Topic sk jcs 13348 (#203)

Implemented [JCS-13348] - Use RMS private endpoint in lieu of bastion
host

Tested following scenarios 

New vcn/bastion - provisioning and scale out 
Existing vcn/new subnets - provisioning and scale out 
Existing vcn/existing subnets/new rms endpoint - provisioning and
scaleout
Existing vcn/existing subnets/existing rms endpoint - provisioning and
scale out
Existing vcn/existing subnets/both rms and bastion enabled -
provisioning and scale out
Existing vcn/existing subnets/ bastion and rms enabled - provisioning
and scale out
Existing vcn/existing subnets/ bastion and rms disabled - provisioning
and scale out
cli changes
Tested cli with bastion
Updated the builds for srg changes
Tested auto scaling with rms endpoint

Author: skommala

builds/build_cli.sh

@@ -80,6 +80,8 @@ replace_variables()
   sed -i '/variable "generate_dg_tag" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf
   sed -i '/variable "use_marketplace_image" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/mp_variables.tf
   sed -i '/variable "tf_script_version" {/!b;n;n;n;cdefault = \"'"$SCRIPTS_VERSION"'\"' ${TMP_BUILD}/variables.tf
+  sed -i '/variable "is_rms_private_endpoint_required" {/!b;n;n;n;cdefault = false' ${TMP_BUILD}/variables.tf
+  sed -i '/variable "is_bastion_instance_required" {/!b;n;n;n;cdefault = true' ${TMP_BUILD}/bastion_variables.tf
 }
 
 

solutions/jrf/jrf_instance.tfvars

@@ -26,7 +26,10 @@ wls_node_count = 2
 wls_availability_domain_name = "<availability_domain_name>"
 wls_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx"
 
-### Bastion parameters to create new bastion instance
+### Resource Manager Private Endpoint parameter
+is_rms_private_endpoint_required = false
+
+### Bastion instance parameters
 is_bastion_instance_required = true
 bastion_subnet_id = "ocid1.subnet.xxxxxxxxxxxxxxx"
-bastion_instance_shape = "VM.Standard.E4.Flex"
+bastion_instance_shape = "VM.Standard.E4.Flex"

terraform/bastion_variables.tf

@@ -4,7 +4,7 @@
 variable "is_bastion_instance_required" {
   type        = bool
   description = "Set to true to use a bastion, either new or existing. If existing_bastion_instance_id is blank, a new bastion will be created"
-  default     = true
+  default     = false
 }
 
 variable "existing_bastion_instance_id" {

terraform/locals.tf

@@ -84,7 +84,6 @@ locals {
   lb_subnet_1_name = var.is_lb_private ? "lbprist1" : "lbpubst1"
   lb_subnet_2_name = var.is_lb_private ? "lbprist2" : "lbpubst2"
 
-
   lb_id = local.use_existing_lb ? var.existing_load_balancer_id : local.new_lb_id
   lb_ip = local.use_existing_lb ? local.existing_lb_ip : local.new_lb_ip
 
@@ -105,7 +104,7 @@ locals {
     local.lb_ip,
   ) : ""
 
-  async_prov_mode = !local.assign_weblogic_public_ip && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : ""
+  async_prov_mode = !local.assign_weblogic_public_ip && !var.is_rms_private_endpoint_required && !var.is_bastion_instance_required ? "Asynchronous provisioning is enabled. Connect to each compute instance and confirm that the file /u01/data/domains/${format("%s_domain", local.service_name_prefix)}/provCompletedMarker exists. Details are found in the file /u01/logs/provisioning.log." : ""
 
   jdk_labels  = { jdk7 = "JDK 7", jdk8 = "JDK 8", jdk11 = "JDK 11" }
   jdk_version = var.wls_version == "14.1.1.0" ? local.jdk_labels[var.wls_14c_jdk_version] : (var.wls_version == "11.1.1.7" ? local.jdk_labels["jdk7"] : local.jdk_labels["jdk8"])
@@ -151,13 +150,11 @@ locals {
   use_apm_service           = (var.use_apm_service || var.use_autoscaling)
   apm_domain_compartment_id = local.use_apm_service ? lookup(data.oci_apm_apm_domain.apm_domain[0], "compartment_id") : ""
 
-
-
   ocir_namespace = data.oci_objectstorage_namespace.object_namespace.namespace
 
