Changes related to Certificate validity & ORM UI

terraform/locals.tf

@@ -190,6 +190,7 @@ locals {
   wls_admin_port                    = var.configure_secure_mode ? var.administration_port : var.wls_admin_port
   keystore_password_id              = var.configure_secure_mode ? var.keystore_password_id : ""
   root_ca_id                        = var.configure_secure_mode ? var.root_ca_id : ""
+  cert_compartment_id               = var.cert_compartment_id == "" ? local.network_compartment_id : var.cert_compartment_id
   wls_domain_configuration          = var.configure_secure_mode ? "Secured Production Mode" : "Production Mode"
   wls_extern_ssl_admin_port         = var.configure_secure_mode ? var.administration_port : var.wls_extern_ssl_admin_port
   wls_admin_user                    = var.configure_secure_mode ? var.wls_primary_admin_user : var.wls_admin_user

terraform/main.tf

@@ -243,6 +243,7 @@ module "policies" {
   is_rms_private_endpoint_required = local.is_rms_private_endpoint_required
   configure_secure_mode            = var.configure_secure_mode
   keystore_password_id             = local.keystore_password_id
+  cert_compartment_id              = local.cert_compartment_id
 }
 
 module "bastion" {
@@ -474,6 +475,8 @@ module "validators" {
   keystore_password_id            = local.keystore_password_id
   root_ca_id                      = local.root_ca_id
   wls_secondary_admin_password_id = local.wls_secondary_admin_password_id
+  administration_port             = var.administration_port
+  ms_administration_port          = var.ms_administration_port
 }
 
 module "fss" {
@@ -627,6 +630,7 @@ module "compute" {
   ms_administration_port             = var.ms_administration_port
   keystore_password_id               = local.keystore_password_id
   root_ca_id                         = local.root_ca_id
+  cert_compartment_id                = local.cert_compartment_id
   thread_pool_limit                  = var.thread_pool_limit
   wls_secondary_admin_user           = var.wls_secondary_admin_user
   wls_secondary_admin_password_id    = local.wls_secondary_admin_password_id

terraform/modules/compute/wls_compute/variables.tf

@@ -326,6 +326,11 @@ variable "root_ca_id" {
   description = "The OCID of the existing root certificate authority to issue the certificates"
 }
 
+variable "cert_compartment_id" {
+  type        = string
+  description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate"
+}
+
 variable "thread_pool_limit" {
   type        = number
   description = "Shared Capacity For Work Managers"

terraform/modules/compute/wls_compute/wls_compute.tf

@@ -76,6 +76,7 @@ module "wls-instances" {
       keystore_dir                       = var.keystore_dir
       keystore_password_id               = var.keystore_password_id
       root_ca_id                         = var.root_ca_id
+      cert_compartment_id                = var.cert_compartment_id
       thread_pool_limit                  = var.thread_pool_limit
       wls_secondary_admin_user           = var.wls_secondary_admin_user
       wls_secondary_admin_password_ocid  = var.wls_secondary_admin_password_id

terraform/modules/policies/locals.tf

@@ -109,9 +109,9 @@ locals {
   ])
 
   #Policies for creating wildcard certificate to configure SSL in secured production mode
-  secure_mode_statement1 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use certificate-authority-delegates in compartment id ${var.compartment_id}" : ""
-  secure_mode_statement2 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage leaf-certificates in compartment id ${var.compartment_id}" : ""
-  secure_mode_statement3 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read leaf-certificate-bundles in compartment id ${var.compartment_id} where target.leaf-certificate.bundle-type = 'CERTIFICATE_CONTENT_PUBLIC_ONLY'"  : ""
+  secure_mode_statement1 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use certificate-authority-delegates in compartment id ${var.cert_compartment_id}" : ""
+  secure_mode_statement2 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage leaf-certificates in compartment id ${var.cert_compartment_id}" : ""
+  secure_mode_statement3 = var.configure_secure_mode ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read leaf-certificate-bundles in compartment id ${var.cert_compartment_id} where target.leaf-certificate.bundle-type = 'CERTIFICATE_CONTENT_PUBLIC_ONLY'"  : ""
   #Policy for reading keystore password secret
   secure_mode_secrets_policy_statement = (var.configure_secure_mode && var.keystore_password_id != "") ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read secret-bundles in tenancy where target.secret.id = '${var.keystore_password_id}'" : ""
   secure_mode_statement  = compact([local.secure_mode_statement1, local.secure_mode_statement2, local.secure_mode_statement3, local.secure_mode_secrets_policy_statement])

terraform/modules/policies/variables.tf

@@ -202,3 +202,8 @@ variable "keystore_password_id" {
   type        = string
   description = "The OCID of the vault secret with the password for creating the keystore"
 }
+
+variable "cert_compartment_id" {
+  type        = string
+  description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate"
+}

terraform/modules/validators/validators.tf

@@ -61,6 +61,7 @@ locals {
   script_version_msg      = "WLSC-ERROR: The value for tf script version cannot be empty. Please provide valid script version that matches with version on the image."
   validate_script_version = local.invalid_script_version ? local.validators_msg_map[local.script_version_msg] : null
 
