Merge and validate secured production mode in WLS for OCI

terraform/data_sources.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 data "oci_identity_regions" "home_region" {
@@ -209,3 +209,9 @@ data "oci_core_instances" "provisioned_instances" {
   }
 }
 
+data "oci_certificates_management_certificate_authority" "root_certificate_authority" {
+  count = var.configure_secure_mode && var.root_ca_id != "" ? 1 : 0
+  #Required
+  certificate_authority_id = var.root_ca_id
+}
+

terraform/locals.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 locals {
@@ -93,7 +93,7 @@ locals {
   deploy_sample_app = (var.deploy_sample_app && var.wls_edition != "SE")
 
   admin_ip_address      = local.assign_weblogic_public_ip ? module.compute.instance_public_ips[0] : module.compute.instance_private_ips[0]
-  admin_console_app_url = format("https://%s:%s/console", local.admin_ip_address, var.wls_extern_ssl_admin_port)
+  admin_console_app_url = format("https://%s:%s/console", local.admin_ip_address, local.wls_extern_ssl_admin_port)
   sample_app_protocol   = local.add_load_balancer ? "https" : "http"
   sample_app_url_lb_ip  = local.deploy_sample_app && local.add_load_balancer ? format("%s://%s/sample-app", local.sample_app_protocol, local.lb_ip) : ""
   sample_app_url_wls_ip = local.deploy_sample_app ? format("https://%s:%s/sample-app", local.admin_ip_address, var.wls_ms_extern_ssl_port) : ""
@@ -184,4 +184,16 @@ locals {
   is_rms_private_endpoint_required  = var.is_rms_private_endpoint_required && var.wls_existing_vcn_id != "" && var.wls_subnet_id != "" && !local.assign_weblogic_public_ip ? true : false
   add_new_rms_private_endpoint      = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Create New Resource Manager Endpoint" ? true : false
   add_existing_rms_private_endpoint = local.is_rms_private_endpoint_required && var.add_rms_private_endpoint == "Use Existing Resource Manager Endpoint" ? true : false
+
+  # Secured Production Mode
+  preserve_boot_properties          = var.configure_secure_mode ? var.preserve_boot_properties : true
+  wls_admin_port                    = var.configure_secure_mode ? var.administration_port : var.wls_admin_port
+  keystore_password_id              = var.configure_secure_mode ? var.keystore_password_id : ""
+  root_ca_id                        = var.configure_secure_mode ? var.root_ca_id : ""
+  cert_compartment_id               = var.cert_compartment_id == "" ? local.network_compartment_id : var.cert_compartment_id
+  wls_domain_configuration          = var.configure_secure_mode ? "Secured Production Mode" : "Production Mode"
+  wls_extern_ssl_admin_port         = var.configure_secure_mode ? var.administration_port : var.wls_extern_ssl_admin_port
+  wls_admin_user                    = var.configure_secure_mode ? var.wls_primary_admin_user : var.wls_admin_user
+  wls_secondary_admin_password_id   = var.configure_secure_mode ? var.wls_secondary_admin_password_id : ""
+  root_ca_compartment_id            = var.configure_secure_mode && var.root_ca_id != "" ? data.oci_certificates_management_certificate_authority.root_certificate_authority[0].compartment_id : ""
 }

terraform/main.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023,2024, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 ### Removing network validation script from provisioning flow temporarily.
@@ -63,9 +63,12 @@ module "network-vcn-config" {
   wls_extern_ssl_admin_port  = var.wls_extern_ssl_admin_port
   wls_extern_admin_port      = var.wls_extern_admin_port
   wls_expose_admin_port      = var.wls_expose_admin_port
+  wls_admin_ssl_port         = var.wls_admin_ssl_port
   wls_admin_port_source_cidr = var.wls_admin_port_source_cidr
-  wls_ms_content_port        = local.add_load_balancer ? (var.is_idcs_selected ? var.idcs_cloudgate_port : var.wls_ms_extern_port) : var.wls_ms_extern_ssl_port
+  wls_ms_content_port        = local.add_load_balancer ? (var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)) : var.wls_ms_extern_ssl_port
   assign_backend_public_ip   = local.assign_weblogic_public_ip
+  configure_secure_mode      = var.configure_secure_mode
+  administration_port        = var.administration_port
 
