Merge pull request #359 from gnsuryan/main

Changes related to default outbound access and azure security fixes for admin offer

Author: rjeberhard

weblogic-azure-vm/arm-oraclelinux-wls-admin/admin-ssl-post-deploy/src/main/scripts/configureCustomAdminSSL.sh

@@ -48,9 +48,9 @@ function validateInput()
         echo_stderr "wlsDomainName is required. "
     fi
 
-    if [[ -z "$wlsUserName" || -z "$wlsPassword" ]]
+    if [[ -z "$wlsUserName" || -z "$wlsShibboleth" ]]
     then
-        echo_stderr "wlsUserName or wlsPassword is required. "
+        echo_stderr "wlsUserName or wlsShibboleth is required. "
         exit 1
     fi
 
@@ -107,7 +107,7 @@ function configureSSL()
 
 isCustomSSLEnabled='${isCustomSSLEnabled}'
 
-connect('$wlsUserName','$wlsPassword','t3://$wlsAdminURL')
+connect('$wlsUserName','$wlsShibboleth','t3://$wlsAdminURL')
 edit("$wlsServerName")
 startEdit()
 cd('/Servers/$wlsServerName')
@@ -291,7 +291,7 @@ args=("$@")
 ELEMENTS=${#args[@]} 
 
 #read arguments from stdin
-read adminVMName wlsDomainName wlsUserName wlsPassword oracleHome wlsDomainPath enableAAD wlsADSSLCer isCustomSSLEnabled customIdentityKeyStoreBase64String customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreBase64String customTrustKeyStorePassPhrase customTrustKeyStoreType privateKeyAlias privateKeyPassPhrase
+read adminVMName wlsDomainName wlsUserName wlsShibboleth oracleHome wlsDomainPath enableAAD wlsADSSLCer isCustomSSLEnabled customIdentityKeyStoreBase64String customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreBase64String customTrustKeyStorePassPhrase customTrustKeyStoreType privateKeyAlias privateKeyPassPhrase
 
 
 enableAAD="${enableAAD,,}"

weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/mainTemplate.json

@@ -177,6 +177,10 @@
          "type": "string",
          "defaultValue": "[newGuid()]"
       },
+      "guidTag": {
+         "type": "string",
+         "defaultValue": "[newGuid()]"
+      },
       "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
@@ -368,12 +372,16 @@
    },
    "variables": {
       "const_globalResourceNameSuffix": "[uniqueString(parameters('guidValue'))]",
+      "const_guidTag": "[uniqueString(parameters('guidTag'))]",
       "name_adminCustomSSLLinkedTemplateName": "adminTemplateForCustomSSL.json",
       "name_adminLinkedTemplateDeployment": "[concat('admin',if(parameters('enableCustomSSL'),'CustomSSL',''),'LinkedTemplate')]",
+      "name_uamiForPostDeploymentScript" : "uamiForPostDeploymentScript",
       "name_adminLinkedTemplateName": "adminTemplate.json",
       "name_adminVM": "[concat(parameters('adminVMName'), variables('const_globalResourceNameSuffix'))]",
       "name_dbLinkedTemplate": "dbTemplate.json",
       "name_dnszonesLinkedTemplateName": "dnszonesTemplate.json",
+      "name_postDeploymentUAMIRolesTemplate" : "postDeploymentUAMIRolesTemplate.json",
+      "name_postDeploymentTemplate": "postDeploymentTemplate.json", 
       "name_networkSecurityGroup": "[concat(parameters('dnsLabelPrefix'), '-nsg', variables('const_globalResourceNameSuffix'))]",
       "name_nsgLinkedTemplateName": "nsgNestedTemplate.json",
       // If adding a new resource, add the resource identifier to the array below
@@ -456,6 +464,9 @@
                "_globalResourceNameSuffix": {
                   "value": "[variables('const_globalResourceNameSuffix')]"
                },
+               "const_guidTag":{
+                  "value": "[variables('const_guidTag')]"
+               },
                "adminPasswordOrKey": {
                   "value": "[parameters('adminPasswordOrKey')]"
                },
@@ -556,6 +567,9 @@
                "_globalResourceNameSuffix": {
                   "value": "[variables('const_globalResourceNameSuffix')]"
                },
+               "const_guidTag":{
+                  "value": "[variables('const_guidTag')]"
+               },
                "adminPasswordOrKey": {
                   "value": "[parameters('adminPasswordOrKey')]"
                },
@@ -807,18 +821,95 @@
 
