From 4eda65d6255884350c1c55c49ef7459e353cde79 Mon Sep 17 00:00:00 2001
From: galiacheng
Date: Thu, 16 Jan 2025 13:20:54 +0800
Subject: [PATCH 01/32] unique name for public ip.
---
 weblogic-azure-aks/src/main/bicep/mainTemplate.bicep | 5 +++--
 weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep | 2 +-
 .../main/bicep/modules/_azure-resoruces/_appgateway.bicep | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
index d119658f2..0d28dd44b 100644
--- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
+++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
@@ -337,6 +337,7 @@ var _useExistingAppGatewaySSLCertificate = (appGatewayCertificateOption == const
 
 var const_appGatewaySSLCertOptionHaveCert = 'haveCert'
 var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault'
+var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, uniqueString(utcValue))
 var const_azcliVersion = '2.53.0'
 var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com')
 var const_bCreateStorageAccount = (createAKSCluster || !const_hasStorageAccount) && const_enablePV
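Review bot: The new public IP name is seeded from `utcValue`, which in the sibling modules of this patch defaults to `utcNow()`, so every run of the template produces a different `uniqueString` and therefore a different public IP resource; re-running against an existing deployment allocates a second public IP and leaves the first one, with its address and DNS binding, orphaned instead of being updated in place. The gateway itself is already named from `uniqueString(utcValue)` in the `_appgateway.bicep` hunk below, so the intent is presumably one fresh set of resources per run; if re-deploying into the same resource group is also a supported path, derive the suffix from something stable such as `uniqueString(resourceGroup().id, appGatewayPublicIPAddressName)`, otherwise state the one-run-one-gateway assumption in a comment on this line. Whether `utcValue` in mainTemplate.bicep is `utcNow()` is not visible in this hunk.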
@@ -359,7 +360,7 @@ var const_wlsSSLCertOptionKeyVault = 'keyVaultStoredConfig'
 var name_appgwFrontendSSLCertName = 'appGatewaySslCert'
 var name_appgwBackendRootCertName = 'appGatewayTrustedRootCert'
 var name_defaultPidDeployment = 'pid'
-var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${take(utcValue, 6)}'
+var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${uniqueString(utcValue)}'
 var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63)
 var name_identityKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreDataSecretName : 'myIdentityKeyStoreData'
 var name_identityKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName : 'myIdentityKeyStorePsw'
@@ -552,7 +553,7 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress
 _pidAppgwEnd: pids.outputs.appgwEnd == '' ? name_defaultPidDeployment : pids.outputs.appgwEnd
 _pidAppgwStart: pids.outputs.appgwStart == '' ? name_defaultPidDeployment : pids.outputs.appgwStart
 _pidAppgwWithCustomCert: pids.outputs.customCertForAppgw == '' ? name_defaultPidDeployment : pids.outputs.customCertForAppgw
- appgwPublicIPAddressName: appGatewayPublicIPAddressName
+ appgwPublicIPAddressName: const_appGatewayPublicIPAddressName
 appgwUsePrivateIP: appgwUsePrivateIP
 appgwSslCertName: name_appgwFrontendSSLCertName
 appgwTrustedRootCertName: name_appgwBackendRootCertName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep
index c00bedeaf..e19d2e243 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep
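Review bot: The DNS-label suffix grows from the 6 characters of `take(utcValue, 6)` to the 13 returned by `uniqueString`, and `name_domainLabelforApplicationGateway` on the next line still hard-cuts the concatenation at 63 characters, so more of the resource-group and `wlsDomainName` segments are truncated and the cut can now land on a `-`, which Azure rejects as the last character of a DNS label. The old suffix was only the year and month of the timestamp, so the change is a clear win for uniqueness; just bound the variable segments before concatenating, e.g. `take(toLower(wlsDomainName), 20)`, or put the hash last so truncation removes the least important part. This is a pre-existing edge case that the longer suffix makes more likely, and `wlsDomainName`'s constraints are not visible here.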
@@ -4,7 +4,7 @@
 param _pidAppgwEnd string = 'pid-networking-appgateway-end'
 param _pidAppgwStart string = 'pid-networking-appgateway-start'
 param _pidAppgwWithCustomCert string = 'pid-networking-appgateway-with-custom-certificate'
-param appgwPublicIPAddressName string = 'gwip'
+param appgwPublicIPAddressName string
 param appgwUsePrivateIP bool
 param appgwSslCertName string = 'appGatewaySslCert'
 param appgwTrustedRootCertName string = 'appGatewayTrustedRootCert'
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
index f0672f62c..7595b86a4 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
@@ -5,7 +5,7 @@
 param dnsNameforApplicationGateway string = take('wlsgw${uniqueString(utcValue)}', 63)
 param enableCustomSSL bool = false
 @description('Public IP Name for the Application Gateway')
-param gatewayPublicIPAddressName string = 'gwip'
+param gatewayPublicIPAddressName string
 param gatewaySubnetId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resourcegroupname/providers/Microsoft.Network/virtualNetworks/vnetname/subnets/subnetname'
 param gatewaySslCertName string = 'appGatewaySslCert'
 param gatewayTrustedRootCertName string = 'appGatewayTrustedRootCert'
From 5abd8fc2ddaf709e51f3c48226c6c3ca2a3e783d Mon Sep 17 00:00:00 2001
From: galiacheng Date: Fri, 17 Jan 2025 17:09:19 +0800 Subject: [PATCH 02/32] use global resource name sufix. --- .../main/arm/scripts/queryStorageAccount.sh | 41 -------------- .../src/main/bicep/mainTemplate.bicep | 55 ++++++++----------- .../src/main/bicep/modules/_appGateway.bicep | 7 +++ .../bicep/modules/_azure-resoruces/_acr.bicep | 9 +-- .../bicep/modules/_azure-resoruces/_aks.bicep | 8 +-- .../_azure-resoruces/_appgateway.bicep | 3 +- .../_azure-resoruces/_vnetAppGateway.bicep | 4 +- .../_ds-create-networking.bicep | 3 +- .../_ds-create-wls-cluster.bicep | 3 +- .../_ds-datasource-connection.bicep | 3 +- .../_ds-output-domain-configurations.bicep | 3 +- .../_ds-query-storage-account.bicep | 45 --------------- .../_ds-validate-applications.bicep | 3 +- .../_ds-validate-parameters.bicep | 3 +- .../_deployment-scripts/_ds_enable_hpa.bicep | 2 +- .../_ds_enable_prometheus_metrics.bicep | 3 +- .../_ds_ensure_available_agic.bicep | 2 +- .../_ds_install_agic.bicep | 3 +- ...ery_available_private_ip_from_subnet.bicep | 2 +- .../_ds_update-applications.bicep | 2 +- .../_ds_validate_agic.bicep | 3 +- .../bicep/modules/_enablePromethuesKeda.bicep | 8 ++- .../modules/_preDeployedAzureResources.bicep | 1 + .../_agicRoleAssignment.bicep | 2 +- .../bicep/modules/_setupDBConnection.bicep | 2 + .../_setupPasswordlessDBConnection.bicep | 2 + .../src/main/bicep/modules/networking.bicep | 5 ++ .../bicep/modules/setupWebLogicCluster.bicep | 13 ++--- 28 files changed, 85 insertions(+), 155 deletions(-) delete mode 100644 weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep diff --git a/weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh b/weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh deleted file mode 100644 index fb2a38c12..000000000 --- a/weblogic-azure-aks/src/main/arm/scripts/queryStorageAccount.sh +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates. -# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -# Inputs: -# AKS_CLUSTER_RESOURCEGROUP_NAME -# AKS_CLUSTER_NAME - -echo "Script ${0} starts" - -export currentStorageAccount="null" - -function query_storage_account() { - echo "install kubectl" - az aks install-cli - - echo "get pv name" - pvName=$(kubectl get pv -o json | - jq '.items[] | select(.status.phase=="Bound") | [.metadata.name] | .[0]' | - tr -d "\"") - - if [[ "${pvName}" != "null" ]] && [[ "${pvName}" != "" ]]; then - # this is a workaround for update domain using marketplace offer. - # the offer will create a new storage account in a new resource group if there is no storage attached. - currentStorageAccount=$(kubectl get pv ${pvName} -o json | jq '. | .metadata.labels.storageAccount' | tr -d "\"") - fi -} - -function output_result() { - echo ${currentStorageAccount} - - result=$(jq -n -c \ - --arg storageAccount $currentStorageAccount \ - '{storageAccount: $storageAccount}') - echo "result is: $result" - echo $result >$AZ_SCRIPTS_OUTPUT_PATH -} - -connect_aks $AKS_CLUSTER_NAME $AKS_CLUSTER_RESOURCEGROUP_NAME - -query_storage_account - -output_result diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 0d28dd44b..31347d47a 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep 
@@ -335,21 +335,23 @@ var _objTagsByResource = {
 }
 var _useExistingAppGatewaySSLCertificate = (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveCert) ? true : false
 
+var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSufix}' : aksClusterName
 var const_appGatewaySSLCertOptionHaveCert = 'haveCert'
 var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault'
-var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, uniqueString(utcValue))
+var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSufix)
+var const_acrName = (createACR) ? format('{acrwlsaks{0}',const_globalResourceNameSufix) : acrName
 var const_azcliVersion = '2.53.0'
 var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com')
-var const_bCreateStorageAccount = (createAKSCluster || !const_hasStorageAccount) && const_enablePV
 var const_bValidateApplications= validateApplications && (length(appPackageUrls) > 0)
 var const_cpuPlatform = (contains(vmSize, 'p') ? 'arm64' : 'amd64')
 var const_createNewAcr = useOracleImage && createACR
 var const_defaultKeystoreType = 'PKCS12'
 var const_enableNetworking = (length(lbSvcValues) > 0) || enableAppGWIngress
 var const_enablePV = enableCustomSSL || enableAzureFileShare
-var const_fileShareName = 'weblogic-${uniqueString(utcValue)}'
-var const_hasStorageAccount = !createAKSCluster && queryStorageAccount.outputs.storageAccount != 'null'
+var const_fileShareName = 'weblogic-${const_globalResourceNameSufix}'
+var const_globalResourceNameSufix = '${uniqueString(utcValue)}'
 var const_identityKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ?
sslKeyVaultCustomIdentityKeyStoreType : sslUploadedCustomIdentityKeyStoreType
+var const_nsgName = 'wls-aks-nsg-${const_globalResourceNameSufix}'
 var const_showAdminConsoleExUrl = (length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForAdminServer)
 var const_showRemoteAdminConsoleExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && !enableCustomSSL
 var const_showRemoteAdminConsoleSecuredExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && enableCustomSSL
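Review bot: `format('{acrwlsaks{0}',const_globalResourceNameSufix)` in the new `const_acrName` line has an unmatched `{` before `acrwlsaks`; ARM's `format()` follows .NET composite formatting, where a literal brace must be doubled, so this should fail at template evaluation as an invalid format string, and even if it were accepted the result would contain `{`, which the registry API rejects (ACR names are 5–50 alphanumerics). Write it as `var const_acrName = createACR ? 'acrwlsaks${const_globalResourceNameSufix}' : acrName`. Two smaller points in the same hunk: `'${uniqueString(utcValue)}'` is just `uniqueString(utcValue)`, and the identifier is misspelled (`Sufix`); this patch copies it into a dozen module parameters, so renaming to `const_globalResourceNameSuffix` is cheapest now.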
@@ -360,16 +362,16 @@ var const_wlsSSLCertOptionKeyVault = 'keyVaultStoredConfig'
 var name_appgwFrontendSSLCertName = 'appGatewaySslCert'
 var name_appgwBackendRootCertName = 'appGatewayTrustedRootCert'
 var name_defaultPidDeployment = 'pid'
-var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${uniqueString(utcValue)}'
+var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${const_globalResourceNameSufix}'
 var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63)
 var name_identityKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreDataSecretName : 'myIdentityKeyStoreData'
 var name_identityKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName : 'myIdentityKeyStorePsw'
-var name_keyVaultName = '${take('wls-kv${uniqueString(utcValue)}', 24)}'
+var name_keyVaultName = '${take('wls-kv${const_globalResourceNameSufix}', 24)}'
 var name_privateKeyAliasSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyAliasSecretName : 'privateKeyAlias'
 var name_privateKeyPswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyPassPhraseSecretName : 'privateKeyPsw'
 var name_rgNameWithoutSpecialCharacter = replace(replace(replace(replace(resourceGroup().name, '.', ''), '(', ''), ')', ''), '_', '') // remove . () _ from resource group name
 var name_rgKeyvaultForWLSSSL = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultResourceGroup : resourceGroup().name
-var name_storageAccountName = const_hasStorageAccount ?
queryStorageAccount.outputs.storageAccount : 'wls${uniqueString(utcValue)}'
+var name_storageAccountName = 'wls${const_globalResourceNameSufix}'
 var name_trustKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreDataSecretName : 'myTrustKeyStoreData'
 var name_trustKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStorePassPhraseSecretName : 'myTrustKeyStorePsw'
 var ref_wlsDomainDeployment = _enableCustomSSL ? wlsDomainWithCustomSSLDeployment : wlsDomainDeployment
@@ -407,7 +409,7 @@ module uamiDeployment 'modules/_uamiAndRoles.bicep' = {
 module preAzureResourceDeployment './modules/_preDeployedAzureResources.bicep' = {
 name: 'prerequisite-resources-deployment'
 params: {
- acrName: acrName
+ acrName: const_acrName
 acrResourceGroupName: acrResourceGroupName
 createNewAcr: const_createNewAcr
 location: location
@@ -418,6 +420,7 @@ module preAzureResourceDeployment './modules/_preDeployedAzureResources.bicep' =
 module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep' = {
 name: 'validate-parameters-and-fail-fast'
 params: {
+ _globalResourceNameSufix: const_globalResourceNameSufix
 acrName: preAzureResourceDeployment.outputs.acrName
 acrResourceGroupName: preAzureResourceDeployment.outputs.acrResourceGroupName
 aksAgentPoolNodeCount: aksAgentPoolNodeCount
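Review bot: `name_storageAccountName` is now unconditionally `'wls${const_globalResourceNameSufix}'`, whereas the removed expression reused the storage account already bound to the domain's PV when `createAKSCluster` is false; the deleted queryStorageAccount.sh describes that lookup as the workaround that stops a marketplace update from provisioning a second storage account. With the lookup gone, an update of an existing cluster that already has a share mounted targets a fresh account name, so either setupWebLogicCluster.bicep (changed by this patch but not in view) must resolve the existing account itself, or the update path now silently creates a new account and the share the domain is using is no longer the one the template manages. If that is the intended behaviour, say so on this line, e.g. `// update runs no longer reuse the PV's storage account; each run names a new one`.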
@@ -512,20 +515,6 @@ resource sslKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' scope: resourceGroup(name_rgKeyvaultForWLSSSL) } -// If updating an existing aks cluster, query the storage account that is being used. -// Return "null" is no storage account is applied. -module queryStorageAccount 'modules/_deployment-scripts/_ds-query-storage-account.bicep' = if (!createAKSCluster) { - name: 'query-existing-storage-account' - params: { - aksClusterName: aksClusterName - aksClusterRGName: aksClusterRGName - azCliVersion: const_azcliVersion - identity: obj_uamiForDeploymentScript - location: location - tagsByResource: _objTagsByResource - } -} - module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) { name: 'appgateway-certificates-secrets-deployment' params: { @@ -553,6 +542,7 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress _pidAppgwEnd: pids.outputs.appgwEnd == '' ? name_defaultPidDeployment : pids.outputs.appgwEnd _pidAppgwStart: pids.outputs.appgwStart == '' ? name_defaultPidDeployment : pids.outputs.appgwStart _pidAppgwWithCustomCert: pids.outputs.customCertForAppgw == '' ? name_defaultPidDeployment : pids.outputs.customCertForAppgw + appgwName: 'appgw${const_globalResourceNameSufix}' appgwPublicIPAddressName: const_appGatewayPublicIPAddressName appgwUsePrivateIP: appgwUsePrivateIP appgwSslCertName: name_appgwFrontendSSLCertName 
@@ -566,6 +556,7 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress keyvaultBackendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName keyvaultFrontendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertDataSecretName : appgwSecretDeployment.outputs.sslCertDataSecretName keyvaultFrontendCertPswSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertPasswordSecretName : appgwSecretDeployment.outputs.sslCertPwdSecretName + nsgName: const_nsgName location: location newOrExistingVnetForApplicationGateway: newOrExistingVnetForApplicationGateway vnetForApplicationGateway: vnetForApplicationGateway @@ -582,6 +573,7 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: const_globalResourceNameSufix _pidEnd: pids.outputs.wlsAKSEnd == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSEnd _pidSSLEnd: pids.outputs.sslEnd == '' ? name_defaultPidDeployment : pids.outputs.sslEnd _pidSSLStart: pids.outputs.sslStart == '' ? name_defaultPidDeployment : pids.outputs.sslStart 
@@ -595,16 +587,14 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus aksAgentPoolNodeCount: aksAgentPoolNodeCount aksAgentPoolNodeMaxCount: aksAgentPoolNodeMaxCount vmSize: vmSize - aksClusterNamePrefix: aksClusterNamePrefix aksClusterRGName: aksClusterRGName - aksClusterName: aksClusterName + aksClusterName: const_aksName aksVersion: validateInputs.outputs.aksVersion appPackageUrls: appPackageUrls appReplicas: appReplicas azCliVersion: const_azcliVersion cpuPlatform: const_cpuPlatform createAKSCluster: createAKSCluster - createStorageAccount: const_bCreateStorageAccount databaseType: databaseType dbDriverLibrariesUrls: dbDriverLibrariesUrls enableAzureMonitoring: enableAzureMonitoring @@ -649,7 +639,6 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus } dependsOn: [ validateInputs - queryStorageAccount ] } @@ -658,6 +647,7 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: const_globalResourceNameSufix _pidEnd: pids.outputs.wlsAKSEnd == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSEnd _pidStart: pids.outputs.wlsAKSStart == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSStart aciResourcePermissions: aciResourcePermissions 
@@ -669,16 +659,14 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i aksAgentPoolNodeCount: aksAgentPoolNodeCount aksAgentPoolNodeMaxCount: aksAgentPoolNodeMaxCount vmSize: vmSize - aksClusterNamePrefix: aksClusterNamePrefix aksClusterRGName: aksClusterRGName - aksClusterName: aksClusterName + aksClusterName: const_aksName aksVersion: validateInputs.outputs.aksVersion appPackageUrls: appPackageUrls appReplicas: appReplicas azCliVersion: const_azcliVersion cpuPlatform: const_cpuPlatform createAKSCluster: createAKSCluster - createStorageAccount: const_bCreateStorageAccount databaseType: databaseType dbDriverLibrariesUrls: dbDriverLibrariesUrls enableAzureMonitoring: enableAzureMonitoring @@ -723,7 +711,6 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i } dependsOn: [ wlsSSLCertSecretsDeployment - queryStorageAccount ] } @@ -732,6 +719,7 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: const_globalResourceNameSufix _pidNetworkingEnd: pids.outputs.networkingEnd == '' ? name_defaultPidDeployment : pids.outputs.networkingEnd _pidNetworkingStart: pids.outputs.networkingStart == '' ? name_defaultPidDeployment : pids.outputs.networkingStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName @@ -778,8 +766,9 @@ module datasourceDeployment 'modules/_setupDBConnection.bicep' = if (enableDB && params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: const_globalResourceNameSufix _pidEnd: pids.outputs.dbEnd - _pidStart: pids.outputs.dbStart + _pidStart: pids.outputs.dbStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName azCliVersion: const_azcliVersion 
@@ -809,6 +798,7 @@ module passwordlessDatasourceDeployment 'modules/_setupPasswordlessDBConnection. params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: const_globalResourceNameSufix _pidEnd: pids.outputs.pswlessDbEnd _pidStart: pids.outputs.pswlessDbStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName @@ -843,6 +833,7 @@ module validateApplciations 'modules/_deployment-scripts/_ds-validate-applicatio params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: const_globalResourceNameSufix aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName azCliVersion: const_azcliVersion @@ -864,6 +855,7 @@ module horizontalAutoscaling 'modules/_enableAutoScaling.bicep' = if (enableAuto params: { _pidCPUUtilization: pids.outputs.cpuUtilization _pidEnd: pids.outputs.autoScalingEnd + _globalResourceNameSufix: const_globalResourceNameSufix _pidMemoryUtilization: pids.outputs.memoryUtilization _pidStart: pids.outputs.autoScalingStart _pidWme: pids.outputs.enableWlsMonitoringExporter @@ -896,6 +888,7 @@ module horizontalAutoscaling 'modules/_enableAutoScaling.bicep' = if (enableAuto module queryWLSDomainConfig 'modules/_deployment-scripts/_ds-output-domain-configurations.bicep' = { name: 'query-wls-domain-configurations' params: { + _globalResourceNameSufix: const_globalResourceNameSufix aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName azCliVersion: const_azcliVersion diff --git a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep index e19d2e243..9499b5cfb 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep 
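Review bot: In the `horizontalAutoscaling` hunk `_globalResourceNameSufix` is passed to `modules/_enableAutoScaling.bicep`, but that file is not in this patch's diffstat, and Bicep rejects an argument for a parameter the module does not declare (BCP037), so unless `_enableAutoScaling.bicep` already contains `param _globalResourceNameSufix string` or a later patch in the series adds it, mainTemplate.bicep will not build. The diffstat does list `_ds_enable_hpa.bicep` and `_enablePromethuesKeda.bicep`, which suggests the value is meant to flow through the autoscaling module, so the missing declaration looks like an oversight rather than a design choice. As a point of style, the other module calls in this patch keep their parameters alphabetical and put `_globalResourceNameSufix` first; here it is inserted between `_pidEnd` and `_pidMemoryUtilization`.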
+++ b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep @@ -4,6 +4,7 @@ param _pidAppgwEnd string = 'pid-networking-appgateway-end' param _pidAppgwStart string = 'pid-networking-appgateway-start' param _pidAppgwWithCustomCert string = 'pid-networking-appgateway-with-custom-certificate' +param appgwName string param appgwPublicIPAddressName string param appgwUsePrivateIP bool param appgwSslCertName string = 'appGatewaySslCert' @@ -17,6 +18,7 @@ param keyVaultResourceGroup string = 'kv-contoso-rg' param keyvaultBackendCertDataSecretName string = 'kv-ssl-backend-data' param keyvaultFrontendCertDataSecretName string = 'kv-ssl-frontend-data' param keyvaultFrontendCertPswSecretName string = 'kv-ssl-frontend-psw' +param nsgName string param location string param newOrExistingVnetForApplicationGateway string param vnetForApplicationGateway object @@ -57,6 +59,7 @@ module networkDeployment '_azure-resoruces/_vnetAppGateway.bicep' = { name: 'vnet-application-gateway' params: { location: location + nsgName: nsgName vnetForApplicationGateway: vnetForApplicationGateway tagsByResource: tagsByResource } @@ -85,6 +88,7 @@ module appgwDeployment1 '_azure-resoruces/_appgateway.bicep' = if (_selfSignedFr params: { dnsNameforApplicationGateway: dnsNameforApplicationGateway enableCustomSSL: enableCustomSSL + gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway gatewaySslCertName: appgwSslCertName @@ -108,6 +112,7 @@ module appgwDeployment2 '_azure-resoruces/_appgateway.bicep' = if (_selfSignedFr params: { dnsNameforApplicationGateway: dnsNameforApplicationGateway enableCustomSSL: enableCustomSSL + gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway gatewaySslCertName: appgwSslCertName 
@@ -131,6 +136,7 @@ module appgwDeployment3 '_azure-resoruces/_appgateway.bicep' = if (_signedFronte params: { dnsNameforApplicationGateway: dnsNameforApplicationGateway enableCustomSSL: enableCustomSSL + gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway gatewaySslCertName: appgwSslCertName @@ -153,6 +159,7 @@ module appgwDeployment4 '_azure-resoruces/_appgateway.bicep' = if (_signedFronte params: { dnsNameforApplicationGateway: dnsNameforApplicationGateway enableCustomSSL: enableCustomSSL + gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway gatewaySslCertName: appgwSslCertName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep index 6a329db5f..297f81567 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_acr.bicep @@ -1,16 +1,13 @@ // Copyright (c) 2021, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -param acrNamePrefix string = 'wlsaksacr' +param acrName string param location string @description('${label.tagsLabel}') param tagsByResource object -param utcValue string = utcNow() - -var name_acr = '${acrNamePrefix}${uniqueString(utcValue)}' resource registries 'Microsoft.ContainerRegistry/registries@${azure.apiVersionForContainerRegistries}' = { - name: name_acr + name: acrName location: location sku: { name: 'Standard' @@ -43,4 +40,4 @@ resource registries 'Microsoft.ContainerRegistry/registries@${azure.apiVersionFo tags: tagsByResource['${identifier.registries}'] } -output acrName string = name_acr +output acrName string = acrName 
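Review bot: In the `_acr.bicep` hunk `acrName` is now taken verbatim from the caller with no constraints, where the old `acrNamePrefix` path always produced a generated name of known shape; the caller builds `const_acrName` with a `format()` expression, so a malformed value would only surface as a registry-API error part-way through the deployment. Add `@minLength(5)` and `@maxLength(50)` above `param acrName string` (the registry name limits) so the template fails at validation instead, and keep `output acrName string = acrName` for the callers that read it. The registry resource body between the two hunks is unchanged.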
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep index 8eb08964d..a1e52608e 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_aks.bicep @@ -20,7 +20,7 @@ param aksAgentPoolNodeMaxCount int = 5 @description('The size of the virtual machines that will form the nodes in the cluster. This cannot be changed after creating the cluster') param aksAgentPoolVMSize string = 'Standard_DS2_v2' @description('Prefix for cluster name. Only The name can contain only letters, numbers, underscores and hyphens. The name must start with letter or number.') -param aksClusterNamePrefix string = 'wlsonaks' +param aksClusterName string param aksVersion string = 'default' @description('In addition to the CPU and memory metrics included in AKS by default, you can enable Container Insights for more comprehensive data on the overall performance and health of your cluster. Billing is based on data ingestion and retention settings.') param enableAzureMonitoring bool = false @@ -32,7 +32,6 @@ param utcValue string = utcNow() var const_aksAgentPoolOSDiskSizeGB = 128 var name_aciWorkspace = 'Workspace-${guid(utcValue)}-${location}' // Generate a unique AKS name scoped to subscription. -var name_aksClusterNameForSV = '${aksClusterNamePrefix}${uniqueString(utcValue)}' var obj_aciDisableOmsAgent = { enabled: false } 
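Review bot: The `@description` directly above the changed line in `_aks.bicep` still says `Prefix for cluster name`, but the parameter is now the full cluster name (`aksClusterName`) and the module no longer appends a `uniqueString`; `bicep build` carries that text into the ARM parameter metadata, so the stale wording is what consumers of the module see. Update it to `@description('Name of the AKS cluster to create. The name can contain only letters, numbers, underscores and hyphens, and must start with a letter or number.')`. The rest of the module's parameter block is outside the hunk.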
@@ -61,12 +60,12 @@ resource azureMonitoringWorkspace 'Microsoft.OperationalInsights/workspaces@${az } resource aksCluster 'Microsoft.ContainerService/managedClusters@${azure.apiVersionForManagedClusters}' = { - name: name_aksClusterNameForSV + name: aksClusterName location: location tags: tagsByResource['${identifier.managedClusters}'] properties: { kubernetesVersion: aksVersion - dnsPrefix: '${name_aksClusterNameForSV}-dns' + dnsPrefix: '${aksClusterName}-dns' agentPoolProfiles: [ { name: aksAgentPoolName @@ -109,5 +108,4 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@${azure.apiVersi } } -output aksClusterName string = name_aksClusterNameForSV output aksNodeRgName string = aksCluster.properties.nodeResourceGroup diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep index 7595b86a4..bd4bece62 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep @@ -4,6 +4,7 @@ @description('DNS for ApplicationGateway') param dnsNameforApplicationGateway string = take('wlsgw${uniqueString(utcValue)}', 63) param enableCustomSSL bool = false +param gatewayName string @description('Public IP Name for the Application Gateway') param gatewayPublicIPAddressName string param gatewaySubnetId string = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/resourcegroupname/providers/Microsoft.Network/virtualNetworks/vnetname/subnets/subnetname' 
@@ -24,7 +25,7 @@ param tagsByResource object param utcValue string = utcNow() var const_sslCertPsw = (noSslCertPsw) ? '' : sslCertPswData -var name_appGateway = 'appgw${uniqueString(utcValue)}' +var name_appGateway = gatewayName var name_backendAddressPool = 'myGatewayBackendPool' var name_frontEndIPConfig = 'appGwPublicFrontendIp' var name_frontEndPrivateIPConfig = 'appGwPrivateFrontendIp' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep index 015998942..2a5badc4e 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_vnetAppGateway.bicep @@ -2,6 +2,7 @@ // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. param location string +param nsgName string param vnetForApplicationGateway object = { name: 'wlsaks-app-gateway-vnet' resourceGroup: resourceGroup().name @@ -25,7 +26,6 @@ param utcValue string = utcNow() var const_subnetAddressPrefixes = vnetForApplicationGateway.subnets.gatewaySubnet.addressPrefix var const_vnetAddressPrefixes = vnetForApplicationGateway.addressPrefixes var const_newVnet = (vnetForApplicationGateway.newOrExisting == 'new') ? true : false -var name_nsg = 'wlsaks-nsg-${uniqueString(utcValue)}' var name_subnet = vnetForApplicationGateway.subnets.gatewaySubnet.name var name_vnet = vnetForApplicationGateway.name @@ -43,7 +43,7 @@ resource existingSubnet 'Microsoft.Network/virtualNetworks/subnets@${azure.apiVe // Create new network security group. resource nsg 'Microsoft.Network/networkSecurityGroups@${azure.apiVersionForNetworkSecurityGroups}' = if (const_newVnet) { - name: name_nsg + name: nsgName location: location tags: tagsByResource['${identifier.networkSecurityGroups}'] properties: { 
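Review bot: With `name_nsg` removed, `utcValue` has no remaining reference in the `_vnetAppGateway.bicep` hunks shown; if nothing else in the file reads it, drop `param utcValue string = utcNow()` as well, since Bicep's no-unused-params rule will flag it and a `utcNow()` default is precisely what makes a module's resource names change on every run. The same applies to `_appgateway.bicep` above, where after `var name_appGateway = gatewayName` the only consumer of `utcValue` is the `dnsNameforApplicationGateway` default that mainTemplate.bicep always overrides; `name_appGateway` itself is now a plain alias and could be replaced by `gatewayName` at its use sites. Both files extend beyond the hunks shown, so this needs confirming against the full files.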
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep index 79b4d6c8b..fa8a07c63 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep @@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSufix string param appgwAlias string = 'appgw-contoso-alias' param appgwName string = 'appgw-contoso' @@ -46,7 +47,7 @@ var const_primaryScript = 'setupNetworking.sh' var const_utilityScript = 'utility.sh' resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-networking-deployment' + name: 'ds-networking-deployment-${_globalResourceNameSufix}' location: location kind: 'AzureCLI' identity: identity diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep index 0f5ee2734..2998320b6 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep @@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' +param _globalResourceNameSufix string param aksClusterRGName string = '' param aksClusterName string = '' 
@@ -82,7 +83,7 @@ var const_updateDomainConfigScript= 'updateDomainConfig.sh'
 var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-cluster-creation'
+ name: 'ds-wls-cluster-creation-${_globalResourceNameSufix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep
index 4d01b280a..b8310c1d0 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep
@@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
+param _globalResourceNameSufix string
 param aksClusterName string
 param aksClusterRGName string
@@ -38,7 +39,7 @@ var const_scriptLocation = uri(_artifactsLocation, 'scripts/')
 var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-db-connection'
+ name: 'ds-wls-db-connection-${_globalResourceNameSufix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep
index 0b6602183..80c726183 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep
@@ -1,6 +1,7 @@
 // Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSufix string
 param aksClusterRGName string = ''
 param aksClusterName string = ''
 param azCliVersion string = ''
@@ -18,7 +19,7 @@ var base64_queryDomainConfigurations = loadFileAsBase64('../../../arm/scripts/in
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-query-wls-configurations'
+ name: 'ds-query-wls-configurations-${_globalResourceNameSufix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep
deleted file mode 100644
index 14169e422..000000000
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-query-storage-account.bicep
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates.
-// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-
-param aksClusterName string = ''
-param aksClusterRGName string = ''
-param azCliVersion string = ''
-
-param identity object = {}
-param location string
-@description('${label.tagsLabel}')
-param tagsByResource object
-param utcValue string = utcNow()
-
-// To mitigate arm-ttk error: Unreferenced variable: $fxv#0
-var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
-var base64_queryStorageAccount = loadFileAsBase64('../../../arm/scripts/queryStorageAccount.sh')
-var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName = 'ds-query-storage-account'
-
-resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: const_deploymentName
- location: location
- kind: 'AzureCLI'
- identity: identity
- tags: tagsByResource['${identifier.deploymentScripts}']
- properties: {
- azCliVersion: azCliVersion
- environmentVariables: [
- {
- name: 'AKS_CLUSTER_NAME'
- value: aksClusterName
- }
- {
- name: 'AKS_CLUSTER_RESOURCEGROUP_NAME'
- value: aksClusterRGName
- }
- ]
- scriptContent: format('{0}\r\n\r\n{1}\r\n\r\n{2}',base64ToString(base64_common), base64ToString(base64_utility), base64ToString(base64_queryStorageAccount))
- cleanupPreference: 'OnSuccess'
- retentionInterval: 'P1D'
- forceUpdateTag: utcValue
- }
-}
-
-output storageAccount string = string(deploymentScript.properties.outputs.storageAccount)
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep
index 8b4c61ba6..d46457a8e 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep
@@ -4,6 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
+param _globalResourceNameSufix string
 param aksClusterRGName string = ''
 param aksClusterName string = ''
@@ -26,7 +27,7 @@ var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-validate-applications'
+ name: 'ds-wls-validate-applications-${_globalResourceNameSufix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep
index e2fe320bb..1356de28c 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep
@@ -1,6 +1,7 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSufix string
 param acrName string
 param acrResourceGroupName string
 param aksAgentPoolNodeCount int
@@ -73,7 +74,7 @@ var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
 var base64_validateParameters = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateParameters.sh')
 var const_arguments = '${location} ${createAKSCluster} ${aksAgentPoolVMSize} ${aksAgentPoolNodeCount} ${useOracleImage} ${wlsImageTag} ${userProvidedImagePath} ${enableCustomSSL} ${sslConfigurationAccessOption} ${appGatewayCertificateOption} ${enableAppGWIngress} ${const_checkDNSZone}'
 var const_checkDNSZone = enableDNSConfiguration && !createDNSZone
-var const_deploymentName = 'ds-validate-parameters-and-fail-fast'
+var const_deploymentName = 'ds-validate-parameters-and-fail-fast-${_globalResourceNameSufix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
index e22d6f80a..a8b882fbd 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
@@ -22,7 +22,7 @@ param wlsNamespace string
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableHpa.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-enable-hpa'
+var const_deploymentName='ds-enable-hpa-${uniqueString(utcValue)}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep
index a721a9573..8fbe3460f 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep
@@ -1,6 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSufix string
 param aksClusterName string
 param aksClusterRGName string
 param amaName string
@@ -23,7 +24,7 @@ param workspaceId string
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enablePrometheusMetrics.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName = 'ds-enable-promethues-metrics'
+var const_deploymentName = 'ds-enable-promethues-metrics-${_globalResourceNameSufix}'
 var const_kedaNamespace= 'keda'
 var const_kedaSa= 'keda-operator'
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep
index eaa9cfd27..e42042a66 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_ensure_available_agic.bicep
@@ -13,7 +13,7 @@ param utcValue string = utcNow()
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableAgic.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-validate-agic'
+var const_deploymentName='ds-validate-agic-${uniqueString(utcValue)}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep
index a61e5e86d..cb2b4f922 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep
@@ -1,6 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSufix string
 param aksClusterName string
 param aksClusterRGName string
 param appgwName string = 'appgw-contoso'
@@ -15,7 +16,7 @@ param utcValue string = utcNow()
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableAgic.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-install-agic'
+var const_deploymentName='ds-install-agic-${_globalResourceNameSufix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
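Review bot: `const_deploymentName` in `_ds_ensure_available_agic.bicep` becomes `'ds-validate-agic-${uniqueString(utcValue)}'`, the same base name that `_ds_validate_agic.bicep` now uses (`'ds-validate-agic-${_globalResourceNameSufix}'`), so two different scripts are indistinguishable by name in the activity log; `'ds-ensure-available-agic-${uniqueString(utcValue)}'` would match the file it lives in. This hunk, `_ds_query_available_private_ip_from_subnet.bicep` and `_ds_update-applications.bicep` also keep `uniqueString(utcValue)` as the suffix while the rest of the series switches to `_globalResourceNameSufix`; because `utcValue` defaults to `utcNow()`, those three scripts get a brand-new `deploymentScripts` resource on every run instead of updating one, and a failed run leaves the script resource and its logs (which include the environment variables passed in) behind unless its cleanup settings remove them. Passing `_globalResourceNameSufix` into these modules as well keeps a single naming scheme and bounds the number of script resources per deployment.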
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep
index 5fe795928..ea3ad9025 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_query_available_private_ip_from_subnet.bicep
@@ -14,7 +14,7 @@ param utcValue string = utcNow()
 // To mitigate arm-ttk error: Unreferenced variable: $fxv#0
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_queryPrivateIPForAppGateway = loadFileAsBase64('../../../arm/scripts/inline-scripts/queryPrivateIPForAppGateway.sh')
-var const_deploymentName = 'ds-query-private-ip'
+var const_deploymentName = 'ds-query-private-ip-${uniqueString(utcValue)}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep
index d3c3139eb..8f0623b14 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_update-applications.bicep
@@ -36,7 +36,7 @@ var const_updateAppScript= 'updateApplications.sh'
 var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-update-applications'
+ name: 'ds-wls-update-applications-${uniqueString(utcValue)}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep
index 93d792e1f..0d901b5d1 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep
@@ -1,6 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSufix string
 param aksClusterName string
 param aksClusterRGName string
 param azCliVersion string = ''
@@ -14,7 +15,7 @@ param utcValue string = utcNow()
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateAgic.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-validate-agic'
+var const_deploymentName='ds-validate-agic-${_globalResourceNameSufix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep b/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep
index 86f5ab7b8..d2ca6cdc5 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep
@@ -2,6 +2,7 @@ Copyright (c) 2024, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 */
+param _globalResourceNameSufix string
 param aksClusterName string
 param aksClusterRGName string
 param azCliVersion string
@@ -19,9 +20,9 @@ param wlsUserName string
 var const_namespace = '${wlsDomainUID}-ns'
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var const_roleDefinitionIdOfMonitorDataReader = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
-var name_azureMonitorAccountName = 'ama${uniqueString(utcValue)}'
-var name_kedaUserDefinedManagedIdentity = 'kedauami${uniqueString(utcValue)}'
-var name_kedaMonitorDataReaderRoleAssignmentName = guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}')
+var name_azureMonitorAccountName = 'ama${_globalResourceNameSufix}'
+var name_kedaUserDefinedManagedIdentity = 'kedauami${_globalResourceNameSufix}'
+var name_kedaMonitorDataReaderRoleAssignmentName = guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}${_globalResourceNameSufix}')
 resource monitorAccount 'Microsoft.Monitor/accounts@${azure.apiVersionForMonitorAccount}' = {
 name: name_azureMonitorAccountName
@@ -61,6 +62,7 @@ resource kedaUamiRoleAssignment 'Microsoft.Authorization/roleAssignments@${azure
 module azureMonitorIntegrationDeployment '_deployment-scripts/_ds_enable_prometheus_metrics.bicep' = {
 name: 'azure-monitor-promethues-keda-deployment'
 params: {
+ _globalResourceNameSufix: _globalResourceNameSufix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 amaName: name_azureMonitorAccountName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep b/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep
index 2960e3216..0790d55a1 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_preDeployedAzureResources.bicep
@@ -14,6 +14,7 @@ param location string
 module acrDeployment './_azure-resoruces/_acr.bicep' = if (createNewAcr) {
 name: 'acr-deployment'
 params: {
+ acrName: acrName
 location: location
 tagsByResource: tagsByResource
 }
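Review bot: the context line `var const_roleDefinitionIdOfMonitorDataReader = 'b24988ac-6180-42a0-ab88-20f7382dd24c'` holds the same GUID that `_agicRoleAssignment.bicep` on this page labels `const_roleDefinitionIdOfContributor`, so the KEDA user-assigned identity named by the new `name_kedaUserDefinedManagedIdentity` line is presumably being granted Contributor on the resource group rather than a read-only monitoring role; that is far more than reading metrics needs, and the value should be replaced with the Monitoring Data Reader definition id from the built-in-roles page linked in the comment above it. Separately, the new `name_kedaMonitorDataReaderRoleAssignmentName` seeds `guid()` with `_globalResourceNameSufix` twice — once directly and once inside `name_kedaUserDefinedManagedIdentity` — which is harmless but redundant; `guid(resourceGroup().id, name_kedaUserDefinedManagedIdentity)` expresses the intent. With both `uniqueString(utcValue)` uses removed, `utcValue` may now be unreferenced in this module; its declaration is outside the hunk.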
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep
index 4816f50b8..85f56df12 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicRoleAssignment.bicep
@@ -8,7 +8,7 @@ param aksClusterRGName string
 param utcValue string = utcNow()
 var const_APIVersion = '2020-12-01'
-var name_appGwContributorRoleAssignmentName = guid('${resourceGroup().id}${utcValue}ForApplicationGateway')
+var name_appGwContributorRoleAssignmentName = guid('${resourceGroup().id}${uniqueString(utcValue)}ForApplicationGateway')
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep
index 1a865cab1..962160010 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep
@@ -6,6 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
 param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
+param _globalResourceNameSufix string
 param _pidEnd string = ''
 param _pidStart string = ''
 param _pidOtherDb string = ''
@@ -68,6 +69,7 @@ module configDataSource '_deployment-scripts/_ds-datasource-connection.bicep' =
 params:{
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSufix: _globalResourceNameSufix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep
index 75aa170ca..af430d9df 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep
@@ -6,6 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
 param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
+param _globalResourceNameSufix string
 param _pidEnd string = ''
 param _pidStart string = ''
@@ -126,6 +127,7 @@ module configDataSource '_deployment-scripts/_ds-datasource-connection.bicep' =
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSufix: _globalResourceNameSufix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
index ed8e687de..09f1a51bc 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
@@ -10,6 +10,7 @@ param _pidLbEnd string = 'pid-networking-lb-end'
 param _pidLbStart string = 'pid-networking-lb-start'
 param _pidNetworkingEnd string = 'pid-networking-end'
 param _pidNetworkingStart string = 'pid-networking-start'
+param _globalResourceNameSufix string
 @description('Resource group name of an existing AKS cluster.')
 param aksClusterRGName string = 'aks-contoso-rg'
 @description('Name of an existing AKS cluster.')
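Review bot: `param _globalResourceNameSufix string` is inserted after `_pidNetworkingStart` in `networking.bicep`, breaking the alphabetical order the `_`-prefixed parameters above it follow and that `_setupDBConnection.bicep` and `_setupPasswordlessDBConnection.bicep` keep by placing it right after `_artifactsLocationSasToken`; `setupWebLogicCluster.bicep` has the same placement after `_pidSSLStart`. Moving the declaration above `_pidLbEnd` (presumably the first `_pid` parameter, just outside this hunk) keeps the parameter block scannable, and adding the `@description` the neighbouring parameters carry would match the file's style.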
@@ -98,6 +99,7 @@ module dnsZoneDeployment '_azure-resoruces/_dnsZones.bicep' = if (enableDNSConfi
 module installAgic '_deployment-scripts/_ds_install_agic.bicep' = if (enableAppGWIngress) {
 name: 'install-agic'
 params: {
+ _globalResourceNameSufix: _globalResourceNameSufix
 location: location
 identity: identity
 aksClusterRGName: aksClusterRGName
@@ -125,6 +127,7 @@ module agicRoleAssignment '_rolesAssignment/_agicRoleAssignment.bicep' = if (ena
 module validateAgic '_deployment-scripts/_ds_validate_agic.bicep' = if (enableAppGWIngress) {
 name: 'validate-agic'
 params: {
+ _globalResourceNameSufix: _globalResourceNameSufix
 location: location
 identity: identity
 aksClusterRGName: aksClusterRGName
@@ -142,6 +145,7 @@ module networkingDeploymentYesAppGW '_deployment-scripts/_ds-create-networking.b
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSufix: _globalResourceNameSufix
 appgwName: appGatewayName
 appgwAlias: appGatewayAlias
 appgwForAdminServer: appgwForAdminServer
@@ -182,6 +186,7 @@ module networkingDeploymentNoAppGW '_deployment-scripts/_ds-create-networking.bi
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSufix: _globalResourceNameSufix
 appgwName: 'null'
 appgwAlias: 'null'
 appgwForAdminServer: appgwForAdminServer
diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
index d2481d86e..b26a0f48f 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
@@ -21,6 +21,7 @@ param _pidEnd string = 'pid-wls-end'
 param _pidStart string = 'pid-wls-start'
 param _pidSSLEnd string = 'pid-ssl-end'
 param _pidSSLStart string = 'pid-ssl-start'
+param _globalResourceNameSufix string
 @description('true to use resource or workspace permissions. false to require workspace permissions.')
 param aciResourcePermissions bool = true
 @description('Number of days to retain data in Azure Monitor workspace.')
@@ -44,8 +45,6 @@ param aksAgentPoolNodeCount int = 3
 param aksAgentPoolNodeMaxCount int = 5
 @description('The size of the virtual machines that will form the nodes in the cluster. This cannot be changed after creating the cluster')
 param vmSize string = 'Standard_DS2_v2'
-@description('Prefix for cluster name. Only The name can contain only letters, numbers, underscores and hyphens. The name must start with letter or number.')
-param aksClusterNamePrefix string = 'wlsonaks'
 @description('Resource group name of an existing AKS cluster.')
 param aksClusterRGName string = ''
 @description('Name of an existing AKS cluster.')
@@ -60,7 +59,6 @@ param azCliVersion string = ''
 param cpuPlatform string = 'linux/amd64'
 @description('true to create a new AKS cluster.')
 param createAKSCluster bool = true
-param createStorageAccount bool = false
 param databaseType string = 'oracle'
 param dbDriverLibrariesUrls array = []
 @description('In addition to the CPU and memory metrics included in AKS by default, you can enable Container Insights for more comprehensive data on the overall performance and health of your cluster. Billing is based on data ingestion and retention settings.')
@@ -170,7 +168,7 @@ module aksClusterDeployment './_azure-resoruces/_aks.bicep' = if (createAKSClust
 aksAgentPoolNodeCount: aksAgentPoolNodeCount
 aksAgentPoolNodeMaxCount: aksAgentPoolNodeMaxCount
 aksAgentPoolVMSize: vmSize
- aksClusterNamePrefix: aksClusterNamePrefix
+ aksClusterName: aksClusterName
 aksVersion: aksVersion
 enableAzureMonitoring: enableAzureMonitoring
 location: location
@@ -182,7 +180,7 @@ module aksClusterDeployment './_azure-resoruces/_aks.bicep' = if (createAKSClust
 }
 // enableAppGWIngress: if true, will create storage for certificates.
-module storageDeployment './_azure-resoruces/_storage.bicep' = if (createStorageAccount) {
+module storageDeployment './_azure-resoruces/_storage.bicep' = {
 name: 'storage-deployment'
 params: {
 fileShareName: fileShareName
@@ -203,8 +201,9 @@ module wlsDomainDeployment './_deployment-scripts/_ds-create-wls-cluster.bicep'
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
+ _globalResourceNameSufix: _globalResourceNameSufix
 aksClusterRGName: createAKSCluster ? resourceGroup().name : aksClusterRGName
- aksClusterName: createAKSCluster ? aksClusterDeployment.outputs.aksClusterName : aksClusterName
+ aksClusterName: aksClusterName
 acrName: useOracleImage ? acrName : userProvidedAcr
 acrResourceGroupName: useOracleImage ? acrResourceGroupName : userProvidedAcrRgName
 appPackageUrls: appPackageUrls
@@ -280,7 +279,7 @@ module pidEnd './_pids/_pid.bicep' = {
 ]
 }
-output aksClusterName string = createAKSCluster ? aksClusterDeployment.outputs.aksClusterName : aksClusterName
+output aksClusterName string = aksClusterName
 output aksClusterRGName string = createAKSCluster ? resourceGroup().name : aksClusterRGName
 output aksNodeRgName string = createAKSCluster? aksClusterDeployment.outputs.aksNodeRgName : existingAKSCluster.properties.nodeResourceGroup
 output adminServerEndPoint string = format('http://{0}-admin-server.{0}-ns.svc.cluster.local:7001/console', wlsDomainUID)
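Review bot: `aksClusterName: aksClusterName` in the `wlsDomainDeployment` params no longer references `aksClusterDeployment.outputs.aksClusterName`, and that reference was the implicit dependency that made the domain-creation script wait for the new cluster when `createAKSCluster` is true; unless the module body, which continues outside the hunk, carries `dependsOn: [ aksClusterDeployment ]` or another reference to the module, the script can now be scheduled before the cluster exists and fail on first contact. The same loss of ordering applies to the `output aksClusterName` line. `storageDeployment` is now unconditional, but the comment directly above it still reads `// enableAppGWIngress: if true, will create storage for certificates.`, and `aksClusterName`'s `@description` (earlier hunk in this file) still says it names an existing cluster even though it now also names the cluster being created; with `aksClusterNamePrefix` deleted, the only documented naming rule for the cluster went with it, so its character constraints should move onto `aksClusterName`. Making the storage account mandatory also means every deployment now provisions one even when nothing uses it, which is worth stating in the comment if intentional.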
From 414f79b208382cb609671c5f8d25ba3a0b8dabf1 Mon Sep 17 00:00:00 2001
From: galiacheng
Date: Mon, 20 Jan 2025 10:14:55 +0800
Subject: [PATCH 03/32] remove var name_appGateway as there is a param for it.
---
 .../modules/_azure-resoruces/_appgateway.bicep | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
index bd4bece62..beaa9cad8 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_appgateway.bicep
@@ -25,18 +25,17 @@ param tagsByResource object
 param utcValue string = utcNow()
 var const_sslCertPsw = (noSslCertPsw) ? '' : sslCertPswData
-var name_appGateway = gatewayName
 var name_backendAddressPool = 'myGatewayBackendPool'
 var name_frontEndIPConfig = 'appGwPublicFrontendIp'
 var name_frontEndPrivateIPConfig = 'appGwPrivateFrontendIp'
 var name_httpListener = 'HTTPListener'
 var name_httpPort = 'httpport'
 var name_httpSetting = 'myHTTPSetting'
-var ref_backendAddressPool = resourceId('Microsoft.Network/applicationGateways/backendAddressPools', name_appGateway, name_backendAddressPool)
-var ref_backendHttpSettings = resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', name_appGateway, name_httpSetting)
-var ref_frontendHTTPPort = resourceId('Microsoft.Network/applicationGateways/frontendPorts', name_appGateway, name_httpPort)
-var ref_frontendIPConfiguration = resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', name_appGateway, name_frontEndIPConfig)
-var ref_httpListener = resourceId('Microsoft.Network/applicationGateways/httpListeners', name_appGateway, name_httpListener)
+var ref_backendAddressPool = resourceId('Microsoft.Network/applicationGateways/backendAddressPools', gatewayName, name_backendAddressPool)
+var ref_backendHttpSettings = resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', gatewayName, name_httpSetting)
+var ref_frontendHTTPPort = resourceId('Microsoft.Network/applicationGateways/frontendPorts', gatewayName, name_httpPort)
+var ref_frontendIPConfiguration = resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', gatewayName, name_frontEndIPConfig)
+var ref_httpListener = resourceId('Microsoft.Network/applicationGateways/httpListeners', gatewayName, name_httpListener)
 var ref_publicIPAddress = resourceId('Microsoft.Network/publicIPAddresses', gatewayPublicIPAddressName)
 var obj_backendTrustedRootCerts = [
 {
@@ -97,7 +96,7 @@ resource gatewayPublicIP 'Microsoft.Network/publicIPAddresses@${azure.apiVersion
 }
 resource wafv2AppGateway 'Microsoft.Network/applicationGateways@${azure.apiVersionForApplicationGateways}' = {
- name: name_appGateway
+ name: gatewayName
 location: location
 tags: union(tagsByResource['${identifier.applicationGateways}'], obj_tagIngress)
 properties: {
@@ -198,6 +197,6 @@ resource wafv2AppGateway 'Microsoft.Network/applicationGateways@${azure.apiVersi
 output appGatewayAlias string = usePrivateIP ? staticPrivateFrontentIP : reference(gatewayPublicIP.id).dnsSettings.fqdn
 output appGatewayId string = wafv2AppGateway.id
-output appGatewayName string = name_appGateway
+output appGatewayName string = gatewayName
 output appGatewayURL string = uri(format('http://{0}/', usePrivateIP ? staticPrivateFrontentIP : reference(gatewayPublicIP.id).dnsSettings.fqdn), '')
 output appGatewaySecuredURL string = uri(format('https://{0}/', usePrivateIP ? staticPrivateFrontentIP : reference(gatewayPublicIP.id).dnsSettings.fqdn), '')
From a1e54cbe7b66906a8685942dea682daa799d7f23 Mon Sep 17 00:00:00 2001
From: galiacheng
Date: Mon, 20 Jan 2025 10:21:03 +0800
Subject: [PATCH 04/32] define _globalResourceNameSufix: _globalResourceNameSufix in the scaling scripts
---
 .../bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep | 3 ++-
 .../src/main/bicep/modules/_enableAutoScaling.bicep | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
index a8b882fbd..a1edfea39 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
@@ -1,6 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param _globalResourceNameSufix string
 param aksClusterName string
 param aksClusterRGName string
 param azCliVersion string
@@ -22,7 +23,7 @@ param wlsNamespace string
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableHpa.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-enable-hpa-${uniqueString(utcValue)}'
+var const_deploymentName='ds-enable-hpa-${_globalResourceNameSufix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep b/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep
index 9e5abf06b..da1559e3f 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep
@@ -3,6 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 */
+param _globalResourceNameSufix string
 param _pidCPUUtilization string = ''
 param _pidEnd string = ''
 param _pidMemoryUtilization string = ''
@@ -72,6 +73,7 @@ module pidWme './_pids/_pid.bicep' = if(!useHpa) {
 module hapDeployment '_deployment-scripts/_ds_enable_hpa.bicep' = if(useHpa) {
 name: 'hpa-deployment'
 params: {
+ _globalResourceNameSufix: _globalResourceNameSufix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
@@ -91,6 +93,7 @@ module hapDeployment '_deployment-scripts/_ds_enable_hpa.bicep' = if(useHpa) { module promethuesKedaDeployment '_enablePromethuesKeda.bicep' = if (!useHpa) { name: 'promethues-keda-weblogic-monitoring-exporter-deployment' params: { + _globalResourceNameSufix: _globalResourceNameSufix aksClusterName: aksClusterName aksClusterRGName: aksClusterRGName azCliVersion: azCliVersion From 636c55e140e7b4e38d3467b59611c6067c7c4f69 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 20 Jan 2025 10:28:13 +0800 Subject: [PATCH 05/32] mitigate Bicep warning. --- .../bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep | 4 ++-- .../_deployment-scripts/_ds_enable_prometheus_metrics.bicep | 2 +- .../modules/_rolesAssignment/_roleAssignmentinRgScope.bicep | 4 ++-- .../main/bicep/modules/_setupPasswordlessDBConnection.bicep | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep index a1edfea39..499e288d6 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep @@ -53,11 +53,11 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers } { name: 'UTILIZATION_PERCENTAGE' - value: utilizationPercentage + value: string(utilizationPercentage) } { name: 'WLS_CLUSTER_SIZE' - value: wlsClusterSize + value: string(wlsClusterSize) } { name: 'WLS_NAMESPACE' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep index 8fbe3460f..7aa6574b5 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep 
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep @@ -72,7 +72,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers } { name: 'WLS_CLUSTER_SIZE' - value: wlsClusterSize + value: string(wlsClusterSize) } { name: 'WLS_ADMIN_PASSWORD' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep index ca71cfde9..7b47d30ef 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep @@ -16,13 +16,13 @@ Usage: } */ +param _globalResourceNameSufix string // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles param roleDefinitionId string = '' param identity object = {} -param utcValue string = utcNow() var const_identityAPIVersion = '2022-01-31-PREVIEW' -var name_roleAssignmentName = guid('${subscription().id}${utcValue}Role assignment in resource group scope') +var name_roleAssignmentName = guid('${subscription().id}${_globalResourceNameSufix}Role assignment in resource group scope') // Get role resource id resource roleResourceDefinition 'Microsoft.Authorization/roleDefinitions@${azure.apiVersionForRoleDefinitions}' existing = { diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep index af430d9df..601eaf03b 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep 
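Review bot: The new `var name_roleAssignmentName` line builds the assignment name from only the subscription id and `_globalResourceNameSufix`, so two invocations of this module with the same suffix but a different role or identity produce the same `guid` and collide (the one caller visible here, in `_setupPasswordlessDBConnection.bicep`, passes `roleDefinitionId` and `identity`, neither of which feeds the name). Since the name is now deterministic per deployment, fold the distinguishing inputs into it: `var name_roleAssignmentName = guid('${subscription().id}${_globalResourceNameSufix}${roleDefinitionId}${string(identity)}Role assignment in resource group scope')`. Whether `_globalResourceNameSufix` is stable across redeployments is not visible in this hunk; if it is still derived from `utcNow()` upstream, the name changes every run and stale assignments accumulate in the target resource group.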
@@ -81,6 +81,7 @@ module dbIdentityVMContributorRoleAssignment '_rolesAssignment/_roleAssignmentin name: 'assign-db-identity-vm-contributor-role' scope: resourceGroup(aksNodeRGName) params: { + _globalResourceNameSufix: _globalResourceNameSufix identity: dbIdentity roleDefinitionId: const_roleDefinitionIdOfVMContributor } From 822f165f281c5bbd5fa198f2d08f6a86154fc36e Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 20 Jan 2025 11:21:23 +0800 Subject: [PATCH 06/32] add location input parameter to workflow for resource creation --- .../testWlsAksWithDependencyCreation.yml | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/testWlsAksWithDependencyCreation.yml b/.github/workflows/testWlsAksWithDependencyCreation.yml index a31d3c338..fb9416cfc 100644 --- a/.github/workflows/testWlsAksWithDependencyCreation.yml +++ b/.github/workflows/testWlsAksWithDependencyCreation.yml @@ -19,6 +19,10 @@ on: description: 'The VM size for the AKS pool' required: true default: Standard_D2s_v3 + location: + description: 'The location for the resources' + required: true + default: eastus # sample cURL # curl --verbose -X POST https://api.github.com/repos//weblogic-azure/dispatches -H 'Accept: application/vnd.github.everest-preview+json' -H 'Authorization: token ' --data '{"event_type": "aks-integration-test-with-dependency-creation", "client_payload": {"gitUserNameForArtifactsLocation": "", "testBranchNameForArtifactsLocation": "", "isForDemo": "false"}}' repository_dispatch: @@ -26,7 +30,6 @@ on: env: azureCredentials: ${{ secrets.AZURE_CREDENTIALS }} - location: eastus resourceGroupForWlsAks: wlsd-aks-${{ github.run_id }}-${{ github.run_number }} dbAdminUser: weblogic dbPassword: ${{ secrets.DB_PASSWORD }} 
@@ -51,6 +54,7 @@ jobs: testBranchNameForArtifactsLocation: ${{ steps.setup-env-variables-based-on-dispatch-event.outputs.testBranchNameForArtifactsLocation }} azCliVersion: ${{steps.set-az-cli-version.outputs.azCliVersion}} vmSize: ${{ steps.setup-env-variables-based-on-dispatch-event.outputs.vmSize }} + location: ${{ steps.setup-env-variables-based-on-dispatch-event.outputs.location }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v2.3.4 
@@ -72,27 +76,32 @@ jobs: - name: Setup environment variables id: setup-env-variables-based-on-dispatch-event run: | + location=eastus # default value if [ ${{ github.event_name }} == 'workflow_dispatch' ]; then isForDemo=${{ github.event.inputs.isForDemo }} gitUserNameForArtifactsLocation=${{ github.event.inputs.gitUserNameForArtifactsLocation }} testBranchNameForArtifactsLocation=${{ github.event.inputs.testBranchNameForArtifactsLocation }} vmSize=${{ github.event.inputs.vmSize }} + location=${{ github.event.inputs.location }} else isForDemo=${{ github.event.client_payload.isForDemo }} gitUserNameForArtifactsLocation=${{ github.event.client_payload.gitUserNameForArtifactsLocation }} testBranchNameForArtifactsLocation=${{ github.event.client_payload.testBranchNameForArtifactsLocation }} vmSize=${{ github.event.client_payload.vmSize }} + location=${{ github.event.client_payload.location }} fi echo "##[set-output name=isForDemo;]${isForDemo}" echo "##[set-output name=gitUserNameForArtifactsLocation;]${gitUserNameForArtifactsLocation}" echo "##[set-output name=testBranchNameForArtifactsLocation;]${testBranchNameForArtifactsLocation}" echo "##[set-output name=vmSize;]${vmSize}" + echo "##[set-output name=location;]${location}" echo "isForDemo=${isForDemo}" >> $GITHUB_ENV echo "gitUserNameForArtifactsLocation=${gitUserNameForArtifactsLocation}" >> $GITHUB_ENV echo "testBranchNameForArtifactsLocation=${testBranchNameForArtifactsLocation}" >> $GITHUB_ENV echo "vmSize=${vmSize}" >> $GITHUB_ENV + echo "location=${location}" >> $GITHUB_ENV - uses: actions/checkout@v2.3.4 - name: Set up Maven with GitHub token uses: ./.github/actions/setupmaven @@ -137,6 +146,7 @@ jobs: - name: Get AZ CLI Version run: | echo "azCliVersion=${{needs.preflight.outputs.azCliVersion}}" >> $GITHUB_ENV + echo "location=${{needs.preflight.outputs.location}}" >> $GITHUB_ENV - uses: azure/login@v1 id: azure-login with: 
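Review bot: The added `location=${{ github.event.client_payload.location }}` line, like the existing `vmSize`/`isForDemo` lines around it, expands a caller-controlled dispatch payload directly into the shell script, so a value such as `eastus; <command>` executes on the runner with the job's secrets in scope. Route it through an environment variable and quote it: add `env: LOCATION_INPUT: ${{ github.event.client_payload.location }}` to the step and write `location="$LOCATION_INPUT"`. The `location=eastus # default value` line is also overwritten unconditionally in both branches, so an absent payload field yields an empty location rather than `eastus`; `location="${LOCATION_INPUT:-eastus}"` preserves the default.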
@@ -147,7 +157,7 @@ jobs: azcliversion: ${{ env.azCliVersion }} inlineScript: | echo "create resource group" ${{ env.resourceGroupForDB }} - az group create --verbose --name ${{ env.resourceGroupForDB }} --location ${{ env.location }} + az group create --verbose --name ${{ env.resourceGroupForDB }} --location $location - uses: actions/checkout@v2.3.4 - name: Set up PostgreSQL Flexible Server that allows access from Azure services @@ -157,7 +167,7 @@ jobs: dbName: ${{ env.dbName }} dbPassword: ${{ env.dbPassword }} dbServerName: ${{ env.dbServerName }} - location: ${{ env.location }} + location: $location resourceGroupName: ${{ env.resourceGroupForDB }} deploy-storage-account: @@ -167,6 +177,7 @@ jobs: - name: Get AZ CLI Version run: | echo "azCliVersion=${{needs.preflight.outputs.azCliVersion}}" >> $GITHUB_ENV + echo "location=${{needs.preflight.outputs.location}}" >> $GITHUB_ENV - name: Checkout Azure-Samples/cargotracker-wls-aks uses: actions/checkout@v2 with: @@ -191,7 +202,7 @@ jobs: azcliversion: ${{ env.azCliVersion }} inlineScript: | echo "create resource group" ${{ env.resourceGroupForStorageAccount }} - az group create --verbose --name ${{ env.resourceGroupForStorageAccount }} --location ${{ env.location }} + az group create --verbose --name ${{ env.resourceGroupForStorageAccount }} --location $location - name: Create Storage Account uses: azure/CLI@v1 with: @@ -199,7 +210,7 @@ jobs: inlineScript: | az storage account create --name ${{ env.storageAccountName }} \ --resource-group ${{ env.resourceGroupForStorageAccount }} \ - --location ${{ env.location }} \ + --location $location \ --sku Standard_LRS \ --kind StorageV2 - name: Create Storage Container @@ -221,6 +232,7 @@ jobs: - name: Get AZ CLI Version run: | echo "azCliVersion=${{needs.preflight.outputs.azCliVersion}}" >> $GITHUB_ENV + echo "location=${{needs.preflight.outputs.location}}" >> $GITHUB_ENV - name: Checkout weblogic-azure uses: actions/checkout@v2 with: 
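Review bot: `location: $location` in the `with:` block of the PostgreSQL setup step is passed to the action as the literal string `$location`; `with:` inputs are not shell-expanded, only `${{ }}` expressions are. Unless the action itself echoes that input unquoted into a shell (not visible here), the server would be created in a region named `$location`. Use `location: ${{ env.location }}` as the step did before this change; inside the `inlineScript` blocks `$location` only works if the `azure/CLI` container inherits the job environment, which this hunk cannot confirm either.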
@@ -261,7 +273,7 @@ jobs: azcliversion: ${{ env.azCliVersion }} inlineScript: | echo "create resource group" ${{ env.resourceGroupForWlsAks }} - az group create --verbose --name ${{ env.resourceGroupForWlsAks }} --location ${{ env.location }} + az group create --verbose --name ${{ env.resourceGroupForWlsAks }} --location $location - name: Checkout Azure-Samples/cargotracker-wls-aks uses: actions/checkout@v2 with: From b3c355d4932b42c4b65aff7ef22511cbcee86512 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 20 Jan 2025 12:41:44 +0800 Subject: [PATCH 07/32] use java 11 to build cargotracker. --- .github/workflows/testWlsAksWithDependencyCreation.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/testWlsAksWithDependencyCreation.yml b/.github/workflows/testWlsAksWithDependencyCreation.yml index fb9416cfc..4c06db9d6 100644 --- a/.github/workflows/testWlsAksWithDependencyCreation.yml +++ b/.github/workflows/testWlsAksWithDependencyCreation.yml @@ -183,9 +183,11 @@ jobs: with: repository: Azure-Samples/cargotracker-wls-aks path: cargotracker - - name: Maven build web app - run: | - mvn clean install -PweblogicOnAks --file cargotracker/pom.xml + - uses: actions/setup-java@v4 + with: + distribution: 'microsoft' + java-version: '11' + - run: mvn clean install -PweblogicOnAks --file cargotracker/pom.xml - name: Query version string for deployment verification run: | PROPERTY_FILE="cargotracker/target/cargo-tracker/WEB-INF/classes/org/eclipse/cargotracker/messages.properties" From 074e8c04a958abebd1cb787e304976ff0c3d2d8d Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 20 Jan 2025 13:26:52 +0800 Subject: [PATCH 08/32] fix syntax issue --- weblogic-azure-aks/src/main/bicep/mainTemplate.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 31347d47a..16ca16490 100644 
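Review bot: `actions/setup-java@v4` is referenced by a mutable tag rather than a commit SHA, so a compromised or force-moved tag changes the JDK installer that runs with this job's cloud credentials; pin it, e.g. `uses: actions/setup-java@<full-commit-sha> # v4`. The other actions in this file (`actions/checkout@v2`, `azure/CLI@v1`, `azure/login@v1`) follow the same tag-based pattern, so this is a repository convention rather than a regression of this hunk, but the new step is a good place to start. The `mvn clean install` step also builds a freshly checked-out external repository with unrestricted dependency resolution, which is pre-existing but worth noting for a workflow that holds Azure secrets.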
--- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep @@ -339,7 +339,7 @@ var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSufix} var const_appGatewaySSLCertOptionHaveCert = 'haveCert' var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault' var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSufix) -var const_acrName = (createACR) ? format('{acrwlsaks{0}',const_globalResourceNameSufix) : acrName +var const_acrName = (createACR) ? 'acrwlsaks${const_globalResourceNameSufix}' : acrName var const_azcliVersion = '2.53.0' var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com') var const_bValidateApplications= validateApplications && (length(appPackageUrls) > 0) From c4f6ef9c5e5fe3c59e154a0cbd3800c35a752a8f Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 20 Jan 2025 14:56:11 +0800 Subject: [PATCH 09/32] add sufix to the uami name. --- weblogic-azure-aks/src/main/bicep/mainTemplate.bicep | 1 + weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 16ca16490..c33097070 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep @@ -398,6 +398,7 @@ module partnerCenterPid './modules/_pids/_empty.bicep' = { module uamiDeployment 'modules/_uamiAndRoles.bicep' = { name: 'uami-deployment' params: { + _globalResourceNameSufix: const_globalResourceNameSufix location: location tagsByResource: _objTagsByResource } diff --git a/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep index 1bb159faf..cac84ea95 100644 
--- a/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep @@ -3,6 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. */ +param _globalResourceNameSufix string param location string @description('${label.tagsLabel}') param tagsByResource object @@ -10,7 +11,7 @@ param name_deploymentScriptContributorRoleAssignmentName string = newGuid() // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c' -var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${substring(uniqueString(name_deploymentScriptContributorRoleAssignmentName),0,5)}' +var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSufix}' // UAMI for deployment script From ba1458d8ccfb0b08fa4f4585057486e962adf178 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 20 Jan 2025 16:04:45 +0800 Subject: [PATCH 10/32] ensure all the depoyment script deployments have unique name. --- weblogic-azure-aks/src/main/bicep/mainTemplate.bicep | 1 + .../_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep | 3 ++- .../bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index c33097070..9debc6245 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep 
@@ -519,6 +519,7 @@ resource sslKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) { name: 'appgateway-certificates-secrets-deployment' params: { + _globalResourceNameSufix: const_globalResourceNameSufix backendCertificateDataValue: appGatewaySSLBackendRootCertData certificateDataValue: appGatewaySSLCertData certificatePasswordValue: appGatewaySSLCertPassword diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep index e785e12d2..cfe2a66f3 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep @@ -1,6 +1,7 @@ // Copyright (c) 2021, Oracle Corporation and/or its affiliates. // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +param _globalResourceNameSufix string @description('Managed identity to be used for the deployment script. Currently, only user-assigned MSI is supported.') param identity object = {} @@ -62,7 +63,7 @@ resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { } resource createAddCertificate 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = { - name: 'ds-create-add-appgw-certificate' + name: 'ds-create-add-appgw-certificate-${_globalResourceNameSufix}' location: location identity: identity kind: 'AzurePowerShell' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep index 153b93f38..be920a1a9 100644 
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep @@ -2,6 +2,7 @@ // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. // Deploy Application Gateway certificate secrets. +param _globalResourceNameSufix string @description('Backend certificate data to store in the secret') param backendCertificateDataValue string = newGuid() @@ -51,6 +52,7 @@ var name_sslCertPasswordSecretName = 'myAppGatewaySSLCertPassword' module keyVaultwithSelfSignedAppGatewaySSLCert '_keyvault/_keyvaultWithNewCert.bicep' = if (!useExistingAppGatewaySSLCertificate) { name: 'kv-appgw-selfsigned-certificate-deployment' params: { + _globalResourceNameSufix: _globalResourceNameSufix identity: identity keyVaultName: keyVaultName location: location From 52b9d870a402f159d656526aa2f2ceafbf2633d6 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Tue, 21 Jan 2025 14:17:38 +0800 Subject: [PATCH 11/32] ensure key vault permission model is vault access policy. --- .../scripts/inline-scripts/validateParameters.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh index 6fbc3872e..c5cfc6b5e 100644 --- a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh +++ b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh 
@@ -359,6 +359,13 @@ function download_wls_ssl_certificates_from_keyvault() { exit 1 fi + # check key vault permission model, current support model is Vault access policy. + local enableRbacAuthorization=$(az keyvault show --name ${WLS_SSL_KEYVAULT_NAME} --query "properties.enableRbacAuthorization") + if [[ "${enableRbacAuthorization,,}" != "false" ]]; then + echo_stderr "Make sure Key Vault ${WLS_SSL_KEYVAULT_NAME} is using Vault access policy, not using RBAC authorization. " + exit 1 + fi + # allow the identity to access the keyvault local principalId=$(az identity show --ids ${AZ_SCRIPTS_USER_ASSIGNED_IDENTITY} --query "principalId" -o tsv) az keyvault set-policy --name ${WLS_SSL_KEYVAULT_NAME} --object-id ${principalId} --secret-permissions get list @@ -495,6 +502,13 @@ function download_application_gateway_certificate_from_keyvault() { exit 1 fi + # check key vault permission model, current support model is Vault access policy. + local enableRbacAuthorization=$(az keyvault show --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --query "properties.enableRbacAuthorization") + if [[ "${enableRbacAuthorization,,}" != "false" ]]; then + echo_stderr "Make sure Key Vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} is using Vault access policy, not using RBAC authorization. " + exit 1 + fi + # allow the identity to access the keyvault local principalId=$(az identity show --ids ${AZ_SCRIPTS_USER_ASSIGNED_IDENTITY} --query "principalId" -o tsv) az keyvault set-policy --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --object-id ${principalId} --secret-permissions get list From 444027b47ca11f1ca4c1cdb72b3342141b9b384a Mon Sep 17 00:00:00 2001 
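Review bot: The new `az keyvault show ... --query "properties.enableRbacAuthorization"` check has no `-o tsv` and only string-compares the result, so any failure of the command (missing permission, wrong vault name, vault in another subscription) yields an empty value and is reported to the user as "vault is using RBAC", and a vault for which the property comes back as `null` is rejected the same way. Capture the exit status separately and test for the RBAC case explicitly: `local enableRbacAuthorization; enableRbacAuthorization=$(az keyvault show --name ${WLS_SSL_KEYVAULT_NAME} --query "properties.enableRbacAuthorization" -o tsv) || { echo_stderr "Failed to query Key Vault ${WLS_SSL_KEYVAULT_NAME}."; exit 1; }` followed by `if [[ "${enableRbacAuthorization,,}" == "true" ]]; then`. The identical block is duplicated in `download_application_gateway_certificate_from_keyvault` below and could be one helper; both enclosing functions start outside this hunk.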
From: galiacheng Date: Tue, 21 Jan 2025 15:18:03 +0800 Subject: [PATCH 12/32] enable global uami to access existing key vault. --- .../src/main/bicep/mainTemplate.bicep | 16 ++-- .../_keyvault/_keyvaultWithNewCert.bicep | 2 +- .../bicep/modules/_globalUamiAndRoles.bicep | 86 +++++++++++++++++++ .../main/bicep/modules/_uamiAndRoles.bicep | 34 -------- 4 files changed, 98 insertions(+), 40 deletions(-) create mode 100644 weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 9debc6245..dc7577acb 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep @@ -44,8 +44,6 @@ param aksAgentPoolNodeCount int = 3 param aksAgentPoolNodeMaxCount int = 5 @description('The size of the virtual machines that will form the nodes in the cluster. This cannot be changed after creating the cluster') param vmSize string = 'Standard_DS2_v2' -@description('Prefix for cluster name. Only The name can contain only letters, numbers, underscores and hyphens. The name must start with letter or number.') -param aksClusterNamePrefix string = 'wlsonaks' @description('Resource group name of an existing AKS cluster.') param aksClusterRGName string = 'aks-contoso-rg' @description('Name of an existing AKS cluster.') 
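Review bot: Removing `param aksClusterNamePrefix` from `mainTemplate.bicep` is a breaking interface change for every caller that still supplies it (parameter files, the portal UI definition, the CI workflow), since ARM rejects a deployment that passes an undeclared parameter, and the hunk neither deprecates it nor documents the generated name. Keep the parameter with its default and mark it `@description('Deprecated and ignored: the cluster name is now generated from a global suffix.')`, or confirm in the same change that no UI definition or parameter file references it. Whether anything else in this file still reads the prefix is outside this hunk.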
@@ -160,9 +158,9 @@ param hpaScaleType string = 'cpu' param isSSOSupportEntitled bool = false @description('JNDI Name for JDBC Datasource') param jdbcDataSourceName string = 'jdbc/contoso' -@description('Existing Key Vault Name') +@description('Existing Key Vault Name that stores certificate of Application Gateway backend TLS/SSL.') param keyVaultName string = 'kv-contoso' -@description('Resource group name in current subscription containing the KeyVault') +@description('Resource group name in current subscription containing the KeyVault that stores certificate of Application Gateway backend TLS/SSL.') param keyVaultResourceGroup string = 'kv-contoso-rg' @description('Price tier for Key Vault.') param keyVaultSku string = 'Standard' @@ -395,10 +393,18 @@ module partnerCenterPid './modules/_pids/_empty.bicep' = { name: 'pid-a1775ed4-512c-4cfa-9e68-f0b09b36de90-partnercenter' } -module uamiDeployment 'modules/_uamiAndRoles.bicep' = { +module uamiDeployment 'modules/_globalUamiAndRoles.bicep' = { name: 'uami-deployment' params: { _globalResourceNameSufix: const_globalResourceNameSufix + enableCustomSSL: enableCustomSSL + sslConfigurationAccessOption: sslConfigurationAccessOption + sslKeyVaultName: sslKeyVaultName + sslKeyVaultResourceGroup: sslKeyVaultResourceGroup + enableAppGWIngress: enableAppGWIngress + appGatewayCertificateOption: appGatewayCertificateOption + keyVaultName: keyVaultName + keyVaultResourceGroup: keyVaultResourceGroup location: location tagsByResource: _objTagsByResource } diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep index cfe2a66f3..fa792a2b3 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep 
@@ -12,7 +12,7 @@ param location string @description('Access permission of the key vault, will applied to all access policies.') param permission object = { - certificates: [ + secrets: [ 'get' 'list' 'update' diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep new file mode 100644 index 000000000..caacde2e0 --- /dev/null +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep 
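Review bot: `'update'` on the renamed `secrets:` list is not a Key Vault secret permission (secret permissions are get, list, set, delete, backup, restore, recover, purge; `update` is a certificate permission), so an access policy built from this default is likely to be rejected, and even if accepted a script that writes the generated certificate into the vault as a secret needs `set`, not `update`. Change the list to `'get'`, `'list'`, `'set'`, and if the deployment script also manages the certificate object itself, add a separate `certificates:` entry rather than reusing one list for both. The description says this object is applied to all access policies, so keep it to the minimum the script actually needs.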
@@ -0,0 +1,86 @@ +/* + Copyright (c) 2021, Oracle and/or its affiliates. +Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +*/ + +param _globalResourceNameSufix string +param enableCustomSSL bool +@allowed([ + 'uploadConfig' + 'keyVaultStoredConfig' +]) +param sslConfigurationAccessOption string +param sslKeyVaultName string +param sslKeyVaultResourceGroup string +param enableAppGWIngress bool +@allowed([ + 'haveCert' + 'haveKeyVault' + 'generateCert' +]) +param appGatewayCertificateOption string +param keyVaultName string +param keyVaultResourceGroup string +param location string +@description('${label.tagsLabel}') +param tagsByResource object +param name_deploymentScriptContributorRoleAssignmentName string = newGuid() + +// https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles +var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c' +var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSufix}' +var obj_permission = { + secrets: [ + 'get' + 'list' + ] +} + +// UAMI for deployment script +resource uamiForDeploymentScript 'Microsoft.ManagedIdentity/userAssignedIdentities@${azure.apiVersionForIdentity}' = { + name: name_deploymentScriptUserDefinedManagedIdentity + location: location + tags: tagsByResource['${identifier.userAssignedIdentities}'] +} + +// Assign Contributor role in subscription scope, we need the permission to get/update resource cross resource group. 
+module deploymentScriptUAMICotibutorRoleAssignment '_rolesAssignment/_roleAssignmentinSubscription.bicep' = { + name: name_deploymentScriptContributorRoleAssignmentName + scope: subscription() + params: { + roleDefinitionId: const_roleDefinitionIdOfContributor + principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId + } +} + +resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = if (enableCustomSSL && sslConfigurationAccessOption == 'keyVaultStoredConfig') { + name: sslKeyVaultName + resourceGroup: sslKeyVaultResourceGroup + properties: { + accessPolicies: [ + { + objectId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId + tenantId: subscription().tenantId + permissions: obj_permission + } + ] + enabledForTemplateDeployment: true + } +} + +resource updateKeyvaultStoringAppGwCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = if (enableAppGWIngress && appGatewayCertificateOption == 'haveKeyVault') { + name: keyVaultName + resourceGroup: keyVaultResourceGroup + properties: { + accessPolicies: [ + { + objectId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId + tenantId: subscription().tenantId + permissions: obj_permission + } + ] + enabledForTemplateDeployment: true + } +} + +output uamiIdForDeploymentScript string = uamiForDeploymentScript.id diff --git a/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep deleted file mode 100644 index cac84ea95..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_uamiAndRoles.bicep +++ /dev/null 
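Review bot: `updateKeyvaultStoringWLSSSLCerts` and `updateKeyvaultStoringAppGwCerts` redeclare the customer's existing vault as a full `Microsoft.KeyVault/vaults` resource whose `properties` contain only `accessPolicies` and `enabledForTemplateDeployment`; a PUT on a vault replaces its policy list, so every policy the owner already has would be dropped in favour of the single deployment-script entry, and `resourceGroup:` is not a property of a resource declaration at all (deploying into another resource group requires a module with `scope:`). Add the policy through the `Microsoft.KeyVault/vaults/accessPolicies` child resource named `add` against an `existing` vault reference so nothing else on the vault is touched. Separately, the `Contributor` assignment at `subscription()` scope for the deployment-script identity, carried over from `_uamiAndRoles.bicep`, is far broader than the cross-resource-group get/update the comment describes; scoping it to the resource groups actually involved would be the least-privilege shape, though which groups those are is not visible here.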
@@ -1,34 +0,0 @@ -/* - Copyright (c) 2021, Oracle and/or its affiliates. -Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -*/ - -param _globalResourceNameSufix string -param location string -@description('${label.tagsLabel}') -param tagsByResource object -param name_deploymentScriptContributorRoleAssignmentName string = newGuid() - -// https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles -var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c' -var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSufix}' - - -// UAMI for deployment script -resource uamiForDeploymentScript 'Microsoft.ManagedIdentity/userAssignedIdentities@${azure.apiVersionForIdentity}' = { - name: name_deploymentScriptUserDefinedManagedIdentity - location: location - tags: tagsByResource['${identifier.userAssignedIdentities}'] -} - -// Assign Contributor role in subscription scope, we need the permission to get/update resource cross resource group. -module deploymentScriptUAMICotibutorRoleAssignment '_rolesAssignment/_roleAssignmentinSubscription.bicep' = { - name: name_deploymentScriptContributorRoleAssignmentName - scope: subscription() - params: { - roleDefinitionId: const_roleDefinitionIdOfContributor - principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId - } -} - -output uamiIdForDeploymentScript string = uamiForDeploymentScript.id From 054f171afff4981a19ee40200d30c1f7d2d50b9d Mon Sep 17 00:00:00 2001 
From: galiacheng Date: Tue, 21 Jan 2025 15:42:10 +0800 Subject: [PATCH 13/32] create a seperate module to update access policy of key vault. --- .../_keyvaultGetListAccessPolicy.bicep | 32 +++++++++++++++++ .../bicep/modules/_globalUamiAndRoles.bicep | 36 +++++++------------ 2 files changed, 44 insertions(+), 24 deletions(-) create mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep
new file mode 100644
index 000000000..3b832dd69
--- /dev/null
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep
@@ -0,0 +1,32 @@
+/*
+ Copyright (c) 2021, 2025 Oracle and/or its affiliates.
+Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+*/
+
+// This script is to update existing keyvault with access policy for global uami.
+// And enable template deployment for the keyvault.
+
+param sslKeyVaultName string
+param principalId string
+
+var obj_permission = {
+ secrets: [
+ 'get'
+ 'list'
+ ]
+}
+
+resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = {
+ name: sslKeyVaultName
+ resourceGroup: sslKeyVaultResourceGroup
+ properties: {
+ accessPolicies: [
+ {
+ objectId: principalId
+ tenantId: subscription().tenantId
+ permissions: obj_permission
+ }
+ ]
+ enabledForTemplateDeployment: true
+ }
+}
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep
index caacde2e0..23b5ada3b 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep
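Review bot: The `resourceGroup: sslKeyVaultResourceGroup` line references a symbol this file never declares (its only parameters are `sslKeyVaultName` and `principalId`), and `resourceGroup` is not a valid property on a resource declaration in any case; the caller already deploys this module with `scope: resourceGroup(...)`, so the line should simply go. More importantly, declaring the customer's existing vault as a full `Microsoft.KeyVault/vaults` resource with a one-entry `accessPolicies` list replaces the vault's entire policy set on PUT, locking every other principal out, and omits the `sku`/`tenantId` a vault PUT requires. Add the policy through the `accessPolicies` child resource against an `existing` reference, as below; `enabledForTemplateDeployment: true` widens what ARM may read from the vault and should be set deliberately by the vault owner, or documented as a prerequisite, rather than toggled by this module.
```bicep
param sslKeyVaultName string
param principalId string

// … unchanged: obj_permission …

resource existingKeyVault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = {
  name: sslKeyVaultName
}

// Adds one policy for the global UAMI without replacing the policies already on the vault.
resource addGlobalUamiAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@${azure.apiVersionForKeyVault}' = {
  parent: existingKeyVault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        objectId: principalId
        tenantId: subscription().tenantId
        permissions: obj_permission
      }
    ]
  }
}
```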
@@ -53,33 +53,21 @@ module deploymentScriptUAMICotibutorRoleAssignment '_rolesAssignment/_roleAssign } } -resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = if (enableCustomSSL && sslConfigurationAccessOption == 'keyVaultStoredConfig') { - name: sslKeyVaultName - resourceGroup: sslKeyVaultResourceGroup - properties: { - accessPolicies: [ - { - objectId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId - tenantId: subscription().tenantId - permissions: obj_permission - } - ] - enabledForTemplateDeployment: true +module updateKeyvaultStoringWLSSSLCerts '_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep' = if (enableCustomSSL && sslConfigurationAccessOption == 'keyVaultStoredConfig') { + name: 'update-keyvault-storing-wls-ssl-certs-with-getlist-permission' + scope: resourceGroup(sslKeyVaultResourceGroup) + params: { + sslKeyVaultName: sslKeyVaultName + principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId } } -resource updateKeyvaultStoringAppGwCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = if (enableAppGWIngress && appGatewayCertificateOption == 'haveKeyVault') { - name: keyVaultName - resourceGroup: keyVaultResourceGroup - properties: { - accessPolicies: [ - { - objectId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId - tenantId: subscription().tenantId - permissions: obj_permission - } - ] - enabledForTemplateDeployment: true +module updateKeyvaultStoringAppgwCerts '_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == 'haveKeyVault') { + name: 'update-keyvault-storing-wls-ssl-certs-with-getlist-permission' + scope: resourceGroup(keyVaultResourceGroup) 
+ params: { + sslKeyVaultName: keyVaultName + principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId } } From d84d94227bdf6c802cb77b34e388e78445c3d145 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Tue, 21 Jan 2025 15:43:43 +0800 Subject: [PATCH 14/32] set enableRbacAuthorization with false. --- .../_keyvault/_keyvaultGetListAccessPolicy.bicep | 2 +- .../src/main/bicep/modules/_globalUamiAndRoles.bicep | 8 +------- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep index 3b832dd69..6b9e15cab 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep @@ -18,7 +18,6 @@ var obj_permission = { resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { name: sslKeyVaultName - resourceGroup: sslKeyVaultResourceGroup properties: { accessPolicies: [ { @@ -28,5 +27,6 @@ resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.api } ] enabledForTemplateDeployment: true + enableRbacAuthorization: false } } diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep index 23b5ada3b..11dab490c 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep 
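Review bot: Both new module calls resolve the identity's principal id with `reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId` although the identity is declared in this same file as `uamiForDeploymentScript`; the symbolic form `principalId: uamiForDeploymentScript.properties.principalId` is what the Bicep linter expects, pins the API version, and makes the dependency on the identity explicit instead of relying on `reference()` resolving a same-template resource by name. The same expression is repeated in the `specify location` and `set vault sku` commits' hunks of this file. The hunk opens on the closing braces of the preceding `deploymentScriptUAMICotibutorRoleAssignment` module, which starts outside it.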
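Review bot: `enableRbacAuthorization: false` is written unconditionally into the PUT on a vault this template did not create, so a vault whose owner has opted into Azure RBAC authorization is silently switched back to access-policy mode, changing the authorization model for every consumer of that vault and, together with `enabledForTemplateDeployment: true` on the previous line, widening what a deployment can read from it. The module should not decide this for an existing vault: read the current value from the `existing` resource and stop if RBAC is on (documented as `// RBAC-mode vaults cannot be granted via accessPolicies; the caller must assign a Key Vault data-plane role instead`), or pass the vault's current `properties` through unchanged apart from the policy entry being added. The `updateKeyvaultStoringWLSSSLCerts` resource this hunk edits starts outside the hunk.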
@@ -29,12 +29,6 @@ param name_deploymentScriptContributorRoleAssignmentName string = newGuid() // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c' var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSufix}' -var obj_permission = { - secrets: [ - 'get' - 'list' - ] -} // UAMI for deployment script resource uamiForDeploymentScript 'Microsoft.ManagedIdentity/userAssignedIdentities@${azure.apiVersionForIdentity}' = { @@ -63,7 +57,7 @@ module updateKeyvaultStoringWLSSSLCerts '_azure-resoruces/_keyvault/_keyvaultGet } module updateKeyvaultStoringAppgwCerts '_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == 'haveKeyVault') { - name: 'update-keyvault-storing-wls-ssl-certs-with-getlist-permission' + name: 'update-keyvault-storing-appgw-certs-with-getlist-permission' scope: resourceGroup(keyVaultResourceGroup) params: { sslKeyVaultName: keyVaultName From 3b718e1b0b29a4f6f1ce026ab808d986c8114ce2 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Wed, 22 Jan 2025 13:42:52 +0800 Subject: [PATCH 15/32] specify location. --- .../_keyvault/_keyvaultGetListAccessPolicy.bicep | 6 ++++-- .../main/bicep/modules/_globalUamiAndRoles.bicep | 16 ++++++++++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep index 6b9e15cab..ea701478f 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep 
@@ -6,7 +6,8 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or // This script is to update existing keyvault with access policy for global uami. // And enable template deployment for the keyvault. -param sslKeyVaultName string +param keyVaultName string +param location string param principalId string var obj_permission = { @@ -17,7 +18,8 @@ var obj_permission = { } resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: sslKeyVaultName + name: keyVaultName + location: location properties: { accessPolicies: [ { diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep index 11dab490c..0b3f3acb0 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep @@ -47,11 +47,22 @@ module deploymentScriptUAMICotibutorRoleAssignment '_rolesAssignment/_roleAssign } } +resource keyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = { + name: sslKeyVaultName + scope: resourceGroup(sslKeyVaultResourceGroup) +} + +resource keyvaultStoringAppgwCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = { + name: keyVaultName + scope: resourceGroup(keyVaultResourceGroup) +} + module updateKeyvaultStoringWLSSSLCerts '_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep' = if (enableCustomSSL && sslConfigurationAccessOption == 'keyVaultStoredConfig') { name: 'update-keyvault-storing-wls-ssl-certs-with-getlist-permission' scope: resourceGroup(sslKeyVaultResourceGroup) params: { - sslKeyVaultName: sslKeyVaultName + location: keyvaultStoringWLSSSLCerts.location + keyVaultName: sslKeyVaultName principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId } } 
@@ -60,7 +71,8 @@ module updateKeyvaultStoringAppgwCerts '_azure-resoruces/_keyvault/_keyvaultGetL name: 'update-keyvault-storing-appgw-certs-with-getlist-permission' scope: resourceGroup(keyVaultResourceGroup) params: { - sslKeyVaultName: keyVaultName + location: keyvaultStoringAppgwCerts.location + keyVaultName: keyVaultName principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId } } From ccd943389cde7f7b213e5693bcee96e3d6965de1 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Wed, 22 Jan 2025 14:36:48 +0800 Subject: [PATCH 16/32] fix build error --- .../src/main/bicep/modules/_setupDBConnection.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep index 962160010..0f36da82f 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep @@ -6,7 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' -param _globalResourceNameSufix string +param _globalResourceNameSufix string = uniqueString(utcNow()) param _pidEnd string = '' param _pidStart string = '' param _pidOtherDb string = '' From e98a2721aa4620d2eab9d6d8236a6f6443d5f57d Mon Sep 17 00:00:00 2001 From: galiacheng Date: Wed, 22 Jan 2025 14:47:45 +0800 Subject: [PATCH 17/32] Error BCP035: The specified "object" declaration is missing the following required properties: "tagsByResource" --- pom.xml | 2 +- .../src/main/bicep/modules/_setupDBConnection.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 6497997f1..1a6aadab7 100644 --- a/pom.xml +++ b/pom.xml 
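Review bot: Defaulting `_globalResourceNameSufix` to `uniqueString(utcNow())` makes the suffix differ on every deployment, so any resource in `_setupDBConnection.bicep` whose name embeds it is created anew rather than updated whenever the module is deployed without the caller passing the suffix; that is presumably acceptable for a compile-time placeholder but not for a standalone deployment. If the default exists only to satisfy the build, say so on the parameter: `@description('Suffix shared by all resources of one deployment; callers must pass the parent template value, the default is a per-deployment placeholder.')`. The parameter block continues outside the hunk.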
@@ -40,7 +40,7 @@ - 1.0.86 + 1.0.87 1.0.30 1.0.55 diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep index 0f36da82f..ff955555b 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep @@ -42,7 +42,7 @@ param identity object = {} param jdbcDataSourceName string = 'jdbc/contoso' param location string @description('${label.tagsLabel}') -param tagsByResource object +param tagsByResource object = {} @description('UID of WebLogic domain, used in WebLogic Operator.') param wlsDomainUID string = 'sample-domain1' @secure() From 6d1c1f22dd3618a5f1ff37f2a9c5c429b34d158d Mon Sep 17 00:00:00 2001 From: galiacheng Date: Wed, 22 Jan 2025 16:42:42 +0800 Subject: [PATCH 18/32] set vault sku --- .../_keyvault/_keyvaultGetListAccessPolicy.bicep | 8 ++++---- .../src/main/bicep/modules/_globalUamiAndRoles.bicep | 6 ++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep index ea701478f..22a57d797 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep @@ -6,8 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or // This script is to update existing keyvault with access policy for global uami. // And enable template deployment for the keyvault. -param keyVaultName string -param location string +param keyVault object param principalId string var obj_permission = { 
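Review bot: Defaulting `tagsByResource` to `{}` silences BCP035, but if this module indexes the object the way the repository's other Bicep modules do (`tags: tagsByResource['${identifier.userAssignedIdentities}']`), a lookup of a key that is absent from the empty object fails at deployment time whenever the default is actually used, so the error has moved from build to deploy. Either document that the default is a compile-time placeholder (`@description('Tags per resource type; the empty default is only valid when the caller supplies the object.')`) or guard each lookup, e.g. `contains(tagsByResource, key) ? tagsByResource[key] : {}`. The parameter list continues outside the hunk.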
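Review bot: `param keyVault object` carries no description, so a reader of this module cannot tell that it expects the existing vault's resource object and reads `name`, `location` and `sku` from it; add `@description('The existing Key Vault to update, passed as the resource symbol; its name, location and sku are reused so the PUT does not alter them.')`. Replacing the two typed string parameters with an untyped object also removes the compiler's check on the caller, which is a trade-off worth a one-line comment at the two call sites in `_globalUamiAndRoles.bicep`.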
@@ -18,8 +17,9 @@ var obj_permission = { } resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location + name: keyVault.name + location: keyVault.location + sku: keyVault.sku properties: { accessPolicies: [ { diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep index 0b3f3acb0..3d7cb9e76 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep @@ -61,8 +61,7 @@ module updateKeyvaultStoringWLSSSLCerts '_azure-resoruces/_keyvault/_keyvaultGet name: 'update-keyvault-storing-wls-ssl-certs-with-getlist-permission' scope: resourceGroup(sslKeyVaultResourceGroup) params: { - location: keyvaultStoringWLSSSLCerts.location - keyVaultName: sslKeyVaultName + keyVault: keyvaultStoringWLSSSLCerts principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId } } @@ -71,8 +70,7 @@ module updateKeyvaultStoringAppgwCerts '_azure-resoruces/_keyvault/_keyvaultGetL name: 'update-keyvault-storing-appgw-certs-with-getlist-permission' scope: resourceGroup(keyVaultResourceGroup) params: { - location: keyvaultStoringAppgwCerts.location - keyVaultName: keyVaultName + keyVault: keyvaultStoringAppgwCerts principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId } } From 896ee0d947fe4297da96511494fd49864a706198 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Wed, 22 Jan 2025 17:16:07 +0800 Subject: [PATCH 19/32] rename key vault resource --- .../_keyvault/_keyvaultGetListAccessPolicy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep index 22a57d797..546c5dfca 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep @@ -16,7 +16,7 @@ var obj_permission = { ] } -resource updateKeyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { +resource updateExistingKeyVault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { name: keyVault.name location: keyVault.location sku: keyVault.sku From ad5f0385b7b8ffbad0bb208d4b9d2444e93d1829 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Wed, 5 Feb 2025 13:02:14 +0800 Subject: [PATCH 20/32] remove key vault from ui. --- .../src/main/arm/createUiDefinition.json | 343 +----------------- 1 file changed, 4 insertions(+), 339 deletions(-) diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json index c84c654ea..721784536 100644 --- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json +++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json 
@@ -853,60 +853,11 @@ ], "required": false } - }, - { - "name": "sslText00", - "type": "Microsoft.Common.TextBlock", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "options": { - "text": "Choose an option for providing the TLS/SSL KeyStore and enter the values for the required fields:" - } - }, - { - "name": "sslText01", - "type": "Microsoft.Common.TextBlock", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "options": { - "text": "    ⁃ Upload existing KeyStores." - } - }, - { - "name": "sslText02", - "type": "Microsoft.Common.TextBlock", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "options": { - "text": "    ⁃ Use KeyStores stored in Azure Key Vault.", - "link": { - "label": "Learn more", - "uri": "https://aka.ms/wls-aks-tls-ssl" - } - } - }, - { - "name": "sslConfigurationAccessOption", - "type": "Microsoft.Common.OptionsGroup", - "visible": "[steps('section_sslConfiguration').enableCustomSSL]", - "label": "How would you like to provide required configuration", - "defaultValue": "Upload existing KeyStores", - "toolTip": "Select 'Upload existing KeyStores' to use local stored KeyStores.", - "constraints": { - "allowedValues": [ - { - "label": "Upload existing KeyStores", - "value": "uploadConfig" - }, - { - "label": "Use KeyStores stored in Azure Key Vault", - "value": "keyVaultStoredConfig" - } - ], - "required": false - } - }, + }, { "name": "uploadedCustomSSLSettings", "type": "Microsoft.Common.Section", - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_sslConfiguration').sslConfigurationAccessOption, 'uploadConfig'))]", + "visible": "[steps('section_sslConfiguration').enableCustomSSL]", "label": "TLS/SSL configuration settings", "elements": [ { 
@@ -1061,182 +1012,6 @@ } } ] - }, - { - "name": "keyVaultStoredCustomSSLSettings", - "type": "Microsoft.Common.Section", - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_sslConfiguration').sslConfigurationAccessOption, 'keyVaultStoredConfig'))]", - "label": "TLS/SSL configuration settings", - "elements": [ - { - "name": "sslKeystoreInfo1", - "type": "Microsoft.Common.InfoBox", - "visible": "true", - "options": { - "icon": "Info", - "text": "You must provide different files for identity and trust KeyStores. Select here for more details.", - "uri": "https://aka.ms/arm-oraclelinux-wls-ssl-configuration" - } - }, - { - "name": "keyVaultText", - "type": "Microsoft.Common.TextBlock", - "visible": "true", - "options": { - "text": "Enabling a HTTPS (Secure) port for the Administration Console requires you to obtain a valid TLS/SSL certificate. The offer will look for the certificate and other configuration items in the Azure Key Vault specified here.", - "link": { - "label": "Learn more", - "uri": "https://aka.ms/wls-aks-ssl-key-vault" - } - } - }, - { - "name": "keyVaultResourceGroup", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "Resource group name in current subscription containing the Key Vault", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z.\\-_()]{0,89}([a-z0-9A-Z\\-_()]{1}){3,63}$", - "validationMessage": "[if(greater(length(steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultResourceGroup), 90),'Resource group names only allow up to 90 characters.', 'Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.')]" - } - }, - { - "name": "keyVaultName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "Name of the Azure Key Vault containing secrets for the TLS/SSL certificate", - "defaultValue": "", - 
"toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^(?=.{3,24}$)[a-zA-Z](?!.*--)[a-zA-Z0-9-]*[a-zA-Z0-9]$", - "validationMessage": "[if(or(greater(length(steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultName), 24), less(length(steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultName), 3)),'Vault name must be between 3-24 alphanumeric characters. The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens.','Vault name must only contain alphanumeric characters and dashes and cannot start with a number')]" - } - }, - { - "name": "keyVaultCustomIdentityKeyStoreDataSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the Identity KeyStore Data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultCustomIdentityKeyStorePassPhraseSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the passphrase for the Identity KeyStore", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." 
- } - }, - { - "name": "keyVaultCustomIdentityKeyStoreType", - "type": "Microsoft.Common.DropDown", - "visible": "true", - "label": "The Identity KeyStore type (JKS,PKCS12)", - "defaultValue": "JKS", - "toolTip": "One of the supported KeyStore types", - "constraints": { - "allowedValues": [ - { - "label": "JKS", - "value": "JKS" - }, - { - "label": "PKCS12", - "value": "PKCS12" - } - ], - "required": true - } - }, - { - "name": "keyVaultPrivateKeyAliasSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the Private Key Alias", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultPrivateKeyPassPhraseSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the passphrase for the Private Key", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultCustomTrustKeyStoreDataSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the Trust KeyStore Data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." 
- } - }, - { - "name": "keyVaultCustomTrustKeyStorePassPhraseSecretName", - "type": "Microsoft.Common.TextBox", - "visible": "true", - "label": "The name of the secret in the specified Key Vault whose value is the passphrase for the Trust KeyStore", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - } - }, - { - "name": "keyVaultCustomTrustKeyStoreType", - "type": "Microsoft.Common.DropDown", - "visible": "true", - "label": "The Trust KeyStore type (JKS,PKCS12)", - "defaultValue": "JKS", - "toolTip": "One of the supported KeyStore types", - "constraints": { - "allowedValues": [ - { - "label": "JKS", - "value": "JKS" - }, - { - "label": "PKCS12", - "value": "PKCS12" - } - ], - "required": true - } - } - ] } ] }, @@ -1373,14 +1148,6 @@ "name": "keyVaultText02", "type": "Microsoft.Common.TextBlock", "visible": true, - "options": { - "text": "    ⁃ Identify an Azure Key Vault: The Key Vault must already contain the certificate and its password stored as secrets." - } - }, - { - "name": "keyVaultText03", - "type": "Microsoft.Common.TextBlock", - "visible": true, "options": { "text": "    ⁃ Generate a self-signed front-end certificate: Generate a self-signed front-end certificate and apply it during deployment.", "link": { @@ -1404,10 +1171,6 @@ { "label": "Upload a TLS/SSL certificate", "value": "haveCert" - }, - { - "label": "Identify an Azure Key Vault", - "value": "haveKeyVault" } ], "required": true @@ -1415,7 +1178,7 @@ "visible": true }, { - "name": "keyVaultSSLCertData", + "name": "appGatewaySSLCertData", "type": "Microsoft.Common.FileUpload", "label": "Front-End TLS/SSL certificate(.pfx)", "toolTip": "TLS/SSL certificate used for App Gateway", 
@@ -1448,87 +1211,6 @@ }, "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]" }, - { - "name": "keyVaultBackendSSLCertData", - "type": "Microsoft.Common.FileUpload", - "label": "Trusted root certificate(.cer, .cert)", - "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL", - "constraints": { - "required": true, - "accept": ".cer, .cert" - }, - "options": { - "multiple": false, - "uploadMode": "file", - "openMode": "binary" - }, - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, not(equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')))]" - }, - { - "name": "keyVaultResourceGroup", - "type": "Microsoft.Common.TextBox", - "label": "Resource group name in current subscription containing the Key Vault", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z.\\-_()]{0,89}([a-z0-9A-Z\\-_()]{1}){3,63}$", - "validationMessage": "[if(greater(length(steps('section_appGateway').appgwIngress.keyVaultResourceGroup), 90),'Resource group names only allow up to 90 characters.', 'Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period.')]" - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultName", - "type": "Microsoft.Common.TextBox", - "label": "Name of the Azure Key Vault containing secrets for the certificate for TLS/SSL Termination", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^(?=.{3,24}$)[a-zA-Z](?!.*--)[a-zA-Z0-9-]*[a-zA-Z0-9]$", - "validationMessage": "[if(or(greater(length(steps('section_appGateway').appgwIngress.keyVaultName), 24), less(length(steps('section_appGateway').appgwIngress.keyVaultName), 3)),'Vault name must be between 3-24 alphanumeric 
characters. The name must begin with a letter, end with a letter or digit, and not contain consecutive hyphens.','Vault name must only contain alphanumeric characters and dashes and cannot start with a number')]" - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultSSLCertDataSecretName", - "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the front-end TLS/SSL certificate data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultSSLCertPasswordSecretName", - "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the password for the front-end TLS/SSL certificate", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." - }, - "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault')]" - }, - { - "name": "keyVaultBackendSSLCertDataSecretName", - "type": "Microsoft.Common.TextBox", - "label": "The name of the secret in the specified Key Vault whose value is the trusted root certificate data", - "defaultValue": "", - "toolTip": "Use only letters and numbers", - "constraints": { - "required": true, - "regex": "^[a-z0-9A-Z]{1,30}$", - "validationMessage": "The value must be 1-30 characters long and must only contain letters and numbers." 
- }, - "visible": "[and(steps('section_sslConfiguration').enableCustomSSL, equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveKeyVault'))]" - }, { "name": "enableCookieBasedAffinity", "type": "Microsoft.Common.CheckBox", @@ -2372,8 +2054,7 @@ "aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]", "aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]", "appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]", - "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]", - "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertData]", + "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertData]", "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]", "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]", "appgwForRemoteConsole": "[steps('section_appGateway').appgwIngress.appgwForAdminRemote]", 
@@ -2415,27 +2096,11 @@ "isSSOSupportEntitled": "[bool(steps('section_aks').imageInfo.isSSOSupportEntitled)]", "lbSvcValues": "[if(not(empty(first(if(empty(steps('section_appGateway').lbSVCInfo.lbSVC),parse('[{\"colName\":\"\"}]'), steps('section_appGateway').lbSVCInfo.lbSVC)).colName)),steps('section_appGateway').lbSVCInfo.lbSVC, parse('[]'))]", "location": "[location()]", - "keyVaultName": "[steps('section_appGateway').appgwIngress.keyVaultName]", - "keyVaultResourceGroup": "[steps('section_appGateway').appgwIngress.keyVaultResourceGroup]", - "keyVaultSSLBackendRootCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertDataSecretName]", - "keyVaultSSLCertDataSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertDataSecretName]", - "keyVaultSSLCertPasswordSecretName": "[steps('section_appGateway').appgwIngress.keyVaultSSLCertPasswordSecretName]", "hpaScaleType": "[steps('section_autoScaling').autoScalingInfo.kmsMetrics]", "managedServerPrefix": "[basics('basicsOptional').managedServerPrefix]", "newOrExistingVnetForApplicationGateway": "[steps('section_appGateway').appgwIngress.vnetForApplicationGateway.newOrExisting]", "ocrSSOPSW": "[steps('section_aks').imageInfo.ocrSSOPassword]", "ocrSSOUser": "[steps('section_aks').imageInfo.ocrSSOUserName]", - "sslConfigurationAccessOption": "[steps('section_sslConfiguration').sslConfigurationAccessOption]", - "sslKeyVaultCustomIdentityKeyStoreDataSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomIdentityKeyStoreDataSecretName]", - "sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomIdentityKeyStorePassPhraseSecretName]", - "sslKeyVaultCustomIdentityKeyStoreType": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomIdentityKeyStoreType]", - "sslKeyVaultCustomTrustKeyStoreDataSecretName": 
"[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomTrustKeyStoreDataSecretName]", - "sslKeyVaultCustomTrustKeyStorePassPhraseSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomTrustKeyStorePassPhraseSecretName]", - "sslKeyVaultCustomTrustKeyStoreType": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultCustomTrustKeyStoreType]", - "sslKeyVaultName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultName]", - "sslKeyVaultPrivateKeyAliasSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultPrivateKeyAliasSecretName]", - "sslKeyVaultPrivateKeyPassPhraseSecretName": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultPrivateKeyPassPhraseSecretName]", - "sslKeyVaultResourceGroup": "[steps('section_sslConfiguration').keyVaultStoredCustomSSLSettings.keyVaultResourceGroup]", "sslUploadedCustomIdentityKeyStoreData": "[steps('section_sslConfiguration').uploadedCustomSSLSettings.uploadedCustomIdentityKeyStoreData]", "sslUploadedCustomIdentityKeyStorePassphrase": "[steps('section_sslConfiguration').uploadedCustomSSLSettings.uploadedCustomIdentityKeyStorePassphrase]", "sslUploadedCustomIdentityKeyStoreType": "[steps('section_sslConfiguration').uploadedCustomSSLSettings.uploadedCustomIdentityKeyStoreType]", From 10496569692037b967f2fedcc5a62caa470d48dc Mon Sep 17 00:00:00 2001 
From: galiacheng Date: Wed, 5 Feb 2025 14:38:00 +0800 Subject: [PATCH 21/32] remove key vault --- .../src/main/arm/createUiDefinition.json | 17 ++ .../src/main/bicep/mainTemplate.bicep | 175 +++--------------- .../src/main/bicep/modules/_appGateway.bicep | 66 ++++--- .../_keyvaultForGatewayBackendCert.bicep | 57 ------ .../_keyvault/_keyvaultForWLSSSLCert.bicep | 116 ------------ .../_keyvaultGetListAccessPolicy.bicep | 34 ---- .../_keyvault/_keyvaultWithExistingCert.bicep | 76 -------- .../_keyvault/_keyvaultWithNewCert.bicep | 1 + .../_keyvaultForGateway.bicep | 102 ---------- .../bicep/modules/_globalUamiAndRoles.bicep | 46 ----- 10 files changed, 80 insertions(+), 610 deletions(-) delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep delete mode 100644 weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json index 721784536..b34dee1e9 100644 --- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json +++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json 
@@ -1211,6 +1211,22 @@ }, "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]" }, + { + "name": "keyVaultBackendSSLCertData", + "type": "Microsoft.Common.FileUpload", + "label": "Trusted root certificate(.cer, .cert)", + "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL", + "constraints": { + "required": true, + "accept": ".cer, .cert" + }, + "options": { + "multiple": false, + "uploadMode": "file", + "openMode": "binary" + }, + "visible": "[steps('section_sslConfiguration').enableCustomSSL]" + }, { "name": "enableCookieBasedAffinity", "type": "Microsoft.Common.CheckBox", @@ -2054,6 +2070,7 @@ "aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]", "aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]", "appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]", + "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]", "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertData]", "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]", "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]", diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index dc7577acb..279596feb 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep @@ -52,7 +52,6 @@ param aksClusterName string = 'aks-contoso' param aksVersion string = 'default' @allowed([ 'haveCert' - 'haveKeyVault' 'generateCert' ]) @description('Three scenarios we support for deploying app gateway') 
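Review bot: The new FileUpload control is named `keyVaultBackendSSLCertData` even though this patch removes Key Vault from the offer and the uploaded bytes are mapped straight into the `appGatewaySSLBackendRootCertData` template parameter, so the name will mislead the next maintainer into looking for a vault that no longer exists. Rename it to match the parameter it feeds, `"name": "appGatewaySSLBackendRootCertData",`, and update the outputs mapping accordingly. Since the control is hidden unless `enableCustomSSL` is set, it is also worth a one-line comment in the outputs section noting that the value is a placeholder (not a certificate) whenever custom SSL is off, because the template side defaults the parameter to a random string.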
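Review bot: After dropping `'haveKeyVault'` from the `@allowed` list only two values remain, so the decorator `@description('Three scenarios we support for deploying app gateway')` on the last line of the hunk is now stale. Replace it with `@description('Two scenarios we support for the Application Gateway frontend certificate: haveCert (upload a PFX) or generateCert (self-signed certificate created in a new Key Vault)')`, which also documents where the auto-generated certificate ends up. The `param appGatewayCertificateOption` line that this decorator applies to is just outside the hunk.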
@@ -60,9 +59,9 @@ param appGatewayCertificateOption string = 'haveCert'
 @description('Public IP Name for the Application Gateway')
 param appGatewayPublicIPAddressName string = 'gwip'
 @description('The one-line, base64 string of the backend SSL root certificate data.')
-param appGatewaySSLBackendRootCertData string = 'appgw-ssl-backend-data'
+param appGatewaySSLBackendRootCertData string = newGuid()
 @description('The one-line, base64 string of the SSL certificate data.')
-param appGatewaySSLCertData string = 'appgw-ssl-data'
+param appGatewaySSLCertData string = newGuid()
 @secure()
 @description('The value of the password for the SSL Certificate')
 param appGatewaySSLCertPassword string = newGuid()
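Review bot: `appGatewaySSLCertData` is the base64 frontend PFX, which carries the gateway's private key, yet it is declared without `@secure()` while its password directly below is secure and the module parameter it is forwarded to (`sslCertData` in `_appGateway.bicep`) is also `@secure()`; as a non-secure top-level parameter its value is stored in clear in the deployment history and returned by deployment-operation queries for the lifetime of the resource group. Add `@secure()` above `param appGatewaySSLCertData string = newGuid()` (the Bicep `secure-parameter-default` rule explicitly tolerates a `newGuid()` default), and for consistency with the module do the same for `appGatewaySSLBackendRootCertData` even though a root certificate is public material. The `newGuid()` defaults also mean a deployment that forgets to supply certificate data only fails when Application Gateway rejects the blob rather than at input validation; whether `_ds-validate-parameters.bicep` now checks these values cannot be seen from this hunk, so please confirm it does.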
@@ -158,18 +157,6 @@ param hpaScaleType string = 'cpu' param isSSOSupportEntitled bool = false @description('JNDI Name for JDBC Datasource') param jdbcDataSourceName string = 'jdbc/contoso' -@description('Existing Key Vault Name that stores certificate of Application Gateway backend TLS/SSL.') -param keyVaultName string = 'kv-contoso' -@description('Resource group name in current subscription containing the KeyVault that stores certificate of Application Gateway backend TLS/SSL.') -param keyVaultResourceGroup string = 'kv-contoso-rg' -@description('Price tier for Key Vault.') -param keyVaultSku string = 'Standard' -@description('The name of the secret in the specified KeyVault whose value is the SSL Root Certificate Data for Appliation Gateway backend TLS/SSL.') -param keyVaultSSLBackendRootCertDataSecretName string = 'kv-ssl-backend-data' -@description('The name of the secret in the specified KeyVault whose value is the SSL Certificate Data for Appliation Gateway frontend TLS/SSL.') -param keyVaultSSLCertDataSecretName string = 'kv-ssl-data' -@description('The name of the secret in the specified KeyVault whose value is the password for the SSL Certificate of Appliation Gateway frontend TLS/SSL') -param keyVaultSSLCertPasswordSecretName string = 'kv-ssl-psw' param location string @description('Object array to define Load Balancer service, each object must include service name, service target[admin-server or cluster-1], port.') param lbSvcValues array = [] 
@@ -182,40 +169,6 @@ param newOrExistingVnetForApplicationGateway string = 'new' param ocrSSOPSW string = newGuid() @description('User name of Oracle SSO account.') param ocrSSOUser string = 'null' -@allowed([ - 'uploadConfig' - 'keyVaultStoredConfig' -]) -@description('Two scenarios to refer to WebLogic Server TLS/SSL certificates.') -param sslConfigurationAccessOption string = 'uploadConfig' -@description('Secret name in KeyVault containing Weblogic Custom Identity Keystore Data') -param sslKeyVaultCustomIdentityKeyStoreDataSecretName string = 'kv-wls-identity-data' -@description('Secret name in KeyVault containing Weblogic Custom Identity Keystore Passphrase') -param sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName string = 'kv-wls-identity-psw' -@description('Weblogic Custom Identity Keystore type') -@allowed([ - 'JKS' - 'PKCS12' -]) -param sslKeyVaultCustomIdentityKeyStoreType string = 'PKCS12' -@description('Secret name in KeyVault containing Weblogic Custom Trust Store Data') -param sslKeyVaultCustomTrustKeyStoreDataSecretName string = 'kv-wls-trust-data' -@description('Secret name in KeyVault containing Weblogic Custom Trust Store Passphrase') -param sslKeyVaultCustomTrustKeyStorePassPhraseSecretName string = 'kv-wls-trust-psw' -@description('WWeblogic Custom Trust Store type') -@allowed([ - 'JKS' - 'PKCS12' -]) -param sslKeyVaultCustomTrustKeyStoreType string = 'PKCS12' -@description('Resource group containing Weblogic SSL certificates') -param sslKeyVaultName string = 'kv-wls-ssl-name' -@description('Secret name in KeyVault containing Weblogic Server private key alias') -param sslKeyVaultPrivateKeyAliasSecretName string = 'contoso' -@description('Secret name in KeyVault containing Weblogic Server private key passphrase') -param sslKeyVaultPrivateKeyPassPhraseSecretName string = 'kv-wls-ssl-alias' -@description('Keyvault name containing Weblogic SSL certificates') -param sslKeyVaultResourceGroup string = 'rg-kv-wls-ssl-name' @description('Custom 
Identity Store Data') @secure() param sslUploadedCustomIdentityKeyStoreData string = newGuid() @@ -331,11 +284,8 @@ var _objTagsByResource = { '${identifier.workspaces}': contains(tagsByResource, '${identifier.workspaces}') ? tagsByResource['${identifier.workspaces}'] : json('{}') '${identifier.deploymentScripts}': contains(tagsByResource, '${identifier.deploymentScripts}') ? tagsByResource['${identifier.deploymentScripts}'] : json('{}') } -var _useExistingAppGatewaySSLCertificate = (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveCert) ? true : false - var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSufix}' : aksClusterName var const_appGatewaySSLCertOptionHaveCert = 'haveCert' -var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault' var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSufix) var const_acrName = (createACR) ? 'acrwlsaks${const_globalResourceNameSufix}' : acrName var const_azcliVersion = '2.53.0' 
@@ -348,30 +298,19 @@ var const_enableNetworking = (length(lbSvcValues) > 0) || enableAppGWIngress var const_enablePV = enableCustomSSL || enableAzureFileShare var const_fileShareName = 'weblogic-${const_globalResourceNameSufix}' var const_globalResourceNameSufix = '${uniqueString(utcValue)}' -var const_identityKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreType : sslUploadedCustomIdentityKeyStoreType var const_nsgName = 'wls-aks-nsg-${const_globalResourceNameSufix}' var const_showAdminConsoleExUrl = (length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForAdminServer) var const_showRemoteAdminConsoleExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && !enableCustomSSL var const_showRemoteAdminConsoleSecuredExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && enableCustomSSL -var const_trustKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreType : sslUploadedCustomTrustKeyStoreType var const_wlsClusterName = 'cluster-1' var const_wlsJavaOptions = wlsJavaOption == '' ? 'null' : wlsJavaOption -var const_wlsSSLCertOptionKeyVault = 'keyVaultStoredConfig' var name_appgwFrontendSSLCertName = 'appGatewaySslCert' var name_appgwBackendRootCertName = 'appGatewayTrustedRootCert' var name_defaultPidDeployment = 'pid' var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${const_globalResourceNameSufix}' var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63) -var name_identityKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreDataSecretName : 'myIdentityKeyStoreData' -var name_identityKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? 
sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName : 'myIdentityKeyStorePsw' -var name_keyVaultName = '${take('wls-kv${const_globalResourceNameSufix}', 24)}' -var name_privateKeyAliasSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyAliasSecretName : 'privateKeyAlias' -var name_privateKeyPswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyPassPhraseSecretName : 'privateKeyPsw' var name_rgNameWithoutSpecialCharacter = replace(replace(replace(replace(resourceGroup().name, '.', ''), '(', ''), ')', ''), '_', '') // remove . () _ from resource group name -var name_rgKeyvaultForWLSSSL = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultResourceGroup : resourceGroup().name var name_storageAccountName = 'wls${const_globalResourceNameSufix}' -var name_trustKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreDataSecretName : 'myTrustKeyStoreData' -var name_trustKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStorePassPhraseSecretName : 'myTrustKeyStorePsw' var ref_wlsDomainDeployment = _enableCustomSSL ? wlsDomainWithCustomSSLDeployment : wlsDomainDeployment var obj_uamiForDeploymentScript = { type: 'UserAssigned' 
@@ -396,15 +335,6 @@ module partnerCenterPid './modules/_pids/_empty.bicep' = { module uamiDeployment 'modules/_globalUamiAndRoles.bicep' = { name: 'uami-deployment' params: { - _globalResourceNameSufix: const_globalResourceNameSufix - enableCustomSSL: enableCustomSSL - sslConfigurationAccessOption: sslConfigurationAccessOption - sslKeyVaultName: sslKeyVaultName - sslKeyVaultResourceGroup: sslKeyVaultResourceGroup - enableAppGWIngress: enableAppGWIngress - appGatewayCertificateOption: appGatewayCertificateOption - keyVaultName: keyVaultName - keyVaultResourceGroup: keyVaultResourceGroup location: location tagsByResource: _objTagsByResource } 
@@ -447,26 +377,11 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep enableAppGWIngress: enableAppGWIngress enableCustomSSL: enableCustomSSL enableDNSConfiguration: enableDNSConfiguration - keyVaultName: keyVaultName - keyVaultResourceGroup: keyVaultResourceGroup - keyVaultSSLCertDataSecretName: keyVaultSSLCertDataSecretName - keyVaultSSLCertPasswordSecretName: keyVaultSSLCertPasswordSecretName identity: obj_uamiForDeploymentScript isSSOSupportEntitled: isSSOSupportEntitled location: location ocrSSOPSW: ocrSSOPSW ocrSSOUser: ocrSSOUser - sslConfigurationAccessOption: sslConfigurationAccessOption - sslKeyVaultCustomIdentityKeyStoreDataSecretName: sslKeyVaultCustomIdentityKeyStoreDataSecretName - sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName: sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName - sslKeyVaultCustomIdentityKeyStoreType: sslKeyVaultCustomIdentityKeyStoreType - sslKeyVaultCustomTrustKeyStoreDataSecretName: sslKeyVaultCustomTrustKeyStoreDataSecretName - sslKeyVaultCustomTrustKeyStorePassPhraseSecretName: sslKeyVaultCustomTrustKeyStorePassPhraseSecretName - sslKeyVaultCustomTrustKeyStoreType: sslKeyVaultCustomTrustKeyStoreType - sslKeyVaultName: sslKeyVaultName - sslKeyVaultPrivateKeyAliasSecretName: sslKeyVaultPrivateKeyAliasSecretName - sslKeyVaultPrivateKeyPassPhraseSecretName: sslKeyVaultPrivateKeyPassPhraseSecretName - sslKeyVaultResourceGroup: sslKeyVaultResourceGroup sslUploadedCustomIdentityKeyStoreData: sslUploadedCustomIdentityKeyStoreData sslUploadedCustomIdentityKeyStorePassphrase: sslUploadedCustomIdentityKeyStorePassphrase sslUploadedCustomIdentityKeyStoreType: sslUploadedCustomIdentityKeyStoreType 
@@ -491,56 +406,17 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep ] } -module wlsSSLCertSecretsDeployment 'modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep' = if (enableCustomSSL && sslConfigurationAccessOption != const_wlsSSLCertOptionKeyVault) { - name: 'upload-wls-ssl-cert-to-keyvault' +module autoGeneratedSSLCert './_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep' = if (enableAppGWIngress && appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveCert) { + name: 'auto-generated-ssl-cert-for-app-gateway' params: { - keyVaultName: name_keyVaultName + _globalResourceNameSufix: _globalResourceNameSufix location: location - sku: keyVaultSku - tagsByResource: _objTagsByResource - wlsIdentityKeyStoreData: sslUploadedCustomIdentityKeyStoreData - wlsIdentityKeyStoreDataSecretName: name_identityKeyStoreDataSecret - wlsIdentityKeyStorePassphrase: sslUploadedCustomIdentityKeyStorePassphrase - wlsIdentityKeyStorePassphraseSecretName: name_identityKeyStorePswSecret - wlsPrivateKeyAlias: sslUploadedPrivateKeyAlias - wlsPrivateKeyAliasSecretName: name_privateKeyAliasSecret - wlsPrivateKeyPassPhrase: sslUploadedPrivateKeyPassPhrase - wlsPrivateKeyPassPhraseSecretName: name_privateKeyPswSecret - wlsTrustKeyStoreData: sslUploadedCustomTrustKeyStoreData - wlsTrustKeyStoreDataSecretName: name_trustKeyStoreDataSecret - wlsTrustKeyStorePassPhrase: sslUploadedCustomTrustKeyStorePassPhrase - wlsTrustKeyStorePassPhraseSecretName: name_trustKeyStorePswSecret - } - dependsOn: [ - validateInputs - ] -} - -// get key vault object in a resource group -resource sslKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = if (enableCustomSSL) { - name: (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? 
sslKeyVaultName : name_keyVaultName - scope: resourceGroup(name_rgKeyvaultForWLSSSL) -} - -module appgwSecretDeployment 'modules/_azure-resoruces/_keyvaultForGateway.bicep' = if (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)) { - name: 'appgateway-certificates-secrets-deployment' - params: { - _globalResourceNameSufix: const_globalResourceNameSufix - backendCertificateDataValue: appGatewaySSLBackendRootCertData - certificateDataValue: appGatewaySSLCertData - certificatePasswordValue: appGatewaySSLCertPassword - enableCustomSSL: enableCustomSSL - identity: obj_uamiForDeploymentScript - location: location - sku: keyVaultSku subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName) - useExistingAppGatewaySSLCertificate: _useExistingAppGatewaySSLCertificate - keyVaultName: name_keyVaultName - tagsByResource: _objTagsByResource + tagsByResource: tagsByResource } dependsOn: [ - wlsSSLCertSecretsDeployment - ] + pidAppgwStart + ] } // To void space overlap with AKS Vnet, must deploy the Applciation Gateway VNet before AKS deployment. 
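Review bot: The new `autoGeneratedSSLCert` module declaration does not match the rest of mainTemplate.bicep and is unlikely to compile as written: its path `'./_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep'` omits the `modules/` prefix that every sibling module (`modules/_appGateway.bicep`, `modules/_globalUamiAndRoles.bicep`) uses, and `_globalResourceNameSufix: _globalResourceNameSufix` references a name this file never defines (the variable is `const_globalResourceNameSufix`, as used a few lines earlier for the public IP name). It also passes `tagsByResource: tagsByResource` rather than `_objTagsByResource`, bypassing the per-resource-type defaulting the other modules rely on, so a caller that omits the `vaults` key will hit an index error inside the module. The suggested lines are `module autoGeneratedSSLCert 'modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep' = if (...) {`, `_globalResourceNameSufix: const_globalResourceNameSufix` and `tagsByResource: _objTagsByResource`. Finally `dependsOn: [ pidAppgwStart ]` names a module that is not visible in mainTemplate (the pid deployments are reached here through `pids.outputs`), which looks copied from `_appGateway.bicep`; verify it resolves or drop it.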
@@ -550,29 +426,28 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress _pidAppgwEnd: pids.outputs.appgwEnd == '' ? name_defaultPidDeployment : pids.outputs.appgwEnd _pidAppgwStart: pids.outputs.appgwStart == '' ? name_defaultPidDeployment : pids.outputs.appgwStart _pidAppgwWithCustomCert: pids.outputs.customCertForAppgw == '' ? name_defaultPidDeployment : pids.outputs.customCertForAppgw + appgwCertificateOption: appGatewayCertificateOption appgwName: 'appgw${const_globalResourceNameSufix}' appgwPublicIPAddressName: const_appGatewayPublicIPAddressName + appgwSSLBackendRootCertData: appGatewaySSLBackendRootCertData appgwUsePrivateIP: appgwUsePrivateIP - appgwSslCertName: name_appgwFrontendSSLCertName - appgwTrustedRootCertName: name_appgwBackendRootCertName azCliVersion: const_azcliVersion dnsNameforApplicationGateway: name_domainLabelforApplicationGateway enableCustomSSL: enableCustomSSL - identity: obj_uamiForDeploymentScript - keyVaultName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultName : appgwSecretDeployment.outputs.keyVaultName - keyVaultResourceGroup: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultResourceGroup : resourceGroup().name - keyvaultBackendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLBackendRootCertDataSecretName : appgwSecretDeployment.outputs.sslBackendCertDataSecretName - keyvaultFrontendCertDataSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? keyVaultSSLCertDataSecretName : appgwSecretDeployment.outputs.sslCertDataSecretName - keyvaultFrontendCertPswSecretName: (!enableAppGWIngress || (appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveKeyVault)) ? 
keyVaultSSLCertPasswordSecretName : appgwSecretDeployment.outputs.sslCertPwdSecretName + identity: obj_uamiForDeploymentScript nsgName: const_nsgName location: location newOrExistingVnetForApplicationGateway: newOrExistingVnetForApplicationGateway + sslCertData: appGatewaySSLCertData + sslCertificateDeploymentName: name_appgwFrontendSSLCertName + sslCertPswData: appGatewaySSLCertPassword + trustedRootCertificateDeploymentName: name_appgwBackendRootCertName vnetForApplicationGateway: vnetForApplicationGateway vnetRGNameForApplicationGateway: vnetRGNameForApplicationGateway tagsByResource: _objTagsByResource } dependsOn: [ - appgwSecretDeployment + autoGeneratedSSLCert ] } 
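Review bot: This call site no longer passes anything for the vault that holds the auto-generated frontend certificate, but the reworked `_appGateway.bicep` in this same patch declares `autoGeneratedSSLCertKeyVaultName` and `autoGeneratedSSLCertSecretName` with no defaults, so the template fails to compile until they are wired up. On the generateCert path they should be taken from the `autoGeneratedSSLCert` module's outputs and guarded for the haveCert path where that module is not deployed, e.g. `autoGeneratedSSLCertKeyVaultName: appGatewayCertificateOption == const_appGatewaySSLCertOptionHaveCert ? '' : autoGeneratedSSLCert.outputs.keyVaultName` (the module's actual output names are not visible here, so adjust to what `_keyvaultWithNewCert.bicep` exposes). Once the outputs are referenced the explicit `dependsOn: [ autoGeneratedSSLCert ]` becomes redundant and can go.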
@@ -703,22 +578,22 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i wlsCPU: wlsCPU wlsDomainName: wlsDomainName wlsDomainUID: wlsDomainUID - wlsIdentityKeyStoreData: sslKeyvault.getSecret(name_identityKeyStoreDataSecret) - wlsIdentityKeyStorePassphrase: sslKeyvault.getSecret(name_identityKeyStorePswSecret) - wlsIdentityKeyStoreType: const_identityKeyStoreType + wlsIdentityKeyStoreData: sslUploadedCustomIdentityKeyStoreData + wlsIdentityKeyStorePassphrase: sslUploadedCustomIdentityKeyStorePassphrase + wlsIdentityKeyStoreType: sslUploadedCustomIdentityKeyStoreType wlsImageTag: wlsImageTag wlsJavaOption: const_wlsJavaOptions wlsMemory: wlsMemory wlsPassword: wlsPassword - wlsPrivateKeyAlias: sslKeyvault.getSecret(name_privateKeyAliasSecret) - wlsPrivateKeyPassPhrase: sslKeyvault.getSecret(name_privateKeyPswSecret) - wlsTrustKeyStoreData: sslKeyvault.getSecret(name_trustKeyStoreDataSecret) - wlsTrustKeyStorePassPhrase: sslKeyvault.getSecret(name_trustKeyStorePswSecret) - wlsTrustKeyStoreType: const_trustKeyStoreType + wlsPrivateKeyAlias: sslUploadedPrivateKeyAlias + wlsPrivateKeyPassPhrase: sslUploadedPrivateKeyPassPhrase + wlsTrustKeyStoreData: sslUploadedCustomTrustKeyStoreData + wlsTrustKeyStorePassPhrase: sslUploadedCustomTrustKeyStorePassPhrase + wlsTrustKeyStoreType: sslUploadedCustomTrustKeyStoreType wlsUserName: wlsUserName } dependsOn: [ - wlsSSLCertSecretsDeployment + validateInputs ] } diff --git a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep index 9499b5cfb..3c35a64ce 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_appGateway.bicep 
@@ -4,23 +4,32 @@ param _pidAppgwEnd string = 'pid-networking-appgateway-end' param _pidAppgwStart string = 'pid-networking-appgateway-start' param _pidAppgwWithCustomCert string = 'pid-networking-appgateway-with-custom-certificate' +@allowed([ + 'haveCert' + 'generateCert' +]) +param appgwCertificateOption string param appgwName string param appgwPublicIPAddressName string +@secure() +param appgwSSLBackendRootCertData string param appgwUsePrivateIP bool -param appgwSslCertName string = 'appGatewaySslCert' -param appgwTrustedRootCertName string = 'appGatewayTrustedRootCert' param azCliVersion string = '' +param autoGeneratedSSLCertKeyVaultName string +param autoGeneratedSSLCertSecretName string param dnsNameforApplicationGateway string = 'wlsgw' param enableCustomSSL bool param identity object = {} -param keyVaultName string = 'kv-contoso' -param keyVaultResourceGroup string = 'kv-contoso-rg' -param keyvaultBackendCertDataSecretName string = 'kv-ssl-backend-data' -param keyvaultFrontendCertDataSecretName string = 'kv-ssl-frontend-data' -param keyvaultFrontendCertPswSecretName string = 'kv-ssl-frontend-psw' param nsgName string param location string param newOrExistingVnetForApplicationGateway string +@secure() +param sslCertData string +param sslCertificateDeploymentName string +@secure() +param sslCertPswData string +param trustedRootCertificateDeploymentName string +@secure() param vnetForApplicationGateway object param vnetRGNameForApplicationGateway string @description('${label.tagsLabel}') 
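Review bot: The last added `@secure()` in this hunk lands on the pre-existing `param vnetForApplicationGateway object`, which is the caller's VNet configuration, not a secret; marking it secure hides it from deployment history and what-if output, and the linter will refuse any later attempt to surface it in an output. It looks like a misplaced decorator meant for the certificate parameters above it, so delete that line. Separately, `param autoGeneratedSSLCertKeyVaultName string` and `param autoGeneratedSSLCertSecretName string` are only meaningful when `appgwCertificateOption == 'generateCert'` but have no defaults, so every haveCert caller must still invent values; give them `= ''` defaults and document that they are ignored unless a certificate is generated.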
@@ -28,10 +37,10 @@ param tagsByResource object // To mitigate arm-ttk error: Type Mismatch: Parameter in nested template is defined as string, but the parent template defines it as bool. var _appgwUsePrivateIP = appgwUsePrivateIP -var _selfSignedFrontendCertAndNoBackendCert = empty(keyvaultFrontendCertPswSecretName) && !enableCustomSSL -var _selfSignedFrontendCertAndBackendCert = empty(keyvaultFrontendCertPswSecretName) && enableCustomSSL -var _signedFrontendCertAndNoBackendCert = !empty(keyvaultFrontendCertPswSecretName) && !enableCustomSSL -var _signedFrontendCertAndBackendCert = !empty(keyvaultFrontendCertPswSecretName) && enableCustomSSL +var _selfSignedFrontendCertAndNoBackendCert = appgwCertificateOption == 'generateCert' && !enableCustomSSL +var _selfSignedFrontendCertAndBackendCert = appgwCertificateOption == 'generateCert' && enableCustomSSL +var _signedFrontendCertAndNoBackendCert = appgwCertificateOption == 'haveCert' && !enableCustomSSL +var _signedFrontendCertAndBackendCert = appgwCertificateOption == 'haveCert' && enableCustomSSL var const_null = 'null' // To mitigate arm-ttk error: Parameter-Types-Should-Be-Consistent var name_gatewayDeploymentPrefix = 'app-gateway-deployment-' var ref_gatewayDeployment = _selfSignedFrontendCertAndNoBackendCert ? appgwDeployment1 : (_selfSignedFrontendCertAndBackendCert ? appgwDeployment2 : _signedFrontendCertAndNoBackendCert ? appgwDeployment3 : appgwDeployment4) @@ -51,8 +60,7 @@ module pidAppgwWithCustomCertificate './_pids/_pid.bicep' = if (_signedFrontendC // get key vault object from a resource group resource existingKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = { - name: keyVaultName - scope: resourceGroup(keyVaultResourceGroup) + name: autoGeneratedSSLCertKeyVaultName } module networkDeployment '_azure-resoruces/_vnetAppGateway.bicep' = { 
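Review bot: `existingKeyvault` is now declared unconditionally with the name from `autoGeneratedSSLCertKeyVaultName`, but on the haveCert path the caller never creates that vault (its `autoGeneratedSSLCert` module is conditional), so the `existing` declaration points at a resource that does not exist. Only `appgwDeployment1` and `appgwDeployment2` call `getSecret` on it, so this probably only surfaces if ARM evaluates parameters of a skipped conditional nested deployment, but it is cleaner and self-documenting to make the declaration conditional: `resource existingKeyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = if (appgwCertificateOption == 'generateCert') {`. The comment above it, `// get key vault object from a resource group`, is also stale now that the `scope` was dropped; `// Key Vault created by the caller in this resource group when the frontend certificate is auto-generated` says what the code does.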
@@ -91,11 +99,11 @@ module appgwDeployment1 '_azure-resoruces/_appgateway.bicep' = if (_selfSignedFr gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway - gatewaySslCertName: appgwSslCertName - gatewayTrustedRootCertName: appgwTrustedRootCertName + gatewaySslCertName: sslCertificateDeploymentName + gatewayTrustedRootCertName: trustedRootCertificateDeploymentName location: location noSslCertPsw: true - sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName) + sslCertData: existingKeyvault.getSecret(autoGeneratedSSLCertSecretName) sslCertPswData: const_null staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : '' trustedRootCertData: const_null @@ -115,14 +123,14 @@ module appgwDeployment2 '_azure-resoruces/_appgateway.bicep' = if (_selfSignedFr gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway - gatewaySslCertName: appgwSslCertName - gatewayTrustedRootCertName: appgwTrustedRootCertName + gatewaySslCertName: sslCertificateDeploymentName + gatewayTrustedRootCertName: trustedRootCertificateDeploymentName location: location noSslCertPsw: true - sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName) + sslCertData: existingKeyvault.getSecret(autoGeneratedSSLCertSecretName) sslCertPswData: const_null staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : '' - trustedRootCertData: existingKeyvault.getSecret(keyvaultBackendCertDataSecretName) + trustedRootCertData: appgwSSLBackendRootCertData usePrivateIP: appgwUsePrivateIP tagsByResource: tagsByResource } 
@@ -139,11 +147,11 @@ module appgwDeployment3 '_azure-resoruces/_appgateway.bicep' = if (_signedFronte gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway - gatewaySslCertName: appgwSslCertName - gatewayTrustedRootCertName: appgwTrustedRootCertName + gatewaySslCertName: sslCertificateDeploymentName + gatewayTrustedRootCertName: trustedRootCertificateDeploymentName location: location - sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName) - sslCertPswData: existingKeyvault.getSecret(keyvaultFrontendCertPswSecretName) + sslCertData: sslCertData + sslCertPswData: sslCertPswData staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : '' trustedRootCertData: const_null usePrivateIP: appgwUsePrivateIP @@ -162,13 +170,13 @@ module appgwDeployment4 '_azure-resoruces/_appgateway.bicep' = if (_signedFronte gatewayName: appgwName gatewayPublicIPAddressName: appgwPublicIPAddressName gatewaySubnetId: networkDeployment.outputs.subIdForApplicationGateway - gatewaySslCertName: appgwSslCertName - gatewayTrustedRootCertName: appgwTrustedRootCertName + gatewaySslCertName: sslCertificateDeploymentName + gatewayTrustedRootCertName: trustedRootCertificateDeploymentName location: location - sslCertData: existingKeyvault.getSecret(keyvaultFrontendCertDataSecretName) - sslCertPswData: existingKeyvault.getSecret(keyvaultFrontendCertPswSecretName) + sslCertData: sslCertData + sslCertPswData: sslCertPswData staticPrivateFrontentIP: _appgwUsePrivateIP ? queryPrivateIPFromSubnet.outputs.privateIP : '' - trustedRootCertData: existingKeyvault.getSecret(keyvaultBackendCertDataSecretName) + trustedRootCertData: appgwSSLBackendRootCertData usePrivateIP: appgwUsePrivateIP tagsByResource: tagsByResource } 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep deleted file mode 100644 index 77e495329..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForGatewayBackendCert.bicep +++ /dev/null 
@@ -1,57 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -@description('Secret name of certificate data.') -param certificateDataName string = newGuid() - -@description('Certificate data to store in the secret') -param certificateDataValue string = newGuid() - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true - -@description('Name of the vault') -param keyVaultName string - -param location string - -@description('Price tier for Key Vault.') -param sku string = 'Standard' - -@description('${label.tagsLabel}') -param tagsByResource object - -param utcValue string = utcNow() - -var obj_extraTag= { - 'created-by-azure-weblogic': utcValue -} - -resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location - properties: { - accessPolicies: [] - enabledForTemplateDeployment: enabledForTemplateDeployment - sku: { - name: sku - family: 'A' - } - tenantId: subscription().tenantId - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) -} - -resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${certificateDataName}' - properties: { - value: certificateDataValue - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) - dependsOn: [ - keyvault - ] -} - -output keyVaultName string = keyVaultName -output sslBackendCertDataSecretName string = certificateDataName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep deleted file mode 100644 index 93893d289..000000000 
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultForWLSSSLCert.bicep +++ /dev/null 
@@ -1,116 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true -@description('Name of the vault') -param keyVaultName string -param location string -@description('Price tier for Key Vault.') -param sku string = 'Standard' -@description('${label.tagsLabel}') -param tagsByResource object -param utcValue string = utcNow() -@secure() -param wlsIdentityKeyStoreData string = newGuid() -param wlsIdentityKeyStoreDataSecretName string = 'myIdentityKeyStoreData' -@secure() -param wlsIdentityKeyStorePassphrase string = newGuid() -param wlsIdentityKeyStorePassphraseSecretName string = 'myIdentityKeyStorePsw' -@secure() -param wlsPrivateKeyAlias string = newGuid() -param wlsPrivateKeyAliasSecretName string = 'privateKeyAlias' -@secure() -param wlsPrivateKeyPassPhrase string = newGuid() -param wlsPrivateKeyPassPhraseSecretName string = 'privateKeyPsw' -@secure() -param wlsTrustKeyStoreData string = newGuid() -param wlsTrustKeyStoreDataSecretName string = 'myTrustKeyStoreData' -@secure() -param wlsTrustKeyStorePassPhrase string = newGuid() -param wlsTrustKeyStorePassPhraseSecretName string = 'myTrustKeyStorePsw' - -var obj_extraTag= { - 'created-by-azure-weblogic': utcValue -} - -resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location - properties: { - accessPolicies: [] - enabledForTemplateDeployment: enabledForTemplateDeployment - sku: { - name: sku - family: 'A' - } - tenantId: subscription().tenantId - } - tags: union(tagsByResource['${identifier.vaults}'],obj_extraTag) -} - -resource identityKeyStoreDataSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: 
'${keyVaultName}/${wlsIdentityKeyStoreDataSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsIdentityKeyStoreData - } - dependsOn: [ - keyvault - ] -} - -resource identityKeyStorePswSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsIdentityKeyStorePassphraseSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsIdentityKeyStorePassphrase - } - dependsOn: [ - keyvault - ] -} - -resource privateKeyAliasSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsPrivateKeyAliasSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsPrivateKeyAlias - } - dependsOn: [ - keyvault - ] -} - -resource privateKeyPswSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsPrivateKeyPassPhraseSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsPrivateKeyPassPhrase - } - dependsOn: [ - keyvault - ] -} - -resource trustKeyStoreDataSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsTrustKeyStoreDataSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsTrustKeyStoreData - } - dependsOn: [ - keyvault - ] -} - -resource trustKeyStorePswSecret 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: '${keyVaultName}/${wlsTrustKeyStorePassPhraseSecretName}' - tags: tagsByResource['${identifier.vaults}'] - properties: { - value: wlsTrustKeyStorePassPhrase - } - dependsOn: [ - keyvault - ] -} 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep deleted file mode 100644 index 546c5dfca..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep +++ /dev/null @@ -1,34 +0,0 @@ -/* - Copyright (c) 2021, 2025 Oracle and/or its affiliates. -Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -*/ - -// This script is to update existing keyvault with access policy for global uami. -// And enable template deployment for the keyvault. - -param keyVault object -param principalId string - -var obj_permission = { - secrets: [ - 'get' - 'list' - ] -} - -resource updateExistingKeyVault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVault.name - location: keyVault.location - sku: keyVault.sku - properties: { - accessPolicies: [ - { - objectId: principalId - tenantId: subscription().tenantId - permissions: obj_permission - } - ] - enabledForTemplateDeployment: true - enableRbacAuthorization: false - } -} diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep deleted file mode 100644 index 155c97432..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithExistingCert.bicep +++ /dev/null 
@@ -1,76 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. - -@description('Secret name of certificate data.') -param certificateDataName string = 'myIdentityKeyStoreData' - -@description('Certificate data to store in the secret') -param certificateDataValue string = newGuid() - -@description('Secret name of certificate password.') -param certificatePswSecretName string = 'myIdentityKeyStorePsw' - -@secure() -@description('Certificate password to store in the secret') -param certificatePasswordValue string = newGuid() - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true - -@description('Name of the vault') -param keyVaultName string = 'kv-contoso' - -param location string - -@description('Price tier for Key Vault.') -param sku string = 'Standard' - -@description('${label.tagsLabel}') -param tagsByResource object - -param utcValue string = utcNow() - -var obj_extraTag= { - 'created-by-azure-weblogic': utcValue -} - -resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { - name: keyVaultName - location: location - properties: { - accessPolicies: [] - enabledForTemplateDeployment: enabledForTemplateDeployment - sku: { - name: sku - family: 'A' - } - tenantId: subscription().tenantId - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) -} - -resource secretForCertificate 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVault}' = { - name: '${keyVaultName}/${certificateDataName}' - properties: { - value: certificateDataValue - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) - dependsOn: [ - keyvault - ] -} - -resource secretForCertPassword 'Microsoft.KeyVault/vaults/secrets@${azure.apiVersionForKeyVaultSecrets}' = { - name: 
'${keyVaultName}/${certificatePswSecretName}' - properties: { - value: certificatePasswordValue - } - tags: union(tagsByResource['${identifier.vaults}'], obj_extraTag) - dependsOn: [ - keyvault - ] -} - -output keyVaultName string = keyVaultName -output sslCertDataSecretName string = certificateDataName -output sslCertPwdSecretName string = certificatePswSecretName diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep index fa792a2b3..f0d63dce4 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep @@ -59,6 +59,7 @@ resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = { enabledForDiskEncryption: false enabledForTemplateDeployment: true enableSoftDelete: true + enableRbacAuthorization: false } } diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep deleted file mode 100644 index be920a1a9..000000000 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvaultForGateway.bicep +++ /dev/null 
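Review bot: The added `enableRbacAuthorization: false` hard-wires the new vault to the legacy vault-access-policy permission model, and nothing in the hunk records why; the `accessPolicies` it relies on and the identity they grant are outside this hunk, and the same module later in this series (patch 25 on this page) defines a `permission` object whose description says it is applied to all access policies, so the choice looks deliberate rather than accidental. A why-comment keeps the next reader from "modernising" it to RBAC and silently breaking the policy-based grants: `// Access-policy model on purpose: the deployment identity is granted through accessPolicies, not Azure RBAC role assignments.` The enclosing `resource keyvault` block starts and ends outside the hunk.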
@@ -1,102 +0,0 @@ -// Copyright (c) 2021, Oracle Corporation and/or its affiliates. -// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. -// Deploy Application Gateway certificate secrets. - -param _globalResourceNameSufix string -@description('Backend certificate data to store in the secret') -param backendCertificateDataValue string = newGuid() - -@description('Certificate data to store in the secret') -param certificateDataValue string = newGuid() - -@secure() -@description('Certificate password to store in the secret') -param certificatePasswordValue string = newGuid() - -@description('true to upload trusted root certificate') -param enableCustomSSL bool = false - -@description('Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.') -param enabledForTemplateDeployment bool = true - -param identity object = {} -param location string -param permission object = { - certificates: [ - 'get' - 'list' - 'update' - 'create' - ] -} - -@description('Price tier for Key Vault.') -param sku string = 'Standard' - -@description('Subject name to create a certificate.') -param subjectName string = '' - -@description('If false, will create a certificate.') -param useExistingAppGatewaySSLCertificate bool = false - -@description('Current deployment time. 
Used as a tag in deployment script.') -param keyVaultName string = 'GEN_UNIQUE' - -@description('${label.tagsLabel}') -param tagsByResource object - -var name_sslBackendCertSercretName= 'myAppGatewaySSLBackendRootCert' -var name_sslCertSecretName = 'myAppGatewaySSLCert' -var name_sslCertPasswordSecretName = 'myAppGatewaySSLCertPassword' - -module keyVaultwithSelfSignedAppGatewaySSLCert '_keyvault/_keyvaultWithNewCert.bicep' = if (!useExistingAppGatewaySSLCertificate) { - name: 'kv-appgw-selfsigned-certificate-deployment' - params: { - _globalResourceNameSufix: _globalResourceNameSufix - identity: identity - keyVaultName: keyVaultName - location: location - permission: permission - subjectName: subjectName - sku: sku - tagsByResource: tagsByResource - } -} - -module keyVaultwithExistingAppGatewaySSLCert '_keyvault/_keyvaultWithExistingCert.bicep' = if (useExistingAppGatewaySSLCertificate) { - name: 'kv-appgw-existing-certificate-deployment' - params: { - certificateDataName: name_sslCertSecretName - certificateDataValue: certificateDataValue - certificatePswSecretName: name_sslCertPasswordSecretName - certificatePasswordValue: certificatePasswordValue - enabledForTemplateDeployment: enabledForTemplateDeployment - keyVaultName: keyVaultName - location: location - sku: sku - tagsByResource: tagsByResource - } -} - -module keyvaultBackendRootCert '_keyvault/_keyvaultForGatewayBackendCert.bicep' = if (enableCustomSSL) { - name: 'kv-appgw-e2e-ssl-backend-certificate' - params:{ - certificateDataName: name_sslBackendCertSercretName - certificateDataValue: backendCertificateDataValue - enabledForTemplateDeployment: enabledForTemplateDeployment - keyVaultName: keyVaultName - location: location - sku: sku - tagsByResource: tagsByResource - } - dependsOn:[ - keyVaultwithSelfSignedAppGatewaySSLCert - keyVaultwithExistingAppGatewaySSLCert - ] -} - -output keyVaultName string = (useExistingAppGatewaySSLCertificate ? 
keyVaultwithExistingAppGatewaySSLCert.outputs.keyVaultName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.keyVaultName) -output sslCertDataSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertDataSecretName : keyVaultwithSelfSignedAppGatewaySSLCert.outputs.secretName) -output sslCertPwdSecretName string = (useExistingAppGatewaySSLCertificate ? keyVaultwithExistingAppGatewaySSLCert.outputs.sslCertPwdSecretName: '') -output sslBackendCertDataSecretName string = (enableCustomSSL) ? keyvaultBackendRootCert.outputs.sslBackendCertDataSecretName : '' - diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep index 3d7cb9e76..0756c4858 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep @@ -3,24 +3,6 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. */ -param _globalResourceNameSufix string -param enableCustomSSL bool -@allowed([ - 'uploadConfig' - 'keyVaultStoredConfig' -]) -param sslConfigurationAccessOption string -param sslKeyVaultName string -param sslKeyVaultResourceGroup string -param enableAppGWIngress bool -@allowed([ - 'haveCert' - 'haveKeyVault' - 'generateCert' -]) -param appGatewayCertificateOption string -param keyVaultName string -param keyVaultResourceGroup string param location string @description('${label.tagsLabel}') param tagsByResource object 
@@ -47,32 +29,4 @@ module deploymentScriptUAMICotibutorRoleAssignment '_rolesAssignment/_roleAssign } } -resource keyvaultStoringWLSSSLCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = { - name: sslKeyVaultName - scope: resourceGroup(sslKeyVaultResourceGroup) -} - -resource keyvaultStoringAppgwCerts 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' existing = { - name: keyVaultName - scope: resourceGroup(keyVaultResourceGroup) -} - -module updateKeyvaultStoringWLSSSLCerts '_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep' = if (enableCustomSSL && sslConfigurationAccessOption == 'keyVaultStoredConfig') { - name: 'update-keyvault-storing-wls-ssl-certs-with-getlist-permission' - scope: resourceGroup(sslKeyVaultResourceGroup) - params: { - keyVault: keyvaultStoringWLSSSLCerts - principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId - } -} - -module updateKeyvaultStoringAppgwCerts '_azure-resoruces/_keyvault/_keyvaultGetListAccessPolicy.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == 'haveKeyVault') { - name: 'update-keyvault-storing-appgw-certs-with-getlist-permission' - scope: resourceGroup(keyVaultResourceGroup) - params: { - keyVault: keyvaultStoringAppgwCerts - principalId: reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', name_deploymentScriptUserDefinedManagedIdentity)).principalId - } -} - output uamiIdForDeploymentScript string = uamiForDeploymentScript.id From 8982ab4c4c56c75dc173a9666e0fe2bd597032af Mon Sep 17 00:00:00 2001 
From: galiacheng Date: Wed, 5 Feb 2025 14:45:29 +0800 Subject: [PATCH 22/32] remove key vault validation in fail fast stage. --- .../inline-scripts/validateParameters.sh | 183 +----------------- .../src/main/bicep/mainTemplate.bicep | 14 +- ...toGeneratedPfxCertandSaveinKeyvault.bicep} | 2 +- .../_ds-validate-parameters.bicep | 73 +------ .../bicep/modules/_globalUamiAndRoles.bicep | 1 + 5 files changed, 16 insertions(+), 257 deletions(-) rename weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/{_keyvault/_keyvaultWithNewCert.bicep => _autoGeneratedPfxCertandSaveinKeyvault.bicep} (98%) diff --git a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh index c5cfc6b5e..9267aca03 100644 --- a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh +++ b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh @@ -9,16 +9,6 @@ # AKS_CLUSTER_NAME # AKS_CLUSTER_RESOURCEGROUP_NAME # BASE64_FOR_SERVICE_PRINCIPAL -# WLS_SSL_KEYVAULT_NAME -# WLS_SSL_KEYVAULT_RESOURCEGROUP_NAME -# WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME -# WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME -# WLS_SSL_KEYVAULT_IDENTITY_TYPE -# WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME -# WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME -# WLS_SSL_KEYVAULT_TRUST_TYPE -# WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS -# WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD # WLS_SSL_IDENTITY_DATA # WLS_SSL_IDENTITY_PASSWORD # WLS_SSL_IDENTITY_TYPE @@ -27,10 +17,6 @@ # WLS_SSL_TRUST_TYPE # WLS_SSL_PRIVATE_KEY_ALIAS # WLS_SSL_PRIVATE_KEY_PASSWORD -# APPLICATION_GATEWAY_SSL_KEYVAULT_NAME -# APPLICATION_GATEWAY_SSL_KEYVAULT_RESOURCEGROUP -# APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME -# APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME # APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA # APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD # DNS_ZONE_NAME 
@@ -351,113 +337,7 @@ function validate_image_compatibility fi } -function download_wls_ssl_certificates_from_keyvault() { - # check key vault accessibility for template deployment - local enabledForTemplateDeployment=$(az keyvault show --name ${WLS_SSL_KEYVAULT_NAME} --query "properties.enabledForTemplateDeployment") - if [[ "${enabledForTemplateDeployment,,}" != "true" ]]; then - echo_stderr "Make sure Key Vault ${WLS_SSL_KEYVAULT_NAME} is enabled for template deployment. " - exit 1 - fi - - # check key vault permission model, current support model is Vault access policy. - local enableRbacAuthorization=$(az keyvault show --name ${WLS_SSL_KEYVAULT_NAME} --query "properties.enableRbacAuthorization") - if [[ "${enableRbacAuthorization,,}" != "false" ]]; then - echo_stderr "Make sure Key Vault ${WLS_SSL_KEYVAULT_NAME} is using Vault access policy, not using RBAC authorization. " - exit 1 - fi - - # allow the identity to access the keyvault - local principalId=$(az identity show --ids ${AZ_SCRIPTS_USER_ASSIGNED_IDENTITY} --query "principalId" -o tsv) - az keyvault set-policy --name ${WLS_SSL_KEYVAULT_NAME} --object-id ${principalId} --secret-permissions get list - validate_status "grant identity permission to get/list secrets in key vault ${WLS_SSL_KEYVAULT_NAME}" - - local identityDataFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/identityData.txt - local identityPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/identityPsw.txt - local trustDataFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/trustData.txt - local trustPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/trustPsw.txt - local privateKeyAliasFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/privateKeyData.txt - local privateKeyPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/privateKeyPsw.txt - - rm -f ${identityDataFileName} - rm -f ${identityPswFileName} - rm -f ${trustDataFileName} - rm -f ${trustPswFileName} - rm -f ${privateKeyAliasFileName} - rm -f ${privateKeyPswFileName} - - # download identity data - az 
keyvault secret download --file ${identityDataFileName} \ - --name ${WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set identity data with values in download file - WLS_SSL_IDENTITY_DATA="$(cat ${identityDataFileName} | base64)" - # remove the data file - rm -f ${identityDataFileName} - - # download identity password - az keyvault secret download --file ${identityPswFileName} \ - --name ${WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set identity psw with values in download file - WLS_SSL_IDENTITY_PASSWORD="$(cat ${identityPswFileName})" - # remove the data file - rm -f ${identityPswFileName} - - # download trust data - az keyvault secret download --file ${trustDataFileName} \ - --name ${WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set trust data with values in download file - WLS_SSL_TRUST_DATA="$(cat ${trustDataFileName} | base64)" - # remove the data file - rm -f ${trustDataFileName} - - # download trust psw - az keyvault secret download --file ${trustPswFileName} \ - --name ${WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set trust psw with values in download file - WLS_SSL_TRUST_PASSWORD="$(cat ${trustPswFileName})" - # remove the data file - rm -f ${trustPswFileName} - - # download alias - az keyvault secret download --file ${privateKeyAliasFileName} \ - --name ${WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS} \ - 
--vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set alias with values in download file - WLS_SSL_PRIVATE_KEY_ALIAS="$(cat ${privateKeyAliasFileName})" - # remove the data file - rm -f ${privateKeyAliasFileName} - - # download private key psw - az keyvault secret download --file ${privateKeyPswFileName} \ - --name ${WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD} \ - --vault-name ${WLS_SSL_KEYVAULT_NAME} - validate_status "download secret ${WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD} from key vault ${WLS_SSL_KEYVAULT_NAME}" - # set private key psw with values in download file - WLS_SSL_PRIVATE_KEY_PASSWORD="$(cat ${privateKeyPswFileName})" - # remove the data file - rm -f ${privateKeyPswFileName} - - WLS_SSL_IDENTITY_TYPE="${WLS_SSL_KEYVAULT_IDENTITY_TYPE}" - WLS_SSL_TRUST_TYPE="${WLS_SSL_KEYVAULT_TRUST_TYPE}" - - # reset key vault policy - az keyvault delete-policy --name ${WLS_SSL_KEYVAULT_NAME} --object-id ${principalId} - validate_status "delete identity permission to get/list secrets in key vault ${WLS_SSL_KEYVAULT_NAME}" -} - function validate_wls_ssl_certificates() { - if [[ "${sslConfigurationAccessOption}" == "${sslCertificateKeyVaultOption}" ]]; then - download_wls_ssl_certificates_from_keyvault - fi - local wlsIdentityKeyStoreFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/identity.keystore local wlsTrustKeyStoreFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/trust.keystore echo "$WLS_SSL_IDENTITY_DATA" | base64 -d >$wlsIdentityKeyStoreFileName 
@@ -494,66 +374,11 @@ function validate_wls_ssl_certificates() { echo_stdout "validate SSL key stores: passed!" } -function download_application_gateway_certificate_from_keyvault() { - # check key vault accessibility for template deployment - local enabledForTemplateDeployment=$(az keyvault show --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --query "properties.enabledForTemplateDeployment") - if [[ "${enabledForTemplateDeployment,,}" != "true" ]]; then - echo_stderr "Make sure Key Vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} is enabled for template deployment. " - exit 1 - fi - - # check key vault permission model, current support model is Vault access policy. - local enableRbacAuthorization=$(az keyvault show --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --query "properties.enableRbacAuthorization") - if [[ "${enableRbacAuthorization,,}" != "false" ]]; then - echo_stderr "Make sure Key Vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} is using Vault access policy, not using RBAC authorization. 
" - exit 1 - fi - - # allow the identity to access the keyvault - local principalId=$(az identity show --ids ${AZ_SCRIPTS_USER_ASSIGNED_IDENTITY} --query "principalId" -o tsv) - az keyvault set-policy --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --object-id ${principalId} --secret-permissions get list - validate_status "grant identity permission to get/list secrets in key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" - - local gatewayCertDataFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/gatewayCertData.txt - local gatewayCertPswFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/gatewayCertPsw.txt - - rm -f ${gatewayCertDataFileName} - rm -f ${gatewayCertPswFileName} - - # download cert data - az keyvault secret download --file ${gatewayCertDataFileName} \ - --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME} \ - --vault-name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} - validate_status "download secret ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME} from key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" - # set cert data with values in download file - APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA=$(cat ${gatewayCertDataFileName}) - # remove the data file - rm -f ${gatewayCertDataFileName} - - # download cert data - az keyvault secret download --file ${gatewayCertPswFileName} \ - --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME} \ - --vault-name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} - validate_status "download secret ${APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME} from key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" - # set cert data with values in download file - APPLICATION_GATEWAY_SSL_FRONTEND_CERT_PASSWORD=$(cat ${gatewayCertPswFileName}) - # remove the data file - rm -f ${gatewayCertPswFileName} - - # reset key vault policy - az keyvault delete-policy --name ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME} --object-id ${principalId} - validate_status "delete identity permission 
to get/list secrets in key vault ${APPLICATION_GATEWAY_SSL_KEYVAULT_NAME}" -} - function validate_gateway_frontend_certificates() { if [[ "${appGatewayCertificateOption}" == "generateCert" ]]; then return fi - if [[ "${appGatewayCertificateOption}" == "haveKeyVault" ]]; then - download_application_gateway_certificate_from_keyvault - fi - local appgwFrontCertFileName=${AZ_SCRIPTS_PATH_OUTPUT_DIRECTORY}/gatewaycert.pfx echo "$APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA" | base64 -d >$appgwFrontCertFileName @@ -702,13 +527,11 @@ useOracleImage=$5 wlsImageTag=$6 userProvidedImagePath=$7 enableCustomSSL=$8 -sslConfigurationAccessOption=$9 -appGatewayCertificateOption=${10} -enableAppGWIngress=${11} -checkDNSZone=${12} +appGatewayCertificateOption=${9} +enableAppGWIngress=${10} +checkDNSZone=${11} outputAksVersion=${constDefaultAKSVersion} -sslCertificateKeyVaultOption="keyVaultStoredConfig" # install docker cli install_docker diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 279596feb..3e88b1ff8 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep @@ -335,6 +335,7 @@ module partnerCenterPid './modules/_pids/_empty.bicep' = { module uamiDeployment 'modules/_globalUamiAndRoles.bicep' = { name: 'uami-deployment' params: { + _globalResourceNameSufix: const_globalResourceNameSufix location: location tagsByResource: _objTagsByResource } 
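Review bot: The renumbered assignments `appGatewayCertificateOption=${9}`, `enableAppGWIngress=${10}` and `checkDNSZone=${11}` are only correct while `const_arguments` in `_ds-validate-parameters.bicep` (the `@@ -72,7 +57,7 @@` hunk further down this page) keeps exactly this order, and nothing in the script checks the count, so a future argument removed on one side silently shifts every later value into the wrong variable (for example `enableAppGWIngress` receiving the DNS flag). A guard before the assignments, `if [[ $# -lt 11 ]]; then echo_stderr "validateParameters.sh expects 11 arguments, got $#"; exit 1; fi`, and a comment on the Bicep side such as `// Positional arguments for validateParameters.sh ($1..$11); keep the order in sync with the script.` would make the coupling explicit and fail fast. The assignment run starts before this hunk (`$1`–`$4` are outside it).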
@@ -406,20 +407,23 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep ] } -module autoGeneratedSSLCert './_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep' = if (enableAppGWIngress && appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveCert) { +module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveCert) { name: 'auto-generated-ssl-cert-for-app-gateway' params: { - _globalResourceNameSufix: _globalResourceNameSufix + _globalResourceNameSufix: const_globalResourceNameSufix + identity: obj_uamiForDeploymentScript + keyVaultName: 'wlskv${const_globalResourceNameSufix}' location: location + secretName: name_appgwFrontendSSLCertName subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName) tagsByResource: tagsByResource } dependsOn: [ - pidAppgwStart + uamiDeployment ] } -// To void space overlap with AKS Vnet, must deploy the Applciation Gateway VNet before AKS deployment. +// To void space overlap with AKS VNet, must deploy the Applciation Gateway VNet before AKS deployment. module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress) { name: 'application-gateway-deployment' params: { @@ -432,6 +436,8 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress appgwSSLBackendRootCertData: appGatewaySSLBackendRootCertData appgwUsePrivateIP: appgwUsePrivateIP azCliVersion: const_azcliVersion + autoGeneratedSSLCertKeyVaultName: autoGeneratedSSLCert.outputs.keyVaultName + autoGeneratedSSLCertSecretName: autoGeneratedSSLCert.outputs.secretName dnsNameforApplicationGateway: name_domainLabelforApplicationGateway enableCustomSSL: enableCustomSSL identity: obj_uamiForDeploymentScript 
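Review bot: The comment line on the new side still reads `// To void space overlap with AKS VNet, must deploy the Applciation Gateway VNet before AKS deployment.` — the commit fixed only `Vnet`; suggest `// To avoid address-space overlap with the AKS VNet, the Application Gateway VNet must be deployed before AKS.` Separately, `keyVaultName: 'wlskv${const_globalResourceNameSufix}'` re-derives the same pattern the module's own default (`'wlskv${uniqueString(utcValue)}'`, changed in this same commit) already produces, presumably so the caller controls the suffix; a short comment on that line stating the intent would help. Key Vault names are limited to 3–24 alphanumeric or hyphen characters, so the length of `const_globalResourceNameSufix` (defined outside this hunk) is what keeps the literal valid; worth a note where the suffix is defined.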
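Review bot: The two added lines `autoGeneratedSSLCertKeyVaultName: autoGeneratedSSLCert.outputs.keyVaultName` and `autoGeneratedSSLCertSecretName: autoGeneratedSSLCert.outputs.secretName` read outputs of a module that is deployed only when `appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveCert`, while the enclosing `appgatewayDeployment` module is deployed for every option once `enableAppGWIngress` is true; as far as I know Bicep still evaluates such a reference when the module condition is false, so the `haveCert` path would fail at deployment time. Guarding the references with the module's own condition avoids that, e.g. `autoGeneratedSSLCertKeyVaultName: appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveCert ? autoGeneratedSSLCert.outputs.keyVaultName : ''` and the same ternary for `autoGeneratedSSLCertSecretName`. The later `@@ -407,7 +407,7 @@` hunk on this page narrows the module condition to `== const_appGatewaySSLCertOptionGenerateCert`, which widens the gap to two of the three options, so the guard there needs the new constant. The `appgatewayDeployment` module starts before this hunk and its parameter list continues after it.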
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep similarity index 98% rename from weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep rename to weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep index f0d63dce4..018e5ba83 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_keyvault/_keyvaultWithNewCert.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep @@ -6,7 +6,7 @@ param _globalResourceNameSufix string param identity object = {} @description('Used to name the new Azure Key Vault resoure.') -param keyVaultName string = 'wls-kv-${uniqueString(utcValue)}' +param keyVaultName string = 'wlskv${uniqueString(utcValue)}' param location string diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep index 1356de28c..ffbd1759a 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep 
@@ -22,27 +22,12 @@ param dnszoneRGName string param enableAppGWIngress bool param enableCustomSSL bool param enableDNSConfiguration bool -param keyVaultName string -param keyVaultResourceGroup string -param keyVaultSSLCertDataSecretName string -param keyVaultSSLCertPasswordSecretName string param identity object = {} param isSSOSupportEntitled bool param location string @secure() param ocrSSOPSW string param ocrSSOUser string -param sslConfigurationAccessOption string -param sslKeyVaultCustomIdentityKeyStoreDataSecretName string -param sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName string -param sslKeyVaultCustomIdentityKeyStoreType string -param sslKeyVaultCustomTrustKeyStoreDataSecretName string -param sslKeyVaultCustomTrustKeyStorePassPhraseSecretName string -param sslKeyVaultCustomTrustKeyStoreType string -param sslKeyVaultName string -param sslKeyVaultPrivateKeyAliasSecretName string -param sslKeyVaultPrivateKeyPassPhraseSecretName string -param sslKeyVaultResourceGroup string @secure() param sslUploadedCustomIdentityKeyStoreData string @secure() 
@@ -72,7 +57,7 @@ param wlsImageTag string var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh') var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh') var base64_validateParameters = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateParameters.sh') -var const_arguments = '${location} ${createAKSCluster} ${aksAgentPoolVMSize} ${aksAgentPoolNodeCount} ${useOracleImage} ${wlsImageTag} ${userProvidedImagePath} ${enableCustomSSL} ${sslConfigurationAccessOption} ${appGatewayCertificateOption} ${enableAppGWIngress} ${const_checkDNSZone}' +var const_arguments = '${location} ${createAKSCluster} ${aksAgentPoolVMSize} ${aksAgentPoolNodeCount} ${useOracleImage} ${wlsImageTag} ${userProvidedImagePath} ${enableCustomSSL} ${appGatewayCertificateOption} ${enableAppGWIngress} ${const_checkDNSZone}' var const_checkDNSZone = enableDNSConfiguration && !createDNSZone var const_deploymentName = 'ds-validate-parameters-and-fail-fast-${_globalResourceNameSufix}' 
@@ -130,46 +115,6 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers name: 'APP_REPLICAS' value: appReplicas } - { - name: 'WLS_SSL_KEYVAULT_NAME' - value: sslKeyVaultName - } - { - name: 'WLS_SSL_KEYVAULT_RESOURCEGROUP_NAME' - value: sslKeyVaultResourceGroup - } - { - name: 'WLS_SSL_KEYVAULT_IDENTITY_DATA_SECRET_NAME' - value: sslKeyVaultCustomIdentityKeyStoreDataSecretName - } - { - name: 'WLS_SSL_KEYVAULT_IDENTITY_PASSWORD_SECRET_NAME' - value: sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName - } - { - name: 'WLS_SSL_KEYVAULT_IDENTITY_TYPE' - value: sslKeyVaultCustomIdentityKeyStoreType - } - { - name: 'WLS_SSL_KEYVAULT_TRUST_DATA_SECRET_NAME' - value: sslKeyVaultCustomTrustKeyStoreDataSecretName - } - { - name: 'WLS_SSL_KEYVAULT_TRUST_PASSWORD_SECRET_NAME' - value: sslKeyVaultCustomTrustKeyStorePassPhraseSecretName - } - { - name: 'WLS_SSL_KEYVAULT_TRUST_TYPE' - value: sslKeyVaultCustomTrustKeyStoreType - } - { - name: 'WLS_SSL_KEYVAULT_PRIVATE_KEY_ALIAS' - value: sslKeyVaultPrivateKeyAliasSecretName - } - { - name: 'WLS_SSL_KEYVAULT_PRIVATE_KEY_PASSWORD' - value: sslKeyVaultPrivateKeyPassPhraseSecretName - } { name: 'WLS_SSL_IDENTITY_DATA' secureValue: sslUploadedCustomIdentityKeyStoreData @@ -202,22 +147,6 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers name: 'WLS_SSL_PRIVATE_KEY_PASSWORD' secureValue: sslUploadedPrivateKeyPassPhrase } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_NAME' - value: keyVaultName - } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_RESOURCEGROUP' - value: keyVaultResourceGroup - } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_DATA_SECRET_NAME' - value: keyVaultSSLCertDataSecretName - } - { - name: 'APPLICATION_GATEWAY_SSL_KEYVAULT_FRONTEND_CERT_PASSWORD_SECRET_NAME' - value: keyVaultSSLCertPasswordSecretName - } { name: 'APPLICATION_GATEWAY_SSL_FRONTEND_CERT_DATA' value: appGatewaySSLCertData 
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep index 0756c4858..0fb979393 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep @@ -3,6 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. */ +param _globalResourceNameSufix string param location string @description('${label.tagsLabel}') param tagsByResource object From a641652a56b757a53d3d1d0351a6705030c812a9 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Thu, 6 Feb 2025 13:50:27 +0800 Subject: [PATCH 23/32] update key vault API version --- resources/azure-common.properties | 4 ++-- weblogic-azure-aks/src/main/bicep/mainTemplate.bicep | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/resources/azure-common.properties b/resources/azure-common.properties index 1e24b1359..8648bea76 100644 --- a/resources/azure-common.properties +++ b/resources/azure-common.properties @@ -11,9 +11,9 @@ azure.apiVersionForAvailabilitySets=2023-07-01 # Microsoft.Compute/virtualMachines azure.apiVersionForVirtualMachines=2023-07-01 # Microsoft.KeyVault/vaults -azure.apiVersionForKeyVault=2023-02-01 +azure.apiVersionForKeyVault=2024-11-01 # Microsoft.KeyVault/vaults/secrets -azure.apiVersionForKeyVaultSecrets=2023-02-01 +azure.apiVersionForKeyVaultSecrets=2024-11-01 # Microsoft.ManagedIdentity/userAssignedIdentities azure.apiVersionForIdentity=2023-01-31 # Microsoft.Network/networkInterfaces diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 3e88b1ff8..8815a4296 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep 
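Review bot: The added `param _globalResourceNameSufix string` has no `@description`, while `tagsByResource` two lines below carries one, and nothing visible in this hunk consumes it (the rest of the file is outside the hunk, so the use is presumably in resource naming). Suggest `@description('Suffix shared by generated resource names; supplied by mainTemplate.')` directly above the new line so the contract with the caller is recorded next to the parameter.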
@@ -285,7 +285,7 @@ var _objTagsByResource = { '${identifier.deploymentScripts}': contains(tagsByResource, '${identifier.deploymentScripts}') ? tagsByResource['${identifier.deploymentScripts}'] : json('{}') } var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSufix}' : aksClusterName -var const_appGatewaySSLCertOptionHaveCert = 'haveCert' +var const_appGatewaySSLCertOptionGenerateCert = 'generateCert' var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSufix) var const_acrName = (createACR) ? 'acrwlsaks${const_globalResourceNameSufix}' : acrName var const_azcliVersion = '2.53.0' @@ -407,7 +407,7 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep ] } -module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveCert) { +module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert) { name: 'auto-generated-ssl-cert-for-app-gateway' params: { _globalResourceNameSufix: const_globalResourceNameSufix @@ -416,7 +416,7 @@ module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertand location: location secretName: name_appgwFrontendSSLCertName subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName) - tagsByResource: tagsByResource + tagsByResource: _objTagsByResource } dependsOn: [ uamiDeployment From 3075c590401c9a48a2efe96601b84bcc0027060e Mon Sep 17 00:00:00 2001 
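Review bot: The `autoGeneratedSSLCert` condition in the second hunk now deploys the certificate module only for `generateCert`, where it previously fired for every value other than `haveCert`; if `appGatewayCertificateOption` still admits a third value (the parameter declaration is outside this hunk), a deployment using it gets neither a generated certificate nor a validation failure, and `_appGateway.bicep` receives the value unchanged through `appgwCertificateOption`. Unless the parameter already carries it, add `@allowed(['haveCert', 'generateCert'])` so an unsupported option is rejected at template validation rather than surfacing as a gateway with no certificate. The `'haveCert'` literal is still compared by the UI definition, so keeping a named constant for it next to `const_appGatewaySSLCertOptionGenerateCert` would make the two accepted values visible in one place.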
From: galiacheng Date: Thu, 6 Feb 2025 14:23:57 +0800 Subject: [PATCH 24/32] Fix "An invalid value was provided for 'accessPolicies[0].Permissions.secrets'" --- .../_autoGeneratedPfxCertandSaveinKeyvault.bicep | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep index 018e5ba83..d5b3023bb 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep @@ -15,8 +15,7 @@ param permission object = { secrets: [ 'get' 'list' - 'update' - 'create' + 'set' ] } From 73b384759808c2f0dad095c26848ac073260768b Mon Sep 17 00:00:00 2001 From: galiacheng Date: Thu, 6 Feb 2025 14:54:52 +0800 Subject: [PATCH 25/32] Set key vault certificate permission. --- .../_autoGeneratedPfxCertandSaveinKeyvault.bicep | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep index d5b3023bb..da95ac40e 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep @@ -12,10 +12,11 @@ param location string @description('Access permission of the key vault, will applied to all access policies.') param permission object = { - secrets: [ + certificates: [ 'get' 'list' - 'set' + 'update' + 'create' ] } From 07b3f68729bb17480d1fc530541e97b38c4dddca Mon Sep 17 00:00:00 2001 
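Review bot: After PATCH 25 the default `permission` object grants only `certificates` rights and no longer contains `secrets/get`, yet its `@description` says it is applied to every access policy on the vault, and the certificate this module produces is consumed downstream by name as a secret (`autoGeneratedSSLCert.outputs.secretName`); an Application Gateway reads a Key Vault certificate through its secret identifier, which needs `secrets/get` on the reading identity. If the gateway's identity receives this same policy (the access-policy resources are outside the hunk), the TLS listener will be unable to fetch the certificate, so this is worth confirming against the rest of the module. Separately, handing one writer-level set (`create`, `update`) to all policies is broader than any single principal needs; a second parameter for the read-only consumer, e.g. `param readerPermission object = { secrets: [ 'get' ] }`, would leave `create`/`update` with the deployment-script identity only. PATCH 24's `set` change is superseded by this hunk.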
From: galiacheng Date: Thu, 6 Feb 2025 17:13:57 +0800 Subject: [PATCH 26/32] upgrade jdk version --- .github/actions/setupmaven/action.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/actions/setupmaven/action.yml b/.github/actions/setupmaven/action.yml index f6dcf9c77..50f50652e 100644 --- a/.github/actions/setupmaven/action.yml +++ b/.github/actions/setupmaven/action.yml @@ -7,10 +7,12 @@ inputs: runs: using: "composite" steps: + - uses: actions/checkout@v4 - name: Set up Apache Maven and JDK - uses: actions/setup-java@v1 + uses: actions/setup-java@v4 with: - java-version: 1.8 + distribution: 'microsoft' + java-version: 21 server-id: github # Value of the distributionManagement/repository/id field of the pom.xml server-username: MAVEN_USERNAME # env variable for username server-password: MAVEN_TOKEN # env variable for token From fcc8e84ac24e1d3a89de0dd0b79abb2739cbcc7b Mon Sep 17 00:00:00 2001 From: galiacheng Date: Fri, 7 Feb 2025 11:12:36 +0800 Subject: [PATCH 27/32] Code clean up. --- .../src/main/bicep/mainTemplate.bicep | 3 +-- ... => _autoGeneratedPfxCertInKeyVault.bicep} | 0 .../bicep/modules/_setupDBConnection.bicep | 4 ++-- .../bicep/modules/setupDBConnection.bicep | 21 +++++++++++++++++++ 4 files changed, 24 insertions(+), 4 deletions(-) rename weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/{_autoGeneratedPfxCertandSaveinKeyvault.bicep => _autoGeneratedPfxCertInKeyVault.bicep} (100%) diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 8815a4296..3a5a10105 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep 
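Review bot: The new `actions/checkout@v4` step runs inside this composite action, so every workflow that calls it now re-checks out the repository at that point; with checkout's default `clean: true` that discards files earlier workflow steps wrote into the workspace, so confirm no caller relies on such state before invoking this action. Both actions are referenced by floating major tags; pinning them to a full commit SHA with the tag kept in a trailing comment (`uses: actions/setup-java@<commit-sha> # v4`) prevents the action content from changing underneath the build. `java-version: 21` is a bare integer while `distribution` is quoted; `java-version: '21'` keeps the two inputs consistent and the value a string through YAML parsing.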
@@ -211,7 +211,6 @@ param useLatestSupportedAksVersion bool = true param useHpa bool = true @description('True to set up internal load balancer service.') param useInternalLB bool = false -@description('ture to upload Java EE applications and deploy the applications to WebLogic domain.') param utcValue string = utcNow() @description('User provided ACR for base image') param userProvidedAcr string = 'null' @@ -407,7 +406,7 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep ] } -module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert) { +module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert) { name: 'auto-generated-ssl-cert-for-app-gateway' params: { _globalResourceNameSufix: const_globalResourceNameSufix diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep similarity index 100% rename from weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertandSaveinKeyvault.bicep rename to weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep index ff955555b..962160010 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep 
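Review bot: Removing the mismatched `@description` leaves `utcValue` undocumented, and the same applies to the new `param utcValue string = utcNow()` added to setupDBConnection.bicep in this commit; since the template derives its global resource-name suffix from this value, a reader should be told why it exists and that it should be left at its default, e.g. `@description('Deployment timestamp used to derive unique resource names; keep the default.')`. The module path change in the second hunk fixes the file name but keeps the misspelled directory `_azure-resoruces`, which a clean-up commit could correct as well (the same path appears in several later hunks).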
@@ -6,7 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or param _artifactsLocation string = deployment().properties.templateLink.uri @secure() param _artifactsLocationSasToken string = '' -param _globalResourceNameSufix string = uniqueString(utcNow()) +param _globalResourceNameSufix string param _pidEnd string = '' param _pidStart string = '' param _pidOtherDb string = '' @@ -42,7 +42,7 @@ param identity object = {} param jdbcDataSourceName string = 'jdbc/contoso' param location string @description('${label.tagsLabel}') -param tagsByResource object = {} +param tagsByResource object @description('UID of WebLogic domain, used in WebLogic Operator.') param wlsDomainUID string = 'sample-domain1' @secure() diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep index ab6546fce..49cbe2148 100644 --- a/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep +++ b/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep @@ -65,6 +65,7 @@ param identity object = {} @description('JNDI Name for JDBC Datasource') param jdbcDataSourceName string = 'jdbc/contoso' +param utcValue string = utcNow() @description('UID of WebLogic domain, used in WebLogic Operator.') param wlsDomainUID string = 'sample-domain1' @secure() 
@@ -74,6 +75,24 @@ param wlsUserName string = 'weblogic' // This template is used for post deployment, hard code the CLI version with a variable. var const_azCliVersion = '2.33.1' +var _objTagsByResource = { + 'Microsoft.Monitor/accounts': contains(tagsByResource, 'Microsoft.Monitor/accounts') ? tagsByResource['Microsoft.Monitor/accounts'] : json('{}') + 'Microsoft.ContainerService/managedClusters': contains(tagsByResource, 'Microsoft.ContainerService/managedClusters') ? tagsByResource['Microsoft.ContainerService/managedClusters'] : json('{}') + 'Microsoft.Network/applicationGateways': contains(tagsByResource, 'Microsoft.Network/applicationGateways') ? tagsByResource['Microsoft.Network/applicationGateways'] : json('{}') + 'Microsoft.ContainerRegistry/registries': contains(tagsByResource, 'Microsoft.ContainerRegistry/registries') ? tagsByResource['Microsoft.ContainerRegistry/registries'] : json('{}') + 'Microsoft.Compute/virtualMachines': contains(tagsByResource, 'Microsoft.Compute/virtualMachines') ? tagsByResource['Microsoft.Compute/virtualMachines'] : json('{}') + 'Virtual machine extension': contains(tagsByResource, 'Virtual machine extension') ? tagsByResource['Virtual machine extension'] : json('{}') + 'Microsoft.Network/virtualNetworks': contains(tagsByResource, 'Microsoft.Network/virtualNetworks') ? tagsByResource['Microsoft.Network/virtualNetworks'] : json('{}') + 'Microsoft.Network/networkInterfaces': contains(tagsByResource, 'Microsoft.Network/networkInterfaces') ? tagsByResource['Microsoft.Network/networkInterfaces'] : json('{}') + 'Microsoft.Network/networkSecurityGroups': contains(tagsByResource, 'Microsoft.Network/networkSecurityGroups') ? tagsByResource['Microsoft.Network/networkSecurityGroups'] : json('{}') + 'Microsoft.Network/publicIPAddresses': contains(tagsByResource, 'Microsoft.Network/publicIPAddresses') ? 
tagsByResource['Microsoft.Network/publicIPAddresses'] : json('{}') + 'Microsoft.Storage/storageAccounts': contains(tagsByResource, 'Microsoft.Storage/storageAccounts') ? tagsByResource['Microsoft.Storage/storageAccounts'] : json('{}') + 'Microsoft.KeyVault/vaults': contains(tagsByResource, 'Microsoft.KeyVault/vaults') ? tagsByResource['Microsoft.KeyVault/vaults'] : json('{}') + 'Microsoft.ManagedIdentity/userAssignedIdentities': contains(tagsByResource, 'Microsoft.ManagedIdentity/userAssignedIdentities') ? tagsByResource['Microsoft.ManagedIdentity/userAssignedIdentities'] : json('{}') + 'Microsoft.Network/dnszones': contains(tagsByResource, 'Microsoft.Network/dnszones') ? tagsByResource['Microsoft.Network/dnszones'] : json('{}') + 'Microsoft.OperationalInsights/workspaces': contains(tagsByResource, 'Microsoft.OperationalInsights/workspaces') ? tagsByResource['Microsoft.OperationalInsights/workspaces'] : json('{}') + 'Microsoft.Resources/deploymentScripts': contains(tagsByResource, 'Microsoft.Resources/deploymentScripts') ? tagsByResource['Microsoft.Resources/deploymentScripts'] : json('{}') +} module pids './_pids/_pid.bicep' = { name: 'initialization' @@ -87,6 +106,7 @@ module configDataSource './_setupDBConnection.bicep' = { _pidStart: pids.outputs.dbStart _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken + _globalResourceNameSufix: uniqueString(utcValue) aksClusterName: aksClusterName aksClusterRGName: resourceGroup().name azCliVersion: const_azCliVersion @@ -99,6 +119,7 @@ module configDataSource './_setupDBConnection.bicep' = { identity: identity jdbcDataSourceName: jdbcDataSourceName location: resourceGroup().location + tagsByResource: _objTagsByResource wlsDomainUID: wlsDomainUID wlsPassword: wlsPassword wlsUserName: wlsUserName From a69ffe849e72703e63ff9068ed2acc49f6de0151 Mon Sep 17 00:00:00 2001 
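Review bot: The new `_objTagsByResource` in setupDBConnection.bicep duplicates the map in mainTemplate.bicep using literal resource-type strings, whereas the main template spells the same keys with `${identifier.*}` build-time placeholders (visible in the later mainTemplate hunks); the two copies will drift the first time a key is added or renamed in one of them. If the build substitutes placeholders in module files as it does for `${azure.apiVersion...}`, write the keys here the same way; otherwise add a comment naming the map this one must mirror, e.g. `// Keep in sync with _objTagsByResource in mainTemplate.bicep`. The `'Virtual machine extension'` key is not a resource type and presumably came along with the copy; verify that something in this template reads it before keeping it.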
From: galiacheng Date: Fri, 7 Feb 2025 14:54:30 +0800 Subject: [PATCH 28/32] No key vault info when the App Gateway certificate is uploaded. --- weblogic-azure-aks/src/main/bicep/mainTemplate.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 3a5a10105..26feeff0a 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep @@ -435,8 +435,8 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress appgwSSLBackendRootCertData: appGatewaySSLBackendRootCertData appgwUsePrivateIP: appgwUsePrivateIP azCliVersion: const_azcliVersion - autoGeneratedSSLCertKeyVaultName: autoGeneratedSSLCert.outputs.keyVaultName - autoGeneratedSSLCertSecretName: autoGeneratedSSLCert.outputs.secretName + autoGeneratedSSLCertKeyVaultName: appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert ? autoGeneratedSSLCert.outputs.keyVaultName : '' + autoGeneratedSSLCertSecretName: appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert ? autoGeneratedSSLCert.outputs.secretName : '' dnsNameforApplicationGateway: name_domainLabelforApplicationGateway enableCustomSSL: enableCustomSSL identity: obj_uamiForDeploymentScript From 42f073f580162e392f18673da92f36fe5cb98cd8 Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 10 Feb 2025 12:45:47 +0800 Subject: [PATCH 29/32] validate existing aks networking configurations. --- .../src/main/arm/createUiDefinition.json | 8 ++++++++ .../inline-scripts/validateParameters.sh | 17 +++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json index b34dee1e9..c5b00aa41 100644 --- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json 
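Review bot: The two ternaries at lines 438–439 repeat half of the `autoGeneratedSSLCert` module's own deploy condition (`enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert`), and the receiving module has to know that `''` means "no vault"; a single variable keeps the condition and the guards in step: `var const_bGenerateAppGwCert = enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert`, used as the module's `if (...)` and as `autoGeneratedSSLCertKeyVaultName: const_bGenerateAppGwCert ? autoGeneratedSSLCert.outputs.keyVaultName : ''`. Document the empty-string sentinel on the corresponding `_appGateway.bicep` parameters (outside this hunk) so a future reader does not pass an empty name on to a Key Vault reference.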
+++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json @@ -300,6 +300,14 @@ "required": true } }, + { + "name": "infoBoxAks", + "type": "Microsoft.Common.InfoBox", + "visible": "[not(bool(steps('section_aks').clusterInfo.createAKSCluster))]", + "options": { + "text": "Ensure that the AKS cluster is configured with the following networking settings:
  • Container networking: Azure CNI Node Subnet
  • Network policy: Azure
  • " + } + }, { "name": "aksClusterSelector", "type": "Microsoft.Solutions.ResourceSelector", diff --git a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh index 9267aca03..801019785 100644 --- a/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh +++ b/weblogic-azure-aks/src/main/arm/scripts/inline-scripts/validateParameters.sh @@ -441,6 +441,21 @@ function validate_aks_version() { fi } +function validate_aks_networking() { + local networkPluginMode=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} | jq '.networkProfile.networkPluginMode' | tr -d "\"") + local networkPlugin=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} | jq '.networkProfile.networkPlugin' | tr -d "\"") + + if [[ "${networkPluginMode}" != "null" ]]; then + echo_stderr "ERROR: invalid network plugin mode ${networkPluginMode} for ${AKS_CLUSTER_NAME}." + exit 1 + fi + + if [[ "${networkPlugin}" != "azure" ]]; then + echo_stderr "ERROR: invalid network plugin ${networkPlugin} for ${AKS_CLUSTER_NAME}." + exit 1 + fi +} + function enable_aks_managed_identity() { local identityLength=$(az aks show -g ${AKS_CLUSTER_RESOURCEGROUP_NAME} -n ${AKS_CLUSTER_NAME} | jq '.identity | length') echo "identityLength ${identityLength}" @@ -560,7 +575,9 @@ if [[ "${createAKSCluster,,}" == "true" ]]; then validate_aks_version fi +# validate existing aks cluster if [[ "${createAKSCluster,,}" != "true" ]]; then + validate_aks_networking enable_aks_managed_identity fi From 51c07feca48ad59a1926f1f5a9292dbaf0eba5af Mon Sep 17 00:00:00 2001 From: galiacheng Date: Mon, 10 Feb 2025 12:46:12 +0800 Subject: [PATCH 30/32] upgrade aks to 1.30.7. --- .../src/main/resources/aks_well_tested_version.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
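Review bot: The info-box text in the new `infoBoxAks` element appears to end with an empty bullet (`• ` followed by nothing) after the "Network policy: Azure" line; either a third required setting was left out or the trailing bullet should be removed so the box does not show a dangling marker. The shell check added in the same commit rejects any non-null `networkPluginMode`, so the text could state explicitly that overlay mode is not supported. The line breaks inside the string on this page may be a rendering artifact; verify the literal content in the file.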
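Review bot: `validate_aks_networking` queries `az aks show` twice for the same cluster and, because each result is assigned inside the `local ... =$(...)` statement, a failed query (missing cluster, insufficient permission) is not detected: `networkPluginMode` is then empty and the user sees `invalid network plugin mode  for …` instead of the real error. Query once, check the exit status, and let `jq -r` emit the raw strings (it prints `null` for a null field, so the existing `"null"` comparison keeps working) instead of stripping quotes with `tr -d "\""`. The cluster name and resource-group variables are also expanded unquoted; quoting them avoids word splitting on unexpected values.
```shell
function validate_aks_networking() {
  local networkProfile
  networkProfile=$(az aks show -g "${AKS_CLUSTER_RESOURCEGROUP_NAME}" -n "${AKS_CLUSTER_NAME}" --query networkProfile -o json) || {
    echo_stderr "ERROR: failed to query networking configuration of ${AKS_CLUSTER_NAME}."
    exit 1
  }
  local networkPluginMode
  networkPluginMode=$(echo "${networkProfile}" | jq -r '.networkPluginMode')
  local networkPlugin
  networkPlugin=$(echo "${networkProfile}" | jq -r '.networkPlugin')
  # … unchanged: the two comparisons and their error exits …
}
```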
diff --git a/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json b/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json index 8e355c7c2..3b8c596c6 100644 --- a/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json +++ b/weblogic-azure-aks/src/main/resources/aks_well_tested_version.json @@ -1,6 +1,6 @@ { "name": "Known-good version of Azure Kubernetes Service", "description": "This version is known to work for all the features of Azure WebLogic on AKS offer.", - "value": "1.28.10", - "testedDate": "2024-07-15" + "value": "1.30.7", + "testedDate": "2025-02-10" } From dc5a579a56aed68e1133f1c2cd0ff13be7f2004b Mon Sep 17 00:00:00 2001 From: Ed Burns Date: Mon, 10 Feb 2025 18:11:00 -0500 Subject: [PATCH 31/32] On branch wls-aks-redeploy Update names to match what they are naming. modified: weblogic-azure-aks/src/main/arm/createUiDefinition.json Signed-off-by: Ed Burns --- .../src/main/arm/createUiDefinition.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/weblogic-azure-aks/src/main/arm/createUiDefinition.json b/weblogic-azure-aks/src/main/arm/createUiDefinition.json index c5b00aa41..e5f6bf90d 100644 --- a/weblogic-azure-aks/src/main/arm/createUiDefinition.json +++ b/weblogic-azure-aks/src/main/arm/createUiDefinition.json @@ -1137,7 +1137,7 @@ "visible": false }, { - "name": "keyVaultText00", + "name": "sslCertText00", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { @@ -1145,7 +1145,7 @@ } }, { - "name": "keyVaultText01", + "name": "sslCertText01", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { @@ -1153,7 +1153,7 @@ } }, { - "name": "keyVaultText02", + "name": "sslCertText02", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { 
@@ -1220,7 +1220,7 @@ "visible": "[equals(steps('section_appGateway').appgwIngress.certificateOption, 'haveCert')]" }, { - "name": "keyVaultBackendSSLCertData", + "name": "uploadedSSLCertData", "type": "Microsoft.Common.FileUpload", "label": "Trusted root certificate(.cer, .cert)", "toolTip": "Trusted root certificate (CA certificate) used to set up end to end TLS/SSL", @@ -2078,7 +2078,7 @@ "aksClusterName": "[last(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'))]", "aksClusterRGName": "[last(take(split(steps('section_aks').clusterInfo.aksClusterSelector.id, '/'), 5))]", "appGatewayCertificateOption": "[steps('section_appGateway').appgwIngress.certificateOption]", - "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.keyVaultBackendSSLCertData]", + "appGatewaySSLBackendRootCertData": "[steps('section_appGateway').appgwIngress.uploadedSSLCertData]", "appGatewaySSLCertData": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertData]", "appGatewaySSLCertPassword": "[steps('section_appGateway').appgwIngress.appGatewaySSLCertPassword]", "appgwForAdminServer": "[steps('section_appGateway').appgwIngress.appgwForAdminServer]", From 5832f058eb3995866ad2302e02eb5c34e17862c6 Mon Sep 17 00:00:00 2001 
From: Ed Burns Date: Mon, 10 Feb 2025 21:05:29 -0500 Subject: [PATCH 32/32] On branch wls-aks-redeploy Fix typo sufix -> suffix modified: weblogic-azure-aks/src/main/bicep/mainTemplate.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep modified: weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep modified: weblogic-azure-aks/src/main/bicep/modules/networking.bicep modified: weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep modified: 
weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep Signed-off-by: Ed Burns --- .../src/main/bicep/mainTemplate.bicep | 42 +++++++++---------- .../_autoGeneratedPfxCertInKeyVault.bicep | 4 +- .../_ds-create-networking.bicep | 4 +- .../_ds-create-wls-cluster.bicep | 4 +- .../_ds-datasource-connection.bicep | 4 +- .../_ds-output-domain-configurations.bicep | 4 +- .../_ds-validate-applications.bicep | 4 +- .../_ds-validate-parameters.bicep | 4 +- .../_deployment-scripts/_ds_enable_hpa.bicep | 4 +- .../_ds_enable_prometheus_metrics.bicep | 4 +- .../_ds_install_agic.bicep | 4 +- .../_ds_validate_agic.bicep | 4 +- .../bicep/modules/_enableAutoScaling.bicep | 6 +-- .../bicep/modules/_enablePromethuesKeda.bicep | 10 ++--- .../bicep/modules/_globalUamiAndRoles.bicep | 4 +- .../_roleAssignmentinRgScope.bicep | 4 +- .../bicep/modules/_setupDBConnection.bicep | 4 +- .../_setupPasswordlessDBConnection.bicep | 6 +-- .../src/main/bicep/modules/networking.bicep | 10 ++--- .../bicep/modules/setupDBConnection.bicep | 2 +- .../bicep/modules/setupWebLogicCluster.bicep | 4 +- 21 files changed, 68 insertions(+), 68 deletions(-) diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep index 26feeff0a..ed56ded0c 100644 --- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep +++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep 
@@ -283,10 +283,10 @@ var _objTagsByResource = { '${identifier.workspaces}': contains(tagsByResource, '${identifier.workspaces}') ? tagsByResource['${identifier.workspaces}'] : json('{}') '${identifier.deploymentScripts}': contains(tagsByResource, '${identifier.deploymentScripts}') ? tagsByResource['${identifier.deploymentScripts}'] : json('{}') } -var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSufix}' : aksClusterName +var const_aksName = createAKSCluster ? 'wlsonaks${const_globalResourceNameSuffix}' : aksClusterName var const_appGatewaySSLCertOptionGenerateCert = 'generateCert' -var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSufix) -var const_acrName = (createACR) ? 'acrwlsaks${const_globalResourceNameSufix}' : acrName +var const_appGatewayPublicIPAddressName = format('{0}-{1}', appGatewayPublicIPAddressName, const_globalResourceNameSuffix) +var const_acrName = (createACR) ? 'acrwlsaks${const_globalResourceNameSuffix}' : acrName var const_azcliVersion = '2.53.0' var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com') var const_bValidateApplications= validateApplications && (length(appPackageUrls) > 0) 
@@ -295,9 +295,9 @@ var const_createNewAcr = useOracleImage && createACR var const_defaultKeystoreType = 'PKCS12' var const_enableNetworking = (length(lbSvcValues) > 0) || enableAppGWIngress var const_enablePV = enableCustomSSL || enableAzureFileShare -var const_fileShareName = 'weblogic-${const_globalResourceNameSufix}' -var const_globalResourceNameSufix = '${uniqueString(utcValue)}' -var const_nsgName = 'wls-aks-nsg-${const_globalResourceNameSufix}' +var const_fileShareName = 'weblogic-${const_globalResourceNameSuffix}' +var const_globalResourceNameSuffix = '${uniqueString(utcValue)}' +var const_nsgName = 'wls-aks-nsg-${const_globalResourceNameSuffix}' var const_showAdminConsoleExUrl = (length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForAdminServer) var const_showRemoteAdminConsoleExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && !enableCustomSSL var const_showRemoteAdminConsoleSecuredExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && enableCustomSSL 
@@ -306,10 +306,10 @@ var const_wlsJavaOptions = wlsJavaOption == '' ? 'null' : wlsJavaOption var name_appgwFrontendSSLCertName = 'appGatewaySslCert' var name_appgwBackendRootCertName = 'appGatewayTrustedRootCert' var name_defaultPidDeployment = 'pid' -var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${const_globalResourceNameSufix}' +var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${const_globalResourceNameSuffix}' var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63) var name_rgNameWithoutSpecialCharacter = replace(replace(replace(replace(resourceGroup().name, '.', ''), '(', ''), ')', ''), '_', '') // remove . () _ from resource group name -var name_storageAccountName = 'wls${const_globalResourceNameSufix}' +var name_storageAccountName = 'wls${const_globalResourceNameSuffix}' var ref_wlsDomainDeployment = _enableCustomSSL ? wlsDomainWithCustomSSLDeployment : wlsDomainDeployment var obj_uamiForDeploymentScript = { type: 'UserAssigned' @@ -334,7 +334,7 @@ module partnerCenterPid './modules/_pids/_empty.bicep' = { module uamiDeployment 'modules/_globalUamiAndRoles.bicep' = { name: 'uami-deployment' params: { - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix location: location tagsByResource: _objTagsByResource } @@ -357,7 +357,7 @@ module preAzureResourceDeployment './modules/_preDeployedAzureResources.bicep' = module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep' = { name: 'validate-parameters-and-fail-fast' params: { - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix acrName: preAzureResourceDeployment.outputs.acrName acrResourceGroupName: preAzureResourceDeployment.outputs.acrResourceGroupName aksAgentPoolNodeCount: aksAgentPoolNodeCount 
@@ -409,9 +409,9 @@ module validateInputs 'modules/_deployment-scripts/_ds-validate-parameters.bicep module autoGeneratedSSLCert './modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep' = if (enableAppGWIngress && appGatewayCertificateOption == const_appGatewaySSLCertOptionGenerateCert) { name: 'auto-generated-ssl-cert-for-app-gateway' params: { - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix identity: obj_uamiForDeploymentScript - keyVaultName: 'wlskv${const_globalResourceNameSufix}' + keyVaultName: 'wlskv${const_globalResourceNameSuffix}' location: location secretName: name_appgwFrontendSSLCertName subjectName: format('CN={0}', enableDNSConfiguration ? format('{0}.{1}', dnsNameforApplicationGateway, dnszoneName) : const_azureSubjectName) @@ -430,7 +430,7 @@ module appgatewayDeployment 'modules/_appGateway.bicep' = if (enableAppGWIngress _pidAppgwStart: pids.outputs.appgwStart == '' ? name_defaultPidDeployment : pids.outputs.appgwStart _pidAppgwWithCustomCert: pids.outputs.customCertForAppgw == '' ? name_defaultPidDeployment : pids.outputs.customCertForAppgw appgwCertificateOption: appGatewayCertificateOption - appgwName: 'appgw${const_globalResourceNameSufix}' + appgwName: 'appgw${const_globalResourceNameSuffix}' appgwPublicIPAddressName: const_appGatewayPublicIPAddressName appgwSSLBackendRootCertData: appGatewaySSLBackendRootCertData appgwUsePrivateIP: appgwUsePrivateIP 
@@ -461,7 +461,7 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.wlsAKSEnd == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSEnd _pidSSLEnd: pids.outputs.sslEnd == '' ? name_defaultPidDeployment : pids.outputs.sslEnd _pidSSLStart: pids.outputs.sslStart == '' ? name_defaultPidDeployment : pids.outputs.sslStart @@ -535,7 +535,7 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.wlsAKSEnd == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSEnd _pidStart: pids.outputs.wlsAKSStart == '' ? name_defaultPidDeployment : pids.outputs.wlsAKSStart aciResourcePermissions: aciResourcePermissions @@ -607,7 +607,7 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidNetworkingEnd: pids.outputs.networkingEnd == '' ? name_defaultPidDeployment : pids.outputs.networkingEnd _pidNetworkingStart: pids.outputs.networkingStart == '' ? name_defaultPidDeployment : pids.outputs.networkingStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName 
@@ -654,7 +654,7 @@ module datasourceDeployment 'modules/_setupDBConnection.bicep' = if (enableDB && params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.dbEnd _pidStart: pids.outputs.dbStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName @@ -686,7 +686,7 @@ module passwordlessDatasourceDeployment 'modules/_setupPasswordlessDBConnection. params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidEnd: pids.outputs.pswlessDbEnd _pidStart: pids.outputs.pswlessDbStart aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName @@ -721,7 +721,7 @@ module validateApplciations 'modules/_deployment-scripts/_ds-validate-applicatio params: { _artifactsLocation: _artifactsLocation _artifactsLocationSasToken: _artifactsLocationSasToken - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName azCliVersion: const_azcliVersion @@ -743,7 +743,7 @@ module horizontalAutoscaling 'modules/_enableAutoScaling.bicep' = if (enableAuto params: { _pidCPUUtilization: pids.outputs.cpuUtilization _pidEnd: pids.outputs.autoScalingEnd - _globalResourceNameSufix: const_globalResourceNameSufix + _globalResourceNameSuffix: const_globalResourceNameSuffix _pidMemoryUtilization: pids.outputs.memoryUtilization _pidStart: pids.outputs.autoScalingStart _pidWme: pids.outputs.enableWlsMonitoringExporter 
@@ -776,7 +776,7 @@ module horizontalAutoscaling 'modules/_enableAutoScaling.bicep' = if (enableAuto
 module queryWLSDomainConfig 'modules/_deployment-scripts/_ds-output-domain-configurations.bicep' = {
 name: 'query-wls-domain-configurations'
 params: {
- _globalResourceNameSufix: const_globalResourceNameSufix
+ _globalResourceNameSuffix: const_globalResourceNameSuffix
 aksClusterRGName: ref_wlsDomainDeployment.outputs.aksClusterRGName
 aksClusterName: ref_wlsDomainDeployment.outputs.aksClusterName
 azCliVersion: const_azcliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep
index da95ac40e..c7f4022f2 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_autoGeneratedPfxCertInKeyVault.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 @description('Managed identity to be used for the deployment script. Currently, only user-assigned MSI is supported.')
 param identity object = {}
@@ -64,7 +64,7 @@ resource keyvault 'Microsoft.KeyVault/vaults@${azure.apiVersionForKeyVault}' = {
 }
 resource createAddCertificate 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-create-add-appgw-certificate-${_globalResourceNameSufix}'
+ name: 'ds-create-add-appgw-certificate-${_globalResourceNameSuffix}'
 location: location
 identity: identity
 kind: 'AzurePowerShell'
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep
index fa8a07c63..901fe4f83 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-networking.bicep
@@ -4,7 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param appgwAlias string = 'appgw-contoso-alias'
 param appgwName string = 'appgw-contoso'
@@ -47,7 +47,7 @@ var const_primaryScript = 'setupNetworking.sh'
 var const_utilityScript = 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-networking-deployment-${_globalResourceNameSufix}'
+ name: 'ds-networking-deployment-${_globalResourceNameSuffix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep
index 2998320b6..2db8542ca 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep
@@ -4,7 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterRGName string = ''
 param aksClusterName string = ''
@@ -83,7 +83,7 @@ var const_updateDomainConfigScript= 'updateDomainConfig.sh'
 var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-cluster-creation-${_globalResourceNameSufix}'
+ name: 'ds-wls-cluster-creation-${_globalResourceNameSuffix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep
index b8310c1d0..19d5678d3 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-datasource-connection.bicep
@@ -4,7 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterName string
 param aksClusterRGName string
@@ -39,7 +39,7 @@ var const_scriptLocation = uri(_artifactsLocation, 'scripts/')
 var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-db-connection-${_globalResourceNameSufix}'
+ name: 'ds-wls-db-connection-${_globalResourceNameSuffix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep
index 80c726183..d86fc1353 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-output-domain-configurations.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2021, 2024 Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterRGName string = ''
 param aksClusterName string = ''
 param azCliVersion string = ''
@@ -19,7 +19,7 @@ var base64_queryDomainConfigurations = loadFileAsBase64('../../../arm/scripts/in
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-query-wls-configurations-${_globalResourceNameSufix}'
+ name: 'ds-query-wls-configurations-${_globalResourceNameSuffix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep
index d46457a8e..ff4568f73 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-applications.bicep
@@ -4,7 +4,7 @@ param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterRGName string = ''
 param aksClusterName string = ''
@@ -27,7 +27,7 @@ var const_utilityScript= 'utility.sh'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
- name: 'ds-wls-validate-applications-${_globalResourceNameSufix}'
+ name: 'ds-wls-validate-applications-${_globalResourceNameSuffix}'
 location: location
 kind: 'AzureCLI'
 identity: identity
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep
index ffbd1759a..c865a2e6a 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-validate-parameters.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param acrName string
 param acrResourceGroupName string
 param aksAgentPoolNodeCount int
@@ -59,7 +59,7 @@ var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
 var base64_validateParameters = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateParameters.sh')
 var const_arguments = '${location} ${createAKSCluster} ${aksAgentPoolVMSize} ${aksAgentPoolNodeCount} ${useOracleImage} ${wlsImageTag} ${userProvidedImagePath} ${enableCustomSSL} ${appGatewayCertificateOption} ${enableAppGWIngress} ${const_checkDNSZone}'
 var const_checkDNSZone = enableDNSConfiguration && !createDNSZone
-var const_deploymentName = 'ds-validate-parameters-and-fail-fast-${_globalResourceNameSufix}'
+var const_deploymentName = 'ds-validate-parameters-and-fail-fast-${_globalResourceNameSuffix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
index 499e288d6..ec3571b0f 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_hpa.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterName string
 param aksClusterRGName string
 param azCliVersion string
@@ -23,7 +23,7 @@ param wlsNamespace string
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableHpa.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-enable-hpa-${_globalResourceNameSufix}'
+var const_deploymentName='ds-enable-hpa-${_globalResourceNameSuffix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep
index 7aa6574b5..3be6c611a 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_enable_prometheus_metrics.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterName string
 param aksClusterRGName string
 param amaName string
@@ -24,7 +24,7 @@ param workspaceId string
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableHpa = loadFileAsBase64('../../../arm/scripts/inline-scripts/enablePrometheusMetrics.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName = 'ds-enable-promethues-metrics-${_globalResourceNameSufix}'
+var const_deploymentName = 'ds-enable-promethues-metrics-${_globalResourceNameSuffix}'
 var const_kedaNamespace= 'keda'
 var const_kedaSa= 'keda-operator'
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep
index cb2b4f922..fc355f699 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_install_agic.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterName string
 param aksClusterRGName string
 param appgwName string = 'appgw-contoso'
@@ -16,7 +16,7 @@ param utcValue string = utcNow()
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/enableAgic.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-install-agic-${_globalResourceNameSufix}'
+var const_deploymentName='ds-install-agic-${_globalResourceNameSuffix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep
index 0d901b5d1..437ac0128 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds_validate_agic.bicep
@@ -1,7 +1,7 @@
 // Copyright (c) 2024, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterName string
 param aksClusterRGName string
 param azCliVersion string = ''
@@ -15,7 +15,7 @@ param utcValue string = utcNow()
 var base64_common = loadFileAsBase64('../../../arm/scripts/common.sh')
 var base64_enableAgic = loadFileAsBase64('../../../arm/scripts/inline-scripts/validateAgic.sh')
 var base64_utility = loadFileAsBase64('../../../arm/scripts/utility.sh')
-var const_deploymentName='ds-validate-agic-${_globalResourceNameSufix}'
+var const_deploymentName='ds-validate-agic-${_globalResourceNameSuffix}'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVersionForDeploymentScript}' = {
 name: const_deploymentName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep b/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep
index da1559e3f..59d78778a 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_enableAutoScaling.bicep
@@ -3,7 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 */
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param _pidCPUUtilization string = ''
 param _pidEnd string = ''
 param _pidMemoryUtilization string = ''
@@ -73,7 +73,7 @@ module pidWme './_pids/_pid.bicep' = if(!useHpa) {
 module hapDeployment '_deployment-scripts/_ds_enable_hpa.bicep' = if(useHpa) {
 name: 'hpa-deployment'
 params: {
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
@@ -93,7 +93,7 @@ module hapDeployment '_deployment-scripts/_ds_enable_hpa.bicep' = if(useHpa) {
 module promethuesKedaDeployment '_enablePromethuesKeda.bicep' = if (!useHpa) {
 name: 'promethues-keda-weblogic-monitoring-exporter-deployment'
 params: {
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep b/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep
index d2ca6cdc5..fc5aa1a2e 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_enablePromethuesKeda.bicep
@@ -2,7 +2,7 @@ Copyright (c) 2024, Oracle and/or its affiliates.
 Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 */
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param aksClusterName string
 param aksClusterRGName string
 param azCliVersion string
@@ -20,9 +20,9 @@ param wlsUserName string
 var const_namespace = '${wlsDomainUID}-ns'
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var const_roleDefinitionIdOfMonitorDataReader = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
-var name_azureMonitorAccountName = 'ama${_globalResourceNameSufix}'
-var name_kedaUserDefinedManagedIdentity = 'kedauami${_globalResourceNameSufix}'
-var name_kedaMonitorDataReaderRoleAssignmentName = guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}${_globalResourceNameSufix}')
+var name_azureMonitorAccountName = 'ama${_globalResourceNameSuffix}'
+var name_kedaUserDefinedManagedIdentity = 'kedauami${_globalResourceNameSuffix}'
+var name_kedaMonitorDataReaderRoleAssignmentName = guid('${resourceGroup().id}${name_kedaUserDefinedManagedIdentity}${_globalResourceNameSuffix}')
 resource monitorAccount 'Microsoft.Monitor/accounts@${azure.apiVersionForMonitorAccount}' = {
 name: name_azureMonitorAccountName
@@ -62,7 +62,7 @@ resource kedaUamiRoleAssignment 'Microsoft.Authorization/roleAssignments@${azure
 module azureMonitorIntegrationDeployment '_deployment-scripts/_ds_enable_prometheus_metrics.bicep' = {
 name: 'azure-monitor-promethues-keda-deployment'
 params: {
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 amaName: name_azureMonitorAccountName
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep
index 0fb979393..e5acfe269 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_globalUamiAndRoles.bicep
@@ -3,7 +3,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 */
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param location string
 @description('${label.tagsLabel}')
 param tagsByResource object
@@ -11,7 +11,7 @@ param name_deploymentScriptContributorRoleAssignmentName string = newGuid()
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 var const_roleDefinitionIdOfContributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
-var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSufix}'
+var name_deploymentScriptUserDefinedManagedIdentity = 'wls-aks-deployment-script-user-defined-managed-itentity-${_globalResourceNameSuffix}'
 // UAMI for deployment script
 resource uamiForDeploymentScript 'Microsoft.ManagedIdentity/userAssignedIdentities@${azure.apiVersionForIdentity}' = {
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep
index 7b47d30ef..f5b50c20d 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_roleAssignmentinRgScope.bicep
@@ -16,13 +16,13 @@ Usage: }
 */
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 param roleDefinitionId string = ''
 param identity object = {}
 var const_identityAPIVersion = '2022-01-31-PREVIEW'
-var name_roleAssignmentName = guid('${subscription().id}${_globalResourceNameSufix}Role assignment in resource group scope')
+var name_roleAssignmentName = guid('${subscription().id}${_globalResourceNameSuffix}Role assignment in resource group scope')
 // Get role resource id
 resource roleResourceDefinition 'Microsoft.Authorization/roleDefinitions@${azure.apiVersionForRoleDefinitions}' existing = {
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep
index 962160010..fb2a44eed 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_setupDBConnection.bicep
@@ -6,7 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
 param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param _pidEnd string = ''
 param _pidStart string = ''
 param _pidOtherDb string = ''
@@ -69,7 +69,7 @@ module configDataSource '_deployment-scripts/_ds-datasource-connection.bicep' =
 params:{
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep
index 601eaf03b..a431ba321 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_setupPasswordlessDBConnection.bicep
@@ -6,7 +6,7 @@ Licensed under the Universal Permissive License v 1.0 as shown at https://oss.or
 param _artifactsLocation string = deployment().properties.templateLink.uri
 @secure()
 param _artifactsLocationSasToken string = ''
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 param _pidEnd string = ''
 param _pidStart string = ''
@@ -81,7 +81,7 @@ module dbIdentityVMContributorRoleAssignment '_rolesAssignment/_roleAssignmentin
 name: 'assign-db-identity-vm-contributor-role'
 scope: resourceGroup(aksNodeRGName)
 params: {
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 identity: dbIdentity
 roleDefinitionId: const_roleDefinitionIdOfVMContributor
 }
@@ -128,7 +128,7 @@ module configDataSource '_deployment-scripts/_ds-datasource-connection.bicep' =
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterName: aksClusterName
 aksClusterRGName: aksClusterRGName
 azCliVersion: azCliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
index 09f1a51bc..20f9071ac 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/networking.bicep
@@ -10,7 +10,7 @@ param _pidLbEnd string = 'pid-networking-lb-end'
 param _pidLbStart string = 'pid-networking-lb-start'
 param _pidNetworkingEnd string = 'pid-networking-end'
 param _pidNetworkingStart string = 'pid-networking-start'
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 @description('Resource group name of an existing AKS cluster.')
 param aksClusterRGName string = 'aks-contoso-rg'
 @description('Name of an existing AKS cluster.')
@@ -99,7 +99,7 @@ module dnsZoneDeployment '_azure-resoruces/_dnsZones.bicep' = if (enableDNSConfi
 module installAgic '_deployment-scripts/_ds_install_agic.bicep' = if (enableAppGWIngress) {
 name: 'install-agic'
 params: {
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 location: location
 identity: identity
 aksClusterRGName: aksClusterRGName
@@ -127,7 +127,7 @@ module agicRoleAssignment '_rolesAssignment/_agicRoleAssignment.bicep' = if (ena
 module validateAgic '_deployment-scripts/_ds_validate_agic.bicep' = if (enableAppGWIngress) {
 name: 'validate-agic'
 params: {
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 location: location
 identity: identity
 aksClusterRGName: aksClusterRGName
@@ -145,7 +145,7 @@ module networkingDeploymentYesAppGW '_deployment-scripts/_ds-create-networking.b
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 appgwName: appGatewayName
 appgwAlias: appGatewayAlias
 appgwForAdminServer: appgwForAdminServer
@@ -186,7 +186,7 @@ module networkingDeploymentNoAppGW '_deployment-scripts/_ds-create-networking.bi
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 appgwName: 'null'
 appgwAlias: 'null'
 appgwForAdminServer: appgwForAdminServer
diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep
index 49cbe2148..5f7486dd3 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/setupDBConnection.bicep
@@ -106,7 +106,7 @@ module configDataSource './_setupDBConnection.bicep' = {
 _pidStart: pids.outputs.dbStart
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
- _globalResourceNameSufix: uniqueString(utcValue)
+ _globalResourceNameSuffix: uniqueString(utcValue)
 aksClusterName: aksClusterName
 aksClusterRGName: resourceGroup().name
 azCliVersion: const_azCliVersion
diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
index b26a0f48f..ec0325055 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
@@ -21,7 +21,7 @@ param _pidEnd string = 'pid-wls-end'
 param _pidStart string = 'pid-wls-start'
 param _pidSSLEnd string = 'pid-ssl-end'
 param _pidSSLStart string = 'pid-ssl-start'
-param _globalResourceNameSufix string
+param _globalResourceNameSuffix string
 @description('true to use resource or workspace permissions. false to require workspace permissions.')
 param aciResourcePermissions bool = true
 @description('Number of days to retain data in Azure Monitor workspace.')
@@ -201,7 +201,7 @@ module wlsDomainDeployment './_deployment-scripts/_ds-create-wls-cluster.bicep'
 params: {
 _artifactsLocation: _artifactsLocation
 _artifactsLocationSasToken: _artifactsLocationSasToken
- _globalResourceNameSufix: _globalResourceNameSufix
+ _globalResourceNameSuffix: _globalResourceNameSuffix
 aksClusterRGName: createAKSCluster ? resourceGroup().name : aksClusterRGName
 aksClusterName: aksClusterName
 acrName: useOracleImage ? acrName : userProvidedAcr