New release v0.1.0-rc.2

README.md

@@ -44,7 +44,7 @@ Exceptions: the following optional variables' default value differ from the reso
 | `dmr_enabled` | `true` | 
 | `enabled` | `true` | the Message VPN and underlying created objects |
 | `jndi_enabled` | `true` |
-| `max_msg_spool_usage` | 1500 | message VPN |
+| `max_msg_spool_usage` | 1500 | MB, message VPN |
 
 -> The module default for the  optional variable is `true`, which 
 
@@ -82,9 +82,9 @@ Refer to the following configuration examples:
 
 - [Basic VPN](examples/basic-vpn)
 - [Services and listen ports](examples/services-and-listen-ports)
-- [Customized client and ACL profiles](examples/customized-client-and-acl-profiles)
-- [OAuth profile](examples/oauth-profile)
-- [Certification matching rule](examples/certificate-matching-rule)
+- [Customized ACL and client profiles](examples/customized-acl-and-client-profiles)
+- [OAuth authentication](examples/oauth-authentication)
+- [Client certificate authentication](examples/client-certificate-authentication)
 
 ## Module use recommendations
 

VERSION

@@ -1 +1 @@
-0.1.0-rc.1
+0.1.0-rc.2

ci/module-test/main.tf

@@ -35,22 +35,22 @@ module "testvpn" {
   cert_matching_rule_name = "testvpnCertMatchingRule"
   cert_matching_rule_conditions = [
     {
-      source = "issuer"
+      source     = "issuer"
       expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
     }
   ]
   cert_matching_rule_attribute_filters = [
     {
-      filter_name = "testFilter"
-      attribute_name = "username"
+      filter_name     = "testFilter"
+      attribute_name  = "username"
       attribute_value = "test"
     }
   ]
   authentication_kerberos_enabled = true
 }
 
 output "created_msg_vpn" {
-  value = module.testvpn.msg_vpn
+  value     = module.testvpn.msg_vpn
   sensitive = true
 }
 
@@ -63,7 +63,7 @@ output "created_client_profile" {
 }
 
 output "created_oauth_profile" {
-  value = module.testvpn.oauth_profile
+  value     = module.testvpn.oauth_profile
   sensitive = true
 }
 
@@ -100,6 +100,6 @@ module "defaultvpn" {
   source = "../.."
   # version = ""
 
-  msg_vpn_name           = "default"
-  enabled = false
+  msg_vpn_name = "default"
+  enabled      = false
 }

ci/template-test/main.tf

@@ -34,21 +34,21 @@ module "testvpn" {
   cert_matching_rule_name = "testvpnCertMatchingRule"
   cert_matching_rule_conditions = [
     {
-      source = "issuer"
+      source     = "issuer"
       expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
     }
   ]
   cert_matching_rule_attribute_filters = [
     {
-      filter_name = "testFilter"
-      attribute_name = "username"
+      filter_name     = "testFilter"
+      attribute_name  = "username"
       attribute_value = "test"
     }
   ]
 }
 
 output "created_msg_vpn" {
-  value = module.testvpn.msg_vpn
+  value     = module.testvpn.msg_vpn
   sensitive = true
 }
 
@@ -61,7 +61,7 @@ output "created_client_profile" {
 }
 
 output "created_oauth_profile" {
-  value = module.testvpn.oauth_profile
+  value     = module.testvpn.oauth_profile
   sensitive = true
 }
 
@@ -96,6 +96,6 @@ module "testvpn2" {
 module "defaultvpn" {
   source = "../../internal/gen-template"
 
-  msg_vpn_name           = "default"
-  enabled = false
+  msg_vpn_name = "default"
+  enabled      = false
 }

examples/basic-vpn/README.md

@@ -2,7 +2,7 @@
 
 Configuration in this directory creates a basic [message VPN](https://docs.solace.com/Features/VPN/Managing-Message-VPNs.htm) on the PubSub+ event broker, leveraging the Service Terraform module.
 
-The created VPN will enable SMF and WebSocket messaging services with a message spool of 1500 MB assigned by default, as well as use of JNDI and DMR. Refer to the example [Services and listen ports](examples/services-and-listen-ports) how to enable and configure other services including REST, MQTT and AMQP.
+The created VPN will enable SMF and Web Transport messaging services with a message spool of 1500 MB assigned by default, as well as use of JNDI and DMR. Refer to the example [Services and listen ports](examples/services-and-listen-ports) how to enable and configure other services including REST, MQTT and AMQP.
 