-  ocir_namespace_with_slash = format("%s/",local.ocir_namespace)
-  ocir_user_starts_with = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash))
-  ocir_user =  local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user :  "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}"
+  ocir_namespace_with_slash = format("%s/", local.ocir_namespace)
+  ocir_user_starts_with     = substr(var.ocir_user, 0, length(local.ocir_namespace_with_slash))
+  ocir_user                 = local.ocir_user_starts_with == local.ocir_namespace_with_slash ? var.ocir_user : "${format("%s%s", local.ocir_namespace_with_slash, var.ocir_user)}"
 
   region_keys         = data.oci_identity_regions.all_regions.regions.*.key
   region_names        = data.oci_identity_regions.all_regions.regions.*.name
@@ -180,4 +177,11 @@ locals {
     "instanceShape" = var.bastion_instance_shape,
     "ocpus"         = 1
   }
+
+  is_bastion_instance_required = (var.is_bastion_instance_required && var.subnet_type != "Use Public Subnet") || var.wls_existing_vcn_id == "" || (var.wls_existing_vcn_id != "" && var.wls_subnet_id == "") ? true : false
+
+  # Resource Manager Endpoint
+  is_rms_private_endpoint_required  = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && !local.assign_weblogic_public_ip ? true : false
+  add_new_rms_private_endpoint      = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false
+  add_existing_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false
 }

terraform/main.tf

@@ -72,7 +72,7 @@ module "network-vcn-config" {
   create_load_balancer         = local.add_load_balancer
   resource_name_prefix         = local.service_name_prefix
   bastion_subnet_cidr          = local.bastion_subnet_cidr
-  is_bastion_instance_required = var.is_bastion_instance_required
+  is_bastion_instance_required = local.is_bastion_instance_required
   existing_bastion_instance_id = var.existing_bastion_instance_id
   vcn_cidr                     = var.wls_vcn_name == "" ? data.oci_core_vcn.wls_vcn[0].cidr_block : element(concat(module.network-vcn.*.vcn_cidr, tolist([""])), 0)
   existing_mt_subnet_id        = var.mount_target_subnet_id
@@ -116,7 +116,7 @@ module "network-lb-nsg" {
 
 module "network-bastion-nsg" {
   source         = "./modules/network/nsg"
-  count          = var.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0
+  count          = local.is_bastion_instance_required && var.existing_bastion_instance_id == "" && !local.use_existing_subnets && local.bastion_subnet_cidr != "" ? 1 : 0
   compartment_id = local.network_compartment_id
   vcn_id         = local.vcn_id
   nsg_name       = "${local.service_name_prefix}-bastion-nsg"
@@ -190,13 +190,13 @@ module "network-lb-subnet-1" {
 /* Create back end subnet for bastion subnet */
 module "network-bastion-subnet" {
   source             = "./modules/network/subnet"
-  count              = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && var.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0
+  count              = !local.assign_weblogic_public_ip && var.bastion_subnet_id == "" && local.is_bastion_instance_required && var.existing_bastion_instance_id == "" ? 1 : 0
   compartment_id     = local.network_compartment_id
   vcn_id             = local.vcn_id
   dhcp_options_id    = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].dhcp_options_id : ""
   route_table_id     = length(module.network-vcn-config) > 0 ? module.network-vcn-config[0].route_table_id : ""
   subnet_name        = "${local.service_name_prefix}-${var.bastion_subnet_name}"
-  dns_label          = "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}"
+  dns_label          = local.is_bastion_instance_required && local.is_rms_private_endpoint_required ? format("%s-%s", var.bastion_subnet_name, substr(strrev(var.service_name), 0, 7)) : "${var.bastion_subnet_name}-${substr(uuid(), -7, -1)}"
   cidr_block         = local.bastion_subnet_cidr
   prohibit_public_ip = false
 
@@ -240,11 +240,10 @@ module "policies" {
   mount_target_compartment_id = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id
 }
 
-
 module "bastion" {
   #depends_on          = [module.network-validation]
   source              = "./modules/compute/bastion"
-  count               = (!local.assign_weblogic_public_ip && var.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0
+  count               = (!local.assign_weblogic_public_ip && local.is_bastion_instance_required && var.existing_bastion_instance_id == "") ? 1 : 0
   availability_domain = local.bastion_availability_domain
   bastion_subnet_id   = var.bastion_subnet_id != "" ? var.bastion_subnet_id : module.network-bastion-subnet[0].subnet_id
 
@@ -349,7 +348,7 @@ module "vcn-peering" {
 
 module "validators" {
   #depends_on = [module.network-validation]
-  source     = "./modules/validators"
+  source                     = "./modules/validators"
   compartment_id             = var.compartment_ocid
   service_name               = var.service_name
   wls_ms_port                = var.wls_ms_extern_port
@@ -394,7 +393,7 @@ module "validators" {
   lb_subnet_1_cidr             = var.lb_subnet_1_cidr
   bastion_subnet_cidr          = local.bastion_subnet_cidr
   assign_public_ip             = local.assign_weblogic_public_ip
-  is_bastion_instance_required = var.is_bastion_instance_required
+  is_bastion_instance_required = local.is_bastion_instance_required
   existing_bastion_instance_id = var.existing_bastion_instance_id
   bastion_ssh_private_key      = var.bastion_ssh_private_key
 