   wls_subnet_cidr              = local.wls_subnet_cidr
   wls_ms_source_cidrs          = local.add_load_balancer ? [local.lb_subnet_1_subnet_cidr] : ["0.0.0.0/0"]
@@ -239,6 +242,12 @@ module "policies" {
   fss_compartment_id               = var.fss_compartment_id == "" ? var.compartment_ocid : var.fss_compartment_id
   mount_target_compartment_id      = var.mount_target_compartment_id == "" ? var.compartment_ocid : var.mount_target_compartment_id
   is_rms_private_endpoint_required = local.is_rms_private_endpoint_required
+  instance_image_id                = var.instance_image_id
+  configure_secure_mode            = var.configure_secure_mode
+  keystore_password_id             = local.keystore_password_id
+  cert_compartment_id              = local.cert_compartment_id
+  root_ca_compartment_id           = local.root_ca_compartment_id
+  wls_secondary_admin_password_id  = local.wls_secondary_admin_password_id
 }
 
 module "bastion" {
@@ -464,6 +473,14 @@ module "validators" {
   provisioned_node_count = length(data.oci_core_instances.provisioned_instances.instances.*.display_name)
   use_marketplace_image  = var.use_marketplace_image
   wls_edition            = var.wls_edition
+
+  # Secured Production Mode
+  configure_secure_mode           = var.configure_secure_mode
+  keystore_password_id            = local.keystore_password_id
+  root_ca_id                      = local.root_ca_id
+  wls_secondary_admin_password_id = local.wls_secondary_admin_password_id
+  administration_port             = var.administration_port
+  ms_administration_port          = var.ms_administration_port
 }
 
 module "fss" {
@@ -591,7 +608,7 @@ module "compute" {
   tf_script_version         = var.tf_script_version
   use_regional_subnet       = local.use_regional_subnet
   wls_14c_jdk_version       = var.wls_14c_jdk_version
-  wls_admin_user            = var.wls_admin_user
+  wls_admin_user            = local.wls_admin_user
   wls_admin_password_id     = var.wls_admin_password_id
   wls_admin_server_name     = format("%s_adminserver", local.service_name_prefix)
   wls_ms_server_name        = format("%s_server_", local.service_name_prefix)
@@ -604,13 +621,25 @@ module "compute" {
   wls_machine_name          = format("%s_machine_", local.service_name_prefix)
   wls_extern_admin_port     = var.wls_extern_admin_port
   wls_extern_ssl_admin_port = var.wls_extern_ssl_admin_port
-  wls_admin_port            = var.wls_admin_port
+  wls_admin_port            = local.wls_admin_port
   wls_admin_ssl_port        = var.wls_admin_ssl_port
   wls_domain_name           = format("%s_domain", local.service_name_prefix)
   wls_server_startup_args   = var.wls_server_startup_args
   wls_existing_vcn_id       = var.wls_existing_vcn_id
   create_policies           = var.create_policies
 
