Initial module and basic example

* Added module starting point

* Fixed script permission

* Extended service module

* Readme update and fixes

* Added basic example

* Basic example adjustments

* Basic example adjustments

* Fixed acceptance test [skip ci]

* Formatting updates

---------

Co-authored-by: Balazs Czoma <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.github/workflows/module-test-pipeline.yml

@@ -0,0 +1,40 @@
+name: Provider Test Pipeline
+
+on: push
+
+jobs:
+  test:
+    name: Run Provider setup and tests
+    runs-on: ubuntu-latest
+    steps:
+      # - name: Set up Go
+      #   uses: actions/setup-go@v3
+      #   with:
+      #     go-version: "1.21"
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Terraform latest
+        uses: hashicorp/setup-terraform@v2
+
+      - name: Setup test broker
+        run: |
+          mkdir -p $HOME/solace; chmod 777 $HOME/solace
+          docker run -d -p 8080:8080 -p 55555:55555 --shm-size=1g --env username_admin_globalaccesslevel=admin --env username_admin_password=admin --env system_scaling_maxkafkabridgecount="10" --name=solace \
+            --env system_scaling_maxconnectioncount="1000" --mount type=bind,source=$HOME/solace,destination=/var/lib/solace,ro=false solace/solace-pubsub-standard:latest
+          while ! curl -s localhost:8080 | grep aurelia ; do sleep 1 ; done
+
+      - name: Test module from template on test broker
+        run: |
+          ci/scripts/test-module.sh ci/template-test
+
+      - name: Test module root on test broker
+        run: |
+          ci/scripts/test-module.sh ci/module-test
+
+      - name: Test examples
+        run: |
+          shopt -s extglob
+          for d in examples/!(basic-client-username)/; do (ci/scripts/test-module.sh "$d"); done
+          # ci/scripts/test-module.sh examples/basic-client-username/ -var-file=secret.tfvars

.github/workflows/prep-internal-release.yml

@@ -0,0 +1,122 @@
+# Launched manually
+on:
+  workflow_dispatch:
+    inputs:
+      prev_branch_name:
+        description: 'Prev branch name, must start with v'
+        required: true
+        default: 'v0.1.0-rc.1'
+      release_branch_name:
+        description: 'Release branch name, must start with v'
+        required: true
+        default: 'v0.1.0-rc.2'
+
+
+jobs:
+  build:
+    name: Prep release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.21"
+
+      - name: Checkout the code
+        uses: actions/checkout@v2
+
+      - name: Check release version and set next version
+        run: |
+          if ! echo "${{ github.event.inputs.release_branch_name }}" | grep ^v ; then
+            echo "Incorrect release branch name ${{ github.event.inputs.release_branch_name }}, must start with 'v'" ; exit 1
+          fi
+          if echo "${{ github.ref_name }}" | grep ^dev ; then
+            # set next dev version GH env, otherwise set it empty
+            echo "NEXT_DEV_VERSION=$(echo ${{ github.ref_name }} | awk -F. -v OFS=. '{$NF += 1 ; print}')" >> $GITHUB_ENV
+          fi
+
+      - name: Code format, dependencies, checks
+        run: |
+          find . -type d -print0 | xargs -0 -n1 terraform fmt
+
+      - name: Setup test broker
+        run: |
+          mkdir -p $HOME/solace; chmod 777 $HOME/solace
+          docker run -d -p 8080:8080 -p 55555:55555 --shm-size=1g --env username_admin_globalaccesslevel=admin --env username_admin_password=admin --env system_scaling_maxkafkabridgecount="10" --name=solace \
+            --env system_scaling_maxconnectioncount="1000" --mount type=bind,source=$HOME/solace,destination=/var/lib/solace,ro=false solace/solace-pubsub-standard:latest
+          while ! curl -s localhost:8080 | grep aurelia ; do sleep 1 ; done
+
+      - name: Check code builds and pass acceptance test
+        run: |
+          ci/scripts/test-module.sh ci/module-test
+          shopt -s extglob
+          for d in examples/!(basic-client-username)/; do (ci/scripts/test-module.sh "$d"); done
+
+      - name: Ensure version reflects release candidate version
+        run: |
+          VERSION=$(echo "${{ github.event.inputs.release_branch_name }}" | cut -d'v' -f2)
+          echo $VERSION > VERSION
+
+      - name: Add copyright headers where needed
+        run: |
+          go install github.com/google/addlicense@latest
+          addlicense -c 'Solace Corporation. All rights reserved.' -v -l apache ./*.tf
+          addlicense -c 'Solace Corporation. All rights reserved.' -v -l apache $(find ./examples -name "*.tf" -type f -print0 | xargs -0)
+
+      - name: Check changed files
+        uses: tj-actions/verify-changed-files@v17
+        id: check-changed-files
+
+      - name: Run step only when any of the files change
+        if: steps.check-changed-files.outputs.files_changed == 'true'
+        run: |
+          echo "Changed files: ${{ steps.check-changed-files.outputs.changed_files }}"
+
+      - name: Commit back updates when any of the files change
+        if: steps.check-changed-files.outputs.files_changed == 'true'
+        uses: EndBug/add-and-commit@v9
+        with:
+          committer_name: GitHub Actions
+          committer_email: [email protected]
+          message: 'Updating release candidate [skip ci]'
+          new_branch: GeneratedSourceUpdates-${{ github.ref_name }}
+
+      - name: Create pull request if needed, then break here because manual approval of the changes is required
+        if: steps.check-changed-files.outputs.files_changed == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          CURRENT_BRANCH=${GITHUB_REF_NAME}
+          gh pr create -B ${CURRENT_BRANCH} -H "GeneratedSourceUpdates-${CURRENT_BRANCH}" --title "Merge generated source updates into release candidate ${CURRENT_BRANCH}" --body 'Created by Github action'
+          echo Review and approve PR before release can continue
+          exit 1 // force actions stop here
+
+      - name: Create release branch starting point
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git fetch
+          git push origin refs/remotes/origin/${{ github.event.inputs.prev_branch_name }}:refs/heads/${{ github.event.inputs.release_branch_name }}
+
+      - name: Create PR to release branch
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          CURRENT_BRANCH=${GITHUB_REF_NAME}
+          gh pr create -B ${{ github.event.inputs.release_branch_name }} --title "New release ${{ github.event.inputs.release_branch_name }}" --body 'Created by Github action'
+
+      # - name: Create PR to release branch
+      #   uses: peterjgrainger/[email protected]
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   with:
+      #     branch: "${{ github.event.inputs.release_branch_name }}"
+
+      # - name: Tag the release branch
+      #   if: env.NEXT_DEV_VERSION != ''
+      #   uses: peterjgrainger/[email protected]
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   with:
+      #     branch: ${{ env.NEXT_DEV_VERSION }}
+

