Extended service module

ci/module-test/main.tf

@@ -10,11 +10,54 @@ module "testvpn" {
   msg_vpn_name        = "testvpn"
   acl_profile_name    = "testvpn-acl-profile"
   client_profile_name = "testvpn-client-profile"
+  oauth_profile_name  = "testvpnOauthProfile"
+  oauth_profile_client_required_claims = [
+    {
+      claim_name  = "audience"
+      claim_value = "{ \"aud\": \"myAudience\" }"
+    },
+    {
+      claim_name  = "sub"
+      claim_value = "{ \"sub\": 123456789 }",
+    }
+  ]
+  oauth_profile_resource_server_required_claims = [
+    {
+      claim_name  = "audience"
+      claim_value = "{ \"aud\": \"myAudience\" }"
+    },
+    {
+      claim_name  = "sub"
+      claim_value = "{ \"sub\": 123456789 }",
+    }
+  ]
+  cert_matching_rule_name = "testvpnCertMatchingRule"
+  cert_matching_rule_conditions = [
+    {
+      source = "issuer"
+      expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
+    }
+  ]
+  cert_matching_rule_attribute_filters = [
+    {
+      filter_name = "testFilter"
+      attribute_name = "username"
+      attribute_value = "test"
+    }
+  ]
 }
 
-# module "defaultvpn" {
-#   source = "../../internal/gen-template"
+module "testvpn2" {
+  source = "../.."
+
+  msg_vpn_name        = "testvpn2"
+  acl_profile_name    = "testvpn-acl-profile2"
+  client_profile_name = "testvpn-client-profile2"
+}
 
-#   msg_vpn_name           = "default"
-#   enabled = false
-# }
+module "defaultvpn" {
+  source = "../.."
+
+  msg_vpn_name           = "default"
+  enabled = false
+}

ci/template-test/main.tf

@@ -10,11 +10,54 @@ module "testvpn" {
   msg_vpn_name        = "testvpn"
   acl_profile_name    = "testvpn-acl-profile"
   client_profile_name = "testvpn-client-profile"
+  oauth_profile_name  = "testvpnOauthProfile"
+  oauth_profile_client_required_claims = [
+    {
+      claim_name  = "audience"
+      claim_value = "{ \"aud\": \"myAudience\" }"
+    },
+    {
+      claim_name  = "sub"
+      claim_value = "{ \"sub\": 123456789 }",
+    }
+  ]
+  oauth_profile_resource_server_required_claims = [
+    {
+      claim_name  = "audience"
+      claim_value = "{ \"aud\": \"myAudience\" }"
+    },
+    {
+      claim_name  = "sub"
+      claim_value = "{ \"sub\": 123456789 }",
+    }
+  ]
+  cert_matching_rule_name = "testvpnCertMatchingRule"
+  cert_matching_rule_conditions = [
+    {
+      source = "issuer"
+      expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
+    }
+  ]
+  cert_matching_rule_attribute_filters = [
+    {
+      filter_name = "testFilter"
+      attribute_name = "username"
+      attribute_value = "test"
+    }
+  ]
 }
 
-# module "defaultvpn" {
-#   source = "../../internal/gen-template"
+module "testvpn2" {
+  source = "../../internal/gen-template"
+
+  msg_vpn_name        = "testvpn2"
+  acl_profile_name    = "testvpn-acl-profile2"
+  client_profile_name = "testvpn-client-profile2"
+}
 
-#   msg_vpn_name           = "default"
-#   enabled = false
-# }
+module "defaultvpn" {
+  source = "../../internal/gen-template"
+
+  msg_vpn_name           = "default"
+  enabled = false
+}