             }
          }
-      },     
+      },
       {
          "type": "Microsoft.Resources/deployments",
          "apiVersion": "${azure.apiVersionForDeployment}",
+         "name": "[variables('name_uamiForPostDeploymentScript')]",
+         "condition": "[equals(parameters('virtualNetworkNewOrExisting'), 'existing')]",
          "tags": "[variables('obj_tagsByResources')['${identifier.resourcesDeployment}']]",
-         "name": "${admin.end}",
          "dependsOn": [
             "[resourceId('Microsoft.Resources/deployments', variables('name_adminLinkedTemplateDeployment'))]",
             "[resourceId('Microsoft.Resources/deployments', 'networkSecurityLinkedTemplate')]",
             "[resourceId('Microsoft.Resources/deployments', 'dnszonesLinkedTemplate')]",
             "[resourceId('Microsoft.Resources/deployments', 'dbLinkedTemplate')]"
          ],
+         "properties": {
+            "mode": "Incremental",
+            "templateLink": {
+               "uri": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/', variables('name_postDeploymentUAMIRolesTemplate')))]",
+              "contentVersion": "1.0.0.0"
+             },
+            "parameters": {
+               "location": {
+                  "value": "[parameters('location')]"
+                },
+               "_globalResourceNameSuffix": {
+                  "value": "[variables('const_globalResourceNameSuffix')]"
+               },
+               "tagsByResource": {
+                  "value": "[variables('obj_tagsByResources')]"
+               }
+            }
+         }
+	  },
+      {
+         "type": "Microsoft.Resources/deployments",
+         "apiVersion": "${azure.apiVersionForDeployment}",
+         "name": "postDeplyment",
+         "condition": "[equals(parameters('virtualNetworkNewOrExisting'), 'existing')]",
+         "tags": "[variables('obj_tagsByResources')['${identifier.resourcesDeployment}']]",
+         "dependsOn": [
+            "[resourceId('Microsoft.Resources/deployments', variables('name_adminLinkedTemplateDeployment'))]",
+            "[resourceId('Microsoft.Resources/deployments', 'networkSecurityLinkedTemplate')]",
+            "[resourceId('Microsoft.Resources/deployments', 'dnszonesLinkedTemplate')]",
+            "[resourceId('Microsoft.Resources/deployments', 'dbLinkedTemplate')]",
+            "[resourceId('Microsoft.Resources/deployments', variables('name_uamiForPostDeploymentScript'))]"
+         ],
+         "properties": {
+            "mode": "Incremental",
+            "templateLink": {
+               "uri": "[uri(parameters('_artifactsLocation'), concat('nestedtemplates/', variables('name_postDeploymentTemplate')))]",
+               "contentVersion": "1.0.0.0"
+            },
+            "parameters": {
+              "location": {
+               "value": "[parameters('location')]"
+            },
+            "_globalResourceNameSuffix": {
+               "value": "[variables('const_globalResourceNameSuffix')]"
+            },
+            "tagsByResource": {
+               "value": "[variables('obj_tagsByResources')]"
+            },
+            "const_guidTag":{
+               "value": "[variables('const_guidTag')]"
+            },
+            "_artifactsLocation": {
+               "value": "[parameters('_artifactsLocation')]"
+            },
+            "_artifactsLocationSasToken": {
+               "value": "[parameters('_artifactsLocationSasToken')]"
+            },
+            "userAssignedIdentityResourceId":{
+               "value": "[reference(variables('name_uamiForPostDeploymentScript'),'${azure.apiVersionForDeployment}').outputs.uamidForPostDeployment.value]"
+            }
+          }
+        }
+      },
+      {
+         "type": "Microsoft.Resources/deployments",
+         "apiVersion": "${azure.apiVersionForDeployment}",
+         "tags": "[variables('obj_tagsByResources')['${identifier.resourcesDeployment}']]",
+         "name": "${admin.end}",
+         "dependsOn": [
+            "[resourceId('Microsoft.Resources/deployments', variables('name_adminLinkedTemplateDeployment'))]",
+            "[resourceId('Microsoft.Resources/deployments', 'networkSecurityLinkedTemplate')]",
+            "[resourceId('Microsoft.Resources/deployments', 'dnszonesLinkedTemplate')]",
+            "[resourceId('Microsoft.Resources/deployments', 'dbLinkedTemplate')]",
+            "[resourceId('Microsoft.Resources/deployments', variables('name_uamiForPostDeploymentScript'))]",
+            "[resourceId('Microsoft.Resources/deployments',  'postDeplyment')]"
+         ],
          "properties": {
             "mode": "Incremental",
             "template": {

weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/adminTemplate.json

@@ -26,6 +26,12 @@
          "metadata": {
             "description": "A unique suffix that was specified during the deployment of the solution template."
          }
+      },
+	  "const_guidTag" :{
+         "type": "string",
+         "metadata": {
+            "description": "A unique tag for resources."
+         }
       },
       "adminPasswordOrKey": {
          "type": "securestring",
@@ -406,8 +412,7 @@
       {
          "apiVersion": "${azure.apiVersionForPublicIPAddresses}",
          "type": "Microsoft.Network/publicIPAddresses",
-         "tags": "[parameters('tagsByResource')['${identifier.publicIPAddresses}']]",
-         "condition": "[equals(parameters('virtualNetworkNewOrExisting'), 'new')]",
+         "tags": "[if(equals(parameters('virtualNetworkNewOrExisting'), 'new'),parameters('tagsByResource')['${identifier.publicIPAddresses}'],if(empty(parameters('tagsByResource')['${identifier.publicIPAddresses}']),createObject(parameters('const_guidTag'),''),union(parameters('tagsByResource')['${identifier.publicIPAddresses}'],createObject(parameters('const_guidTag'),''))))]",
          "name": "[variables('name_publicIPAddress')]",
          "location": "[parameters('location')]",
          "properties": {
@@ -482,12 +487,19 @@
          "condition": "[equals(parameters('virtualNetworkNewOrExisting'), 'existing')]",
          "name": "[variables('name_nic_without_pub_ip')]",
          "location": "[parameters('location')]",
+         "dependsOn": [
+            "[resourceId('Microsoft.Network/publicIPAddresses/', variables('name_publicIPAddress'))]",
+            "[resourceId('Microsoft.Network/virtualNetworks/', variables('name_virtualNetwork'))]"
+         ],
          "properties": {
             "ipConfigurations": [
                {
                   "name": "ipconfig1",
                   "properties": {
                      "privateIPAllocationMethod": "Dynamic",
+                     "publicIPAddress": {
+                        "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('name_publicIPAddress'))]"
+                     },
                      "subnet": {
                         "id": "[variables('ref_subnet')]"
                      }

weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/adminTemplateForCustomSSL.json

@@ -27,6 +27,12 @@
             "description": "A unique suffix that was specified during the deployment of the solution template."
          }
       },
+      "const_guidTag" :{
+         "type": "string",
+         "metadata": {
+            "description": "A unique tag for resources."
+         }
+      },
       "adminPasswordOrKey": {
          "type": "securestring",
          "metadata": {
@@ -478,8 +484,7 @@
       {
          "apiVersion": "${azure.apiVersionForPublicIPAddresses}",
          "type": "Microsoft.Network/publicIPAddresses",
-         "tags": "[parameters('tagsByResource')['${identifier.publicIPAddresses}']]",
-         "condition": "[equals(parameters('virtualNetworkNewOrExisting'), 'new')]",
+         "tags": "[if(equals(parameters('virtualNetworkNewOrExisting'), 'new'),parameters('tagsByResource')['${identifier.publicIPAddresses}'],if(empty(parameters('tagsByResource')['${identifier.publicIPAddresses}']),createObject(parameters('const_guidTag'),''),union(parameters('tagsByResource')['${identifier.publicIPAddresses}'],createObject(parameters('const_guidTag'),''))))]",
          "name": "[variables('name_publicIPAddress')]",
          "location": "[parameters('location')]",
          "properties": {
@@ -488,7 +493,7 @@
                "domainNameLabel": "[concat(toLower(parameters('dnsLabelPrefix')),'-',take(replace(parameters('guidValue'), '-', ''), 10),'-',toLower(parameters('wlsDomainName')))]"
             }
          }
-      },
+      },	  
       {
          "apiVersion": "${azure.apiVersionForVirtualNetworks}",
          "type": "Microsoft.Network/virtualNetworks",
@@ -554,12 +559,19 @@
          "condition": "[equals(parameters('virtualNetworkNewOrExisting'), 'existing')]",
          "name": "[variables('name_nic_without_pub_ip')]",
          "location": "[parameters('location')]",
+          "dependsOn": [
+            "[resourceId('Microsoft.Network/publicIPAddresses/', variables('name_publicIPAddress'))]",
+            "[resourceId('Microsoft.Network/virtualNetworks/', variables('name_virtualNetwork'))]"
+         ],
          "properties": {
             "ipConfigurations": [
                {
                   "name": "ipconfig1",
                   "properties": {
                      "privateIPAllocationMethod": "Dynamic",
+                     "publicIPAddress": {
+                        "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('name_publicIPAddress'))]"
+                     },
                      "subnet": {
                         "id": "[variables('ref_subnet')]"
                      }

