diff --git a/.github/actions/setupmaven/action.yml b/.github/actions/setupmaven/action.yml index f6dcf9c77..50f50652e 100644 --- a/.github/actions/setupmaven/action.yml +++ b/.github/actions/setupmaven/action.yml @@ -7,10 +7,12 @@ inputs: runs: using: "composite" steps: + - uses: actions/checkout@v4 - name: Set up Apache Maven and JDK - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: - java-version: 1.8 + distribution: 'microsoft' + java-version: 21 server-id: github # Value of the distributionManagement/repository/id field of the pom.xml server-username: MAVEN_USERNAME # env variable for username server-password: MAVEN_TOKEN # env variable for token diff --git a/.github/workflows/testWlsAksWithDependencyCreation.yml b/.github/workflows/testWlsAksWithDependencyCreation.yml index a31d3c338..4c06db9d6 100644 --- a/.github/workflows/testWlsAksWithDependencyCreation.yml +++ b/.github/workflows/testWlsAksWithDependencyCreation.yml @@ -19,6 +19,10 @@ on: description: 'The VM size for the AKS pool' required: true default: Standard_D2s_v3 + location: + description: 'The location for the resources' + required: true + default: eastus # sample cURL # curl --verbose -X POST https://api.github.com/repos//weblogic-azure/dispatches -H 'Accept: application/vnd.github.everest-preview+json' -H 'Authorization: token ' --data '{"event_type": "aks-integration-test-with-dependency-creation", "client_payload": {"gitUserNameForArtifactsLocation": "", "testBranchNameForArtifactsLocation": "", "isForDemo": "false"}}' repository_dispatch: @@ -26,7 +30,6 @@ on: env: azureCredentials: ${{ secrets.AZURE_CREDENTIALS }} - location: eastus resourceGroupForWlsAks: wlsd-aks-${{ github.run_id }}-${{ github.run_number }} dbAdminUser: weblogic dbPassword: ${{ secrets.DB_PASSWORD }} 
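Review bot: The `actions/checkout@v4` step added at the top of the composite action re-checks out the repository on every use, although the calling workflow already runs `actions/checkout@v2.3.4` immediately before `uses: ./.github/actions/setupmaven` (visible in the `-72` hunk below), so the second checkout is redundant and, with checkout's default `persist-credentials: true`, writes the job token into `.git/config` a second time. If the step is meant to make the action self-contained, add `persist-credentials: false` under a `with:` block; otherwise drop it and let callers own the checkout. `actions/checkout@v4` and `actions/setup-java@v4` are pinned to mutable tags; pinning to a full commit SHA with the version in a trailing comment (`uses: actions/setup-java@<commit-sha> # v4`) closes the tag-retargeting path. `java-version: 21` is left as a plain integer here while the same change writes `java-version: '11'` in the workflow; quoting both avoids the `1.8`-style float problem the old value had and keeps the two files consistent.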
@@ -51,6 +54,7 @@ jobs: testBranchNameForArtifactsLocation: ${{ steps.setup-env-variables-based-on-dispatch-event.outputs.testBranchNameForArtifactsLocation }} azCliVersion: ${{steps.set-az-cli-version.outputs.azCliVersion}} vmSize: ${{ steps.setup-env-variables-based-on-dispatch-event.outputs.vmSize }} + location: ${{ steps.setup-env-variables-based-on-dispatch-event.outputs.location }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v2.3.4 
@@ -72,27 +76,32 @@ jobs: - name: Setup environment variables id: setup-env-variables-based-on-dispatch-event run: | + location=eastus # default value if [ ${{ github.event_name }} == 'workflow_dispatch' ]; then isForDemo=${{ github.event.inputs.isForDemo }} gitUserNameForArtifactsLocation=${{ github.event.inputs.gitUserNameForArtifactsLocation }} testBranchNameForArtifactsLocation=${{ github.event.inputs.testBranchNameForArtifactsLocation }} vmSize=${{ github.event.inputs.vmSize }} + location=${{ github.event.inputs.location }} else isForDemo=${{ github.event.client_payload.isForDemo }} gitUserNameForArtifactsLocation=${{ github.event.client_payload.gitUserNameForArtifactsLocation }} testBranchNameForArtifactsLocation=${{ github.event.client_payload.testBranchNameForArtifactsLocation }} vmSize=${{ github.event.client_payload.vmSize }} + location=${{ github.event.client_payload.location }} fi echo "##[set-output name=isForDemo;]${isForDemo}" echo "##[set-output name=gitUserNameForArtifactsLocation;]${gitUserNameForArtifactsLocation}" echo "##[set-output name=testBranchNameForArtifactsLocation;]${testBranchNameForArtifactsLocation}" echo "##[set-output name=vmSize;]${vmSize}" + echo "##[set-output name=location;]${location}" echo "isForDemo=${isForDemo}" >> $GITHUB_ENV echo "gitUserNameForArtifactsLocation=${gitUserNameForArtifactsLocation}" >> $GITHUB_ENV echo "testBranchNameForArtifactsLocation=${testBranchNameForArtifactsLocation}" >> $GITHUB_ENV echo "vmSize=${vmSize}" >> $GITHUB_ENV + echo "location=${location}" >> $GITHUB_ENV - uses: actions/checkout@v2.3.4 - name: Set up Maven with GitHub token uses: ./.github/actions/setupmaven @@ -137,6 +146,7 @@ jobs: - name: Get AZ CLI Version run: | echo "azCliVersion=${{needs.preflight.outputs.azCliVersion}}" >> $GITHUB_ENV + echo "location=${{needs.preflight.outputs.location}}" >> $GITHUB_ENV - uses: azure/login@v1 id: azure-login with: 
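Review bot: The `location=eastus # default value` line never takes effect, because both branches of the `if` assign `location` unconditionally, so a `repository_dispatch` payload that omits `location` exports an empty string that later reaches `az group create --location` in the `-147`, `-191` and `-261` hunks. Either fall back inside the expression, `location=${{ github.event.client_payload.location || 'eastus' }}`, or guard after the branch, `[ -n "${location}" ] || location=eastus`. The new line also copies the existing pattern of interpolating `${{ github.event.inputs.location }}` / `${{ github.event.client_payload.location }}` straight into `run:` shell, which executes whatever the dispatcher sends; passing the values through the step's `env:` and reading `"$LOCATION"` keeps them as data rather than script. The `##[set-output name=location;]` form copied for the new output is the retired workflow-command syntax; `echo "location=${location}" >> $GITHUB_OUTPUT` is the supported replacement.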
@@ -147,7 +157,7 @@ jobs: azcliversion: ${{ env.azCliVersion }} inlineScript: | echo "create resource group" ${{ env.resourceGroupForDB }} - az group create --verbose --name ${{ env.resourceGroupForDB }} --location ${{ env.location }} + az group create --verbose --name ${{ env.resourceGroupForDB }} --location $location - uses: actions/checkout@v2.3.4 - name: Set up PostgreSQL Flexible Server that allows access from Azure services @@ -157,7 +167,7 @@ jobs: dbName: ${{ env.dbName }} dbPassword: ${{ env.dbPassword }} dbServerName: ${{ env.dbServerName }} - location: ${{ env.location }} + location: $location resourceGroupName: ${{ env.resourceGroupForDB }} deploy-storage-account: @@ -167,14 +177,17 @@ jobs: - name: Get AZ CLI Version run: | echo "azCliVersion=${{needs.preflight.outputs.azCliVersion}}" >> $GITHUB_ENV + echo "location=${{needs.preflight.outputs.location}}" >> $GITHUB_ENV - name: Checkout Azure-Samples/cargotracker-wls-aks uses: actions/checkout@v2 with: repository: Azure-Samples/cargotracker-wls-aks path: cargotracker - - name: Maven build web app - run: | - mvn clean install -PweblogicOnAks --file cargotracker/pom.xml + - uses: actions/setup-java@v4 + with: + distribution: 'microsoft' + java-version: '11' + - run: mvn clean install -PweblogicOnAks --file cargotracker/pom.xml - name: Query version string for deployment verification run: | PROPERTY_FILE="cargotracker/target/cargo-tracker/WEB-INF/classes/org/eclipse/cargotracker/messages.properties" @@ -191,7 +204,7 @@ jobs: azcliversion: ${{ env.azCliVersion }} inlineScript: | echo "create resource group" ${{ env.resourceGroupForStorageAccount }} - az group create --verbose --name ${{ env.resourceGroupForStorageAccount }} --location ${{ env.location }} + az group create --verbose --name ${{ env.resourceGroupForStorageAccount }} --location $location - name: Create Storage Account uses: azure/CLI@v1 with: 
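Review bot: `--location $location` inside `inlineScript` now depends on the `location` value written to `$GITHUB_ENV` in the preceding `-137` hunk being forwarded into the `azure/CLI@v1` container, while the adjacent `--name ${{ env.resourceGroupForDB }}` still uses expression syntax; the same mixed form appears in the `-191`, `-199` and `-261` hunks. Presumably azure/CLI forwards the runner environment, but the previous `${{ env.location }}` form was resolved by the runner before the container started and needed no such assumption, so `--location ${{ env.location }}` is the safer and more consistent choice. If the shell variable is kept, quote it, `--location "$location"`, so an empty value produces a clear argument error instead of leaving `--location` to swallow the next token.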
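Review bot: `location: $location` in the `with:` block of the PostgreSQL setup step passes the literal string `$location` to the action, because `with:` inputs are not processed by a shell — only `${{ }}` expressions are expanded there. The step will therefore request a region literally named `$location` and fail, unless the action happens to expand shell syntax itself. Restore expression syntax, `location: ${{ env.location }}`, which reads the value exported to `$GITHUB_ENV` in the `-137` hunk.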
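Review bot: The replacement `- run: mvn clean install ...` step has no `name:`, so the job log and any required-check UI show only the raw command where `Maven build web app` used to appear; restoring `- name: Maven build web app` above the `run:` keeps the log readable. `java-version: '11'` is quoted here but `java-version: 21` in the setupmaven action is not; one convention for both files is preferable. `actions/setup-java@v4` is a mutable tag — pinning to a commit SHA with a `# v4` comment is the same supply-chain hardening the other action references in this diff would benefit from.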
@@ -199,7 +212,7 @@ jobs: inlineScript: | az storage account create --name ${{ env.storageAccountName }} \ --resource-group ${{ env.resourceGroupForStorageAccount }} \ - --location ${{ env.location }} \ + --location $location \ --sku Standard_LRS \ --kind StorageV2 - name: Create Storage Container @@ -221,6 +234,7 @@ jobs: - name: Get AZ CLI Version run: | echo "azCliVersion=${{needs.preflight.outputs.azCliVersion}}" >> $GITHUB_ENV + echo "location=${{needs.preflight.outputs.location}}" >> $GITHUB_ENV - name: Checkout weblogic-azure uses: actions/checkout@v2 with: @@ -261,7 +275,7 @@ jobs: azcliversion: ${{ env.azCliVersion }} inlineScript: | echo "create resource group" ${{ env.resourceGroupForWlsAks }} - az group create --verbose --name ${{ env.resourceGroupForWlsAks }} --location ${{ env.location }} + az group create --verbose --name ${{ env.resourceGroupForWlsAks }} --location $location - name: Checkout Azure-Samples/cargotracker-wls-aks uses: actions/checkout@v2 with: diff --git a/pom.xml b/pom.xml index 6497997f1..1a6aadab7 100644 --- a/pom.xml +++ b/pom.xml @@ -40,7 +40,7 @@ - 1.0.86 + 1.0.87 1.0.30 1.0.55 diff --git a/resources/azure-common.properties b/resources/azure-common.properties index 1e24b1359..8648bea76 100644 --- a/resources/azure-common.properties +++ b/resources/azure-common.properties @@ -11,9 +11,9 @@ azure.apiVersionForAvailabilitySets=2023-07-01 # Microsoft.Compute/virtualMachines azure.apiVersionForVirtualMachines=2023-07-01 # Microsoft.KeyVault/vaults -azure.apiVersionForKeyVault=2023-02-01 +azure.apiVersionForKeyVault=2024-11-01 # Microsoft.KeyVault/vaults/secrets -azure.apiVersionForKeyVaultSecrets=2023-02-01 +azure.apiVersionForKeyVaultSecrets=2024-11-01 # Microsoft.ManagedIdentity/userAssignedIdentities azure.apiVersionForIdentity=2023-01-31 # Microsoft.Network/networkInterfaces 
diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json index c84c654ea..e5f6bf90d 100644 --- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json +++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json @@ -300,6 +300,14 @@ "required": true } }, + { + "name": "infoBoxAks", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(bool(steps('section_aks').clusterInfo.createAKSCluster))]", + "options": { + "text": "Ensure that the AKS cluster is configured with the following networking settings:
  • Container networking: Azure CNI Node Subnet
  • Network policy: Azure
  • " + } + }, { "name": "aksClusterSelector", "type": "Microsoft.Solutions.ResourceSelector", @@ -853,60 +861,11 @@ ], "required": false } - }, - { - "name": "sslText00", - "type": "Microsoft.Common.TextBlock", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "options": { - "text": "Choose an option for providing the TLS/SSL KeyStore and enter the values for the required fields:" - } - }, - { - "name": "sslText01", - "type": "Microsoft.Common.TextBlock", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "options": { - "text": "    ⁃ Upload existing KeyStores." - } - }, - { - "name": "sslText02", - "type": "Microsoft.Common.TextBlock", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "options": { - "text": "    ⁃ Use KeyStores stored in Azure Key Vault.", - "link": { - "label": "Learn more", - "uri": "https://aka.ms/wls-aks-tls-ssl" - } - } - }, - { - "name": "sslConfigurationAccessOption", - "type": "Microsoft.Common.OptionsGroup", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "label": "How would you like to provide required configuration", - "defaultValue": "Upload existing KeyStores", - "toolTip": "Select 'Upload existing KeyStores' to use local stored KeyStores.", - "constraints": { - "allowedValues": [ - { - "label": "Upload existing KeyStores", - "value": "uploadConfig" - }, - { - "label": "Use KeyStores stored in Azure Key Vault", - "value": "keyVaultStoredConfig" - } - ], - "required": false - } - }, + }, { "name": "uploadedCustomSSLSettings", "type": "Microsoft.Common.Section", - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_sslConfiguration').sslConfigurationAccessOption, 'uploadConfig'))]", + "visible": "[steps('section_sslConfiguration').enableCustomSSL]", "label": "TLS/SSL configuration settings", "elements": [ { 
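Review bot: The third bullet of the new `infoBoxAks` text is empty — the string ends with `•` and nothing after it — so the portal renders a dangling bullet; either give it the intended setting or drop that line. The box also omits `"icon"`, which the file's other `Microsoft.Common.InfoBox` elements set (e.g. `"icon": "Info"` on the `sslKeystoreInfo1` element removed further down); add `"icon": "Info"` for a consistent look. As rendered here the bullets sit on separate physical lines; if those are literal line breaks inside the JSON string rather than `\n` escapes the file will not parse, which is worth confirming against the raw file.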
@@ -1061,182 +1020,6 @@ } } ] - }, - { - "name": "keyVaultStoredCustomSSLSettings", - "type": "Microsoft.Common.Section", - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_sslConfiguration').sslConfigurationAccessOption, 'keyVaultStoredConfig'))]", - "label": "TLS/SSL configuration settings", - "elements": [ - { - "name": "sslKeystoreInfo1", - "type": "Microsoft.Common.InfoBox", - "visible": "true", - "options": { - "icon": "Info", - "text": "You must provide different files for identity and trust KeyStores. Select here for more details.", - "uri": "https://aka.ms/arm-oraclelinux-wls-ssl-configuration" - } - }, - { - "name": "keyVaultText", - "type": "Microsoft.Common.TextBlock", - "visible": "true", - "options": { - "text": "Enabling a HTTPS (Secure) port for the Administration Console requires you to obtain a valid TLS/SSL certificate. The offer will look for the certificate and other configuration items in the Azure Key Vault specified here.", - "link": { - "label": "Learn more", - "uri": "https://aka.ms/wls-aks-ssl-key-vault" - } - } - }, - { - "name": "keyVaultResourceGroup", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "Resource group name in current subscription containing the Key Vault", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z.\\-_()]{0,89}([a-z0-9A-Z\\-_()]{1}){3,63}$", - "validationMessage": "[if(greater(length(steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultResourceGroup), 90),'Resource group names only allow up to 90 characters.', 'Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.')]" - } - }, - { - "name": "keyVaultName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "Name of the Azure Key Vault containing secrets for the TLS/SSL certificate", - "defaultValue": "", - 
"toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^(?=.{3,24}$)[a-zA-Z](?!.*--)[a-zA-Z0-9-]*[a-zA-Z0-9]$", - "validationMessage": "[if(or(greater(length(steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultName), 24), less(length(steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultName), 3)),'Vault name must be between 3-24 alphanumeric characters. The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens.','Vault name must only contain alphanumeric characters and dashes and cannot start with a number')]" - } - }, - { - "name": "keyVaultCustomIdentityKeyStoreDataSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the Identity KeyStore Data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultCustomIdentityKeyStorePassPhraseSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the passphrase for the Identity KeyStore", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." 
- } - }, - { - "name": "keyVaultCustomIdentityKeyStoreType", - "type": "Microsoft.Common.DropDown", - "visible": "true", - "label": "The Identity KeyStore type (JKS,PKCS12)", - "defaultValue": "JKS", - "toolTip": "One of the supported KeyStore types", - "constraints": { - "allowedValues": [ - { - "label": "JKS", - "value": "JKS" - }, - { - "label": "PKCS12", - "value": "PKCS12" - } - ], - "required": true - } - }, - { - "name": "keyVaultPrivateKeyAliasSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the Private Key Alias", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultPrivateKeyPassPhraseSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the passphrase for the Private Key", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultCustomTrustKeyStoreDataSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the Trust KeyStore Data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." 
- } - }, - { - "name": "keyVaultCustomTrustKeyStorePassPhraseSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the passphrase for the Trust KeyStore", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultCustomTrustKeyStoreType", - "type": "Microsoft.Common.DropDown", - "visible": "true", - "label": "The Trust KeyStore type (JKS,PKCS12)", - "defaultValue": "JKS", - "toolTip": "One of the supported KeyStore types", - "constraints": { - "allowedValues": [ - { - "label": "JKS", - "value": "JKS" - }, - { - "label": "PKCS12", - "value": "PKCS12" - } - ], - "required": true - } - } - ] } ] }, @@ -1354,7 +1137,7 @@ "visible": false }, { - "name": "keyVaultText00", + "name": "sslCertText00", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { @@ -1362,7 +1145,7 @@ } }, { - "name": "keyVaultText01", + "name": "sslCertText01", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { @@ -1370,15 +1153,7 @@ } }, { - "name": "keyVaultText02", - "type": "Microsoft.Common.TextBlock", - "visible": true, - "options": { - "text": "    ⁃ Identify an Azure Key Vault: The Key Vault must already contain the certificate and its password stored as secrets." - } - }, - { - "name": "keyVaultText03", + "name": "sslCertText02", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { @@ -1404,10 +1179,6 @@ { "label": "Upload a TLS/SSL certificate", "value": "haveCert" - }, - { - "label": "Identify an Azure Key Vault", - "value": "haveKeyVault" } ], "required": true 
@@ -1415,7 +1186,7 @@ "visible": true }, { - "name": "keyVaultSSLCertData", + "name": "appGatewaySSLCertData", "type": "Microsoft.Common.FileUpload", "label": "Front-End TLS/SSL certificate(.pfx)", "toolTip": "TLS/SSL certificate used for App Gateway", @@ -1449,7 +1220,7 @@ "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]" }, { - "name": "keyVaultBackendSSLCertData", + "name": "uploadedSSLCertData", "type": "Microsoft.Common.FileUpload", "label": "Trusted root certificate(.cer, .cert)", "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL", 
@@ -1462,72 +1233,7 @@ "uploadMode": "file", "openMode": "binary" }, - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, not(equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')))]" - }, - { - "name": "keyVaultResourceGroup", - "type": "Microsoft.Common.TextBox", - "label": "Resource group name in current subscription containing the Key Vault", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z.\\-_()]{0,89}([a-z0-9A-Z\\-_()]{1}){3,63}$", - "validationMessage": "[if(greater(length(steps('section_appGateway').appgwIngress.keyVaultResourceGroup), 90),'Resource group names only allow up to 90 characters.', 'Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.')]" - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultName", - "type": "Microsoft.Common.TextBox", - "label": "Name of the Azure Key Vault containing secrets for the certificate for TLS/SSL Termination", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^(?=.{3,24}$)[a-zA-Z](?!.*--)[a-zA-Z0-9-]*[a-zA-Z0-9]$", - "validationMessage": "[if(or(greater(length(steps('section_appGateway').appgwIngress.keyVaultName), 24), less(length(steps('section_appGateway').appgwIngress.keyVaultName), 3)),'Vault name must be between 3-24 alphanumeric characters. 
The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens.','Vault name must only contain alphanumeric characters and dashes and cannot start with a number')]" - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultSSLCertDataSecretName", - "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the front-end TLS/SSL certificate data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultSSLCertPasswordSecretName", - "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the password for the front-end TLS/SSL certificate", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultBackendSSLCertDataSecretName", - "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the trusted root certificate data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." 
- }, - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault'))]" + "visible": "[steps('section_sslConfiguration').enableCustomSSL]" }, { "name": "enableCookieBasedAffinity", @@ -2372,8 +2078,8 @@ "aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]", "aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]", "appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]", - "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]", - "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertData]", + "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.uploadedSSLCertData]", + "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertData]", "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]", "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]", "appgwForRemoteConsole": "[steps('section_appGateway').appgwIngress.appgwForAdminRemote]", 
@@ -2415,27 +2121,11 @@ "isSSOSupportEntitled": "[bool(steps('section_aks').imageInfo.isSSOSupportEntitled)]", "lbSvcValues": "[if(not(empty(first(if(empty(steps('section_appGateway').lbSVCInfo.lbSVC),parse('[{\"colName\":\"\"}]'), steps('section_appGateway').lbSVCInfo.lbSVC)).colName)),steps('section_appGateway').lbSVCInfo.lbSVC, parse('[]'))]", "location": "[location()]", - "keyVaultName": "[steps('section_appGateway').appgwIngress.keyVaultName]", - "keyVaultResourceGroup": "[steps('section_appGateway').appgwIngress.keyVaultResourceGroup]", - "keyVaultSSLBackendRootCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertDataSecretName]", - "keyVaultSSLCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertDataSecretName]", - "keyVaultSSLCertPasswordSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertPasswordSecretName]", "hpaScaleType": "[steps('section_autoScaling').autoScalingInfo.kmsMetrics]", "managedServerPrefix": "[basics('basicsOptional').managedServerPrefix]", "newOrExistingVnetForApplicationGateway": "[steps('section_appGateway').appgwIngress.vnetForApplicationGateway.newOrExisting]", "ocrSSOPSW": "[steps('section_aks').imageInfo.ocrSSOPassword]", "ocrSSOUser": "[steps('section_aks').imageInfo.ocrSSOUserName]", - "sslConfigurationAccessOption": "[steps('section_sslConfiguration').sslConfigurationAccessOption]", - "sslKeyVaultCustomIdentityKeyStoreDataSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomIdentityKeyStoreDataSecretName]", - "sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomIdentityKeyStorePassPhraseSecretName]", - "sslKeyVaultCustomIdentityKeyStoreType": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomIdentityKeyStoreType]", - "sslKeyVaultCustomTrustKeyStoreDataSecretName": 
"[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomTrustKeyStoreDataSecretName]", - "sslKeyVaultCustomTrustKeyStorePassPhraseSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomTrustKeyStorePassPhraseSecretName]", - "sslKeyVaultCustomTrustKeyStoreType": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomTrustKeyStoreType]", - "sslKeyVaultName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultName]", - "sslKeyVaultPrivateKeyAliasSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultPrivateKeyAliasSecretName]", - "sslKeyVaultPrivateKeyPassPhraseSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultPrivateKeyPassPhraseSecretName]", - "sslKeyVaultResourceGroup": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultResourceGroup]", "sslUploadedCustomIdentityKeyStoreData": "[steps('section_sslConfiguration').uploadedCustomSSLSettings.uploadedCustomIdentityKeyStoreData]", "sslUploadedCustomIdentityKeyStorePassphrase": "[steps('section_sslConfiguration').uploadedCustomSSLSettings.uploadedCustomIdentityKeyStorePassphrase]", "sslUploadedCustomIdentityKeyStoreType": "[steps('section_sslConfiguration').uploadedCustomSSLSettings.uploadedCustomIdentityKeyStoreType]", diff --git a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh index 6fbc3872e..801019785 100644 --- a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh +++ b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh 
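Review bot: This hunk removes the `keyVault*` and `sslKeyVault*` output entries, but the `mainTemplate.json` parameters those outputs populated are not part of this diff. If any of them is still declared without a `defaultValue`, the portal deployment fails with a missing-parameter error before the template runs, so confirm the corresponding parameter declarations were removed or defaulted in the same change. The `sslConfigurationAccessOption` output is dropped here too and `validateParameters.sh` below no longer reads it; any remaining reference in the template's script environment block would become a dead variable rather than an error, which is worth a grep.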
@@ -9,16 +9,6 @@ # AKS_CLUSTER_NAME # AKS_CLUSTER_RESOURCEGROUP_NAME # BASE64_FOR_SERVICE_PRINCIPAL -# WLS_SSL_KEYVAULT_NAME -# WLS_SSL_KEYVAULT_RESOURCEGROUP_NAME -# WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME -# WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME -# WLS_SSL_KEYVAULT_IDENTITY_TYPE -# WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME -# WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME -# WLS_SSL_KEYVAULT_TRUST_TYPE -# WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS -# WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD # WLS_SSL_IDENTITY_DATA # WLS_SSL_IDENTITY_PASSWORD # WLS_SSL_IDENTITY_TYPE @@ -27,10 +17,6 @@ # WLS_SSL_TRUST_TYPE # WLS_SSL_PRIVATE_KEY_ALIAS # WLS_SSL_PRIVATE_KEY_PASSWORD -# APPLICATION_GATEWAY_SSL_KEYVAULT_NAME -# APPLICATION_GATEWAY_SSL_KEYVAULT_RESOURCEGROUP -# APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME -# APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME # APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA # APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD # DNS_ZONE_NAME 
@@ -351,106 +337,7 @@ function validate_image_compatibility fi } -function download_wls_ssl_certificates_from_keyvault() { - # check key vault accessibility for template deployment - local enabledForTemplateDeployment=$(az keyvault show --name ${WLS_SSL_KEYVAULT_NAME} --query "properties.enabledForTemplateDeployment") - if [[ "${enabledForTemplateDeployment,,}" != "true" ]]; then - echo_stderr "Make sure Key Vault ${WLS_SSL_KEYVAULT_NAME} is enabled for template deployment. " - exit 1 - fi - - # allow the identity to access the keyvault - local principalId=$(az identity show --ids ${AZ_SCRIPTS_USER_ASSIGNED_IDENTITY} --query "principalId" -o tsv) - az keyvault set-policy --name ${WLS_SSL_KEYVAULT_NAME} --object-id ${principalId} --secret-permissions get list - validate_status "grant identity permission to get/list secrets in key vault ${WLS_SSL_KEYVAULT_NAME}" - - local identityDataFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/identityData.txt - local identityPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/identityPsw.txt - local trustDataFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/trustData.txt - local trustPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/trustPsw.txt - local privateKeyAliasFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/privateKeyData.txt - local privateKeyPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/privateKeyPsw.txt - - rm -f ${identityDataFileName} - rm -f ${identityPswFileName} - rm -f ${trustDataFileName} - rm -f ${trustPswFileName} - rm -f ${privateKeyAliasFileName} - rm -f ${privateKeyPswFileName} - - # download identity data - az keyvault secret download --file ${identityDataFileName} \ - --name ${WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set identity data with values in download file - WLS_SSL_IDENTITY_DATA="$(cat ${identityDataFileName} | base64)" - # remove the data 
file - rm -f ${identityDataFileName} - - # download identity password - az keyvault secret download --file ${identityPswFileName} \ - --name ${WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set identity psw with values in download file - WLS_SSL_IDENTITY_PASSWORD="$(cat ${identityPswFileName})" - # remove the data file - rm -f ${identityPswFileName} - - # download trust data - az keyvault secret download --file ${trustDataFileName} \ - --name ${WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set trust data with values in download file - WLS_SSL_TRUST_DATA="$(cat ${trustDataFileName} | base64)" - # remove the data file - rm -f ${trustDataFileName} - - # download trust psw - az keyvault secret download --file ${trustPswFileName} \ - --name ${WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set trust psw with values in download file - WLS_SSL_TRUST_PASSWORD="$(cat ${trustPswFileName})" - # remove the data file - rm -f ${trustPswFileName} - - # download alias - az keyvault secret download --file ${privateKeyAliasFileName} \ - --name ${WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set alias with values in download file - WLS_SSL_PRIVATE_KEY_ALIAS="$(cat ${privateKeyAliasFileName})" - # remove the data file - rm -f ${privateKeyAliasFileName} - - # download private key psw - az keyvault secret download --file ${privateKeyPswFileName} \ - 
--name ${WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set private key psw with values in download file - WLS_SSL_PRIVATE_KEY_PASSWORD="$(cat ${privateKeyPswFileName})" - # remove the data file - rm -f ${privateKeyPswFileName} - - WLS_SSL_IDENTITY_TYPE="${WLS_SSL_KEYVAULT_IDENTITY_TYPE}" - WLS_SSL_TRUST_TYPE="${WLS_SSL_KEYVAULT_TRUST_TYPE}" - - # reset key vault policy - az keyvault delete-policy --name ${WLS_SSL_KEYVAULT_NAME} --object-id ${principalId} - validate_status "delete identity permission to get/list secrets in key vault ${WLS_SSL_KEYVAULT_NAME}" -} - function validate_wls_ssl_certificates() { - if [[ "${sslConfigurationAccessOption}" == "${sslCertificateKeyVaultOption}" ]]; then - download_wls_ssl_certificates_from_keyvault - fi - local wlsIdentityKeyStoreFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/identity.keystore local wlsTrustKeyStoreFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/trust.keystore echo "$WLS_SSL_IDENTITY_DATA" | base64 -d >$wlsIdentityKeyStoreFileName 
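Review bot: With the Key Vault download branch gone, `validate_wls_ssl_certificates` now always decodes caller-supplied `WLS_SSL_IDENTITY_DATA` and `WLS_SSL_TRUST_DATA`, yet the remaining lines pipe them into `base64 -d` with no presence check, so an empty value silently writes an empty keystore file and the failure only surfaces later with a less specific message. Unless the template already rejects empty values, a guard before the decode keeps the error at its source: `if [[ -z "${WLS_SSL_IDENTITY_DATA}" || -z "${WLS_SSL_TRUST_DATA}" ]]; then echo_stderr "WLS_SSL_IDENTITY_DATA and WLS_SSL_TRUST_DATA are required when custom SSL is enabled."; exit 1; fi`. The redirect targets `>$wlsIdentityKeyStoreFileName` are unquoted; `>"${wlsIdentityKeyStoreFileName}"` prevents word-splitting if the output directory path ever contains spaces. Removing the call to `download_wls_ssl_certificates_from_keyvault` also removes the only visible reader of `sslCertificateKeyVaultOption`; if it is still defined near the top of the script it is now dead and can go. The function's body continues outside the hunk.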
@@ -487,59 +374,11 @@ function validate_wls_ssl_certificates() { echo_stdout "validate SSL key stores: passed!" } -function download_application_gateway_certificate_from_keyvault() { - # check key vault accessibility for template deployment - local enabledForTemplateDeployment=$(az keyvault show --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --query "properties.enabledForTemplateDeployment") - if [[ "${enabledForTemplateDeployment,,}" != "true" ]]; then - echo_stderr "Make sure Key Vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} is enabled for template deployment. " - exit 1 - fi - - # allow the identity to access the keyvault - local principalId=$(az identity show --ids ${AZ_SCRIPTS_USER_ASSIGNED_IDENTITY} --query "principalId" -o tsv) - az keyvault set-policy --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --object-id ${principalId} --secret-permissions get list - validate_status "grant identity permission to get/list secrets in key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" - - local gatewayCertDataFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/gatewayCertData.txt - local gatewayCertPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/gatewayCertPsw.txt - - rm -f ${gatewayCertDataFileName} - rm -f ${gatewayCertPswFileName} - - # download cert data - az keyvault secret download --file ${gatewayCertDataFileName} \ - --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME} \ - --vault-name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} - validate_status "download secret ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME} from key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" - # set cert data with values in download file - APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA=$(cat ${gatewayCertDataFileName}) - # remove the data file - rm -f ${gatewayCertDataFileName} - - # download cert data - az keyvault secret download --file ${gatewayCertPswFileName} \ - --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME} \ - 
--vault-name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} - validate_status "download secret ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME} from key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" - # set cert data with values in download file - APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD=$(cat ${gatewayCertPswFileName}) - # remove the data file - rm -f ${gatewayCertPswFileName} - - # reset key vault policy - az keyvault delete-policy --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --object-id ${principalId} - validate_status "delete identity permission to get/list secrets in key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" -} - function validate_gateway_frontend_certificates() { if [[ "${appGatewayCertificateOption}" == "generateCert" ]]; then return fi - if [[ "${appGatewayCertificateOption}" == "haveKeyVault" ]]; then - download_application_gateway_certificate_from_keyvault - fi - local appgwFrontCertFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/gatewaycert.pfx echo "$APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA" | base64 -d >$appgwFrontCertFileName 
@@ -602,6 +441,21 @@ function validate_aks_version() { fi } +function validate_aks_networking() { + local networkPluginMode=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} | jq '.networkProfile.networkPluginMode' | tr -d "\"") + local networkPlugin=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} | jq '.networkProfile.networkPlugin' | tr -d "\"") + + if [[ "${networkPluginMode}" != "null" ]]; then + echo_stderr "ERROR: invalid network plugin mode ${networkPluginMode} for ${AKS_CLUSTER_NAME}." + exit 1 + fi + + if [[ "${networkPlugin}" != "azure" ]]; then + echo_stderr "ERROR: invalid network plugin ${networkPlugin} for ${AKS_CLUSTER_NAME}." + exit 1 + fi +} + function enable_aks_managed_identity() { local identityLength=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} | jq '.identity | length') echo "identityLength ${identityLength}" @@ -688,13 +542,11 @@ useOracleImage=$5 wlsImageTag=$6 userProvidedImagePath=$7 enableCustomSSL=$8 -sslConfigurationAccessOption=$9 -appGatewayCertificateOption=${10} -enableAppGWIngress=${11} -checkDNSZone=${12} +appGatewayCertificateOption=${9} +enableAppGWIngress=${10} +checkDNSZone=${11} outputAksVersion=${constDefaultAKSVersion} -sslCertificateKeyVaultOption="keyVaultStoredConfig" # install docker cli install_docker @@ -723,7 +575,9 @@ if [[ "${createAKSCluster,,}" == "true" ]]; then validate_aks_version fi +# validate existing aks cluster if [[ "${createAKSCluster,,}" != "true" ]]; then + validate_aks_networking enable_aks_managed_identity fi diff --git a/weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh b/weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh deleted file mode 100644 index fb2a38c12..000000000 --- a/weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh +++ /dev/null 
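Review bot: In validate_aks_networking a failed `az aks show` (cluster not found, no permission, transient error) leaves both locals empty, so the check fails with the misleading message `invalid network plugin mode  for <cluster>` instead of reporting the query error; the rest of this script follows each az call with `validate_status`, and this function should do the same. The cluster is also queried twice for two fields of the same object, and each `jq … | tr -d "\""` pair can be `jq -r` (it still prints `null` for an unset field, so the comparison against `"null"` keeps working). The positional renumbering in the `@@ -688` hunk (`$9`…`${11}`) only holds if every caller of this script drops the removed argument in the same change; the callers are not in this diff. A one-line comment stating what the check enforces, e.g. `# only Azure CNI with an unset networkPluginMode is accepted for an existing cluster`, would help the next reader.
```shell
function validate_aks_networking() {
  # Accept only Azure CNI clusters with no networkPluginMode set.
  local networkProfile
  networkProfile=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} --query networkProfile -o json)
  validate_status "query network profile of AKS cluster ${AKS_CLUSTER_NAME}"
  local networkPluginMode=$(echo "${networkProfile}" | jq -r '.networkPluginMode')
  local networkPlugin=$(echo "${networkProfile}" | jq -r '.networkPlugin')
  # … unchanged: the two checks against "null" and "azure" …
}
```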
@@ -1,41 +0,0 @@ -# Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -# Inputs: -# AKS_CLUSTER_RESOURCEGROUP_NAME -# AKS_CLUSTER_NAME - -echo "Script ${0} starts" - -export currentStorageAccount="null" - -function query_storage_account() { - echo "install kubectl" - az aks install-cli - - echo "get pv name" - pvName=$(kubectl get pv -o json | - jq '.items[] | select(.status.phase=="Bound") | [.metadata.name] | .[0]' | - tr -d "\"") - - if [[ "${pvName}" != "null" ]] && [[ "${pvName}" != "" ]]; then - # this is a workaround for update domain using marketplace offer. - # the offer will create a new storage account in a new resource group if there is no storage attached. - currentStorageAccount=$(kubectl get pv ${pvName} -o json | jq '. | .metadata.labels.storageAccount' | tr -d "\"") - fi -} - -function output_result() { - echo ${currentStorageAccount} - - result=$(jq -n -c \ - --arg storageAccount $currentStorageAccount \ - '{storageAccount: $storageAccount}') - echo "result is: $result" - echo $result >$AZ_SCRIPTS_OUTPUT_PATH -} - -connect_aks $AKS_CLUSTER_NAME $AKS_CLUSTER_RESOURCEGROUP_NAME - -query_storage_account - -output_result diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index d119658f2..ed56ded0c 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep 
@@ -44,8 +44,6 @@ param aksAgentPoolNodeCount int = 3 param aksAgentPoolNodeMaxCount int = 5 @description('The size of the virtual machines that will form the nodes in the cluster. This cannot be changed after creating the cluster') param vmSize string = 'Standard_DS2_v2' -@description('Prefix for cluster name. Only The name can contain only letters, numbers, underscores and hyphens. The name must start with letter or number.') -param aksClusterNamePrefix string = 'wlsonaks' @description('Resource group name of an existing AKS cluster.') param aksClusterRGName string = 'aks-contoso-rg' @description('Name of an existing AKS cluster.') @@ -54,7 +52,6 @@ param aksClusterName string = 'aks-contoso' param aksVersion string = 'default' @allowed([ 'haveCert' - 'haveKeyVault' 'generateCert' ]) @description('Three scenarios we support for deploying app gateway') @@ -62,9 +59,9 @@ param appGatewayCertificateOption string = 'haveCert' @description('Public IP Name for the Application Gateway') param appGatewayPublicIPAddressName string = 'gwip' @description('The one-line, base64 string of the backend SSL root certificate data.') -param appGatewaySSLBackendRootCertData string = 'appgw-ssl-backend-data' +param appGatewaySSLBackendRootCertData string = newGuid() @description('The one-line, base64 string of the SSL certificate data.') -param appGatewaySSLCertData string = 'appgw-ssl-data' +param appGatewaySSLCertData string = newGuid() @secure() @description('The value of the password for the SSL Certificate') param appGatewaySSLCertPassword string = newGuid() 
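Review bot: `appGatewaySSLCertData` on the new side still carries no `@secure()` decorator, while the module parameter it feeds (`sslCertData` in `_appGateway.bicep`, changed in this same diff) is secure; a frontend PFX normally contains the private key, and a non-secure main-template parameter is recorded in plaintext in the deployment history and in `az deployment` output. Adding `@secure()` above the `@description` line keeps the `newGuid()` default valid, since the linter accepts `newGuid()` as a secure-parameter default. `appGatewaySSLBackendRootCertData` is public certificate material, so leaving it non-secure is defensible, but the receiving module marks it `@secure()`, so the two declarations should agree one way or the other.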
@@ -160,18 +157,6 @@ param hpaScaleType string = 'cpu' param isSSOSupportEntitled bool = false @description('JNDI Name for JDBC Datasource') param jdbcDataSourceName string = 'jdbc/contoso' -@description('Existing Key Vault Name') -param keyVaultName string = 'kv-contoso' -@description('Resource group name in current subscription containing the KeyVault') -param keyVaultResourceGroup string = 'kv-contoso-rg' -@description('Price tier for Key Vault.') -param keyVaultSku string = 'Standard' -@description('The name of the secret in the specified KeyVault whose value is the SSL Root Certificate Data for Appliation Gateway backend TLS/SSL.') -param keyVaultSSLBackendRootCertDataSecretName string = 'kv-ssl-backend-data' -@description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data for Appliation Gateway frontend TLS/SSL.') -param keyVaultSSLCertDataSecretName string = 'kv-ssl-data' -@description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate of Appliation Gateway frontend TLS/SSL') -param keyVaultSSLCertPasswordSecretName string = 'kv-ssl-psw' param location string @description('Object array to define Load Balancer service, each object must include service name, service target[admin-server or cluster-1], port.') param lbSvcValues array = [] 
@@ -184,40 +169,6 @@ param newOrExistingVnetForApplicationGateway string = 'new' param ocrSSOPSW string = newGuid() @description('User name of Oracle SSO account.') param ocrSSOUser string = 'null' -@allowed([ - 'uploadConfig' - 'keyVaultStoredConfig' -]) -@description('Two scenarios to refer to WebLogic Server TLS/SSL certificates.') -param sslConfigurationAccessOption string = 'uploadConfig' -@description('Secret name in KeyVault containing Weblogic Custom Identity Keystore Data') -param sslKeyVaultCustomIdentityKeyStoreDataSecretName string = 'kv-wls-identity-data' -@description('Secret name in KeyVault containing Weblogic Custom Identity Keystore Passphrase') -param sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName string = 'kv-wls-identity-psw' -@description('Weblogic Custom Identity Keystore type') -@allowed([ - 'JKS' - 'PKCS12' -]) -param sslKeyVaultCustomIdentityKeyStoreType string = 'PKCS12' -@description('Secret name in KeyVault containing Weblogic Custom Trust Store Data') -param sslKeyVaultCustomTrustKeyStoreDataSecretName string = 'kv-wls-trust-data' -@description('Secret name in KeyVault containing Weblogic Custom Trust Store Passphrase') -param sslKeyVaultCustomTrustKeyStorePassPhraseSecretName string = 'kv-wls-trust-psw' -@description('WWeblogic Custom Trust Store type') -@allowed([ - 'JKS' - 'PKCS12' -]) -param sslKeyVaultCustomTrustKeyStoreType string = 'PKCS12' -@description('Resource group containing Weblogic SSL certificates') -param sslKeyVaultName string = 'kv-wls-ssl-name' -@description('Secret name in KeyVault containing Weblogic Server private key alias') -param sslKeyVaultPrivateKeyAliasSecretName string = 'contoso' -@description('Secret name in KeyVault containing Weblogic Server private key passphrase') -param sslKeyVaultPrivateKeyPassPhraseSecretName string = 'kv-wls-ssl-alias' -@description('Keyvault name containing Weblogic SSL certificates') -param sslKeyVaultResourceGroup string = 'rg-kv-wls-ssl-name' @description('Custom 
Identity Store Data') @secure() param sslUploadedCustomIdentityKeyStoreData string = newGuid() @@ -260,7 +211,6 @@ param useLatestSupportedAksVersion bool = true param useHpa bool = true @description('True to set up internal load balancer service.') param useInternalLB bool = false -@description('ture to upload Java EE applications and deploy the applications to WebLogic domain.') param utcValue string = utcNow() @description('User provided ACR for base image') param userProvidedAcr string = 'null' 
@@ -333,44 +283,33 @@ var _objTagsByResource = { '${identifier.workspaces}': contains(tagsByResource, '${identifier.workspaces}') ? tagsByResource['${identifier.workspaces}'] : json('{}') '${identifier.deploymentScripts}': contains(tagsByResource, '${identifier.deploymentScripts}') ? tagsByResource['${identifier.deploymentScripts}'] : json('{}') } -var _useExistingAppGatewaySSLCertificate = (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveCert) ? true : false - -var const_appGatewaySSLCertOptionHaveCert = 'haveCert' -var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault' +var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSuffix}' : aksClusterName +var const_appGatewaySSLCertOptionGenerateCert = 'generateCert' +var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSuffix) +var const_acrName = (createACR) ? 'acrwlsaks${const_globalResourceNameSuffix}' : acrName var const_azcliVersion = '2.53.0' var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com') -var const_bCreateStorageAccount = (createAKSCluster || !const_hasStorageAccount) && const_enablePV var const_bValidateApplications= validateApplications && (length(appPackageUrls) > 0) var const_cpuPlatform = (contains(vmSize, 'p') ? 'arm64' : 'amd64') var const_createNewAcr = useOracleImage && createACR var const_defaultKeystoreType = 'PKCS12' var const_enableNetworking = (length(lbSvcValues) > 0) || enableAppGWIngress var const_enablePV = enableCustomSSL || enableAzureFileShare -var const_fileShareName = 'weblogic-${uniqueString(utcValue)}' -var const_hasStorageAccount = !createAKSCluster && queryStorageAccount.outputs.storageAccount != 'null' -var const_identityKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? 
sslKeyVaultCustomIdentityKeyStoreType : sslUploadedCustomIdentityKeyStoreType +var const_fileShareName = 'weblogic-${const_globalResourceNameSuffix}' +var const_globalResourceNameSuffix = '${uniqueString(utcValue)}' +var const_nsgName = 'wls-aks-nsg-${const_globalResourceNameSuffix}' var const_showAdminConsoleExUrl = (length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForAdminServer) var const_showRemoteAdminConsoleExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && !enableCustomSSL var const_showRemoteAdminConsoleSecuredExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && enableCustomSSL -var const_trustKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreType : sslUploadedCustomTrustKeyStoreType var const_wlsClusterName = 'cluster-1' var const_wlsJavaOptions = wlsJavaOption == '' ? 'null' : wlsJavaOption -var const_wlsSSLCertOptionKeyVault = 'keyVaultStoredConfig' var name_appgwFrontendSSLCertName = 'appGatewaySslCert' var name_appgwBackendRootCertName = 'appGatewayTrustedRootCert' var name_defaultPidDeployment = 'pid' -var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${take(utcValue, 6)}' +var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${const_globalResourceNameSuffix}' var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63) -var name_identityKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreDataSecretName : 'myIdentityKeyStoreData' -var name_identityKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? 
sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName : 'myIdentityKeyStorePsw' -var name_keyVaultName = '${take('wls-kv${uniqueString(utcValue)}', 24)}' -var name_privateKeyAliasSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyAliasSecretName : 'privateKeyAlias' -var name_privateKeyPswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyPassPhraseSecretName : 'privateKeyPsw' var name_rgNameWithoutSpecialCharacter = replace(replace(replace(replace(resourceGroup().name, '.', ''), '(', ''), ')', ''), '_', '') // remove . () _ from resource group name -var name_rgKeyvaultForWLSSSL = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultResourceGroup : resourceGroup().name -var name_storageAccountName = const_hasStorageAccount ? queryStorageAccount.outputs.storageAccount : 'wls${uniqueString(utcValue)}' -var name_trustKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreDataSecretName : 'myTrustKeyStoreData' -var name_trustKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStorePassPhraseSecretName : 'myTrustKeyStorePsw' +var name_storageAccountName = 'wls${const_globalResourceNameSuffix}' var ref_wlsDomainDeployment = _enableCustomSSL ? wlsDomainWithCustomSSLDeployment : wlsDomainDeployment var obj_uamiForDeploymentScript = { type: 'UserAssigned' @@ -392,9 +331,10 @@ module partnerCenterPid './modules/_pids/_empty.bicep' = { name: 'pid-a1775ed4-512c-4cfa-9e68-f0b09b36de90-partnercenter' } -module uamiDeployment 'modules/_uamiAndRoles.bicep' = { +module uamiDeployment 'modules/_globalUamiAndRoles.bicep' = { name: 'uami-deployment' params: { + _globalResourceNameSuffix: const_globalResourceNameSuffix location: location tagsByResource: _objTagsByResource } 
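Review bot: `var const_globalResourceNameSuffix = '${uniqueString(utcValue)}'` wraps a single expression in interpolation to no effect; `var const_globalResourceNameSuffix = uniqueString(utcValue)` is what the Bicep simplify-interpolation lint rule expects. `const_acrName` switches on `createACR` alone whereas `const_createNewAcr` in the same hunk also requires `useOracleImage`, so with `createACR` true and a user-provided image the generated `acrwlsaks…` name is passed downstream although no registry is created; that is harmless only if the consuming module ignores `acrName` in that case, which this diff does not show. With the `queryStorageAccount` lookup removed, `name_storageAccountName` is now always derived from `utcValue`, so re-running the template against an existing cluster produces a fresh account name on every deployment instead of reusing the attached one; if that is intended, a comment on the var (`// a new storage account name is generated per deployment; existing accounts are no longer looked up`) would save the next maintainer the archaeology.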
@@ -406,7 +346,7 @@ module uamiDeployment 'modules/_uamiAndRoles.bicep' = { module preAzureResourceDeployment './modules/_preDeployedAzureResources.bicep' = { name: 'prerequisite-resources-deployment' params: { - acrName: acrName + acrName: const_acrName acrResourceGroupName: acrResourceGroupName createNewAcr: const_createNewAcr location: location @@ -417,6 +357,7 @@ module preAzureResourceDeployment './modules/_preDeployedAzureResources.bicep' = module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep' = { name: 'validate-parameters-and-fail-fast' params: { + _globalResourceNameSuffix: const_globalResourceNameSuffix acrName: preAzureResourceDeployment.outputs.acrName acrResourceGroupName: preAzureResourceDeployment.outputs.acrResourceGroupName aksAgentPoolNodeCount: aksAgentPoolNodeCount 
@@ -436,26 +377,11 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep enableAppGWIngress: enableAppGWIngress enableCustomSSL: enableCustomSSL enableDNSConfiguration: enableDNSConfiguration - keyVaultName: keyVaultName - keyVaultResourceGroup: keyVaultResourceGroup - keyVaultSSLCertDataSecretName: keyVaultSSLCertDataSecretName - keyVaultSSLCertPasswordSecretName: keyVaultSSLCertPasswordSecretName identity: obj_uamiForDeploymentScript isSSOSupportEntitled: isSSOSupportEntitled location: location ocrSSOPSW: ocrSSOPSW ocrSSOUser: ocrSSOUser - sslConfigurationAccessOption: sslConfigurationAccessOption - sslKeyVaultCustomIdentityKeyStoreDataSecretName: sslKeyVaultCustomIdentityKeyStoreDataSecretName - sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName: sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName - sslKeyVaultCustomIdentityKeyStoreType: sslKeyVaultCustomIdentityKeyStoreType - sslKeyVaultCustomTrustKeyStoreDataSecretName: sslKeyVaultCustomTrustKeyStoreDataSecretName - sslKeyVaultCustomTrustKeyStorePassPhraseSecretName: sslKeyVaultCustomTrustKeyStorePassPhraseSecretName - sslKeyVaultCustomTrustKeyStoreType: sslKeyVaultCustomTrustKeyStoreType - sslKeyVaultName: sslKeyVaultName - sslKeyVaultPrivateKeyAliasSecretName: sslKeyVaultPrivateKeyAliasSecretName - sslKeyVaultPrivateKeyPassPhraseSecretName: sslKeyVaultPrivateKeyPassPhraseSecretName - sslKeyVaultResourceGroup: sslKeyVaultResourceGroup sslUploadedCustomIdentityKeyStoreData: sslUploadedCustomIdentityKeyStoreData sslUploadedCustomIdentityKeyStorePassphrase: sslUploadedCustomIdentityKeyStorePassphrase sslUploadedCustomIdentityKeyStoreType: sslUploadedCustomIdentityKeyStoreType 
@@ -480,99 +406,53 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep ] } -module wlsSSLCertSecretsDeployment 'modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep' = if (enableCustomSSL && sslConfigurationAccessOption != const_wlsSSLCertOptionKeyVault) { - name: 'upload-wls-ssl-cert-to-keyvault' +module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert) { + name: 'auto-generated-ssl-cert-for-app-gateway' params: { - keyVaultName: name_keyVaultName - location: location - sku: keyVaultSku - tagsByResource: _objTagsByResource - wlsIdentityKeyStoreData: sslUploadedCustomIdentityKeyStoreData - wlsIdentityKeyStoreDataSecretName: name_identityKeyStoreDataSecret - wlsIdentityKeyStorePassphrase: sslUploadedCustomIdentityKeyStorePassphrase - wlsIdentityKeyStorePassphraseSecretName: name_identityKeyStorePswSecret - wlsPrivateKeyAlias: sslUploadedPrivateKeyAlias - wlsPrivateKeyAliasSecretName: name_privateKeyAliasSecret - wlsPrivateKeyPassPhrase: sslUploadedPrivateKeyPassPhrase - wlsPrivateKeyPassPhraseSecretName: name_privateKeyPswSecret - wlsTrustKeyStoreData: sslUploadedCustomTrustKeyStoreData - wlsTrustKeyStoreDataSecretName: name_trustKeyStoreDataSecret - wlsTrustKeyStorePassPhrase: sslUploadedCustomTrustKeyStorePassPhrase - wlsTrustKeyStorePassPhraseSecretName: name_trustKeyStorePswSecret - } - dependsOn: [ - validateInputs - ] -} - -// get key vault object in a resource group -resource sslKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = if (enableCustomSSL) { - name: (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultName : name_keyVaultName - scope: resourceGroup(name_rgKeyvaultForWLSSSL) -} - -// If updating an existing aks cluster, query the storage account that is being used. -// Return "null" is no storage account is applied. 
-module queryStorageAccount 'modules/_deployment-scripts/_ds-query-storage-account.bicep' = if (!createAKSCluster) { - name: 'query-existing-storage-account' - params: { - aksClusterName: aksClusterName - aksClusterRGName: aksClusterRGName - azCliVersion: const_azcliVersion - identity: obj_uamiForDeploymentScript - location: location - tagsByResource: _objTagsByResource - } -} - -module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) { - name: 'appgateway-certificates-secrets-deployment' - params: { - backendCertificateDataValue: appGatewaySSLBackendRootCertData - certificateDataValue: appGatewaySSLCertData - certificatePasswordValue: appGatewaySSLCertPassword - enableCustomSSL: enableCustomSSL + _globalResourceNameSuffix: const_globalResourceNameSuffix identity: obj_uamiForDeploymentScript + keyVaultName: 'wlskv${const_globalResourceNameSuffix}' location: location - sku: keyVaultSku + secretName: name_appgwFrontendSSLCertName subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName) - useExistingAppGatewaySSLCertificate: _useExistingAppGatewaySSLCertificate - keyVaultName: name_keyVaultName tagsByResource: _objTagsByResource } dependsOn: [ - wlsSSLCertSecretsDeployment - ] + uamiDeployment + ] } -// To void space overlap with AKS Vnet, must deploy the Applciation Gateway VNet before AKS deployment. +// To void space overlap with AKS VNet, must deploy the Applciation Gateway VNet before AKS deployment. module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress) { name: 'application-gateway-deployment' params: { _pidAppgwEnd: pids.outputs.appgwEnd == '' ? name_defaultPidDeployment : pids.outputs.appgwEnd _pidAppgwStart: pids.outputs.appgwStart == '' ? 
name_defaultPidDeployment : pids.outputs.appgwStart _pidAppgwWithCustomCert: pids.outputs.customCertForAppgw == '' ? name_defaultPidDeployment : pids.outputs.customCertForAppgw - appgwPublicIPAddressName: appGatewayPublicIPAddressName + appgwCertificateOption: appGatewayCertificateOption + appgwName: 'appgw${const_globalResourceNameSuffix}' + appgwPublicIPAddressName: const_appGatewayPublicIPAddressName + appgwSSLBackendRootCertData: appGatewaySSLBackendRootCertData appgwUsePrivateIP: appgwUsePrivateIP - appgwSslCertName: name_appgwFrontendSSLCertName - appgwTrustedRootCertName: name_appgwBackendRootCertName azCliVersion: const_azcliVersion + autoGeneratedSSLCertKeyVaultName: appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert ? autoGeneratedSSLCert.outputs.keyVaultName : '' + autoGeneratedSSLCertSecretName: appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert ? autoGeneratedSSLCert.outputs.secretName : '' dnsNameforApplicationGateway: name_domainLabelforApplicationGateway enableCustomSSL: enableCustomSSL - identity: obj_uamiForDeploymentScript - keyVaultName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultName : appgwSecretDeployment.outputs.keyVaultName - keyVaultResourceGroup: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultResourceGroup : resourceGroup().name - keyvaultBackendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName - keyvaultFrontendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? 
keyVaultSSLCertDataSecretName : appgwSecretDeployment.outputs.sslCertDataSecretName - keyvaultFrontendCertPswSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertPasswordSecretName : appgwSecretDeployment.outputs.sslCertPwdSecretName + identity: obj_uamiForDeploymentScript + nsgName: const_nsgName location: location newOrExistingVnetForApplicationGateway: newOrExistingVnetForApplicationGateway + sslCertData: appGatewaySSLCertData + sslCertificateDeploymentName: name_appgwFrontendSSLCertName + sslCertPswData: appGatewaySSLCertPassword + trustedRootCertificateDeploymentName: name_appgwBackendRootCertName vnetForApplicationGateway: vnetForApplicationGateway vnetRGNameForApplicationGateway: vnetRGNameForApplicationGateway tagsByResource: _objTagsByResource } dependsOn: [ - appgwSecretDeployment + autoGeneratedSSLCert ] } @@ -581,6 +461,7 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.wlsAKSEnd == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSEnd _pidSSLEnd: pids.outputs.sslEnd == '' ? name_defaultPidDeployment : pids.outputs.sslEnd _pidSSLStart: pids.outputs.sslStart == '' ? name_defaultPidDeployment : pids.outputs.sslStart 
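Review bot: The `dependsOn: [ autoGeneratedSSLCert ]` on appgatewayDeployment is redundant, because the `autoGeneratedSSLCertKeyVaultName`/`autoGeneratedSSLCertSecretName` params already reference `autoGeneratedSSLCert.outputs`, which creates the dependency implicitly (the no-unnecessary-dependson lint rule flags this); the same probably applies to `dependsOn: [ uamiDeployment ]` on autoGeneratedSSLCert if `obj_uamiForDeploymentScript` references that module's outputs, which the hunk does not show. The key vault name `'wlskv${const_globalResourceNameSuffix}'` is built inline while the sibling names (`const_aksName`, `const_nsgName`, `const_acrName`) are vars; a `const_keyVaultName` var would keep the naming convention in one place. The rewritten comment still reads `To void space overlap … Applciation Gateway`; it should be `// To avoid address-space overlap with the AKS VNet, the Application Gateway VNet must be deployed before AKS.`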
@@ -594,16 +475,14 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus aksAgentPoolNodeCount: aksAgentPoolNodeCount aksAgentPoolNodeMaxCount: aksAgentPoolNodeMaxCount vmSize: vmSize - aksClusterNamePrefix: aksClusterNamePrefix aksClusterRGName: aksClusterRGName - aksClusterName: aksClusterName + aksClusterName: const_aksName aksVersion: validateInputs.outputs.aksVersion appPackageUrls: appPackageUrls appReplicas: appReplicas azCliVersion: const_azcliVersion cpuPlatform: const_cpuPlatform createAKSCluster: createAKSCluster - createStorageAccount: const_bCreateStorageAccount databaseType: databaseType dbDriverLibrariesUrls: dbDriverLibrariesUrls enableAzureMonitoring: enableAzureMonitoring @@ -648,7 +527,6 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus } dependsOn: [ validateInputs - queryStorageAccount ] } @@ -657,6 +535,7 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.wlsAKSEnd == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSEnd _pidStart: pids.outputs.wlsAKSStart == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSStart aciResourcePermissions: aciResourcePermissions 
@@ -668,16 +547,14 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i aksAgentPoolNodeCount: aksAgentPoolNodeCount aksAgentPoolNodeMaxCount: aksAgentPoolNodeMaxCount vmSize: vmSize - aksClusterNamePrefix: aksClusterNamePrefix aksClusterRGName: aksClusterRGName - aksClusterName: aksClusterName + aksClusterName: const_aksName aksVersion: validateInputs.outputs.aksVersion appPackageUrls: appPackageUrls appReplicas: appReplicas azCliVersion: const_azcliVersion cpuPlatform: const_cpuPlatform createAKSCluster: createAKSCluster - createStorageAccount: const_bCreateStorageAccount databaseType: databaseType dbDriverLibrariesUrls: dbDriverLibrariesUrls enableAzureMonitoring: enableAzureMonitoring 
@@ -706,23 +583,22 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i wlsCPU: wlsCPU wlsDomainName: wlsDomainName wlsDomainUID: wlsDomainUID - wlsIdentityKeyStoreData: sslKeyvault.getSecret(name_identityKeyStoreDataSecret) - wlsIdentityKeyStorePassphrase: sslKeyvault.getSecret(name_identityKeyStorePswSecret) - wlsIdentityKeyStoreType: const_identityKeyStoreType + wlsIdentityKeyStoreData: sslUploadedCustomIdentityKeyStoreData + wlsIdentityKeyStorePassphrase: sslUploadedCustomIdentityKeyStorePassphrase + wlsIdentityKeyStoreType: sslUploadedCustomIdentityKeyStoreType wlsImageTag: wlsImageTag wlsJavaOption: const_wlsJavaOptions wlsMemory: wlsMemory wlsPassword: wlsPassword - wlsPrivateKeyAlias: sslKeyvault.getSecret(name_privateKeyAliasSecret) - wlsPrivateKeyPassPhrase: sslKeyvault.getSecret(name_privateKeyPswSecret) - wlsTrustKeyStoreData: sslKeyvault.getSecret(name_trustKeyStoreDataSecret) - wlsTrustKeyStorePassPhrase: sslKeyvault.getSecret(name_trustKeyStorePswSecret) - wlsTrustKeyStoreType: const_trustKeyStoreType + wlsPrivateKeyAlias: sslUploadedPrivateKeyAlias + wlsPrivateKeyPassPhrase: sslUploadedPrivateKeyPassPhrase + wlsTrustKeyStoreData: sslUploadedCustomTrustKeyStoreData + wlsTrustKeyStorePassPhrase: sslUploadedCustomTrustKeyStorePassPhrase + wlsTrustKeyStoreType: sslUploadedCustomTrustKeyStoreType wlsUserName: wlsUserName } dependsOn: [ - wlsSSLCertSecretsDeployment - queryStorageAccount + validateInputs ] } 
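Review bot: The keystore material (`sslUploadedCustomIdentityKeyStoreData`, both passphrases, the private key alias and its passphrase) is now handed to the module as ordinary parameters instead of `sslKeyvault.getSecret(...)` references; that is only safe if the receiving parameters in `setupWebLogicCluster.bicep` are declared `@secure()`, otherwise the values are recorded in plaintext in the nested deployment's inputs — that module is not in this diff, so please confirm. The `dependsOn: [ validateInputs ]` is redundant: this module already reads `validateInputs.outputs.aksVersion` (context in the `@@ -668` hunk), which establishes the dependency implicitly. A short comment above the keystore params, `// uploaded keystore values are passed straight to the domain deployment; no Key Vault round-trip`, would explain the simplified dependsOn to the next reader.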
@@ -731,6 +607,7 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidNetworkingEnd: pids.outputs.networkingEnd == '' ? name_defaultPidDeployment : pids.outputs.networkingEnd _pidNetworkingStart: pids.outputs.networkingStart == '' ? name_defaultPidDeployment : pids.outputs.networkingStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName @@ -777,8 +654,9 @@ module datasourceDeployment 'modules/_setupDBConnection.bicep' = if (enableDB && params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.dbEnd - _pidStart: pids.outputs.dbStart + _pidStart: pids.outputs.dbStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName azCliVersion: const_azcliVersion @@ -808,6 +686,7 @@ module passwordlessDatasourceDeployment 'modules/_setupPasswordlessDBConnection. params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.pswlessDbEnd _pidStart: pids.outputs.pswlessDbStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName @@ -842,6 +721,7 @@ module validateApplciations 'modules/_deployment-scripts/_ds-validate-applicatio params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: const_globalResourceNameSuffix aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName azCliVersion: const_azcliVersion 
@@ -863,6 +743,7 @@ module horizontalAutoscaling 'modules/_enableAutoScaling.bicep' = if (enableAuto
 params: {
 _pidCPUUtilization: pids.outputs.cpuUtilization
 _pidEnd: pids.outputs.autoScalingEnd
+ _globalResourceNameSuffix: const_globalResourceNameSuffix
 _pidMemoryUtilization: pids.outputs.memoryUtilization
 _pidStart: pids.outputs.autoScalingStart
 _pidWme: pids.outputs.enableWlsMonitoringExporter
@@ -895,6 +776,7 @@ module horizontalAutoscaling 'modules/_enableAutoScaling.bicep' = if (enableAuto
 module queryWLSDomainConfig 'modules/_deployment-scripts/_ds-output-domain-configurations.bicep' = {
 name: 'query-wls-domain-configurations'
 params: {
+ _globalResourceNameSuffix: const_globalResourceNameSuffix
 aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName
 aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName
 azCliVersion: const_azcliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep
index c00bedeaf..3c35a64ce 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep
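Review bot: `_globalResourceNameSuffix: const_globalResourceNameSuffix` in the `horizontalAutoscaling` params block is inserted between `_pidEnd` and `_pidMemoryUtilization`, which breaks the alphabetical ordering the block otherwise follows and that the other modules touched by this commit keep (they place it directly after `_artifactsLocationSasToken`, and `queryWLSDomainConfig` puts it first). Move the line to the top of the block, before `_pidCPUUtilization: pids.outputs.cpuUtilization`, so the addition reads the same in every module. Both `module` declarations start before their hunks.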
@@ -4,21 +4,32 @@
 param _pidAppgwEnd string = 'pid-networking-appgateway-end'
 param _pidAppgwStart string = 'pid-networking-appgateway-start'
 param _pidAppgwWithCustomCert string = 'pid-networking-appgateway-with-custom-certificate'
-param appgwPublicIPAddressName string = 'gwip'
+@allowed([
+ 'haveCert'
+ 'generateCert'
+])
+param appgwCertificateOption string
+param appgwName string
+param appgwPublicIPAddressName string
+@secure()
+param appgwSSLBackendRootCertData string
 param appgwUsePrivateIP bool
-param appgwSslCertName string = 'appGatewaySslCert'
-param appgwTrustedRootCertName string = 'appGatewayTrustedRootCert'
 param azCliVersion string = ''
+param autoGeneratedSSLCertKeyVaultName string
+param autoGeneratedSSLCertSecretName string
 param dnsNameforApplicationGateway string = 'wlsgw'
 param enableCustomSSL bool
 param identity object = {}
-param keyVaultName string = 'kv-contoso'
-param keyVaultResourceGroup string = 'kv-contoso-rg'
-param keyvaultBackendCertDataSecretName string = 'kv-ssl-backend-data'
-param keyvaultFrontendCertDataSecretName string = 'kv-ssl-frontend-data'
-param keyvaultFrontendCertPswSecretName string = 'kv-ssl-frontend-psw'
+param nsgName string
 param location string
 param newOrExistingVnetForApplicationGateway string
+@secure()
+param sslCertData string
+param sslCertificateDeploymentName string
+@secure()
+param sslCertPswData string
+param trustedRootCertificateDeploymentName string
+@secure()
 param vnetForApplicationGateway object
 param vnetRGNameForApplicationGateway string
 @description('${label.tagsLabel}')
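Review bot: The last added `@secure()` in this hunk lands on the unchanged line `param vnetForApplicationGateway object`, not on a new secret parameter, which looks like a misplaced decorator (the line counts in the hunk header confirm it is an added line immediately preceding that context line). A secure object parameter hides a non-secret network setting from deployment history and what-if output, and the consumer `_azure-resoruces/_vnetAppGateway.bicep` later in this diff declares the same parameter without `@secure()`; unless the vnet definition is meant to be treated as sensitive, delete that `@secure()` line. Separately, the new required inputs `appgwCertificateOption`, `appgwName`, `nsgName`, `autoGeneratedSSLCertKeyVaultName`, `autoGeneratedSSLCertSecretName` and the three `@secure()` certificate parameters carry no `@description`, while the neighbouring `tagsByResource` does; one-line descriptions would help since none of them has a default any more.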
@@ -26,10 +37,10 @@ param tagsByResource object
 // To mitigate arm-ttk error: Type Mismatch: Parameter in nested template is defined as string, but the parent template defines it as bool.
 var _appgwUsePrivateIP = appgwUsePrivateIP
-var _selfSignedFrontendCertAndNoBackendCert = empty(keyvaultFrontendCertPswSecretName) && !enableCustomSSL
-var _selfSignedFrontendCertAndBackendCert = empty(keyvaultFrontendCertPswSecretName) && enableCustomSSL
-var _signedFrontendCertAndNoBackendCert = !empty(keyvaultFrontendCertPswSecretName) && !enableCustomSSL
-var _signedFrontendCertAndBackendCert = !empty(keyvaultFrontendCertPswSecretName) && enableCustomSSL
+var _selfSignedFrontendCertAndNoBackendCert = appgwCertificateOption == 'generateCert' && !enableCustomSSL
+var _selfSignedFrontendCertAndBackendCert = appgwCertificateOption == 'generateCert' && enableCustomSSL
+var _signedFrontendCertAndNoBackendCert = appgwCertificateOption == 'haveCert' && !enableCustomSSL
+var _signedFrontendCertAndBackendCert = appgwCertificateOption == 'haveCert' && enableCustomSSL
 var const_null = 'null' // To mitigate arm-ttk error: Parameter-Types-Should-Be-Consistent
 var name_gatewayDeploymentPrefix = 'app-gateway-deployment-'
 var ref_gatewayDeployment = _selfSignedFrontendCertAndNoBackendCert ? appgwDeployment1 : (_selfSignedFrontendCertAndBackendCert ? appgwDeployment2 : _signedFrontendCertAndNoBackendCert ? appgwDeployment3 : appgwDeployment4)
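Review bot: The four `_selfSigned…`/`_signed…` flags are now keyed off `appgwCertificateOption`, whose `@allowed` set (`'haveCert'`, `'generateCert'`) makes exactly one of them true for any valid input, but nothing in the file records that invariant even though the nested ternary in `ref_gatewayDeployment` and the four conditional `appgwDeploymentN` modules depend on it. A comment above `var _selfSignedFrontendCertAndNoBackendCert = …` would make it explicit: `// appgwCertificateOption is restricted to 'haveCert' | 'generateCert', so exactly one of the four flags below is true.`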
@@ -49,14 +60,14 @@ module pidAppgwWithCustomCertificate './_pids/_pid.bicep' = if (_signedFrontendC
 // get key vault object from a resource group
 resource existingKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = {
- name: keyVaultName
- scope: resourceGroup(keyVaultResourceGroup)
+ name: autoGeneratedSSLCertKeyVaultName
 }
 module networkDeployment '_azure-resoruces/_vnetAppGateway.bicep' = {
 name: 'vnet-application-gateway'
 params: {
 location: location
+ nsgName: nsgName
 vnetForApplicationGateway: vnetForApplicationGateway
 tagsByResource: tagsByResource
 }
@@ -85,13 +96,14 @@ module appgwDeployment1 '_azure-resoruces/_appgateway.bicep' = if (_selfSignedFr
 params: {
 dnsNameforApplicationGateway: dnsNameforApplicationGateway
 enableCustomSSL: enableCustomSSL
+ gatewayName: appgwName
 gatewayPublicIPAddressName: appgwPublicIPAddressName
 gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway
- gatewaySslCertName: appgwSslCertName
- gatewayTrustedRootCertName: appgwTrustedRootCertName
+ gatewaySslCertName: sslCertificateDeploymentName
+ gatewayTrustedRootCertName: trustedRootCertificateDeploymentName
 location: location
 noSslCertPsw: true
- sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName)
+ sslCertData: existingKeyvault.getSecret(autoGeneratedSSLCertSecretName)
 sslCertPswData: const_null
 staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : ''
 trustedRootCertData: const_null
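Review bot: The comment `// get key vault object from a resource group` is now inaccurate: the `scope: resourceGroup(keyVaultResourceGroup)` line is removed, so `existingKeyvault` resolves `autoGeneratedSSLCertKeyVaultName` in the deployment's own resource group only. Reword it, e.g. `// Key Vault in this resource group holding the auto-generated gateway certificate; only read when appgwCertificateOption == 'generateCert'`. The `existing` reference is declared unconditionally but only dereferenced through `getSecret()` inside the `generateCert` module deployments, so please confirm that a caller choosing `haveCert` can pass a placeholder vault name without the deployment failing to resolve it.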
@@ -108,16 +120,17 @@ module appgwDeployment2 '_azure-resoruces/_appgateway.bicep' = if (_selfSignedFr
 params: {
 dnsNameforApplicationGateway: dnsNameforApplicationGateway
 enableCustomSSL: enableCustomSSL
+ gatewayName: appgwName
 gatewayPublicIPAddressName: appgwPublicIPAddressName
 gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway
- gatewaySslCertName: appgwSslCertName
- gatewayTrustedRootCertName: appgwTrustedRootCertName
+ gatewaySslCertName: sslCertificateDeploymentName
+ gatewayTrustedRootCertName: trustedRootCertificateDeploymentName
 location: location
 noSslCertPsw: true
- sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName)
+ sslCertData: existingKeyvault.getSecret(autoGeneratedSSLCertSecretName)
 sslCertPswData: const_null
 staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : ''
- trustedRootCertData: existingKeyvault.getSecret(keyvaultBackendCertDataSecretName)
+ trustedRootCertData: appgwSSLBackendRootCertData
 usePrivateIP: appgwUsePrivateIP
 tagsByResource: tagsByResource
 }
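Review bot: `trustedRootCertData: appgwSSLBackendRootCertData` here, and `sslCertData: sslCertData` / `sslCertPswData: sslCertPswData` in the following `appgwDeployment3` and `appgwDeployment4` hunks, replace Key Vault `getSecret()` references with direct parameter forwarding, so the PFX blob and its password now travel inside the nested deployment's parameter set. The sending parameters are `@secure()` in this file, but that only protects the value if `_azure-resoruces/_appgateway.bicep` also declares `sslCertData`, `sslCertPswData` and `trustedRootCertData` with `@secure()`; its parameter block is outside this diff (only `var const_sslCertPsw = (noSslCertPsw) ? '' : sslCertPswData` is visible), so please confirm, otherwise the certificate password is persisted in deployment history. The `appgwDeployment2` module declaration starts before this hunk.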
@@ -131,13 +144,14 @@ module appgwDeployment3 '_azure-resoruces/_appgateway.bicep' = if (_signedFronte
 params: {
 dnsNameforApplicationGateway: dnsNameforApplicationGateway
 enableCustomSSL: enableCustomSSL
+ gatewayName: appgwName
 gatewayPublicIPAddressName: appgwPublicIPAddressName
 gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway
- gatewaySslCertName: appgwSslCertName
- gatewayTrustedRootCertName: appgwTrustedRootCertName
+ gatewaySslCertName: sslCertificateDeploymentName
+ gatewayTrustedRootCertName: trustedRootCertificateDeploymentName
 location: location
- sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName)
- sslCertPswData: existingKeyvault.getSecret(keyvaultFrontendCertPswSecretName)
+ sslCertData: sslCertData
+ sslCertPswData: sslCertPswData
 staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : ''
 trustedRootCertData: const_null
 usePrivateIP: appgwUsePrivateIP
@@ -153,15 +167,16 @@ module appgwDeployment4 '_azure-resoruces/_appgateway.bicep' = if (_signedFronte
 params: {
 dnsNameforApplicationGateway: dnsNameforApplicationGateway
 enableCustomSSL: enableCustomSSL
+ gatewayName: appgwName
 gatewayPublicIPAddressName: appgwPublicIPAddressName
 gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway
- gatewaySslCertName: appgwSslCertName
- gatewayTrustedRootCertName: appgwTrustedRootCertName
+ gatewaySslCertName: sslCertificateDeploymentName
+ gatewayTrustedRootCertName: trustedRootCertificateDeploymentName
 location: location
- sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName)
- sslCertPswData: existingKeyvault.getSecret(keyvaultFrontendCertPswSecretName)
+ sslCertData: sslCertData
+ sslCertPswData: sslCertPswData
 staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : ''
- trustedRootCertData: existingKeyvault.getSecret(keyvaultBackendCertDataSecretName)
+ trustedRootCertData: appgwSSLBackendRootCertData
 usePrivateIP: appgwUsePrivateIP
 tagsByResource: tagsByResource
 }
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep
index 6a329db5f..297f81567 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep
@@ -1,16 +1,13 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param acrNamePrefix string = 'wlsaksacr'
+param acrName string
 param location string
 @description('${label.tagsLabel}')
 param tagsByResource object
-param utcValue string = utcNow()
-
-var name_acr = '${acrNamePrefix}${uniqueString(utcValue)}'
 resource registries 'Microsoft.ContainerRegistry/registries@${azure.apiVersionForContainerRegistries}' = {
- name: name_acr
+ name: acrName
 location: location
 sku: {
 name: 'Standard'
@@ -43,4 +40,4 @@ resource registries 'Microsoft.ContainerRegistry/registries@${azure.apiVersionFo
 tags: tagsByResource['${identifier.registries}']
 }
-output acrName string = name_acr
+output acrName string = acrName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep
index 8eb08964d..a1e52608e 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep
@@ -20,7 +20,7 @@ param aksAgentPoolNodeMaxCount int = 5
 @description('The size of the virtual machines that will form the nodes in the cluster. This cannot be changed after creating the cluster')
 param aksAgentPoolVMSize string = 'Standard_DS2_v2'
 @description('Prefix for cluster name. Only The name can contain only letters, numbers, underscores and hyphens. The name must start with letter or number.')
-param aksClusterNamePrefix string = 'wlsonaks'
+param aksClusterName string
 param aksVersion string = 'default'
 @description('In addition to the CPU and memory metrics included in AKS by default, you can enable Container Insights for more comprehensive data on the overall performance and health of your cluster. Billing is based on data ingestion and retention settings.')
 param enableAzureMonitoring bool = false
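Review bot: `output acrName string = acrName` echoes the input parameter rather than the deployed resource; `output acrName string = registries.name` yields the same value while tying the output to the `registries` resource, and the same applies to `output appGatewayName string = gatewayName` in `_azure-resoruces/_appgateway.bicep` later in this diff. With `utcValue` and `name_acr` gone, `acrName` is also a required parameter with no `@description`, unlike `tagsByResource` next to it; a one-liner such as `@description('Name of the Azure Container Registry to create')` would document the new contract. The `registries` resource body starts before the second hunk.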
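Review bot: The `@description` kept above `param aksClusterName string` still reads `Prefix for cluster name. Only The name can contain only letters, …`, but the parameter is now the full cluster name (the `uniqueString` suffix logic is removed elsewhere in this commit), so the first clause is stale and the doubled "Only … only" was already awkward. Replace it with `@description('Name of the AKS cluster. The name can contain only letters, numbers, underscores and hyphens, and must start with a letter or number.')`.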
@@ -32,7 +32,6 @@ param utcValue string = utcNow()
 var const_aksAgentPoolOSDiskSizeGB = 128
 var name_aciWorkspace = 'Workspace-${guid(utcValue)}-${location}'
 // Generate a unique AKS name scoped to subscription.
-var name_aksClusterNameForSV = '${aksClusterNamePrefix}${uniqueString(utcValue)}'
 var obj_aciDisableOmsAgent = {
 enabled: false
 }
@@ -61,12 +60,12 @@ resource azureMonitoringWorkspace 'Microsoft.OperationalInsights/workspaces@${az
 }
 resource aksCluster 'Microsoft.ContainerService/managedClusters@${azure.apiVersionForManagedClusters}' = {
- name: name_aksClusterNameForSV
+ name: aksClusterName
 location: location
 tags: tagsByResource['${identifier.managedClusters}']
 properties: {
 kubernetesVersion: aksVersion
- dnsPrefix: '${name_aksClusterNameForSV}-dns'
+ dnsPrefix: '${aksClusterName}-dns'
 agentPoolProfiles: [
 {
 name: aksAgentPoolName
@@ -109,5 +108,4 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@${azure.apiVersi
 }
 }
-output aksClusterName string = name_aksClusterNameForSV
 output aksNodeRgName string = aksCluster.properties.nodeResourceGroup
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
index f0672f62c..beaa9cad8 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
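Review bot: The comment `// Generate a unique AKS name scoped to subscription.` is now orphaned: the line it described, `var name_aksClusterNameForSV = …`, is deleted directly beneath it, so it reads as if it annotates `var obj_aciDisableOmsAgent`. Delete it here, or move it to wherever the caller now composes `aksClusterName`. The last hunk of this file also removes `output aksClusterName`, so every consumer of this module's `outputs.aksClusterName` must have been updated; the parent template in this diff reads `ref_wlsDomainDeployment.outputs.aksClusterName`, which appears to be a different module, but it is worth a search.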
@@ -4,8 +4,9 @@
 @description('DNS for ApplicationGateway')
 param dnsNameforApplicationGateway string = take('wlsgw${uniqueString(utcValue)}', 63)
 param enableCustomSSL bool = false
+param gatewayName string
 @description('Public IP Name for the Application Gateway')
-param gatewayPublicIPAddressName string = 'gwip'
+param gatewayPublicIPAddressName string
 param gatewaySubnetId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resourcegroupname/providers/Microsoft.Network/virtualNetworks/vnetname/subnets/subnetname'
 param gatewaySslCertName string = 'appGatewaySslCert'
 param gatewayTrustedRootCertName string = 'appGatewayTrustedRootCert'
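Review bot: `param gatewayName string` is added without a `@description`, while the adjacent `gatewayPublicIPAddressName` and `dnsNameforApplicationGateway` each carry one; since it is a new required input with no default and is also used to build the `resourceId(...)` references further down the file, add `@description('Name of the Application Gateway resource')` above it.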
@@ -24,18 +25,17 @@ param tagsByResource object
 param utcValue string = utcNow()
 var const_sslCertPsw = (noSslCertPsw) ? '' : sslCertPswData
-var name_appGateway = 'appgw${uniqueString(utcValue)}'
 var name_backendAddressPool = 'myGatewayBackendPool'
 var name_frontEndIPConfig = 'appGwPublicFrontendIp'
 var name_frontEndPrivateIPConfig = 'appGwPrivateFrontendIp'
 var name_httpListener = 'HTTPListener'
 var name_httpPort = 'httpport'
 var name_httpSetting = 'myHTTPSetting'
-var ref_backendAddressPool = resourceId('Microsoft.Network/applicationGateways/backendAddressPools', name_appGateway, name_backendAddressPool)
-var ref_backendHttpSettings = resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', name_appGateway, name_httpSetting)
-var ref_frontendHTTPPort = resourceId('Microsoft.Network/applicationGateways/frontendPorts', name_appGateway, name_httpPort)
-var ref_frontendIPConfiguration = resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', name_appGateway, name_frontEndIPConfig)
-var ref_httpListener = resourceId('Microsoft.Network/applicationGateways/httpListeners', name_appGateway, name_httpListener)
+var ref_backendAddressPool = resourceId('Microsoft.Network/applicationGateways/backendAddressPools', gatewayName, name_backendAddressPool)
+var ref_backendHttpSettings = resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', gatewayName, name_httpSetting)
+var ref_frontendHTTPPort = resourceId('Microsoft.Network/applicationGateways/frontendPorts', gatewayName, name_httpPort)
+var ref_frontendIPConfiguration = resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', gatewayName, name_frontEndIPConfig)
+var ref_httpListener = resourceId('Microsoft.Network/applicationGateways/httpListeners', gatewayName, name_httpListener)
 var ref_publicIPAddress = resourceId('Microsoft.Network/publicIPAddresses', gatewayPublicIPAddressName)
 var obj_backendTrustedRootCerts = [
 {
@@ -96,7 +96,7 @@ resource gatewayPublicIP 'Microsoft.Network/publicIPAddresses@${azure.apiVersion
 }
 resource wafv2AppGateway 'Microsoft.Network/applicationGateways@${azure.apiVersionForApplicationGateways}' = {
- name: name_appGateway
+ name: gatewayName
 location: location
 tags: union(tagsByResource['${identifier.applicationGateways}'], obj_tagIngress)
 properties: {
@@ -197,6 +197,6 @@ resource wafv2AppGateway 'Microsoft.Network/applicationGateways@${azure.apiVersi
 output appGatewayAlias string = usePrivateIP ? staticPrivateFrontentIP : reference(gatewayPublicIP.id).dnsSettings.fqdn
 output appGatewayId string = wafv2AppGateway.id
-output appGatewayName string = name_appGateway
+output appGatewayName string = gatewayName
 output appGatewayURL string = uri(format('http://{0}/', usePrivateIP ? staticPrivateFrontentIP : reference(gatewayPublicIP.id).dnsSettings.fqdn), '')
 output appGatewaySecuredURL string = uri(format('https://{0}/', usePrivateIP ? staticPrivateFrontentIP : reference(gatewayPublicIP.id).dnsSettings.fqdn), '')
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep
similarity index 96%
rename from weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep
rename to weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep
index e785e12d2..c7f4022f2 100644
--- a/webl​ogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep
@@ -1,11 +1,12 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSuffix string
 @description('Managed identity to be used for the deployment script. Currently, only user-assigned MSI is supported.')
 param identity object = {}
 @description('Used to name the new Azure Key Vault resoure.')
-param keyVaultName string = 'wls-kv-${uniqueString(utcValue)}'
+param keyVaultName string = 'wlskv${uniqueString(utcValue)}'
 param location string
@@ -58,11 +59,12 @@ resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = {
 enabledForDiskEncryption: false
 enabledForTemplateDeployment: true
 enableSoftDelete: true
+ enableRbacAuthorization: false
 }
 }
 resource createAddCertificate 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-create-add-appgw-certificate'
+ name: 'ds-create-add-appgw-certificate-${_globalResourceNameSuffix}'
 location: location
 identity: identity
 kind: 'AzurePowerShell'
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep
deleted file mode 100644
index 77e495329..000000000
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep
+++ /dev/null
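Review bot: `enableRbacAuthorization: false` explicitly pins the new vault to the legacy access-policy permission model, and the reason is not recorded, so a reader moving the project to Azure RBAC later cannot tell whether the `createAddCertificate` deployment script relies on an access policy granted to its `identity`. Add a comment above the line, e.g. `// Access-policy model: the createAddCertificate script identity is authorized through accessPolicies rather than RBAC` (adjust if that is not the actual reason), or switch to RBAC and grant the role explicitly if that is viable. The `keyvault` resource starts before this hunk.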
@@ -1,57 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -@description('Secret name of certificate data.') -param certificateDataName string = newGuid() - -@description('Certificate data to store in the secret') -param certificateDataValue string = newGuid() - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true - -@description('Name of the vault') -param keyVaultName string - -param location string - -@description('Price tier for Key Vault.') -param sku string = 'Standard' - -@description('${label.tagsLabel}') -param tagsByResource object - -param utcValue string = utcNow() - -var obj_extraTag= { - 'created-by-azure-weblogic': utcValue -} - -resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location - properties: { - accessPolicies: [] - enabledForTemplateDeployment: enabledForTemplateDeployment - sku: { - name: sku - family: 'A' - } - tenantId: subscription().tenantId - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) -} - -resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${certificateDataName}' - properties: { - value: certificateDataValue - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) - dependsOn: [ - keyvault - ] -} - -output keyVaultName string = keyVaultName -output sslBackendCertDataSecretName string = certificateDataName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep deleted file mode 100644 index 93893d289..000000000 
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep +++ /dev/null 
@@ -1,116 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true -@description('Name of the vault') -param keyVaultName string -param location string -@description('Price tier for Key Vault.') -param sku string = 'Standard' -@description('${label.tagsLabel}') -param tagsByResource object -param utcValue string = utcNow() -@secure() -param wlsIdentityKeyStoreData string = newGuid() -param wlsIdentityKeyStoreDataSecretName string = 'myIdentityKeyStoreData' -@secure() -param wlsIdentityKeyStorePassphrase string = newGuid() -param wlsIdentityKeyStorePassphraseSecretName string = 'myIdentityKeyStorePsw' -@secure() -param wlsPrivateKeyAlias string = newGuid() -param wlsPrivateKeyAliasSecretName string = 'privateKeyAlias' -@secure() -param wlsPrivateKeyPassPhrase string = newGuid() -param wlsPrivateKeyPassPhraseSecretName string = 'privateKeyPsw' -@secure() -param wlsTrustKeyStoreData string = newGuid() -param wlsTrustKeyStoreDataSecretName string = 'myTrustKeyStoreData' -@secure() -param wlsTrustKeyStorePassPhrase string = newGuid() -param wlsTrustKeyStorePassPhraseSecretName string = 'myTrustKeyStorePsw' - -var obj_extraTag= { - 'created-by-azure-weblogic': utcValue -} - -resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location - properties: { - accessPolicies: [] - enabledForTemplateDeployment: enabledForTemplateDeployment - sku: { - name: sku - family: 'A' - } - tenantId: subscription().tenantId - } - tags: union(tagsByResource['${identifier.vaults}'],obj_extraTag) -} - -resource identityKeyStoreDataSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: 
'${keyVaultName}/${wlsIdentityKeyStoreDataSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsIdentityKeyStoreData - } - dependsOn: [ - keyvault - ] -} - -resource identityKeyStorePswSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsIdentityKeyStorePassphraseSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsIdentityKeyStorePassphrase - } - dependsOn: [ - keyvault - ] -} - -resource privateKeyAliasSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsPrivateKeyAliasSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsPrivateKeyAlias - } - dependsOn: [ - keyvault - ] -} - -resource privateKeyPswSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsPrivateKeyPassPhraseSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsPrivateKeyPassPhrase - } - dependsOn: [ - keyvault - ] -} - -resource trustKeyStoreDataSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsTrustKeyStoreDataSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsTrustKeyStoreData - } - dependsOn: [ - keyvault - ] -} - -resource trustKeyStorePswSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsTrustKeyStorePassPhraseSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsTrustKeyStorePassPhrase - } - dependsOn: [ - keyvault - ] -} 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep deleted file mode 100644 index 155c97432..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -@description('Secret name of certificate data.') -param certificateDataName string = 'myIdentityKeyStoreData' - -@description('Certificate data to store in the secret') -param certificateDataValue string = newGuid() - -@description('Secret name of certificate password.') -param certificatePswSecretName string = 'myIdentityKeyStorePsw' - -@secure() -@description('Certificate password to store in the secret') -param certificatePasswordValue string = newGuid() - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true - -@description('Name of the vault') -param keyVaultName string = 'kv-contoso' - -param location string - -@description('Price tier for Key Vault.') -param sku string = 'Standard' - -@description('${label.tagsLabel}') -param tagsByResource object - -param utcValue string = utcNow() - -var obj_extraTag= { - 'created-by-azure-weblogic': utcValue -} - -resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location - properties: { - accessPolicies: [] - enabledForTemplateDeployment: enabledForTemplateDeployment - sku: { - name: sku - family: 'A' - } - tenantId: subscription().tenantId - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) -} - -resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVault}' = { - name: '${keyVaultName}/${certificateDataName}' - properties: { - value: certificateDataValue - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) - dependsOn: [ - keyvault - ] -} - -resource secretForCertPassword 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: 
'${keyVaultName}/${certificatePswSecretName}' - properties: { - value: certificatePasswordValue - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) - dependsOn: [ - keyvault - ] -} - -output keyVaultName string = keyVaultName -output sslCertDataSecretName string = certificateDataName -output sslCertPwdSecretName string = certificatePswSecretName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep deleted file mode 100644 index 153b93f38..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep +++ /dev/null 
@@ -1,100 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -// Deploy Application Gateway certificate secrets. - -@description('Backend certificate data to store in the secret') -param backendCertificateDataValue string = newGuid() - -@description('Certificate data to store in the secret') -param certificateDataValue string = newGuid() - -@secure() -@description('Certificate password to store in the secret') -param certificatePasswordValue string = newGuid() - -@description('true to upload trusted root certificate') -param enableCustomSSL bool = false - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true - -param identity object = {} -param location string -param permission object = { - certificates: [ - 'get' - 'list' - 'update' - 'create' - ] -} - -@description('Price tier for Key Vault.') -param sku string = 'Standard' - -@description('Subject name to create a certificate.') -param subjectName string = '' - -@description('If false, will create a certificate.') -param useExistingAppGatewaySSLCertificate bool = false - -@description('Current deployment time. 
Used as a tag in deployment script.') -param keyVaultName string = 'GEN_UNIQUE' - -@description('${label.tagsLabel}') -param tagsByResource object - -var name_sslBackendCertSercretName= 'myAppGatewaySSLBackendRootCert' -var name_sslCertSecretName = 'myAppGatewaySSLCert' -var name_sslCertPasswordSecretName = 'myAppGatewaySSLCertPassword' - -module keyVaultwithSelfSignedAppGatewaySSLCert '_keyvault/_keyvaultWithNewCert.bicep' = if (!useExistingAppGatewaySSLCertificate) { - name: 'kv-appgw-selfsigned-certificate-deployment' - params: { - identity: identity - keyVaultName: keyVaultName - location: location - permission: permission - subjectName: subjectName - sku: sku - tagsByResource: tagsByResource - } -} - -module keyVaultwithExistingAppGatewaySSLCert '_keyvault/_keyvaultWithExistingCert.bicep' = if (useExistingAppGatewaySSLCertificate) { - name: 'kv-appgw-existing-certificate-deployment' - params: { - certificateDataName: name_sslCertSecretName - certificateDataValue: certificateDataValue - certificatePswSecretName: name_sslCertPasswordSecretName - certificatePasswordValue: certificatePasswordValue - enabledForTemplateDeployment: enabledForTemplateDeployment - keyVaultName: keyVaultName - location: location - sku: sku - tagsByResource: tagsByResource - } -} - -module keyvaultBackendRootCert '_keyvault/_keyvaultForGatewayBackendCert.bicep' = if (enableCustomSSL) { - name: 'kv-appgw-e2e-ssl-backend-certificate' - params:{ - certificateDataName: name_sslBackendCertSercretName - certificateDataValue: backendCertificateDataValue - enabledForTemplateDeployment: enabledForTemplateDeployment - keyVaultName: keyVaultName - location: location - sku: sku - tagsByResource: tagsByResource - } - dependsOn:[ - keyVaultwithSelfSignedAppGatewaySSLCert - keyVaultwithExistingAppGatewaySSLCert - ] -} - -output keyVaultName string = (useExistingAppGatewaySSLCertificate ? 
keyVaultwithExistingAppGatewaySSLCert.outputs.keyVaultName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.keyVaultName)
-output sslCertDataSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertDataSecretName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.secretName)
-output sslCertPwdSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertPwdSecretName: '')
-output sslBackendCertDataSecretName string = (enableCustomSSL) ? keyvaultBackendRootCert.outputs.sslBackendCertDataSecretName : ''
-
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep
index 015998942..2a5badc4e 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep
@@ -2,6 +2,7 @@
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 param location string
+param nsgName string
 param vnetForApplicationGateway object = {
 name: 'wlsaks-app-gateway-vnet'
 resourceGroup: resourceGroup().name
@@ -25,7 +26,6 @@ param utcValue string = utcNow()
 var const_subnetAddressPrefixes = vnetForApplicationGateway.subnets.gatewaySubnet.addressPrefix
 var const_vnetAddressPrefixes = vnetForApplicationGateway.addressPrefixes
 var const_newVnet = (vnetForApplicationGateway.newOrExisting == 'new') ? true : false
-var name_nsg = 'wlsaks-nsg-${uniqueString(utcValue)}'
 var name_subnet = vnetForApplicationGateway.subnets.gatewaySubnet.name
 var name_vnet = vnetForApplicationGateway.name
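Review bot: With `var name_nsg = 'wlsaks-nsg-${uniqueString(utcValue)}'` removed, `param utcValue string = utcNow()` (the line in this hunk's header) may no longer have a reader in `_vnetAppGateway.bicep`; if nothing else references it, drop the parameter so the no-unused-params linter rule stays clean. `param nsgName string` is also added next to `param location string` without a `@description`; since the NSG resource further down is conditional on `const_newVnet`, a line such as `@description('Name of the network security group created for the gateway subnet; only used when a new VNet is deployed')` would record when the value is actually consumed.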
@@ -43,7 +43,7 @@ resource existingSubnet 'Microsoft.Network/virtualNetworks/subnets@${azure.apiVe // Create new network security group. resource nsg 'Microsoft.Network/networkSecurityGroups@${azure.apiVersionForNetworkSecurityGroups}' = if (const_newVnet) { - name: name_nsg + name: nsgName location: location tags: tagsByResource['${identifier.networkSecurityGroups}'] properties: { diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep index 79b4d6c8b..901fe4f83 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep @@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSuffix string param appgwAlias string = 'appgw-contoso-alias' param appgwName string = 'appgw-contoso' @@ -46,7 +47,7 @@ var const_primaryScript = 'setupNetworking.sh' var const_utilityScript = 'utility.sh' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-networking-deployment' + name: 'ds-networking-deployment-${_globalResourceNameSuffix}' location: location kind: 'AzureCLI' identity: identity diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep index 0f5ee2734..2db8542ca 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep 
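Review bot: `param _globalResourceNameSuffix string` is introduced here and in sixteen other modules in this diff (`_ds-create-wls-cluster`, `_ds-datasource-connection`, `_ds-output-domain-configurations`, `_ds-validate-applications`, `_ds-validate-parameters`, `_ds_enable_hpa`, `_ds_enable_prometheus_metrics`, `_ds_install_agic`, `_ds_validate_agic`, `_enableAutoScaling`, `_enablePromethuesKeda`, `_globalUamiAndRoles`, `_roleAssignmentinRgScope`, `_setupDBConnection`, `_setupPasswordlessDBConnection`, `networking`) without a `@description` or any length constraint, although it ends up inside resource names (`ds-networking-deployment-…`, `ama…`, `kedauami…`, the managed identity name) and inside `guid()` seeds for role assignments. A decorator pair such as `@minLength(1)` and `@description('Suffix appended to resource and deployment names so that resources from different deployments do not collide; generated by the root template.')` on each declaration states the contract and rejects an empty suffix, which would otherwise silently restore the pre-change names. Where the root template generates the value is not in this diff.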
@@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSuffix string param aksClusterRGName string = '' param aksClusterName string = '' @@ -82,7 +83,7 @@ var const_updateDomainConfigScript= 'updateDomainConfig.sh' var const_utilityScript= 'utility.sh' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-wls-cluster-creation' + name: 'ds-wls-cluster-creation-${_globalResourceNameSuffix}' location: location kind: 'AzureCLI' identity: identity diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep index 4d01b280a..19d5678d3 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep @@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSuffix string param aksClusterName string param aksClusterRGName string @@ -38,7 +39,7 @@ var const_scriptLocation = uri(_artifactsLocation, 'scripts/') var const_utilityScript= 'utility.sh' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-wls-db-connection' + name: 'ds-wls-db-connection-${_globalResourceNameSuffix}' location: location kind: 'AzureCLI' identity: identity diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep index 0b6602183..d86fc1353 100644 
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSuffix string param aksClusterRGName string = '' param aksClusterName string = '' param azCliVersion string = '' @@ -18,7 +19,7 @@ var base64_queryDomainConfigurations = loadFileAsBase64('../../../arm/scripts/in var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-query-wls-configurations' + name: 'ds-query-wls-configurations-${_globalResourceNameSuffix}' location: location kind: 'AzureCLI' identity: identity diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep deleted file mode 100644 index 14169e422..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep +++ /dev/null 
@@ -1,45 +0,0 @@ -// Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -param aksClusterName string = '' -param aksClusterRGName string = '' -param azCliVersion string = '' - -param identity object = {} -param location string -@description('${label.tagsLabel}') -param tagsByResource object -param utcValue string = utcNow() - -// To mitigate arm-ttk error: Unreferenced variable: $fxv#0 -var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') -var base64_queryStorageAccount = loadFileAsBase64('../../../arm/scripts/queryStorageAccount.sh') -var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') -var const_deploymentName = 'ds-query-storage-account' - -resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: const_deploymentName - location: location - kind: 'AzureCLI' - identity: identity - tags: tagsByResource['${identifier.deploymentScripts}'] - properties: { - azCliVersion: azCliVersion - environmentVariables: [ - { - name: 'AKS_CLUSTER_NAME' - value: aksClusterName - } - { - name: 'AKS_CLUSTER_RESOURCEGROUP_NAME' - value: aksClusterRGName - } - ] - scriptContent: format('{0}\r\n\r\n{1}\r\n\r\n{2}',base64ToString(base64_common), base64ToString(base64_utility), base64ToString(base64_queryStorageAccount)) - cleanupPreference: 'OnSuccess' - retentionInterval: 'P1D' - forceUpdateTag: utcValue - } -} - -output storageAccount string = string(deploymentScript.properties.outputs.storageAccount) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep index 8b4c61ba6..ff4568f73 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep 
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep @@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSuffix string param aksClusterRGName string = '' param aksClusterName string = '' @@ -26,7 +27,7 @@ var const_utilityScript= 'utility.sh' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-wls-validate-applications' + name: 'ds-wls-validate-applications-${_globalResourceNameSuffix}' location: location kind: 'AzureCLI' identity: identity diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep index e2fe320bb..c865a2e6a 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2021, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSuffix string param acrName string param acrResourceGroupName string param aksAgentPoolNodeCount int 
@@ -21,27 +22,12 @@ param dnszoneRGName string param enableAppGWIngress bool param enableCustomSSL bool param enableDNSConfiguration bool -param keyVaultName string -param keyVaultResourceGroup string -param keyVaultSSLCertDataSecretName string -param keyVaultSSLCertPasswordSecretName string param identity object = {} param isSSOSupportEntitled bool param location string @secure() param ocrSSOPSW string param ocrSSOUser string -param sslConfigurationAccessOption string -param sslKeyVaultCustomIdentityKeyStoreDataSecretName string -param sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName string -param sslKeyVaultCustomIdentityKeyStoreType string -param sslKeyVaultCustomTrustKeyStoreDataSecretName string -param sslKeyVaultCustomTrustKeyStorePassPhraseSecretName string -param sslKeyVaultCustomTrustKeyStoreType string -param sslKeyVaultName string -param sslKeyVaultPrivateKeyAliasSecretName string -param sslKeyVaultPrivateKeyPassPhraseSecretName string -param sslKeyVaultResourceGroup string @secure() param sslUploadedCustomIdentityKeyStoreData string @secure() 
@@ -71,9 +57,9 @@ param wlsImageTag string var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') var base64_validateParameters = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateParameters.sh') -var const_arguments = '${location} ${createAKSCluster} ${aksAgentPoolVMSize} ${aksAgentPoolNodeCount} ${useOracleImage} ${wlsImageTag} ${userProvidedImagePath} ${enableCustomSSL} ${sslConfigurationAccessOption} ${appGatewayCertificateOption} ${enableAppGWIngress} ${const_checkDNSZone}' +var const_arguments = '${location} ${createAKSCluster} ${aksAgentPoolVMSize} ${aksAgentPoolNodeCount} ${useOracleImage} ${wlsImageTag} ${userProvidedImagePath} ${enableCustomSSL} ${appGatewayCertificateOption} ${enableAppGWIngress} ${const_checkDNSZone}' var const_checkDNSZone = enableDNSConfiguration && !createDNSZone -var const_deploymentName = 'ds-validate-parameters-and-fail-fast' +var const_deploymentName = 'ds-validate-parameters-and-fail-fast-${_globalResourceNameSuffix}' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { name: const_deploymentName 
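Review bot: `const_arguments` drops `${sslConfigurationAccessOption}` from the middle of a positional list handed to `validateParameters.sh`, so every positional parameter after the eighth (`appGatewayCertificateOption`, `enableAppGWIngress`, `const_checkDNSZone`) moves up by one; the script is not in this diff, so its positional references need to be checked in the same change. Because the list is whitespace-separated and unquoted, a value such as `userProvidedImagePath` or `wlsImageTag` containing a space would also shift the later indices; passing these through `environmentVariables` like the rest of the inputs, or at least documenting the coupling with `// positional args for validateParameters.sh: order must match the script` above the line, would make the contract explicit. The `deploymentScript` resource that consumes `const_arguments` continues outside the hunk.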
@@ -129,46 +115,6 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers name: 'APP_REPLICAS' value: appReplicas } - { - name: 'WLS_SSL_KEYVAULT_NAME' - value: sslKeyVaultName - } - { - name: 'WLS_SSL_KEYVAULT_RESOURCEGROUP_NAME' - value: sslKeyVaultResourceGroup - } - { - name: 'WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME' - value: sslKeyVaultCustomIdentityKeyStoreDataSecretName - } - { - name: 'WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME' - value: sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName - } - { - name: 'WLS_SSL_KEYVAULT_IDENTITY_TYPE' - value: sslKeyVaultCustomIdentityKeyStoreType - } - { - name: 'WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME' - value: sslKeyVaultCustomTrustKeyStoreDataSecretName - } - { - name: 'WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME' - value: sslKeyVaultCustomTrustKeyStorePassPhraseSecretName - } - { - name: 'WLS_SSL_KEYVAULT_TRUST_TYPE' - value: sslKeyVaultCustomTrustKeyStoreType - } - { - name: 'WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS' - value: sslKeyVaultPrivateKeyAliasSecretName - } - { - name: 'WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD' - value: sslKeyVaultPrivateKeyPassPhraseSecretName - } { name: 'WLS_SSL_IDENTITY_DATA' secureValue: sslUploadedCustomIdentityKeyStoreData @@ -201,22 +147,6 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers name: 'WLS_SSL_PRIVATE_KEY_PASSWORD' secureValue: sslUploadedPrivateKeyPassPhrase } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_NAME' - value: keyVaultName - } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_RESOURCEGROUP' - value: keyVaultResourceGroup - } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME' - value: keyVaultSSLCertDataSecretName - } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME' - value: keyVaultSSLCertPasswordSecretName - } { name: 'APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA' value: appGatewaySSLCertData 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep index e22d6f80a..ec3571b0f 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2024, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSuffix string param aksClusterName string param aksClusterRGName string param azCliVersion string @@ -22,7 +23,7 @@ param wlsNamespace string var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableHpa.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') -var const_deploymentName='ds-enable-hpa' +var const_deploymentName='ds-enable-hpa-${_globalResourceNameSuffix}' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { name: const_deploymentName @@ -52,11 +53,11 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers } { name: 'UTILIZATION_PERCENTAGE' - value: utilizationPercentage + value: string(utilizationPercentage) } { name: 'WLS_CLUSTER_SIZE' - value: wlsClusterSize + value: string(wlsClusterSize) } { name: 'WLS_NAMESPACE' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep index a721a9573..3be6c611a 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep 
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2024, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSuffix string param aksClusterName string param aksClusterRGName string param amaName string @@ -23,7 +24,7 @@ param workspaceId string var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enablePrometheusMetrics.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') -var const_deploymentName = 'ds-enable-promethues-metrics' +var const_deploymentName = 'ds-enable-promethues-metrics-${_globalResourceNameSuffix}' var const_kedaNamespace= 'keda' var const_kedaSa= 'keda-operator' @@ -71,7 +72,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers } { name: 'WLS_CLUSTER_SIZE' - value: wlsClusterSize + value: string(wlsClusterSize) } { name: 'WLS_ADMIN_PASSWORD' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep index eaa9cfd27..e42042a66 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep 
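Review bot: The rewritten `const_deploymentName` line keeps the `promethues` misspelling from the old value; since the deployment name changes in this hunk anyway, `var const_deploymentName = 'ds-enable-prometheus-metrics-${_globalResourceNameSuffix}'` costs nothing extra. The context line above it assigns `enablePrometheusMetrics.sh` to a variable named `base64_enableHpa`, a copy-paste name from `_ds_enable_hpa.bicep` that is worth renaming to `base64_enablePrometheusMetrics` in the same pass. The `deploymentScript` resource that uses the name lies outside the hunk.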
@@ -13,7 +13,7 @@ param utcValue string = utcNow() var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableAgic.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') -var const_deploymentName='ds-validate-agic' +var const_deploymentName='ds-validate-agic-${uniqueString(utcValue)}' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { name: const_deploymentName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep index a61e5e86d..fc355f699 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2024, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSuffix string param aksClusterName string param aksClusterRGName string param appgwName string = 'appgw-contoso' @@ -15,7 +16,7 @@ param utcValue string = utcNow() var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableAgic.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') -var const_deploymentName='ds-install-agic' +var const_deploymentName='ds-install-agic-${_globalResourceNameSuffix}' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { name: const_deploymentName 
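Review bot: `const_deploymentName='ds-validate-agic-${uniqueString(utcValue)}'` keeps the base name `ds-validate-agic` that `_ds_validate_agic.bicep` later in this diff also uses, and unlike the rest of the diff it derives the suffix from `utcValue` (default `utcNow()`) rather than `_globalResourceNameSuffix`; `_ds_query_available_private_ip_from_subnet.bicep` and `_ds_update-applications.bicep` make the same `uniqueString(utcValue)` choice, and `_agicRoleAssignment.bicep` merely wraps `utcValue` in `uniqueString`, which does not change its per-run nature. A `utcNow()`-based name yields a new deploymentScript resource on every run, so idempotency and cleanup depend on `cleanupPreference` (not visible here), whereas a suffix-based name is reused across runs. Suggest `var const_deploymentName='ds-ensure-available-agic-${_globalResourceNameSuffix}'` with `param _globalResourceNameSuffix string` added alongside the existing params, unless these modules are called from a path that has no suffix to pass, which the `utcValue` added to `setupDBConnection.bicep` later in this diff hints at for the update-applications path. The `deploymentScript` resource continues past the hunk.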
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep index 5fe795928..ea3ad9025 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep @@ -14,7 +14,7 @@ param utcValue string = utcNow() // To mitigate arm-ttk error: Unreferenced variable: $fxv#0 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_queryPrivateIPForAppGateway = loadFileAsBase64('../../../arm/scripts/inline-scripts/queryPrivateIPForAppGateway.sh') -var const_deploymentName = 'ds-query-private-ip' +var const_deploymentName = 'ds-query-private-ip-${uniqueString(utcValue)}' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { name: const_deploymentName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep index d3c3139eb..8f0623b14 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep @@ -36,7 +36,7 @@ var const_updateAppScript= 'updateApplications.sh' var const_utilityScript= 'utility.sh' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-wls-update-applications' + name: 'ds-wls-update-applications-${uniqueString(utcValue)}' location: location kind: 'AzureCLI' identity: identity 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep index 93d792e1f..437ac0128 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2024, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSuffix string param aksClusterName string param aksClusterRGName string param azCliVersion string = '' @@ -14,7 +15,7 @@ param utcValue string = utcNow() var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateAgic.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') -var const_deploymentName='ds-validate-agic' +var const_deploymentName='ds-validate-agic-${_globalResourceNameSuffix}' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { name: const_deploymentName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep b/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep index 9e5abf06b..59d78778a 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep @@ -3,6 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. */ +param _globalResourceNameSuffix string param _pidCPUUtilization string = '' param _pidEnd string = '' param _pidMemoryUtilization string = '' 
@@ -72,6 +73,7 @@ module pidWme './_pids/_pid.bicep' = if(!useHpa) { module hapDeployment '_deployment-scripts/_ds_enable_hpa.bicep' = if(useHpa) { name: 'hpa-deployment' params: { + _globalResourceNameSuffix: _globalResourceNameSuffix aksClusterName: aksClusterName aksClusterRGName: aksClusterRGName azCliVersion: azCliVersion @@ -91,6 +93,7 @@ module hapDeployment '_deployment-scripts/_ds_enable_hpa.bicep' = if(useHpa) { module promethuesKedaDeployment '_enablePromethuesKeda.bicep' = if (!useHpa) { name: 'promethues-keda-weblogic-monitoring-exporter-deployment' params: { + _globalResourceNameSuffix: _globalResourceNameSuffix aksClusterName: aksClusterName aksClusterRGName: aksClusterRGName azCliVersion: azCliVersion diff --git a/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep b/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep index 86f5ab7b8..fc5aa1a2e 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep @@ -2,6 +2,7 @@ Copyright (c) 2024, Oracle and/or its affiliates. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. */ +param _globalResourceNameSuffix string param aksClusterName string param aksClusterRGName string param azCliVersion string 
@@ -19,9 +20,9 @@ param wlsUserName string var const_namespace = '${wlsDomainUID}-ns' // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles var const_roleDefinitionIdOfMonitorDataReader = 'b24988ac-6180-42a0-ab88-20f7382dd24c' -var name_azureMonitorAccountName = 'ama${uniqueString(utcValue)}' -var name_kedaUserDefinedManagedIdentity = 'kedauami${uniqueString(utcValue)}' -var name_kedaMonitorDataReaderRoleAssignmentName = guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}') +var name_azureMonitorAccountName = 'ama${_globalResourceNameSuffix}' +var name_kedaUserDefinedManagedIdentity = 'kedauami${_globalResourceNameSuffix}' +var name_kedaMonitorDataReaderRoleAssignmentName = guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}${_globalResourceNameSuffix}') resource monitorAccount 'Microsoft.Monitor/accounts@${azure.apiVersionForMonitorAccount}' = { name: name_azureMonitorAccountName @@ -61,6 +62,7 @@ resource kedaUamiRoleAssignment 'Microsoft.Authorization/roleAssignments@${azure module azureMonitorIntegrationDeployment '_deployment-scripts/_ds_enable_prometheus_metrics.bicep' = { name: 'azure-monitor-promethues-keda-deployment' params: { + _globalResourceNameSuffix: _globalResourceNameSuffix aksClusterName: aksClusterName aksClusterRGName: aksClusterRGName amaName: name_azureMonitorAccountName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep similarity index 91% rename from weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep rename to weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep index 1bb159faf..e5acfe269 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep 
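Review bot: `const_roleDefinitionIdOfMonitorDataReader` (context line of this hunk) holds `b24988ac-6180-42a0-ab88-20f7382dd24c`, the same id that `_globalUamiAndRoles.bicep` and `_agicRoleAssignment.bicep` in this diff bind to `const_roleDefinitionIdOfContributor`, so the KEDA identity named on the new `name_kedaUserDefinedManagedIdentity` line receives Contributor on the resource group rather than a data-reader role. Unless the scaler genuinely needs write access, replace the value with the id of the Monitoring Data Reader built-in role (confirm against the built-in roles page linked in the comment above it) or rename the variable so the grant it makes is honest. Separately, `name_kedaUserDefinedManagedIdentity` already embeds `_globalResourceNameSuffix`, so appending the suffix a second time inside the `guid(...)` seed is redundant and `guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}')` is sufficient. The `kedaUamiRoleAssignment` resource that consumes these values lies outside the hunk.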
@@ -3,6 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. */ +param _globalResourceNameSuffix string param location string @description('${label.tagsLabel}') param tagsByResource object @@ -10,8 +11,7 @@ param name_deploymentScriptContributorRoleAssignmentName string = newGuid() // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c' -var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${substring(uniqueString(name_deploymentScriptContributorRoleAssignmentName),0,5)}' - +var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSuffix}' // UAMI for deployment script resource uamiForDeploymentScript 'Microsoft.ManagedIdentity/userAssignedIdentities@${azure.apiVersionForIdentity}' = { diff --git a/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep b/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep index 2960e3216..0790d55a1 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep @@ -14,6 +14,7 @@ param location string module acrDeployment './_azure-resoruces/_acr.bicep' = if (createNewAcr) { name: 'acr-deployment' params: { + acrName: acrName location: location tagsByResource: tagsByResource } diff --git a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep index 4816f50b8..85f56df12 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep 
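Review bot: `name_deploymentScriptUserDefinedManagedIdentity` is now stable across deployments that share a suffix, but `param name_deploymentScriptContributorRoleAssignmentName string = newGuid()` (the hunk header's context line) still mints a fresh role-assignment name each run; re-running with the same suffix would then try to create a second assignment for the same principal, role and scope under a different name, which I would expect Azure to reject as an already-existing assignment — worth confirming with a redeploy. Deriving the name from the same inputs, e.g. `guid(resourceGroup().id, _globalResourceNameSuffix, const_roleDefinitionIdOfContributor)`, makes the assignment idempotent. Since the identity name is being rewritten anyway, this is also the moment to fix the `itentity` misspelling in it. The `uamiForDeploymentScript` resource continues outside the hunk.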
@@ -8,7 +8,7 @@ param aksClusterRGName string param utcValue string = utcNow() var const_APIVersion = '2020-12-01' -var name_appGwContributorRoleAssignmentName = guid('${resourceGroup().id}${utcValue}ForApplicationGateway') +var name_appGwContributorRoleAssignmentName = guid('${resourceGroup().id}${uniqueString(utcValue)}ForApplicationGateway') // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep index ca71cfde9..f5b50c20d 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep @@ -16,13 +16,13 @@ Usage: } */ +param _globalResourceNameSuffix string // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles param roleDefinitionId string = '' param identity object = {} -param utcValue string = utcNow() var const_identityAPIVersion = '2022-01-31-PREVIEW' -var name_roleAssignmentName = guid('${subscription().id}${utcValue}Role assignment in resource group scope') +var name_roleAssignmentName = guid('${subscription().id}${_globalResourceNameSuffix}Role assignment in resource group scope') // Get role resource id resource roleResourceDefinition 'Microsoft.Authorization/roleDefinitions@${azure.apiVersionForRoleDefinitions}' existing = { diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep index 1a865cab1..fb2a44eed 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep 
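Review bot: `name_roleAssignmentName = guid('${subscription().id}${_globalResourceNameSuffix}Role assignment in resource group scope')` no longer varies per deployment, but it also does not depend on `roleDefinitionId` or `identity`, so two invocations of this module under the same suffix and scope (the diff already shows one in `_setupPasswordlessDBConnection.bicep`) would produce the same role-assignment name and collide on the same resource; the old `utcValue` seed hid this. Seed the name from the inputs that make the assignment distinct: `var name_roleAssignmentName = guid(subscription().id, _globalResourceNameSuffix, roleDefinitionId, 'Role assignment in resource group scope')`, adding the identity's principal id as well if the `identity` object carries it. The `roleResourceDefinition` resource and the assignment itself continue outside the hunk.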
@@ -6,6 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSuffix string param _pidEnd string = '' param _pidStart string = '' param _pidOtherDb string = '' @@ -68,6 +69,7 @@ module configDataSource '_deployment-scripts/_ds-datasource-connection.bicep' = params:{ _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: _globalResourceNameSuffix aksClusterName: aksClusterName aksClusterRGName: aksClusterRGName azCliVersion: azCliVersion diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep index 75aa170ca..a431ba321 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep @@ -6,6 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSuffix string param _pidEnd string = '' param _pidStart string = '' @@ -80,6 +81,7 @@ module dbIdentityVMContributorRoleAssignment '_rolesAssignment/_roleAssignmentin name: 'assign-db-identity-vm-contributor-role' scope: resourceGroup(aksNodeRGName) params: { + _globalResourceNameSuffix: _globalResourceNameSuffix identity: dbIdentity roleDefinitionId: const_roleDefinitionIdOfVMContributor } 
@@ -126,6 +128,7 @@ module configDataSource '_deployment-scripts/_ds-datasource-connection.bicep' = params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSuffix: _globalResourceNameSuffix aksClusterName: aksClusterName aksClusterRGName: aksClusterRGName azCliVersion: azCliVersion diff --git a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep index ed8e687de..20f9071ac 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep @@ -10,6 +10,7 @@ param _pidLbEnd string = 'pid-networking-lb-end' param _pidLbStart string = 'pid-networking-lb-start' param _pidNetworkingEnd string = 'pid-networking-end' param _pidNetworkingStart string = 'pid-networking-start' +param _globalResourceNameSuffix string @description('Resource group name of an existing AKS cluster.') param aksClusterRGName string = 'aks-contoso-rg' @description('Name of an existing AKS cluster.') @@ -98,6 +99,7 @@ module dnsZoneDeployment '_azure-resoruces/_dnsZones.bicep' = if (enableDNSConfi module installAgic '_deployment-scripts/_ds_install_agic.bicep' = if (enableAppGWIngress) { name: 'install-agic' params: { + _globalResourceNameSuffix: _globalResourceNameSuffix location: location identity: identity aksClusterRGName: aksClusterRGName @@ -125,6 +127,7 @@ module agicRoleAssignment '_rolesAssignment/_agicRoleAssignment.bicep' = if (ena module validateAgic '_deployment-scripts/_ds_validate_agic.bicep' = if (enableAppGWIngress) { name: 'validate-agic' params: { + _globalResourceNameSuffix: _globalResourceNameSuffix location: location identity: identity aksClusterRGName: aksClusterRGName 
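Review bot: `param _globalResourceNameSuffix string` is inserted after `_pidNetworkingStart`, whereas `_enableAutoScaling.bicep`, `_setupDBConnection.bicep` and the deployment-script modules in this diff place it before the `_pid*` parameters, keeping the underscore-prefixed params in alphabetical order; moving it up to sit before `_pidLbEnd` keeps `networking.bicep` consistent with them. The parameter block continues on both sides of the hunk.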
@@ -142,6 +145,7 @@ module networkingDeploymentYesAppGW '_deployment-scripts/_ds-create-networking.b
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 appgwName: appGatewayName
 appgwAlias: appGatewayAlias
 appgwForAdminServer: appgwForAdminServer
@@ -182,6 +186,7 @@ module networkingDeploymentNoAppGW '_deployment-scripts/_ds-create-networking.bi
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 appgwName: 'null'
 appgwAlias: 'null'
 appgwForAdminServer: appgwForAdminServer
diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep
index ab6546fce..5f7486dd3 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep
@@ -65,6 +65,7 @@ param identity object = {}
 @description('JNDI Name for JDBC Datasource')
 param jdbcDataSourceName string = 'jdbc/contoso'
+param utcValue string = utcNow()
 @description('UID of WebLogic domain, used in WebLogic Operator.')
 param wlsDomainUID string = 'sample-domain1'
 @secure()
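Review bot: `param utcValue string = utcNow()` is added to the public parameter surface of `setupDBConnection.bicep` without a `@description`, while the neighbouring `jdbcDataSourceName` and `wlsDomainUID` parameters document themselves, so a reader of the generated ARM template sees an exposed string that any caller may override with an arbitrary value. The next hunk in this file uses it as `uniqueString(utcValue)` for `_globalResourceNameSuffix`, so with the default every deployment gets a fresh suffix — presumably intended so the post-deployment scripts get unique names, but it also means a redeployment does not reuse the previous run's suffixed resources and a caller pinning the value gets stable names instead. Recording both facts on the parameter, e.g. `@description('Timestamp captured at deployment start; only used to derive a per-deployment unique resource-name suffix. Leave at the default.')`, keeps that intent visible next to the declaration.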
@@ -74,6 +75,24 @@ param wlsUserName string = 'weblogic'
 // This template is used for post deployment, hard code the CLI version with a variable.
 var const_azCliVersion = '2.33.1'
+var _objTagsByResource = {
+ 'Microsoft.Monitor/accounts': contains(tagsByResource, 'Microsoft.Monitor/accounts') ? tagsByResource['Microsoft.Monitor/accounts'] : json('{}')
+ 'Microsoft.ContainerService/managedClusters': contains(tagsByResource, 'Microsoft.ContainerService/managedClusters') ? tagsByResource['Microsoft.ContainerService/managedClusters'] : json('{}')
+ 'Microsoft.Network/applicationGateways': contains(tagsByResource, 'Microsoft.Network/applicationGateways') ? tagsByResource['Microsoft.Network/applicationGateways'] : json('{}')
+ 'Microsoft.ContainerRegistry/registries': contains(tagsByResource, 'Microsoft.ContainerRegistry/registries') ? tagsByResource['Microsoft.ContainerRegistry/registries'] : json('{}')
+ 'Microsoft.Compute/virtualMachines': contains(tagsByResource, 'Microsoft.Compute/virtualMachines') ? tagsByResource['Microsoft.Compute/virtualMachines'] : json('{}')
+ 'Virtual machine extension': contains(tagsByResource, 'Virtual machine extension') ? tagsByResource['Virtual machine extension'] : json('{}')
+ 'Microsoft.Network/virtualNetworks': contains(tagsByResource, 'Microsoft.Network/virtualNetworks') ? tagsByResource['Microsoft.Network/virtualNetworks'] : json('{}')
+ 'Microsoft.Network/networkInterfaces': contains(tagsByResource, 'Microsoft.Network/networkInterfaces') ? tagsByResource['Microsoft.Network/networkInterfaces'] : json('{}')
+ 'Microsoft.Network/networkSecurityGroups': contains(tagsByResource, 'Microsoft.Network/networkSecurityGroups') ? tagsByResource['Microsoft.Network/networkSecurityGroups'] : json('{}')
+ 'Microsoft.Network/publicIPAddresses': contains(tagsByResource, 'Microsoft.Network/publicIPAddresses') ? tagsByResource['Microsoft.Network/publicIPAddresses'] : json('{}')
+ 'Microsoft.Storage/storageAccounts': contains(tagsByResource, 'Microsoft.Storage/storageAccounts') ? tagsByResource['Microsoft.Storage/storageAccounts'] : json('{}')
+ 'Microsoft.KeyVault/vaults': contains(tagsByResource, 'Microsoft.KeyVault/vaults') ? tagsByResource['Microsoft.KeyVault/vaults'] : json('{}')
+ 'Microsoft.ManagedIdentity/userAssignedIdentities': contains(tagsByResource, 'Microsoft.ManagedIdentity/userAssignedIdentities') ? tagsByResource['Microsoft.ManagedIdentity/userAssignedIdentities'] : json('{}')
+ 'Microsoft.Network/dnszones': contains(tagsByResource, 'Microsoft.Network/dnszones') ? tagsByResource['Microsoft.Network/dnszones'] : json('{}')
+ 'Microsoft.OperationalInsights/workspaces': contains(tagsByResource, 'Microsoft.OperationalInsights/workspaces') ? tagsByResource['Microsoft.OperationalInsights/workspaces'] : json('{}')
+ 'Microsoft.Resources/deploymentScripts': contains(tagsByResource, 'Microsoft.Resources/deploymentScripts') ? tagsByResource['Microsoft.Resources/deploymentScripts'] : json('{}')
+}
 module pids './_pids/_pid.bicep' = {
 name: 'initialization'
@@ -87,6 +106,7 @@ module configDataSource './_setupDBConnection.bicep' = {
 _pidStart: pids.outputs.dbStart
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSuffix: uniqueString(utcValue)
 aksClusterName: aksClusterName
 aksClusterRGName: resourceGroup().name
 azCliVersion: const_azCliVersion
@@ -99,6 +119,7 @@ module configDataSource './_setupDBConnection.bicep' = {
 identity: identity
 jdbcDataSourceName: jdbcDataSourceName
 location: resourceGroup().location
+ tagsByResource: _objTagsByResource
 wlsDomainUID: wlsDomainUID
 wlsPassword: wlsPassword
 wlsUserName: wlsUserName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
index d2481d86e..ec0325055 100644
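Review bot: In `_objTagsByResource`, the key `'Virtual machine extension'` is the only one of the sixteen entries that is not an ARM resource type in the `Microsoft.<Provider>/<type>` form; if the nested module looks tags up by resource type, that entry can never match, so confirm that the producer of `tagsByResource` really emits this literal key rather than `Microsoft.Compute/virtualMachines/extensions`. The variable also reads `tagsByResource`, which is not declared within this hunk — presumably a `param tagsByResource object` exists elsewhere in the file, and the later `tagsByResource: _objTagsByResource` hunk depends on it, so it is worth verifying. The sixteen identical `contains(...) ? tagsByResource[...] : json('{}')` expressions could each collapse to `tagsByResource[?'<type>'] ?? {}` if the project's Bicep version has the safe-dereference operator; failing that, a one-line comment above the variable saying it supplies an empty tag set for every resource type the nested module expects would explain why the list is spelled out.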
--- a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
@@ -21,6 +21,7 @@ param _pidEnd string = 'pid-wls-end'
 param _pidStart string = 'pid-wls-start'
 param _pidSSLEnd string = 'pid-ssl-end'
 param _pidSSLStart string = 'pid-ssl-start'
+param _globalResourceNameSuffix string
 @description('true to use resource or workspace permissions. false to require workspace permissions.')
 param aciResourcePermissions bool = true
 @description('Number of days to retain data in Azure Monitor workspace.')
@@ -44,8 +45,6 @@ param aksAgentPoolNodeCount int = 3
 param aksAgentPoolNodeMaxCount int = 5
 @description('The size of the virtual machines that will form the nodes in the cluster. This cannot be changed after creating the cluster')
 param vmSize string = 'Standard_DS2_v2'
-@description('Prefix for cluster name. Only The name can contain only letters, numbers, underscores and hyphens. The name must start with letter or number.')
-param aksClusterNamePrefix string = 'wlsonaks'
 @description('Resource group name of an existing AKS cluster.')
 param aksClusterRGName string = ''
 @description('Name of an existing AKS cluster.')
@@ -60,7 +59,6 @@ param azCliVersion string = ''
 param cpuPlatform string = 'linux/amd64'
 @description('true to create a new AKS cluster.')
 param createAKSCluster bool = true
-param createStorageAccount bool = false
 param databaseType string = 'oracle'
 param dbDriverLibrariesUrls array = []
 @description('In addition to the CPU and memory metrics included in AKS by default, you can enable Container Insights for more comprehensive data on the overall performance and health of your cluster. Billing is based on data ingestion and retention settings.')
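Review bot: With `aksClusterNamePrefix` removed, `aksClusterName` now also names the cluster that `_aks.bicep` creates (it is passed as `aksClusterName: aksClusterName` and returned unchanged by `output aksClusterName` in the following hunks), so the context line `@description('Name of an existing AKS cluster.')` at the end of the `@@ -44,8 +45,6 @@` hunk no longer describes the parameter; `param aksClusterName` itself sits just outside the hunk. Suggest `@description('Name of the AKS cluster: the existing cluster when createAKSCluster is false, otherwise the name given to the newly created cluster.')`. Since the name is now caller-supplied rather than prefix-plus-unique, the description should also carry over the naming constraints that were deleted with the prefix parameter (letters, numbers, underscores and hyphens, starting with a letter or number), or the new cluster will fail late in `_aks.bicep` with an opaque validation error.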
@@ -170,7 +168,7 @@ module aksClusterDeployment './_azure-resoruces/_aks.bicep' = if (createAKSClust
 aksAgentPoolNodeCount: aksAgentPoolNodeCount
 aksAgentPoolNodeMaxCount: aksAgentPoolNodeMaxCount
 aksAgentPoolVMSize: vmSize
- aksClusterNamePrefix: aksClusterNamePrefix
+ aksClusterName: aksClusterName
 aksVersion: aksVersion
 enableAzureMonitoring: enableAzureMonitoring
 location: location
@@ -182,7 +180,7 @@ module aksClusterDeployment './_azure-resoruces/_aks.bicep' = if (createAKSClust
 }
 // enableAppGWIngress: if true, will create storage for certificates.
-module storageDeployment './_azure-resoruces/_storage.bicep' = if (createStorageAccount) {
+module storageDeployment './_azure-resoruces/_storage.bicep' = {
 name: 'storage-deployment'
 params: {
 fileShareName: fileShareName
@@ -203,8 +201,9 @@ module wlsDomainDeployment '_deployment-scripts/_ds-create-wls-cluster.bicep'
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterRGName: createAKSCluster ? resourceGroup().name : aksClusterRGName
- aksClusterName: createAKSCluster ? aksClusterDeployment.outputs.aksClusterName : aksClusterName
+ aksClusterName: aksClusterName
 acrName: useOracleImage ? acrName : userProvidedAcr
 acrResourceGroupName: useOracleImage ? acrResourceGroupName : userProvidedAcrRgName
 appPackageUrls: appPackageUrls
@@ -280,7 +279,7 @@ module pidEnd './_pids/_pid.bicep' = {
 ]
 }
-output aksClusterName string = createAKSCluster ? aksClusterDeployment.outputs.aksClusterName : aksClusterName
+output aksClusterName string = aksClusterName
 output aksClusterRGName string = createAKSCluster ? resourceGroup().name : aksClusterRGName
 output aksNodeRgName string = createAKSCluster? aksClusterDeployment.outputs.aksNodeRgName : existingAKSCluster.properties.nodeResourceGroup
 output adminServerEndPoint string = format('http://{0}-admin-server.{0}-ns.svc.cluster.local:7001/console', wlsDomainUID)
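Review bot: `storageDeployment` is now unconditional, but the comment directly above it, `// enableAppGWIngress: if true, will create storage for certificates.`, still describes a guard that the declaration no longer has (the removed `if (createStorageAccount)` already disagreed with it), so the two lines now contradict each other for anyone reading the new side. Replace it with what actually happens, e.g. `// Always provisions the storage account and the fileShareName file share; the createStorageAccount switch was removed.`, adjusting the wording to what `_storage.bicep` creates, since its remaining params are outside the hunk. Because the account was previously opt-in (`createStorageAccount bool = false` in the earlier hunk), callers that never needed it will now get an extra billed resource — that behaviour change deserves a sentence in the commit description.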
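Review bot: Replacing `createAKSCluster ? aksClusterDeployment.outputs.aksClusterName : aksClusterName` with the plain parameter in `wlsDomainDeployment` (and in the `output aksClusterName` line of the last hunk) removes the only reference to `aksClusterDeployment.outputs` visible in that module's `params`, and in Bicep it is such output references that establish the implicit deployment ordering. Unless `wlsDomainDeployment` references another `aksClusterDeployment` output or carries an explicit `dependsOn` outside the hunk, the domain-creation script can now be started before the new cluster exists when `createAKSCluster` is true, which would surface as an intermittent "cluster not found" failure rather than a deterministic one. If nothing else orders them, add `dependsOn: [ aksClusterDeployment ]` to `wlsDomainDeployment`; a conditionally deployed module is accepted there and is simply skipped when the condition is false. The `wlsDomainDeployment` declaration begins outside the hunk.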
diff --git a/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json b/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json
index 8e355c7c2..3b8c596c6 100644
--- a/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json
+++ b/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json
@@ -1,6 +1,6 @@
 {
 "name": "Known-good version of Azure Kubernetes Service",
 "description": "This version is known to work for all the features of Azure WebLogic on AKS offer.",
- "value": "1.28.10",
- "testedDate": "2024-07-15"
+ "value": "1.30.7",
+ "testedDate": "2025-02-10"
 }