Topic sk main 1 (#189)

skommala · web-flow · commit 9315b09658a1 · 2023-04-05T09:47:40.000-07:00
- Updating image versions with autoscaling functions issues addressed
- Remove requirement from network validation script for private load balancer to open to 0.0.0.0/0 CIDR.
diff --git a/terraform/images/mp_image_ee_byol.tfvars b/terraform/images/mp_image_ee_byol.tfvars
@@ -4,9 +4,9 @@
 tf_script_version        = "23.1.3-230323195128"
 use_marketplace_image    = true
 listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaawd5ti5ldjzdppppi675onvo3mvjcwt64jjey7rib3beau2ngkl2q"
-listing_resource_version = "23.1.3-ol7.9-22.08.29-230323-1"
-instance_image_id        = "ocid1.image.oc1..aaaaaaaadgqvwsbfcm6bjaowtogdym4kv5gffi6rwv3d5po2o4vk2smwwcxa"
+listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+instance_image_id        = "ocid1.image.oc1..aaaaaaaaxtluh6hcu57iwdkq6eyycporj4fxttwrnevipybbl53h6xd2ysjq"
 
 ucm_listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaa653zc2e4fsem5hhwinmfgnv3xp4dmbq6c6gvf45okxf6xz3smhiq"
-ucm_listing_resource_version = "23.1.3-ol7.9-22.08.29-230323-1"
-ucm_instance_image_id        = "ocid1.image.oc1..aaaaaaaagmy46blg6wrvwvozvnui25jxaus5jt6fquv2efkktcf2p6vnveiq"
+ucm_listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+ucm_instance_image_id        = "ocid1.image.oc1..aaaaaaaal7yykedaeoibixspndnemfynqzfmj5umooepdw6xnftdkyc3qu6q"
diff --git a/terraform/images/mp_image_ee_ucm.tfvars b/terraform/images/mp_image_ee_ucm.tfvars
@@ -4,5 +4,5 @@
 tf_script_version        = "23.1.3-230323195128"
 use_marketplace_image    = true
 listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaa653zc2e4fsem5hhwinmfgnv3xp4dmbq6c6gvf45okxf6xz3smhiq"
-listing_resource_version = "23.1.3-ol7.9-22.08.29-230323-1"
-instance_image_id        = "ocid1.image.oc1..aaaaaaaagmy46blg6wrvwvozvnui25jxaus5jt6fquv2efkktcf2p6vnveiq"
+listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+instance_image_id        = "ocid1.image.oc1..aaaaaaaal7yykedaeoibixspndnemfynqzfmj5umooepdw6xnftdkyc3qu6q"
diff --git a/terraform/images/mp_image_se_byol.tfvars b/terraform/images/mp_image_se_byol.tfvars
@@ -1,8 +1,8 @@
 # Copyright (c) 2023, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v1.0 as shown at https://oss.oracle.com/licenses/upl.
