Resource: awsMskScramSecretAssociation

Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.

-> Note: The following assumes the MSK cluster has SASL/SCRAM authentication enabled. See below for example usage or refer to the Username/Password Authentication section of the MSK Developer Guide for more details.

To set up username and password authentication for a cluster, create an awsSecretsmanagerSecret resource and associate a username and password with the secret using an awsSecretsmanagerSecretVersion resource. When creating a secret for the cluster, the name must have the prefix AmazonMSK_, and you must either use an existing customer-managed AWS KMS key or create a new one for the secret with the awsKmsKey resource. Note that a resource policy is required on the awsSecretsmanagerSecret so that Kafka is able to read it. This policy is attached automatically when the awsMskScramSecretAssociation is used; however, because it is not managed in Terraform, it will present a diff on every plan/apply. For that reason, use the awsSecretsmanagerSecretPolicy resource as shown below to ensure that the state is clean after the secret is created and associated with the cluster.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as aws from "./.gen/providers/aws";

// Customer-managed KMS key: MSK does not accept secrets encrypted with the
// default aws/secretsmanager key.
const awsKmsKeyExample = new aws.kmsKey.KmsKey(this, "example", {
  description: "Example Key for MSK Cluster Scram Secret Association",
});
// Cluster with SASL/SCRAM client authentication enabled.
const awsMskClusterExample = new aws.mskCluster.MskCluster(this, "example_1", {
  clientAuthentication: {
    sasl: {
      scram: true,
    },
  },
  clusterName: "example",
});
/*This allows the Terraform resource name to match the original name. You can
remove the call if you don't need them to match (same for the calls below).*/
awsMskClusterExample.overrideLogicalId("example");
// The secret name must carry the AmazonMSK_ prefix.
const awsSecretsmanagerSecretExample =
  new aws.secretsmanagerSecret.SecretsmanagerSecret(this, "example_2", {
    kmsKeyId: awsKmsKeyExample.keyId,
    name: "AmazonMSK_example",
  });
awsSecretsmanagerSecretExample.overrideLogicalId("example");
// Credentials are stored as a JSON object with username and password keys
// (placeholder values here); Fn.jsonencode renders the Terraform jsonencode() call.
const awsSecretsmanagerSecretVersionExample =
  new aws.secretsmanagerSecretVersion.SecretsmanagerSecretVersion(
    this,
    "example_3",
    {
      secretId: awsSecretsmanagerSecretExample.id,
      secretString: Fn.jsonencode({ username: "user", password: "pass" }),
    }
  );
awsSecretsmanagerSecretVersionExample.overrideLogicalId("example");
// Resource policy that lets the Kafka service principal read this secret only.
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_4", {
    statement: [
      {
        actions: ["secretsmanager:GetSecretValue"],
        effect: "Allow",
        principals: [
          {
            identifiers: ["kafka.amazonaws.com"],
            type: "Service",
          },
        ],
        resources: [awsSecretsmanagerSecretExample.arn],
        sid: "AWSKafkaResourcePolicy",
      },
    ],
  });
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsMskScramSecretAssociationExample =
  new aws.mskScramSecretAssociation.MskScramSecretAssociation(
    this,
    "example_5",
    {
      clusterArn: awsMskClusterExample.arn,
      // Ensure the secret has a value before MSK tries to read it.
      dependsOn: [awsSecretsmanagerSecretVersionExample],
      secretArnList: [awsSecretsmanagerSecretExample.arn],
    }
  );
awsMskScramSecretAssociationExample.overrideLogicalId("example");
// Manage the resource policy explicitly so the one MSK attaches does not
// show up as drift on every plan.
const awsSecretsmanagerSecretPolicyExample =
  new aws.secretsmanagerSecretPolicy.SecretsmanagerSecretPolicy(
    this,
    "example_6",
    {
      policy: dataAwsIamPolicyDocumentExample.json,
      secretArn: awsSecretsmanagerSecretExample.arn,
    }
  );
awsSecretsmanagerSecretPolicyExample.overrideLogicalId("example");
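The constraints above (AmazonMSK_ prefix, customer-managed KMS key, explicit resource policy for kafka.amazonaws.com, and associations that only reference managed secrets) can be checked before apply. The following is an added example, not code from the provider or its docs: a lint over the Terraform JSON that cdktf synth emits, run here against a constructed sample document; the function and resource names are assumptions.

```typescript
// Added example (not the provider's code): lint synthesized Terraform JSON, the shape cdktf synth emits, against the MSK SASL/SCRAM secret rules above.
type Block = Record<string, any>;
type TfJson = { resource?: Record<string, Record<string, Block>> };
const list = (v: any): any[] => ([] as any[]).concat(v || []);
// True if an IAM policy JSON string lets kafka.amazonaws.com call GetSecretValue.
function allowsKafkaRead(policyJson: unknown): boolean {
  if (typeof policyJson !== "string") return false;
  let doc: any;
  try { doc = JSON.parse(policyJson); } catch { return false; }
  return list(doc.Statement).some((s) => s.Effect === "Allow" &&
    list(s.Principal?.Service).indexOf("kafka.amazonaws.com") >= 0 &&
    list(s.Action).some((a) => String(a).toLowerCase() === "secretsmanager:getsecretvalue"));
}
function lintMskScramSecrets(tf: TfJson): string[] {
  const res = tf.resource || {}, secrets = res.aws_secretsmanager_secret || {};
  const pols = res.aws_secretsmanager_secret_policy || {}, policies = Object.keys(pols).map((k) => pols[k]);
  const findings: string[] = [];
  for (const name of Object.keys(secrets)) {
    const cfg = secrets[name], ref = `aws_secretsmanager_secret.${name}`;
    // MSK only accepts secrets whose name carries the AmazonMSK_ prefix.
    if (typeof cfg.name !== "string" || cfg.name.indexOf("AmazonMSK_") !== 0)
      findings.push(`${ref}: name must start with AmazonMSK_`);
    // A customer-managed KMS key is required; the default Secrets Manager key is not accepted.
    if (!cfg.kms_key_id) findings.push(`${ref}: kms_key_id must reference a customer-managed KMS key`);
    // Without an explicit resource policy the auto-attached one shows as drift on every plan.
    if (!policies.some((p) => p.secret_arn === `\${${ref}.arn}` && allowsKafkaRead(p.policy)))
      findings.push(`${ref}: no aws_secretsmanager_secret_policy granting kafka.amazonaws.com GetSecretValue`);
  }
  // Every ARN in secret_arn_list should point at a secret managed in this document.
  const assocs = res.aws_msk_scram_secret_association || {};
  for (const name of Object.keys(assocs)) for (const arn of list(assocs[name].secret_arn_list)) {
    const m = /^\$\{aws_secretsmanager_secret\.([^.]+)\.arn\}$/.exec(String(arn));
    if (!m || !secrets[m[1]])
      findings.push(`aws_msk_scram_secret_association.${name}: ${arn} is not a secret in this config`);
  }
  return findings;
}

// Constructed sample: one compliant secret; one with a bad name, no KMS key and no policy;
// and an association that also lists an ARN managed outside this configuration.
const SAMPLE: TfJson = { resource: {
  aws_secretsmanager_secret: {
    good: { name: "AmazonMSK_example", kms_key_id: "${aws_kms_key.example.key_id}" },
    bad: { name: "msk-creds" } },
  aws_secretsmanager_secret_policy: { good: { secret_arn: "${aws_secretsmanager_secret.good.arn}",
    policy: JSON.stringify({ Statement: [{ Effect: "Allow", Principal: { Service: "kafka.amazonaws.com" },
      Action: "secretsmanager:GetSecretValue", Resource: "*" }] }) } },
  aws_msk_scram_secret_association: { example: { secret_arn_list: ["${aws_secretsmanager_secret.good.arn}",
    "${aws_secretsmanager_secret.bad.arn}", "arn:aws:secretsmanager:us-west-2:123456789012:secret:AmazonMSK_external-AbCdEf"] } } } };
```

Running lintMskScramSecrets(SAMPLE) reports three findings for the bad secret and one for the external ARN, and nothing for the compliant secret.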

Argument Reference

The following arguments are supported:

  • clusterArn - (Required, Forces new resource) Amazon Resource Name (ARN) of the MSK cluster.
  • secretArnList - (Required) List of AWS Secrets Manager secret ARNs.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Amazon Resource Name (ARN) of the MSK cluster.

Import

MSK SCRAM Secret Associations can be imported using the id (the cluster ARN), e.g.,

$ terraform import aws_msk_scram_secret_association.example arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3