Added client certificate auth example

README.md

@@ -83,8 +83,8 @@ Refer to the following configuration examples:
 - [Basic VPN](examples/basic-vpn)
 - [Services and listen ports](examples/services-and-listen-ports)
 - [Customized ACL and client profiles](examples/customized-acl-and-client-profiles)
-- [OAuth profile](examples/oauth-profile)
-- [Certification matching rule](examples/certificate-matching-rule)
+- [OAuth authentication](examples/oauth-authentication)
+- [Client certificate authentication](examples/client-certificate-authentication)
 
 ## Module use recommendations
 

examples/client-certificate-authentication/README.md

@@ -0,0 +1,74 @@
+# Client Certificate Authentication Configuration Example
+
+This example shows how to configure [client certificate authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Client-Cert) (or mTLS) for clients connecting to a PubSub+ event broker at the Message VPN level, leveraging the Service Terraform module.
+
+Note: a pre-requisite for client certificate authentication is broker-level server key, certificate and certificate authorities configured, which is outside the scope of this module.
+
+The module exposes [client certificate authentication related message VPN configuration](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Client-CERT-VPNs) through input variables. It also supports the setup of a [message VPN matching](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Configur) rule with a set of conditions or a set of attribute filters. Note that if more matching rules are required then these will need to be configured outside the module.
+
+## Module Configuration in the Example
+
+### Required Inputs
+
+* `msg_vpn_name` - set to `vpn-with-mtls` in the example
+
+### Optional Inputs
+
+* `authentication_client_cert_enabled` - set to `true` for client certificate authentication in the example. Automatically enabled if VPN matching is configured
+* `cert_matching_rule_name` - specified if message VPN matching is required
+* `cert_matching_rule_conditions` - a set of conditions for above certificate matching rule
+* `cert_matching_rule_attribute_filters` - a set of filters for above certificate matching rule
+
+Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the documentation of ["solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional).
+
+The module default for the `enabled` variable is true, which enables the message VPN and underlying resources.
+
+### Output
+
+The module `created_vpn` and `created_oauth_profile` outputs refer to the created message VPN and the OAuth profile. The claims outputs provide the list of the created required claims.
+
+## Created resources
+
+This example will create following resources:
+
+* `solacebroker_msg_vpn`
+* `solacebroker_msg_vpn_authentication_oauth_profile`
+* `solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim`
+* `solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim`
+
+## Running the Example
+
+### Access to a PubSub+ broker
+
+If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started.
+
+### Sample source code
+
+The sample is available from the module GitHub repo:
+
+```bash
+git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
+cd examples/client-certificate-authentication
+```
+
+### Adjust Provider Configuration
+
+Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker.
+
+### Create the resource
+
+Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm)
+
+Execute from this folder:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` to clean up created resources when no longer needed. Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here.
+
+## Additional Documentation
+
+Refer to the [OAuth Authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#OAuth) section in the PubSub+ documentation.

examples/client-certificate-authentication/main.tf

@@ -0,0 +1,54 @@
+provider "solacebroker" {
+  username = "admin"
+  password = "admin"
+  url      = "http://localhost:8080"
+}
+
+module "testvpn" {
+  source = "../.."
+
+  msg_vpn_name           = "vpn-with-mtls"
+  // No need to set the VPN enabled, it defaults to true
+  // enabled = true
+
+  // example VPN configuration (not strictly required required here because of certificate matching rule configured )
+  authentication_client_cert_enabled = true
+
+  // example certificate matching rule
+  cert_matching_rule_name = "testvpnCertMatchingRule"
+
+  // not required if certificate matching rule is used
+  // authentication_client_cert_certificate_matching_rules_enabled = true
+
+  cert_matching_rule_conditions = [
+    {
+      source = "issuer"
+      expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
+    }
+  ]
+  cert_matching_rule_attribute_filters = [
+    {
+      filter_name = "testFilter"
+      attribute_name = "username"
+      attribute_value = "test"
+    }
+  ]
+}
+
+output "created_vpn" {
+  value     = module.testvpn.msg_vpn
+  sensitive = true
+}
+
+output "created_cert_matching_rule" {
+  value     = module.testvpn.cert_matching_rule
+}
+
+output "created_cert_matching_rule_conditions" {
+  value     = module.testvpn.cert_matching_rule_conditions
+}
+
+output "created_cert_matching_rule_attribute_filters" {
+  value     = module.testvpn.cert_matching_rule_attribute_filters
+}
+

examples/customized-acl-and-client-profiles/README.md

@@ -47,7 +47,7 @@ The sample is available from the module GitHub repo:
 
 ```bash
 git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
-cd examples/basic-vpn
+cd examples/customized-acl-and-client-profiles
 ```
 
 ### Adjust Provider Configuration

examples/oauth-profile/README.md → examples/oauth-authentication/README.md

@@ -48,7 +48,7 @@ The sample is available from the module GitHub repo:
 
 ```bash
 git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
-cd examples/oauth-profile
+cd examples/oauth-authentication
 ```
 
 ### Adjust Provider Configuration

examples/oauth-authentication/providers.tf

@@ -0,0 +1,24 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform configuration
+
+terraform {
+  required_providers {
+    solacebroker = {
+      source = "registry.terraform.io/solaceproducts/solacebroker"
+    }
+  }
+  required_version = "~> 1.2"
+}