fix(terraform): resolve OCI production deployment issues for managed nodes

Fix multiple issues discovered during OKE managed node pool deployment:
- Add init container to extract Oracle wallet zip and fix sqlnet.ora path
- Add Redis --requirepass command (official image doesn't use REDIS_PASSWORD env)
- Add NSG rules for NodePort range (30000-32767) and kube-proxy health check (10256)
- Add security list rules for LB-to-worker traffic on managed nodes
- Fix LB NSG annotation to use correct OKE CCM format
- Configure free-tier ADB settings to match existing database state
- Add ignore_changes for freeform_tags on free-tier ADB (rejects updates)
- Mark sensitive outputs in k8s module
- Add OCI CLI profile for Terraform provider authentication

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ericfitz

.gitignore

@@ -118,3 +118,5 @@ scripts/oci-env.sh
 **/terraform.tfvars
 **/tfplan
 **/.terraform/
+# Lock files in modules (generated by terraform init during validation)
+terraform/modules/**/.terraform.lock.hcl

terraform/environments/oci-production/main.tf

@@ -35,20 +35,22 @@ terraform {
 # OCI Provider configuration
 # Uses IMDS or ~/.oci/config for authentication
 provider "oci" {
-  region = var.region
+  region              = var.region
+  config_file_profile = "tmi"
   # auth   = "InstancePrincipal"  # Uncomment for IMDS authentication
 }
 
 # Kubernetes Provider - configured after OKE cluster creation
 # Uses OCI CLI for token authentication
+# Note: Run with GODEBUG=x509negativeserial=1 if Go 1.24+ rejects OKE certs
 provider "kubernetes" {
   host                   = module.kubernetes.cluster_endpoint
   cluster_ca_certificate = module.kubernetes.cluster_ca_certificate
 
   exec {
     api_version = "client.authentication.k8s.io/v1beta1"
     command     = "oci"
-    args        = ["ce", "cluster", "generate-token", "--cluster-id", module.kubernetes.cluster_id, "--region", var.region]
+    args        = ["ce", "cluster", "generate-token", "--cluster-id", module.kubernetes.cluster_id, "--region", var.region, "--profile", "tmi"]
   }
 }
 
@@ -122,12 +124,11 @@ module "database" {
   database_nsg_ids         = [module.network.database_nsg_id]
   object_storage_namespace = data.oci_objectstorage_namespace.ns.namespace
 
-  # Paid tier settings - enables private endpoint for ADB
-  is_free_tier                        = false
-  cpu_core_count                      = 1
-  compute_count                       = 2
-  data_storage_size_in_tbs            = 1
-  is_auto_scaling_enabled             = true
+  # Free tier - existing ADB is free-tier with public endpoint
+  # Note: Cannot convert free-tier ADB to paid with private endpoint in-place
+  is_free_tier                        = true
+  compute_count                       = 1
+  is_auto_scaling_enabled             = false
   is_auto_scaling_for_storage_enabled = false
   prevent_destroy                     = var.prevent_database_destroy
 

terraform/modules/database/oci/main.tf

@@ -60,6 +60,8 @@ resource "oci_database_autonomous_database" "tmi" {
   # Note: Terraform doesn't allow variables in lifecycle blocks
   lifecycle {
     prevent_destroy = true
+    # Free-tier ADB rejects most update operations; ignore drift on tags
+    ignore_changes = [freeform_tags]
   }
 
   freeform_tags = var.tags

terraform/modules/kubernetes/oci/k8s_resources.tf

@@ -122,6 +122,27 @@ resource "kubernetes_deployment_v1" "tmi_api" {
         service_account_name            = kubernetes_service_account_v1.tmi_api.metadata[0].name
         automount_service_account_token = true
 
+        # Init container to extract Oracle wallet zip into a shared emptyDir
+        init_container {
+          name  = "wallet-extract"
+          image = "busybox:1.36"
+          command = [
+            "sh", "-c",
+            "cp /wallet-zip/wallet.zip /tmp/wallet.zip && cd /wallet-extracted && unzip -o /tmp/wallet.zip && sed -i 's|DIRECTORY=\"?/network/admin\"|DIRECTORY=\"/wallet\"|' /wallet-extracted/sqlnet.ora"
+          ]
+
+          volume_mount {
+            name       = "wallet-zip"
+            mount_path = "/wallet-zip"
+            read_only  = true
+          }
+
+          volume_mount {
+            name       = "wallet-extracted"
+            mount_path = "/wallet-extracted"
+          }
+        }
+
         container {
           name  = "tmi-api"
           image = var.tmi_image_url
@@ -145,7 +166,7 @@ resource "kubernetes_deployment_v1" "tmi_api" {
           }
 
           volume_mount {
-            name       = "wallet"
+            name       = "wallet-extracted"
             mount_path = "/wallet"
             read_only  = true
           }
@@ -190,12 +211,17 @@ resource "kubernetes_deployment_v1" "tmi_api" {
         }
 
         volume {
-          name = "wallet"
+          name = "wallet-zip"
           secret {
             secret_name = kubernetes_secret_v1.wallet.metadata[0].name
           }
         }
 
+        volume {
+          name = "wallet-extracted"
+          empty_dir {}
+        }
+
         volume {
           name = "tmp"
           empty_dir {}
@@ -241,21 +267,14 @@ resource "kubernetes_deployment_v1" "redis" {
           name  = "redis"
           image = var.redis_image_url
 
+          # Official Redis image requires --requirepass flag for authentication
+          command = ["redis-server", "--requirepass", var.redis_password, "--port", "6379"]
+
           port {
             container_port = 6379
             protocol       = "TCP"
           }
 