.github/workflows/verify-registry-release.yml

@@ -0,0 +1,59 @@
+# Launched manually to test new release from registry
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'The version of the release in the Terraform registry (expecting semver format)'
+        required: true
+        default: '0.1.0-rc.1'
+      public_release:
+        type: boolean
+        description: 'Check if this is a public release (from registry.terraform.io). Private release is from app.terraform.io'
+        required: true
+        default: false
+
+jobs:
+  build:
+    name: Verify registry release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.21"
+
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Setup test broker
+        run: |
+          mkdir -p $HOME/solace; chmod 777 $HOME/solace
+          docker run -d -p 8080:8080 -p 55555:55555 --shm-size=1g --env username_admin_globalaccesslevel=admin --env username_admin_password=admin --env system_scaling_maxkafkabridgecount="10" --name=solace \
+            --mount type=bind,source=$HOME/solace,destination=/var/lib/solace,ro=false solace/solace-pubsub-standard:"10.6.1.52"
+          while ! curl -s localhost:8080 | grep aurelia ; do sleep 1 ; done
+
+      - name: Set up Terraform latest - public
+        if: ${{ github.event.inputs.public_release != 'false' }}
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: true
+
+      - name: Set up Terraform latest - private, with token
+        if: ${{ github.event.inputs.public_release == 'false' }}
+        uses: hashicorp/setup-terraform@v3
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+          terraform_wrapper: true
+
+      - name: Setup token and patch module with release information
+        run: |
+          MODULENAME=service
+          if [ "${{ github.event.inputs.public_release }}" == "false" ] ; then
+            echo Internal release
+            MODULE_REF="app.terraform.io/SolaceDev/$MODULENAME/solacebroker"
+          else
+            echo Public release
+            MODULE_REF="SolaceProducts/$MODULENAME/solacebroker"
+          fi
+          ci/scripts/test-module.sh ci/module-test/ "" $MODULE_REF "${{ github.event.inputs.release_version }}"
+

