Add policy for updating ATP NSG & Rename variable ocidb_existing_vcn_add_seclist (#113)

* Add policy for updating ATP NSG

* Add policy for updating ATP NSG

* Add policy for updating ATP NSG

Author: Mahuwa-Barman

terraform/db_variables.tf

@@ -141,7 +141,7 @@ variable "atp_db_password_id" {
 
 variable "atp_db_network_compartment_id" {
   type        = string
-  description = "The OCID of the compartment in which the ATP database VCN is found"
+  description = "The OCID of the compartment in which the ATP database private endpoint VCN is found"
   default     = ""
 }
 
@@ -158,10 +158,9 @@ variable "atp_db_uses_private_endpoint" {
   default     = false
 }
 
-#This variable is used for both oci db and ATP with private subnet
-#NOTE: this has not been renamed to support future cloning support
-variable "ocidb_existing_vcn_add_seclist" {
+#This variable is used for both OCI database and ATP database with private endpoint
+variable "db_existing_vcn_add_secrule" {
   type        = bool
-  description = "Set to true to add a security list to the database subnet (for OCI DB) when using existing VCN or network security group (for ATP with private endpoint) that allows connections from the WebLogic Server subnet"
+  description = "Set to true to add a security list to the database subnet (for OCI DB) or a security rule to the network security group (for ATP with private endpoint) that allows connections from the WebLogic Server subnet"
   default     = true
 }

terraform/locals.tf

@@ -28,12 +28,16 @@ locals {
   db_password_id                = local.is_atp_db ? var.atp_db_password_id : var.oci_db_password_id
   is_atp_db                     = trimspace(var.atp_db_id) != ""
   is_atp_with_private_endpoints = local.is_atp_db && (length(data.oci_database_autonomous_database.atp_db) != 0 ? data.oci_database_autonomous_database.atp_db[0].subnet_id != null : false)
-  atp_db_network_compartment_id = local.is_atp_db && var.atp_db_network_compartment_id == "" ? var.atp_db_compartment_id : var.atp_db_network_compartment_id
+  atp_db_network_compartment_id = local.is_atp_with_private_endpoints && var.atp_db_network_compartment_id == "" ? var.atp_db_compartment_id : var.atp_db_network_compartment_id
 
   atp_db = {
-    is_atp         = local.is_atp_db
-    compartment_id = var.atp_db_compartment_id
-    password_id    = var.atp_db_password_id
+    is_atp                        = local.is_atp_db
+    password_id                   = var.atp_db_password_id
+    compartment_id                = var.atp_db_compartment_id
+    is_atp_with_private_endpoints = local.is_atp_with_private_endpoints
+    network_compartment_id        = local.atp_db_network_compartment_id
+    existing_vcn_id               = var.atp_db_existing_vcn_id
+    existing_vcn_add_seclist      = local.is_atp_with_private_endpoints ? var.db_existing_vcn_add_secrule : false
   }
   oci_db = {
     is_oci_db                = local.is_oci_db
@@ -42,14 +46,14 @@ locals {
     network_compartment_id   = local.oci_db_network_compartment_id
     existing_vcn_id          = var.oci_db_existing_vcn_id
     oci_db_connection_string = var.oci_db_connection_string
-    existing_vcn_add_seclist = local.is_oci_db ? var.ocidb_existing_vcn_add_seclist : false
+    existing_vcn_add_seclist = local.is_oci_db ? var.db_existing_vcn_add_secrule : false
   }
 
   is_oci_db                     = trimspace(var.oci_db_dbsystem_id) == "" ? false : true
   oci_db_compartment_id         = var.oci_db_compartment_id == "" ? local.network_compartment_id : var.oci_db_compartment_id
   oci_db_network_compartment_id = local.is_oci_db && var.oci_db_network_compartment_id == "" ? var.oci_db_compartment_id : var.oci_db_network_compartment_id
 
-  db_network_compartment_id = local.is_atp_db ? local.atp_db_network_compartment_id : local.oci_db_network_compartment_id
+  db_network_compartment_id = local.is_atp_with_private_endpoints ? local.atp_db_network_compartment_id : local.oci_db_network_compartment_id
 