 
-tf_script_version        = "23.1.1-230118062825"
+tf_script_version        = "23.1.3-230323195128"
 use_marketplace_image    = true
 listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaaalcwal6mfwjbezzqyj3waoxrvigml4n3lcn3hfday3ozetjqn25a"
-listing_resource_version = "23.1.1-ol7.9-22.08.29-230118-1"
-instance_image_id        = "ocid1.image.oc1..aaaaaaaa3wt3nt5w44bjllp3hjg37rxbtt34qijzzuv2v6youp3my2eadtha"
+listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+instance_image_id        = "ocid1.image.oc1..aaaaaaaahligehnfnp2xftozjwuhgfkpkadq6pushc2sb7nealnxzqo2zx7a"
diff --git a/terraform/images/mp_image_suite_byol.tfvars b/terraform/images/mp_image_suite_byol.tfvars
@@ -4,9 +4,9 @@
 tf_script_version        = "23.1.3-230323195128"
 use_marketplace_image    = true
 listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaajl5w3d76x5vdc4n7oqjpsxh4jtwivclvvp6gj4em3kufju6sftga"
-listing_resource_version = "23.1.3-ol7.9-22.08.29-230323-1"
-instance_image_id        = "ocid1.image.oc1..aaaaaaaar3qjebqyaqpqwqzeg2mtf2gt4oosly23qaeb4k76fzhprnphnuxa"
+listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+instance_image_id        = "ocid1.image.oc1..aaaaaaaabmhlyilqghz5otg6w7nso3k3bhxwvy33nvfnlshkflxwa566jsua"
 
 ucm_listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaaq2vkow7zwkxg6ky4zxsnckdlfgtgmg7i4kkyev3y6zyo72mpkgza"
-ucm_listing_resource_version = "23.1.3-ol7.9-22.08.29-230323-1"
-ucm_instance_image_id        = "ocid1.image.oc1..aaaaaaaaxrntnjc2btd7o3rig3wpqkyskair2iospvquto2ofjt2tmuuujya"
+ucm_listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+ucm_instance_image_id        = "ocid1.image.oc1..aaaaaaaata2m6fw5ox4xz3c4w7ujsobiaqyhtfcz67jlut33kgbxpk2mhejq"
diff --git a/terraform/images/mp_image_suite_ucm.tfvars b/terraform/images/mp_image_suite_ucm.tfvars
@@ -4,5 +4,5 @@
 tf_script_version        = "23.1.3-230323195128"
 use_marketplace_image    = true
 listing_id               = "ocid1.appcataloglisting.oc1..aaaaaaaaq2vkow7zwkxg6ky4zxsnckdlfgtgmg7i4kkyev3y6zyo72mpkgza"
-listing_resource_version = "23.1.3-ol7.9-22.08.29-230323-1"
-instance_image_id        = "ocid1.image.oc1..aaaaaaaaxrntnjc2btd7o3rig3wpqkyskair2iospvquto2ofjt2tmuuujya"
+listing_resource_version = "23.1.3-ol7.9-22.08.29-230403-1"
+instance_image_id        = "ocid1.image.oc1..aaaaaaaata2m6fw5ox4xz3c4w7ujsobiaqyhtfcz67jlut33kgbxpk2mhejq"
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -21,6 +21,7 @@ module "network-validation" {
   existing_lb_nsg_id             = var.add_existing_nsg && var.add_load_balancer ? var.existing_lb_nsg_id : ""
   existing_mount_target_nsg_id   = var.add_existing_nsg && var.add_fss ? var.existing_mount_target_nsg_id : ""
   existing_bastion_nsg_id        = var.add_existing_nsg && var.is_bastion_instance_required ? var.existing_bastion_nsg_id : ""
+  lb_source_cidr                 = var.add_load_balancer ? (var.is_lb_private ? "" : "0.0.0.0/0") : ""
 }
 
 module "system-tags" {
diff --git a/terraform/modules/network-validator/locals.tf b/terraform/modules/network-validator/locals.tf
@@ -7,6 +7,7 @@ locals {
   validation_script_bastion_ip_param                     = var.bastion_ip != "" ? format("--bastionip %s", var.bastion_ip) : ""
   validation_script_lb_subnet_1_param                    = var.lb_subnet_1_id != "" ? format("--lbsubnet1 %s", var.lb_subnet_1_id) : ""
   validation_script_lb_subnet_2_param                    = var.lb_subnet_2_id != "" ? format("--lbsubnet2 %s", var.lb_subnet_2_id) : ""
+  validation_script_lb_source_cidr_param                 = var.lb_source_cidr != "" ? format("--lbsourcecidr %s", var.lb_source_cidr) : ""
   validation_script_wls_lb_port                          = var.wls_ms_extern_port != "" ? format("--externalport %s", var.wls_ms_extern_port) : ""
   validation_script_mount_target_subnet_param            = var.mount_target_subnet_id != "" ? format("--fsssubnet %s", var.mount_target_subnet_id) : ""
   validation_script_atp_db_id_param                      = var.atp_db_id != "" ? format("--atpdbid %s", var.atp_db_id) : ""
diff --git a/terraform/modules/network-validator/scripts/network_validation.sh b/terraform/modules/network-validator/scripts/network_validation.sh
@@ -37,6 +37,7 @@ LB_NSG_OCID=""
 FSS_NSG_OCID=""
 LPG_OCID=""
 ALL_IPS="0.0.0.0/0"
+LB_SOURCE_CIDR=""
 NETWORK_VALIDATION_MSG="Fix the network validation script errors and re-run the script in the cloud shell"
 
 debug=false
@@ -240,6 +241,9 @@ function check_tcp_port_open_in_seclist_or_nsg() {
         else
           source_in_cidr_range=1
         fi
+      elif [[ $source = "" ]]
+      then
+        source_in_cidr_range=0
       else
         source_in_cidr_range=$(in_cidr_range $ingress_source $source ; echo $?)
