform/modules/network/vcn-config/variables.tf 
@@ -191,6 +191,7 @@ variable "nsg_ids" { mount_target_nsg_id = "" admin_nsg_id = "" managed_nsg_id = "" + rms_private_endpoint_nsg_id = "" } } diff --git a/terraform/modules/policies/locals.tf b/terraform/modules/policies/locals.tf index 82232519..3204df56 100644 --- a/terraform/modules/policies/locals.tf +++ b/terraform/modules/policies/locals.tf @@ -41,6 +41,11 @@ locals { local.apm_domain_policy_statement, local.lb_policy_statement ]) + #rms private endpoint policies + rms_private_endpoint_statement1 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage orm-private-endpoints in tenancy + rms_private_endpoint_statement2 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use virtual-network-family in tenancy where any request.operation={'CreatePrivateEndpoint'}" + rms_policy_statements = compact([local.rms_private_endpoint_statement1, local.rms_private_endpoint_statement2]) + cloning_policy_statement1 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read orm-stacks in compartment id ${var.compartment_id}" cloning_policy_statement2 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to inspect compartments in tenancy" cloning_policy_statement = compact([local.cloning_policy_statement1, local.cloning_policy_statement2]) @@ -106,7 +111,7 @@ locals { ]) #TODO: When other categories with more statements are added here, concat them with service_statements - policy_statements = concat(local.service_statements, local.cloning_policy_statement, local.autoscaling_statements) + policy_statements = concat(local.service_statements, local.cloning_policy_statement, local.autoscaling_statements, local.rms_policy_statements) reserved_ips_info = var.compartment_id == "" ? [{ id = var.resource_name_prefix }] : [] 
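Review bot: `rms_private_endpoint_statement1` has no closing double quote, so the string literal runs into the following line and `terraform validate` will reject `locals.tf`. Beyond the syntax, both new statements grant the instance dynamic group `manage orm-private-endpoints in tenancy` and `use virtual-network-family in tenancy`, which is far broader than the neighbouring statements that scope to `compartment id ${var.compartment_id}` or `${var.network_compartment_id}`; scoping them the same way, e.g. `"Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage orm-private-endpoints in compartment id ${var.compartment_id}"`, keeps the WLS instance principals from touching endpoints and VCNs elsewhere in the tenancy. The condition `where any request.operation={'CreatePrivateEndpoint'}` also does not look like OCI's `where any {request.operation = '...'}` form, so it is worth checking against the policy syntax before relying on it. Patch 03 in this series removes these statements again, so the scoping question applies wherever they are reintroduced.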
diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index 8200eb0e..c299becc 100644 --- a/terraform/modules/provisioners/provisioning.tf +++ b/terraform/modules/provisioners/provisioning.tf @@ -2,20 +2,16 @@ # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. resource "null_resource" "status_check" { - count = var.is_bastion_instance_required ? var.num_vm_instances : 0 + count = var.num_vm_instances depends_on = [null_resource.dev_mode_provisioning] // Connection setup for all WLS instances connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_bastion_instance_required ? var.host_ips[count.index] : data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips[count.index].ip_address user = "opc" private_key = var.ssh_private_key - - bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host } // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here. @@ -92,6 +88,7 @@ resource "null_resource" "status_check" { provisioner "remote-exec" { inline = [ + "sudo su - oracle -c 'python3 /opt/scripts/check_provisioning_status.py'", ] } 
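Review bot: The new `host` expression still selects `var.host_ips[count.index]` when `is_bastion_instance_required` is true, but the `bastion_user`/`bastion_private_key`/`bastion_host` lines that made that path reachable are removed in the same hunk, so a private-subnet deployment that asks for a bastion will now try to SSH straight to an address the Resource Manager runner cannot reach. The same removal happens in the `print_service_info` and `cleanup` hunks that follow. The fallback `data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips` is not declared anywhere in this patch; unless it exists in a file outside the diff, the module will not plan. The `check_provisioning_status.py` line added in the later hunk is reverted by the next patch, so it may be noise here. The body of `status_check` continues past this hunk.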
@@ -121,20 +118,16 @@ resource "null_resource" "status_check" { } resource "null_resource" "print_service_info" { - count = var.is_bastion_instance_required ? var.num_vm_instances : 0 + count = var.num_vm_instances depends_on = [null_resource.status_check] // Connection setup for all WLS instances connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_bastion_instance_required ? var.host_ips[count.index] : data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips[count.index].ip_address user = "opc" private_key = var.ssh_private_key - - bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host } provisioner "remote-exec" { @@ -146,7 +139,7 @@ resource "null_resource" "print_service_info" { } resource "null_resource" "cleanup" { - count = var.is_bastion_instance_required ? var.num_vm_instances : 0 + count = var.num_vm_instances depends_on = [null_resource.print_service_info] @@ -154,13 +147,9 @@ resource "null_resource" "cleanup" { connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_bastion_instance_required ? var.host_ips[count.index] : data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips[count.index].ip_address user = "opc" private_key = var.ssh_private_key - - bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host } provisioner "remote-exec" { 
@@ -169,32 +158,3 @@ resource "null_resource" "cleanup" { ] } } - -resource "null_resource" "cleanup_bastion" { - count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !var.assign_public_ip ? 1 : 0 - depends_on = [null_resource.cleanup] - - // Connection setup for all WLS instances - connection { - agent = false - timeout = "30m" - host = var.bastion_host - user = "opc" - private_key = var.bastion_host_private_key - } - - # run this provisioner everytime new bastion is created during reapply - triggers = { - ip_address = var.bastion_host - } - - provisioner "remote-exec" { - inline = [ - "sudo cp /home/opc/.ssh/authorized_keys.bak /home/opc/.ssh/authorized_keys", - "rm -f /home/opc/.ssh/authorized_keys.bak", - "chown -R opc /home/opc/.ssh/authorized_keys", - "sudo systemctl daemon-reload", - "sudo systemctl restart oracle-cloud-agent.service" - ] - } -} From 873fce2874fc1fe50787e557c547b5098da66103 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Wed, 10 May 2023 18:00:17 -0700 Subject: [PATCH 02/24] Introduced new variable for rms. --- terraform/main.tf | 28 +++------- .../modules/provisioners/provisioning.tf | 54 ++++++++++++++++--- terraform/modules/provisioners/variables.tf | 11 ++++ terraform/schema.yaml | 3 +- terraform/variables.tf | 5 ++ 5 files changed, 73 insertions(+), 28 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index be3e0504..95edac23 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -93,7 +93,6 @@ module "network-vcn-config" { mount_target_nsg_id = flatten(module.network-mount-target-nsg[*].nsg_id) admin_nsg_id = flatten(module.network-compute-admin-nsg[*].nsg_id) managed_nsg_id = flatten(module.network-compute-managed-nsg[*].nsg_id) - rms_private_endpoint_nsg_id = flatten(module.network-rms-private-endpoint-nsg[*].nsg_id) } tags = { 
@@ -167,19 +166,6 @@ module "network-compute-managed-nsg" { } } -module "network-rms-private-endpoint-nsg" { - source = "./modules/network/nsg" - count = !local.use_existing_subnets && local.wls_subnet_cidr != "" ? 1 : 0 - compartment_id = local.network_compartment_id - vcn_id = local.vcn_id - nsg_name = "${local.service_name_prefix}-rms-private-endpoint-nsg" - - tags = { - defined_tags = local.defined_tags - freeform_tags = local.free_form_tags - } -} - /* Create primary subnet for Load balancer only */ module "network-lb-subnet-1" { source = "./modules/network/subnet" @@ -462,18 +448,18 @@ module "load-balancer" { module "rms-private-endpoint" { source = "./modules/rms-private-endpoint" - count = !local.use_existing_subnets && local.wls_subnet_cidr != "" ? 1 : 0 + count = !local.use_existing_subnets && local.wls_subnet_cidr != "" && var.is_rms_private_endpoint ? 1 : 0 - vcn_id = local.vcn_id - compartment_id = var.compartment_ocid - private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : local.assign_weblogic_public_ip ? element(concat(module.network-wls-public-subnet[*].subnet_id, [""]), 0) : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) - private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_private_endpoint_nsg_id] : []) : element(module.network-rms-private-endpoint-nsg[*].nsg_id, 0) + vcn_id = local.vcn_id + compartment_id = var.compartment_ocid + private_endpoint_subnet_id = element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) + private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0) resource_name_prefix = var.service_name tags = { defined_tags = local.defined_tags freeform_tags = local.free_form_tags - } + } } module "observability-common" { 
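Review bot: `private_endpoint_nsg_id` now attaches the RMS private endpoint to the admin-server NSG (`module.network-compute-admin-nsg`) instead of the dedicated NSG this patch deletes, so any ingress rule later opened for the endpoint also applies to the admin server and vice versa; keeping a dedicated NSG leaves the two rule sets separable, which is the least-privilege option. `element(module.network-compute-admin-nsg[*].nsg_id, 0)` also errors on an empty list, and the module's `count` does not check that the admin NSG is actually created. `private_endpoint_subnet_id` is now always the private WLS subnet; if that subnet is not created when `local.assign_weblogic_public_ip` is set (as the `concat(..., [""])` fallback suggests), the endpoint receives an empty subnet id in that configuration, whereas the previous version chose the public subnet there.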
@@ -688,6 +674,8 @@ module "provisioners" { host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""]) num_vm_instances = var.wls_node_count ssh_private_key = module.compute.ssh_private_key_opc + is_rms_private_endpoint = var.is_rms_private_endpoint + rms_private_endpoint_id = var.is_rms_private_endpoint ? module.rms-private-endpoint.rms_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) is_bastion_instance_required = var.is_bastion_instance_required diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index c299becc..24832e85 100644 --- a/terraform/modules/provisioners/provisioning.tf +++ b/terraform/modules/provisioners/provisioning.tf 
@@ -2,16 +2,20 @@ # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. resource "null_resource" "status_check" { - count = var.num_vm_instances + count = var.is_bastion_instance_required || var.is_rms_private_endpoint ? var.num_vm_instances : 0 depends_on = [null_resource.dev_mode_provisioning] // Connection setup for all WLS instances connection { agent = false timeout = "30m" - host = var.is_bastion_instance_required ? var.host_ips[count.index] : data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips[count.index].ip_address + host = var.is_rms_private_endpoint ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips.ipaddress : var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key + + bastion_user = "opc" + bastion_private_key = is_bastion_instance_required ? var.bastion_host_private_key : "" + bastion_host = is_bastion_instance_required ? var.bastion_host : "" } // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here. @@ -88,7 +92,6 @@ resource "null_resource" "status_check" { provisioner "remote-exec" { inline = [ - "sudo su - oracle -c 'python3 /opt/scripts/check_provisioning_status.py'", ] } 
@@ -118,16 +121,20 @@ resource "null_resource" "status_check" { } resource "null_resource" "print_service_info" { - count = var.num_vm_instances + count = var.is_bastion_instance_required ? var.num_vm_instances : 0 depends_on = [null_resource.status_check] // Connection setup for all WLS instances connection { agent = false timeout = "30m" - host = var.is_bastion_instance_required ? var.host_ips[count.index] : data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips[count.index].ip_address + host = var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key + + bastion_user = "opc" + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } provisioner "remote-exec" { @@ -139,7 +146,7 @@ resource "null_resource" "print_service_info" { } resource "null_resource" "cleanup" { - count = var.num_vm_instances + count = var.is_bastion_instance_required ? var.num_vm_instances : 0 depends_on = [null_resource.print_service_info] @@ -147,9 +154,13 @@ resource "null_resource" "cleanup" { connection { agent = false timeout = "30m" - host = var.is_bastion_instance_required ? var.host_ips[count.index] : data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_ips[count.index].ip_address + host = var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key + + bastion_user = "opc" + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } provisioner "remote-exec" { 
@@ -158,3 +169,32 @@ resource "null_resource" "cleanup" { ] } } + +resource "null_resource" "cleanup_bastion" { + count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !var.assign_public_ip ? 1 : 0 + depends_on = [null_resource.cleanup] + + // Connection setup for all WLS instances + connection { + agent = false + timeout = "30m" + host = var.bastion_host + user = "opc" + private_key = var.bastion_host_private_key + } + + # run this provisioner everytime new bastion is created during reapply + triggers = { + ip_address = var.bastion_host + } + + provisioner "remote-exec" { + inline = [ + "sudo cp /home/opc/.ssh/authorized_keys.bak /home/opc/.ssh/authorized_keys", + "rm -f /home/opc/.ssh/authorized_keys.bak", + "chown -R opc /home/opc/.ssh/authorized_keys", + "sudo systemctl daemon-reload", + "sudo systemctl restart oracle-cloud-agent.service" + ] + } +} diff --git a/terraform/modules/provisioners/variables.tf b/terraform/modules/provisioners/variables.tf index ae35a3f6..84d81a28 100644 --- a/terraform/modules/provisioners/variables.tf +++ b/terraform/modules/provisioners/variables.tf @@ -16,6 +16,17 @@ variable "num_vm_instances" { description = "The number of compute instances that are available" } +variable "rms_private_endpoint_id" { + type = string + description = "The OCID of the RMS private endpoint" +} + +variable "is_rms_private_endpoint" { + type = bool + description = "Terms and conditions for user to accept Oracle WebLogic Server Enterprise Edition UCM or Oracle WebLogic Suite UCM license agreement" + default = true +} + variable "mode" { type = string description = "Select mode for development(DEV) or production(PROD). In development mode, local VM scripts zip is seeded on WLS VMs " diff --git a/terraform/schema.yaml b/terraform/schema.yaml index 913c293f..0a37d333 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml 
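Review bot: The `description` of `is_rms_private_endpoint` is the license-acceptance text copied from another variable ("Terms and conditions for user to accept ... license agreement"), and the same text is reused for the root-level `is_rms_private_endpoint` in `terraform/variables.tf` in this patch; replace it with something like `"Use a Resource Manager private endpoint instead of a bastion host to reach the WebLogic instances"`. Both variables default to `true`, which switches every existing stack to the new connection path on its next apply and, through the `count` expressions in `provisioning.tf`, decides whether the status-check provisioners run at all; a new feature flag is safer defaulting to `false` until the data source it depends on is in place. `rms_private_endpoint_id` has no `default`, so the provisioners module must always be given a value even when the flag is off — the root module passes `""` in that case, which is worth stating in its description.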
@@ -222,6 +222,7 @@ groupings: - ${wls_admin_port_source_cidr} - ${wlsoci_vmscripts_zip_bundle_path} - ${tf_script_version} + - ${is_rms_private_endpoint} #- ${use_autoscaling} outputs: @@ -232,7 +233,7 @@ outputs: type: link title: Is VCN Peered visible: false - weblogic_server_administration_console: + weblogic_server_administration_cionsole: type: link title: WebLogic Server Administration Console weblogic_instances: diff --git a/terraform/variables.tf b/terraform/variables.tf index 7e8521cf..dc3a0798 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -121,3 +121,8 @@ variable "tf_script_version" { default = "" } +variable "is_rms_private_endpoint" { + type = bool + description = "Terms and conditions for user to accept Oracle WebLogic Server Enterprise Edition UCM or Oracle WebLogic Suite UCM license agreement" + default = true +} From b772f7c71d4e5dfd840b76de50c64aa20a062601 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Mon, 15 May 2023 12:30:10 -0700 Subject: [PATCH 03/24] JCS-13348 Use RMS private endpoint in lieu of bastion host --- terraform/locals.tf | 2 - terraform/main.tf | 71 +++++++++++++++- terraform/modules/policies/locals.tf | 8 +- .../provisioners/dev_mode_provisioning.tf | 14 ++-- .../modules/provisioners/provisioning.tf | 26 +++--- terraform/modules/provisioners/variables.tf | 2 +- .../modules/validators/network_validators.tf | 4 - terraform/outputs.tf | 8 +- terraform/schema.yaml | 76 +++++++++++++++-- terraform/schema_14110.yaml | 83 +++++++++++++++++-- terraform/variables.tf | 22 ++++- 11 files changed, 257 insertions(+), 59 deletions(-) diff --git a/terraform/locals.tf b/terraform/locals.tf index 79496273..d67ef872 100644 --- a/terraform/locals.tf +++ b/terraform/locals.tf 
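Review bot: The output key `weblogic_server_administration_console` is renamed to `weblogic_server_administration_cionsole`, which looks like an accidental typo rather than an intended rename; unless the matching `output` block in `outputs.tf` was renamed identically (not visible in this patch), the Resource Manager console loses its link to the Administration Console. Restore `weblogic_server_administration_console:`. The `${is_rms_private_endpoint}` entry added to the grouping in the hunk above refers to a variable that patch 03 renames to `is_rms_private_endpoint_required`; that patch also touches `schema.yaml`, so presumably this entry is updated there.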
@@ -105,8 +105,6 @@ locals { local.lb_ip, ) : "" - async_prov_mode = !local.assign_weblogic_public_ip && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : "" - jdk_labels = { jdk7 = "JDK 7", jdk8 = "JDK 8", jdk11 = "JDK 11" } jdk_version = var.wls_version == "14.1.1.0" ? local.jdk_labels[var.wls_14c_jdk_version] : (var.wls_version == "11.1.1.7" ? local.jdk_labels["jdk7"] : local.jdk_labels["jdk8"]) diff --git a/terraform/main.tf b/terraform/main.tf index 95edac23..16b80c98 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -206,6 +206,69 @@ module "network-bastion-subnet" { } } +module "policies" { + #depends_on = [module.network-validation] + source = "./modules/policies" + count = var.create_policies ? 1 : 0 + compartment_id = var.compartment_ocid + network_compartment_id = local.network_compartment_id + dynamic_group_rule = local.dynamic_group_rule + resource_name_prefix = local.service_name_prefix + tenancy_id = var.tenancy_ocid + wls_admin_password_id = var.wls_admin_password_id + providers = { + oci = oci.home + } + tags = { + defined_tags = local.defined_tags + freeform_tags = local.free_form_tags + } + atp_db = local.atp_db + oci_db = local.oci_db + vcn_id = element(concat(module.network-vcn[*].vcn_id, [""]), 0) + wls_existing_vcn_id = var.wls_existing_vcn_id + is_idcs_selected = var.is_idcs_selected + idcs_client_secret_id = var.idcs_client_secret_id + use_oci_logging = var.use_oci_logging + use_apm_service = local.use_apm_service + apm_domain_compartment_id = local.apm_domain_compartment_id + use_autoscaling = var.use_autoscaling + ocir_auth_token_id = var.ocir_auth_token_id + add_fss = var.add_fss + add_load_balancer = local.add_load_balancer + fss_compartment_id = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id + mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id +} + +module "bastion" { + #depends_on = [module.network-validation] + source = "./modules/compute/bastion" + count = (!local.assign_weblogic_public_ip && var.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0 + availability_domain = local.bastion_availability_domain + bastion_subnet_id = var.bastion_subnet_id != "" ? 
var.bastion_subnet_id : module.network-bastion-subnet[0].subnet_id + + compartment_id = var.compartment_ocid + instance_image_id = var.bastion_image_id + instance_shape = local.bastion_instance_shape + region = var.region + ssh_public_key = var.ssh_public_key + tenancy_id = var.tenancy_ocid + use_existing_subnet = var.bastion_subnet_id != "" + vm_count = var.wls_node_count + instance_name = "${local.service_name_prefix}-bastion-instance" + tags = { + defined_tags = local.defined_tags + freeform_tags = local.free_form_tags + } + is_bastion_with_reserved_public_ip = var.is_bastion_with_reserved_public_ip + bastion_nsg_id = var.bastion_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_bastion_nsg_id] : []) : flatten(module.network-bastion-nsg[*].nsg_id) + + use_bastion_marketplace_image = var.use_bastion_marketplace_image + mp_listing_id = var.bastion_listing_id + mp_listing_resource_version = var.bastion_listing_resource_version +} + + /* Create back end private subnet for wls */ module "network-wls-private-subnet" { source = "./modules/network/subnet" @@ -448,11 +511,11 @@ module "load-balancer" { module "rms-private-endpoint" { source = "./modules/rms-private-endpoint" - count = !local.use_existing_subnets && local.wls_subnet_cidr != "" && var.is_rms_private_endpoint ? 1 : 0 + count = (var.is_rms_private_endpoint_required && var.add_new_rms_private_endpoint) || var.wls_existing_vcn_id == "" ? 1 : 0 vcn_id = local.vcn_id compartment_id = var.compartment_ocid - private_endpoint_subnet_id = element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) + private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0) resource_name_prefix = var.service_name 
@@ -674,8 +737,8 @@ module "provisioners" { host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""]) num_vm_instances = var.wls_node_count ssh_private_key = module.compute.ssh_private_key_opc - is_rms_private_endpoint = var.is_rms_private_endpoint - rms_private_endpoint_id = var.is_rms_private_endpoint ? module.rms-private-endpoint.rms_private_endpoint_id : "" + is_rms_private_endpoint_required = var.is_rms_private_endpoint_required + rms_private_endpoint_id = var.is_rms_private_endpoint_required ? (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) is_bastion_instance_required = var.is_bastion_instance_required diff --git a/terraform/modules/policies/locals.tf b/terraform/modules/policies/locals.tf index 3204df56..ce6af970 100644 --- a/terraform/modules/policies/locals.tf +++ b/terraform/modules/policies/locals.tf 
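Review bot: The condition used here to pick the endpoint OCID does not match the `count` on `module "rms-private-endpoint"` in the hunk above: the module is created when `(is_rms_private_endpoint_required && add_new_rms_private_endpoint) || wls_existing_vcn_id == ""`, so every new-VCN deployment gets a private endpoint even with `is_rms_private_endpoint_required = false`, while this line passes `""` in that case and the endpoint sits unused but attached to the admin NSG. Indexing `module.rms-private-endpoint[0]` is only safe because the inner `(add_new_rms_private_endpoint || wls_existing_vcn_id == "")` happens to mirror the count; if the two expressions drift, the plan fails with an index error. Pulling the condition into one local, e.g. `create_rms_private_endpoint = var.is_rms_private_endpoint_required && (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "")`, and using it in both places removes the divergence and stops creating an endpoint that nothing connects through. Parenthesising the whole inner `? :` would also make the precedence of the nested conditional explicit.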
@@ -35,17 +35,11 @@ locals { apm_domain_policy_statement = var.use_apm_service ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use apm-domains in compartment id ${var.apm_domain_compartment_id}" : "" # This policy with "use load_balancer" verb is needed to create load balancer for new vcn lb_policy_statement = var.add_load_balancer ? length(oci_identity_dynamic_group.wlsc_instance_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use load-balancers in compartment id ${var.network_compartment_id}" : "" : "" - service_statements = compact([local.core_policy_statement1, local.core_policy_statement2, local.core_policy_statement3, local.network_policy_statement1, local.secrets_policy_statement1, local.secrets_policy_statement2, local.atp_policy_statement1, local.atp_policy_statement2, local.atp_policy_statement3, local.oci_db_policy_statement1, local.oci_db_policy_statement2, local.oci_db_policy_statement3, local.logging_policy, local.apm_domain_policy_statement, local.lb_policy_statement ]) - #rms private endpoint policies - rms_private_endpoint_statement1 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage orm-private-endpoints in tenancy - rms_private_endpoint_statement2 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use virtual-network-family in tenancy where any request.operation={'CreatePrivateEndpoint'}" - rms_policy_statements = compact([local.rms_private_endpoint_statement1, local.rms_private_endpoint_statement2]) - cloning_policy_statement1 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read orm-stacks in compartment id ${var.compartment_id}" cloning_policy_statement2 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to inspect compartments in tenancy" cloning_policy_statement = 
compact([local.cloning_policy_statement1, local.cloning_policy_statement2]) @@ -111,7 +105,7 @@ locals { ]) #TODO: When other categories with more statements are added here, concat them with service_statements - policy_statements = concat(local.service_statements, local.cloning_policy_statement, local.autoscaling_statements, local.rms_policy_statements) + policy_statements = concat(local.service_statements, local.cloning_policy_statement, local.autoscaling_statements) reserved_ips_info = var.compartment_id == "" ? [{ id = var.resource_name_prefix }] : [] diff --git a/terraform/modules/provisioners/dev_mode_provisioning.tf b/terraform/modules/provisioners/dev_mode_provisioning.tf index 2574b27f..99c28f80 100644 --- a/terraform/modules/provisioners/dev_mode_provisioning.tf +++ b/terraform/modules/provisioners/dev_mode_provisioning.tf @@ -2,7 +2,7 @@ # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. resource "null_resource" "dev_mode_provisioning" { - count = var.mode == "DEV" ? var.num_vm_instances : 0 + count = var.mode == "DEV" && (var.is_bastion_instance_required || var.is_rms_private_endpoint_required) ? var.num_vm_instances : 0 // In production we will use the vmscripts.tar.gz already on the image. // In developer mode we will upload the vmscripts to the instance. 
@@ -14,25 +14,25 @@ resource "null_resource" "dev_mode_provisioning" { connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } } provisioner "remote-exec" { connection { agent = false timeout = "30m" - host = var.host_ips[count.index] + host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } inline = [ diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index 24832e85..79a3c8f7 100644 --- a/terraform/modules/provisioners/provisioning.tf +++ b/terraform/modules/provisioners/provisioning.tf 
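Review bot: Every `host` in this hunk now reads `data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address`, but no `data "oci_resourcemanager_private_endpoint_reachable_ip"` block is declared anywhere in the three patches shown, and the `rms_private_endpoint_id` variable such a block would need is not referenced in any visible hunk either; unless it lives in an untouched file, `terraform validate` will fail on an undeclared data source. The same reference appears in the `status_check`, `print_service_info` and `cleanup` connection blocks of `provisioning.tf` in the next two hunks. When the data source is added, its `count` has to equal `var.num_vm_instances` and each instance should be given that VM's private IP so `[count.index]` lines up with `var.host_ips`. When both `is_rms_private_endpoint_required` and `is_bastion_instance_required` are true, the bastion instance is still created and `cleanup_bastion` still connects to it, yet no provisioner routes through it; a comment above `bastion_host` such as `# RMS private endpoint takes precedence over the bastion; bastion fields are blanked so the SSH connection is made without a bastion hop.` would make that precedence explicit.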
@@ -2,20 +2,20 @@
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 resource "null_resource" "status_check" {
- count = var.is_bastion_instance_required || var.is_rms_private_endpoint ? var.num_vm_instances : 0
+ count = var.is_bastion_instance_required || var.is_rms_private_endpoint_required ? var.num_vm_instances : 0
 depends_on = [null_resource.dev_mode_provisioning]
 // Connection setup for all WLS instances
 connection {
 agent = false
 timeout = "30m"
- host = var.is_rms_private_endpoint ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips.ipaddress : var.host_ips[count.index]
+ host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index]
 user = "opc"
 private_key = var.ssh_private_key
 bastion_user = "opc"
- bastion_private_key = is_bastion_instance_required ? var.bastion_host_private_key : ""
- bastion_host = is_bastion_instance_required ? var.bastion_host : ""
+ bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key
+ bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host
 }
 // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here.
@@ -121,20 +121,20 @@ resource "null_resource" "status_check" {
 }
 resource "null_resource" "print_service_info" {
- count = var.is_bastion_instance_required ? var.num_vm_instances : 0
+ count = var.is_bastion_instance_required || var.is_rms_private_endpoint_required ? var.num_vm_instances : 0
 depends_on = [null_resource.status_check]
 // Connection setup for all WLS instances
 connection {
 agent = false
 timeout = "30m"
- host = var.host_ips[count.index]
+ host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index]
 user = "opc"
 private_key = var.ssh_private_key
 bastion_user = "opc"
- bastion_private_key = var.bastion_host_private_key
- bastion_host = var.bastion_host
+ bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key
+ bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host
 }
 provisioner "remote-exec" {
@@ -146,7 +146,7 @@ resource "null_resource" "print_service_info" {
 }
 resource "null_resource" "cleanup" {
- count = var.is_bastion_instance_required ? var.num_vm_instances : 0
+ count = var.is_bastion_instance_required || var.is_rms_private_endpoint_required ? var.num_vm_instances : 0
 depends_on = [null_resource.print_service_info]
@@ -154,13 +154,13 @@ resource "null_resource" "cleanup" {
 connection {
 agent = false
 timeout = "30m"
- host = var.host_ips[count.index]
+ host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index]
 user = "opc"
 private_key = var.ssh_private_key
 bastion_user = "opc"
- bastion_private_key = var.bastion_host_private_key
- bastion_host = var.bastion_host
+ bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key
+ bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host
 }
 provisioner "remote-exec" {
@@ -171,7 +171,7 @@ resource "null_resource" "cleanup" {
 }
 resource "null_resource" "cleanup_bastion" {
- count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !var.assign_public_ip ? 1 : 0
+ count = var.is_bastion_instance_required && !var.is_rms_private_endpoint_required && var.existing_bastion_instance_id == "" && !var.assign_public_ip ? 1 : 0
 depends_on = [null_resource.cleanup]
 // Connection setup for all WLS instances
diff --git a/terraform/modules/provisioners/variables.tf b/terraform/modules/provisioners/variables.tf
index 84d81a28..fad5edb9 100644
--- a/terraform/modules/provisioners/variables.tf
+++ b/terraform/modules/provisioners/variables.tf
@@ -21,7 +21,7 @@ variable "rms_private_endpoint_id" {
 description = "The OCID of the RMS private endpoint"
 }
-variable "is_rms_private_endpoint" {
+variable "is_rms_private_endpoint_required" {
 type = bool
 description = "Terms and conditions for user to accept Oracle WebLogic Server Enterprise Edition UCM or Oracle WebLogic Suite UCM license agreement"
 default = true
diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf
index 86af8e32..c1d25bca 100644
--- a/terraform/modules/validators/network_validators.tf
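Review bot: `is_rms_private_endpoint_required` keeps `default = true` inside the provisioners module, so a caller that omits it silently switches every connection block of the module onto the private-endpoint path and indexes the reachable-IP data source; a flag that decides how the hosts are reached belongs as a required input with no default, the way main.tf passes `is_bastion_instance_required` explicitly. The description is still the license-agreement text copied from another variable, and patch 07 in this series replaces it with `Set resource manager private endpoint`, which still does not say what the flag does. Suggest `description = "When true, provisioners connect to the WebLogic instances through the Resource Manager private endpoint instead of the bastion host"`.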
+++ b/terraform/modules/validators/network_validators.tf
@@ -69,10 +69,6 @@ locals {
 bastion_ssh_key_file = var.bastion_ssh_private_key == "" ? "missing.txt" : var.bastion_ssh_private_key
 invalid_bastion_private_key = (local.is_existing_bastion_condition && (var.bastion_ssh_private_key == "" || !fileexists(local.bastion_ssh_key_file)))
- invalid_bastion_config = (var.existing_vcn_id == "" || (local.has_existing_vcn && var.wls_subnet_id == "")) ? local.is_bastion_turned_off : false
- invalid_bastion_config_msg = "WLSC-ERROR: Provisioning in private subnet without bastion instance has to be limited for VCN with existing subnets."
- validate_bastion_config = (local.invalid_bastion_config) ? local.validators_msg_map[local.invalid_bastion_config_msg] : null
-
 invalid_lb_type = var.is_lb_private && var.assign_public_ip
 # VCN peering
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 5d6c954b..b4c63efc 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -78,14 +78,14 @@ output "listing_version" {
 value = var.tf_script_version
 }
-output "provisioning_status" {
- value = local.async_prov_mode
-}
-
 output "jdk_version" {
 value = local.jdk_version
 }
+output "rms_private_endpoint_id" {
+ value = var.is_rms_private_endpoint_required ? (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : ""
+}
+
 output "weblogic_agent_configuration_id" {
 value = element(concat(module.observability-logging[*].agent_config_id, [""]), 0)
 }
diff --git a/terraform/schema.yaml b/terraform/schema.yaml
index 0a37d333..3bcfcbd4 100644
--- a/terraform/schema.yaml
+++ b/terraform/schema.yaml
@@ -12,6 +12,7 @@ groupings:
 - ${ssh_public_key}
 - ${create_policies}
 - ${create_new_vcn}
+ - ${is_rms_private_endpoint_required}
 - ${is_bastion_instance_required}
 - ${add_load_balancer}
 - ${is_idcs_selected}
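Review bot: Removing `invalid_bastion_config` drops the only check that a private-subnet deployment has some way to reach its instances, and nothing in this series replaces it with the equivalent condition for the new path: with `is_bastion_instance_required` and `is_rms_private_endpoint_required` both false, `status_check`, `print_service_info` and `cleanup` in provisioning.tf all get `count = 0` and the stack finishes without ever checking the domain. The `missing_rms_private_endpoint_id` validator that patch 08 adds only covers the existing-VCN case where the flag is already true. Unless that combination is rejected elsewhere, I would keep a validator along the lines of `invalid_access_config = local.is_bastion_turned_off && !var.is_rms_private_endpoint_required && (var.existing_vcn_id == "" || (local.has_existing_vcn && var.wls_subnet_id == ""))` with a message that names both options. The `locals` block continues outside this hunk.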
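Review bot: The new `rms_private_endpoint_id` output is a nested conditional with no parentheses, `a ? b ? x : y : ""`, and the identical expression is passed to `module.provisioners` as `rms_private_endpoint_id` in the main.tf hunks of patch 04; computing it once as `local.rms_private_endpoint_id` and referencing that from both places keeps the two from drifting and makes the precedence explicit. Note also that this output gates on `is_rms_private_endpoint_required` first, while the `count` of `module "rms-private-endpoint"` in patch 04 creates the endpoint whenever `wls_existing_vcn_id == ""`, so a new-VCN run with the flag false still creates an endpoint but reports `""` here; presumably the module `count` should read `var.is_rms_private_endpoint_required && (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? 1 : 0` as well.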
@@ -90,6 +91,12 @@ groupings: - ${existing_admin_server_nsg_id} - ${existing_managed_server_nsg_id} + - title: "Resource Manager Private Endpoint" + variables: + - ${add_existing_rms_private_endpoint} + - ${rms_existing_private_endpoint_id} + - ${add_new_rms_private_endpoint} + - title: "Bastion Instance" variables: - ${is_bastion_with_reserved_public_ip} @@ -222,7 +229,6 @@ groupings: - ${wls_admin_port_source_cidr} - ${wlsoci_vmscripts_zip_bundle_path} - ${tf_script_version} - - ${is_rms_private_endpoint} #- ${use_autoscaling} outputs: @@ -267,6 +273,9 @@ outputs: jdk_version: type: link title: JDK Version + rms_private_endpoint_id: + type: ocid + title: Rsource Manager Private Endpoint bastion_instance_id: type: ocid title: Instance Id @@ -321,6 +330,7 @@ outputGroups: - ${weblogic_version} - ${weblogic_instances} - ${jdk_version} + - ${rms_private_endpoint_id} - title: Networking outputs: - ${virtual_cloud_network_id} @@ -923,6 +933,15 @@ variables: description: "If not selected, the WebLogic Server compute instances are created in a new private subnet. The compute instances, admin console, and applications will not be directly accessible from clients that are external to Oracle Cloud." is_bastion_instance_required: + visible: + and: + - ${orm_create_mode} + type: boolean + default: false + title: "Provision Bastion Instance" + description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + + is_rms_private_endpoint_required: visible: and: - ${orm_create_mode} 
@@ -937,16 +956,60 @@ variables: - "Use Public Subnet" type: boolean default: true - title: "Provision Bastion Instance" + title: "Provision Resource Manager Private Endpoint" description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + add_existing_rms_private_endpoint: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_vcn} + - not: + - ${add_new_rms_private_endpoint} + type: boolean + default: false + title: "Resource Manager Existing Private Endpoint" + description: "Use existing resource manager private endpoint." + + rms_existing_private_endpoint_id: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - ${add_existing_rms_private_endpoint} + - not: + - ${create_new_vcn} + - not: + - ${add_new_rms_private_endpoint} + dependsOn: + compartmentId: ${compartment_ocid} + vcnId: ${wls_existing_vcn_id} + type: oci:resourcemanager:privateendpoint:id + required: true + title: "Resource Manager Private Endpoint" + description: "Resource manager private endpoint for private access." + + add_new_rms_private_endpoint: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_vcn} + - not: + - ${add_existing_rms_private_endpoint} + type: boolean + default: false + title: "Resource Manager New Private Endpoint" + description: "Create resource manager private endpoint." + is_bastion_with_reserved_public_ip: visible: and: - or: - ${is_bastion_instance_required} - - ${create_new_vcn} - - ${create_new_subnets} - or: - or: - ${create_new_vcn} @@ -974,8 +1037,6 @@ variables: - ${orm_create_mode} - or: - ${is_bastion_instance_required} - - ${create_new_vcn} - - ${create_new_subnets} - and: - or: - ${create_new_vcn} 
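Review bot: `add_existing_rms_private_endpoint` and `add_new_rms_private_endpoint` are two booleans whose `visible` conditions each negate the other, so the form can be submitted with neither selected and the omission is only caught at plan time by the validator patch 08 adds. A single choice variable — for example `rms_private_endpoint_mode` with an `enum` of `NEW` and `EXISTING`, required when `is_rms_private_endpoint_required` is true — would make the choice mandatory in the UI, drop the circular visibility rules, and let `rms_existing_private_endpoint_id` depend on one value instead of three. The same three blocks are repeated in schema_14110.yaml later in this patch and would simplify the same way.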
@@ -1028,8 +1089,6 @@ variables: - and: - or: - ${is_bastion_instance_required} - - ${create_new_vcn} - - ${create_new_subnets} - eq: - ${subnet_type} - "Use Private Subnet" @@ -1103,6 +1162,7 @@ variables: compartmentId: ${network_compartment_id} vcnId: ${wls_existing_vcn_id} + # Load Balancer Configuration add_load_balancer: type: boolean diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index 08db092d..984c7d00 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml @@ -12,6 +12,7 @@ groupings: - ${ssh_public_key} - ${create_policies} - ${create_new_vcn} + - ${is_rms_private_endpoint_required} - ${is_bastion_instance_required} - ${add_load_balancer} - ${is_idcs_selected} @@ -63,6 +64,12 @@ groupings: - ${existing_admin_server_nsg_id} - ${existing_managed_server_nsg_id} + - title: "Resource Manager Private Endpoint" + variables: + - ${add_existing_rms_private_endpoint} + - ${rms_existing_private_endpoint_id} + - ${add_new_rms_private_endpoint} + - title: "Bastion Instance" variables: - ${is_bastion_with_reserved_public_ip} @@ -264,6 +271,9 @@ outputs: jdk_version: type: link title: JDK Version + rms_private_endpoint_id: + type: ocid + title: Resource Manager Private Endpoint bastion_instance_id: type: ocid title: Instance Id @@ -318,6 +328,7 @@ outputGroups: - ${weblogic_version} - ${weblogic_instances} - ${jdk_version} + - ${rms_private_endpoint_id} - title: Networking outputs: - ${virtual_cloud_network_id} 
@@ -944,17 +955,79 @@ variables: - ${subnet_type} - "Use Public Subnet" type: boolean - default: true + default: false title: "Provision Bastion Instance" description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + is_rms_private_endpoint_required: + visible: + and: + - ${orm_create_mode} + - and: + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - not: + - eq: + - ${subnet_type} + - "Use Public Subnet" + type: boolean + default: true + title: "Provision Resource Manager Private Endpoint" + description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + + add_existing_rms_private_endpoint: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_vcn} + - not: + - ${add_new_rms_private_endpoint} + type: boolean + default: false + title: "Resource Manager Existing Private Endpoint" + description: "Use existing resource manager private endpoint." + + rms_existing_private_endpoint_id: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - ${add_existing_rms_private_endpoint} + - not: + - ${create_new_vcn} + - not: + - ${add_new_rms_private_endpoint} + dependsOn: + compartmentId: ${compartment_ocid} + vcnId: ${wls_existing_vcn_id} + type: oci:resourcemanager:privateendpoint:id + required: true + title: "Resource Manager Private Endpoint" + description: "Resource manager private endpoint for private access." 
+ + add_new_rms_private_endpoint: + visible: + and: + - ${orm_create_mode} + - ${is_rms_private_endpoint_required} + - not: + - ${create_new_vcn} + - not: + - ${add_existing_rms_private_endpoint} + type: boolean + default: false + title: "Resource Manager New Private Endpoint" + description: "Create resource manager private endpoint." + is_bastion_with_reserved_public_ip: visible: and: - or: - ${is_bastion_instance_required} - - ${create_new_vcn} - - ${create_new_subnets} - or: - or: - ${create_new_vcn} @@ -982,8 +1055,6 @@ variables: - ${orm_create_mode} - or: - ${is_bastion_instance_required} - - ${create_new_vcn} - - ${create_new_subnets} - and: - or: - ${create_new_vcn} @@ -1036,8 +1107,6 @@ variables: - and: - or: - ${is_bastion_instance_required} - - ${create_new_vcn} - - ${create_new_subnets} - eq: - ${subnet_type} - "Use Private Subnet" diff --git a/terraform/variables.tf b/terraform/variables.tf index dc3a0798..e53e3503 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -121,8 +121,26 @@ variable "tf_script_version" { default = "" } -variable "is_rms_private_endpoint" { +variable "is_rms_private_endpoint_required" { type = bool - description = "Terms and conditions for user to accept Oracle WebLogic Server Enterprise Edition UCM or Oracle WebLogic Suite UCM license agreement" + description = "Set resource manager private endpoint. Default value is true" default = true } + +variable "add_new_rms_private_endpoint" { + type = bool + description = "Add new resource manager private endpoint" + default = false +} + +variable "add_existing_rms_private_endpoint" { + type = bool + description = "Add existing resource manager private endpoint" + default = false +} + +variable "rms_existing_private_endpoint_id" { + type = string + description = "The OCID for the existing resource manager private endpoint" + default = "" +} From 75245dc0f1557680b955dfc044dd26852309fe78 Mon Sep 17 00:00:00 2001 
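Review bot: The four new variable descriptions in variables.tf restate the variable names rather than what they control (`Set resource manager private endpoint. Default value is true`, `Add new resource manager private endpoint`), and this text is what Resource Manager surfaces to the person filling in the stack; suggest describing the effect, e.g. `description = "Reach the WebLogic instances through a Resource Manager private endpoint to check provisioning status; when false only a bastion host can be used"` for `is_rms_private_endpoint_required`. `rms_existing_private_endpoint_id` accepts any string; a `validation` block like the `compartment_id` check in the rms-private-endpoint module added by patch 04, `condition = var.rms_existing_private_endpoint_id == "" || length(regexall("^ocid1\\.", var.rms_existing_private_endpoint_id)) > 0`, would reject typos before the plan reaches the data source. The `add_new_rms_private_endpoint` / `add_existing_rms_private_endpoint` pair is mutually exclusive by schema visibility only; nothing on the Terraform side rejects both being true.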
From: Sarada Kommalapati
Date: Mon, 15 May 2023 12:45:38 -0700
Subject: [PATCH 04/24] Added module.
---
 terraform/main.tf | 64 +++++++++----------
 .../modules/network/vcn-config/variables.tf | 10 +--
 .../modules/rms-private-endpoint/outputs.tf | 7 ++
 .../rms-private-endpoint/rms_end_point.tf | 20 ++++++
 .../modules/rms-private-endpoint/variables.tf | 44 +++++++++++++
 terraform/variables.tf | 2 +-
 6 files changed, 109 insertions(+), 38 deletions(-)
 create mode 100644 terraform/modules/rms-private-endpoint/outputs.tf
 create mode 100644 terraform/modules/rms-private-endpoint/rms_end_point.tf
 create mode 100644 terraform/modules/rms-private-endpoint/variables.tf
diff --git a/terraform/main.tf b/terraform/main.tf
index 16b80c98..e07d0ba1 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -348,7 +348,7 @@ module "vcn-peering" {
 module "validators" {
 #depends_on = [module.network-validation]
- source = "./modules/validators"
+ source = "./modules/validators"
 service_name = var.service_name
 wls_ms_port = var.wls_ms_extern_port
@@ -467,8 +467,8 @@ module "validators" {
 module "fss" {
 #depends_on = [module.network-validation]
- source = "./modules/fss"
- count = var.add_fss ? 1 : 0
+ source = "./modules/fss"
+ count = var.add_fss ? 1 : 0
 compartment_id = var.compartment_ocid
 availability_domain = local.fss_availability_domain
@@ -490,8 +490,8 @@ module "fss" {
 module "load-balancer" {
 #depends_on = [module.network-validation]
- source = "./modules/lb/loadbalancer"
- count = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0
+ source = "./modules/lb/loadbalancer"
+ count = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0
 compartment_id = local.network_compartment_id
 lb_reserved_public_ip_id = compact([var.lb_reserved_public_ip_id])
@@ -510,15 +510,15 @@ module "load-balancer" {
 }
 module "rms-private-endpoint" {
- source = "./modules/rms-private-endpoint"
- count = (var.is_rms_private_endpoint_required && var.add_new_rms_private_endpoint) || var.wls_existing_vcn_id == "" ? 1 : 0
+ source = "./modules/rms-private-endpoint"
+ count = (var.is_rms_private_endpoint_required && var.add_new_rms_private_endpoint) || var.wls_existing_vcn_id == "" ? 1 : 0
+
+ vcn_id = local.vcn_id
+ compartment_id = var.compartment_ocid
+ private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0)
+ private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0)
+ resource_name_prefix = var.service_name
- vcn_id = local.vcn_id
- compartment_id = var.compartment_ocid
- private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0)
- private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0)
- resource_name_prefix = var.service_name
-
 tags = {
 defined_tags = local.defined_tags
 freeform_tags = local.free_form_tags
@@ -527,8 +527,8 @@ module "rms-private-endpoint" {
 module "observability-common" {
 #depends_on = [module.network-validation]
- source = "./modules/observability/common"
- count = var.use_oci_logging ? 1 : 0
+ source = "./modules/observability/common"
+ count = var.use_oci_logging ? 1 : 0
 compartment_id = var.compartment_ocid
 service_prefix_name = local.service_name_prefix
@@ -537,8 +537,8 @@ module "observability-common" {
 module "observability-autoscaling" {
 #depends_on = [module.network-validation]
- source = "./modules/observability/autoscaling"
- count = var.use_autoscaling ? 1 : 0
+ source = "./modules/observability/autoscaling"
+ count = var.use_autoscaling ? 1 : 0
 compartment_id = var.compartment_ocid
 metric_compartment_id = local.apm_domain_compartment_id
@@ -698,8 +698,8 @@ module "compute" {
 module "load-balancer-backends" {
 #depends_on = [module.network-validation]
- source = "./modules/lb/backends"
- count = local.add_load_balancer ? 1 : 0
+ source = "./modules/lb/backends"
+ count = local.add_load_balancer ? 1 : 0
 resource_name_prefix = local.service_name_prefix
 load_balancer_id = local.add_load_balancer ? (var.existing_load_balancer_id != "" ? var.existing_load_balancer_id : element(coalescelist(module.load-balancer[*].wls_loadbalancer_id, [""]), 0)) : ""
@@ -713,8 +713,8 @@ module "load-balancer-backends" {
 module "observability-logging" {
 #depends_on = [module.network-validation]
- source = "./modules/observability/logging"
- count = var.use_oci_logging ? 1 : 0
+ source = "./modules/observability/logging"
+ count = var.use_oci_logging ? 1 : 0
 compartment_id = var.compartment_ocid
 oci_managed_instances_principal_group = element(concat(module.policies[*].oci_managed_instances_principal_group, [""]), 0)
@@ -731,17 +731,17 @@ module "observability-logging" {
 module "provisioners" {
 #depends_on = [module.network-validation]
- source = "./modules/provisioners"
-
- existing_bastion_instance_id = var.existing_bastion_instance_id
- host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""])
- num_vm_instances = var.wls_node_count
- ssh_private_key = module.compute.ssh_private_key_opc
- is_rms_private_endpoint_required = var.is_rms_private_endpoint_required
- rms_private_endpoint_id = var.is_rms_private_endpoint_required ? (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : ""
- assign_public_ip = local.assign_weblogic_public_ip
- bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)
- is_bastion_instance_required = var.is_bastion_instance_required
+ source = "./modules/provisioners"
+
+ existing_bastion_instance_id = var.existing_bastion_instance_id
+ host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""])
+ num_vm_instances = var.wls_node_count
+ ssh_private_key = module.compute.ssh_private_key_opc
+ is_rms_private_endpoint_required = var.is_rms_private_endpoint_required
+ rms_private_endpoint_id = var.is_rms_private_endpoint_required ? (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : ""
+ assign_public_ip = local.assign_weblogic_public_ip
+ bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)
+ is_bastion_instance_required = var.is_bastion_instance_required
 mode = var.mode
 wlsoci_vmscripts_zip_bundle_path = var.wlsoci_vmscripts_zip_bundle_path
diff --git a/terraform/modules/network/vcn-config/variables.tf b/terraform/modules/network/vcn-config/variables.tf
index 05b93f26..94870a8b 100644
--- a/terraform/modules/network/vcn-config/variables.tf
+++ b/terraform/modules/network/vcn-config/variables.tf
@@ -186,11 +186,11 @@ variable "nsg_ids" {
 type = map(any)
 description = "A map of nsg ids for load balancer, bastion, fss, admin server instance, and managed server instance"
 default = {
- lb_nsg_id = ""
- bastion_nsg_id = ""
- mount_target_nsg_id = ""
- admin_nsg_id = ""
- managed_nsg_id = ""
+ lb_nsg_id = ""
+ bastion_nsg_id = ""
+ mount_target_nsg_id = ""
+ admin_nsg_id = ""
+ managed_nsg_id = ""
 rms_private_endpoint_nsg_id = ""
 }
 }
diff --git a/terraform/modules/rms-private-endpoint/outputs.tf b/terraform/modules/rms-private-endpoint/outputs.tf
new file mode 100644
index 00000000..115099db
--- /dev/null
+++ b/terraform/modules/rms-private-endpoint/outputs.tf
@@ -0,0 +1,7 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+output "rms_private_endpoint_id" {
+ value = oci_resourcemanager_private_endpoint.rms_private_endpoint.id
+ description = "The OCID of the RMS private endpoint"
+}
\ No newline at end of file
diff --git a/terraform/modules/rms-private-endpoint/rms_end_point.tf b/terraform/modules/rms-private-endpoint/rms_end_point.tf
new file mode 100644
index 00000000..bc6b8e33
--- /dev/null
+++ b/terraform/modules/rms-private-endpoint/rms_end_point.tf
@@ -0,0 +1,20 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+resource "oci_resourcemanager_private_endpoint" "rms_private_endpoint" {
+
+ vcn_id = var.vcn_id
+ compartment_id = var.compartment_id
+ subnet_id = var.private_endpoint_subnet_id
+ nsg_id_list = var.private_endpoint_nsg_id
+
+ display_name = "${var.resource_name_prefix}-pvtEndpoint"
+
+ defined_tags = var.tags.defined_tags
+ freeform_tags = var.tags.freeform_tags
+
+ lifecycle {
+ ignore_changes = [defined_tags, freeform_tags]
+ }
+
+}
diff --git a/terraform/modules/rms-private-endpoint/variables.tf b/terraform/modules/rms-private-endpoint/variables.tf
new file mode 100644
index 00000000..1af76933
--- /dev/null
+++ b/terraform/modules/rms-private-endpoint/variables.tf
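Review bot: `nsg_id_list = var.private_endpoint_nsg_id` places the endpoint in whatever NSG main.tf hands it, and in this patch that is the admin-server NSG (`module.network-compute-admin-nsg`, or `existing_admin_server_nsg_id` for an existing subnet), so the Resource Manager endpoint inherits every ingress rule written for the admin host rather than the SSH-only reachability it needs. A dedicated NSG for the endpoint — egress to the WebLogic NSG on port 22 only, with a matching ingress rule on the WebLogic NSG whose source is that NSG — keeps the endpoint at least privilege; this series is currently moving the other way, since patch 06 deletes the `rms_private_endpoint_nsg_id` entry from the vcn-config defaults. Whether the WebLogic NSG already admits SSH from the admin NSG is not visible here and is worth confirming, because if it does not, every connection block would presumably sit on its `30m` timeout instead of failing fast.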
@@ -0,0 +1,44 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+variable "compartment_id" {
+ type = string
+ description = "The OCID of the compartment where the file system exists"
+ validation {
+ condition = length(regexall("^ocid1.compartment.*$", var.compartment_id)) > 0
+ error_message = "WLSC-ERROR: The value for compartment_id should start with \"ocid1.compartment.\"."
+ }
+}
+
+variable "vcn_id" {
+ type = string
+ description = "The OCID of the VCN where the rms private endpoint will be created"
+}
+
+variable "private_endpoint_subnet_id" {
+ type = string
+ description = "The OCID of the subnet where the rms private endpoint exists"
+}
+
+variable "private_endpoint_nsg_id" {
+ type = list(any)
+ description = "The list of NSG OCIDs associated with the rms private endpoint"
+ default = []
+}
+
+variable "tags" {
+ type = object({
+ defined_tags = map(any),
+ freeform_tags = map(any),
+ })
+ description = "Defined tags and freeform tags to be added to the rms endpoint resources"
+ default = {
+ defined_tags = {},
+ freeform_tags = {},
+ }
+}
+
+variable "resource_name_prefix" {
+ type = string
+ description = "Prefix which will be used to create rms private endpoint resources"
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index e53e3503..973f0655 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -128,7 +128,7 @@ variable "is_rms_private_endpoint_required" {
 }
 variable "add_new_rms_private_endpoint" {
- type = bool
+ type = bool
 description = "Add new resource manager private endpoint"
 default = false
 }
From 988fc151db52871ebeb3c1f8948c71afdb4be7aa Mon Sep 17 00:00:00 2001
From: Sarada Kommalapati
Date: Mon, 15 May 2023 12:49:48 -0700
Subject: [PATCH 05/24] Fix the data source.
---
 terraform/data_sources.tf | 6 ------
 1 file changed, 6 deletions(-)
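Review bot: The description of `compartment_id`, `The OCID of the compartment where the file system exists`, appears to be copied from the fss module and describes the wrong resource; suggest `description = "The OCID of the compartment in which the resource manager private endpoint is created"`. `private_endpoint_nsg_id` only ever carries NSG OCIDs, so `type = list(string)` states the contract better than `list(any)`, and `vcn_id` and `private_endpoint_subnet_id` could carry the same `ocid1.` `validation` block that `compartment_id` has so a mis-wired module argument fails at plan time rather than at the API.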
diff --git a/terraform/data_sources.tf b/terraform/data_sources.tf
index f13d4cf5..713a2668 100644
--- a/terraform/data_sources.tf
+++ b/terraform/data_sources.tf
@@ -18,12 +18,6 @@ data "oci_core_instance" "existing_bastion_instance" {
 instance_id = var.existing_bastion_instance_id
 }
-data "oci_core_instance" "private_endpoint_instance" {
- count = var.existing_bastion_instance_id != "" ? 1 : 0
-
- instance_id = var.existing_bastion_instance_id
-}
-
 data "oci_core_subnet" "wls_subnet" {
 count = var.wls_subnet_id == "" ? 0 : 1
 subnet_id = var.wls_subnet_id
From 855e7c63d90fe2d9cb69ea8cb92c8aeb4ef8ebb7 Mon Sep 17 00:00:00 2001
From: Sarada Kommalapati
Date: Mon, 15 May 2023 12:52:19 -0700
Subject: [PATCH 06/24] Remove unnecessary variables.
---
 terraform/modules/network/vcn-config/variables.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/modules/network/vcn-config/variables.tf b/terraform/modules/network/vcn-config/variables.tf
index 94870a8b..820192cc 100644
--- a/terraform/modules/network/vcn-config/variables.tf
+++ b/terraform/modules/network/vcn-config/variables.tf
@@ -191,7 +191,6 @@ variable "nsg_ids" {
 mount_target_nsg_id = ""
 admin_nsg_id = ""
 managed_nsg_id = ""
- rms_private_endpoint_nsg_id = ""
 }
 }
From 285841ca9158f255fad5e14ad440de97c5a03ab8 Mon Sep 17 00:00:00 2001
From: Sarada Kommalapati
Date: Mon, 15 May 2023 13:26:07 -0700
Subject: [PATCH 07/24] Fix the names.
---
 terraform/modules/provisioners/variables.tf | 4 ++--
 terraform/modules/rms-private-endpoint/outputs.tf | 4 ++--
 terraform/schema.yaml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/terraform/modules/provisioners/variables.tf b/terraform/modules/provisioners/variables.tf
index fad5edb9..0d77e93b 100644
--- a/terraform/modules/provisioners/variables.tf
+++ b/terraform/modules/provisioners/variables.tf
@@ -18,12 +18,12 @@ variable "num_vm_instances" {
 variable "rms_private_endpoint_id" {
 type = string
- description = "The OCID of the RMS private endpoint"
+ description = "The OCID of the resource manager private endpoint"
 }
 variable "is_rms_private_endpoint_required" {
 type = bool
- description = "Terms and conditions for user to accept Oracle WebLogic Server Enterprise Edition UCM or Oracle WebLogic Suite UCM license agreement"
+ description = "Set resource manager private endpoint"
 default = true
 }
diff --git a/terraform/modules/rms-private-endpoint/outputs.tf b/terraform/modules/rms-private-endpoint/outputs.tf
index 115099db..9716b01b 100644
--- a/terraform/modules/rms-private-endpoint/outputs.tf
+++ b/terraform/modules/rms-private-endpoint/outputs.tf
@@ -3,5 +3,5 @@ output "rms_private_endpoint_id" {
 value = oci_resourcemanager_private_endpoint.rms_private_endpoint.id
- description = "The OCID of the RMS private endpoint"
-}
\ No newline at end of file
+ description = "The OCID of the resource manager private endpoint"
+}
diff --git a/terraform/schema.yaml b/terraform/schema.yaml
index f5656701..7a90a3f1 100644
--- a/terraform/schema.yaml
+++ b/terraform/schema.yaml
@@ -239,7 +239,7 @@ outputs:
 type: link
 title: Is VCN Peered
 visible: false
- weblogic_server_administration_cionsole:
+ weblogic_server_administration_console:
 type: link
 title: WebLogic Server Administration Console
 weblogic_instances:
From 0430d54b5cb6fb0138c03a28b865c69fc57a0ef2 Mon Sep 17 00:00:00 2001
From: Sarada Kommalapati
Date: Tue, 16 May 2023 00:56:54 -0700
Subject: [PATCH 08/24] Validation for rms private endpoint.
---
 terraform/main.tf | 4 ++++
 .../modules/validators/network_validators.tf | 4 ++++
 terraform/modules/validators/variables.tf | 15 +++++++++++++++
 terraform/schema.yaml | 4 ++--
 terraform/schema_14110.yaml | 2 +-
 5 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/terraform/main.tf b/terraform/main.tf
index e07d0ba1..2274453e 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -444,6 +444,10 @@ module "validators" {
 min_threshold_counter = var.min_threshold_counter
 min_threshold_percent = var.min_threshold_percent
+ is_rms_private_endpoint_required = var.is_rms_private_endpoint_required
+ add_existing_rms_private_endpoint = var.add_existing_rms_private_endpoint
+ add_new_rms_private_endpoint = var.add_new_rms_private_endpoint
+
 generate_dg_tag = var.generate_dg_tag
 service_tags = var.service_tags
 tags = {
diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf
index c1d25bca..1b9af582 100644
--- a/terraform/modules/validators/network_validators.tf
+++ b/terraform/modules/validators/network_validators.tf
@@ -36,6 +36,7 @@ locals {
 missing_vcn_id = (var.existing_vcn_id == "" && (local.has_wls_subnet_id || local.has_lb_backend_subnet_id || local.has_lb_frontend_subnet_id))
 missing_private_subnet_vcn_id = (var.is_bastion_instance_required && (var.bastion_subnet_id != "" || var.existing_bastion_instance_id != "") && var.existing_vcn_id == "")
+ missing_rms_private_endpoint_id = var.wls_existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint
 #existing subnets
 # If load balancer selected, check LB and WLS have existing subnet IDs specified else, if load balancer is not selected, check if WLS is using existing subnet id
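Review bot: `missing_rms_private_endpoint_id` reads `var.wls_existing_vcn_id`, but inside the validators module the existing-VCN input is `var.existing_vcn_id` — the neighbouring `missing_vcn_id` and `missing_private_subnet_vcn_id` locals use it — and the validators/variables.tf hunk of this patch declares only the three rms variables, so unless `wls_existing_vcn_id` is declared elsewhere in the module `terraform validate` will reject the reference as an undeclared input variable. Suggest `missing_rms_private_endpoint_id = var.existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint`. The `locals` block continues outside this hunk.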
@@ -102,6 +103,9 @@ locals { missing_private_subnet_vcn_id_msg = "WLSC-ERROR: The value for existing_vcn_id is required if existing bastion subnet id is used for provisioning." validate_missing_private_subnet_vcn_id = local.missing_private_subnet_vcn_id ? local.validators_msg_map[local.missing_private_subnet_vcn_id_msg] : null + missing_rms_private_endpoint_id_msg = "WLSC-ERROR: The new or existing resource manager private endpoint id is required if is_rms_private_endpoint_required is set to true." + validate_missing_rms_private_endpoint_id_msg = local.missing_rms_private_endpoint_id ? local.validators_msg_map[local.missing_missing_rms_private_endpoint_id] : null + wls_subnet_cidr_msg = "WLSC-ERROR: WebLogic subnet CIDR has to be unique value." duplicate_wls_subnet_cidr = local.check_duplicate_wls_subnet_cidr == true ? local.validators_msg_map[local.wls_subnet_cidr_msg] : null diff --git a/terraform/modules/validators/variables.tf b/terraform/modules/validators/variables.tf index 7e12497d..6a5e1fcb 100644 --- a/terraform/modules/validators/variables.tf +++ b/terraform/modules/validators/variables.tf @@ -528,3 +528,18 @@ variable "tf_script_version" { type = string description = "The version of the provisioning scripts located in the OCI image used to create the WebLogic compute instances" } + +variable "is_rms_private_endpoint_required" { + type = bool + description = "Set resource manager private endpoint. Default value is true" +} + +variable "add_new_rms_private_endpoint" { + type = bool + description = "Add new resource manager private endpoint" +} + +variable "add_existing_rms_private_endpoint" { + type = bool + description = "Add existing resource manager private endpoint" +} diff --git a/terraform/schema.yaml b/terraform/schema.yaml index f5656701..7a90a3f1 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml 
@@ -275,7 +275,7 @@ outputs: title: JDK Version rms_private_endpoint_id: type: ocid - title: Rsource Manager Private Endpoint + title: Resource Manager Private Endpoint bastion_instance_id: type: ocid title: Instance Id @@ -957,7 +957,7 @@ variables: type: boolean default: true title: "Provision Resource Manager Private Endpoint" - description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." add_existing_rms_private_endpoint: visible: diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index 984c7d00..74abaf1f 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml @@ -975,7 +975,7 @@ variables: type: boolean default: true title: "Provision Resource Manager Private Endpoint" - description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." add_existing_rms_private_endpoint: visible: From dbf14085c10f2f2b483c143868673944a26203c1 Mon Sep 17 00:00:00 2001 
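Review bot: The new `description` for the `is_rms_private_endpoint_required` variable in the `@@ -957` hunk of schema.yaml reads awkwardly: `private end point` should be `private endpoint`, `if this is not selected` starts in lower case, and the last two sentences both describe the not-selected case. A single version such as `description: "Provision a Resource Manager private endpoint on the private subnet so the stack can report domain-creation status. If not selected, domain creation failures are not reported and the status must be read from /u01/logs/provisioning.log on the compute instance."` states the same thing once. The identical text is added in the schema_14110.yaml hunk below and should be changed there as well.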
From: Sarada Kommalapati Date: Tue, 16 May 2023 10:00:00 -0700 Subject: [PATCH 09/24] Fix validation. --- terraform/modules/validators/network_validators.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf index 1b9af582..1597eba0 100644 --- a/terraform/modules/validators/network_validators.tf +++ b/terraform/modules/validators/network_validators.tf @@ -36,7 +36,7 @@ locals { missing_vcn_id = (var.existing_vcn_id == "" && (local.has_wls_subnet_id || local.has_lb_backend_subnet_id || local.has_lb_frontend_subnet_id)) missing_private_subnet_vcn_id = (var.is_bastion_instance_required && (var.bastion_subnet_id != "" || var.existing_bastion_instance_id != "") && var.existing_vcn_id == "") - missing_rms_private_endpoint_id = var.wls_existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint + missing_rms_private_endpoint_id = var.existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint #existing subnets # If load balancer selected, check LB and WLS have existing subnet IDs specified else, if load balancer is not selected, check if WLS is using existing subnet id 
@@ -104,7 +104,7 @@ locals { validate_missing_private_subnet_vcn_id = local.missing_private_subnet_vcn_id ? local.validators_msg_map[local.missing_private_subnet_vcn_id_msg] : null missing_rms_private_endpoint_id_msg = "WLSC-ERROR: The new or existing resource manager private endpoint id is required if is_rms_private_endpoint_required is set to true." - validate_missing_rms_private_endpoint_id_msg = local.missing_rms_private_endpoint_id ? local.validators_msg_map[local.missing_missing_rms_private_endpoint_id] : null + validate_missing_rms_private_endpoint_id_msg = local.missing_rms_private_endpoint_id ? local.validators_msg_map[local.missing_rms_private_endpoint_id_msg] : null wls_subnet_cidr_msg = "WLSC-ERROR: WebLogic subnet CIDR has to be unique value." duplicate_wls_subnet_cidr = local.check_duplicate_wls_subnet_cidr == true ? local.validators_msg_map[local.wls_subnet_cidr_msg] : null From e29a094917c49375926abc429ff4c24fd372dda3 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Tue, 16 May 2023 10:19:46 -0700 Subject: [PATCH 10/24] terraform fmt. --- terraform/main.tf | 4 ++-- terraform/modules/network/vcn-config/variables.tf | 10 +++++----- terraform/modules/validators/network_validators.tf | 4 ++-- terraform/modules/validators/variables.tf | 10 +++++----- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 2274453e..454acf10 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -444,9 +444,9 @@ module "validators" { min_threshold_counter = var.min_threshold_counter min_threshold_percent = var.min_threshold_percent - is_rms_private_endpoint_required = var.is_rms_private_endpoint_required + is_rms_private_endpoint_required = var.is_rms_private_endpoint_required add_existing_rms_private_endpoint = var.add_existing_rms_private_endpoint - add_new_rms_private_endpoint = var.add_new_rms_private_endpoint + add_new_rms_private_endpoint = var.add_new_rms_private_endpoint generate_dg_tag = var.generate_dg_tag service_tags = var.service_tags diff --git a/terraform/modules/network/vcn-config/variables.tf b/terraform/modules/network/vcn-config/variables.tf index 820192cc..36389fe5 100644 --- a/terraform/modules/network/vcn-config/variables.tf +++ b/terraform/modules/network/vcn-config/variables.tf @@ -186,11 +186,11 @@ variable "nsg_ids" { type = map(any) description = "A map of nsg ids for load balancer, bastion, fss, admin server instance, and managed server instance" default = { - lb_nsg_id = "" - bastion_nsg_id = "" - mount_target_nsg_id = "" - admin_nsg_id = "" - managed_nsg_id = "" + lb_nsg_id = "" + bastion_nsg_id = "" + mount_target_nsg_id = "" + admin_nsg_id = "" + managed_nsg_id = "" } } diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf index 1597eba0..d061c105 100644 --- a/terraform/modules/validators/network_validators.tf +++ b/terraform/modules/validators/network_validators.tf 
@@ -36,7 +36,7 @@ locals { missing_vcn_id = (var.existing_vcn_id == "" && (local.has_wls_subnet_id || local.has_lb_backend_subnet_id || local.has_lb_frontend_subnet_id)) missing_private_subnet_vcn_id = (var.is_bastion_instance_required && (var.bastion_subnet_id != "" || var.existing_bastion_instance_id != "") && var.existing_vcn_id == "") - missing_rms_private_endpoint_id = var.existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint + missing_rms_private_endpoint_id = var.existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint #existing subnets # If load balancer selected, check LB and WLS have existing subnet IDs specified else, if load balancer is not selected, check if WLS is using existing subnet id @@ -103,7 +103,7 @@ locals { missing_private_subnet_vcn_id_msg = "WLSC-ERROR: The value for existing_vcn_id is required if existing bastion subnet id is used for provisioning." validate_missing_private_subnet_vcn_id = local.missing_private_subnet_vcn_id ? local.validators_msg_map[local.missing_private_subnet_vcn_id_msg] : null - missing_rms_private_endpoint_id_msg = "WLSC-ERROR: The new or existing resource manager private endpoint id is required if is_rms_private_endpoint_required is set to true." + missing_rms_private_endpoint_id_msg = "WLSC-ERROR: The new or existing resource manager private endpoint id is required if is_rms_private_endpoint_required is set to true." validate_missing_rms_private_endpoint_id_msg = local.missing_rms_private_endpoint_id ? local.validators_msg_map[local.missing_rms_private_endpoint_id_msg] : null wls_subnet_cidr_msg = "WLSC-ERROR: WebLogic subnet CIDR has to be unique value." diff --git a/terraform/modules/validators/variables.tf b/terraform/modules/validators/variables.tf index 6a5e1fcb..b7e9afb6 100644 --- a/terraform/modules/validators/variables.tf 
+++ b/terraform/modules/validators/variables.tf @@ -529,17 +529,17 @@ variable "tf_script_version" { description = "The version of the provisioning scripts located in the OCI image used to create the WebLogic compute instances" } -variable "is_rms_private_endpoint_required" { +variable "is_rms_private_endpoint_required" { type = bool description = "Set resource manager private endpoint. Default value is true" -} - +} + variable "add_new_rms_private_endpoint" { type = bool description = "Add new resource manager private endpoint" } - + variable "add_existing_rms_private_endpoint" { type = bool description = "Add existing resource manager private endpoint" -} +} From 60af6f54cf7c3fb6613c47c77a12957b52b0d1bd Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Mon, 22 May 2023 03:13:58 -0700 Subject: [PATCH 11/24] New updates. --- terraform/locals.tf | 3 ++ terraform/main.tf | 8 ++--- .../modules/validators/network_validators.tf | 4 +-- terraform/outputs.tf | 2 +- terraform/schema.yaml | 31 ++----------------- terraform/schema_14110.yaml | 2 +- terraform/variables.tf | 6 ---- 7 files changed, 13 insertions(+), 43 deletions(-) diff --git a/terraform/locals.tf b/terraform/locals.tf index d67ef872..9e0ead49 100644 --- a/terraform/locals.tf +++ b/terraform/locals.tf @@ -175,4 +175,7 @@ locals { "instanceShape" = var.bastion_instance_shape, "ocpus" = 1 } + + # Resource Manager + add_new_rms_private_endpoint = !var.add_existing_rms_private_endpoint && var.rms_existing_private_endpoint_id == "" ? true : false } diff --git a/terraform/main.tf b/terraform/main.tf index 454acf10..32a96257 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -196,7 +196,7 @@ module "network-bastion-subnet" { dhcp_options_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].dhcp_options_id : "" route_table_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].route_table_id : "" subnet_name = "${local.service_name_prefix}-${var.bastion_subnet_name}" - dns_label = "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}" + dns_label = var.is_bastion_instance_required && !var.is_rms_private_endpoint_required ? "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}" : format("%s-%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7)) cidr_block = local.bastion_subnet_cidr prohibit_public_ip = false @@ -446,7 +446,7 @@ module "validators" { is_rms_private_endpoint_required = var.is_rms_private_endpoint_required add_existing_rms_private_endpoint = var.add_existing_rms_private_endpoint - add_new_rms_private_endpoint = var.add_new_rms_private_endpoint + add_new_rms_private_endpoint = local.add_new_rms_private_endpoint generate_dg_tag = var.generate_dg_tag service_tags = var.service_tags @@ -515,7 +515,7 @@ module "load-balancer" { module "rms-private-endpoint" { source = "./modules/rms-private-endpoint" - count = (var.is_rms_private_endpoint_required && var.add_new_rms_private_endpoint) || var.wls_existing_vcn_id == "" ? 1 : 0 + count = (var.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint) == "" ? 1 : 0 vcn_id = local.vcn_id compartment_id = var.compartment_ocid 
@@ -742,7 +742,7 @@ module "provisioners" { num_vm_instances = var.wls_node_count ssh_private_key = module.compute.ssh_private_key_opc is_rms_private_endpoint_required = var.is_rms_private_endpoint_required - rms_private_endpoint_id = var.is_rms_private_endpoint_required ? (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" + rms_private_endpoint_id = var.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint) ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) is_bastion_instance_required = var.is_bastion_instance_required diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf index d061c105..4c2d0f52 100644 --- a/terraform/modules/validators/network_validators.tf +++ b/terraform/modules/validators/network_validators.tf 
@@ -36,7 +36,7 @@ locals { missing_vcn_id = (var.existing_vcn_id == "" && (local.has_wls_subnet_id || local.has_lb_backend_subnet_id || local.has_lb_frontend_subnet_id)) missing_private_subnet_vcn_id = (var.is_bastion_instance_required && (var.bastion_subnet_id != "" || var.existing_bastion_instance_id != "") && var.existing_vcn_id == "") - missing_rms_private_endpoint_id = var.existing_vcn_id != "" && var.is_rms_private_endpoint_required && !var.add_new_rms_private_endpoint && !var.add_existing_rms_private_endpoint + missing_rms_private_endpoint_id = !var.is_rms_private_endpoint_required && !var.is_bastion_instance_required #existing subnets # If load balancer selected, check LB and WLS have existing subnet IDs specified else, if load balancer is not selected, check if WLS is using existing subnet id @@ -103,7 +103,7 @@ locals { missing_private_subnet_vcn_id_msg = "WLSC-ERROR: The value for existing_vcn_id is required if existing bastion subnet id is used for provisioning." validate_missing_private_subnet_vcn_id = local.missing_private_subnet_vcn_id ? local.validators_msg_map[local.missing_private_subnet_vcn_id_msg] : null - missing_rms_private_endpoint_id_msg = "WLSC-ERROR: The new or existing resource manager private endpoint id is required if is_rms_private_endpoint_required is set to true." + missing_rms_private_endpoint_id_msg = "WLSC-ERROR: Atleast one of the is_bastion_instance_required or is_rms_private_endpoint_required is set to true" validate_missing_rms_private_endpoint_id_msg = local.missing_rms_private_endpoint_id ? local.validators_msg_map[local.missing_rms_private_endpoint_id_msg] : null wls_subnet_cidr_msg = "WLSC-ERROR: WebLogic subnet CIDR has to be unique value." diff --git a/terraform/outputs.tf b/terraform/outputs.tf index b4c63efc..74ec79e8 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf 
@@ -83,7 +83,7 @@ output "jdk_version" { } output "rms_private_endpoint_id" { - value = var.is_rms_private_endpoint_required ? (var.add_new_rms_private_endpoint || var.wls_existing_vcn_id == "") ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" + value = var.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" } output "weblogic_agent_configuration_id" { diff --git a/terraform/schema.yaml b/terraform/schema.yaml index 7a90a3f1..fd4c25a3 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml @@ -95,7 +95,6 @@ groupings: variables: - ${add_existing_rms_private_endpoint} - ${rms_existing_private_endpoint_id} - - ${add_new_rms_private_endpoint} - title: "Bastion Instance" variables: @@ -946,17 +945,13 @@ variables: and: - ${orm_create_mode} - and: - - not: - - ${create_new_subnets} - - not: - - ${create_new_vcn} - not: - eq: - ${subnet_type} - "Use Public Subnet" type: boolean default: true - title: "Provision Resource Manager Private Endpoint" + title: "Use Resource Manager Private Endpoint" description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." add_existing_rms_private_endpoint: @@ -964,12 +959,8 @@ variables: and: - ${orm_create_mode} - ${is_rms_private_endpoint_required} - - not: - - ${create_new_vcn} - - not: - - ${add_new_rms_private_endpoint} type: boolean - default: false + default: true title: "Resource Manager Existing Private Endpoint" description: "Use existing resource manager private endpoint." 
@@ -979,10 +970,6 @@ variables: - ${orm_create_mode} - ${is_rms_private_endpoint_required} - ${add_existing_rms_private_endpoint} - - not: - - ${create_new_vcn} - - not: - - ${add_new_rms_private_endpoint} dependsOn: compartmentId: ${compartment_ocid} vcnId: ${wls_existing_vcn_id} @@ -991,20 +978,6 @@ variables: title: "Resource Manager Private Endpoint" description: "Resource manager private endpoint for private access." - add_new_rms_private_endpoint: - visible: - and: - - ${orm_create_mode} - - ${is_rms_private_endpoint_required} - - not: - - ${create_new_vcn} - - not: - - ${add_existing_rms_private_endpoint} - type: boolean - default: false - title: "Resource Manager New Private Endpoint" - description: "Create resource manager private endpoint." - is_bastion_with_reserved_public_ip: visible: and: diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index 74abaf1f..9c209e31 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml @@ -1002,7 +1002,7 @@ variables: - not: - ${add_new_rms_private_endpoint} dependsOn: - compartmentId: ${compartment_ocid} + compartmentId: ${subnet_compartment_id} vcnId: ${wls_existing_vcn_id} type: oci:resourcemanager:privateendpoint:id required: true diff --git a/terraform/variables.tf b/terraform/variables.tf index 973f0655..65a5a178 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -127,12 +127,6 @@ variable "is_rms_private_endpoint_required" { default = true } -variable "add_new_rms_private_endpoint" { - type = bool - description = "Add new resource manager private endpoint" - default = false -} - variable "add_existing_rms_private_endpoint" { type = bool description = "Add existing resource manager private endpoint" From d9be36472b954a04b326803cce919eda3d2c8287 Mon Sep 17 00:00:00 2001 
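Review bot: The schema_14110.yaml hunk at `@@ -1002` changes the private-endpoint picker's `compartmentId` to `${subnet_compartment_id}`, while the matching `rms_existing_private_endpoint_id` block in schema.yaml (the `@@ -979` hunk above) keeps `compartmentId: ${compartment_ocid}`, so the two schemas now look up the existing endpoint in different compartments. The context lines of that same hunk still list `not: - ${add_new_rms_private_endpoint}` in the `visible` condition, but this commit removes `add_new_rms_private_endpoint` from variables.tf and from schema.yaml, leaving schema_14110.yaml referencing a variable that no longer exists. Either align both schemas on one compartment variable and drop the `add_new_rms_private_endpoint` clause from schema_14110.yaml too, or record why the 14.1.1.0 schema intentionally differs.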
From: Sarada Kommalapati Date: Wed, 24 May 2023 04:38:26 -0700 Subject: [PATCH 12/24] Updates based on review comments from support and dev team. --- solutions/jrf/jrf_instance.tfvars | 8 ++- terraform/bastion_variables.tf | 2 +- terraform/locals.tf | 13 +++-- terraform/main.tf | 29 +++++------ terraform/modules/provisioners/variables.tf | 2 - .../modules/validators/network_validators.tf | 5 -- terraform/modules/validators/variables.tf | 15 ------ terraform/outputs.tf | 4 ++ terraform/schema.yaml | 51 +++++++++++++++---- terraform/variables.tf | 6 +-- 10 files changed, 77 insertions(+), 58 deletions(-) diff --git a/solutions/jrf/jrf_instance.tfvars b/solutions/jrf/jrf_instance.tfvars index 72f47213..d8c3ac34 100644 --- a/solutions/jrf/jrf_instance.tfvars +++ b/solutions/jrf/jrf_instance.tfvars @@ -26,7 +26,11 @@ wls_node_count = 2 wls_availability_domain_name = "" wls_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx" -### Bastion parameters to create new bastion instance +### Resource Manager Private Endpoint parameters to create new endpoint +is_rms_private_endpoint_required = true +add_rms_private_endpoint = "Create New Resource Manager Endpoint" + +### Bastion instance parameters is_bastion_instance_required = true bastion_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx" -bastion_instance_shape = "VM.Standard.E4.Flex" \ No newline at end of file +bastion_instance_shape = "VM.Standard.E4.Flex" diff --git a/terraform/bastion_variables.tf b/terraform/bastion_variables.tf index ffd760e7..2dd3c93e 100644 --- a/terraform/bastion_variables.tf +++ b/terraform/bastion_variables.tf @@ -4,7 +4,7 @@ variable "is_bastion_instance_required" { type = bool description = "Set to true to use a bastion, either new or existing. If existing_bastion_instance_id is blank, a new bastion will be created" - default = true + default = false } variable "existing_bastion_instance_id" { diff --git a/terraform/locals.tf b/terraform/locals.tf index 9e0ead49..069e1be7 100644 --- a/terraform/locals.tf 
+++ b/terraform/locals.tf @@ -84,7 +84,6 @@ locals { lb_subnet_1_name = var.is_lb_private ? "lbprist1" : "lbpubst1" lb_subnet_2_name = var.is_lb_private ? "lbprist2" : "lbpubst2" - lb_id = local.use_existing_lb ? var.existing_load_balancer_id : local.new_lb_id lb_ip = local.use_existing_lb ? local.existing_lb_ip : local.new_lb_ip @@ -105,6 +104,8 @@ locals { local.lb_ip, ) : "" + async_prov_mode = !local.assign_weblogic_public_ip && !var.is_rms_private_endpoint_required && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : "" + jdk_labels = { jdk7 = "JDK 7", jdk8 = "JDK 8", jdk11 = "JDK 11" } jdk_version = var.wls_version == "14.1.1.0" ? local.jdk_labels[var.wls_14c_jdk_version] : (var.wls_version == "11.1.1.7" ? local.jdk_labels["jdk7"] : local.jdk_labels["jdk8"]) @@ -149,8 +150,6 @@ locals { use_apm_service = (var.use_apm_service || var.use_autoscaling) apm_domain_compartment_id = local.use_apm_service ? lookup(data.oci_apm_apm_domain.apm_domain[0], "compartment_id") : "" - - ocir_namespace = data.oci_objectstorage_namespace.object_namespace.namespace ocir_user = format("%s/%s", local.ocir_namespace, var.ocir_user) 
@@ -176,6 +175,10 @@ locals { "ocpus" = 1 } - # Resource Manager - add_new_rms_private_endpoint = !var.add_existing_rms_private_endpoint && var.rms_existing_private_endpoint_id == "" ? true : false + is_bastion_instance_required = (var.is_bastion_instance_required && var.subnet_type != "Use Public Subnet") || var.wls_existing_vcn_id == "" || (var.wls_existing_vcn_id != "" && var.wls_subnet_id == "") ? true : false + + # Resource Manager Endpoint + add_new_rms_private_endpoint = var.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false + add_existing_rms_private_endpoint = var.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false + is_rms_private_endpoint_required = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && var.subnet_type != "Use Public Subnet" ? true : false } diff --git a/terraform/main.tf b/terraform/main.tf index 32a96257..04e378f5 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -72,7 +72,7 @@ module "network-vcn-config" { create_load_balancer = local.add_load_balancer resource_name_prefix = local.service_name_prefix bastion_subnet_cidr = local.bastion_subnet_cidr - is_bastion_instance_required = var.is_bastion_instance_required + is_bastion_instance_required = local.is_bastion_instance_required existing_bastion_instance_id = var.existing_bastion_instance_id vcn_cidr = var.wls_vcn_name == "" ? data.oci_core_vcn.wls_vcn[0].cidr_block : element(concat(module.network-vcn.*.vcn_cidr, tolist([""])), 0) existing_mt_subnet_id = var.mount_target_subnet_id 
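Review bot: The new `add_new_rms_private_endpoint` and `add_existing_rms_private_endpoint` locals in this hunk compare `var.add_rms_private_endpoint` against two literal UI strings, and this commit also deletes the `missing_rms_private_endpoint_id` validator from the validators module, so a misspelled or unset value leaves both locals `false` while `local.is_rms_private_endpoint_required` stays `true`; main.tf then forwards `var.rms_existing_private_endpoint_id` (possibly empty) to the provisioners without any error. A `validation` block on the `add_rms_private_endpoint` variable (declared outside this chunk) with a condition such as `contains(["Create New Resource Manager Endpoint", "Use Existing Resource Manager Endpoint"], var.add_rms_private_endpoint)`, plus a check that `rms_existing_private_endpoint_id` is non-empty when the existing-endpoint option is chosen, would restore the guard this commit removed. Separately, every added local ends in `? true : false`, which is redundant on an expression that is already boolean, e.g. `add_new_rms_private_endpoint = var.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint"`; in `is_bastion_instance_required` the clause `var.wls_existing_vcn_id == "" || (var.wls_existing_vcn_id != "" && var.wls_subnet_id == "")` also reduces to `var.wls_existing_vcn_id == "" || var.wls_subnet_id == ""`. Naming the locals `is_bastion_instance_required` and `is_rms_private_endpoint_required` identically to the input variables they derive from invites `var.`/`local.` mix-ups like the ones this commit is fixing elsewhere; a distinct name such as `effective_is_bastion_instance_required` would make the derived value visible at each use.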
@@ -116,7 +116,7 @@ module "network-lb-nsg" { module "network-bastion-nsg" { source = "./modules/network/nsg" - count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0 + count = local.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0 compartment_id = local.network_compartment_id vcn_id = local.vcn_id nsg_name = "${local.service_name_prefix}-bastion-nsg" @@ -190,13 +190,13 @@ module "network-lb-subnet-1" { /* Create back end subnet for bastion subnet */ module "network-bastion-subnet" { source = "./modules/network/subnet" - count = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && var.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0 + count = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && local.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0 compartment_id = local.network_compartment_id vcn_id = local.vcn_id dhcp_options_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].dhcp_options_id : "" route_table_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].route_table_id : "" subnet_name = "${local.service_name_prefix}-${var.bastion_subnet_name}" - dns_label = var.is_bastion_instance_required && !var.is_rms_private_endpoint_required ? "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}" : format("%s-%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7)) + dns_label = local.is_bastion_instance_required && local.is_rms_private_endpoint_required ? format("%s-%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7)) : "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}" cidr_block = local.bastion_subnet_cidr prohibit_public_ip = false 
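Review bot: The `dns_label` line in the `@@ -190` hunk still calls `uuid()` in its fallback branch, so whenever `local.is_bastion_instance_required && local.is_rms_private_endpoint_required` is false the label differs on every plan and the bastion subnet shows a change (or a replacement, since an OCI subnet's DNS label cannot be changed after creation) unless the subnet module ignores that attribute. Both branches also embed a hyphen (`format("%s-%s", …)` and `"${var.bastion_subnet_name}-…"`), and the OCI subnet `dns_label` accepts only letters and digits if the module passes it through unchanged — worth confirming against modules/network/subnet. Deriving the label deterministically in both cases, e.g. `dns_label = format("%s%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7))`, removes the non-idempotent plan and the questionable character at once. The enclosing `module "network-bastion-subnet"` block continues outside the hunk.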
@@ -243,7 +243,7 @@ module "policies" { module "bastion" { #depends_on = [module.network-validation] source = "./modules/compute/bastion" - count = (!local.assign_weblogic_public_ip && var.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0 + count = (!local.assign_weblogic_public_ip && local.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0 availability_domain = local.bastion_availability_domain bastion_subnet_id = var.bastion_subnet_id != "" ? var.bastion_subnet_id : module.network-bastion-subnet[0].subnet_id @@ -393,7 +393,7 @@ module "validators" { lb_subnet_1_cidr = var.lb_subnet_1_cidr bastion_subnet_cidr = local.bastion_subnet_cidr assign_public_ip = local.assign_weblogic_public_ip - is_bastion_instance_required = var.is_bastion_instance_required + is_bastion_instance_required = local.is_bastion_instance_required existing_bastion_instance_id = var.existing_bastion_instance_id bastion_ssh_private_key = var.bastion_ssh_private_key @@ -444,10 +444,6 @@ module "validators" { min_threshold_counter = var.min_threshold_counter min_threshold_percent = var.min_threshold_percent - is_rms_private_endpoint_required = var.is_rms_private_endpoint_required - add_existing_rms_private_endpoint = var.add_existing_rms_private_endpoint - add_new_rms_private_endpoint = local.add_new_rms_private_endpoint - generate_dg_tag = var.generate_dg_tag service_tags = var.service_tags tags = { @@ -515,7 +511,7 @@ module "load-balancer" { module "rms-private-endpoint" { source = "./modules/rms-private-endpoint" - count = (var.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint) == "" ? 1 : 0 + count = local.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint ? 1 : 0 vcn_id = local.vcn_id compartment_id = var.compartment_ocid 
@@ -627,7 +623,7 @@ module "compute" { deploy_sample_app = local.deploy_sample_app - is_bastion_instance_required = var.is_bastion_instance_required + is_bastion_instance_required = local.is_bastion_instance_required is_idcs_selected = var.is_idcs_selected idcs_host = var.idcs_host 
@@ -741,11 +737,12 @@ module "provisioners" { host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""]) num_vm_instances = var.wls_node_count ssh_private_key = module.compute.ssh_private_key_opc - is_rms_private_endpoint_required = var.is_rms_private_endpoint_required - rms_private_endpoint_id = var.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint) ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" + is_rms_private_endpoint_required = local.is_rms_private_endpoint_required + rms_private_endpoint_id = local.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint) ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip - bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) - is_bastion_instance_required = var.is_bastion_instance_required + bastion_host = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip + bastion_host_private_key = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) + is_bastion_instance_required = local.is_bastion_instance_required mode = var.mode wlsoci_vmscripts_zip_bundle_path = var.wlsoci_vmscripts_zip_bundle_path diff --git a/terraform/modules/provisioners/variables.tf b/terraform/modules/provisioners/variables.tf index 0d77e93b..004538ab 100644 --- a/terraform/modules/provisioners/variables.tf 
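Review bot: The re-added `bastion_host_private_key` line in this hunk feeds `module.bastion[0].bastion_private_ssh_key` or `file(var.bastion_ssh_private_key)` into the provisioners module alongside `ssh_private_key = module.compute.ssh_private_key_opc`; if the configuration targets Terraform 0.14 or later, the receiving variables in modules/provisioners/variables.tf (not shown in this chunk, whose hunk below only drops two defaults) should carry `sensitive = true` so the key material is redacted from plan and apply output. The two lines `bastion_host` and `bastion_host_private_key` repeat the same guard chain `local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? … : …`, and `rms_private_endpoint_id` nests a second conditional without parentheses around the outer branches; lifting the shared guards into locals such as `use_new_bastion` would make all three expressions readable at a glance. The enclosing `module "provisioners"` block begins before this hunk.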
+++ b/terraform/modules/provisioners/variables.tf @@ -24,7 +24,6 @@ variable "rms_private_endpoint_id" { variable "is_rms_private_endpoint_required" { type = bool description = "Set resource manager private endpoint" - default = true } variable "mode" { @@ -59,7 +58,6 @@ variable "assign_public_ip" { variable "is_bastion_instance_required" { type = bool description = "Whether bastion instance is required to connect to the compute instance" - default = true } variable "existing_bastion_instance_id" { diff --git a/terraform/modules/validators/network_validators.tf b/terraform/modules/validators/network_validators.tf index 4c2d0f52..0381c69f 100644 --- a/terraform/modules/validators/network_validators.tf +++ b/terraform/modules/validators/network_validators.tf @@ -36,8 +36,6 @@ locals { missing_vcn_id = (var.existing_vcn_id == "" && (local.has_wls_subnet_id || local.has_lb_backend_subnet_id || local.has_lb_frontend_subnet_id)) missing_private_subnet_vcn_id = (var.is_bastion_instance_required && (var.bastion_subnet_id != "" || var.existing_bastion_instance_id != "") && var.existing_vcn_id == "") - missing_rms_private_endpoint_id = !var.is_rms_private_endpoint_required && !var.is_bastion_instance_required - #existing subnets # If load balancer selected, check LB and WLS have existing subnet IDs specified else, if load balancer is not selected, check if WLS is using existing subnet id has_all_existing_subnets = (local.add_new_load_balancer && local.has_wls_subnet_id && local.has_lb_backend_subnet_id && local.has_lb_frontend_subnet_id) || (!local.add_new_load_balancer && local.has_wls_subnet_id) 
@@ -103,9 +101,6 @@ locals { missing_private_subnet_vcn_id_msg = "WLSC-ERROR: The value for existing_vcn_id is required if existing bastion subnet id is used for provisioning." validate_missing_private_subnet_vcn_id = local.missing_private_subnet_vcn_id ? local.validators_msg_map[local.missing_private_subnet_vcn_id_msg] : null - missing_rms_private_endpoint_id_msg = "WLSC-ERROR: Atleast one of the is_bastion_instance_required or is_rms_private_endpoint_required is set to true" - validate_missing_rms_private_endpoint_id_msg = local.missing_rms_private_endpoint_id ? local.validators_msg_map[local.missing_rms_private_endpoint_id_msg] : null - wls_subnet_cidr_msg = "WLSC-ERROR: WebLogic subnet CIDR has to be unique value." duplicate_wls_subnet_cidr = local.check_duplicate_wls_subnet_cidr == true ? local.validators_msg_map[local.wls_subnet_cidr_msg] : null diff --git a/terraform/modules/validators/variables.tf b/terraform/modules/validators/variables.tf index b7e9afb6..7e12497d 100644 --- a/terraform/modules/validators/variables.tf +++ b/terraform/modules/validators/variables.tf @@ -528,18 +528,3 @@ variable "tf_script_version" { type = string description = "The version of the provisioning scripts located in the OCI image used to create the WebLogic compute instances" } - -variable "is_rms_private_endpoint_required" { - type = bool - description = "Set resource manager private endpoint. Default value is true" -} - -variable "add_new_rms_private_endpoint" { - type = bool - description = "Add new resource manager private endpoint" -} - -variable "add_existing_rms_private_endpoint" { - type = bool - description = "Add existing resource manager private endpoint" -} diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 74ec79e8..48908a34 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf 
@@ -78,6 +78,10 @@ output "listing_version" { value = var.tf_script_version } +output "provisioning_status" { + value = local.async_prov_mode +} + output "jdk_version" { value = local.jdk_version } diff --git a/terraform/schema.yaml b/terraform/schema.yaml index fd4c25a3..ec41ae51 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml @@ -93,7 +93,7 @@ groupings: - title: "Resource Manager Private Endpoint" variables: - - ${add_existing_rms_private_endpoint} + - ${add_rms_private_endpoint} - ${rms_existing_private_endpoint_id} - title: "Bastion Instance" @@ -935,6 +935,15 @@ variables: visible: and: - ${orm_create_mode} + - and: + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - not: + - eq: + - ${subnet_type} + - "Use Public Subnet" type: boolean default: false title: "Provision Bastion Instance" @@ -945,6 +954,10 @@ variables: and: - ${orm_create_mode} - and: + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} - not: - eq: - ${subnet_type} 
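Review bot: The new `provisioning_status` output carries no `description`, and its value `local.async_prov_mode` is named like a mode switch rather than a status, so a consumer of the stack outputs cannot tell from this file what the value represents; the local's definition is not part of this patch. Add a `description = "..."` to the output that states what `local.async_prov_mode` resolves to and which values callers should expect, and consider aligning the output name and the local name.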
@@ -954,24 +967,38 @@ variables: title: "Use Resource Manager Private Endpoint" description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." - add_existing_rms_private_endpoint: + add_rms_private_endpoint: visible: and: - ${orm_create_mode} - ${is_rms_private_endpoint_required} - type: boolean - default: true - title: "Resource Manager Existing Private Endpoint" - description: "Use existing resource manager private endpoint." - + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + type: enum + enum: + - "Use Existing Resource Manager Endpoint" + - "Create New Resource Manager Endpoint" + default: "Use Existing Resource Manager Endpoint" + title: "Create or Use Existing Resource Manager Endpoint" + description: "Configure a new or existing resource manager private endpoint." + required: true + rms_existing_private_endpoint_id: visible: and: - ${orm_create_mode} - ${is_rms_private_endpoint_required} - - ${add_existing_rms_private_endpoint} + - not: + - ${create_new_subnets} + - not: + - ${create_new_vcn} + - eq: + - ${add_rms_private_endpoint} + - "Use Existing Resource Manager Endpoint" dependsOn: - compartmentId: ${compartment_ocid} + compartmentId: ${network_compartment_id} vcnId: ${wls_existing_vcn_id} type: oci:resourcemanager:privateendpoint:id required: true @@ -983,6 +1010,8 @@ variables: and: - or: - ${is_bastion_instance_required} + - ${create_new_vcn} + - ${create_new_subnets} - or: - or: - ${create_new_vcn} @@ -1010,6 +1039,8 @@ variables: - ${orm_create_mode} - or: - ${is_bastion_instance_required} + - ${create_new_vcn} + - ${create_new_subnets} - and: - or: - ${create_new_vcn} 
@@ -1062,6 +1093,8 @@ variables: - and: - or: - ${is_bastion_instance_required} + - ${create_new_vcn} + - ${create_new_subnets} - eq: - ${subnet_type} - "Use Private Subnet" diff --git a/terraform/variables.tf b/terraform/variables.tf index 65a5a178..ca25b621 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -127,10 +127,10 @@ variable "is_rms_private_endpoint_required" { default = true } -variable "add_existing_rms_private_endpoint" { - type = bool +variable "add_rms_private_endpoint" { + type = string description = "Add existing resource manager private endpoint" - default = false + default = "Use Existing Resource Manager Endpoint" } variable "rms_existing_private_endpoint_id" { From ea96efe41bd1f05811650d4520ed90f29569eb67 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Wed, 24 May 2023 04:59:36 -0700 Subject: [PATCH 13/24] Fix compartment id. --- terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/main.tf b/terraform/main.tf index 04e378f5..8ae51353 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -514,7 +514,7 @@ module "rms-private-endpoint" { count = local.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint ? 1 : 0 vcn_id = local.vcn_id - compartment_id = var.compartment_ocid + compartment_id = local.network_compartment_id private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0) private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0) resource_name_prefix = var.service_name From 40a9385f54152f0eac6bb712c3bbda08a908e331 Mon Sep 17 00:00:00 2001 
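Review bot: In the variables.tf hunk, `add_rms_private_endpoint` becomes a free-form `string` whose two accepted values exist only as enum labels in schema.yaml, so a typo in a tfvars file (the CLI path does not go through the schema) is not rejected and silently falls into whichever branch the comparison in locals takes. Add a `validation` block on the variable whose condition is `contains(["Use Existing Resource Manager Endpoint", "Create New Resource Manager Endpoint"], var.add_rms_private_endpoint)` with an error message naming the two allowed values. The kept description `Add existing resource manager private endpoint` is also stale now that the variable selects between creating and reusing an endpoint.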
From: Sarada Kommalapati Date: Wed, 24 May 2023 12:29:51 -0700 Subject: [PATCH 14/24] Missed 14c changes. --- terraform/schema_14110.yaml | 50 ++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index 9c209e31..cb9f586d 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml 
@@ -974,60 +974,54 @@ variables: - "Use Public Subnet" type: boolean default: true - title: "Provision Resource Manager Private Endpoint" + title: "Use Resource Manager Private Endpoint" description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." - add_existing_rms_private_endpoint: + add_rms_private_endpoint: visible: and: - ${orm_create_mode} - ${is_rms_private_endpoint_required} - not: - - ${create_new_vcn} + - ${create_new_subnets} - not: - - ${add_new_rms_private_endpoint} - type: boolean - default: false - title: "Resource Manager Existing Private Endpoint" - description: "Use existing resource manager private endpoint." + - ${create_new_vcn} + type: enum + enum: + - "Use Existing Resource Manager Endpoint" + - "Create New Resource Manager Endpoint" + default: "Use Existing Resource Manager Endpoint" + title: "Create or Use Existing Resource Manager Endpoint" + description: "Configure a new or existing resource manager private endpoint." + required: true rms_existing_private_endpoint_id: visible: and: - ${orm_create_mode} - ${is_rms_private_endpoint_required} - - ${add_existing_rms_private_endpoint} - not: - - ${create_new_vcn} + - ${create_new_subnets} - not: - - ${add_new_rms_private_endpoint} + - ${create_new_vcn} + - eq: + - ${add_rms_private_endpoint} + - "Use Existing Resource Manager Endpoint" dependsOn: - compartmentId: ${subnet_compartment_id} + compartmentId: ${network_compartment_id} vcnId: ${wls_existing_vcn_id} type: oci:resourcemanager:privateendpoint:id required: true title: "Resource Manager Private Endpoint" description: "Resource manager private endpoint for private access." 
- add_new_rms_private_endpoint: - visible: - and: - - ${orm_create_mode} - - ${is_rms_private_endpoint_required} - - not: - - ${create_new_vcn} - - not: - - ${add_existing_rms_private_endpoint} - type: boolean - default: false - title: "Resource Manager New Private Endpoint" - description: "Create resource manager private endpoint." - is_bastion_with_reserved_public_ip: visible: and: - or: - ${is_bastion_instance_required} + - ${create_new_vcn} + - ${create_new_subnets} - or: - or: - ${create_new_vcn} @@ -1055,6 +1049,8 @@ variables: - ${orm_create_mode} - or: - ${is_bastion_instance_required} + - ${create_new_vcn} + - ${create_new_subnets} - and: - or: - ${create_new_vcn} @@ -1107,6 +1103,8 @@ variables: - and: - or: - ${is_bastion_instance_required} + - ${create_new_vcn} + - ${create_new_subnets} - eq: - ${subnet_type} - "Use Private Subnet" From eea22ea3fe89f0ad821e54e47e024d9c5de4ba81 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Fri, 26 May 2023 10:54:53 -0700 Subject: [PATCH 15/24] Fix the review comments. --- solutions/jrf/jrf_instance.tfvars | 5 ++--- terraform/main.tf | 4 ++-- .../modules/provisioners/dev_mode_provisioning.tf | 14 +++++++------- terraform/modules/provisioners/provisioning.tf | 12 ++++++------ 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/solutions/jrf/jrf_instance.tfvars b/solutions/jrf/jrf_instance.tfvars index d8c3ac34..86182e0d 100644 --- a/solutions/jrf/jrf_instance.tfvars +++ b/solutions/jrf/jrf_instance.tfvars @@ -26,9 +26,8 @@ wls_node_count = 2 wls_availability_domain_name = "" wls_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx" -### Resource Manager Private Endpoint parameters to create new endpoint -is_rms_private_endpoint_required = true -add_rms_private_endpoint = "Create New Resource Manager Endpoint" +### Resource Manager Private Endpoint parameter +is_rms_private_endpoint_required = false ### Bastion instance parameters is_bastion_instance_required = true 
diff --git a/terraform/main.tf b/terraform/main.tf index 8ae51353..a35034c6 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -740,8 +740,8 @@ module "provisioners" { is_rms_private_endpoint_required = local.is_rms_private_endpoint_required rms_private_endpoint_id = local.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint) ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip - bastion_host = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip - bastion_host_private_key = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) + bastion_host = var.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip) + bastion_host_private_key = var.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)) is_bastion_instance_required = local.is_bastion_instance_required mode = var.mode diff --git a/terraform/modules/provisioners/dev_mode_provisioning.tf b/terraform/modules/provisioners/dev_mode_provisioning.tf index 99c28f80..ef0785ba 100644 --- a/terraform/modules/provisioners/dev_mode_provisioning.tf +++ b/terraform/modules/provisioners/dev_mode_provisioning.tf 
@@ -2,7 +2,7 @@ # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. resource "null_resource" "dev_mode_provisioning" { - count = var.mode == "DEV" && (var.is_bastion_instance_required || var.is_rms_private_endpoint_required) ? var.num_vm_instances : 0 + count = var.mode == "DEV" ? var.num_vm_instances : 0 // In production we will use the vmscripts.tar.gz already on the image. // In developer mode we will upload the vmscripts to the instance. @@ -14,25 +14,25 @@ resource "null_resource" "dev_mode_provisioning" { connection { agent = false timeout = "30m" - host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] + host = var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } } provisioner "remote-exec" { connection { agent = false timeout = "30m" - host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index] + host = var.host_ips[count.index] user = "opc" private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } inline = [ diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index 79a3c8f7..a2665c49 100644 --- a/terraform/modules/provisioners/provisioning.tf 
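Review bot: Dropping `(var.is_bastion_instance_required || var.is_rms_private_endpoint_required)` from `count` while switching `host` back to `var.host_ips[count.index]` and `bastion_host` to `var.bastion_host` means that in DEV mode with private instances and no bastion both connection blocks target a private IP with no jump host, and the failure surfaces as a 30m connect timeout per instance instead of a plan-time error (`host_ips` falls back to private addresses per the `coalescelist` in main.tf). The main.tf hunk of this same patch additionally blanks `bastion_host` whenever `is_rms_private_endpoint_required`, so with the endpoint selected neither the bastion route nor the `data.oci_resourcemanager_private_endpoint_reachable_ip` route the removed `host` line used is available here. Either keep the guard on `count` or keep `host = var.is_rms_private_endpoint_required ? data.oci_resourcemanager_private_endpoint_reachable_ip.private_endpoint_reachable_ips[count.index].ip_address : var.host_ips[count.index]`; both are one-line changes. The `null_resource` body continues outside the hunk.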
+++ b/terraform/modules/provisioners/provisioning.tf @@ -14,8 +14,8 @@ resource "null_resource" "status_check" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here. @@ -133,8 +133,8 @@ resource "null_resource" "print_service_info" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } provisioner "remote-exec" { @@ -159,8 +159,8 @@ resource "null_resource" "cleanup" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.bastion_host_private_key + bastion_host = var.bastion_host } provisioner "remote-exec" { From ed9c32c0ed402e395467632cc0ec4825f219ee50 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Fri, 26 May 2023 12:07:15 -0700 Subject: [PATCH 16/24] Fix the review comments. --- terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index a35034c6..2dccc2a4 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -740,8 +740,8 @@ module "provisioners" { is_rms_private_endpoint_required = local.is_rms_private_endpoint_required rms_private_endpoint_id = local.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint) ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip - bastion_host = var.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip) - bastion_host_private_key = var.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)) + bastion_host = local.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip) + bastion_host_private_key = local.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)) is_bastion_instance_required = local.is_bastion_instance_required mode = var.mode From de8c2cf4fe18014c061f1c90b75c44135ce375fa Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Fri, 26 May 2023 16:21:40 -0700 Subject: [PATCH 17/24] FIx few minor issues. --- terraform/main.tf | 6 +++--- terraform/modules/provisioners/provisioning.tf | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index 2dccc2a4..f80dd858 100644 --- a/terraform/main.tf 
+++ b/terraform/main.tf @@ -738,10 +738,10 @@ module "provisioners" { num_vm_instances = var.wls_node_count ssh_private_key = module.compute.ssh_private_key_opc is_rms_private_endpoint_required = local.is_rms_private_endpoint_required - rms_private_endpoint_id = local.is_rms_private_endpoint_required ? (local.add_new_rms_private_endpoint) ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" + rms_private_endpoint_id = local.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip - bastion_host = local.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip) - bastion_host_private_key = local.is_rms_private_endpoint_required ? "" : (local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)) + bastion_host = local.assign_weblogic_public_ip || (local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip) + bastion_host_private_key = local.is_rms_private_endpoint_required ? "" : local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) is_bastion_instance_required = local.is_bastion_instance_required mode = var.mode diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index a2665c49..4e3e3a66 100644 
--- a/terraform/modules/provisioners/provisioning.tf +++ b/terraform/modules/provisioners/provisioning.tf @@ -14,8 +14,8 @@ resource "null_resource" "status_check" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = local.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = local.is_rms_private_endpoint_required ? "" : var.bastion_host } // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here. @@ -133,8 +133,8 @@ resource "null_resource" "print_service_info" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = local.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = local.is_rms_private_endpoint_required ? "" : var.bastion_host } provisioner "remote-exec" { @@ -159,8 +159,8 @@ resource "null_resource" "cleanup" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_private_key = local.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = local.is_rms_private_endpoint_required ? "" : var.bastion_host } provisioner "remote-exec" { From bccec3329bdbab367c6dba77141ec66ece2dc86c Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Sun, 28 May 2023 23:00:14 -0700 Subject: [PATCH 18/24] Fix dev mode provisioning. --- terraform/main.tf | 4 ++-- terraform/modules/provisioners/provisioning.tf | 12 ++++++------ terraform/schema_14110.yaml | 3 +-- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/terraform/main.tf b/terraform/main.tf index f80dd858..76ef0d9c 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
@@ -740,8 +740,8 @@ module "provisioners" { is_rms_private_endpoint_required = local.is_rms_private_endpoint_required rms_private_endpoint_id = local.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : "" assign_public_ip = local.assign_weblogic_public_ip - bastion_host = local.assign_weblogic_public_ip || (local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip) - bastion_host_private_key = local.is_rms_private_endpoint_required ? "" : local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) + bastion_host = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip + bastion_host_private_key = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key) is_bastion_instance_required = local.is_bastion_instance_required mode = var.mode diff --git a/terraform/modules/provisioners/provisioning.tf b/terraform/modules/provisioners/provisioning.tf index 4e3e3a66..79a3c8f7 100644 --- a/terraform/modules/provisioners/provisioning.tf +++ b/terraform/modules/provisioners/provisioning.tf 
@@ -14,8 +14,8 @@ resource "null_resource" "status_check" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = local.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = local.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } // Call check_status.sh 11 more times - if we add additional markers we must add an additional status check call here. @@ -133,8 +133,8 @@ resource "null_resource" "print_service_info" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = local.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = local.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } provisioner "remote-exec" { @@ -159,8 +159,8 @@ resource "null_resource" "cleanup" { private_key = var.ssh_private_key bastion_user = "opc" - bastion_private_key = local.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key - bastion_host = local.is_rms_private_endpoint_required ? "" : var.bastion_host + bastion_private_key = var.is_rms_private_endpoint_required ? "" : var.bastion_host_private_key + bastion_host = var.is_rms_private_endpoint_required ? "" : var.bastion_host } provisioner "remote-exec" { diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index cb9f586d..94ffabf4 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml 
@@ -66,9 +66,8 @@ groupings: - title: "Resource Manager Private Endpoint" variables: - - ${add_existing_rms_private_endpoint} + - ${add_rms_private_endpoint} - ${rms_existing_private_endpoint_id} - - ${add_new_rms_private_endpoint} - title: "Bastion Instance" variables: From bf2e31804ab60fa803f099395a8fb595e70acff9 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Sun, 28 May 2023 23:22:37 -0700 Subject: [PATCH 19/24] Missed file in checkin. --- terraform/modules/provisioners/data_sources.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 terraform/modules/provisioners/data_sources.tf diff --git a/terraform/modules/provisioners/data_sources.tf b/terraform/modules/provisioners/data_sources.tf new file mode 100644 index 00000000..a27592b6 --- /dev/null +++ b/terraform/modules/provisioners/data_sources.tf @@ -0,0 +1,10 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + + +// Resolves the private IP of the customer's private endpoint to a NAT IP. Used as the host address in the "remote-exec" resource +data "oci_resourcemanager_private_endpoint_reachable_ip" "private_endpoint_reachable_ips" { + count = var.is_rms_private_endpoint_required ? var.num_vm_instances : 0 + private_endpoint_id = var.rms_private_endpoint_id + private_ip = var.host_ips[count.index] +} From e91297c4c876f8a572e8dbb9395f01a4dc953d1d Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Sun, 28 May 2023 23:39:55 -0700 Subject: [PATCH 20/24] fix terraform fmt. --- terraform/modules/provisioners/dev_mode_provisioning.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/provisioners/dev_mode_provisioning.tf b/terraform/modules/provisioners/dev_mode_provisioning.tf index ef0785ba..2574b27f 100644 --- a/terraform/modules/provisioners/dev_mode_provisioning.tf +++ b/terraform/modules/provisioners/dev_mode_provisioning.tf 
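Review bot: In the new data_sources.tf, `private_ip = var.host_ips[count.index]` assumes every entry is a private address, but main.tf builds `host_ips` as `coalescelist(compact(public_ips), compact(private_ips), [""])`, so when the instances have public IPs the lookup is fed a public address and when both lists are empty it is fed `""`; the `count` only checks `var.is_rms_private_endpoint_required`, which nothing in the module ties to a private subnet. Either have main.tf pass the private IPs explicitly when the endpoint is used, or add a `validation` block on the `host_ips` variable rejecting empty entries so a misconfiguration fails at plan time rather than in the reachable-IP lookup. Minor style point: the file header uses `#` comments and the explanatory comment uses `//`; pick one.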
@@ -32,7 +32,7 @@ resource "null_resource" "dev_mode_provisioning" { private_key = var.ssh_private_key bastion_user = "opc" bastion_private_key = var.bastion_host_private_key - bastion_host = var.bastion_host + bastion_host = var.bastion_host } inline = [ From ca29abc39e99c5d118756b4b5e336138ab4915bc Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Mon, 29 May 2023 16:59:37 -0700 Subject: [PATCH 21/24] Updates for cli. --- builds/build_cli.sh | 2 ++ terraform/modules/rms-private-endpoint/versions.tf | 10 ++++++++++ 2 files changed, 12 insertions(+) create mode 100644 terraform/modules/rms-private-endpoint/versions.tf diff --git a/builds/build_cli.sh b/builds/build_cli.sh index 807a220a..8c728a03 100644 --- a/builds/build_cli.sh +++ b/builds/build_cli.sh @@ -79,6 +79,8 @@ replace_variables() sed -i '/variable "generate_dg_tag" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf sed -i '/variable "use_marketplace_image" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/mp_variables.tf sed -i '/variable "tf_script_version" {/!b;n;n;n;cdefault = \"'"$SCRIPTS_VERSION"'\"' ${TMP_BUILD}/variables.tf + sed -i '/variable "is_rms_private_endpoint_required" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf + sed -i '/variable "is_bastion_instance_required" {/!b;n;n;n;cdefault = true' ${TMP_BUILD}/bastion_variables.tf } diff --git a/terraform/modules/rms-private-endpoint/versions.tf b/terraform/modules/rms-private-endpoint/versions.tf new file mode 100644 index 00000000..779e92ea --- /dev/null +++ b/terraform/modules/rms-private-endpoint/versions.tf @@ -0,0 +1,10 @@ +# Copyright (c) 2023, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl. + +terraform { + required_providers { + oci = { + source = "oracle/oci" + } + } +} From 0652d0f1f4fb66acbdf3c8f2c782ce92dc417e45 Mon Sep 17 00:00:00 2001 
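Review bot: The two added `sed` lines in `replace_variables` set `default` purely by position (`n;n;n;c...` replaces whatever line sits three below the `variable` header), so if `type` and `description` are reordered or a `validation` block is inserted into `is_rms_private_endpoint_required` or `is_bastion_instance_required`, the `c` command silently rewrites the wrong attribute and the CLI build ships with a different default than intended. A cheap guard is to assert the result after the edit, e.g. `grep -A3 'variable "is_rms_private_endpoint_required" {' ${TMP_BUILD}/variables.tf | grep -q 'default *= *false' || exit 1`, and the same for the bastion line against `bastion_variables.tf`, whose layout is not shown in this series. `replace_variables` continues outside the hunk.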
From: Sarada Kommalapati Date: Mon, 29 May 2023 17:25:36 -0700 Subject: [PATCH 22/24] Updated description based on vanaja's input. --- terraform/schema.yaml | 4 ++-- terraform/schema_14110.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/schema.yaml b/terraform/schema.yaml index ec41ae51..05d40b72 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml @@ -947,7 +947,7 @@ variables: type: boolean default: false title: "Provision Bastion Instance" - description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If this and resource manager private endpoint are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." is_rms_private_endpoint_required: visible: 
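Review bot: The replacement description ends with `and any failures during domain creation are reported`, which contradicts the sentence it replaces (`domain creation failures will not be reported`) and the preceding clause telling the user to read `/u01/logs/provisioning.log` themselves; if the behaviour is unchanged the wording should be `are not reported` (or `are not reported to the stack job`). The same text is used in the `is_rms_private_endpoint_required` hunks of schema.yaml and schema_14110.yaml and in the bastion hunk of schema_14110.yaml below, so all four should be corrected together.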
@@ -965,7 +965,7 @@ variables: type: boolean default: true title: "Use Resource Manager Private Endpoint" - description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." + description: "Provision a resource manager private endpoint on a private subnet to check the provisioning status of the private resources. If this and bastion are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." add_rms_private_endpoint: visible: diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml index 94ffabf4..85723255 100644 --- a/terraform/schema_14110.yaml +++ b/terraform/schema_14110.yaml @@ -956,7 +956,7 @@ variables: type: boolean default: false title: "Provision Bastion Instance" - description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If not selected, you must check the status of the compute instances after the stack job is complete." + description: "Provision a bastion compute instance on a public subnet to provide access to the WebLogic Server compute instances on a private subnet. If this and resource manager private endpoint are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." is_rms_private_endpoint_required: visible: 
@@ -974,7 +974,7 @@ variables: type: boolean default: true title: "Use Resource Manager Private Endpoint" - description: "Provision a resource manager private end point on a private subnet to check the provisioning status of the private resources. if this is not selected then you will need to get the status of domain creation from /u01/logs/provisioning.log on the Compute instance. If not selected, then domain creation failures will not be reported." + description: "Provision a resource manager private endpoint on a private subnet to check the provisioning status of the private resources. If this and bastion are not selected, you must check the status of domain creation on the compute instance using /u01/logs/provisioning.log file, and any failures during domain creation are reported." add_rms_private_endpoint: visible: From 7d7183ceb1e2f4784f44ecd4945cdd86f6e02427 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Tue, 30 May 2023 20:23:33 -0700 Subject: [PATCH 23/24] terraform fmt and policies. --- terraform/locals.tf | 12 ++++++------ terraform/main.tf | 2 +- terraform/modules/policies/locals.tf | 3 ++- terraform/modules/validators/stack_validators.tf | 10 +++++----- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/terraform/locals.tf b/terraform/locals.tf index e49347a9..43e1bb71 100644 --- a/terraform/locals.tf +++ b/terraform/locals.tf 
@@ -152,9 +152,9 @@ locals { ocir_namespace = data.oci_objectstorage_namespace.object_namespace.namespace - ocir_namespace_with_slash = format("%s/",local.ocir_namespace) - ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash)) - ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}" + ocir_namespace_with_slash = format("%s/", local.ocir_namespace) + ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash)) + ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}" region_keys = data.oci_identity_regions.all_regions.regions.*.key region_names = data.oci_identity_regions.all_regions.regions.*.name 
@@ -181,7 +181,7 @@ locals { is_bastion_instance_required = (var.is_bastion_instance_required && var.subnet_type != "Use Public Subnet") || var.wls_existing_vcn_id == "" || (var.wls_existing_vcn_id != "" && var.wls_subnet_id == "") ? true : false # Resource Manager Endpoint - add_new_rms_private_endpoint = var.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false - add_existing_rms_private_endpoint = var.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false - is_rms_private_endpoint_required = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && var.subnet_type != "Use Public Subnet" ? true : false + is_rms_private_endpoint_required = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && !local.assign_weblogic_public_ip ? true : false + add_new_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false + add_existing_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false } diff --git a/terraform/main.tf b/terraform/main.tf index 47ec2a1b..691c9c3e 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -348,7 +348,7 @@ module "vcn-peering" { module "validators" { #depends_on = [module.network-validation] - source = "./modules/validators" + source = "./modules/validators" compartment_id = var.compartment_ocid service_name = var.service_name wls_ms_port = var.wls_ms_extern_port diff --git a/terraform/modules/policies/locals.tf b/terraform/modules/policies/locals.tf index ce6af970..dbbc02d3 100644 --- a/terraform/modules/policies/locals.tf +++ b/terraform/modules/policies/locals.tf 
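Review bot: The derived flag `is_rms_private_endpoint_required` now carries the same name as the input variable it is computed from, and the two new `add_*` locals are the only visible hint that callers must read `local.` rather than `var.`; a one-line comment above the first assignment would make that explicit, e.g. `# Derived from var.is_rms_private_endpoint_required: true only for an existing private WLS subnet (no public IP); read local.* downstream, not var.*`. The three `? true : false` suffixes are redundant in HCL because the `&&` expressions are already booleans, so `is_rms_private_endpoint_required = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && !local.assign_weblogic_public_ip` (and likewise for the two `add_*` lines) is equivalent and shorter. The gate also switched from `var.subnet_type` to `local.assign_weblogic_public_ip`, which is defined outside this hunk; if the two can disagree (an existing subnet with a public IP assignment), the commit message should say which one is authoritative. The enclosing `locals` block starts before this hunk.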
@@ -75,6 +75,7 @@ locals { autoscaling_statement25 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect dynamic-groups in tenancy" : "" : "" autoscaling_statement26 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage policies in tenancy" : "" : "" autoscaling_statement27 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to use tag-namespaces in tenancy" : "" : "" + autoscaling_statement28 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage orm-family in compartment id ${var.network_compartment_id}" : "" : "" autoscaling_atp_policy_statement = (var.atp_db.is_atp && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect autonomous-transaction-processing-family in compartment id ${var.atp_db.compartment_id}" : "" : "" autoscaling_db_policy_statement = (local.is_oci_db && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect database-family in compartment id ${var.oci_db.compartment_id}" : "" : "" autoscaling_fss_mount_target_policy_statement = (var.add_fss && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? 
"Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage mount-targets in compartment id ${var.mount_target_compartment_id}" : "" : "" @@ -95,7 +96,7 @@ locals { local.autoscaling_statement18, local.autoscaling_statement19, local.autoscaling_statement20, local.autoscaling_statement21, local.autoscaling_statement22, local.autoscaling_statement23, local.autoscaling_statement24, local.autoscaling_statement25, local.autoscaling_statement26, - local.autoscaling_statement27, + local.autoscaling_statement27, local.autoscaling_statement28, local.autoscaling_logging_policy_1, local.autoscaling_logging_policy_2, local.autoscaling_logging_policy_3, local.autoscaling_atp_policy_statement, local.autoscaling_db_policy_statement, diff --git a/terraform/modules/validators/stack_validators.tf b/terraform/modules/validators/stack_validators.tf index e416f38e..3f09da5c 100644 --- a/terraform/modules/validators/stack_validators.tf +++ b/terraform/modules/validators/stack_validators.tf @@ -14,7 +14,7 @@ data "oci_resourcemanager_stacks" "all_stacks_in_the_compartment" { locals { stack_list = data.oci_resourcemanager_stacks.all_stacks_in_the_compartment.stacks num_stacks = length(local.stack_list) - stack_ids = [for stack in local.stack_list : { id = stack.id }] + stack_ids = [for stack in local.stack_list : { id = stack.id }] } # get details of each stack from the list of stack_ids 
@@ -25,11 +25,11 @@ data "oci_resourcemanager_stack" "all_stacks" { } locals { - stack_variables = [for stack in data.oci_resourcemanager_stack.all_stacks : { variables = stack.variables }] + stack_variables = [for stack in data.oci_resourcemanager_stack.all_stacks : { variables = stack.variables }] service_names_used_by_existing_stacks = [for stack_variables in local.stack_variables : lookup(stack_variables.variables, "service_name", "?_not_found_?")] - duplicate_service_names_list = [for service_name in local.service_names_used_by_existing_stacks : service_name if service_name == var.service_name] + duplicate_service_names_list = [for service_name in local.service_names_used_by_existing_stacks : service_name if service_name == var.service_name] # There will be always one entry for the name of the current stack. Set duplicate to true if there are more than one entries. - service_name_already_exists = length(local.duplicate_service_names_list) > 1 ? true : false - service_name_already_exists_msg = "WLSC-ERROR: Another stack with the service_name [${var.service_name}] already exisits in the stack compartment. Try again with a different service name." + service_name_already_exists = length(local.duplicate_service_names_list) > 1 ? true : false + service_name_already_exists_msg = "WLSC-ERROR: Another stack with the service_name [${var.service_name}] already exisits in the stack compartment. Try again with a different service name." validate_service_name_is_not_already_used = local.service_name_already_exists ? local.validators_msg_map[local.service_name_already_exists_msg] : null } From f433f13877529e4d53130b933efc10d535f25a67 Mon Sep 17 00:00:00 2001 From: Sarada Kommalapati Date: Tue, 30 May 2023 21:51:32 -0700 Subject: [PATCH 24/24] Missed one condition. --- terraform/main.tf | 32 +++++++++++++------------ terraform/modules/policies/locals.tf | 2 +- terraform/modules/policies/variables.tf | 5 ++++ 3 files changed, 23 insertions(+), 16 deletions(-) 
diff --git a/terraform/main.tf b/terraform/main.tf index 691c9c3e..8a0bd348 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -223,21 +223,23 @@ module "policies" { defined_tags = local.defined_tags freeform_tags = local.free_form_tags } - atp_db = local.atp_db - oci_db = local.oci_db - vcn_id = element(concat(module.network-vcn[*].vcn_id, [""]), 0) - wls_existing_vcn_id = var.wls_existing_vcn_id - is_idcs_selected = var.is_idcs_selected - idcs_client_secret_id = var.idcs_client_secret_id - use_oci_logging = var.use_oci_logging - use_apm_service = local.use_apm_service - apm_domain_compartment_id = local.apm_domain_compartment_id - use_autoscaling = var.use_autoscaling - ocir_auth_token_id = var.ocir_auth_token_id - add_fss = var.add_fss - add_load_balancer = local.add_load_balancer - fss_compartment_id = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id - mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id + atp_db = local.atp_db + oci_db = local.oci_db + vcn_id = element(concat(module.network-vcn[*].vcn_id, [""]), 0) + wls_existing_vcn_id = var.wls_existing_vcn_id + is_idcs_selected = var.is_idcs_selected + idcs_client_secret_id = var.idcs_client_secret_id + use_oci_logging = var.use_oci_logging + use_apm_service = local.use_apm_service + apm_domain_compartment_id = local.apm_domain_compartment_id + use_autoscaling = var.use_autoscaling + ocir_auth_token_id = var.ocir_auth_token_id + add_fss = var.add_fss + add_load_balancer = local.add_load_balancer + fss_compartment_id = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id + mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id + is_rms_private_endpoint_required = local.is_rms_private_endpoint_required + } module "bastion" { 
diff --git a/terraform/modules/policies/locals.tf b/terraform/modules/policies/locals.tf index dbbc02d3..f30cad62 100644 --- a/terraform/modules/policies/locals.tf +++ b/terraform/modules/policies/locals.tf 
@@ -75,7 +75,7 @@ locals { autoscaling_statement25 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect dynamic-groups in tenancy" : "" : "" autoscaling_statement26 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage policies in tenancy" : "" : "" autoscaling_statement27 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to use tag-namespaces in tenancy" : "" : "" - autoscaling_statement28 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage orm-family in compartment id ${var.network_compartment_id}" : "" : "" + autoscaling_statement28 = var.use_autoscaling && var.network_compartment_id != var.compartment_id && var.is_rms_private_endpoint_required ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage orm-family in compartment id ${var.network_compartment_id}" : "" : "" autoscaling_atp_policy_statement = (var.atp_db.is_atp && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect autonomous-transaction-processing-family in compartment id ${var.atp_db.compartment_id}" : "" : "" autoscaling_db_policy_statement = (local.is_oci_db && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? 
"Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect database-family in compartment id ${var.oci_db.compartment_id}" : "" : "" autoscaling_fss_mount_target_policy_statement = (var.add_fss && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage mount-targets in compartment id ${var.mount_target_compartment_id}" : "" : "" diff --git a/terraform/modules/policies/variables.tf b/terraform/modules/policies/variables.tf index 1f88a114..f9101e6d 100644 --- a/terraform/modules/policies/variables.tf +++ b/terraform/modules/policies/variables.tf @@ -187,3 +187,8 @@ variable "add_load_balancer" { description = "If this variable is true and existing_load_balancer is blank, a new load balancer will be created for the stack. If existing_load_balancer_id is not blank, the specified load balancer will be used" default = false } + +variable "is_rms_private_endpoint_required" { + type = bool + description = "Set resource manager private endpoint" +}
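Review bot: The added condition narrows when `autoscaling_statement28` is emitted, but the grant itself, `manage orm-family in compartment id ${var.network_compartment_id}`, still gives the functions' dynamic group full control over every Resource Manager resource type in that compartment (stacks, jobs, private endpoints), which is more than a function that only needs to reach a private endpoint appears to require. Scoping the statement to the specific resource type and verb the functions actually use (presumably the private-endpoint type, e.g. `use orm-private-endpoints` — confirm against the functions' calls and the policy reference) would keep this least-privilege. The `var.network_compartment_id != var.compartment_id` guard also implies that the same-compartment case is already covered by another orm statement on `var.compartment_id`; if it is not, the common single-compartment layout will hit authorization failures, so a comment naming that statement, e.g. `# Same-compartment access is granted by <existing statement>; this one only bridges to a separate network compartment`, would make the dependency visible. The enclosing `locals` block starts before this hunk.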
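Review bot: The description of the new `is_rms_private_endpoint_required` variable, `Set resource manager private endpoint`, does not tell a reader what the boolean controls inside this module, and it is the only documentation a caller of `modules/policies` will see. Something like `description = "True when the stack uses a Resource Manager private endpoint; enables the orm-family policy statement for the autoscaling functions' dynamic group when the network compartment differs from the stack compartment."` states both the meaning and the effect. Leaving it without a default is appropriate here, since it forces every caller to pass the derived value rather than silently defaulting to false.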