Configure OCI Load Balancer backend set to use SSL

terraform/main.tf

@@ -64,7 +64,7 @@ module "network-vcn-config" {
   wls_extern_admin_port      = var.wls_extern_admin_port
   wls_expose_admin_port      = var.wls_expose_admin_port
   wls_admin_port_source_cidr = var.wls_admin_port_source_cidr
-  wls_ms_content_port        = local.add_load_balancer ? (var.is_idcs_selected ? var.idcs_cloudgate_port : var.wls_ms_extern_port) : var.wls_ms_extern_ssl_port
+  wls_ms_content_port        = local.add_load_balancer ? (var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)) : var.wls_ms_extern_ssl_port
   assign_backend_public_ip   = local.assign_weblogic_public_ip
   configure_secure_mode      = var.configure_secure_mode
   administration_port        = var.administration_port
@@ -728,8 +728,11 @@ module "load-balancer-backends" {
   lb_backendset_name   = local.lb_backendset_name
   num_vm_instances     = var.wls_node_count
   instance_private_ips = module.compute.instance_private_ips
-  backend_port         = var.is_idcs_selected ? var.idcs_cloudgate_port : var.wls_ms_extern_port
+  backend_port         = var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)
   health_check_url     = var.is_idcs_selected ? "/cloudgate" : "/"
+
+  configure_secure_mode    = var.configure_secure_mode
+  root_ca_id               = local.root_ca_id
 }
 
 module "observability-logging" {

terraform/modules/lb/backends/lb_backends.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 locals {
@@ -9,7 +9,7 @@ locals {
 
 resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
   # If using existing load balancer, use per-created backend set of existing lb
-  count = var.use_existing_lb ? 0 : 1
+  count = var.configure_secure_mode ? 0 : var.use_existing_lb ? 0 : 1
 
   name             = var.lb_backendset_name
   load_balancer_id = var.load_balancer_id
@@ -27,11 +27,41 @@ resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
   lb_cookie_session_persistence_configuration {}
 }
 
+resource "oci_load_balancer_backend_set" "wls_lb_backendset_secure_mode" {
+  # If using existing load balancer in secured production mode, use per-created backend set of existing lb
+  count = var.use_existing_lb ? 0 : var.configure_secure_mode ? 1 : 0
+
+  name             = var.lb_backendset_name
+  load_balancer_id = var.load_balancer_id
+  policy           = var.lb_policy
+
+  health_checker {
+    port                = var.backend_port
+    protocol            = var.lb_protocol
+    response_body_regex = ".*"
+    url_path            = local.health_check_url_path
+    return_code         = var.return_code
+  }
+
+  ssl_configuration {
+    trusted_certificate_authority_ids = [var.root_ca_id]
+    verify_depth = 1
+    verify_peer_certificate = true
+  }
+
+  # Set the session persistence to lb-session-persistence with all default values.
+  lb_cookie_session_persistence_configuration {}
+
+  lifecycle {
+    ignore_changes = [ssl_configuration]
+  }
+}
+
 resource "oci_load_balancer_listener" "wls_lb_listener_https" {
   count                    = local.use_https_listener_count
   load_balancer_id         = var.load_balancer_id
   name                     = "${var.resource_name_prefix}_https"
-  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
+  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[count.index].name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
   port                     = var.lb_https_lstr_port
   protocol                 = var.lb_protocol
   rule_set_names           = [oci_load_balancer_rule_set.SSL_headers[count.index].name]
@@ -51,10 +81,10 @@ resource "oci_load_balancer_listener" "wls_lb_listener_https" {
 }
 
 resource "oci_load_balancer_backend" "wls_lb_backend" {
-  count = var.use_existing_lb || (length(oci_load_balancer_backend_set.wls_lb_backendset) > 0) ? var.num_vm_instances : 0
+  count = var.use_existing_lb || (length(oci_load_balancer_backend_set.wls_lb_backendset) > 0) || (length(oci_load_balancer_backend_set.wls_lb_backendset_secure_mode) > 0) ? var.num_vm_instances : 0
 
   load_balancer_id = var.load_balancer_id
-  backendset_name  = var.use_existing_lb ? var.lb_backendset_name : oci_load_balancer_backend_set.wls_lb_backendset[0].name
+  backendset_name  = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[0].name : oci_load_balancer_backend_set.wls_lb_backendset[0].name
   ip_address       = var.instance_private_ips[count.index]
   port             = var.backend_port
   backup           = false

terraform/modules/lb/backends/variables.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 variable "instance_private_ips" {
@@ -78,3 +78,14 @@ variable "resource_name_prefix" {
   type        = string
   description = "Prefix used by the WebLogic for OCI instance of which this compute is part"
 }
+
+# All the variables under this comment belong to Secure Production Mode
+variable "configure_secure_mode" {
+  type        = bool
+  description = "Set to true to configure a secure WebLogic domain"
+}
+
+variable "root_ca_id" {
+  type        = string
+  description = "The OCID of the existing root certificate authority to issue the certificates"
+}