       fi
@@ -519,9 +523,10 @@ This script is used to validate existing subnets, and optionally network securit
   -g, --lpg           OCID of the Local Peering Gateway (LPG) in the DB VCN
   -b, --bastionsubnet Bastion Subnet OCID
   -i, --bastionip     Bastion Host IP. Provide this if using existing bastion
+  -j, --lbsourcecidr  Load Balance Source CIDR
   -u, --lbsubnet1     Load Balancer Subnet 1 OCID
   -v, --lbsubnet2     Load Balancer Subnet 2 OCID which is required only for AD subnet
-  -l,  --externalport WebLogic Managed Server External Port
+  -l, --externalport  WebLogic Managed Server External Port
   -f, --fsssubnet     File Storage Service (FSS) Mount Target Subnet OCID
   -a, --adminsrvnsg   OCID of the Network Security Group (NSG) for the administration server (Required if using NSGs instead of security lists)
   -m, --managedsrvnsg OCID of the Network Security Group (NSG) for the managed servers (Required if using NSGs instead of security lists)
@@ -587,6 +592,7 @@ while [[ $1 = -?* ]]; do
     -g|--lpg) shift; LPG_OCID=${1} ;;
     -b|--bastionsubnet) shift; BASTION_SUBNET_OCID=${1} ;;
     -i|--bastionip) shift; BASTION_HOST_IP=${1} ;;
+    -j|--lbsourcecidr) shift; LB_SOURCE_CIDR=${1} ;;
     -u|--lbsubnet1) shift; LB_SUBNET_1_OCID=${1} ;;
     -v|--lbsubnet2) shift; LB_SUBNET_2_OCID=${1} ;;
     -l|--externalport) shift; WLS_LB_PORT=${1} ;;
@@ -963,20 +969,18 @@ if [[ -n ${LB_SUBNET_1_OCID} ]]
 then
   if [[ -z ${LB_NSG_OCID} ]]
   then
-    res=$(validate_subnet_port_access "${LB_SUBNET_1_OCID}" ${LB_PORT} "${ALL_IPS}")
+    res=$(validate_subnet_port_access "${LB_SUBNET_1_OCID}" ${LB_PORT} "${LB_SOURCE_CIDR}")
     if [[ $res -ne 0 ]]
     then
-      echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in LB Subnet CIDR [${LB_SUBNET_1_OCID}]. ${NETWORK_VALIDATION_MSG}"
-      validation_return_code=2
+      echo "WARNING : Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in LB Subnet CIDR [${LB_SUBNET_1_OCID}]. ${NETWORK_VALIDATION_MSG}"
     fi
   else
     if [[ -n ${ADMIN_SRV_NSG_OCID} && -n ${MANAGED_SRV_NSG_OCID} ]]
     then
-      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "$ALL_IPS" "nsg")
+      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "${LB_SOURCE_CIDR}" "nsg")
       if [[ $res -ne 0 ]]
       then
-        echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
-        validation_return_code=2
+        echo "WARNING : Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
       fi
     fi
   fi
@@ -1014,20 +1018,18 @@ if [[ -n ${LB_SUBNET_2_OCID} ]]
 then
   if [[ -z ${LB_NSG_OCID} ]]
   then
-    res=$(validate_subnet_port_access "${LB_SUBNET_2_OCID}" ${LB_PORT} "${ALL_IPS}")
+    res=$(validate_subnet_port_access "${LB_SUBNET_2_OCID}" ${LB_PORT} "${LB_SOURCE_CIDR}")
     if [[ $res -ne 0 ]]
     then
-      echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in LB Subnet CIDR [${LB_SUBNET_2_OCID}]. ${NETWORK_VALIDATION_MSG}"
-      validation_return_code=2
+      echo "WARNING: Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in LB Subnet CIDR [${LB_SUBNET_2_OCID}]. ${NETWORK_VALIDATION_MSG}"
     fi
   else
     if [[ -n ${ADMIN_SRV_NSG_OCID} && -n ${MANAGED_SRV_NSG_OCID} ]]
     then
-      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "$ALL_IPS" "nsg")
+      res=$(check_tcp_port_open_in_seclist_or_nsg $LB_NSG_OCID "${LB_PORT}" "${LB_SOURCE_CIDR}" "nsg")
       if [[ $res -ne 0 ]]
       then