weblogic-azure-vm/arm-oraclelinux-wls-admin/src/main/arm/nestedtemplates/postDeploymentTemplate.json

@@ -0,0 +1,107 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+		"location": {
+		   "type": "string",
+		   "metadata": {
+		      "description": "Location for all resources."
+		   }
+		},
+		"_globalResourceNameSuffix": {
+		   "type": "string",
+		   "metadata": {
+		      "description": "A unique suffix that was specified during the deployment of the solution template."
+		   }
+		},
+		"tagsByResource": {
+		    "type": "object",
+		    "defaultValue": {},
+		    "metadata": {
+		        "description": "${label.tagsLabel}"
+		    }
+		},
+		"const_guidTag" :{
+			"type": "string",
+			"metadata": {
+			   "description": "A unique tag for resources."
+			}
+		},
+		"_artifactsLocation": {
+		   "type": "string",
+		   "metadata": {
+		      "description": "The base URI where artifacts required by this template are located. When the template is deployed using the accompanying scripts, a private location in the subscription will be used and this value will be automatically generated."
+		   }
+		},
+		"_artifactsLocationAdminTemplate": {
+		   "defaultValue": "[if(contains(parameters('_artifactsLocation'), 'githubusercontent'), parameters('_artifactsLocation'), deployment().properties.templateLink.uri)]",
+		   "type": "string",
+		   "metadata": {
+		      "description": "If we are deploying from the command line, use the passed in _artifactsLocation, otherwise use the default."
+		   }
+		},
+		"_artifactsLocationSasToken": {
+		   "type": "securestring",
+		   "metadata": {
+		      "description": "The sasToken required to access _artifactsLocation.  When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured."
+		   }
+		},
+		"userAssignedIdentityResourceId":{
+			"type": "string",
+			"metadata": { 
+				"Description": "UserAssigned Identity"
+			}
+		},
+		"utcValue": {
+		  "type": "string",
+		  "defaultValue": "[utcNow()]"
+		}		
+    },
+    "variables": {
+		"name_postDeploymentscriptFile": "postDeploymentScript.sh"
+    },
+    "resources": [
+		{
+		    "type": "Microsoft.Resources/deploymentScripts",
+		    "apiVersion": "${azure.apiVersionForDeploymentScript}",
+			"tags": "[parameters('tagsByResource')['${identifier.deploymentScripts}']]",
+			"name": "[concat('postdeployscript-', parameters('_globalResourceNameSuffix'))]",
+			"kind": "AzureCLI",
+			"location": "[parameters('location')]",
+			"identity": {
+			       "type": "UserAssigned",
+			       "userAssignedIdentities": {
+			        "[parameters('userAssignedIdentityResourceId')]": {}
+					}
+			 },
+			"properties": {
+				"forceUpdateTag": "[parameters('utcValue')]",
+				"azCliVersion": "2.9.1",
+				"timeout": "PT30M",
+				"cleanupPreference": "OnSuccess",
+				"retentionInterval": "P1D",
+				"primaryScriptUri": "[uri(parameters('_artifactsLocationAdminTemplate'), concat('../scripts/', variables('name_postDeploymentscriptFile'), parameters('_artifactsLocationSasToken')))]",
+				"environmentVariables": [
+					{
+						"name": "MANAGED_IDENTITY_ID",
+						"value": "[parameters('userAssignedIdentityResourceId')]"
+					},
+					{
+					    "name": "RESOURCE_GROUP_NAME",
+					    "value": "[resourceGroup().name]"	
+					},
+					{
+						"name": "GUID_TAG",
+						"value": "[parameters('const_guidTag')]"
+					}
+				]
+			}
+		}
+    ],
+    "outputs": {
+		"userAssignedIdentityResource": {
+		         "type": "string",
+		         "value": "[parameters('userAssignedIdentityResourceId')]"
+		 }
+    }
+}