 The VPN will include a `default` permissive ACL profile and a client profile, similar to the ones in the `default` message VPN.
 These profiles will enable ready-to-go messaging on the VPN for development and demo purposes. For production use a customized ACL profile and a client profile should be specified as in [this example](examples/customized-client-and-acl-profiles).

examples/basic-vpn/main.tf

@@ -1,3 +1,17 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 provider "solacebroker" {
   username = "admin"
   password = "admin"
@@ -7,7 +21,7 @@ provider "solacebroker" {
 module "testvpn" {
   source = "../.."
 
-  msg_vpn_name           = "myvpn"
+  msg_vpn_name = "myvpn"
 
   // No need to set the VPN enabled, it defaults to true
   // enabled = true

examples/client-certificate-authentication/README.md

@@ -0,0 +1,74 @@
+# Client Certificate Authentication Configuration Example
+
+This example shows how to configure [client certificate authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Client-Cert) (or mTLS) for clients connecting to a PubSub+ event broker at the Message VPN level, leveraging the Service Terraform module.
+
+Note: a pre-requisite for client certificate authentication is broker-level server key, certificate and certificate authorities configured, which is outside the scope of this module.
+
+The module exposes [client certificate authentication related message VPN configuration](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Client-CERT-VPNs) through input variables. It also supports the setup of a [message VPN matching](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#Configur) rule with a set of conditions or a set of attribute filters. Note that if more matching rules are required then these will need to be configured outside the module.
+
+## Module Configuration in the Example
+
+### Required Inputs
+
+* `msg_vpn_name` - set to `vpn-with-mtls` in the example
+
+### Optional Inputs
+
+* `authentication_client_cert_enabled` - set to `true` for client certificate authentication in the example. Automatically enabled if VPN matching is configured
+* `cert_matching_rule_name` - specified if message VPN matching is required
+* `cert_matching_rule_conditions` - a set of conditions for above certificate matching rule
+* `cert_matching_rule_attribute_filters` - a set of filters for above certificate matching rule
+
+Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the documentation of ["solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional).
+
+The module default for the `enabled` variable is true, which enables the message VPN and underlying resources.
+
+### Output
+
+The module `created_vpn` and `created_cert_matching_rule` outputs refer to the created message VPN and the certificate matching rule. There are also outputs for the list of conditions and attribute filters.
+
+## Created resources
+
+This example will create following resources:
+
+* `solacebroker_msg_vpn`
+* `solacebroker_msg_vpn_cert_matching_rule`
+* `solacebroker_msg_vpn_cert_matching_rule_condition`
+* `solacebroker_msg_vpn_cert_matching_rule_attribute_filter`
+
+## Running the Example
+
+### Access to a PubSub+ broker
+
+If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started.
+
+### Sample source code
+
+The sample is available from the module GitHub repo:
+
+```bash
+git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
+cd examples/client-certificate-authentication
+```
+
+### Adjust Provider Configuration
+
+Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker.
+
+### Create the resource
+
+Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm)
+
+Execute from this folder:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` to clean up created resources when no longer needed. Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here.
+
+## Additional Documentation
+
+Refer to the [OAuth Authentication](https://docs.solace.com/Security/Configuring-Client-Authentication.htm#OAuth) section in the PubSub+ documentation.

examples/client-certificate-authentication/main.tf

@@ -0,0 +1,68 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+provider "solacebroker" {
+  username = "admin"
+  password = "admin"
+  url      = "http://localhost:8080"
+}
+
+module "testvpn" {
+  source = "../.."
+
+  msg_vpn_name = "vpn-with-mtls"
+  // No need to set the VPN enabled, it defaults to true
+  // enabled = true
+
+  // example VPN configuration (not strictly required required here because of certificate matching rule configured )
+  authentication_client_cert_enabled = true
+
+  // example certificate matching rule
+  cert_matching_rule_name = "testvpnCertMatchingRule"
+
+  // not required if certificate matching rule is configured
+  // authentication_client_cert_certificate_matching_rules_enabled = true
+
+  cert_matching_rule_conditions = [
+    {
+      source     = "issuer"
+      expression = "C = CA, ST = Ontario, L = Kanata, O = Solace Systems, OU = IT, CN = *.messaging.solace"
+    }
+  ]
+  cert_matching_rule_attribute_filters = [
+    {
+      filter_name     = "testFilter"
+      attribute_name  = "username"
+      attribute_value = "test"
+    }
+  ]
+}
+
+output "created_vpn" {
+  value     = module.testvpn.msg_vpn
+  sensitive = true
+}
+
+output "created_cert_matching_rule" {
+  value = module.testvpn.cert_matching_rule
+}
+
+output "created_cert_matching_rule_conditions" {
+  value = module.testvpn.cert_matching_rule_conditions
+}
+
+output "created_cert_matching_rule_attribute_filters" {
+  value = module.testvpn.cert_matching_rule_attribute_filters
+}
+

examples/client-certificate-authentication/providers.tf

@@ -0,0 +1,24 @@
+# Copyright 2024 Solace Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform configuration
+
+terraform {
+  required_providers {
+    solacebroker = {
+      source = "registry.terraform.io/solaceproducts/solacebroker"
+    }
+  }
+  required_version = "~> 1.2"
+}

examples/customized-acl-and-client-profiles/README.md

@@ -0,0 +1,73 @@
+# Customized ACL and Client Profile Configuration Example
+
+Configuration in this directory shows how to create a customized [ACL profile](https://docs.solace.com/Security/Granting-Clients-Access.htm) or a [client profile](https://docs.solace.com/Security/Assigning-Client-Profiles.htm) on a new message VPN on the PubSub+ event broker, leveraging the Service Terraform module.
+
+A new message VPN will automatically include a permissive `default` ACL profile and a `default` client profile that support development and demo purposes. They are not configurable through module variables. If profiles are required to meet specific requirements, the module enables creating an additional customizable ACL and client profile. At a minimum, a name for the profile must be provided and any non-default attribute values.
+
+## Module Configuration in the Example
+
+### Required Inputs
+
+* `msg_vpn_name` - set to `vpn-with-acl-and-client-profiles` in the example
+
+### Optional Inputs
+
+* `acl_profile_name` - an additional ACL profile will only be created if a name is provided
+* `client_connect_default_action` - a random attribute demonstrating setting a non-default value
+* `client_profile_name` - an additional client profile will only be created if a name is provided
+* `compression_enabled` - a random attribute demonstrating setting a non-default value
+
+Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted then the default for the related resource attribute will be configured on the broker. For attributes and defaults, refer to the documentation of ["solacebroker_msg_vpn"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn#optional), ["solacebroker_msg_vpn_acl_profile"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_acl_profile#optional) and ["solacebroker_msg_vpn_client_profile"](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs/resources/msg_vpn_client_profile#optional).
+
+The module default for the `enabled` variable is true, which enables the message VPN and underlying resources.
+
+### Output
+
+The module `created_vpn` output refers to the created message VPN, `created_acl_profile` and `created_client_profile` refer to the additional ACL and client profiles included in the VPN.
+
+## Created resources
+
+This example will create following resources:
+
+* `solacebroker_msg_vpn`
+* `solacebroker_msg_vpn_acl_profile`
+* `solacebroker_msg_vpn_client_profile`
+
+Note that `default` ACL profile, client profile and client username objects will also be automatically created as part of the new VPN but are only available by referencing their name.
+
+## Running the Example
+
+### Access to a PubSub+ broker
+
+If you don't already have access to a broker, refer to the [Developers page](https://www.solace.dev/) for options to get started.
+
+### Sample source code
+
+The sample is available from the module GitHub repo:
+
+```bash
+git clone https://github.com/SolaceProducts/terraform-solacebroker-rest-delivery.git
+cd examples/customized-acl-and-client-profiles
+```
+
+### Adjust Provider Configuration
+
+Adjust the [provider parameters](https://registry.terraform.io/providers/SolaceProducts/solacebroker/latest/docs#schema) in `main.tf` according to your broker. The example configuration shows settings for a local broker running in Docker.
+
+### Create the resource
+
+Hint: You can verify configuration changes on the broker, before and after, using the [PubSub+ Broker Manager Web UI](https://docs.solace.com/Admin/Broker-Manager/PubSub-Manager-Overview.htm)
+
+Execute from this folder:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` to clean up created resources when no longer needed. Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here.
+
+## Additional Documentation
+
+Refer to the [Configuring Message VPNs](https://docs.solace.com/Features/VPN/Configuring-VPNs.htm) section in the PubSub+ documentation.