Topic sk jcs 13348 (#203)
Implemented [JCS-13348] - Use RMS private endpoint in lieu of bastion
host

Tested the following scenarios

New vcn/bastion - provisioning and scale out 
Existing vcn/new subnets - provisioning and scale out 
Existing vcn/existing subnets/new rms endpoint - provisioning and
scaleout
Existing vcn/existing subnets/existing rms endpoint - provisioning and
scale out
Existing vcn/existing subnets/both rms and bastion enabled -
provisioning and scale out
Existing vcn/existing subnets/ bastion and rms enabled - provisioning
and scale out
Existing vcn/existing subnets/ bastion and rms disabled - provisioning
and scale out
cli changes
Tested cli with bastion
Updated the builds for srg changes
Tested auto scaling with rms endpoint
skommala authored May 31, 2023
1 parent 9b7f860 commit 1d920fb
Showing 19 changed files with 346 additions and 71 deletions.
2 changes: 2 additions & 0 deletions builds/build_cli.sh
Expand Up @@ -80,6 +80,8 @@ replace_variables()
sed -i '/variable "generate_dg_tag" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf
sed -i '/variable "use_marketplace_image" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/mp_variables.tf
sed -i '/variable "tf_script_version" {/!b;n;n;n;cdefault = \"'"$SCRIPTS_VERSION"'\"' ${TMP_BUILD}/variables.tf
sed -i '/variable "is_rms_private_endpoint_required" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf
sed -i '/variable "is_bastion_instance_required" {/!b;n;n;n;cdefault = true' ${TMP_BUILD}/bastion_variables.tf
}


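Review bot: The two new sed lines rely on the `default` line sitting exactly three lines below the matching `variable` line (`n;n;n;c…`), so a reordered or re-commented variable block would silently rewrite whatever line happens to be there instead of failing. Matching the attribute inside the block is safer, e.g. `sed -i '/variable "is_rms_private_endpoint_required" {/,/^}/ s/^\(\s*default\s*=\s*\).*/\1false/' ${TMP_BUILD}/variables.tf` and the same form for `is_bastion_instance_required` (assuming the closing brace is at column 0, as in bastion_variables.tf). A one-line comment that the CLI build forces the bastion default back to `true` while the Terraform default in bastion_variables.tf becomes `false` would also help, since that divergence is otherwise easy to miss. replace_variables() starts above the hunk.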
7 changes: 5 additions & 2 deletions solutions/jrf/jrf_instance.tfvars
Expand Up @@ -26,7 +26,10 @@ wls_node_count = 2
wls_availability_domain_name = "<availability_domain_name>"
wls_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx"

### Bastion parameters to create new bastion instance
### Resource Manager Private Endpoint parameter
is_rms_private_endpoint_required = false

### Bastion instance parameters
is_bastion_instance_required = true
bastion_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx"
bastion_instance_shape = "VM.Standard.E4.Flex"
bastion_instance_shape = "VM.Standard.E4.Flex"
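Review bot: `bastion_instance_shape` is printed twice at the end of the hunk; if this is a removed/added pair only one survives, but if both remain in the sample Terraform will reject the duplicate attribute, so please confirm which it is. The new `### Resource Manager Private Endpoint parameter` header would be more useful if it stated the precondition that locals.tf enforces for the flag, e.g. `### Resource Manager Private Endpoint parameter (only takes effect with an existing VCN and subnet and private WLS IPs)`.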
2 changes: 1 addition & 1 deletion terraform/bastion_variables.tf
Expand Up @@ -4,7 +4,7 @@
variable "is_bastion_instance_required" {
type = bool
description = "Set to true to use a bastion, either new or existing. If existing_bastion_instance_id is blank, a new bastion will be created"
default = true
default = false
}

variable "existing_bastion_instance_id" {
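Review bot: The description on `is_bastion_instance_required` no longer matches how the flag is used: locals.tf now computes an effective value that is forced to true for a new VCN or a missing wls_subnet_id and only honours this variable for existing subnets, and with the flipped default (`false`, assuming the second `default` line is the new side) an existing private subnet with `is_rms_private_endpoint_required` also false falls back to the asynchronous-provisioning mode described by async_prov_mode in locals.tf. Suggest extending the description, e.g. `description = "Set to true to use a bastion, either new or existing. If existing_bastion_instance_id is blank, a new bastion will be created. Treated as true when a new VCN or new subnets are created; for existing private subnets, leave this and is_rms_private_endpoint_required both false only if asynchronous provisioning is intended"`.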
18 changes: 11 additions & 7 deletions terraform/locals.tf
Expand Up @@ -84,7 +84,6 @@ locals {
lb_subnet_1_name = var.is_lb_private ? "lbprist1" : "lbpubst1"
lb_subnet_2_name = var.is_lb_private ? "lbprist2" : "lbpubst2"


lb_id = local.use_existing_lb ? var.existing_load_balancer_id : local.new_lb_id
lb_ip = local.use_existing_lb ? local.existing_lb_ip : local.new_lb_ip

Expand All @@ -105,7 +104,7 @@ locals {
local.lb_ip,
) : ""

async_prov_mode = !local.assign_weblogic_public_ip && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : ""
async_prov_mode = !local.assign_weblogic_public_ip && !var.is_rms_private_endpoint_required && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : ""

jdk_labels = { jdk7 = "JDK 7", jdk8 = "JDK 8", jdk11 = "JDK 11" }
jdk_version = var.wls_version == "14.1.1.0" ? local.jdk_labels[var.wls_14c_jdk_version] : (var.wls_version == "11.1.1.7" ? local.jdk_labels["jdk7"] : local.jdk_labels["jdk8"])
Expand Down Expand Up @@ -151,13 +150,11 @@ locals {
use_apm_service = (var.use_apm_service || var.use_autoscaling)
apm_domain_compartment_id = local.use_apm_service ? lookup(data.oci_apm_apm_domain.apm_domain[0], "compartment_id") : ""



ocir_namespace = data.oci_objectstorage_namespace.object_namespace.namespace

ocir_namespace_with_slash = format("%s/",local.ocir_namespace)
ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash))
ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}"
ocir_namespace_with_slash = format("%s/", local.ocir_namespace)
ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash))
ocir_user = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}"

region_keys = data.oci_identity_regions.all_regions.regions.*.key
region_names = data.oci_identity_regions.all_regions.regions.*.name
Expand All @@ -180,4 +177,11 @@ locals {
"instanceShape" = var.bastion_instance_shape,
"ocpus" = 1
}

is_bastion_instance_required = (var.is_bastion_instance_required && var.subnet_type != "Use Public Subnet") || var.wls_existing_vcn_id == "" || (var.wls_existing_vcn_id != "" && var.wls_subnet_id == "") ? true : false

# Resource Manager Endpoint
is_rms_private_endpoint_required = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && !local.assign_weblogic_public_ip ? true : false
add_new_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false
add_existing_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false
}
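Review bot: `async_prov_mode` still tests the raw `var.is_rms_private_endpoint_required` and `var.is_bastion_instance_required`, while the new `local.is_bastion_instance_required` and `local.is_rms_private_endpoint_required` can differ from them (a new VCN or missing wls_subnet_id forces the bastion on regardless of the variable), so the asynchronous-provisioning message is shown when a bastion will in fact be used. Using the effective values keeps it consistent with main.tf, which now passes the locals everywhere: `async_prov_mode = !local.assign_weblogic_public_ip && !local.is_rms_private_endpoint_required && !local.is_bastion_instance_required ? "…" : ""`. The `? true : false` suffix on the four new boolean locals is redundant and can be dropped. A short comment above `is_bastion_instance_required` stating when the variable is overridden (new VCN, or existing VCN without a WLS subnet) would help, since that expression is the only place the rule lives.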
79 changes: 48 additions & 31 deletions terraform/main.tf
Expand Up @@ -72,7 +72,7 @@ module "network-vcn-config" {
create_load_balancer = local.add_load_balancer
resource_name_prefix = local.service_name_prefix
bastion_subnet_cidr = local.bastion_subnet_cidr
is_bastion_instance_required = var.is_bastion_instance_required
is_bastion_instance_required = local.is_bastion_instance_required
existing_bastion_instance_id = var.existing_bastion_instance_id
vcn_cidr = var.wls_vcn_name == "" ? data.oci_core_vcn.wls_vcn[0].cidr_block : element(concat(module.network-vcn.*.vcn_cidr, tolist([""])), 0)
existing_mt_subnet_id = var.mount_target_subnet_id
Expand Down Expand Up @@ -116,7 +116,7 @@ module "network-lb-nsg" {

module "network-bastion-nsg" {
source = "./modules/network/nsg"
count = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0
count = local.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0
compartment_id = local.network_compartment_id
vcn_id = local.vcn_id
nsg_name = "${local.service_name_prefix}-bastion-nsg"
Expand Down Expand Up @@ -190,13 +190,13 @@ module "network-lb-subnet-1" {
/* Create back end subnet for bastion subnet */
module "network-bastion-subnet" {
source = "./modules/network/subnet"
count = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && var.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0
count = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && local.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0
compartment_id = local.network_compartment_id
vcn_id = local.vcn_id
dhcp_options_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].dhcp_options_id : ""
route_table_id = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].route_table_id : ""
subnet_name = "${local.service_name_prefix}-${var.bastion_subnet_name}"
dns_label = "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}"
dns_label = local.is_bastion_instance_required && local.is_rms_private_endpoint_required ? format("%s-%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7)) : "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}"
cidr_block = local.bastion_subnet_cidr
prohibit_public_ip = false

Expand Down Expand Up @@ -240,11 +240,10 @@ module "policies" {
mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id
}


module "bastion" {
#depends_on = [module.network-validation]
source = "./modules/compute/bastion"
count = (!local.assign_weblogic_public_ip && var.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0
count = (!local.assign_weblogic_public_ip && local.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0
availability_domain = local.bastion_availability_domain
bastion_subnet_id = var.bastion_subnet_id != "" ? var.bastion_subnet_id : module.network-bastion-subnet[0].subnet_id

Expand Down Expand Up @@ -349,7 +348,7 @@ module "vcn-peering" {

module "validators" {
#depends_on = [module.network-validation]
source = "./modules/validators"
source = "./modules/validators"
compartment_id = var.compartment_ocid
service_name = var.service_name
wls_ms_port = var.wls_ms_extern_port
Expand Down Expand Up @@ -394,7 +393,7 @@ module "validators" {
lb_subnet_1_cidr = var.lb_subnet_1_cidr
bastion_subnet_cidr = local.bastion_subnet_cidr
assign_public_ip = local.assign_weblogic_public_ip
is_bastion_instance_required = var.is_bastion_instance_required
is_bastion_instance_required = local.is_bastion_instance_required
existing_bastion_instance_id = var.existing_bastion_instance_id
bastion_ssh_private_key = var.bastion_ssh_private_key

Expand Down Expand Up @@ -468,8 +467,8 @@ module "validators" {

module "fss" {
#depends_on = [module.network-validation]
source = "./modules/fss"
count = var.add_fss ? 1 : 0
source = "./modules/fss"
count = var.add_fss ? 1 : 0

compartment_id = var.compartment_ocid
availability_domain = local.fss_availability_domain
Expand All @@ -491,8 +490,8 @@ module "fss" {

module "load-balancer" {
#depends_on = [module.network-validation]
source = "./modules/lb/loadbalancer"
count = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0
source = "./modules/lb/loadbalancer"
count = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0

compartment_id = local.network_compartment_id
lb_reserved_public_ip_id = compact([var.lb_reserved_public_ip_id])
Expand All @@ -510,10 +509,26 @@ module "load-balancer" {
}
}

module "rms-private-endpoint" {
source = "./modules/rms-private-endpoint"
count = local.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint ? 1 : 0

vcn_id = local.vcn_id
compartment_id = local.network_compartment_id
private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0)
private_endpoint_nsg_id = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0)
resource_name_prefix = var.service_name

tags = {
defined_tags = local.defined_tags
freeform_tags = local.free_form_tags
}
}

module "observability-common" {
#depends_on = [module.network-validation]
source = "./modules/observability/common"
count = var.use_oci_logging ? 1 : 0
source = "./modules/observability/common"
count = var.use_oci_logging ? 1 : 0

compartment_id = var.compartment_ocid
service_prefix_name = local.service_name_prefix
Expand All @@ -522,8 +537,8 @@ module "observability-common" {

module "observability-autoscaling" {
#depends_on = [module.network-validation]
source = "./modules/observability/autoscaling"
count = var.use_autoscaling ? 1 : 0
source = "./modules/observability/autoscaling"
count = var.use_autoscaling ? 1 : 0

compartment_id = var.compartment_ocid
metric_compartment_id = local.apm_domain_compartment_id
Expand Down Expand Up @@ -608,7 +623,7 @@ module "compute" {

deploy_sample_app = local.deploy_sample_app

is_bastion_instance_required = var.is_bastion_instance_required
is_bastion_instance_required = local.is_bastion_instance_required

is_idcs_selected = var.is_idcs_selected
idcs_host = var.idcs_host
Expand Down Expand Up @@ -683,8 +698,8 @@ module "compute" {

module "load-balancer-backends" {
#depends_on = [module.network-validation]
source = "./modules/lb/backends"
count = local.add_load_balancer ? 1 : 0
source = "./modules/lb/backends"
count = local.add_load_balancer ? 1 : 0

resource_name_prefix = local.service_name_prefix
load_balancer_id = local.add_load_balancer ? (var.existing_load_balancer_id != "" ? var.existing_load_balancer_id : element(coalescelist(module.load-balancer[*].wls_loadbalancer_id, [""]), 0)) : ""
Expand All @@ -698,8 +713,8 @@ module "load-balancer-backends" {

module "observability-logging" {
#depends_on = [module.network-validation]
source = "./modules/observability/logging"
count = var.use_oci_logging ? 1 : 0
source = "./modules/observability/logging"
count = var.use_oci_logging ? 1 : 0

compartment_id = var.compartment_ocid
oci_managed_instances_principal_group = element(concat(module.policies[*].oci_managed_instances_principal_group, [""]), 0)
Expand All @@ -716,16 +731,18 @@ module "observability-logging" {

module "provisioners" {
#depends_on = [module.network-validation]
source = "./modules/provisioners"

existing_bastion_instance_id = var.existing_bastion_instance_id
host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""])
num_vm_instances = var.wls_node_count
ssh_private_key = module.compute.ssh_private_key_opc
assign_public_ip = local.assign_weblogic_public_ip
bastion_host = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip
bastion_host_private_key = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)
is_bastion_instance_required = var.is_bastion_instance_required
source = "./modules/provisioners"

existing_bastion_instance_id = var.existing_bastion_instance_id
host_ips = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""])
num_vm_instances = var.wls_node_count
ssh_private_key = module.compute.ssh_private_key_opc
is_rms_private_endpoint_required = local.is_rms_private_endpoint_required
rms_private_endpoint_id = local.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : ""
assign_public_ip = local.assign_weblogic_public_ip
bastion_host = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip
bastion_host_private_key = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)
is_bastion_instance_required = local.is_bastion_instance_required

mode = var.mode
wlsoci_vmscripts_zip_bundle_path = var.wlsoci_vmscripts_zip_bundle_path
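Review bot: In the new `rms-private-endpoint` module the fallback arms of `private_endpoint_subnet_id` and `private_endpoint_nsg_id` look unreachable: the module's `count` requires `local.is_rms_private_endpoint_required`, which locals.tf only sets when `var.wls_subnet_id != ""`, so the `element(...)` branches for a newly created subnet/NSG never run, and on the NSG line the two arms of the conditional also appear to have different types (a list on the true side, a single `element(...)` value on the false side), which Terraform rejects unless `nsg_id` is itself a list. If the endpoint is intended only for existing subnets, `private_endpoint_subnet_id = var.wls_subnet_id` and `private_endpoint_nsg_id = var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []` say so directly; otherwise the guard in locals.tf is the thing to relax. The deterministic `dns_label` in `network-bastion-subnet` (`strrev(var.service_name)` instead of `uuid()` when both bastion and RMS are enabled) deserves a comment explaining why the label must be stable in that combination, as the reason is not visible here.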
4 changes: 2 additions & 2 deletions terraform/modules/policies/locals.tf
Expand Up @@ -35,7 +35,6 @@ locals {
apm_domain_policy_statement = var.use_apm_service ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use apm-domains in compartment id ${var.apm_domain_compartment_id}" : ""
# This policy with "use load_balancer" verb is needed to create load balancer for new vcn
lb_policy_statement = var.add_load_balancer ? length(oci_identity_dynamic_group.wlsc_instance_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use load-balancers in compartment id ${var.network_compartment_id}" : "" : ""

service_statements = compact([local.core_policy_statement1, local.core_policy_statement2, local.core_policy_statement3, local.network_policy_statement1, local.secrets_policy_statement1, local.secrets_policy_statement2,
local.atp_policy_statement1, local.atp_policy_statement2, local.atp_policy_statement3, local.oci_db_policy_statement1, local.oci_db_policy_statement2, local.oci_db_policy_statement3, local.logging_policy,
local.apm_domain_policy_statement, local.lb_policy_statement
Expand Down Expand Up @@ -76,6 +75,7 @@ locals {
autoscaling_statement25 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect dynamic-groups in tenancy" : "" : ""
autoscaling_statement26 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage policies in tenancy" : "" : ""
autoscaling_statement27 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to use tag-namespaces in tenancy" : "" : ""
autoscaling_statement28 = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage orm-family in compartment id ${var.network_compartment_id}" : "" : ""
autoscaling_atp_policy_statement = (var.atp_db.is_atp && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect autonomous-transaction-processing-family in compartment id ${var.atp_db.compartment_id}" : "" : ""
autoscaling_db_policy_statement = (local.is_oci_db && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect database-family in compartment id ${var.oci_db.compartment_id}" : "" : ""
autoscaling_fss_mount_target_policy_statement = (var.add_fss && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage mount-targets in compartment id ${var.mount_target_compartment_id}" : "" : ""
Expand All @@ -96,7 +96,7 @@ locals {
local.autoscaling_statement18, local.autoscaling_statement19, local.autoscaling_statement20,
local.autoscaling_statement21, local.autoscaling_statement22, local.autoscaling_statement23,
local.autoscaling_statement24, local.autoscaling_statement25, local.autoscaling_statement26,
local.autoscaling_statement27,
local.autoscaling_statement27, local.autoscaling_statement28,
local.autoscaling_logging_policy_1, local.autoscaling_logging_policy_2, local.autoscaling_logging_policy_3,
local.autoscaling_atp_policy_statement,
local.autoscaling_db_policy_statement,
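Review bot: `autoscaling_statement28` grants the functions dynamic group `manage orm-family` over the whole network compartment, which covers every Resource Manager resource type (stacks, jobs, templates, private endpoints) rather than just what scale-out needs to reach instances through the private endpoint. The exact operation the functions perform is not visible here, so please confirm whether a narrower verb (`use`/`read`) or the private-endpoint resource type alone is sufficient, and record the reason in a comment above the statement, e.g. `# Lets the autoscaling functions resolve and use the RMS private endpoint during scale out`. Without that note the next reader cannot tell whether the broad grant is deliberate.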
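--- a/terraform/modules/provisioners/data_sources.tf
+++ b/terraform/modules/provisioners/data_sources.tf
@@ -0,0 +1,10 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+
+// Resolves the private IP of the customer's private endpoint to a NAT IP. Used as the host address in the "remote-exec" resource
+data "oci_resourcemanager_private_endpoint_reachable_ip" "private_endpoint_reachable_ips" {
+count = var.is_rms_private_endpoint_required ? var.num_vm_instances : 0
+private_endpoint_id = var.rms_private_endpoint_id
+private_ip = var.host_ips[count.index]
+}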
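Review bot: `count = var.is_rms_private_endpoint_required ? var.num_vm_instances : 0` indexes `var.host_ips[count.index]`, but main.tf builds host_ips with a `coalescelist(..., [""])` fallback, so if the compute outputs are shorter than num_vm_instances the index is out of range or an empty private_ip is submitted. Deriving the count from the list keeps the two in step, `count = var.is_rms_private_endpoint_required ? length(compact(var.host_ips)) : 0` with `private_ip = compact(var.host_ips)[count.index]`, provided a count that depends on module outputs is acceptable at plan time; otherwise a comment stating that host_ips is assumed to hold num_vm_instances entries would at least document the assumption. The comment above the data block uses `//` while the file header uses `#`; both are valid HCL, but matching the file's existing style is preferable.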

0 comments on commit 1d920fb
