From 47e840d88c39f4457d0d5689dc74d1df0b4713dd Mon Sep 17 00:00:00 2001 From: Balazs Czoma Date: Tue, 19 Mar 2024 14:32:35 -0400 Subject: [PATCH 1/8] Added services config example --- README.md | 2 +- examples/basic-vpn/README.md | 2 +- examples/services-and-listen-ports/README.md | 71 +++++++++++++++++++ examples/services-and-listen-ports/main.tf | 26 +++++++ .../services-and-listen-ports/providers.tf | 24 +++++++ 5 files changed, 123 insertions(+), 2 deletions(-) create mode 100644 examples/services-and-listen-ports/README.md create mode 100644 examples/services-and-listen-ports/main.tf create mode 100644 examples/services-and-listen-ports/providers.tf diff --git a/README.md b/README.md index 88198a4..d030631 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ Exceptions: the following optional variables' default value differ from the reso | `dmr_enabled` | `true` | | `enabled` | `true` | the Message VPN and underlying created objects | | `jndi_enabled` | `true` | -| `max_msg_spool_usage` | 1500 | message VPN | +| `max_msg_spool_usage` | 1500 | MB, message VPN | -> The module default for the optional variable is `true`, which diff --git a/examples/basic-vpn/README.md b/examples/basic-vpn/README.md index fe8a281..855268e 100644 --- a/examples/basic-vpn/README.md +++ b/examples/basic-vpn/README.md 
@@ -2,7 +2,7 @@ Configuration in this directory creates a basic [message VPN](https://docs.solace.com/Features/VPN/Managing-Message-VPNs.htm) on the PubSub+ event broker, leveraging the Service Terraform module. -The created VPN will enable SMF and WebSocket messaging services with a message spool of 1500 MB assigned by default, as well as use of JNDI and DMR. Refer to the example [Services and listen ports](examples/services-and-listen-ports) how to enable and configure other services including REST, MQTT and AMQP. +The created VPN will enable SMF and Web Transport messaging services with a message spool of 1500 MB assigned by default, as well as use of JNDI and DMR. Refer to the example [Services and listen ports](examples/services-and-listen-ports) how to enable and configure other services including REST, MQTT and AMQP. The VPN will include a `default` permissive ACL profile and a client profile, similar to the ones in the `default` message VPN. These profiles will enable ready-to-go messaging on the VPN for development and demo purposes. For production use a customized ACL profile and a client profile should be specified as in [this example](examples/customized-client-and-acl-profiles). diff --git a/examples/services-and-listen-ports/README.md b/examples/services-and-listen-ports/README.md new file mode 100644 index 0000000..b55f6c0 --- /dev/null +++ b/examples/services-and-listen-ports/README.md 
@@ -0,0 +1,71 @@ +# Message VPN Services and Listen Ports Configuration Example + +The example in this directory demonstrates how to configure services including ports for a new message VPN on the PubSub+ event broker, leveraging the Service Terraform module. + +SMF and Web Transport messaging services are configured at the broker level and are enabled on the message VPN created by the Service module. Other services including REST, MQTT and AMQP are configured at the message VPN level and need to be individually setup for each VPN. They are disabled by default and need to be enabled, configured and a port assigned if required through module variables. The example will show how to do that. + +A service may also use plain text or secure transport. While it is generally recommended to use secure transport and disable plain text, secure transport requires a server certificate installed on the broker. For easier development and demo purposes, plain text SMF and Web Transport services are enabled by default on the message VPN and should be disabled through module variables to meet security requirements. + +## Module Configuration in the Example + +### Required Inputs + +* `msg_vpn_name` - set to `rest-enabled-vpn` in the example + +### Optional Inputs + +* `service_rest_incoming_plain_text_enabled` - set to `true` in this example +* `service_rest_incoming_plain_text_listen_port` - set to `9000` in this example + +Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the [documentation of "solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional). + +The module default for the `enabled` variable is true, which enables the message VPN and underlying resources. 
+ +### Output + +The module `created_vpn` output refers to the created message VPN. + +## Created resources + +This example will create following resources: + +* `solacebroker_msg_vpn` + +Note that `default` ACL profile, client profile and client username objects will also be automatically created as part of the new VPN but are only available by referencing their name. + +## Running the Example + +### Access to a PubSub+ broker + +If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started. + +### Sample source code + +The sample is available from the module GitHub repo: + +```bash +git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git +cd examples/services-and-listen-ports +``` + +### Adjust Provider Configuration + +Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker. + +### Create the resource + +Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm) + +Execute from this folder: + +```bash +terraform init +terraform plan +terraform apply +``` + +Run `terraform destroy` to clean up created resources when no longer needed. Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here. + +## Additional Documentation + +Refer to the [Configuring Message VPNs](https://docs.solace.com/Features/VPN/Configuring-VPNs.htm) section in the PubSub+ documentation. diff --git a/examples/services-and-listen-ports/main.tf b/examples/services-and-listen-ports/main.tf new file mode 100644 index 0000000..d118c27 --- /dev/null +++ b/examples/services-and-listen-ports/main.tf 
@@ -0,0 +1,26 @@
+provider "solacebroker" {
+ username = "admin"
+ password = "admin"
+ url = "http://localhost:8080"
+}
+
+module "testvpn" {
+ source = "../.."
+
+ msg_vpn_name = "rest-enabled-vpn"
+
+ // Enable and configure incoming messaging protocols, for example REST. Note that plain text is not recommended for production use.
+ service_rest_incoming_plain_text_enabled = true
+ service_rest_incoming_plain_text_listen_port = 9000
+
+ // Uncomment to disable plain text SMF - however secure transport SMF requires a server certificate installed on the broker
+ // service_smf_plain_text_enabled = false
+
+ // No need to set the VPN enabled, it defaults to true
+ // enabled = true
+}
+
+output "created_vpn" {
+ value = module.testvpn.msg_vpn
+ sensitive = true
+}
diff --git a/examples/services-and-listen-ports/providers.tf b/examples/services-and-listen-ports/providers.tf
new file mode 100644
index 0000000..6dd1008
--- /dev/null
+++ b/examples/services-and-listen-ports/providers.tf
@@ -0,0 +1,24 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform configuration
+
+terraform {
+ required_providers {
+ solacebroker = {
+ source = "registry.terraform.io/solaceproducts/solacebroker"
+ }
+ }
+ required_version = "~> 1.2"
+}
From b506c339c86e68909e379fd7acb39cb06422fcc5 Mon Sep 17 00:00:00 2001
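Review bot: The `provider "solacebroker"` block at the top of this hunk embeds the broker management credentials as literals (`username = "admin"`, `password = "admin"`) alongside a plain `http://` URL, and example code of this kind tends to be copied into real configurations unchanged and committed with whatever was typed in. Prefer `username = var.broker_username` and `password = var.broker_password`, backed by `variable` declarations marked `sensitive = true` with no default, so the demo values are supplied at apply time rather than stored in the repository; the provider's own environment-variable configuration, if it offers one, would serve the same purpose. The same literal-credential provider block is added again in the new main.tf hunks for examples/customized-client-and-acl-profiles and examples/oauth-profile later in this series and should get the same treatment.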
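Review bot: The `required_providers` entry for `solacebroker` in the providers.tf hunk pins only `source` and no `version`, so `terraform init` in a fresh clone resolves whatever the newest published provider release is unless a `.terraform.lock.hcl` is committed next to it; for an example users are told to run as-is, that makes the result non-reproducible and lets a provider update change behaviour silently. Add a constraint such as `version = "<pinned-version-constraint>"` (placeholder — pick the release the examples were tested against) next to `source`, matching the `required_version = "~> 1.2"` already given for Terraform itself. The identical providers.tf is added again for examples/customized-client-and-acl-profiles and examples/oauth-profile later in this series and needs the same change.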
From: Balazs Czoma Date: Tue, 19 Mar 2024 14:56:57 -0400 Subject: [PATCH 2/8] Adjusted example port number --- examples/services-and-listen-ports/README.md | 2 +- examples/services-and-listen-ports/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/services-and-listen-ports/README.md b/examples/services-and-listen-ports/README.md index b55f6c0..2143a51 100644 --- a/examples/services-and-listen-ports/README.md +++ b/examples/services-and-listen-ports/README.md @@ -15,7 +15,7 @@ A service may also use plain text or secure transport. While it is generally rec ### Optional Inputs * `service_rest_incoming_plain_text_enabled` - set to `true` in this example -* `service_rest_incoming_plain_text_listen_port` - set to `9000` in this example +* `service_rest_incoming_plain_text_listen_port` - set to `9001` in this example. Note that the port number must be unique for the broker, port 9000 is already used by the default VPN Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the [documentation of "solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional). diff --git a/examples/services-and-listen-ports/main.tf b/examples/services-and-listen-ports/main.tf index d118c27..24ededc 100644 --- a/examples/services-and-listen-ports/main.tf +++ b/examples/services-and-listen-ports/main.tf 
@@ -11,7 +11,7 @@ module "testvpn" { // Enable and configure incoming messaging protocols, for example REST. Note that plain text is not recommended for production use. service_rest_incoming_plain_text_enabled = true - service_rest_incoming_plain_text_listen_port = 9000 + service_rest_incoming_plain_text_listen_port = 9001 // Uncomment to disable plain text SMF - however secure transport SMF requires a server certificate installed on the broker // service_smf_plain_text_enabled = false From 21a8e4559323b1948624694c2c3d04683d53301a Mon Sep 17 00:00:00 2001 From: Balazs Czoma Date: Tue, 19 Mar 2024 16:13:39 -0400 Subject: [PATCH 3/8] Added client and acl profile example --- .../README.md | 73 +++++++++++++++++++ .../main.tf | 36 +++++++++ .../providers.tf | 24 ++++++ 3 files changed, 133 insertions(+) create mode 100644 examples/customized-client-and-acl-profiles/README.md create mode 100644 examples/customized-client-and-acl-profiles/main.tf create mode 100644 examples/customized-client-and-acl-profiles/providers.tf diff --git a/examples/customized-client-and-acl-profiles/README.md b/examples/customized-client-and-acl-profiles/README.md new file mode 100644 index 0000000..4827de5 --- /dev/null +++ b/examples/customized-client-and-acl-profiles/README.md 
@@ -0,0 +1,73 @@ +# Customized ACL and Client Profile Configuration Example + +Configuration in this directory shows how to create a customized [ACL profile](https://docs.solace.com/Security/Granting-Clients-Access.htm) or a [client profile](https://docs.solace.com/Security/Assigning-Client-Profiles.htm) on a new message VPN on the PubSub+ event broker, leveraging the Service Terraform module. + +A new message VPN will automatically include a permissive `default` ACL profile and a `default` client profile that support development and demo purposes. They are not configurable through module variables. If profiles are required to meet specific requirements, the module enables creating an additional customizable ACL and client profile. At a minimum, a name for the profile must be provided and any non-default attribute values. + +## Module Configuration in the Example + +### Required Inputs + +* `msg_vpn_name` - set to `vpn-with-acl-and-client-profiles` in the example + +### Optional Inputs + +* `acl_profile_name` - an additional ACL profile will only be created if a name is provided +* `client_connect_default_action` - a random attribute demonstrating setting a non-default value +* `client_profile_name` - an additional client profile will only be created if a name is provided +* `compression_enabled` - a random attribute demonstrating setting a non-default value + +Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. 
For attributes and defaults, refer to the documentation of ["solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional), ["solacebroker_msg_vpn_acl_profile"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_acl_profile#optional) and ["solacebroker_msg_vpn_client_profile"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_client_profile#optional). + +The module default for the `enabled` variable is true, which enables the message VPN and underlying resources. + +### Output + +The module `created_vpn` output refers to the created message VPN, `created_acl_profile` and `created_client_profile` refer to the additional ACL and client profiles included in the VPN. + +## Created resources + +This example will create following resources: + +* `solacebroker_msg_vpn` +* `solacebroker_msg_vpn_acl_profile` +* `solacebroker_msg_vpn_client_profile` + +Note that `default` ACL profile, client profile and client username objects will also be automatically created as part of the new VPN but are only available by referencing their name. + +## Running the Example + +### Access to a PubSub+ broker + +If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started. + +### Sample source code + +The sample is available from the module GitHub repo: + +```bash +git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git +cd examples/basic-vpn +``` + +### Adjust Provider Configuration + +Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker. 
+ +### Create the resource + +Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm) + +Execute from this folder: + +```bash +terraform init +terraform plan +terraform apply +``` + +Run `terraform destroy` to clean up created resources when no longer needed. Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here. + +## Additional Documentation + +Refer to the [Configuring Message VPNs](https://docs.solace.com/Features/VPN/Configuring-VPNs.htm) section in the PubSub+ documentation. diff --git a/examples/customized-client-and-acl-profiles/main.tf b/examples/customized-client-and-acl-profiles/main.tf new file mode 100644 index 0000000..21bb942 --- /dev/null +++ b/examples/customized-client-and-acl-profiles/main.tf @@ -0,0 +1,36 @@ +provider "solacebroker" { + username = "admin" + password = "admin" + url = "http://localhost:8080" +} + +module "testvpn" { + source = "../.." + + msg_vpn_name = "vpn-with-acl-and-client-profiles" + + // Configure an ACL profile. This example allows clients to connect from any address. All other ACL rules are default + acl_profile_name = "my-acl-profile" + client_connect_default_action = "allow" + + // Configure a client profile. This example disables compression, which is by default enabled. All other client profile settings are default + client_profile_name = "my-client-profile" + compression_enabled = false + + // No need to set the VPN enabled, it defaults to true + // enabled = true +} + +output "created_vpn" { + value = module.testvpn.msg_vpn + sensitive = true +} + +output "created_acl_profile" { + value = module.testvpn.acl_profile +} + +output "created_client_profile" { + value = module.testvpn.client_profile +} + 
diff --git a/examples/customized-client-and-acl-profiles/providers.tf b/examples/customized-client-and-acl-profiles/providers.tf
new file mode 100644
index 0000000..6dd1008
--- /dev/null
+++ b/examples/customized-client-and-acl-profiles/providers.tf
@@ -0,0 +1,24 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform configuration
+
+terraform {
+ required_providers {
+ solacebroker = {
+ source = "registry.terraform.io/solaceproducts/solacebroker"
+ }
+ }
+ required_version = "~> 1.2"
+}
From 89864a6d3b6c17deb436a549a2fa8fdc020e6f74 Mon Sep 17 00:00:00 2001
From: Balazs Czoma
Date: Tue, 19 Mar 2024 16:28:14 -0400
Subject: [PATCH 4/8] Example dirs rename
---
README.md | 2 +-
.../README.md | 0
.../main.tf | 0
.../providers.tf | 0
4 files changed, 1 insertion(+), 1 deletion(-)
rename examples/{customized-client-and-acl-profiles => customized-acl-and-client-profiles}/README.md (100%)
rename examples/{customized-client-and-acl-profiles => customized-acl-and-client-profiles}/main.tf (100%)
rename examples/{customized-client-and-acl-profiles => customized-acl-and-client-profiles}/providers.tf (100%)
diff --git a/README.md b/README.md
index d030631..74aa608 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ Refer to the following configuration examples: - [Basic VPN](examples/basic-vpn) - [Services and listen ports](examples/services-and-listen-ports) -- [Customized client and ACL profiles](examples/customized-client-and-acl-profiles) +- [Customized ACL and client profiles](examples/customized-acl-and-client-profiles) - [OAuth profile](examples/oauth-profile) - [Certification matching rule](examples/certificate-matching-rule) diff --git a/examples/customized-client-and-acl-profiles/README.md b/examples/customized-acl-and-client-profiles/README.md similarity index 100% rename from examples/customized-client-and-acl-profiles/README.md rename to examples/customized-acl-and-client-profiles/README.md diff --git a/examples/customized-client-and-acl-profiles/main.tf b/examples/customized-acl-and-client-profiles/main.tf similarity index 100% rename from examples/customized-client-and-acl-profiles/main.tf rename to examples/customized-acl-and-client-profiles/main.tf diff --git a/examples/customized-client-and-acl-profiles/providers.tf b/examples/customized-acl-and-client-profiles/providers.tf similarity index 100% rename from examples/customized-client-and-acl-profiles/providers.tf rename to examples/customized-acl-and-client-profiles/providers.tf From 843db6421f44527f4df5e380932e5ac204a9dc45 Mon Sep 17 00:00:00 2001 From: Balazs Czoma Date: Wed, 20 Mar 2024 15:41:53 -0400 Subject: [PATCH 5/8] Added OAuth support example --- examples/oauth-profile/README.md | 74 +++++++++++++++++++++++++++++ examples/oauth-profile/main.tf | 67 ++++++++++++++++++++++++++ examples/oauth-profile/providers.tf | 24 ++++++++++ 3 files changed, 165 insertions(+) create mode 100644 examples/oauth-profile/README.md create mode 100644 examples/oauth-profile/main.tf create mode 100644 examples/oauth-profile/providers.tf diff --git a/examples/oauth-profile/README.md b/examples/oauth-profile/README.md new file mode 100644 index 0000000..7c3585e --- /dev/null 
+++ b/examples/oauth-profile/README.md 
@@ -0,0 +1,74 @@ +# OAuth Authentication Configuration Example + +This example shows how to configure OAuth authentication for clients connecting to a PubSub+ event broker at the Message VPN level, leveraging the Service Terraform module. + +To set this up, OAuth authentication must be enabled on the new message VPN and an OAuth profile must be created. With specifying the `oauth_profile_name` variable, the module will take care of both. Necessary [OAuth profile attributes](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Managing-OAuth-Profiles) can be set through module variables. It is also possible to provide a list of required claim values for both client or resource server roles of the event broker. + +Note that the module supports creating one OAuth profile, which will also be set as the default for the message VPN. Additional OAuth profiles may be configured outside the module. + +## Module Configuration in the Example + +### Required Inputs + +* `msg_vpn_name` - set to `vpn-with-oauth` in the example + +### Optional Inputs + +* `oauth_profile_name` - set to `sampleVpnOauthProfile`, must be provided to get an OAuth profile created. This profile will be set as the default VPN OAuth profile. This will also enable OAuth authentication for the VPN. +* `oauth_role` - an example module input variable for the OAuth profile +* `oauth_profile_client_required_claims` - a set of required claims when the broker is acting as an OAuth client +* `oauth_profile_resource_server_required_claims` - a set of required claims when the broker is acting as an OAuth resource server + +Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. 
For attributes and defaults, refer to the documentation of ["solacebroker_msg_vpn_authentication_oauth_profile"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_authentication_oauth_profile#optional). + +The module default for the `enabled` variable is true, which enables the message VPN and underlying resources. + +### Output + +The module `created_vpn` and `created_oauth_profile` outputs refer to the created message VPN and the OAuth profile. The claims outputs provide the list of the created required claims. + +## Created resources + +This example will create following resources: + +* `solacebroker_msg_vpn` +* `solacebroker_msg_vpn_authentication_oauth_profile` +* `solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim` +* `solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim` + +## Running the Example + +### Access to a PubSub+ broker + +If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started. + +### Sample source code + +The sample is available from the module GitHub repo: + +```bash +git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git +cd examples/oauth-profile +``` + +### Adjust Provider Configuration + +Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker. + +### Create the resource + +Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm) + +Execute from this folder: + +```bash +terraform init +terraform plan +terraform apply +``` + +Run `terraform destroy` to clean up created resources when no longer needed. 
Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here. + +## Additional Documentation + +Refer to the [OAuth Authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#OAuth) section in the PubSub+ documentation. diff --git a/examples/oauth-profile/main.tf b/examples/oauth-profile/main.tf new file mode 100644 index 0000000..e08d325 --- /dev/null +++ b/examples/oauth-profile/main.tf 
@@ -0,0 +1,67 @@
+provider "solacebroker" {
+ username = "admin"
+ password = "admin"
+ url = "http://localhost:8080"
+}
+
+module "testvpn" {
+ source = "../.."
+
+ msg_vpn_name = "vpn-with-oauth"
+ // No need to set the VPN enabled, it defaults to true
+ // enabled = true
+
+ oauth_profile_name = "sampleVpnOauthProfile"
+ // with "oauth_profile_name" defined, OAuth authentication will be automatically enabled on the message VPN
+ // no need to set the following:
+ // authentication_oauth_enabled = true
+ // this profile will also be set as the default OAuth profile, so no need to set the following:
+ // authentication_oauth_default_profile_name = "sample-vpn-oauth-profile"
+
+ // example additional configuration for the OAuth profile
+ oauth_role = "resource-server"
+
+ // example required claims in case of client role
+ oauth_profile_client_required_claims = [
+ {
+ claim_name = "audience"
+ claim_value = "{ \"aud\": \"myAudience\" }"
+ },
+ {
+ claim_name = "sub"
+ claim_value = "{ \"sub\": 123456789 }",
+ }
+ ]
+
+ // example required claims in case of resource server role
+ oauth_profile_resource_server_required_claims = [
+ {
+ claim_name = "audience"
+ claim_value = "{ \"aud\": \"myAudience\" }"
+ },
+ {
+ claim_name = "sub"
+ claim_value = "{ \"sub\": 123456789 }",
+ }
+ ]
+}
+
+output "created_vpn" {
+ value = module.testvpn.msg_vpn
+ sensitive = true
+}
+
+output "created_oauth_profile" {
+ value = module.testvpn.oauth_profile
+ sensitive = true
+}
+
+output "created_oauth_profile_client_required_claims" {
+ value = module.testvpn.oauth_profile_client_required_claims
+}
+
+output "created_oauth_profile_resource_server_required_claims" {
+ value = module.testvpn.oauth_profile_resource_server_required_claims
+}
+
+
diff --git a/examples/oauth-profile/providers.tf b/examples/oauth-profile/providers.tf
new file mode 100644
index 0000000..6dd1008
--- /dev/null
+++ b/examples/oauth-profile/providers.tf
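Review bot: The commented-out `authentication_oauth_default_profile_name = "sample-vpn-oauth-profile"` in the `module "testvpn"` block does not match the `oauth_profile_name = "sampleVpnOauthProfile"` set a few lines above it, so a reader who follows the comment and uncomments that line would point the VPN's default OAuth profile at a name that is never created; change it to `// authentication_oauth_default_profile_name = "sampleVpnOauthProfile"`. The hand-escaped `claim_value = "{ \"aud\": \"myAudience\" }"` strings would be less error-prone as `claim_value = jsonencode({ aud = "myAudience" })`, provided the broker parses the value as JSON rather than comparing the literal text — worth confirming before switching. The claim objects are also formatted inconsistently: in both lists the second element carries a trailing comma after `claim_value` while the first does not.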
@@ -0,0 +1,24 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform configuration
+
+terraform {
+ required_providers {
+ solacebroker = {
+ source = "registry.terraform.io/solaceproducts/solacebroker"
+ }
+ }
+ required_version = "~> 1.2"
+}
From 8ef1cb3839fd2fae3189eb204daeaaa2bc517b06 Mon Sep 17 00:00:00 2001
From: Balazs Czoma
Date: Thu, 21 Mar 2024 07:23:40 -0400
Subject: [PATCH 6/8] Added client certificate auth example
---
README.md | 4 +-
.../README.md | 74 +++++++++++++++++++
.../client-certificate-authentication/main.tf | 54 ++++++++++++++
.../providers.tf | 0
.../README.md | 2 +-
.../README.md | 2 +-
.../main.tf | 0
examples/oauth-authentication/providers.tf | 24 ++++++
8 files changed, 156 insertions(+), 4 deletions(-)
create mode 100644 examples/client-certificate-authentication/README.md
create mode 100644 examples/client-certificate-authentication/main.tf
rename examples/{oauth-profile => client-certificate-authentication}/providers.tf (100%)
rename examples/{oauth-profile => oauth-authentication}/README.md (99%)
rename examples/{oauth-profile => oauth-authentication}/main.tf (100%)
create mode 100644 examples/oauth-authentication/providers.tf
diff --git a/README.md b/README.md
index 74aa608..725f05a 100644
--- a/README.md
+++ b/README.md
@@ -83,8 +83,8 @@ Refer to the following configuration examples: - [Basic VPN](examples/basic-vpn) - [Services and listen ports](examples/services-and-listen-ports) - [Customized ACL and client profiles](examples/customized-acl-and-client-profiles) -- [OAuth profile](examples/oauth-profile) -- [Certification matching rule](examples/certificate-matching-rule) +- [OAuth authentication](examples/oauth-authentication) +- [Client certificate authentication](examples/client-certificate-authentication) ## Module use recommendations diff --git a/examples/client-certificate-authentication/README.md b/examples/client-certificate-authentication/README.md new file mode 100644 index 0000000..e04be41 --- /dev/null +++ b/examples/client-certificate-authentication/README.md 
@@ -0,0 +1,74 @@ +# Client Certificate Authentication Configuration Example + +This example shows how to configure [client certificate authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Client-Cert) (or mTLS) for clients connecting to a PubSub+ event broker at the Message VPN level, leveraging the Service Terraform module. + +Note: a pre-requisite for client certificate authentication is broker-level server key, certificate and certificate authorities configured, which is outside the scope of this module. + +The module exposes [client certificate authentication related message VPN configuration](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Client-CERT-VPNs) through input variables. It also supports the setup of a [message VPN matching](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Configur) rule with a set of conditions or a set of attribute filters. Note that if more matching rules are required then these will need to be configured outside the module. + +## Module Configuration in the Example + +### Required Inputs + +* `msg_vpn_name` - set to `vpn-with-mtls` in the example + +### Optional Inputs + +* `authentication_client_cert_enabled` - set to `true` for client certificate authentication in the example. Automatically enabled if VPN matching is configured +* `cert_matching_rule_name` - specified if message VPN matching is required +* `cert_matching_rule_conditions` - a set of conditions for above certificate matching rule +* `cert_matching_rule_attribute_filters` - a set of filters for above certificate matching rule + +Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. 
For attributes and defaults, refer to the documentation of ["solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional). + +The module default for the `enabled` variable is true, which enables the message VPN and underlying resources. + +### Output + +The module `created_vpn` and `created_oauth_profile` outputs refer to the created message VPN and the OAuth profile. The claims outputs provide the list of the created required claims. + +## Created resources + +This example will create following resources: + +* `solacebroker_msg_vpn` +* `solacebroker_msg_vpn_authentication_oauth_profile` +* `solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim` +* `solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim` + +## Running the Example + +### Access to a PubSub+ broker + +If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started. + +### Sample source code + +The sample is available from the module GitHub repo: + +```bash +git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git +cd examples/client-certificate-authentication +``` + +### Adjust Provider Configuration + +Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker. + +### Create the resource + +Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm) + +Execute from this folder: + +```bash +terraform init +terraform plan +terraform apply +``` + +Run `terraform destroy` to clean up created resources when no longer needed. 
Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here.
+
+## Additional Documentation
+
+Refer to the [OAuth Authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#OAuth) section in the PubSub+ documentation.
diff --git a/examples/client-certificate-authentication/main.tf b/examples/client-certificate-authentication/main.tf
new file mode 100644
index 0000000..5491e62
--- /dev/null
+++ b/examples/client-certificate-authentication/main.tf
@@ -0,0 +1,54 @@
+provider "solacebroker" {
+ username = "admin"
+ password = "admin"
+ url = "http://localhost:8080"
+}
+
+module "testvpn" {
+ source = "../.."
+
+ msg_vpn_name = "vpn-with-mtls"
+ // No need to set the VPN enabled, it defaults to true
+ // enabled = true
+
+ // example VPN configuration (not strictly required required here because of certificate matching rule configured )
+ authentication_client_cert_enabled = true
+
+ // example certificate matching rule
+ cert_matching_rule_name = "testvpnCertMatchingRule"
+
+ // not required if certificate matching rule is used
+ // authentication_client_cert_certificate_matching_rules_enabled = true
+
+ cert_matching_rule_conditions = [
+ {
+ source = "issuer"
+ expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
+ }
+ ]
+ cert_matching_rule_attribute_filters = [
+ {
+ filter_name = "testFilter"
+ attribute_name = "username"
+ attribute_value = "test"
+ }
+ ]
+}
+
+output "created_vpn" {
+ value = module.testvpn.msg_vpn
+ sensitive = true
+}
+
+output "created_cert_matching_rule" {
+ value = module.testvpn.cert_matching_rule
+}
+
+output "created_cert_matching_rule_conditions" {
+ value = module.testvpn.cert_matching_rule_conditions
+}
+
+output "created_cert_matching_rule_attribute_filters" {
+ value = module.testvpn.cert_matching_rule_attribute_filters
+}
+
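Review bot: The `provider "solacebroker"` block at the top of the main.tf hunk hardcodes `username = "admin"`, `password = "admin"` and a plain-HTTP `url = "http://localhost:8080"`; the README frames this as a local Docker broker, but anyone adapting the example for a real broker is led to commit the SEMP credentials to the repository and send them over an unencrypted connection. Reading them from input variables keeps the example runnable without literals in the file: `username = var.broker_username` and `password = var.broker_password`, with the password variable declared `sensitive = true`, and a comment pointing at an `https://` URL for anything other than the local Docker case. Separately, the comment `// example VPN configuration (not strictly required required here because of certificate matching rule configured )` has a doubled "required" and a stray space before the closing parenthesis; the doc-fix patch later in this series touches the neighbouring comment but not this one.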
diff --git a/examples/oauth-profile/providers.tf b/examples/client-certificate-authentication/providers.tf similarity index 100% rename from examples/oauth-profile/providers.tf rename to examples/client-certificate-authentication/providers.tf diff --git a/examples/customized-acl-and-client-profiles/README.md b/examples/customized-acl-and-client-profiles/README.md index 4827de5..d9eb1cb 100644 --- a/examples/customized-acl-and-client-profiles/README.md +++ b/examples/customized-acl-and-client-profiles/README.md @@ -47,7 +47,7 @@ The sample is available from the module GitHub repo: ```bash git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git -cd examples/basic-vpn +cd examples/customized-acl-and-client-profiles ``` ### Adjust Provider Configuration diff --git a/examples/oauth-profile/README.md b/examples/oauth-authentication/README.md similarity index 99% rename from examples/oauth-profile/README.md rename to examples/oauth-authentication/README.md index 7c3585e..6efb7ce 100644 --- a/examples/oauth-profile/README.md +++ b/examples/oauth-authentication/README.md @@ -48,7 +48,7 @@ The sample is available from the module GitHub repo: ```bash git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git -cd examples/oauth-profile +cd examples/oauth-authentication ``` ### Adjust Provider Configuration diff --git a/examples/oauth-profile/main.tf b/examples/oauth-authentication/main.tf similarity index 100% rename from examples/oauth-profile/main.tf rename to examples/oauth-authentication/main.tf diff --git a/examples/oauth-authentication/providers.tf b/examples/oauth-authentication/providers.tf new file mode 100644 index 0000000..6dd1008 --- /dev/null +++ b/examples/oauth-authentication/providers.tf 
@@ -0,0 +1,24 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform configuration
+
+terraform {
+ required_providers {
+ solacebroker = {
+ source = "registry.terraform.io/solaceproducts/solacebroker"
+ }
+ }
+ required_version = "~> 1.2"
+}
From c794d6f9f5d6be3822679489156600c010536bf2 Mon Sep 17 00:00:00 2001
From: Balazs Czoma
Date: Thu, 21 Mar 2024 08:56:04 -0400
Subject: [PATCH 7/8] client auth doc fixes
---
examples/client-certificate-authentication/README.md | 8 ++++----
examples/client-certificate-authentication/main.tf | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/client-certificate-authentication/README.md b/examples/client-certificate-authentication/README.md
index e04be41..f79b161 100644
--- a/examples/client-certificate-authentication/README.md
+++ b/examples/client-certificate-authentication/README.md
@@ -25,16 +25,16 @@ The module default for the `enabled` variable is true, which enables the message ### Output -The module `created_vpn` and `created_oauth_profile` outputs refer to the created message VPN and the OAuth profile. The claims outputs provide the list of the created required claims. +The module `created_vpn` and `created_cert_matching_rule` outputs refer to the created message VPN and the certificate matching rule. There are also outputs for the list of conditions and attribute filters. ## Created resources This example will create following resources: * `solacebroker_msg_vpn` -* `solacebroker_msg_vpn_authentication_oauth_profile` -* `solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim` -* `solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim` +* `solacebroker_msg_vpn_cert_matching_rule` +* `solacebroker_msg_vpn_cert_matching_rule_condition` +* `solacebroker_msg_vpn_cert_matching_rule_attribute_filter` ## Running the Example diff --git a/examples/client-certificate-authentication/main.tf b/examples/client-certificate-authentication/main.tf index 5491e62..1a66a42 100644 --- a/examples/client-certificate-authentication/main.tf +++ b/examples/client-certificate-authentication/main.tf @@ -17,7 +17,7 @@ module "testvpn" { // example certificate matching rule cert_matching_rule_name = "testvpnCertMatchingRule" - // not required if certificate matching rule is used + // not required if certificate matching rule is configured // authentication_client_cert_certificate_matching_rules_enabled = true cert_matching_rule_conditions = [ From 18c96dc6cfe5b9151f97271c267cf01c75586026 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 09:22:04 -0400 Subject: [PATCH 8/8] Formatting updates --- VERSION | 2 +- ci/module-test/main.tf | 14 +++++----- ci/template-test/main.tf | 14 +++++----- examples/basic-vpn/main.tf | 16 ++++++++++- .../client-certificate-authentication/main.tf | 28 ++++++++++++++----- .../main.tf | 22 ++++++++++++--- examples/oauth-authentication/main.tf | 18 ++++++++++-- examples/services-and-listen-ports/main.tf | 18 ++++++++++-- internal/gen-template/main.tf | 2 +- internal/gen-template/outputs.tf | 4 +-- internal/gen-template/variables.tf | 18 ++++++------ 11 files changed, 113 insertions(+), 43 deletions(-) diff --git a/VERSION b/VERSION index 3738566..f2e984b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.1.0-rc.1 +0.1.0-rc.2 diff --git a/ci/module-test/main.tf b/ci/module-test/main.tf index e899365..0abc538 100644 --- a/ci/module-test/main.tf +++ b/ci/module-test/main.tf @@ -35,14 +35,14 @@ module "testvpn" { cert_matching_rule_name = "testvpnCertMatchingRule" cert_matching_rule_conditions = [ { - source = "issuer" + source = "issuer" expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace" } ] cert_matching_rule_attribute_filters = [ { - filter_name = "testFilter" - attribute_name = "username" + filter_name = "testFilter" + attribute_name = "username" attribute_value = "test" } ] @@ -50,7 +50,7 @@ module "testvpn" { } output "created_msg_vpn" { - value = module.testvpn.msg_vpn + value = module.testvpn.msg_vpn sensitive = true } @@ -63,7 +63,7 @@ output "created_client_profile" { } output "created_oauth_profile" { - value = module.testvpn.oauth_profile + value = module.testvpn.oauth_profile sensitive = true } @@ -100,6 +100,6 @@ module "defaultvpn" { source = "../.." # version = "" - msg_vpn_name = "default" - enabled = false + msg_vpn_name = "default" + enabled = false } 
diff --git a/ci/template-test/main.tf b/ci/template-test/main.tf index 0c27234..8108c83 100644 --- a/ci/template-test/main.tf +++ b/ci/template-test/main.tf @@ -34,21 +34,21 @@ module "testvpn" { cert_matching_rule_name = "testvpnCertMatchingRule" cert_matching_rule_conditions = [ { - source = "issuer" + source = "issuer" expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace" } ] cert_matching_rule_attribute_filters = [ { - filter_name = "testFilter" - attribute_name = "username" + filter_name = "testFilter" + attribute_name = "username" attribute_value = "test" } ] } output "created_msg_vpn" { - value = module.testvpn.msg_vpn + value = module.testvpn.msg_vpn sensitive = true } @@ -61,7 +61,7 @@ output "created_client_profile" { } output "created_oauth_profile" { - value = module.testvpn.oauth_profile + value = module.testvpn.oauth_profile sensitive = true } @@ -96,6 +96,6 @@ module "testvpn2" { module "defaultvpn" { source = "../../internal/gen-template" - msg_vpn_name = "default" - enabled = false + msg_vpn_name = "default" + enabled = false } diff --git a/examples/basic-vpn/main.tf b/examples/basic-vpn/main.tf index c3b5c76..b52d203 100644 --- a/examples/basic-vpn/main.tf +++ b/examples/basic-vpn/main.tf @@ -1,3 +1,17 @@ +# Copyright 2024 Solace Corporation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + provider "solacebroker" { username = "admin" password = "admin" 
@@ -7,7 +21,7 @@ provider "solacebroker" { module "testvpn" { source = "../.." - msg_vpn_name = "myvpn" + msg_vpn_name = "myvpn" // No need to set the VPN enabled, it defaults to true // enabled = true diff --git a/examples/client-certificate-authentication/main.tf b/examples/client-certificate-authentication/main.tf index 1a66a42..24a4b7b 100644 --- a/examples/client-certificate-authentication/main.tf +++ b/examples/client-certificate-authentication/main.tf @@ -1,3 +1,17 @@ +# Copyright 2024 Solace Corporation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + provider "solacebroker" { username = "admin" password = "admin" @@ -7,7 +21,7 @@ provider "solacebroker" { module "testvpn" { source = "../.." - msg_vpn_name = "vpn-with-mtls" + msg_vpn_name = "vpn-with-mtls" // No need to set the VPN enabled, it defaults to true // enabled = true @@ -22,14 +36,14 @@ module "testvpn" { cert_matching_rule_conditions = [ { - source = "issuer" + source = "issuer" expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace" } ] cert_matching_rule_attribute_filters = [ { - filter_name = "testFilter" - attribute_name = "username" + filter_name = "testFilter" + attribute_name = "username" attribute_value = "test" } ] 
@@ -41,14 +55,14 @@ output "created_vpn" { } output "created_cert_matching_rule" { - value = module.testvpn.cert_matching_rule + value = module.testvpn.cert_matching_rule } output "created_cert_matching_rule_conditions" { - value = module.testvpn.cert_matching_rule_conditions + value = module.testvpn.cert_matching_rule_conditions } output "created_cert_matching_rule_attribute_filters" { - value = module.testvpn.cert_matching_rule_attribute_filters + value = module.testvpn.cert_matching_rule_attribute_filters } diff --git a/examples/customized-acl-and-client-profiles/main.tf b/examples/customized-acl-and-client-profiles/main.tf index 21bb942..dc306da 100644 --- a/examples/customized-acl-and-client-profiles/main.tf +++ b/examples/customized-acl-and-client-profiles/main.tf @@ -1,3 +1,17 @@ +# Copyright 2024 Solace Corporation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + provider "solacebroker" { username = "admin" password = "admin" 
@@ -7,10 +21,10 @@ provider "solacebroker" { module "testvpn" { source = "../.." - msg_vpn_name = "vpn-with-acl-and-client-profiles" + msg_vpn_name = "vpn-with-acl-and-client-profiles" // Configure an ACL profile. This example allows clients to connect from any address. All other ACL rules are default - acl_profile_name = "my-acl-profile" + acl_profile_name = "my-acl-profile" client_connect_default_action = "allow" // Configure a client profile. This example disables compression, which is by default enabled. All other client profile settings are default @@ -27,10 +41,10 @@ output "created_vpn" { } output "created_acl_profile" { - value = module.testvpn.acl_profile + value = module.testvpn.acl_profile } output "created_client_profile" { - value = module.testvpn.client_profile + value = module.testvpn.client_profile } diff --git a/examples/oauth-authentication/main.tf b/examples/oauth-authentication/main.tf index e08d325..398abd5 100644 --- a/examples/oauth-authentication/main.tf +++ b/examples/oauth-authentication/main.tf @@ -1,3 +1,17 @@ +# Copyright 2024 Solace Corporation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + provider "solacebroker" { username = "admin" password = "admin" 
@@ -7,11 +21,11 @@ provider "solacebroker" { module "testvpn" { source = "../.." - msg_vpn_name = "vpn-with-oauth" + msg_vpn_name = "vpn-with-oauth" // No need to set the VPN enabled, it defaults to true // enabled = true - oauth_profile_name = "sampleVpnOauthProfile" + oauth_profile_name = "sampleVpnOauthProfile" // with "oauth_profile_name" defined, OAuth authentication will be automatically enabled on the message VPN // no need to set the following: // authentication_oauth_enabled = true diff --git a/examples/services-and-listen-ports/main.tf b/examples/services-and-listen-ports/main.tf index 24ededc..72c4508 100644 --- a/examples/services-and-listen-ports/main.tf +++ b/examples/services-and-listen-ports/main.tf @@ -1,3 +1,17 @@ +# Copyright 2024 Solace Corporation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + provider "solacebroker" { username = "admin" password = "admin" @@ -7,10 +21,10 @@ provider "solacebroker" { module "testvpn" { source = "../.." - msg_vpn_name = "rest-enabled-vpn" + msg_vpn_name = "rest-enabled-vpn" // Enable and configure incoming messaging protocols, for example REST. Note that plain text is not recommended for production use. - service_rest_incoming_plain_text_enabled = true + service_rest_incoming_plain_text_enabled = true service_rest_incoming_plain_text_listen_port = 9001 // Uncomment to disable plain text SMF - however secure transport SMF requires a server certificate installed on the broker 
diff --git a/internal/gen-template/main.tf b/internal/gen-template/main.tf index 0e478e9..923c66b 100644 --- a/internal/gen-template/main.tf +++ b/internal/gen-template/main.tf @@ -2,7 +2,7 @@ locals { oauth_profile_client_required_claims_list = tolist(var.oauth_profile_client_required_claims) oauth_profile_resource_server_required_claims_list = tolist(var.oauth_profile_resource_server_required_claims) cert_matching_rule_conditions_list = tolist(var.cert_matching_rule_conditions) - cert_matching_rule_attribute_filters_list = tolist(var.cert_matching_rule_attribute_filters) + cert_matching_rule_attribute_filters_list = tolist(var.cert_matching_rule_attribute_filters) } resource "solacebroker_msg_vpn" "main" { diff --git a/internal/gen-template/outputs.tf b/internal/gen-template/outputs.tf index 3c0c889..09e41b9 100644 --- a/internal/gen-template/outputs.tf +++ b/internal/gen-template/outputs.tf @@ -1,7 +1,7 @@ # Output variable definitions output "msg_vpn" { - value = try(solacebroker_msg_vpn.main, null) + value = try(solacebroker_msg_vpn.main, null) sensitive = true } @@ -14,7 +14,7 @@ output "client_profile" { } output "oauth_profile" { - value = try(solacebroker_msg_vpn_authentication_oauth_profile.main, null) + value = try(solacebroker_msg_vpn_authentication_oauth_profile.main, null) sensitive = true } diff --git a/internal/gen-template/variables.tf b/internal/gen-template/variables.tf index d24ec61..957647e 100644 --- a/internal/gen-template/variables.tf +++ b/internal/gen-template/variables.tf 
@@ -98,30 +98,30 @@ variable "oauth_profile_client_required_claims" { variable "oauth_profile_resource_server_required_claims" { description = "Additional claims to be verified in the access token. Ignored if `oauth_profile_name` is not set" - type = set(object({ + type = set(object({ claim_name = string claim_value = string })) - default = [] + default = [] } variable "cert_matching_rule_conditions" { description = "The conditions to be added to the Certification Matching Rule. Ignored if `cert_matching_rule_name` is not set" - type = set(object({ - source = string + type = set(object({ + source = string expression = string })) - default = [] + default = [] } variable "cert_matching_rule_attribute_filters" { description = "The filters to be added to the Certification Matching Rule. A Cert Matching Rule Attribute Filter compares a username attribute to a string. Ignored if `cert_matching_rule_name` is not set" - type = set(object({ - filter_name = string - attribute_name = string + type = set(object({ + filter_name = string + attribute_name = string attribute_value = string })) - default = [] + default = [] } #AutoAddAttributes