From d10eccf6fc012c12ce300426acc4e11ae05ad3ce Mon Sep 17 00:00:00 2001
From: Mahuwa-Barman
Date: Thu, 9 May 2024 17:22:58 +0530
Subject: [PATCH 1/3] JCS-14447_JCS-14448_JCS-14449_secure_mode
---
 terraform/locals.tf | 1 +
 terraform/main.tf | 2 ++
 .../modules/compute/wls_compute/variables.tf | 5 +++++
 .../modules/compute/wls_compute/wls_compute.tf | 1 +
 terraform/modules/policies/locals.tf | 6 +++---
 terraform/modules/policies/variables.tf | 5 +++++
 terraform/schema.yaml | 15 ++++++++++++++-
 terraform/schema_14110.yaml | 15 ++++++++++++++-
 terraform/weblogic_variables.tf | 8 +++++++-
 9 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 2cbadbe..68e723a 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -190,6 +190,7 @@ locals {
 wls_admin_port = var.configure_secure_mode ? var.administration_port : var.wls_admin_port
 keystore_password_id = var.configure_secure_mode ? var.keystore_password_id : ""
 root_ca_id = var.configure_secure_mode ? var.root_ca_id : ""
+ cert_compartment_id = var.cert_compartment_id == "" ? local.network_compartment_id : var.cert_compartment_id
 wls_domain_configuration = var.configure_secure_mode ? "Secured Production Mode" : "Production Mode"
 wls_extern_ssl_admin_port = var.configure_secure_mode ? var.administration_port : var.wls_extern_ssl_admin_port
 wls_admin_user = var.configure_secure_mode ? var.wls_primary_admin_user : var.wls_admin_user
diff --git a/terraform/main.tf b/terraform/main.tf
index a54bfc9..f34f627 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -243,6 +243,7 @@ module "policies" {
 is_rms_private_endpoint_required = local.is_rms_private_endpoint_required
 configure_secure_mode = var.configure_secure_mode
 keystore_password_id = local.keystore_password_id
+ cert_compartment_id = local.cert_compartment_id
 }
 
 module "bastion" {
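Review bot: `cert_compartment_id` is taken from user input with no shape check, yet it is interpolated straight into the IAM policy statements in modules/policies/locals.tf (`to manage leaf-certificates in compartment id ${var.cert_compartment_id}`), so a typo or a wrong OCID silently scopes the dynamic group's certificate rights to the wrong compartment or produces an invalid policy at apply time. The neighbouring locals `keystore_password_id` and `root_ca_id` are gated on `var.configure_secure_mode` while this one is resolved unconditionally; if the value has no use outside secure mode, gating it the same way would keep the three consistent. The validators module in patch 3 already uses `length(regexall("^ocid1.vaultsecret.", …)) <= 0` for a similar OCID check, so a matching `invalid_cert_compartment_id = var.configure_secure_mode && length(regexall("^ocid1.(compartment|tenancy).", var.cert_compartment_id)) <= 0` there (wired through main.tf like the new port variables, and accepting `ocid1.tenancy.` only if the root compartment is an allowed choice) would reject bad values before any policy is written. The `locals` block continues outside the hunk on both sides.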
@@ -627,6 +628,7 @@ module "compute" {
 ms_administration_port = var.ms_administration_port
 keystore_password_id = local.keystore_password_id
 root_ca_id = local.root_ca_id
+ cert_compartment_id = local.cert_compartment_id
 thread_pool_limit = var.thread_pool_limit
 wls_secondary_admin_user = var.wls_secondary_admin_user
 wls_secondary_admin_password_id = local.wls_secondary_admin_password_id
diff --git a/terraform/modules/compute/wls_compute/variables.tf b/terraform/modules/compute/wls_compute/variables.tf
index d0a426c..ae7f920 100644
--- a/terraform/modules/compute/wls_compute/variables.tf
+++ b/terraform/modules/compute/wls_compute/variables.tf
@@ -326,6 +326,11 @@ variable "root_ca_id" {
 description = "The OCID of the existing root certificate authority to issue the certificates"
 }
 
+variable "cert_compartment_id" {
+ type = string
+ description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate"
+}
+
 variable "thread_pool_limit" {
 type = number
 description = "Shared Capacity For Work Managers"
diff --git a/terraform/modules/compute/wls_compute/wls_compute.tf b/terraform/modules/compute/wls_compute/wls_compute.tf
index e004443..3ec2d24 100644
--- a/terraform/modules/compute/wls_compute/wls_compute.tf
+++ b/terraform/modules/compute/wls_compute/wls_compute.tf
@@ -76,6 +76,7 @@ module "wls-instances" {
 keystore_dir = var.keystore_dir
 keystore_password_id = var.keystore_password_id
 root_ca_id = var.root_ca_id
+ cert_compartment_id = var.cert_compartment_id
 thread_pool_limit = var.thread_pool_limit
 wls_secondary_admin_user = var.wls_secondary_admin_user
 wls_secondary_admin_password_ocid = var.wls_secondary_admin_password_id
diff --git a/terraform/modules/policies/locals.tf b/terraform/modules/policies/locals.tf
index e75f482..3707c18 100644
--- a/terraform/modules/policies/locals.tf
+++ b/terraform/modules/policies/locals.tf
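Review bot: The description of the new module variable promises `Leave it blank to use the network compartment for the certificate`, but nothing in this module implements that fallback: the variable has no default, the caller in main.tf passes `local.cert_compartment_id`, which the root locals.tf has already resolved from an empty input to `local.network_compartment_id`, and wls_compute.tf hands the value to `module "wls-instances"` unchanged. The same wording is repeated on the `cert_compartment_id` variable added to modules/policies/variables.tf, where an empty value would render as `in compartment id ` inside a policy statement. Suggested description for both module variables: `description = "The OCID of the compartment in which the certificate is created; the root module substitutes the network compartment for an empty input before passing it here"`. If blank handling is meant to work at module level too, it needs its own fallback or validation rather than a description.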
@@ -109,9 +109,9 @@ locals {
 ])
 #Policies for creating wildcard certificate to configure SSL in secured production mode
- secure_mode_statement1 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use certificate-authority-delegates in compartment id ${var.compartment_id}" : ""
- secure_mode_statement2 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage leaf-certificates in compartment id ${var.compartment_id}" : ""
- secure_mode_statement3 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read leaf-certificate-bundles in compartment id ${var.compartment_id} where target.leaf-certificate.bundle-type = 'CERTIFICATE_CONTENT_PUBLIC_ONLY'" : ""
+ secure_mode_statement1 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use certificate-authority-delegates in compartment id ${var.cert_compartment_id}" : ""
+ secure_mode_statement2 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage leaf-certificates in compartment id ${var.cert_compartment_id}" : ""
+ secure_mode_statement3 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read leaf-certificate-bundles in compartment id ${var.cert_compartment_id} where target.leaf-certificate.bundle-type = 'CERTIFICATE_CONTENT_PUBLIC_ONLY'" : ""
 #Policy for reading keystore password secret
 secure_mode_secrets_policy_statement = (var.configure_secure_mode && var.keystore_password_id != "") ?
"Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read secret-bundles in tenancy where target.secret.id = '${var.keystore_password_id}'" : "" secure_mode_statement = compact([local.secure_mode_statement1, local.secure_mode_statement2, local.secure_mode_statement3, local.secure_mode_secrets_policy_statement]) diff --git a/terraform/modules/policies/variables.tf b/terraform/modules/policies/variables.tf index f2c46d2..f5dd5ac 100644 --- a/terraform/modules/policies/variables.tf +++ b/terraform/modules/policies/variables.tf @@ -202,3 +202,8 @@ variable "keystore_password_id" { type = string description = "The OCID of the vault secret with the password for creating the keystore" } + +variable "cert_compartment_id" { + type = string + description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate" +} diff --git a/terraform/schema.yaml b/terraform/schema.yaml index ad1a5f9..16cfe30 100644 --- a/terraform/schema.yaml +++ b/terraform/schema.yaml @@ -44,6 +44,7 @@ groupings: - ${wls_secondary_admin_password_id} - ${keystore_password_id} - ${root_ca_id} + - ${cert_compartment_id} - ${preserve_boot_properties} - ${add_JRF} #Start of JRF fields @@ -807,7 +808,7 @@ variables: - ${configure_secure_mode} type: boolean required: true - default: true + default: false title: "Preserve the boot.properties file for administration server and managed servers" description: "Preserve the boot.properties file for administration server and managed servers. NOTE: Leaving this unchecked (false) will result in node manager being unable to revive servers if they are killed." 
@@ -866,6 +867,18 @@ variables:
 title: "Existing Root Certificate Authority ID"
 description: "The OCID of the existing root certificate authority to issue the certificates"
 
+ cert_compartment_id:
+ visible:
+ and:
+ - ${orm_create_mode}
+ - ${configure_secure_mode}
+ - ${create_policies}
+ type: oci:identity:compartment:id
+ required: false
+ title: "Certificate Compartment"
+ description: "The compartment where you want to create the certificate"
+ default: ${network_compartment_id}
+
 thread_pool_limit:
 visible:
 and:
diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml
index b904a9f..e77ede6 100644
--- a/terraform/schema_14110.yaml
+++ b/terraform/schema_14110.yaml
@@ -44,6 +44,7 @@ groupings:
 - ${wls_secondary_admin_password_id}
 - ${keystore_password_id}
 - ${root_ca_id}
+ - ${cert_compartment_id}
 - ${preserve_boot_properties}
 - ${wls_14c_jdk_version}
 - ${deploy_sample_app}
@@ -816,7 +817,7 @@ variables:
 - ${configure_secure_mode}
 type: boolean
 required: true
- default: true
+ default: false
 title: "Preserve the boot.properties file for administration server and managed servers"
 description: "Preserve the boot.properties file for administration server and managed servers. NOTE: Leaving this unchecked (false) will result in node manager being unable to revive servers if they are killed."
 
@@ -875,6 +876,18 @@ variables:
 title: "Existing Root Certificate Authority ID"
 description: "The OCID of the existing root certificate authority to issue the certificates"
 
+ cert_compartment_id:
+ visible:
+ and:
+ - ${orm_create_mode}
+ - ${configure_secure_mode}
+ - ${create_policies}
+ type: oci:identity:compartment:id
+ required: false
+ title: "Certificate Compartment"
+ description: "The compartment where you want to create the certificate"
+ default: ${network_compartment_id}
+
 thread_pool_limit:
 visible:
 and:
diff --git a/terraform/weblogic_variables.tf b/terraform/weblogic_variables.tf
index 8f124b8..dce9fd8 100644
--- a/terraform/weblogic_variables.tf
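Review bot: The new `cert_compartment_id` field is only visible when `${create_policies}` is true, yet main.tf passes `local.cert_compartment_id` to the compute module regardless of that flag, so a user who creates the policies by hand can never choose the compartment in the console and the certificate ends up in the network compartment (the `default: ${network_compartment_id}` here and the `== ""` fallback in locals.tf); their hand-written policies then have to target that compartment, which the description does not say. The description should also make the privilege impact explicit, since `secure_mode_statement2` in modules/policies/locals.tf grants the instance dynamic group `manage leaf-certificates` across the whole compartment chosen here. Suggested: `description: "The compartment in which the wildcard certificate is created. The stack's dynamic group is granted manage access to leaf certificates in this compartment, so prefer a dedicated one. When policies are created manually this field is hidden and the network compartment is used."` The same hunk appears in schema_14110.yaml (`@@ -875,6 +876,18 @@`).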
+++ b/terraform/weblogic_variables.tf
@@ -207,7 +207,7 @@ variable "configure_secure_mode" {
 variable "preserve_boot_properties" {
 type = bool
 description = "Set to true to preserve the boot.properties file for administration server and managed servers"
- default = "true"
+ default = "false"
 }
 
 variable "keystore_password_id" {
@@ -222,6 +222,12 @@ variable "root_ca_id" {
 default = ""
 }
 
+variable "cert_compartment_id" {
+ type = string
+ description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate"
+ default = ""
+}
+
 variable "administration_port" {
 type = number
 description = "The domain-wide administration port to configure a secure WebLogic domain"
From fb3a11564602a47e1d74e36d51d77e9a8ad7eb53 Mon Sep 17 00:00:00 2001
From: Mahuwa-Barman
Date: Fri, 10 May 2024 15:17:07 +0530
Subject: [PATCH 2/3] JCS-14447_JCS-14448_JCS-14449_secure_mode
---
 terraform/schema.yaml | 2 ++
 terraform/schema_14110.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/terraform/schema.yaml b/terraform/schema.yaml
index 16cfe30..d13a19f 100644
--- a/terraform/schema.yaml
+++ b/terraform/schema.yaml
@@ -552,6 +552,8 @@ variables:
 and:
 - ${orm_create_mode}
 - ${configure_wls_ports}
+ - not:
+ - ${configure_secure_mode}
 type: integer
 default: 7002
 minimum: 1024
diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml
index e77ede6..c138e30 100644
--- a/terraform/schema_14110.yaml
+++ b/terraform/schema_14110.yaml
@@ -561,6 +561,8 @@ variables:
 and:
 - ${orm_create_mode}
 - ${configure_wls_ports}
+ - not:
+ - ${configure_secure_mode}
 type: integer
 default: 7002
 minimum: 1024
From 2cebdcd26e7c40ffc158ef455394699429906f79 Mon Sep 17 00:00:00 2001
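Review bot: `default = "false"` on a variable declared `type = bool` is a quoted string; Terraform converts it to the boolean, but the quotes contradict the declared type and the change carries over the mismatch the old `default = "true"` already had. Prefer the literal, `default = false`, so the default reads as the type says. The variable's description (`Set to true to preserve ...`) could also note the reason the default is now off, matching whatever wording the schema files end up with. The whole `variable "preserve_boot_properties"` block is inside the hunk.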
From: Mahuwa-Barman
Date: Fri, 10 May 2024 17:16:26 +0530
Subject: [PATCH 3/3] JCS-14447_JCS-14448_JCS-14449_secure_mode
---
 terraform/main.tf | 2 ++
 terraform/modules/validators/validators.tf | 5 +++++
 terraform/modules/validators/variables.tf | 10 ++++++++++
 3 files changed, 17 insertions(+)
diff --git a/terraform/main.tf b/terraform/main.tf
index f34f627..10e68de 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -475,6 +475,8 @@ module "validators" {
 keystore_password_id = local.keystore_password_id
 root_ca_id = local.root_ca_id
 wls_secondary_admin_password_id = local.wls_secondary_admin_password_id
+ administration_port = var.administration_port
+ ms_administration_port = var.ms_administration_port
 }
 
 module "fss" {
diff --git a/terraform/modules/validators/validators.tf b/terraform/modules/validators/validators.tf
index 3134fda..f978714 100644
--- a/terraform/modules/validators/validators.tf
+++ b/terraform/modules/validators/validators.tf
@@ -61,6 +61,7 @@ locals {
 script_version_msg = "WLSC-ERROR: The value for tf script version cannot be empty. Please provide valid script version that matches with version on the image."
 validate_script_version = local.invalid_script_version ? local.validators_msg_map[local.script_version_msg] : null
 
+ # Validations related to Secure Production Mode
 missing_keystore_password_id = var.configure_secure_mode && var.keystore_password_id == ""
 keystore_password_id_required_msg = "WLSC-ERROR: The value for keystore_password_id is required when enabling secure production mode."
 validate_missing_keystore_password_id = local.missing_keystore_password_id ? local.validators_msg_map[local.keystore_password_id_required_msg] : null
@@ -74,4 +75,8 @@ locals {
 invalid_wls_secondary_admin_password_id = var.configure_secure_mode && length(regexall("^ocid1.vaultsecret.", var.wls_secondary_admin_password_id)) <= 0
 invalid_wls_secondary_admin_password_id_required_msg = "WLSC-ERROR: The value for wls_secondary_admin_password_id should start with \"ocid1.vaultsecret.\""
 validate_wls_secondary_admin_password_id = local.missing_wls_secondary_admin_password_id ? local.validators_msg_map[local.missing_wls_secondary_admin_password_id_required_msg] : (local.invalid_wls_secondary_admin_password_id ? local.validators_msg_map[local.invalid_wls_secondary_admin_password_id_required_msg] : null)
+
+ invalid_administration_ports = var.configure_secure_mode && var.administration_port == var.ms_administration_port
+ invalid_administration_ports_msg = "WLSC-ERROR: The value for administration_port=[${var.administration_port}] and ms_administration_port=[${var.ms_administration_port}] cannot be same."
+ validate_administration_ports = local.invalid_administration_ports ? local.validators_msg_map[local.invalid_administration_ports_msg] : null
 }
diff --git a/terraform/modules/validators/variables.tf b/terraform/modules/validators/variables.tf
index 522bc89..5657d0a 100644
--- a/terraform/modules/validators/variables.tf
+++ b/terraform/modules/validators/variables.tf
@@ -553,4 +553,14 @@ variable "root_ca_id" {
 variable "wls_secondary_admin_password_id" {
 type = string
 description = "The OCID of the vault secret with the password for secondary WebLogic administration user"
+}
+
+variable "administration_port" {
+ type = number
+ description = "The domain-wide administration port to configure a secure WebLogic domain"
+}
+
+variable "ms_administration_port" {
+ type = number
+ description = "The administration port for managed servers to configure a secure WebLogic domain"
 }
\ No newline at end of file
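Review bot: `invalid_administration_ports` only rejects the two admin ports being equal; neither value is range-checked here, while the console schema enforces `minimum: 1024` on other port fields, so an out-of-range or privileged port supplied outside the console (CLI or API) would not be caught by this module. It also does not compare them against the other listen ports the domain uses — `wls_admin_port` is overridden with `administration_port` in locals.tf under secure mode, but the managed-server and SSL ports are not visible from here — so a collision with one of those remains possible and is worth a follow-up if those values are available to this module. A range check in the same style, `invalid_administration_port_range = var.configure_secure_mode && (var.administration_port < 1024 || var.administration_port > 65535 || var.ms_administration_port < 1024 || var.ms_administration_port > 65535)` with its own `_msg` and `validate_` entries, would close the first gap. The `locals` block starts outside the hunk.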