Topic sk bug 35241678 (#183)

Fixed Bug 35241678 - Network validation script flagging load balancer
port 443 port to be open to Internet.

1. Tested private load balancer with out cidr 0.0.0.0/0
2. Tested public load balancer.

---------

Co-authored-by: Roberto Sanchez <[email protected]>
Co-authored-by: Mahuwa Barman <[email protected]>
Co-authored-by: telake <[email protected]>
Co-authored-by: Rajesh Chavan <[email protected]>
Co-authored-by: abhijit-paranjpe <[email protected]>

Author: 6 people

terraform/main.tf

@@ -21,6 +21,7 @@ module "network-validation" {
   existing_lb_nsg_id             = var.add_existing_nsg && var.add_load_balancer ? var.existing_lb_nsg_id : ""
   existing_mount_target_nsg_id   = var.add_existing_nsg && var.add_fss ? var.existing_mount_target_nsg_id : ""
   existing_bastion_nsg_id        = var.add_existing_nsg && var.is_bastion_instance_required ? var.existing_bastion_nsg_id : ""
+  lb_source_cidr                 = var.add_load_balancer ? (var.is_lb_private ? "" : "0.0.0.0/0") : ""
 }
 
 module "system-tags" {

terraform/modules/network-validator/locals.tf

@@ -7,6 +7,7 @@ locals {
   validation_script_bastion_ip_param                     = var.bastion_ip != "" ? format("--bastionip %s", var.bastion_ip) : ""
   validation_script_lb_subnet_1_param                    = var.lb_subnet_1_id != "" ? format("--lbsubnet1 %s", var.lb_subnet_1_id) : ""
   validation_script_lb_subnet_2_param                    = var.lb_subnet_2_id != "" ? format("--lbsubnet2 %s", var.lb_subnet_2_id) : ""
+  validation_script_lb_source_cidr_param                 = var.lb_source_cidr != "" ? format("--lbsourcecidr %s", var.lb_source_cidr) : ""
   validation_script_wls_lb_port                          = var.wls_ms_extern_port != "" ? format("--externalport %s", var.wls_ms_extern_port) : ""
   validation_script_mount_target_subnet_param            = var.mount_target_subnet_id != "" ? format("--fsssubnet %s", var.mount_target_subnet_id) : ""
   validation_script_atp_db_id_param                      = var.atp_db_id != "" ? format("--atpdbid %s", var.atp_db_id) : ""

terraform/modules/network-validator/scripts/network_validation.sh

@@ -37,6 +37,7 @@ LB_NSG_OCID=""
 FSS_NSG_OCID=""
 LPG_OCID=""
 ALL_IPS="0.0.0.0/0"
+LB_SOURCE_CIDR=""
 NETWORK_VALIDATION_MSG="Fix the network validation script errors and re-run the script in the cloud shell"
 
 debug=false
@@ -240,6 +241,9 @@ function check_tcp_port_open_in_seclist_or_nsg() {
         else
           source_in_cidr_range=1
         fi
+      elif [[ $source = "" ]]
+      then
+        source_in_cidr_range=0
       else
         source_in_cidr_range=$(in_cidr_range $ingress_source $source ; echo $?)
       fi
@@ -519,9 +523,10 @@ This script is used to validate existing subnets, and optionally network securit
   -g, --lpg           OCID of the Local Peering Gateway (LPG) in the DB VCN
   -b, --bastionsubnet Bastion Subnet OCID
   -i, --bastionip     Bastion Host IP. Provide this if using existing bastion
+  -j, --lbsourcecidr  Load Balance Source CIDR
   -u, --lbsubnet1     Load Balancer Subnet 1 OCID
   -v, --lbsubnet2     Load Balancer Subnet 2 OCID which is required only for AD subnet
-  -l,  --externalport WebLogic Managed Server External Port
+  -l, --externalport  WebLogic Managed Server External Port
   -f, --fsssubnet     File Storage Service (FSS) Mount Target Subnet OCID
   -a, --adminsrvnsg   OCID of the Network Security Group (NSG) for the administration server (Required if using NSGs instead of security lists)
   -m, --managedsrvnsg OCID of the Network Security Group (NSG) for the managed servers (Required if using NSGs instead of security lists)
@@ -587,6 +592,7 @@ while [[ $1 = -?* ]]; do
     -g|--lpg) shift; LPG_OCID=${1} ;;
     -b|--bastionsubnet) shift; BASTION_SUBNET_OCID=${1} ;;
     -i|--bastionip) shift; BASTION_HOST_IP=${1} ;;
+    -j|--lbsourcecidr) shift; LB_SOURCE_CIDR=${1} ;;
     -u|--lbsubnet1) shift; LB_SUBNET_1_OCID=${1} ;;
     -v|--lbsubnet2) shift; LB_SUBNET_2_OCID=${1} ;;
     -l|--externalport) shift; WLS_LB_PORT=${1} ;;
@@ -963,20 +969,18 @@ if [[ -n ${LB_SUBNET_1_OCID} ]]
 then
   if [[ -z ${LB_NSG_OCID} ]]
   then
-    res=$(validate_subnet_port_access "${LB_SUBNET_1_OCID}" ${LB_PORT} "${ALL_IPS}")
+    res=$(validate_subnet_port_access "${LB_SUBNET_1_OCID}" ${LB_PORT} "${LB_SOURCE_CIDR}")
     if [[ $res -ne 0 ]]
     then
-      echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in LB Subnet CIDR [${LB_SUBNET_1_OCID}]. ${NETWORK_VALIDATION_MSG}"
-      validation_return_code=2
+      echo "WARNING : Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in LB Subnet CIDR [${LB_SUBNET_1_OCID}]. ${NETWORK_VALIDATION_MSG}"
     fi
   else
     if [[ -n ${ADMIN_SRV_NSG_OCID} && -n ${MANAGED_SRV_NSG_OCID} ]]
     then
-      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "$ALL_IPS" "nsg")
+      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "${LB_SOURCE_CIDR}" "nsg")
       if [[ $res -ne 0 ]]
       then
-        echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
-        validation_return_code=2
+        echo "WARNING : Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
       fi
     fi
   fi
@@ -1014,19 +1018,19 @@ if [[ -n ${LB_SUBNET_2_OCID} ]]
 then
   if [[ -z ${LB_NSG_OCID} ]]
   then
-    res=$(validate_subnet_port_access "${LB_SUBNET_2_OCID}" ${LB_PORT} "${ALL_IPS}")
+    res=$(validate_subnet_port_access "${LB_SUBNET_2_OCID}" ${LB_PORT} "${LB_SOURCE_CIDR}")
     if [[ $res -ne 0 ]]
     then
-      echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in LB Subnet CIDR [${LB_SUBNET_2_OCID}]. ${NETWORK_VALIDATION_MSG}"
+      echo "ERROR: Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in LB Subnet CIDR [${LB_SUBNET_2_OCID}]. ${NETWORK_VALIDATION_MSG}"
       validation_return_code=2
     fi
   else
     if [[ -n ${ADMIN_SRV_NSG_OCID} && -n ${MANAGED_SRV_NSG_OCID} ]]
     then
-      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "$ALL_IPS" "nsg")
+      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "${LB_SOURCE_CIDR}" "nsg")
       if [[ $res -ne 0 ]]
       then
-        echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
+        echo "ERROR: Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
         validation_return_code=2
       fi
     fi