+  # Secured Production Mode
+  configure_secure_mode              = var.configure_secure_mode
+  preserve_boot_properties           = local.preserve_boot_properties
+  administration_port                = var.administration_port
+  ms_administration_port             = var.ms_administration_port
+  keystore_password_id               = local.keystore_password_id
+  root_ca_id                         = local.root_ca_id
+  cert_compartment_id                = local.cert_compartment_id
+  thread_pool_limit                  = var.thread_pool_limit
+  wls_secondary_admin_user           = var.wls_secondary_admin_user
+  wls_secondary_admin_password_id    = local.wls_secondary_admin_password_id
+
   #The following two are for adding a dependency on the peering module
   wls_vcn_peering_dns_resolver_id           = element(flatten(concat(module.vcn-peering[*].wls_vcn_dns_resolver_id, [""])), 0)
   wls_vcn_peering_route_table_attachment_id = local.assign_weblogic_public_ip ? element(flatten(concat(module.vcn-peering[*].wls_vcn_public_route_table_attachment_id, [""])), 0) : element(flatten(concat(module.vcn-peering[*].wls_vcn_private_route_table_attachment_id, [""])), 0)
@@ -709,8 +738,11 @@ module "load-balancer-backends" {
   lb_backendset_name   = local.lb_backendset_name
   num_vm_instances     = var.wls_node_count
   instance_private_ips = module.compute.instance_private_ips
-  backend_port         = var.is_idcs_selected ? var.idcs_cloudgate_port : var.wls_ms_extern_port
+  backend_port         = var.is_idcs_selected ? var.idcs_cloudgate_port : (var.configure_secure_mode ? var.wls_ms_extern_ssl_port : var.wls_ms_extern_port)
   health_check_url     = var.is_idcs_selected ? "/cloudgate" : "/"
+
+  configure_secure_mode    = var.configure_secure_mode
+  root_ca_id               = local.root_ca_id
 }
 
 module "observability-logging" {

terraform/modules/compute/wls_compute/variables.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023,2024, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 variable "tenancy_id" {
@@ -293,3 +293,56 @@ variable "is_ucm_image" {
   type        = bool
   description = "The metadata info to send it to instance to determine if its ucm image based instance or not"
 }
+
+# All the variables under this comment belong to Secured Production Mode
+variable "configure_secure_mode" {
+  type        = bool
+  description = "Set to true to configure a secure WebLogic domain"
+}
+
+variable "preserve_boot_properties" {
+  type        = bool
+  description = "Set to true to preserve the boot.properties file for administration server and managed servers"
+}
+
+variable "administration_port" {
+  type        = number
+  description = "The domain-wide administration port to configure a secure WebLogic domain"
+}
+
+variable "ms_administration_port" {
+  type        = number
+  description = "The administration port for managed servers to configure a secure WebLogic domain"
+}
+
+variable "keystore_dir" {
+  type        = string
+  description = "The directory where the pkcs12 keystores will be created in the compute instance when secured production mode is enabled."
+  default     = "/u01/data/keystores"
+}
+
+variable "keystore_password_id" {
+  type        = string
+  description = "The OCID of the vault secret with the password for creating the keystore"
+}
+
+variable "root_ca_id" {
+  type        = string
+  description = "The OCID of the existing root certificate authority to issue the certificates"
+}
+
+variable "cert_compartment_id" {
+  type        = string
+  description = "The OCID of the compartment where the certificate will be created. Leave it blank to use the network compartment for the certificate"
+}
+
+variable "thread_pool_limit" {
+  type        = number
+  description = "Shared Capacity For Work Managers"
+}
+
+variable "certificate_id" {
+  type        = string
+  description = "The OCID of the SSL certificate to configure a secure WebLogic domain"
+  default     = ""
+}

terraform/modules/compute/wls_compute/wls_compute.tf

@@ -54,7 +54,6 @@ module "wls-instances" {
       wls_ms_server_name                 = var.wls_ms_server_name
       wls_admin_server_name              = var.wls_admin_server_name
       wls_cluster_name                   = var.wls_cluster_name
-      wls_cluster_mc_port                = var.wls_cluster_mc_port
       wls_machine_name                   = var.wls_machine_name
       wls_server_startup_args            = var.wls_server_startup_args
       total_vm_count                     = var.num_vm_instances
@@ -69,6 +68,20 @@ module "wls-instances" {
       is_bastion_instance_required       = var.is_bastion_instance_required
       create_policies                    = var.create_policies
 