   # Locals used by outputs
   bastion_public_ip = element(coalescelist(module.bastion[*].public_ip, data.oci_core_instance.existing_bastion_instance.*.public_ip, [""]), 0)

terraform/main.tf

@@ -580,7 +580,7 @@ module "compute" {
   mount_path  = var.mount_path
   export_path = var.existing_export_path_id != "" ? element(concat(data.oci_file_storage_exports.export[*].exports[0].path, [""]), 0) : element(concat(module.fss[*].export_path, [""]), 0)
 
-  db_existing_vcn_add_seclist = var.ocidb_existing_vcn_add_seclist
+  db_existing_vcn_add_seclist = var.db_existing_vcn_add_secrule
   jrf_parameters = {
     db_user        = local.db_user
     db_password_id = local.db_password_id

terraform/modules/compute/wls_compute/db_variables.tf

@@ -68,5 +68,5 @@ variable "jrf_parameters" {
 //Add security list to existing db vcn
 variable "db_existing_vcn_add_seclist" {
   type        = bool
-  description = "Set to true to add a security list to the database subnet (for OCI DB) when using existing VCN or network security group (for ATP with private endpoint) that allows connections from the WebLogic Server subnet"
+  description = "Set to true to add a security list to the database subnet (for OCI DB) or a security rule to the network security group (for ATP with private endpoint) that allows connections from the WebLogic Server subnet"
 }

terraform/modules/policies/locals.tf

@@ -22,6 +22,8 @@ locals {
   atp_policy_statement1     = (var.atp_db.is_atp && var.atp_db.password_id != "") ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read secret-bundles in tenancy where target.secret.id = '${var.atp_db.password_id}'" : ""
   # This policy with "use autonomous-transaction-processing-family" verb is needed to download ATP db wallet
   atp_policy_statement2    = (var.atp_db.is_atp && var.atp_db.compartment_id != "") ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use autonomous-transaction-processing-family in compartment id ${var.atp_db.compartment_id}" : ""
+  # This policy with "manage network-security-groups" verb is needed to add security rule in the ATP db (with private endpoint) NSG in the ATP db VCN
+  atp_policy_statement3    = (var.atp_db.is_atp_with_private_endpoints && var.atp_db.existing_vcn_add_seclist && var.atp_db.network_compartment_id != "") ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to manage network-security-groups in compartment id ${var.atp_db.network_compartment_id} where request.operation = 'AddNetworkSecurityGroupSecurityRules'" : ""
   oci_db_policy_statement1 = var.oci_db.password_id != "" ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read secret-bundles in tenancy where target.secret.id = '${var.oci_db.password_id}'" : ""
   # This policy with "inspect virtual-network-family" verb is needed to read OCI DB VCN information like CIDR, etc, for VCN validation
   oci_db_policy_statement2 = (var.oci_db.network_compartment_id != "" && var.oci_db.existing_vcn_id != local.network_vcn_id) ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to inspect virtual-network-family in compartment id ${var.oci_db.network_compartment_id} where target.vcn.id = '${var.oci_db.existing_vcn_id}'" : ""
@@ -34,7 +36,7 @@ locals {
   # This policy with "use load_balancer" verb is needed to create load balancer for new vcn
   lb_policy_statement = var.add_load_balancer ? length(oci_identity_dynamic_group.wlsc_instance_principal_group) > 0 ? "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to use load-balancers in compartment id ${var.network_compartment_id}" : "" : ""
 