-        echo "ERROR: Port [$LB_PORT] is not open for 0.0.0.0/0 in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
-        validation_return_code=2
+        echo "WARNING: Port [$LB_PORT] is not open for ${LB_SOURCE_CIDR} in Load Balancer Server NSG [${LB_NSG_OCID}]. ${NETWORK_VALIDATION_MSG}"
       fi
     fi
   fi
diff --git a/terraform/modules/network-validator/validator.tf b/terraform/modules/network-validator/validator.tf
@@ -3,7 +3,7 @@
 
 resource "null_resource" "validate_network" {
   provisioner "local-exec" {
-    command     = "chmod +x ./scripts/network_validation.sh && ./scripts/network_validation.sh ${local.validation_script_wls_subnet_param} ${local.validation_script_bastion_subnet_param} ${local.validation_script_bastion_ip_param} ${local.validation_script_lb_subnet_1_param} ${local.validation_script_lb_subnet_2_param} ${local.validation_script_wls_lb_port} ${local.validation_script_mount_target_subnet_param} ${local.validation_script_atp_db_id_param} ${local.validation_script_oci_db_dbsystem_id_param} ${local.validation_script_oci_db_port_param} ${local.validation_script_http_port_param} ${local.validation_script_https_port_param} ${local.validation_script_existing_admin_server_nsg_id_param} ${local.validation_script_existing_managed_server_nsg_id_param} ${local.validation_script_existing_lb_nsg_id_param} ${local.validation_script_existing_mount_target_nsg_id_param} ${local.validation_script_existing_bastion_nsg_id_param}"
+    command     = "chmod +x ./scripts/network_validation.sh && ./scripts/network_validation.sh ${local.validation_script_wls_subnet_param} ${local.validation_script_bastion_subnet_param} ${local.validation_script_bastion_ip_param} ${local.validation_script_lb_subnet_1_param} ${local.validation_script_lb_subnet_2_param} ${local.validation_script_wls_lb_port} ${local.validation_script_lb_source_cidr_param} ${local.validation_script_mount_target_subnet_param} ${local.validation_script_atp_db_id_param} ${local.validation_script_oci_db_dbsystem_id_param} ${local.validation_script_oci_db_port_param} ${local.validation_script_http_port_param} ${local.validation_script_https_port_param} ${local.validation_script_existing_admin_server_nsg_id_param} ${local.validation_script_existing_managed_server_nsg_id_param} ${local.validation_script_existing_lb_nsg_id_param} ${local.validation_script_existing_mount_target_nsg_id_param} ${local.validation_script_existing_bastion_nsg_id_param}"
     interpreter = ["/bin/bash", "-c"]
     working_dir = path.module
   }
diff --git a/terraform/modules/network-validator/variables.tf b/terraform/modules/network-validator/variables.tf
@@ -85,3 +85,8 @@ variable "existing_bastion_nsg_id" {
   type        = string
   description = "The OCID of the pre-created NSG that should be attached to the bastion instance"
 }
+
+variable "lb_source_cidr" {
+  type        = string
+  description = "Set to empty value if loadbalancer is set to private"
+}
diff --git a/terraform/schema_14110.yaml b/terraform/schema_14110.yaml
@@ -713,7 +713,7 @@ variables:
     default: false
     required: true
     title: "Skip Network Validation"
-    description: "Skip running network validation script for existing subnets. Existing Virtual Cloud Network can be validated using the network validation script. See <a target=\"_blank\" href=\https://docs.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/weblogic-cloud/user&id=oci_network_validate\>Validate Existing Network Setup</a>"