@@ -468,8 +467,8 @@ module "validators" {
 
 module "fss" {
   #depends_on = [module.network-validation]
-  source     = "./modules/fss"
-  count      = var.add_fss ? 1 : 0
+  source = "./modules/fss"
+  count  = var.add_fss ? 1 : 0
 
   compartment_id      = var.compartment_ocid
   availability_domain = local.fss_availability_domain
@@ -491,8 +490,8 @@ module "fss" {
 
 module "load-balancer" {
   #depends_on = [module.network-validation]
-  source     = "./modules/lb/loadbalancer"
-  count      = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0
+  source = "./modules/lb/loadbalancer"
+  count  = (local.add_load_balancer && var.existing_load_balancer_id == "") ? 1 : 0
 
   compartment_id           = local.network_compartment_id
   lb_reserved_public_ip_id = compact([var.lb_reserved_public_ip_id])
@@ -510,10 +509,26 @@ module "load-balancer" {
   }
 }
 
+module "rms-private-endpoint" {
+  source = "./modules/rms-private-endpoint"
+  count  = local.is_rms_private_endpoint_required && local.add_new_rms_private_endpoint ? 1 : 0
+
+  vcn_id                     = local.vcn_id
+  compartment_id             = local.network_compartment_id
+  private_endpoint_subnet_id = var.wls_subnet_id != "" ? var.wls_subnet_id : element(concat(module.network-wls-private-subnet[*].subnet_id, [""]), 0)
+  private_endpoint_nsg_id    = var.wls_subnet_id != "" ? (var.add_existing_nsg ? [var.existing_admin_server_nsg_id] : []) : element(module.network-compute-admin-nsg[*].nsg_id, 0)
+  resource_name_prefix       = var.service_name
+
+  tags = {
+    defined_tags  = local.defined_tags
+    freeform_tags = local.free_form_tags
+  }
+}
+
 module "observability-common" {
   #depends_on = [module.network-validation]
-  source     = "./modules/observability/common"
-  count      = var.use_oci_logging ? 1 : 0
+  source = "./modules/observability/common"
+  count  = var.use_oci_logging ? 1 : 0
 
   compartment_id      = var.compartment_ocid
   service_prefix_name = local.service_name_prefix
@@ -522,8 +537,8 @@ module "observability-common" {
 
 module "observability-autoscaling" {
   #depends_on = [module.network-validation]
-  source     = "./modules/observability/autoscaling"
-  count      = var.use_autoscaling ? 1 : 0
+  source = "./modules/observability/autoscaling"
+  count  = var.use_autoscaling ? 1 : 0
 
   compartment_id        = var.compartment_ocid
   metric_compartment_id = local.apm_domain_compartment_id
@@ -608,7 +623,7 @@ module "compute" {
 
   deploy_sample_app = local.deploy_sample_app
 
-  is_bastion_instance_required = var.is_bastion_instance_required
+  is_bastion_instance_required = local.is_bastion_instance_required
 
   is_idcs_selected      = var.is_idcs_selected
   idcs_host             = var.idcs_host
@@ -683,8 +698,8 @@ module "compute" {
 
 module "load-balancer-backends" {
   #depends_on = [module.network-validation]
-  source     = "./modules/lb/backends"
-  count      = local.add_load_balancer ? 1 : 0
+  source = "./modules/lb/backends"
+  count  = local.add_load_balancer ? 1 : 0
 
   resource_name_prefix = local.service_name_prefix
   load_balancer_id     = local.add_load_balancer ? (var.existing_load_balancer_id != "" ? var.existing_load_balancer_id : element(coalescelist(module.load-balancer[*].wls_loadbalancer_id, [""]), 0)) : ""
@@ -698,8 +713,8 @@ module "load-balancer-backends" {
 
 module "observability-logging" {
   #depends_on = [module.network-validation]
-  source     = "./modules/observability/logging"
-  count      = var.use_oci_logging ? 1 : 0
+  source = "./modules/observability/logging"
+  count  = var.use_oci_logging ? 1 : 0
 
   compartment_id                        = var.compartment_ocid
   oci_managed_instances_principal_group = element(concat(module.policies[*].oci_managed_instances_principal_group, [""]), 0)
@@ -716,16 +731,18 @@ module "observability-logging" {
 
