Fix client_authentication block. Update module versions (#92)
* updates

* Fix `client_authentication` block

* Fix `client_authentication` block

* Fix `client_authentication` block
aknysh authored May 21, 2023
1 parent 1a63c04 commit 1b0169e
Showing 8 changed files with 103 additions and 43 deletions.
1 change: 1 addition & 0 deletions .github/workflows/release-branch.yml
Expand Up @@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
- 'README.*'

permissions:
contents: write
16 changes: 8 additions & 8 deletions README.md
Expand Up @@ -166,8 +166,8 @@ Available targets:

| Name | Source | Version |
|------|--------|---------|
| <a name="module_hostname"></a> [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.12.3 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.0.1 |
| <a name="module_hostname"></a> [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.13.0 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.1.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

## Resources
Expand Down Expand Up @@ -195,15 +195,15 @@ Available targets:
| <a name="input_autoscaling_enabled"></a> [autoscaling\_enabled](#input\_autoscaling\_enabled) | To automatically expand your cluster's storage in response to increased usage, you can enable this. [More info](https://docs.aws.amazon.com/msk/latest/developerguide/msk-autoexpand.html) | `bool` | `true` | no |
| <a name="input_broker_dns_records_count"></a> [broker\_dns\_records\_count](#input\_broker\_dns\_records\_count) | This variable specifies how many DNS records to create for the broker endpoints in the DNS zone provided in the `zone_id` variable.<br>This corresponds to the total number of broker endpoints created by the module.<br>Calculate this number by multiplying the `broker_per_zone` variable by the subnet count.<br>This variable is necessary to prevent the Terraform error:<br>The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. | `number` | `0` | no |
| <a name="input_broker_instance_type"></a> [broker\_instance\_type](#input\_broker\_instance\_type) | The instance type to use for the Kafka brokers | `string` | n/a | yes |
| <a name="input_broker_per_zone"></a> [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone. | `number` | `1` | no |
| <a name="input_broker_per_zone"></a> [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone | `number` | `1` | no |
| <a name="input_broker_volume_size"></a> [broker\_volume\_size](#input\_broker\_volume\_size) | The size in GiB of the EBS volume for the data drive on each broker node | `number` | `1000` | no |
| <a name="input_certificate_authority_arns"></a> [certificate\_authority\_arns](#input\_certificate\_authority\_arns) | List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication | `list(string)` | `[]` | no |
| <a name="input_client_allow_unauthenticated"></a> [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enables unauthenticated access. | `bool` | `false` | no |
| <a name="input_client_allow_unauthenticated"></a> [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enable unauthenticated access | `bool` | `false` | no |
| <a name="input_client_broker"></a> [client\_broker](#input\_client\_broker) | Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT` | `string` | `"TLS"` | no |
| <a name="input_client_sasl_iam_enabled"></a> [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enables client authentication via IAM policies (cannot be set to `true` at the same time as `client_sasl_*_enabled`). | `bool` | `false` | no |
| <a name="input_client_sasl_scram_enabled"></a> [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enables SCRAM client authentication via AWS Secrets Manager (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `bool` | `false` | no |
| <a name="input_client_sasl_scram_secret_association_arns"></a> [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for scram authentication (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `list(string)` | `[]` | no |
| <a name="input_client_sasl_scram_secret_association_enabled"></a> [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enables the list of AWS Secrets Manager secret ARNs for scram authentication | `bool` | `true` | no |
| <a name="input_client_sasl_iam_enabled"></a> [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
| <a name="input_client_sasl_scram_enabled"></a> [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
| <a name="input_client_sasl_scram_secret_association_arns"></a> [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for SCRAM authentication | `list(string)` | `[]` | no |
| <a name="input_client_sasl_scram_secret_association_enabled"></a> [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication | `bool` | `true` | no |
| <a name="input_client_tls_auth_enabled"></a> [client\_tls\_auth\_enabled](#input\_client\_tls\_auth\_enabled) | Set `true` to enable the Client TLS Authentication | `bool` | `false` | no |
| <a name="input_cloudwatch_logs_enabled"></a> [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
| <a name="input_cloudwatch_logs_log_group"></a> [cloudwatch\_logs\_log\_group](#input\_cloudwatch\_logs\_log\_group) | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
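Review bot: the reworded description for `client_sasl_iam_enabled` changes the documented constraint from "cannot be set to `true` at the same time as `client_sasl_*_enabled`" to "Cannot be set to `true` at the same time as `client_tls_auth_enabled`"; that is a change in what the module promises, not a wording cleanup, and nothing in this commit's `main.tf` hunk enforces either version (the `tls` and `sasl` blocks are emitted independently of each other). Either state the constraint the code actually enforces, or drop the sentence from the `client_sasl_iam_enabled` and `client_sasl_scram_enabled` descriptions so users are not steered away from combinations the module accepts. The fix to `client_sasl_scram_secret_association_arns` (removing a "cannot be set to `true`" clause from a `list(string)` input) is correct as written.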
16 changes: 8 additions & 8 deletions docs/terraform.md
Expand Up @@ -16,8 +16,8 @@

| Name | Source | Version |
|------|--------|---------|
| <a name="module_hostname"></a> [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.12.3 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.0.1 |
| <a name="module_hostname"></a> [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.13.0 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.1.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

## Resources
Expand Down Expand Up @@ -45,15 +45,15 @@
| <a name="input_autoscaling_enabled"></a> [autoscaling\_enabled](#input\_autoscaling\_enabled) | To automatically expand your cluster's storage in response to increased usage, you can enable this. [More info](https://docs.aws.amazon.com/msk/latest/developerguide/msk-autoexpand.html) | `bool` | `true` | no |
| <a name="input_broker_dns_records_count"></a> [broker\_dns\_records\_count](#input\_broker\_dns\_records\_count) | This variable specifies how many DNS records to create for the broker endpoints in the DNS zone provided in the `zone_id` variable.<br>This corresponds to the total number of broker endpoints created by the module.<br>Calculate this number by multiplying the `broker_per_zone` variable by the subnet count.<br>This variable is necessary to prevent the Terraform error:<br>The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. | `number` | `0` | no |
| <a name="input_broker_instance_type"></a> [broker\_instance\_type](#input\_broker\_instance\_type) | The instance type to use for the Kafka brokers | `string` | n/a | yes |
| <a name="input_broker_per_zone"></a> [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone. | `number` | `1` | no |
| <a name="input_broker_per_zone"></a> [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone | `number` | `1` | no |
| <a name="input_broker_volume_size"></a> [broker\_volume\_size](#input\_broker\_volume\_size) | The size in GiB of the EBS volume for the data drive on each broker node | `number` | `1000` | no |
| <a name="input_certificate_authority_arns"></a> [certificate\_authority\_arns](#input\_certificate\_authority\_arns) | List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication | `list(string)` | `[]` | no |
| <a name="input_client_allow_unauthenticated"></a> [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enables unauthenticated access. | `bool` | `false` | no |
| <a name="input_client_allow_unauthenticated"></a> [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enable unauthenticated access | `bool` | `false` | no |
| <a name="input_client_broker"></a> [client\_broker](#input\_client\_broker) | Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT` | `string` | `"TLS"` | no |
| <a name="input_client_sasl_iam_enabled"></a> [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enables client authentication via IAM policies (cannot be set to `true` at the same time as `client_sasl_*_enabled`). | `bool` | `false` | no |
| <a name="input_client_sasl_scram_enabled"></a> [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enables SCRAM client authentication via AWS Secrets Manager (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `bool` | `false` | no |
| <a name="input_client_sasl_scram_secret_association_arns"></a> [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for scram authentication (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `list(string)` | `[]` | no |
| <a name="input_client_sasl_scram_secret_association_enabled"></a> [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enables the list of AWS Secrets Manager secret ARNs for scram authentication | `bool` | `true` | no |
| <a name="input_client_sasl_iam_enabled"></a> [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
| <a name="input_client_sasl_scram_enabled"></a> [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
| <a name="input_client_sasl_scram_secret_association_arns"></a> [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for SCRAM authentication | `list(string)` | `[]` | no |
| <a name="input_client_sasl_scram_secret_association_enabled"></a> [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication | `bool` | `true` | no |
| <a name="input_client_tls_auth_enabled"></a> [client\_tls\_auth\_enabled](#input\_client\_tls\_auth\_enabled) | Set `true` to enable the Client TLS Authentication | `bool` | `false` | no |
| <a name="input_cloudwatch_logs_enabled"></a> [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
| <a name="input_cloudwatch_logs_log_group"></a> [cloudwatch\_logs\_log\_group](#input\_cloudwatch\_logs\_log\_group) | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
5 changes: 4 additions & 1 deletion examples/complete/fixtures.us-east-2.tfvars
Expand Up @@ -11,7 +11,7 @@ name = "msk-test"
availability_zones = ["us-east-2a", "us-east-2b"]

# https://docs.aws.amazon.com/msk/latest/developerguide/supported-kafka-versions.html
kafka_version = "3.3.2"
kafka_version = "3.4.0"

broker_per_zone = 2

Expand All @@ -27,3 +27,6 @@ zone_id = "Z3SO0TKDDQ0RGG"
# This variable is necessary to prevent the Terraform error:
# The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created.
broker_dns_records_count = 4

# Unauthenticated cannot be set to `false` without enabling any authentication mechanisms
client_allow_unauthenticated = true
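Review bot: `client_allow_unauthenticated = true` turns the example cluster into one that accepts unauthenticated clients, and the comment above it says it is there only because no other mechanism is enabled. For a test fixture that is tolerable, but it means the new `client_authentication` block in `main.tf` gets no coverage of its `tls` or `sasl` paths. Consider setting `client_sasl_iam_enabled = true` here instead (it needs neither a certificate authority nor a Secrets Manager secret) and leaving `client_allow_unauthenticated` at its default of `false`, so the example exercises the secure configuration rather than the permissive one.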
13 changes: 11 additions & 2 deletions examples/complete/main.tf
Expand Up @@ -4,7 +4,7 @@ provider "aws" {

module "vpc" {
source = "cloudposse/vpc/aws"
version = "2.0.0"
version = "2.1.0"

ipv4_primary_cidr_block = "172.16.0.0/16"

Expand All @@ -13,7 +13,7 @@ module "vpc" {

module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
version = "2.1.0"
version = "2.3.0"

availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
Expand Down Expand Up @@ -51,5 +51,14 @@ module "kafka" {
additional_security_group_rules = var.additional_security_group_rules
inline_rules_enabled = var.inline_rules_enabled

client_allow_unauthenticated = var.client_allow_unauthenticated
client_sasl_scram_enabled = var.client_sasl_scram_enabled
client_sasl_iam_enabled = var.client_sasl_iam_enabled
client_tls_auth_enabled = var.client_tls_auth_enabled
client_sasl_scram_secret_association_enabled = var.client_sasl_scram_secret_association_enabled
client_sasl_scram_secret_association_arns = var.client_sasl_scram_secret_association_arns

certificate_authority_arns = var.certificate_authority_arns

context = module.this.context
}
49 changes: 49 additions & 0 deletions examples/complete/variables.tf
Expand Up @@ -55,3 +55,52 @@ variable "public_access_enabled" {
description = "Enable public access to MSK cluster (given that all of the requirements are met)"
nullable = false
}

variable "client_allow_unauthenticated" {
type = bool
default = false
description = "Enable unauthenticated access"
nullable = false
}

variable "client_sasl_iam_enabled" {
type = bool
default = false
description = "Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
nullable = false
}

variable "client_tls_auth_enabled" {
type = bool
default = false
description = "Set `true` to enable the Client TLS Authentication"
nullable = false
}

variable "client_sasl_scram_enabled" {
type = bool
default = false
description = "Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
nullable = false
}

variable "certificate_authority_arns" {
type = list(string)
default = []
description = "List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication"
nullable = false
}

variable "client_sasl_scram_secret_association_enabled" {
type = bool
default = true
description = "Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication"
nullable = false
}

variable "client_sasl_scram_secret_association_arns" {
type = list(string)
default = []
description = "List of AWS Secrets Manager secret ARNs for SCRAM authentication"
nullable = false
}
34 changes: 16 additions & 18 deletions main.tf
Expand Up @@ -76,7 +76,7 @@ data "aws_msk_broker_nodes" "default" {
# https://github.com/cloudposse/terraform-aws-security-group/blob/master/docs/migration-v1-v2.md
module "security_group" {
source = "cloudposse/security-group/aws"
version = "2.0.1"
version = "2.1.0"

enabled = local.enabled && var.create_security_group

Expand Down Expand Up @@ -168,23 +168,21 @@ resource "aws_msk_cluster" "default" {
encryption_at_rest_kms_key_arn = var.encryption_at_rest_kms_key_arn
}

dynamic "client_authentication" {
for_each = var.client_tls_auth_enabled || var.client_sasl_scram_enabled || var.client_sasl_iam_enabled ? [1] : []
content {
dynamic "tls" {
for_each = var.client_tls_auth_enabled ? [1] : []
content {
certificate_authority_arns = var.certificate_authority_arns
}
}
dynamic "sasl" {
for_each = var.client_sasl_scram_enabled || var.client_sasl_iam_enabled ? [1] : []
content {
scram = var.client_sasl_scram_enabled
iam = var.client_sasl_iam_enabled
}
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster.html#client_authentication
client_authentication {
# Unauthenticated cannot be set to `false` without enabling any authentication mechanisms
unauthenticated = var.client_allow_unauthenticated

dynamic "tls" {
for_each = var.client_tls_auth_enabled ? [1] : []
content {
certificate_authority_arns = var.certificate_authority_arns
}
unauthenticated = var.client_allow_unauthenticated
}

sasl {
scram = var.client_sasl_scram_enabled
iam = var.client_sasl_iam_enabled
}
}
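Review bot: removing the outer `dynamic "client_authentication"` guard means the block is now always emitted, so with every `client_*` flag at its default the resource is sent `unauthenticated = false`, no `tls` block and `sasl { scram = false iam = false }`, which the inline comment on the `unauthenticated` line says the API rejects. Rather than letting users discover that at apply time, add a `lifecycle { precondition { ... } }` on `aws_msk_cluster.default` with a condition such as `var.client_allow_unauthenticated || var.client_tls_auth_enabled || var.client_sasl_scram_enabled || var.client_sasl_iam_enabled` and an `error_message` naming the four inputs, so `terraform plan` fails with a clear message (a variable `validation` block cannot express this because it may only reference its own variable). Also worth confirming that the now-unconditional `sasl` block with both attributes `false` does not produce a perpetual diff against a cluster that has no SASL configured; the previous `dynamic "sasl"` avoided the question by omitting the block entirely.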

Expand Down Expand Up @@ -238,7 +236,7 @@ module "hostname" {
count = local.enabled && var.zone_id != null && var.zone_id != "" ? var.broker_dns_records_count : 0

source = "cloudposse/route53-cluster-hostname/aws"
version = "0.12.3"
version = "0.13.0"

zone_id = var.zone_id
dns_name = var.custom_broker_dns_name == null ? "${module.this.name}-broker-${count.index + 1}" : replace(var.custom_broker_dns_name, "%%ID%%", count.index + 1)
12 changes: 6 additions & 6 deletions variables.tf
Expand Up @@ -16,7 +16,7 @@ variable "broker_instance_type" {
variable "broker_per_zone" {
type = number
default = 1
description = "Number of Kafka brokers per zone."
description = "Number of Kafka brokers per zone"
validation {
condition = var.broker_per_zone > 0
error_message = "The broker_per_zone value must be at least 1."
Expand Down Expand Up @@ -103,35 +103,35 @@ variable "certificate_authority_arns" {
variable "client_allow_unauthenticated" {
type = bool
default = false
description = "Enables unauthenticated access."
description = "Enable unauthenticated access"
nullable = false
}

variable "client_sasl_scram_enabled" {
type = bool
default = false
description = "Enables SCRAM client authentication via AWS Secrets Manager (cannot be set to `true` at the same time as `client_tls_auth_enabled`)."
description = "Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
nullable = false
}

variable "client_sasl_scram_secret_association_enabled" {
type = bool
default = true
description = "Enables the list of AWS Secrets Manager secret ARNs for scram authentication"
description = "Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication"
nullable = false
}

variable "client_sasl_scram_secret_association_arns" {
type = list(string)
default = []
description = "List of AWS Secrets Manager secret ARNs for scram authentication (cannot be set to `true` at the same time as `client_tls_auth_enabled`)."
description = "List of AWS Secrets Manager secret ARNs for SCRAM authentication"
nullable = false
}

variable "client_sasl_iam_enabled" {
type = bool
default = false
description = "Enables client authentication via IAM policies (cannot be set to `true` at the same time as `client_sasl_*_enabled`)."
description = "Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
nullable = false
}
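Review bot: all four authentication-related inputs in this hunk keep `default = false`, so a caller who accepts the defaults now produces exactly the invalid combination (`unauthenticated = false` with no mechanism enabled) that the comment in `main.tf` warns about. Keeping `client_allow_unauthenticated` defaulting to `false` is the right fail-closed choice; rather than nudging users to flip it to `true` as the example fixture does, extend its description to say that when it is `false` at least one of `client_tls_auth_enabled`, `client_sasl_scram_enabled` or `client_sasl_iam_enabled` must be `true`. Separately, "Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication" still does not say what `client_sasl_scram_secret_association_enabled` does; something like "Whether to associate the secrets in `client_sasl_scram_secret_association_arns` with the cluster for SCRAM authentication" would.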


0 comments on commit 1b0169e