internal/gen-template/main.tf

@@ -1,10 +1,21 @@
+locals {
+  oauth_profile_client_required_claims_list          = tolist(var.oauth_profile_client_required_claims)
+  oauth_profile_resource_server_required_claims_list = tolist(var.oauth_profile_resource_server_required_claims)
+  cert_matching_rule_conditions_list                 = tolist(var.cert_matching_rule_conditions)
+  cert_matching_rule_attribute_filters_list          = tolist(var.cert_matching_rule_attribute_filters) 
+}
+
 resource "solacebroker_msg_vpn" "main" {
-  msg_vpn_name              = var.msg_vpn_name
-  authentication_basic_type = var.authentication_basic_type
-  dmr_enabled               = var.dmr_enabled
-  enabled                   = var.enabled
-  jndi_enabled              = var.jndi_enabled
-  max_msg_spool_usage       = var.max_msg_spool_usage
+  msg_vpn_name                                                  = var.msg_vpn_name
+  authentication_basic_type                                     = var.authentication_basic_type
+  dmr_enabled                                                   = var.dmr_enabled
+  enabled                                                       = var.enabled
+  jndi_enabled                                                  = var.jndi_enabled
+  max_msg_spool_usage                                           = var.max_msg_spool_usage
+  authentication_oauth_enabled                                  = var.oauth_profile_name != "" ? true : var.authentication_oauth_enabled
+  authentication_oauth_default_profile_name                     = var.oauth_profile_name != "" ? var.oauth_profile_name : var.authentication_oauth_default_profile_name
+  authentication_client_cert_enabled                            = var.cert_matching_rule_name != "" ? true : var.authentication_client_cert_enabled
+  authentication_client_cert_certificate_matching_rules_enabled = var.cert_matching_rule_name != "" ? true : var.authentication_client_cert_certificate_matching_rules_enabled
 
   #AutoAddAttributes #EnableCommonVariables
 }
@@ -40,10 +51,64 @@ resource "solacebroker_msg_vpn_client_profile" "main" {
   #AutoAddAttributes #EnableCommonVariables
 }
 
-# resource "solacebroker_msg_vpn_authentication_oauth_profile" "main" {
-#   msg_vpn_name       = solacebroker_msg_vpn.main.msg_vpn_name
-#   oauth_profile_name = var.oauth_profile_name
-#   enabled             = var.enabled
+resource "solacebroker_msg_vpn_authentication_oauth_profile" "main" {
+  count = var.oauth_profile_name != "" ? 1 : 0
+
+  msg_vpn_name       = solacebroker_msg_vpn.main.msg_vpn_name
+  oauth_profile_name = var.oauth_profile_name
+  enabled            = var.enabled
+
+  #AutoAddAttributes #EnableCommonVariables
+}
+
+resource "solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim" "main" {
+  count = var.oauth_profile_name != "" ? length(local.oauth_profile_client_required_claims_list) : 0
+
+  msg_vpn_name                = solacebroker_msg_vpn.main.msg_vpn_name
+  oauth_profile_name          = solacebroker_msg_vpn_authentication_oauth_profile.main[0].oauth_profile_name
+  client_required_claim_name  = local.oauth_profile_client_required_claims_list[count.index].claim_name
+  client_required_claim_value = local.oauth_profile_client_required_claims_list[count.index].claim_value
+}
+
+resource "solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim" "main" {
+  count = var.oauth_profile_name != "" ? length(local.oauth_profile_resource_server_required_claims_list) : 0
+
+  msg_vpn_name                         = solacebroker_msg_vpn.main.msg_vpn_name
+  oauth_profile_name                   = solacebroker_msg_vpn_authentication_oauth_profile.main[0].oauth_profile_name
+  resource_server_required_claim_name  = local.oauth_profile_resource_server_required_claims_list[count.index].claim_name
+  resource_server_required_claim_value = local.oauth_profile_resource_server_required_claims_list[count.index].claim_value
+}
+
+resource "solacebroker_msg_vpn_cert_matching_rule" "main" {
+  count = var.cert_matching_rule_name != "" ? 1 : 0
+
+  msg_vpn_name = solacebroker_msg_vpn.main.msg_vpn_name
+  rule_name    = var.cert_matching_rule_name
+  enabled      = var.enabled
+}
+
+resource "solacebroker_msg_vpn_cert_matching_rule_condition" "main" {
+  count = var.cert_matching_rule_name != "" ? length(local.cert_matching_rule_conditions_list) : 0
+
+  msg_vpn_name = solacebroker_msg_vpn.main.msg_vpn_name
+  rule_name    = solacebroker_msg_vpn_cert_matching_rule.main[0].rule_name
+  source       = local.cert_matching_rule_conditions_list[count.index].source
+  expression   = local.cert_matching_rule_conditions_list[count.index].expression
+}
+
+resource "solacebroker_msg_vpn_cert_matching_rule_attribute_filter" "main" {
+  count = var.cert_matching_rule_name != "" ? length(local.cert_matching_rule_attribute_filters_list) : 0
+
+  msg_vpn_name    = solacebroker_msg_vpn.main.msg_vpn_name
+  rule_name       = solacebroker_msg_vpn_cert_matching_rule.main[0].rule_name
+  filter_name     = local.cert_matching_rule_attribute_filters_list[count.index].filter_name
+  attribute_name  = local.cert_matching_rule_attribute_filters_list[count.index].attribute_name
+  attribute_value = local.cert_matching_rule_attribute_filters_list[count.index].attribute_value
+}
+
+
+
+
+
 