-  service_statements = compact([local.core_policy_statement1, local.core_policy_statement2, local.core_policy_statement3, local.network_policy_statement1, local.secrets_policy_statement1, local.secrets_policy_statement2, local.atp_policy_statement1, local.atp_policy_statement2, local.oci_db_policy_statement1, local.oci_db_policy_statement2, local.logging_policy, local.apm_domain_policy_statement, local.lb_policy_statement])
+  service_statements = compact([local.core_policy_statement1, local.core_policy_statement2, local.core_policy_statement3, local.network_policy_statement1, local.secrets_policy_statement1, local.secrets_policy_statement2, local.atp_policy_statement1, local.atp_policy_statement2, local.atp_policy_statement3, local.oci_db_policy_statement1, local.oci_db_policy_statement2, local.logging_policy, local.apm_domain_policy_statement, local.lb_policy_statement])
 
   cloning_policy_statement1 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to read orm-stacks in compartment id ${var.compartment_id}"
   cloning_policy_statement2 = "Allow dynamic-group ${oci_identity_dynamic_group.wlsc_instance_principal_group.name} to inspect compartments in tenancy"

terraform/modules/policies/variables.tf

@@ -97,15 +97,23 @@ variable "wls_admin_password_id" {
 
 variable "atp_db" {
   type = object({
-    is_atp         = bool
-    compartment_id = string
-    password_id    = string
+    is_atp                        = bool
+    password_id                   = string
+    compartment_id                = string
+    is_atp_with_private_endpoints = bool
+    network_compartment_id        = string
+    existing_vcn_id               = string
+    existing_vcn_add_seclist      = bool
   })
   description = <<-EOT
   atp_db = {
     is_atp: "Indicates if an ATP database is used to store the schemas of a JRF WebLogic domain"
-    compartment_id: "The OCID of the compartment where the ATP database is located"
     password_id: "The OCID of the vault secret with the password of the database"
+    compartment_id: "The OCID of the compartment where the ATP database is located"
+    is_atp_with_private_endpoints: "Indicates if the ATP database uses private endpoint for network access"
+    network_compartment_id: "The OCID of the compartment in which the ATP database private endpoint VCN is found"
+    existing_vcn_id: "The OCID of the VCN used by the ATP database private endpoint"
+    existing_vcn_add_seclist: "Set to true to add a security list to the network security group (for ATP with private endpoint) that allows connections from the WebLogic Server subnet"
   }
   EOT
 }
@@ -127,7 +135,7 @@ variable "oci_db" {
     compartment_id: "The OCID of the compartment where the OCI database is located"
     network_compartment_id: "The OCID of the compartment in which the DB System VCN is found"
     existing_vcn_id: "The OCID of the DB system VCN"
-    existing_vcn_add_seclist: "Set to true to add a security list to the database subnet (for OCI DB) when using existing VCN that allows connections from the WebLogic Server subnet"
+    existing_vcn_add_seclist: "Set to true to add a security list to the database subnet (for OCI DB) that allows connections from the WebLogic Server subnet"
   }
   EOT
 }

terraform/schema.yaml

@@ -63,7 +63,7 @@ groupings:
       - ${oci_db_secret_compartment_id}
       - ${oci_db_password_id}
       - ${oci_db_port}
-      - ${ocidb_existing_vcn_add_seclist}
+      - ${db_existing_vcn_add_secrule}
       - ${db_vcn_lpg_id}
       #End of JRF fields
       - ${deploy_sample_app}
@@ -1636,7 +1636,7 @@ variables:
     description: The compartment in which the DB System Virtual Cloud Network is found.
     default: ${compartment_ocid}
 
-  ocidb_existing_vcn_add_seclist:
+  db_existing_vcn_add_secrule:
     visible:
       and:
         - ${orm_create_mode}
@@ -1650,7 +1650,7 @@ variables:
     type: boolean
     default: true
     title: Create Database Security List
-    description: Add a security list to the DB subnet or Network Security Group for ATP Database with private endpoint that allows connections from the WebLogic Server subnet
+    description: Add a security list to the DB subnet or a security rule to the Network Security Group for ATP Database with private endpoint that allows connections from the WebLogic Server subnet
 
   # OCI DB Configuration
 

terraform/schema_14110.yaml

@@ -186,7 +186,7 @@ groupings:
       - ${oci_db_compartment_id}
       - ${oci_db_network_compartment_id}
       - ${oci_db_existing_vcn_id}
-      - ${ocidb_existing_vcn_add_seclist}
+      - ${db_existing_vcn_add_secrule}
       - ${oci_db_dbsystem_id}
       - ${oci_db_dbhome_id}
       - ${oci_db_dbhome_major_version}