.gitignore

@@ -4,18 +4,12 @@
 # .tfstate files
 *.tfstate
 *.tfstate.*
+*.lock.hcl
 
 # Crash log files
 crash.log
 crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf

README.md

@@ -1,2 +1,101 @@
-# terraform-solacebroker-service
-Solace software broker Terraform module to abstract broker VPN, authenticatiopn and authorization configuration
+# Solace PubSub+ Software Event Broker Service Terraform Module
+
+Terraform module that encapsulates a [message VPN](https://docs.solace.com/Features/VPN/Managing-Message-VPNs.htm) including client and ACL profiles, resource limits and service on the [Solace PubSub+ Event Broker](https://solace.com/products/event-broker/).
+
+The basic use case is to create a new message VPN with a permissive `default` ACL and client profile, ready for messaging. Optionally, an additional fully customizable ACL profile and a client profile can be defined. The module also adds advanced client certificate authentication and OAuth authentication configuration support.
+
+Note: the `default` client username that is automatically created with the new VPN is disabled. It is recommended to use the [Client Module](https://registry.terraform.io/modules/SolceProducts/client/solacebroker/latest) to setup a client username if required. Also, services that require message VPN specific ports, including REST, MQTT etc. are disabled by default and need to be enabled/configured through optional variables.
+
+Use case details are provided in the [Examples](#examples).
+
+## Module input variables
+
+### Required
+
+* `msg_vpn_name` - thename of the new message VPN to be created
+
+### Optional
+
+* `acl_profile_name` - the name of the optionally added ACL profile. A `default` profile is always created and if left at default empty then no additional ACL profile will be created.
+* `client_profile_name` - the name of the optionally added client profile. A `default` profile is always created and if left at default empty then no additional ACL profile will be created.
+* `oauth_profile_name` - the name of an optionally added OAuth profile. Note that there will be no OAUth profile created unless a non-empty name is provided.
+* `oauth_profile_client_required_claims` - a set of optional client-required claims.
+* `oauth_profile_resource_server_required_claims` - a set of optional server-required claims.
+* `cert_matching_rule_name` - the name of an optionally added certificate matching rule. Note that there will be no certificate matching rule created unless a non-empty name is provided.
+* `cert_matching_rule_conditions` - a set of optional certificate matching rule conditions.
+* `cert_matching_rule_attribute_filters` - a set of optional certificate matching rule attribute filters.
+
+Additional optional module variables names are the same as the underlying resource attributes. The recommended approach to determine variable name mappings is to look up the resource's documentation for matching attribute names:
+
+| Resource name |
+|---------------|
+|[solacebroker_msg_vpn](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional)|
+|[solacebroker_msg_vpn_acl_profile](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_acl_profile#optional)|
+|[solacebroker_msg_vpn_client_profile](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_client_profile#optional)|
+|[solacebroker_msg_vpn_authentication_oauth_profile](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_authentication_oauth_profile#optional)|
+
+Most optional variables' default value is `null`, meaning that if not provided then the resource default value will be provisioned on the broker.
+
+Exceptions: the following optional variables' default value differ from the resource attribute defaults:
+
+| Input variable | Default value | Note |
+|----------------|---------------|------|
+| `authentication_basic_type` | `internal` |
+| `dmr_enabled` | `true` | 
+| `enabled` | `true` | the Message VPN and underlying created objects |
+| `jndi_enabled` | `true` |
+| `max_msg_spool_usage` | 1500 | message VPN |
+
+-> The module default for the  optional variable is `true`, which 
+
+## Module outputs
+
+[Module outputs](https://developer.hashicorp.com/terraform/language/values/outputs) provide reference to created resources. Any reference to a resource that has not been created will be set to `(null)`.
+
+Note that the "message VPN" output is [sensitive](https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-suppressing-values-in-cli-output) due to some sensitive attributes it contains.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_solacebroker"></a> [solacebroker](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest) | ~> 0.9 |
+
+## Resources
+
+The following table shows the resources created. "X" denotes a resource always created, "O" is a resource that may be created optionally
+
+| Name |  | Notes |
+|------|------|------|
+| solacebroker_msg_vpn | X | |
+| solacebroker_msg_vpn_acl_profile | O | This is an additional configurable profile. A default ACL profile is always created |
+| solacebroker_msg_vpn_client_profile | O | This is an additional configurable profile. A default client profile is always created |
+| solacebroker_msg_vpn_authentication_oauth_profile | O | |
+| solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim | O | Requires above AOuth profile and it will be assigned to that |
+| solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim | O | Requires above AOuth profile and it will be assigned to that |
+| solacebroker_msg_vpn_cert_matching_rule | O | |
+| solacebroker_msg_vpn_cert_matching_rule_condition | O | Requires above certification matching rule and it will be assigned to that |
+| solacebroker_msg_vpn_cert_matching_rule_attribute_filter | O | Requires above certification matching rule and it will be assigned to that |
+
+## Examples
+
+Refer to the following configuration examples:
+
+- [Basic VPN](examples/basic-vpn)
+- [Services and listen ports](examples/services-and-listen-ports)
+- [Customized client and ACL profiles](examples/customized-client-and-acl-profiles)
+- [OAuth profile](examples/oauth-profile)
+- [Certification matching rule](examples/certificate-matching-rule)
+
+## Module use recommendations
+
+This module is expected to be used primarily by middleware teams. It is primarily concerned with setting an environment and constraints where application developer teams may add their specific requirements through the Solace Client, Queues & Endpoints, JNDI or REST delivery modules. This module may be forked and adjusted with private defaults.
+
+## Resources
+
+For more information about Solace technology in general please visit these resources:
+
+- Solace [Technical Documentation](https://docs.solace.com/)
+    - [Configuring Message VPNs](https://docs.solace.com/Features/VPN/Configuring-VPNs.htm)
+- The Solace Developer Portal website at: [solace.dev](//solace.dev/)
+- Understanding [Solace technology](//solace.com/products/platform/)
+- Ask the [Solace community](//dev.solace.com/community/).

VERSION

@@ -0,0 +1 @@
+0.1.0-rc.1