+      # Secured Production Mode
+      configure_secure_mode              = var.configure_secure_mode
+      preserve_boot_properties           = var.preserve_boot_properties
+      administration_port                = var.administration_port
+      ms_administration_port             = var.ms_administration_port
+      keystore_dir                       = var.keystore_dir
+      keystore_password_id               = var.keystore_password_id
+      root_ca_id                         = var.root_ca_id
+      cert_compartment_id                = var.cert_compartment_id
+      certificate_id                     = var.certificate_id
+      thread_pool_limit                  = var.thread_pool_limit
+      wls_secondary_admin_user           = var.wls_secondary_admin_user
+      wls_secondary_admin_password_ocid  = var.wls_secondary_admin_password_id
+
       user_data            = data.template_cloudinit_config.config.rendered
       mode                 = var.mode
       wls_version          = var.wls_version

terraform/modules/compute/wls_compute/wls_variables.tf

@@ -13,7 +13,8 @@ variable "wls_edition" {
 
 variable "wls_admin_user" {
   type        = string
-  description = "The name of the admin user that will be added to the WebLogic domain"
+  description = "Name of WebLogic administration user"
+  default     = "weblogic"
   validation {
     condition     = replace(var.wls_admin_user, "/^[a-zA-Z][a-zA-Z0-9_-]{7,127}/", "0") == "0"
     error_message = "WLSC-ERROR: The value for wls_admin_user should be between 8 and 128 characters long and alphanumeric, and can contain underscore (_) and hyphen(-) special characters."
@@ -137,16 +138,6 @@ variable "wls_ms_ssl_port" {
   }
 }
 
-variable "wls_cluster_mc_port" {
-  type        = number
-  description = "The managed server port on which to send heartbeats and other internal cluster traffic"
-  default     = 5555
-  validation {
-    condition     = var.wls_cluster_mc_port > 0
-    error_message = "WLSC-ERROR: The value for wls_cluster_mc_port should be greater than 0."
-  }
-}
-
 variable "wls_nm_port" {
   type        = number
   description = "The listen port number for the node manager process on all compute instances"
@@ -170,8 +161,8 @@ variable "provisioning_timeout_mins" {
 
 variable "wls_admin_server_wait_timeout_mins" {
   type        = number
-  description = "Teh timeout in minutes for the administration server to enroll to node manager"
-  default     = 30
+  description = "The timeout in minutes for the administration server to enroll to node manager"
+  default     = 10
 }
 
 variable "wls_version" {
@@ -228,3 +219,29 @@ variable "wls_version_to_rcu_component_list_map" {
     "12.2.1.4" = "MDS,WLS,STB,IAU_APPEND,IAU_VIEWER,UCSUMS,IAU,OPSS"
   }
 }
+
+# All variables under this comment belong to secured production mode
+variable "wls_primary_admin_user" {
+  type        = string
+  description = "Name of primary WebLogic administration user"
+  default     = "wls_user"
+  validation {
+    condition     = replace(var.wls_primary_admin_user, "/^[a-zA-Z][a-zA-Z0-9_-]{7,127}/", "0") == "0" && !contains(["system", "admin", "administrator", "weblogic"], var.wls_primary_admin_user)
+    error_message = "WLSC-ERROR: The value for wls_primary_admin_user should be between 8 and 128 characters long and alphanumeric, and can contain underscore (_) and hyphen(-) special characters, and should not be system, admin, administrator, or weblogic."
+  }
+}
+
+variable "wls_secondary_admin_user" {
+  type        = string
+  description = "Name of secondary WebLogic administration user"
+  default     = "wls_user_1"
+  validation {
+    condition     = replace(var.wls_secondary_admin_user, "/^[a-zA-Z][a-zA-Z0-9_-]{7,127}/", "0") == "0" && !contains(["system", "admin", "administrator", "weblogic"], var.wls_secondary_admin_user)
+    error_message = "WLSC-ERROR: The value for wls_secondary_admin_user should be between 8 and 128 characters long and alphanumeric, and can contain underscore (_) and hyphen(-) special characters, and should not be system, admin, administrator, or weblogic."
+  }
+}
+
+variable "wls_secondary_admin_password_id" {
+  type        = string
+  description = "The OCID of the vault secret with the password for secondary WebLogic administration user"
+}

