This example shows how to configure client certificate authentication (or mTLS) for clients connecting to a PubSub+ event broker at the Message VPN level, leveraging the Service Terraform module.
Note: before you can enable client certificate authentication, you need an event broker-level server key, certificate, and you must configure certificate authorities. These prerequisites are outside the scope of this module.
The module exposes client certificate authentication related Message VPN configuration through input variables. It also supports the setup of a Message VPN matching rule with a set of conditions or a set of attribute filters. Note that if more matching rules are required then you need to configure them outside the module.
msg_vpn_name- Set tovpn-with-mtlsin the example.
authentication_client_cert_enabled- Set totruefor client certificate.authentication in the example. Automatically enabled if VPN matching is configured.cert_matching_rule_name- Specified if Message VPN matching is required.cert_matching_rule_conditions- A set of conditions for above certificate matching rule.cert_matching_rule_attribute_filters- A set of filters for above certificate matching rule.
Other optional module input variables have the same name as the attributes of the underlying provider resource. If omitted, then the default for the related resource attribute will be configured on the broker. For a list of attributes and the corresponding defaults, see the documentation of "solacebroker_msg_vpn".
The module default for the enabled variable is true, which enables the Message VPN and underlying resources.
The module created_vpn and created_cert_matching_rule outputs refer to the created Message VPN and the certificate matching rule. There are also outputs for the list of conditions and attribute filters.
This example will create the following resources:
solacebroker_msg_vpnsolacebroker_msg_vpn_cert_matching_rulesolacebroker_msg_vpn_cert_matching_rule_conditionsolacebroker_msg_vpn_cert_matching_rule_attribute_filter
If you don't already have access to a broker, see the Developers page for options to get started.
The sample is available from the module GitHub repo:
git clone https://github.com/SolaceProducts/terraform-solacebroker-service.git
cd examples/client-certificate-authenticationAdjust the provider parameters in main.tf according to your broker. The example configuration shows settings for a local broker running in Docker.
Tip: You can verify configuration changes on the broker, before and after, using the PubSub+ Broker Manager Web UI.
Execute from this folder:
terraform init
terraform plan
terraform applyRun terraform destroy to clean up the created resources when they are no longer needed. Note that as part of this command there may be a warning about default objects cannot be deleted, this is normal and expected here.
For more information, see OAuth Authentication section in the PubSub+ documentation.