Terraform-provider-aws: Provide SASL/SCRAM based client-authentication for aws_msk_cluster

Created on 23 Sep 2020  路  4Comments  路  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In addition to client_authentication possible via tls there is no option provided for SASL/SCRAM based client_authentication in aws_msk_cluster resource. Additionally, there are no/selective resources available for the list of operations possible for kafka (AWS MSK) as mentioned in the reference below.

I am specifically looking for batch-associate-scram-secret operation to enable SASL/SCRAM based authentication via terraform.

New or Affected Resource(s)

  • aws_msk_cluster
  • aws_msk_configuration

Potential Terraform Configuration

Possible option for SASL/SCRAM based authentication can be as follows for the client_authentication Argument Reference

```
resource "aws_msk_cluster" "example" {
cluster_name = "example"
kafka_version = "2.4.1"
number_of_broker_nodes = 3

broker_node_group_info {
instance_type = "kafka.m5.large"
ebs_volume_size = 1000
client_subnets = [
aws_subnet.subnet_az1.id,
aws_subnet.subnet_az2.id,
aws_subnet.subnet_az3.id,
]
security_groups = [aws_security_group.sg.id]
}

client_authentication {
sasl {
secretArnList = [aws_secretsmanager_secret.example-1.arn, aws_secretsmanager_secret.example-2.arn]
}
}

encryption_info {
encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn
}

open_monitoring {
prometheus {
jmx_exporter {
enabled_in_broker = true
}
node_exporter {
enabled_in_broker = true
}
}
}
```

References

enhancement new-resource servickafka
Source
picture dishantkamble
👍20

All 4 comments

Related (enabling SASL/SCRAM on aws_msk_cluster):

The SCRAM secret will need to be a new resource.
It looks like #15302 will address both.

ewbankkit picture ewbankkit on 23 Sep 2020

Any news so far?

PavelDemyanenko picture PavelDemyanenko on 16 Nov 2020
😕3

Hi @dishantkamble et al. 馃憢 dropping a note here that we've just merged in (PR #15302) sasl/scram authentication support in the msk_cluster resource in addition to adding a new resource, namely aws_msk_scram_secret_association for associating secrets with an MSK cluster. These additions will be in v3.18.0 of the Terraform AWS Provider, expected out later today.

sasl/scram auth can be enabled by configuring your resource cluster such as:

resource "aws_msk_cluster" "example" {
  # ... other configuration ...
  client_authentication {
    sasl {
      scram = true
   }
  }

and secrets can be associated with something like:

resource "aws_msk_scram_secret_association" "example" {
  cluster_arn     = aws_msk_cluster.test.arn
  secret_arn_list = [aws_secretsmanager_secret.example1.arn, aws_secretsmanager_secret.example2.arn]
}

a more detailed example is available in https://github.com/hashicorp/terraform-provider-aws/blob/master/website/docs/r/msk_scram_secret_association.html.markdown

anGie44 picture anGie44 on 25 Nov 2020
👍1

This has been released in version 3.18.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

hashibot[bot] picture hashibot[bot] on 25 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

hashibot picture hashibot  路  3Comments
andywirv picture andywirv  路  3Comments
hashibot picture hashibot  路  3Comments
EmmN picture EmmN  路  3Comments
gothrek22 picture gothrek22  路  3Comments