terraform/modules/lb/backends/lb_backends.tf

@@ -1,4 +1,4 @@
-# Copyright (c) 2023, Oracle and/or its affiliates.
+# Copyright (c) 2023, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 locals {
@@ -9,7 +9,7 @@ locals {
 
 resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
   # If using existing load balancer, use per-created backend set of existing lb
-  count = var.use_existing_lb ? 0 : 1
+  count = var.configure_secure_mode ? 0 : var.use_existing_lb ? 0 : 1
 
   name             = var.lb_backendset_name
   load_balancer_id = var.load_balancer_id
@@ -27,11 +27,41 @@ resource "oci_load_balancer_backend_set" "wls_lb_backendset" {
   lb_cookie_session_persistence_configuration {}
 }
 
+resource "oci_load_balancer_backend_set" "wls_lb_backendset_secure_mode" {
+  # If using existing load balancer in secured production mode, use per-created backend set of existing lb
+  count = var.use_existing_lb ? 0 : var.configure_secure_mode ? 1 : 0
+
+  name             = var.lb_backendset_name
+  load_balancer_id = var.load_balancer_id
+  policy           = var.lb_policy
+
+  health_checker {
+    port                = var.backend_port
+    protocol            = var.lb_protocol
+    response_body_regex = ".*"
+    url_path            = local.health_check_url_path
+    return_code         = var.return_code
+  }
+
+  ssl_configuration {
+    trusted_certificate_authority_ids = [var.root_ca_id]
+    verify_depth = 1
+    verify_peer_certificate = true
+  }
+
+  # Set the session persistence to lb-session-persistence with all default values.
+  lb_cookie_session_persistence_configuration {}
+
+  lifecycle {
+    ignore_changes = [ssl_configuration]
+  }
+}
+
 resource "oci_load_balancer_listener" "wls_lb_listener_https" {
   count                    = local.use_https_listener_count
   load_balancer_id         = var.load_balancer_id
   name                     = "${var.resource_name_prefix}_https"
-  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
+  default_backend_set_name = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[count.index].name : oci_load_balancer_backend_set.wls_lb_backendset[count.index].name
   port                     = var.lb_https_lstr_port
   protocol                 = var.lb_protocol
   rule_set_names           = [oci_load_balancer_rule_set.SSL_headers[count.index].name]
@@ -51,10 +81,10 @@ resource "oci_load_balancer_listener" "wls_lb_listener_https" {
 }
 
 resource "oci_load_balancer_backend" "wls_lb_backend" {
-  count = var.use_existing_lb || (length(oci_load_balancer_backend_set.wls_lb_backendset) > 0) ? var.num_vm_instances : 0
+  count = var.use_existing_lb || (length(oci_load_balancer_backend_set.wls_lb_backendset) > 0) || (length(oci_load_balancer_backend_set.wls_lb_backendset_secure_mode) > 0) ? var.num_vm_instances : 0
 
   load_balancer_id = var.load_balancer_id
-  backendset_name  = var.use_existing_lb ? var.lb_backendset_name : oci_load_balancer_backend_set.wls_lb_backendset[0].name
+  backendset_name  = var.use_existing_lb ? var.lb_backendset_name : var.configure_secure_mode ? oci_load_balancer_backend_set.wls_lb_backendset_secure_mode[0].name : oci_load_balancer_backend_set.wls_lb_backendset[0].name
   ip_address       = var.instance_private_ips[count.index]
   port             = var.backend_port
   backup           = false