Resource: awsMskScramSecretAssociation
Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.
-> Note: The following assumes the MSK cluster has SASL/SCRAM authentication enabled. See below for example usage or refer to the Username/Password Authentication section of the MSK Developer Guide for more details.
To set up username and password authentication for a cluster, create an awsSecretsmanagerSecret resource and store a username and password in it with an awsSecretsmanagerSecretVersion resource. The secret's name must begin with the prefix AmazonMSK_ (as in the example below), and the secret must be encrypted with a customer-managed AWS KMS key: either reference an existing one or create one with the awsKmsKey resource. Kafka can only read the secret if a resource policy is attached to the awsSecretsmanagerSecret. The awsMskScramSecretAssociation resource attaches that policy automatically, but because the policy is not managed by Terraform it shows up as a diff on every plan/apply. To keep the state clean after creating the secret and associating it with the cluster, declare the policy explicitly with the awsSecretsmanagerSecretPolicy resource, as shown below.
Example Usage
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Fn } from "cdktf";
import * as aws from "./.gen/providers/aws";

const awsKmsKeyExample = new aws.kmsKey.KmsKey(this, "example", {
  description: "Example Key for MSK Cluster Scram Secret Association",
});
const awsMskClusterExample = new aws.mskCluster.MskCluster(this, "example_1", {
  clientAuthentication: {
    sasl: {
      scram: true,
    },
  },
  clusterName: "example",
});
/* This allows the Terraform resource name to match the original name. You can remove
   the call if you don't need them to match. The same applies to every
   overrideLogicalId call below. */
awsMskClusterExample.overrideLogicalId("example");
const awsSecretsmanagerSecretExample =
  new aws.secretsmanagerSecret.SecretsmanagerSecret(this, "example_2", {
    // The secret must use a customer-managed KMS key and carry the AmazonMSK_ prefix.
    kmsKeyId: awsKmsKeyExample.keyId,
    name: "AmazonMSK_example",
  });
awsSecretsmanagerSecretExample.overrideLogicalId("example");
const awsSecretsmanagerSecretVersionExample =
  new aws.secretsmanagerSecretVersion.SecretsmanagerSecretVersion(this, "example_3", {
    secretId: awsSecretsmanagerSecretExample.id,
    // Fn.jsonencode renders Terraform's jsonencode() call; note that the
    // resulting credentials are stored in Terraform state.
    secretString: Fn.jsonencode({ username: "user", password: "pass" }),
  });
awsSecretsmanagerSecretVersionExample.overrideLogicalId("example");
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_4", {
    statement: [
      {
        sid: "AWSKafkaResourcePolicy",
        effect: "Allow",
        // Only the Kafka service principal needs to read this secret.
        principals: [
          {
            type: "Service",
            identifiers: ["kafka.amazonaws.com"],
          },
        ],
        actions: ["secretsmanager:GetSecretValue"],
        resources: [awsSecretsmanagerSecretExample.arn],
      },
    ],
  });
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsMskScramSecretAssociationExample =
  new aws.mskScramSecretAssociation.MskScramSecretAssociation(this, "example_5", {
    clusterArn: awsMskClusterExample.arn,
    secretArnList: [awsSecretsmanagerSecretExample.arn],
    // The secret version must exist before the association is created,
    // otherwise Kafka has nothing to read.
    dependsOn: [awsSecretsmanagerSecretVersionExample],
  });
awsMskScramSecretAssociationExample.overrideLogicalId("example");
const awsSecretsmanagerSecretPolicyExample =
  new aws.secretsmanagerSecretPolicy.SecretsmanagerSecretPolicy(this, "example_6", {
    policy: dataAwsIamPolicyDocumentExample.json,
    secretArn: awsSecretsmanagerSecretExample.arn,
  });
awsSecretsmanagerSecretPolicyExample.overrideLogicalId("example");
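The requirements stated above (AmazonMSK_ name prefix, customer-managed KMS key, a username/password JSON document, and a resource policy that lets the Kafka service principal call GetSecretValue) can be checked offline before anything is applied. The following is an added example and not part of the provider documentation or the provider's code: the interfaces, function names and sample ARNs are assumptions made for this illustration.

```typescript
// Added example (not from the provider docs): offline pre-flight checks that
// mirror the documented requirements for an MSK SCRAM secret. All names and
// sample values below are constructed for illustration.

interface MskSecretSpec {
  name: string;          // Secrets Manager secret name
  kmsKeyId?: string;     // key id, ARN or alias the secret is encrypted with
  secretString: string;  // JSON document holding username and password
}

interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { Service?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

/** Reasons the secret would be rejected or unusable by MSK; an empty list means OK. */
function checkMskSecret(spec: MskSecretSpec): string[] {
  const problems: string[] = [];
  if (!spec.name.startsWith("AmazonMSK_")) {
    problems.push(`name "${spec.name}" lacks the required AmazonMSK_ prefix`);
  }
  if (!spec.kmsKeyId) {
    problems.push("no KMS key set; the default aws/secretsmanager key is not accepted");
  } else if (spec.kmsKeyId.includes("alias/aws/")) {
    // AWS-managed keys live under the alias/aws/ namespace; MSK needs a customer-managed key.
    problems.push(`kmsKeyId "${spec.kmsKeyId}" is an AWS-managed key`);
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(spec.secretString);
  } catch {
    problems.push("secretString is not valid JSON");
    return problems;
  }
  const obj = parsed as Record<string, unknown> | null;
  if (typeof obj?.username !== "string" || typeof obj?.password !== "string") {
    problems.push('secretString must be a JSON object with string "username" and "password"');
  }
  return problems;
}

/** True when the resource policy lets kafka.amazonaws.com call GetSecretValue on the secret. */
function kafkaCanReadSecret(doc: PolicyDocument, secretArn: string): boolean {
  return doc.Statement.some(
    (s) =>
      s.Effect === "Allow" &&
      asList(s.Principal?.Service).includes("kafka.amazonaws.com") &&
      // IAM matches action names case-insensitively, so compare lower-cased.
      asList(s.Action).some((a) => a.toLowerCase() === "secretsmanager:getsecretvalue") &&
      asList(s.Resource).some((r) => r === secretArn || r === "*")
  );
}

// Constructed sample values (not real account data).
const SECRET_ARN =
  "arn:aws:secretsmanager:us-east-1:123456789012:secret:AmazonMSK_example-AbCdEf";

const goodSecret: MskSecretSpec = {
  name: "AmazonMSK_example",
  kmsKeyId: "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
  secretString: JSON.stringify({ username: "user", password: "pass" }),
};

const badSecret: MskSecretSpec = {
  name: "example",                         // missing prefix
  kmsKeyId: "alias/aws/secretsmanager",    // AWS-managed key
  secretString: '{"username": "user"}',    // no password
};

const goodPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AWSKafkaResourcePolicy",
      Effect: "Allow",
      Principal: { Service: "kafka.amazonaws.com" },
      Action: "secretsmanager:GetSecretValue",
      Resource: SECRET_ARN,
    },
  ],
};

const wrongPrincipalPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { Service: "ec2.amazonaws.com" },
      Action: "secretsmanager:GetSecretValue",
      Resource: "*",
    },
  ],
};

console.log(checkMskSecret(goodSecret));                            // []
console.log(checkMskSecret(badSecret));                             // three problems
console.log(kafkaCanReadSecret(goodPolicy, SECRET_ARN));            // true
console.log(kafkaCanReadSecret(wrongPrincipalPolicy, SECRET_ARN));  // false
```

Running checkMskSecret over the secret definition and kafkaCanReadSecret over the rendered policy JSON before apply catches the cases that otherwise surface only as an association failure at runtime, and the policy check is deliberately scoped to the Kafka service principal so that a wider grant is reported as missing rather than silently accepted.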
Argument Reference
The following arguments are supported:
clusterArn - (Required, Forces new resource) Amazon Resource Name (ARN) of the MSK cluster.
secretArnList - (Required) List of AWS Secrets Manager secret ARNs.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id - Amazon Resource Name (ARN) of the MSK cluster.
Import
MSK SCRAM Secret Associations can be imported using the id, e.g.,