+    description: "Skip running network validation script for existing subnets. Existing Virtual Cloud Network can be validated using the network validation script. See <a target=\"_blank\" href=\"https://docs.oracle.com/pls/topic/lookup?ctx=en/cloud/paas/weblogic-cloud/user&id=oci_network_validate\">Validate Existing Network Setup</a>"
     visible:
       and:
         - not:

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ module "network-validation" {`
`21`	`21`	`existing_lb_nsg_id = var.add_existing_nsg && var.add_load_balancer ? var.existing_lb_nsg_id : ""`
`22`	`22`	`existing_mount_target_nsg_id = var.add_existing_nsg && var.add_fss ? var.existing_mount_target_nsg_id : ""`
`23`	`23`	`existing_bastion_nsg_id = var.add_existing_nsg && var.is_bastion_instance_required ? var.existing_bastion_nsg_id : ""`
	`24`	`+ lb_source_cidr = var.add_load_balancer ? (var.is_lb_private ? "" : "0.0.0.0/0") : ""`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`module "system-tags" {`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`
`4`	`4`	`resource "null_resource" "validate_network" {`
`5`	`5`	`provisioner "local-exec" {`
`6`		- command = "chmod +x ./scripts/network_validation.sh && ./scripts/network_validation.sh ${local.validation_script_wls_subnet_param} ${local.validation_script_bastion_subnet_param} ${local.validation_script_bastion_ip_param} ${local.validation_script_lb_subnet_1_param} ${local.validation_script_lb_subnet_2_param} ${local.validation_script_wls_lb_port} ${local.validation_script_mount_target_subnet_param} ${local.validation_script_atp_db_id_param} ${local.validation_script_oci_db_dbsystem_id_param} ${local.validation_script_oci_db_port_param} ${local.validation_script_http_port_param} ${local.validation_script_https_port_param} ${local.validation_script_existing_admin_server_nsg_id_param} ${local.validation_script_existing_managed_server_nsg_id_param} ${local.validation_script_existing_lb_nsg_id_param} ${local.validation_script_existing_mount_target_nsg_id_param} ${local.validation_script_existing_bastion_nsg_id_param}"
	`6`	+ command = "chmod +x ./scripts/network_validation.sh && ./scripts/network_validation.sh ${local.validation_script_wls_subnet_param} ${local.validation_script_bastion_subnet_param} ${local.validation_script_bastion_ip_param} ${local.validation_script_lb_subnet_1_param} ${local.validation_script_lb_subnet_2_param} ${local.validation_script_wls_lb_port} ${local.validation_script_lb_source_cidr_param} ${local.validation_script_mount_target_subnet_param} ${local.validation_script_atp_db_id_param} ${local.validation_script_oci_db_dbsystem_id_param} ${local.validation_script_oci_db_port_param} ${local.validation_script_http_port_param} ${local.validation_script_https_port_param} ${local.validation_script_existing_admin_server_nsg_id_param} ${local.validation_script_existing_managed_server_nsg_id_param} ${local.validation_script_existing_lb_nsg_id_param} ${local.validation_script_existing_mount_target_nsg_id_param} ${local.validation_script_existing_bastion_nsg_id_param}"
`7`	`7`	`interpreter = ["/bin/bash", "-c"]`
`8`	`8`	`working_dir = path.module`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,3 +85,8 @@ variable "existing_bastion_nsg_id" {`
`85`	`85`	`type = string`
`86`	`86`	`description = "The OCID of the pre-created NSG that should be attached to the bastion instance"`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+variable "lb_source_cidr" {`
	`90`	`+ type = string`
	`91`	`+ description = "Set to empty value if loadbalancer is set to private"`
	`92`	`+}`