-# }
 

internal/gen-template/variables.tf

@@ -40,16 +40,88 @@ variable "max_msg_spool_usage" {
 }
 
 variable "acl_profile_name" {
-  description = "The name of the ACL Profile to be added to the Message VPN. If not specified, no ACL Profile will be added. Default is \"\""
+  description = "The name of the ACL Profile to be created and added to the Message VPN. If not specified, no ACL Profile will be added. Default is \"\""
   type        = string
   default     = ""
 }
 
-
 variable "client_profile_name" {
-  description = "The name of the Client Profile to be added to the Message VPN. If not specified, no Client Profile will be added. Default is \"\""
+  description = "The name of the Client Profile to be created and added to the Message VPN. If not specified, no Client Profile will be added. Default is \"\""
+  type        = string
+  default     = ""
+}
+
+variable "oauth_profile_name" {
+  description = "The name of the OAuth Profile to be created and added to the Message VPN. If not specified, no OAuth Profile will be added. If specified, OAUth will be enabled on the VPN and this profile will be set as the default profile. Default is \"\""
   type        = string
   default     = ""
 }
 
+variable "authentication_oauth_enabled" {
+  description = "Enable or disable OAuth authentication"
+  type        = bool
+  default     = null
+}
+
+variable "cert_matching_rule_name" {
+  description = "The name of the Certification Matching Rule to be created and added to the Message VPN. A Cert Matching Rule is a collection of conditions and attribute filters that all have to be satisfied for certificate to be acceptable as authentication for a given username. If not specified, no Cert Matching Rule will be added. Default is \"\""
+  type        = string
+  default     = ""
+}
+
+variable "authentication_client_cert_enabled" {
+  description = "Enable or disable client certificate authentication in the Message VPN"
+  type        = bool
+  default     = null
+}
+
+variable "authentication_client_cert_certificate_matching_rules_enabled" {
+  description = "Enable or disable certificate matching rules"
+  type        = bool
+  default     = null
+}
+
+variable "authentication_oauth_default_profile_name" {
+  description = "The name of the profile to use when the client does not supply a profile name"
+  type        = string
+  default     = null
+}
+
+variable "oauth_profile_client_required_claims" {
+  description = "Additional claims to be verified in the ID token. Ignored if `oauth_profile_name` is not set"
+  type = set(object({
+    claim_name  = string
+    claim_value = string
+  }))
+  default = []
+}
+
+variable "oauth_profile_resource_server_required_claims" {
+  description = "Additional claims to be verified in the access token. Ignored if `oauth_profile_name` is not set"
+  type        = set(object({
+    claim_name  = string
+    claim_value = string
+  }))
+  default     = []
+}
+
+variable "cert_matching_rule_conditions" {
+  description = "The conditions to be added to the Certification Matching Rule. Ignored if `cert_matching_rule_name` is not set"
+  type        = set(object({
+    source = string
+    expression = string
+  }))
+  default     = []
+}
+
+variable "cert_matching_rule_attribute_filters" {
+  description = "The filters to be added to the Certification Matching Rule. A Cert Matching Rule Attribute Filter compares a username attribute to a string. Ignored if `cert_matching_rule_name` is not set"
+  type        = set(object({
+    filter_name = string
+    attribute_name = string
+    attribute_value = string
+  }))
+  default     = []
+}
+
 #AutoAddAttributes