From e45cef382463282f886ba301119d8aa71ac15239 Mon Sep 17 00:00:00 2001
From: Mahuwa-Barman
Date: Thu, 14 Mar 2024 12:29:49 +0530
Subject: [PATCH 1/4] JCS-14325_LB_SSL_secure_mode

---
 terraform/main.tf                            |  7 +++-
 terraform/modules/lb/backends/lb_backends.tf | 40 +++++++++++++++++---
 terraform/modules/lb/backends/variables.tf   | 13 ++++++-
 3 files changed, 52 insertions(+), 8 deletions(-)

diff --git a/terraform/main.tf b/terraform/main.tf
index 77d9770f..67215568 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -64,7 +64,7 @@ module "network-vcn-config" {
   wls_extern_admin_port = var.wls_extern_admin_port
   wls_expose_admin_port = var.wls_expose_admin_port
   wls_admin_port_source_cidr = var.wls_admin_port_source_cidr
-  wls_ms_content_port = local.add_load_balancer ? (var.is_idcs_selected ? var.idcs_cloudgate_port : var.wls_ms_extern_port) : var.wls_ms_extern_ssl_port
+  wls_ms_content_port = local.add_load_balancer ? (var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)) : var.wls_ms_extern_ssl_port
   assign_backend_public_ip = local.assign_weblogic_public_ip
   configure_secure_mode = var.configure_secure_mode
   administration_port = var.administration_port
@@ -728,8 +728,11 @@ module "load-balancer-backends" {
   lb_backendset_name = local.lb_backendset_name
   num_vm_instances = var.wls_node_count
   instance_private_ips = module.compute.instance_private_ips
-  backend_port = var.is_idcs_selected ? var.idcs_cloudgate_port : var.wls_ms_extern_port
+  backend_port = var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)
   health_check_url = var.is_idcs_selected ? "/cloudgate" : "/"
+
+  configure_secure_mode = var.configure_secure_mode
+  root_ca_id = local.root_ca_id
 }
 
 module "observability-logging" {
diff --git a/terraform/modules/lb/backends/lb_backends.tf b/terraform/modules/lb/backends/lb_backends.tf
index 939ae35d..09bf785b 100644
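Review bot: The port-selection expression `var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)` is now written out twice, here for wls_ms_content_port in the network-vcn-config hunk and again for backend_port in the load-balancer-backends hunk; the two copies have to stay identical or the port that network-vcn-config opens (presumably an ingress rule derived from wls_ms_content_port) and the port the backends are registered on will diverge. Hoist it once into a local, e.g. `lb_backend_port = var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)`, and reference `local.lb_backend_port` in both module blocks. Both module blocks start and end outside their hunks.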
--- a/terraform/modules/lb/backends/lb_backends.tf
+++ b/terraform/modules/lb/backends/lb_backends.tf
@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 locals {
@@ -9,7 +9,7 @@ locals {
 resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
   # If using existing load balancer, use per-created backend set of existing lb
-  count = var.use_existing_lb ? 0 : 1
+  count = var.configure_secure_mode ? 0 : var.use_existing_lb ? 0 : 1
 
   name = var.lb_backendset_name
   load_balancer_id = var.load_balancer_id
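Review bot: `count = var.configure_secure_mode ? 0 : var.use_existing_lb ? 0 : 1` nests two conditionals without parentheses, and in the opposite order from the sibling wls_lb_backendset_secure_mode resource added later in this patch, so a reader has to work out that both resources mean "zero unless neither flag is set" and that exactly one of them exists when no existing load balancer is used. The same condition reads directly as `count = (var.use_existing_lb || var.configure_secure_mode) ? 0 : 1`, and the comment above it should say that secure mode is served by wls_lb_backendset_secure_mode instead. The resource body continues past the end of the hunk.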
@@ -27,11 +27,41 @@ resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
   lb_cookie_session_persistence_configuration {}
 }
 
+resource "oci_load_balancer_backend_set" "wls_lb_backendset_secure_mode" {
+  # If using existing load balancer, use per-created backend set of existing lb
+  count = var.use_existing_lb ? 0 : var.configure_secure_mode ? 1 : 0
+
+  name = var.lb_backendset_name
+  load_balancer_id = var.load_balancer_id
+  policy = var.lb_policy
+
+  health_checker {
+    port = var.backend_port
+    protocol = var.lb_protocol
+    response_body_regex = ".*"
+    url_path = local.health_check_url_path
+    return_code = var.return_code
+  }
+
+  ssl_configuration {
+    trusted_certificate_authority_ids = [var.root_ca_id]
+    verify_depth = 1
+    verify_peer_certificate = true
+  }
+
+  # Set the session persistence to lb-session-persistence with all default values.
+  #lb_cookie_session_persistence_configuration {}
+
+  lifecycle {
+    ignore_changes = [ssl_configuration]
+  }
+}
+
 resource "oci_load_balancer_listener" "wls_lb_listener_https" {
   count = local.use_https_listener_count
   load_balancer_id = var.load_balancer_id
   name = "${var.resource_name_prefix}_https"
-  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
+  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[0].name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
   port = var.lb_https_lstr_port
   protocol = var.lb_protocol
   rule_set_names = [oci_load_balancer_rule_set.SSL_headers[count.index].name]
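Review bot: `ignore_changes = [ssl_configuration]` in wls_lb_backendset_secure_mode tells Terraform to stop reconciling the entire backend TLS block, so if `verify_peer_certificate` is later switched off or `trusted_certificate_authority_ids` is replaced outside Terraform, every subsequent plan stays clean and the load balancer keeps forwarding to backends whose certificates are no longer checked. If the lifecycle rule exists because the provider rewrites one attribute after apply, ignore only that attribute (e.g. `ignore_changes = [ssl_configuration[0].trusted_certificate_authority_ids]`) and add a comment stating which drift is expected; otherwise drop the lifecycle block so the verify settings are enforced. Separately, health_checker keeps `protocol = var.lb_protocol` from the non-secure set while `port = var.backend_port` now resolves to the SSL port in main.tf, so the probe can only succeed if var.lb_protocol is the TLS variant — the variable is outside this hunk, so worth confirming.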
@@ -51,10 +81,10 @@ resource "oci_load_balancer_listener" "wls_lb_listener_https" {
 }
 
 resource "oci_load_balancer_backend" "wls_lb_backend" {
-  count = var.use_existing_lb || (length(oci_load_balancer_backend_set.wls_lb_backendset) > 0) ? var.num_vm_instances : 0
+  count = var.use_existing_lb || (length(oci_load_balancer_backend_set.wls_lb_backendset) > 0) || (length(oci_load_balancer_backend_set.wls_lb_backendset_secure_mode) > 0) ? var.num_vm_instances : 0
   load_balancer_id = var.load_balancer_id
-  backendset_name = var.use_existing_lb ? var.lb_backendset_name : oci_load_balancer_backend_set.wls_lb_backendset[0].name
+  backendset_name = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[0].name : oci_load_balancer_backend_set.wls_lb_backendset[0].name
   ip_address = var.instance_private_ips[count.index]
   port = var.backend_port
   backup = false
diff --git a/terraform/modules/lb/backends/variables.tf b/terraform/modules/lb/backends/variables.tf
index 4366d59b..41de8e46 100644
--- a/terraform/modules/lb/backends/variables.tf
+++ b/terraform/modules/lb/backends/variables.tf
@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 variable "instance_private_ips" {
@@ -78,3 +78,14 @@ variable "resource_name_prefix" {
   type = string
   description = "Prefix used by the WebLogic for OCI instance of which this compute is part"
 }
+
+# All the variables under this comment belong to Secure Production Mode
+variable "configure_secure_mode" {
+  type = bool
+  description = "Set to true to configure a secure WebLogic domain"
+}
+
+variable "root_ca_id" {
+  type = string
+  description = "The OCID of the existing root certificate authority to issue the certificates"
+}
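Review bot: In wls_lb_backend the extended `count` condition is always true if the two backend-set counts are the ones shown earlier in this patch: with use_existing_lb false, exactly one of wls_lb_backendset and wls_lb_backendset_secure_mode has length 1, so the ternary can only ever yield var.num_vm_instances. If the length() calls are being kept for the implicit dependency on the backend sets, say so in a comment (`# length() references keep the backends ordered after whichever backend set exists`) so the next reader does not try to reason about the disjunction; otherwise `count = var.num_vm_instances` with an explicit `depends_on` is clearer. The resource body runs past the end of the hunk.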
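Review bot: The new `root_ca_id` variable has no default and its description does not say that it is only read when configure_secure_mode is true, yet main.tf passes `local.root_ca_id` unconditionally, so a caller running in non-secure mode cannot tell from the module interface whether an empty value is acceptable. State the dependency in the description, e.g. `description = "OCID of the existing root certificate authority the load balancer trusts for backend certificates; only used when configure_secure_mode is true"`, and, if the project's Terraform version permits cross-variable references in `validation`, reject an empty value when configure_secure_mode is set.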
From 422c2002bd8fe74f64d5caedda7217ef4473fcfd Mon Sep 17 00:00:00 2001
From: Mahuwa-Barman
Date: Thu, 14 Mar 2024 12:35:07 +0530
Subject: [PATCH 2/4] JCS-14325_LB_SSL_secure_mode

---
 terraform/modules/lb/backends/lb_backends.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/modules/lb/backends/lb_backends.tf b/terraform/modules/lb/backends/lb_backends.tf
index 09bf785b..95d73106 100644
--- a/terraform/modules/lb/backends/lb_backends.tf
+++ b/terraform/modules/lb/backends/lb_backends.tf
@@ -28,7 +28,7 @@ resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
 }
 
 resource "oci_load_balancer_backend_set" "wls_lb_backendset_secure_mode" {
-  # If using existing load balancer, use per-created backend set of existing lb
+  # If using existing load balancer in secured production mode, use per-created backend set of existing lb
   count = var.use_existing_lb ? 0 : var.configure_secure_mode ? 1 : 0
 
   name = var.lb_backendset_name

From acb0f9d9437721f2d7b6cd88f1b2ef0dcc4584ec Mon Sep 17 00:00:00 2001
From: Mahuwa-Barman
Date: Thu, 14 Mar 2024 13:38:20 +0530
Subject: [PATCH 3/4] JCS-14325_LB_SSL_secure_mode

---
 terraform/modules/lb/backends/lb_backends.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/modules/lb/backends/lb_backends.tf b/terraform/modules/lb/backends/lb_backends.tf
index 95d73106..cdff8c89 100644
--- a/terraform/modules/lb/backends/lb_backends.tf
+++ b/terraform/modules/lb/backends/lb_backends.tf
@@ -50,7 +50,7 @@ resource "oci_load_balancer_backend_set" "wls_lb_backendset_secure_mode" {
   }
 
   # Set the session persistence to lb-session-persistence with all default values.
-  #lb_cookie_session_persistence_configuration {}
+  lb_cookie_session_persistence_configuration {}
 
   lifecycle {
     ignore_changes = [ssl_configuration]

From 4f7fe9abd2d0b758c1879d0f6f2ad9bf68bbd361 Mon Sep 17 00:00:00 2001
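Review bot: The rewritten comment on wls_lb_backendset_secure_mode still says `per-created` where `pre-created` is meant, and it describes only the use_existing_lb branch although the `count` on the next line also depends on configure_secure_mode. Suggest `# Only created in secure production mode when no existing load balancer is used; with an existing lb its pre-created backend set is reused`. The resource body continues outside the hunk.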
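Review bot: Uncommenting `lb_cookie_session_persistence_configuration {}` on the secure-mode backend set leaves every cookie attribute at the provider's defaults, so whether the load balancer's session cookie carries the Secure and HttpOnly flags is decided by those defaults rather than by this configuration. Since this backend set exists only for secure production mode behind the HTTPS listener, set them explicitly inside the block: `is_secure = true` and `is_http_only = true`, and update the comment above, which still says "all default values". The resource body continues outside the hunk.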
From: Mahuwa-Barman
Date: Fri, 15 Mar 2024 09:53:20 +0530
Subject: [PATCH 4/4] JCS-14325_LB_SSL_secure_mode

---
 terraform/modules/lb/backends/lb_backends.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/modules/lb/backends/lb_backends.tf b/terraform/modules/lb/backends/lb_backends.tf
index cdff8c89..8ebb1139 100644
--- a/terraform/modules/lb/backends/lb_backends.tf
+++ b/terraform/modules/lb/backends/lb_backends.tf
@@ -61,7 +61,7 @@ resource "oci_load_balancer_listener" "wls_lb_listener_https" {
   count = local.use_https_listener_count
   load_balancer_id = var.load_balancer_id
   name = "${var.resource_name_prefix}_https"
-  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[0].name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
+  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[count.index].name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
   port = var.lb_https_lstr_port
   protocol = var.lb_protocol
   rule_set_names = [oci_load_balancer_rule_set.SSL_headers[count.index].name]
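Review bot: Switching the reference to `wls_lb_backendset_secure_mode[count.index]` ties a backend set whose count is at most 1 to the listener's `local.use_https_listener_count`; that only stays in range while that local never exceeds 1, which this hunk cannot show. wls_lb_backend in the same module still reads `oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[0].name`, so the two references now index the same single-element resource differently; pick one form (`[0]` needs no assumption about the listener count) and use it in both places. The listener resource starts and ends outside the hunk.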