diff --git a/VERSION b/VERSION
index 3738566..f2e984b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.1.0-rc.1
+0.1.0-rc.2
diff --git a/examples/acl-profile-exceptions/README.md b/examples/acl-profile-exceptions/README.md
new file mode 100644
index 0000000..eeb3170
--- /dev/null
+++ b/examples/acl-profile-exceptions/README.md
@@ -0,0 +1,82 @@
+# ACL Profile Exceptions Configuration Example
+
+This directory demonstrates configuration of a client username with [ACL profile exceptions](https://docs.solace.com/Security/Managing-Access-Control-Lists.htm) on the PubSub+ event broker, leveraging the Client Terraform module.
+
+One set of use cases is if the assigned ACL profile is restrictive (the default value is "disallow") and individual permissions are added as exceptions. Other cases need individual exceptions to a permissive profile. Both serve the configuration of specific requirements of the client being provisioned.
+
+The following ACL profile exceptions are supported:
+* Publish topic exception
+* Subscribe topic exception
+* Subscribe share name exception
+* Client connect exception
+
+Also note that topic exceptions may use [substitution variables](https://docs.solace.com/Security/Granting-Clients-Access.htm#Using), which will also be demonstrated.
+
+## Module Configuration in the Example
+
+### Required Inputs
+
+* `msg_vpn_name` - set to `default` in the example
+* `client_identifier_type` - set to `client_username`
+* `client_identifier_name` - set to `myclient` in the example.
+* `client_profile_name` - `default`, in the example
+* `acl_profile_name` - `default`, in the example. The "default" ACL profile's default actions are "allow", so all exceptions defined will be denied.
+
+### Optional Inputs
+
+* `acl_profile_publish_topic_exceptions`, `acl_profile_subscribe_topic_exceptions`, `acl_profile_subscribe_share_name_exceptions`, `acl_profile_client_connect_exceptions` - examples show how to define them in a list form.
+
+Optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker.
For attributes and defaults, refer to the [documentation of "solacebroker_msg_vpn_client_username"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_client_username#optional).
+
+The module default for the `enabled` variable is true, which enables both the RDP and the REST consumer resources.
+
+### Output
+
+The module `client_username` output refers to the created client username and the exceptions outputs provide the list the created exceptions.
+
+## Created resources
+
+This example will create following resources:
+
+* `solacebroker_msg_vpn_client_username`
+* `solacebroker_msg_vpn_acl_profile_publish_topic_exception`
+* `solacebroker_msg_vpn_acl_profile_subscribe_topic_exception`
+* `solacebroker_msg_vpn_acl_profile_subscribe_share_name_exception`
+* `solacebroker_msg_vpn_acl_profile_client_connect_exception`
+
+## Running the Example
+
+### Access to a PubSub+ broker
+
+If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started.
+
+### Sample source code
+
+The sample is available from the module GitHub repo:
+
+```bash
+git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
+cd examples/acl-profile-exceptions
+```
+
+### Adjust Provider Configuration
+
+Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker.
+
+### Create the resource
+
+Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm)
+
+Execute from this folder:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` to clean up created resources when no longer needed.
+
+## Additional Documentation
+
+Refer to the [Configuring Client Authorization](https://docs.solace.com/Security/Configuring-Client-Authorization.htm) section in the PubSub+ documentation.
diff --git a/examples/acl-profile-exceptions/main.tf b/examples/acl-profile-exceptions/main.tf
index 171f7b9..1d303ab 100644
--- a/examples/acl-profile-exceptions/main.tf
+++ b/examples/acl-profile-exceptions/main.tf
@@ -27,17 +27,18 @@ module "testclient" { client_profile_name = "default" acl_profile_name = "default" - // The "default" ACL profile, used in the example, default actions are "allow", exceptions are "deny" + // The "default" ACL profile, used in the example, has default actions "allow", so exceptions are "deny" // example of multiple publish topic exceptions acl_profile_publish_topic_exceptions = [ { - publish_topic_exception = "a/b/c* d/e/f", + publish_topic_exception = "a/b/c*", publish_topic_exception_syntax = "smf" }, { - publish_topic_exception = "g/h/i", - publish_topic_exception_syntax = "mqtt" + // example of using substitution variable - no need to escape the $ character here + publish_topic_exception = "g/$client-username", + publish_topic_exception_syntax = "smf" } ]
diff --git a/examples/authorization-group/README.md b/examples/authorization-group/README.md
new file mode 100644
index 0000000..6dfdf08
--- /dev/null
+++ b/examples/authorization-group/README.md
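Review bot: The entries in `acl_profile_publish_topic_exceptions` end up on the `default` ACL profile rather than on the `myclient` username (the module's exception resources elsewhere in this diff are keyed only by `msg_vpn_name` and `acl_profile_name`), so applying this example changes publish permissions for every client that uses that profile. Because the profile's default action is "allow", the new `g/$client-username` entry is a deny rule that blocks each client from publishing under its own name, which is the reverse of the usual substitution-variable pattern of a default-disallow profile with per-client allow exceptions. I would state this next to the example, e.g. `// exceptions are stored on the ACL profile and affect all clients using it; with default action "allow" this entry denies publishing to g/<own username>`, and, if one is available, point the example at a dedicated ACL profile instead of the broker's shared `default`. The enclosing `module "testclient"` block starts and ends outside the hunk.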
@@ -0,0 +1,66 @@
+# Authorization Group Configuration Example
+
+Configuration in this directory creates an authorization group on the PubSub+ event broker, leveraging the Client Terraform module. The authorization group can be used for [OAuth](https://docs.solace.com/Security/Client-Authorization-Overview.htm#Authoriz2) or [LDAP](https://docs.solace.com/Security/Client-Authorization-Overview.htm#LDAP-Groups) authorization.
+
+## Module Configuration in the Example
+
+### Required Inputs
+
+* `msg_vpn_name` - set to `default` in the example
+* `client_identifier_type` - set to `authorization_group`
+* `client_identifier_name` - set to `myauthgroup` in the example.
+* `client_profile_name` - `default`, in the example
+* `acl_profile_name` - `default`, in the example
+
+### Optional Inputs
+
+Optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the [documentation of "solacebroker_msg_vpn_authorization_group"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_authorization_group#optional).
+
+The module default for the `enabled` variable is true, which enables both the RDP and the REST consumer resources.
+
+### Output
+
+The module `authorization_group` output refers to the created authorization group.
+
+## Created resources
+
+This example will create following resources:
+
+* `solacebroker_msg_vpn_authorization_group`
+
+## Running the Example
+
+### Access to a PubSub+ broker
+
+If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started.
+
+### Sample source code
+
+The sample is available from the module GitHub repo:
+
+```bash
+git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
+cd examples/authorization-group
+```
+
+### Adjust Provider Configuration
+
+Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker.
+
+### Create the resource
+
+Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm)
+
+Execute from this folder:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` to clean up created resources when no longer needed.
+
+## Additional Documentation
+
+Refer to the [Configuring Client Authorization](https://docs.solace.com/Security/Configuring-Client-Authorization.htm) section in the PubSub+ documentation.
diff --git a/examples/basic-client-username/README.md b/examples/basic-client-username/README.md
index b4bf659..51f24b2 100644
--- a/examples/basic-client-username/README.md
+++ b/examples/basic-client-username/README.md
@@ -44,7 +44,7 @@ The sample is available from the module GitHub repo: ```bash git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git -cd examples/adding-headers +cd examples/basic-client-username ``` ### Adjust Provider Configuration
diff --git a/examples/client-username-attributes/README.md b/examples/client-username-attributes/README.md
new file mode 100644
index 0000000..5eb96c2
--- /dev/null
+++ b/examples/client-username-attributes/README.md
@@ -0,0 +1,69 @@
+# Client Username Attributes Configuration Example
+
+This directory demonstrates configuration of a client username with additional [client username attributes](https://docs.solace.com/Security/Configuring-Client-Usernames.htm?Highlight=client%20username%20attributes#Setting) on the PubSub+ event broker, leveraging the Client Terraform module.
+
+## Module Configuration in the Example
+
+### Required Inputs
+
+* `msg_vpn_name` - set to `default` in the example
+* `client_identifier_type` - set to `client_username`
+* `client_identifier_name` - set to `myclientwithattributes` in the example.
+* `client_profile_name` - `default`, in the example
+* `acl_profile_name` - `default`, in the example
+
+### Optional Inputs
+
+* `client_username_attributes` - a set of attributes in a list form.
+
+Optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the [documentation of "solacebroker_msg_vpn_client_username"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_client_username#optional).
+
+The module default for the `enabled` variable is true, which enables both the RDP and the REST consumer resources.
+
+### Output
+
+The module `client_username` output refers to the created client username and the `attributes` output provides the list of created attributes.
+
+## Created resources
+
+This example will create following resources:
+
+* `solacebroker_msg_vpn_client_username`
+* `solacebroker_msg_vpn_client_username_attribute`
+
+## Running the Example
+
+### Access to a PubSub+ broker
+
+If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started.
+
+### Sample source code
+
+The sample is available from the module GitHub repo:
+
+```bash
+git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
+cd examples/client-username-attributes
+```
+
+### Adjust Provider Configuration
+
+Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker.
+
+### Create the resource
+
+Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm)
+
+Execute from this folder:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` to clean up created resources when no longer needed.
+
+## Additional Documentation
+
+Refer to the [Configuring Client Authorization](https://docs.solace.com/Security/Configuring-Client-Authorization.htm) section in the PubSub+ documentation.
diff --git a/examples/client-username-attributes/main.tf b/examples/client-username-attributes/main.tf
index d46702b..b87a9c8 100644
--- a/examples/client-username-attributes/main.tf
+++ b/examples/client-username-attributes/main.tf
@@ -23,7 +23,7 @@ module "testclient" { msg_vpn_name = "default" client_identifier_type = "client_username" - client_identifier_name = "myclient" + client_identifier_name = "myclientwithattributes" client_profile_name = "default" acl_profile_name = "default"
diff --git a/internal/gen-template/main.tf b/internal/gen-template/main.tf
index 8f70957..f45b499 100644
--- a/internal/gen-template/main.tf
+++ b/internal/gen-template/main.tf
@@ -38,15 +38,6 @@ resource "solacebroker_msg_vpn_acl_profile_publish_topic_exception" "main" { publish_topic_exception_syntax = local.acl_profile_publish_topic_exceptions_list[count.index].publish_topic_exception_syntax } -resource "solacebroker_msg_vpn_acl_profile_subscribe_share_name_exception" "main" { - count = length(local.acl_profile_subscribe_share_name_exceptions_list) - - msg_vpn_name = var.msg_vpn_name - acl_profile_name = var.acl_profile_name - subscribe_share_name_exception = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception - subscribe_share_name_exception_syntax = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception_syntax -} - resource "solacebroker_msg_vpn_acl_profile_subscribe_topic_exception" "main" { count = length(local.acl_profile_subscribe_topic_exceptions_list)
@@ -56,6 +47,15 @@ resource "solacebroker_msg_vpn_acl_profile_subscribe_topic_exception" "main" { subscribe_topic_exception_syntax = local.acl_profile_subscribe_topic_exceptions_list[count.index].subscribe_topic_exception_syntax } +resource "solacebroker_msg_vpn_acl_profile_subscribe_share_name_exception" "main" { + count = length(local.acl_profile_subscribe_share_name_exceptions_list) + + msg_vpn_name = var.msg_vpn_name + acl_profile_name = var.acl_profile_name + subscribe_share_name_exception = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception + subscribe_share_name_exception_syntax = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception_syntax +} + resource "solacebroker_msg_vpn_acl_profile_client_connect_exception" "main" { count = length(var.acl_profile_client_connect_exceptions)
diff --git a/main.tf b/main.tf
index b9bfe8b..04b09cb 100644
--- a/main.tf
+++ b/main.tf
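Review bot: The relocated `solacebroker_msg_vpn_acl_profile_subscribe_share_name_exception` block, like its neighbours, still addresses its entries by `count`/`count.index`, so removing or reordering one element of the input list shifts every later index and makes Terraform replace ACL exceptions that did not change. For access-control rules that churn may leave an exception briefly absent during apply, or make a create collide with an entry that still exists under another index (inferred from the indexing, not verified against the provider). Keying the resources instead, e.g. `for_each = { for e in local.acl_profile_subscribe_share_name_exceptions_list : "${e.subscribe_share_name_exception_syntax}/${e.subscribe_share_name_exception}" => e }` with `each.value.…` replacing the indexed lookups, keeps addresses stable, at the cost of a state migration for existing users. The same applies to the identical hunks in the root `main.tf`.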
@@ -55,15 +55,6 @@ resource "solacebroker_msg_vpn_acl_profile_publish_topic_exception" "main" { publish_topic_exception_syntax = local.acl_profile_publish_topic_exceptions_list[count.index].publish_topic_exception_syntax } -resource "solacebroker_msg_vpn_acl_profile_subscribe_share_name_exception" "main" { - count = length(local.acl_profile_subscribe_share_name_exceptions_list) - - msg_vpn_name = var.msg_vpn_name - acl_profile_name = var.acl_profile_name - subscribe_share_name_exception = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception - subscribe_share_name_exception_syntax = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception_syntax -} - resource "solacebroker_msg_vpn_acl_profile_subscribe_topic_exception" "main" { count = length(local.acl_profile_subscribe_topic_exceptions_list)
@@ -73,6 +64,15 @@ resource "solacebroker_msg_vpn_acl_profile_subscribe_topic_exception" "main" { subscribe_topic_exception_syntax = local.acl_profile_subscribe_topic_exceptions_list[count.index].subscribe_topic_exception_syntax } +resource "solacebroker_msg_vpn_acl_profile_subscribe_share_name_exception" "main" { + count = length(local.acl_profile_subscribe_share_name_exceptions_list) + + msg_vpn_name = var.msg_vpn_name + acl_profile_name = var.acl_profile_name + subscribe_share_name_exception = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception + subscribe_share_name_exception_syntax = local.acl_profile_subscribe_share_name_exceptions_list[count.index].subscribe_share_name_exception_syntax +} + resource "solacebroker_msg_vpn_acl_profile_client_connect_exception" "main" { count = length(var.acl_profile_client_connect_exceptions)