terraform/modules/network-validator/validator.tf

@@ -3,7 +3,7 @@
 
 resource "null_resource" "validate_network" {
   provisioner "local-exec" {
-    command     = "chmod +x ./scripts/network_validation.sh && ./scripts/network_validation.sh ${local.validation_script_wls_subnet_param} ${local.validation_script_bastion_subnet_param} ${local.validation_script_bastion_ip_param} ${local.validation_script_lb_subnet_1_param} ${local.validation_script_lb_subnet_2_param} ${local.validation_script_wls_lb_port} ${local.validation_script_mount_target_subnet_param} ${local.validation_script_atp_db_id_param} ${local.validation_script_oci_db_dbsystem_id_param} ${local.validation_script_oci_db_port_param} ${local.validation_script_http_port_param} ${local.validation_script_https_port_param} ${local.validation_script_existing_admin_server_nsg_id_param} ${local.validation_script_existing_managed_server_nsg_id_param} ${local.validation_script_existing_lb_nsg_id_param} ${local.validation_script_existing_mount_target_nsg_id_param} ${local.validation_script_existing_bastion_nsg_id_param}"
+    command     = "chmod +x ./scripts/network_validation.sh && ./scripts/network_validation.sh ${local.validation_script_wls_subnet_param} ${local.validation_script_bastion_subnet_param} ${local.validation_script_bastion_ip_param} ${local.validation_script_lb_subnet_1_param} ${local.validation_script_lb_subnet_2_param} ${local.validation_script_wls_lb_port} ${local.validation_script_lb_source_cidr_param} ${local.validation_script_mount_target_subnet_param} ${local.validation_script_atp_db_id_param} ${local.validation_script_oci_db_dbsystem_id_param} ${local.validation_script_oci_db_port_param} ${local.validation_script_http_port_param} ${local.validation_script_https_port_param} ${local.validation_script_existing_admin_server_nsg_id_param} ${local.validation_script_existing_managed_server_nsg_id_param} ${local.validation_script_existing_lb_nsg_id_param} ${local.validation_script_existing_mount_target_nsg_id_param} ${local.validation_script_existing_bastion_nsg_id_param}"
     interpreter = ["/bin/bash", "-c"]
     working_dir = path.module
   }

terraform/modules/network-validator/variables.tf

@@ -85,3 +85,8 @@ variable "existing_bastion_nsg_id" {
   type        = string
   description = "The OCID of the pre-created NSG that should be attached to the bastion instance"
 }
+
+variable "lb_source_cidr" {
+  type        = string
+  description = "Set to empty value if loadbalancer is set to private"
+}

terraform/schema_14110.yaml

@@ -713,7 +713,7 @@ variables:
     default: false
     required: true
     title: "Skip Network Validation"
-    description: "Skip running network validation script for existing subnets. Existing Virtual Cloud Network can be validated using the network validation script. See <a target=\"_blank\" href=\https://docs.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/weblogic-cloud/user&id=oci_network_validate\>Validate Existing Network Setup</a>"
+    description: "Skip running network validation script for existing subnets. Existing Virtual Cloud Network can be validated using the network validation script. See <a target=\"_blank\" href=\"https://docs.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/weblogic-cloud/user&id=oci_network_validate\">Validate Existing Network Setup</a>"
     visible:
       and:
         - not: