This Terraform module encapsulates a Message VPN including client and ACL profiles, resource limits and service on the Solace PubSub+ Event Broker.
You can use this module to create a new Message VPN with a permissive `default` ACL and client profile, ready for messaging. You can also define an optional additional fully customizable ACL and client profile. The module also adds advanced client certificate authentication and OAuth authentication configuration support.
Note: the `default` client username that is automatically created with the new Message VPN is disabled. We recommend that you use the Client Module to set up a client username if required. In addition, services that require Message VPN specific ports, including REST, MQTT etc. are disabled by default and need to be enabled/configured through optional variables.
Use case details are provided in the Examples section.
- `msg_vpn_name` - The name of the new Message VPN to be created.
- `acl_profile_name` - The name of the optionally added ACL profile. A `default` profile is always created and if left at default empty then no additional ACL profile will be created.
- `client_profile_name` - The name of the optionally added client profile. A `default` profile is always created and if left at default empty then no additional ACL profile will be created.
- `oauth_profile_name` - The name of an optionally added OAuth profile. Note that there will be no OAuth profile created unless a non-empty name is provided.
- `oauth_profile_client_required_claims` - A set of optional client-required claims.
- `oauth_profile_resource_server_required_claims` - A set of optional server-required claims.
- `cert_matching_rule_name` - The name of an optionally added certificate matching rule. Note that there will be no certificate matching rule created unless a non-empty name is provided.
- `cert_matching_rule_conditions` - A set of optional certificate matching rule conditions.
- `cert_matching_rule_attribute_filters` - A set of optional certificate matching rule attribute filters.
Additional optional module variable names are the same as the underlying resource attributes. To determine the variable name mappings, we recommend that you look for matching attribute names in the documentation for the resource:
Resource name |
---|
solacebroker_msg_vpn |
solacebroker_msg_vpn_acl_profile |
solacebroker_msg_vpn_client_profile |
solacebroker_msg_vpn_authentication_oauth_profile |
The default value for most of the optional variables is `null`, meaning that if you don’t provide a value then the default value of the resource is provisioned on the event broker.
Exceptions: the default values of the following optional variables differ from the resource attribute defaults:
Input variable | Default value | Note |
---|---|---|
authentication_basic_type | internal | |
dmr_enabled | true | |
enabled | true | The Message VPN and underlying created objects |
jndi_enabled | true | |
max_msg_spool_usage | 1500 | MB, Message VPN |
Module outputs provide reference to created resources. Any reference to a resource that has not been created will be set to `(null)`.
Note that the "Message VPN" output is sensitive due to some sensitive attributes it contains.
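A restrictive invocation of the module, added here as an illustration and not taken from the module's own examples. The module source is a placeholder, the names and port are constructed sample values, the input names follow the resource attribute names as described above, and the `msg_vpn` output name is an assumption.

```hcl
terraform {
  required_providers {
    solacebroker = {
      source  = "solaceproducts/solacebroker"
      version = ">= 1.0" # constraint from the provider requirements table
    }
  }
}

module "orders_vpn" {
  source = "<module-source>" # placeholder: registry address or local path of this module

  msg_vpn_name = "orders" # constructed sample name

  # Message VPN attributes (solacebroker_msg_vpn)
  authentication_basic_type = "internal" # module default, stated explicitly
  dmr_enabled               = false      # module default is true
  jndi_enabled              = false      # module default is true
  max_msg_spool_usage       = 500        # MB; module default is 1500

  # VPN-specific services are off unless enabled here: expose MQTT over TLS only
  service_mqtt_tls_enabled        = true
  service_mqtt_tls_listen_port    = 8883 # constructed sample port
  service_mqtt_plain_text_enabled = false

  # Additional ACL profile that denies by default (solacebroker_msg_vpn_acl_profile).
  # Exception resources are not in this module's resource list, so the
  # allow-list entries for each application are managed elsewhere.
  acl_profile_name               = "orders-acl"
  client_connect_default_action  = "disallow"
  publish_topic_default_action   = "disallow"
  subscribe_topic_default_action = "disallow"
}

# The Message VPN output is sensitive, so a root output that re-exports it
# must also be marked sensitive or Terraform rejects the configuration.
output "orders_vpn" {
  value     = module.orders_vpn.msg_vpn # output name assumed; check the module's outputs
  sensitive = true
}
```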
Name | Version |
---|---|
solacebroker | >= 1.0 |
The following table shows the resources created. "X" denotes a resource that is always created, "O" denotes a resource that you have the option to create.
Name | | Notes |
---|---|---|
solacebroker_msg_vpn | X | |
solacebroker_msg_vpn_acl_profile | O | This is an additional configurable profile. A default ACL profile is always created. |
solacebroker_msg_vpn_client_profile | O | This is an additional configurable profile. A default client profile is always created. |
solacebroker_msg_vpn_authentication_oauth_profile | O | |
solacebroker_msg_vpn_authentication_oauth_profile_client_required_claim | O | This requires the above certificate matching rule and will be assigned to that rule upon creation. |
solacebroker_msg_vpn_authentication_oauth_profile_resource_server_required_claim | O | This requires the above certificate matching rule and will be assigned to that rule upon creation. |
solacebroker_msg_vpn_cert_matching_rule | O | |
solacebroker_msg_vpn_cert_matching_rule_condition | O | Requires above certificate matching rule and it will be assigned to that |
solacebroker_msg_vpn_cert_matching_rule_attribute_filter | O | Requires above certificate matching rule and it will be assigned to that |
The following examples demonstrate several specific use cases for this module:
- Basic VPN
- Services and listen ports
- Customized ACL and client profiles
- OAuth authentication
- Client certificate authentication
This module is expected to be used primarily by middleware teams. It is primarily concerned with setting an environment and constraints where application developer teams may add their specific requirements through the Solace Client, Queues & Endpoints, JNDI or REST Delivery modules. This module may be forked and adjusted with private defaults.
For more information about Solace technology in general, please visit these resources:
- Solace Technical Documentation
- The Solace Developer Portal website at: solace.dev
- Understanding Solace technology
- Ask the Solace community.