 module "provisioners" {
   #depends_on = [module.network-validation]
-  source     = "./modules/provisioners"
-
-  existing_bastion_instance_id = var.existing_bastion_instance_id
-  host_ips                     = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""])
-  num_vm_instances             = var.wls_node_count
-  ssh_private_key              = module.compute.ssh_private_key_opc
-  assign_public_ip             = local.assign_weblogic_public_ip
-  bastion_host                 = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip
-  bastion_host_private_key     = local.assign_weblogic_public_ip || !var.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)
-  is_bastion_instance_required = var.is_bastion_instance_required
+  source = "./modules/provisioners"
+
+  existing_bastion_instance_id     = var.existing_bastion_instance_id
+  host_ips                         = coalescelist(compact(module.compute.instance_public_ips), compact(module.compute.instance_private_ips), [""])
+  num_vm_instances                 = var.wls_node_count
+  ssh_private_key                  = module.compute.ssh_private_key_opc
+  is_rms_private_endpoint_required = local.is_rms_private_endpoint_required
+  rms_private_endpoint_id          = local.is_rms_private_endpoint_required ? local.add_new_rms_private_endpoint ? module.rms-private-endpoint[0].rms_private_endpoint_id : var.rms_existing_private_endpoint_id : ""
+  assign_public_ip                 = local.assign_weblogic_public_ip
+  bastion_host                     = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].public_ip : data.oci_core_instance.existing_bastion_instance[0].public_ip
+  bastion_host_private_key         = local.assign_weblogic_public_ip || !local.is_bastion_instance_required ? "" : var.existing_bastion_instance_id == "" ? module.bastion[0].bastion_private_ssh_key : file(var.bastion_ssh_private_key)
+  is_bastion_instance_required     = local.is_bastion_instance_required
 
   mode                             = var.mode
   wlsoci_vmscripts_zip_bundle_path = var.wlsoci_vmscripts_zip_bundle_path

terraform/modules/policies/locals.tf

@@ -35,7 +35,6 @@ locals {
   apm_domain_policy_statement = var.use_apm_service ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use apm-domains in compartment id ${var.apm_domain_compartment_id}" : ""
   # This policy with "use load_balancer" verb is needed to create load balancer for new vcn
   lb_policy_statement = var.add_load_balancer ? length(oci_identity_dynamic_group.wlsc_instance_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use load-balancers in compartment id ${var.network_compartment_id}" : "" : ""
-
   service_statements = compact([local.core_policy_statement1, local.core_policy_statement2, local.core_policy_statement3, local.network_policy_statement1, local.secrets_policy_statement1, local.secrets_policy_statement2,
     local.atp_policy_statement1, local.atp_policy_statement2, local.atp_policy_statement3, local.oci_db_policy_statement1, local.oci_db_policy_statement2, local.oci_db_policy_statement3, local.logging_policy,
     local.apm_domain_policy_statement, local.lb_policy_statement
@@ -76,6 +75,7 @@ locals {
   autoscaling_statement25                       = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect dynamic-groups in tenancy" : "" : ""
   autoscaling_statement26                       = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage policies in tenancy" : "" : ""
   autoscaling_statement27                       = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to use tag-namespaces in tenancy" : "" : ""
+  autoscaling_statement28                       = var.use_autoscaling ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage orm-family in compartment id ${var.network_compartment_id}" : "" : ""
   autoscaling_atp_policy_statement              = (var.atp_db.is_atp && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect autonomous-transaction-processing-family in compartment id ${var.atp_db.compartment_id}" : "" : ""
   autoscaling_db_policy_statement               = (local.is_oci_db && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to inspect database-family in compartment id ${var.oci_db.compartment_id}" : "" : ""
   autoscaling_fss_mount_target_policy_statement = (var.add_fss && var.use_autoscaling) ? length(oci_identity_dynamic_group.wlsc_functions_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_functions_principal_group[0].name} to manage mount-targets in compartment id ${var.mount_target_compartment_id}" : "" : ""
@@ -96,7 +96,7 @@ locals {
     local.autoscaling_statement18, local.autoscaling_statement19, local.autoscaling_statement20,
     local.autoscaling_statement21, local.autoscaling_statement22, local.autoscaling_statement23,
     local.autoscaling_statement24, local.autoscaling_statement25, local.autoscaling_statement26,
-    local.autoscaling_statement27,
+    local.autoscaling_statement27, local.autoscaling_statement28,
     local.autoscaling_logging_policy_1, local.autoscaling_logging_policy_2, local.autoscaling_logging_policy_3,
     local.autoscaling_atp_policy_statement,
     local.autoscaling_db_policy_statement,

terraform/modules/provisioners/data_sources.tf

@@ -0,0 +1,10 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+
+// Resolves the private IP of the customer's private endpoint to a NAT IP. Used as the host address in the "remote-exec" resource
+data "oci_resourcemanager_private_endpoint_reachable_ip" "private_endpoint_reachable_ips" {
+  count               = var.is_rms_private_endpoint_required ? var.num_vm_instances : 0
+  private_endpoint_id = var.rms_private_endpoint_id
+  private_ip          = var.host_ips[count.index]
+}