-          env {
-            name  = "REDIS_PASSWORD"
-            value = var.redis_password
-          }
-
-          env {
-            name  = "REDIS_PORT"
-            value = "6379"
-          }
-
           liveness_probe {
             tcp_socket {
               port = 6379
@@ -338,7 +357,7 @@ resource "kubernetes_service_v1" "tmi_api" {
         "service.beta.kubernetes.io/oci-load-balancer-shape-flex-min"                = tostring(var.lb_min_bandwidth_mbps)
         "service.beta.kubernetes.io/oci-load-balancer-shape-flex-max"                = tostring(var.lb_max_bandwidth_mbps)
         "service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode" = "None"
-        "oci-network-security-groups"                                                = join(",", var.lb_nsg_ids)
+        "oci.oraclecloud.com/oci-network-security-groups"                              = join(",", var.lb_nsg_ids)
       },
       # SSL annotations when certificate is provided
       var.ssl_certificate_pem != null ? {

terraform/modules/kubernetes/oci/outputs.tf

@@ -48,11 +48,13 @@ output "http_url" {
 
 output "https_url" {
   description = "HTTPS URL for the application (if SSL configured)"
+  sensitive   = true
   value       = var.ssl_certificate_pem != null && length(kubernetes_service_v1.tmi_api.status[0].load_balancer[0].ingress) > 0 ? "https://${kubernetes_service_v1.tmi_api.status[0].load_balancer[0].ingress[0].ip}" : null
 }
 
 output "service_endpoint" {
   description = "Service endpoint URL (standard interface)"
+  sensitive   = true
   value = length(kubernetes_service_v1.tmi_api.status[0].load_balancer[0].ingress) > 0 ? (
     var.ssl_certificate_pem != null ?
     "https://${kubernetes_service_v1.tmi_api.status[0].load_balancer[0].ingress[0].ip}" :

terraform/modules/network/oci/main.tf

@@ -164,6 +164,28 @@ resource "oci_core_security_list" "private" {
     }
   }
 
+  # Allow LB to NodePort range (required for managed node pools)
+  ingress_security_rules {
+    protocol    = "6" # TCP
+    source      = var.public_subnet_cidr
+    source_type = "CIDR_BLOCK"
+    tcp_options {
+      min = 30000
+      max = 32767
+    }
+  }
+
+  # Allow LB health check to kube-proxy (required for managed node pools)
+  ingress_security_rules {
+    protocol    = "6" # TCP
+    source      = var.public_subnet_cidr
+    source_type = "CIDR_BLOCK"
+    tcp_options {
+      min = 10256
+      max = 10256
+    }
+  }
+
   # Allow egress to database subnet (Oracle DB ports)
   egress_security_rules {
     protocol         = "6" # TCP
@@ -904,6 +926,78 @@ resource "oci_core_network_security_group_security_rule" "lb_egress_oke_pods" {
   }
 }
 
+# Allow load balancer to reach OKE NodePort range (required for managed node pools)
+resource "oci_core_network_security_group_security_rule" "lb_egress_oke_nodeport" {
+  network_security_group_id = oci_core_network_security_group.lb.id
+  direction                 = "EGRESS"
+  protocol                  = "6" # TCP
+
+  description      = "Allow traffic to OKE NodePort range (managed nodes)"
+  destination      = oci_core_network_security_group.oke_pod.id
+  destination_type = "NETWORK_SECURITY_GROUP"
+
+  tcp_options {
+    destination_port_range {
+      min = 30000
+      max = 32767
+    }
+  }
+}
+
+# Allow load balancer health check to kube-proxy (required for managed node pools)
+resource "oci_core_network_security_group_security_rule" "lb_egress_oke_healthcheck" {
+  network_security_group_id = oci_core_network_security_group.lb.id
+  direction                 = "EGRESS"
+  protocol                  = "6" # TCP
+
+  description      = "Allow health check to kube-proxy (managed nodes)"
+  destination      = oci_core_network_security_group.oke_pod.id
+  destination_type = "NETWORK_SECURITY_GROUP"
+
+  tcp_options {
+    destination_port_range {
+      min = 10256
+      max = 10256
+    }
+  }
+}
+
+# Allow OKE workers to accept NodePort traffic from load balancer (managed nodes)
+resource "oci_core_network_security_group_security_rule" "oke_pod_ingress_lb_nodeport" {
+  network_security_group_id = oci_core_network_security_group.oke_pod.id
+  direction                 = "INGRESS"
+  protocol                  = "6" # TCP
+
+  description = "Allow LB to NodePort range (managed nodes)"
+  source      = oci_core_network_security_group.lb.id
+  source_type = "NETWORK_SECURITY_GROUP"
+
+  tcp_options {
+    destination_port_range {
+      min = 30000
+      max = 32767
+    }
+  }
+}
+
+# Allow OKE workers to accept health check from load balancer (managed nodes)
+resource "oci_core_network_security_group_security_rule" "oke_pod_ingress_lb_healthcheck" {
+  network_security_group_id = oci_core_network_security_group.oke_pod.id
+  direction                 = "INGRESS"
+  protocol                  = "6" # TCP
+
+  description = "Allow LB health check to kube-proxy (managed nodes)"
+  source      = oci_core_network_security_group.lb.id
+  source_type = "NETWORK_SECURITY_GROUP"
+
+  tcp_options {
+    destination_port_range {
+      min = 10256
+      max = 10256
+    }
+  }
+}
+
 # Allow OKE pods to reach database NSG
 resource "oci_core_network_security_group_security_rule" "db_ingress_oke_pods" {
   network_security_group_id = oci_core_network_security_group.database.id