+  # Validations related to Secure Production Mode
   missing_keystore_password_id          = var.configure_secure_mode && var.keystore_password_id == ""
   keystore_password_id_required_msg     = "WLSC-ERROR: The value for keystore_password_id is required when enabling secure production mode."
   validate_missing_keystore_password_id = local.missing_keystore_password_id ? local.validators_msg_map[local.keystore_password_id_required_msg] : null
@@ -74,4 +75,8 @@ locals {
   invalid_wls_secondary_admin_password_id              = var.configure_secure_mode && length(regexall("^ocid1.vaultsecret.", var.wls_secondary_admin_password_id)) <= 0
   invalid_wls_secondary_admin_password_id_required_msg = "WLSC-ERROR: The value for wls_secondary_admin_password_id should start with \"ocid1.vaultsecret.\""
   validate_wls_secondary_admin_password_id             = local.missing_wls_secondary_admin_password_id ? local.validators_msg_map[local.missing_wls_secondary_admin_password_id_required_msg] : (local.invalid_wls_secondary_admin_password_id ? local.validators_msg_map[local.invalid_wls_secondary_admin_password_id_required_msg] : null)
+
+  invalid_administration_ports     = var.configure_secure_mode && var.administration_port == var.ms_administration_port
+  invalid_administration_ports_msg = "WLSC-ERROR: The value for administration_port=[${var.administration_port}] and ms_administration_port=[${var.ms_administration_port}] cannot be same."
+  validate_administration_ports    = local.invalid_administration_ports ? local.validators_msg_map[local.invalid_administration_ports_msg] : null
 }

terraform/modules/validators/variables.tf

@@ -553,4 +553,14 @@ variable "root_ca_id" {
 variable "wls_secondary_admin_password_id" {
   type        = string
   description = "The OCID of the vault secret with the password for secondary WebLogic administration user"
+}
+
+variable "administration_port" {
+  type        = number
+  description = "The domain-wide administration port to configure a secure WebLogic domain"
+}
+
+variable "ms_administration_port" {
+  type        = number
+  description = "The administration port for managed servers to configure a secure WebLogic domain"
 }

terraform/schema.yaml

@@ -44,6 +44,7 @@ groupings:
       - ${wls_secondary_admin_password_id}
       - ${keystore_password_id}
       - ${root_ca_id}
+      - ${cert_compartment_id}
       - ${preserve_boot_properties}
       - ${add_JRF}
       #Start of JRF fields
@@ -551,6 +552,8 @@ variables:
       and:
         - ${orm_create_mode}
         - ${configure_wls_ports}
+        - not:
+            - ${configure_secure_mode}
     type: integer
     default: 7002
     minimum: 1024
@@ -807,7 +810,7 @@ variables:
         - ${configure_secure_mode}
     type: boolean
     required: true
-    default: true
+    default: false
     title: "Preserve the boot.properties file for administration server and managed servers"
     description: "Preserve the boot.properties file for administration server and managed servers. NOTE: Leaving this unchecked (false) will result in node manager being unable to revive servers if they are killed."
 
@@ -866,6 +869,18 @@ variables:
     title: "Existing Root Certificate Authority ID"
     description: "The OCID of the existing root certificate authority to issue the certificates"
 
+  cert_compartment_id:
+    visible:
+      and:
+        - ${orm_create_mode}
+        - ${configure_secure_mode}
+        - ${create_policies}
+    type: oci:identity:compartment:id
+    required: false
+    title: "Certificate Compartment"
+    description: "The compartment where you want to create the certificate"
+    default: ${network_compartment_id}
+
   thread_pool_limit:
     visible:
       and:

terraform/schema_14110.yaml

@@ -44,6 +44,7 @@ groupings:
       - ${wls_secondary_admin_password_id}
       - ${keystore_password_id}
       - ${root_ca_id}
+      - ${cert_compartment_id}
       - ${preserve_boot_properties}
       - ${wls_14c_jdk_version}
       - ${deploy_sample_app}
@@ -560,6 +561,8 @@ variables:
       and:
         - ${orm_create_mode}
         - ${configure_wls_ports}
+        - not:
+            - ${configure_secure_mode}
     type: integer
     default: 7002
     minimum: 1024
@@ -816,7 +819,7 @@ variables:
         - ${configure_secure_mode}
     type: boolean
     required: true
-    default: true
+    default: false
     title: "Preserve the boot.properties file for administration server and managed servers"
     description: "Preserve the boot.properties file for administration server and managed servers. NOTE: Leaving this unchecked (false) will result in node manager being unable to revive servers if they are killed."
 
@@ -875,6 +878,18 @@ variables:
     title: "Existing Root Certificate Authority ID"
     description: "The OCID of the existing root certificate authority to issue the certificates"
 
+  cert_compartment_id:
+    visible:
+      and:
+        - ${orm_create_mode}
+        - ${configure_secure_mode}
+        - ${create_policies}
+    type: oci:identity:compartment:id
+    required: false
+    title: "Certificate Compartment"
+    description: "The compartment where you want to create the certificate"
+    default: ${network_compartment_id}
+
   thread_pool_limit:
     visible:
       and:

terraform/weblogic_variables.tf

@@ -207,7 +207,7 @@ variable "configure_secure_mode" {
 variable "preserve_boot_properties" {
   type        = bool
   description = "Set to true to preserve the boot.properties file for administration server and managed servers"
-  default     = "true"
+  default     = "false"
 }
 
 variable "keystore_password_id" {
@@ -222,6 +222,12 @@ variable "root_ca_id" {
   default     = ""
 }
 
+variable "cert_compartment_id" {
+  type        = string
+  description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate"
+  default     = ""
+}
+
 variable "administration_port" {
   type        = number
   description = "The domain-wide administration port to configure a secure WebLogic domain"