diff --git a/docs/io.md b/docs/io.md
index 7f637e5..a2632a7 100644
--- a/docs/io.md
+++ b/docs/io.md
@@ -9,6 +9,7 @@
 | client\_authentication\_sasl\_iam | Enables IAM client authentication | `bool` | `false` | no |
 | client\_authentication\_sasl\_scram | Enables SCRAM client authentication via AWS Secrets Manager | `bool` | `false` | no |
 | client\_authentication\_tls\_certificate\_authority\_arns | List of ACM Certificate Authority Amazon Resource Names (ARNs) | `list(string)` | `[]` | no |
+| client\_authentication\_unauthenticated | (Optional) Enables unauthenticated access. | `bool` | `false` | no |
 | cloudwatch\_log\_group\_kms\_key\_id | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | cloudwatch\_log\_group\_name | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
 | cloudwatch\_log\_group\_retention\_in\_days | Specifies the number of days you want to retain log events in the log group | `number` | `0` | no |
diff --git a/examples/example.tf b/examples/example.tf
index 215906c..0f81eb5 100644
--- a/examples/example.tf
+++ b/examples/example.tf
@@ -122,6 +122,54 @@ module "http_https" {
 ]
 }
 
+module "kafka_sg" {
+ source = "clouddrove/security-group/aws"
+ version = "2.0.0"
+
+ name = "${local.name}-kafka"
+ environment = local.environment
+ vpc_id = module.vpc.vpc_id
+
+ new_sg_ingress_rules_with_cidr_blocks = [
+ {
+ rule_count = 1
+ from_port = 9092
+ protocol = "tcp"
+ to_port = 9092
+ cidr_blocks = [local.vpc_cidr_block]
+ description = "Allow Kafka plaintext on port 9092"
+ },
+ {
+ rule_count = 2
+ from_port = 9094
+ protocol = "tcp"
+ to_port = 9094
+ cidr_blocks = [local.vpc_cidr_block]
+ description = "Allow Kafka TLS on port 9094"
+ }
+ ]
+
+ new_sg_egress_rules_with_cidr_blocks = [
+ {
+ rule_count = 1
+ from_port = 9092
+ protocol = "tcp"
+ to_port = 9092
+ cidr_blocks = [local.vpc_cidr_block]
+ description = "Egress for Kafka on port 9092"
+ },
+ {
+ rule_count = 2
+ from_port = 9094
+ protocol = "tcp"
+ to_port = 9094
+ cidr_blocks = [local.vpc_cidr_block]
+ description = "Egress for Kafka on port 9094"
+ }
+ ]
+}
+
+
 module "s3_bucket" {
 source = "clouddrove/s3/aws"
 version = "2.0.0"
@@ -189,7 +237,7 @@ module "kafka" {
 broker_node_client_subnets = module.subnets.private_subnet_id
 broker_node_ebs_volume_size = 20
 broker_node_instance_type = "kafka.t3.small"
- broker_node_security_groups = [module.ssh.security_group_id, module.http_https.security_group_id]
+ broker_node_security_groups = [module.ssh.security_group_id, module.http_https.security_group_id, module.kafka_sg.security_group_id]
 encryption_in_transit_client_broker = "TLS"
 encryption_in_transit_in_cluster = true
diff --git a/main.tf b/main.tf
index 8a5bd92..7df6726 100644
--- a/main.tf
+++ b/main.tf
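Review bot: The new `kafka_sg` module opens TCP 9092 (the plaintext listener) to the entire VPC CIDR, while the cluster it is attached to in the second hunk of this file keeps `encryption_in_transit_client_broker = "TLS"`, so the brokers in this example do not serve plaintext and the `rule_count = 1` ingress and egress objects are dead rules that also contradict the example's TLS-only posture. I would remove both 9092 objects and keep only the 9094 rules, or gate them on the example's transit-encryption setting, and add a comment on the ingress list naming the listener each rule serves, e.g. `# 9094: TLS client listener; add the SASL/SCRAM or IAM listener ports only when the matching client_authentication_* input is enabled`. The VPC-wide source CIDR could likewise be narrowed to the client subnets or a client security group, since the brokers live in `module.subnets.private_subnet_id`. In the second hunk, now that a purpose-built group exists, `module.ssh.security_group_id` and `module.http_https.security_group_id` on `broker_node_security_groups` look unnecessary for brokers that only serve Kafka listeners; unless they serve a purpose I cannot see here, dropping them keeps the example at least-privilege.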
@@ -14,7 +14,7 @@ locals {
 #tfsec:ignore:aws-msk-enable-logging
 resource "aws_msk_cluster" "msk-cluster" {
 count = var.msk_cluster_enabled ? 1 : 0
- cluster_name = format("%s-mks-cluster", module.labels.id)
+ cluster_name = module.labels.id
 kafka_version = var.kafka_version
 number_of_broker_nodes = var.kafka_broker_number
 enhanced_monitoring = var.enhanced_monitoring
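Review bot: Changing `cluster_name` from `format("%s-mks-cluster", module.labels.id)` to `module.labels.id` forces replacement of the cluster: `cluster_name` cannot be updated in place on `aws_msk_cluster`, so every existing deployment of this module will see a destroy-and-recreate of its MSK cluster, with its topics and data, on the next apply. Nothing in the diff records that; the change needs an upgrade note in the changelog/README telling callers to expect the replacement, and a `terraform plan` against an existing state should confirm it is intended rather than a side effect of fixing the `mks` typo. A short comment on the line, `# NOTE: renaming forces cluster replacement; see upgrade notes`, would stop the next maintainer from repeating the surprise. The `resource` block continues past this hunk.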
@@ -31,32 +31,45 @@ resource "aws_msk_cluster" "msk-cluster" {
 }
 dynamic "client_authentication" {
- for_each = length(var.client_authentication_tls_certificate_authority_arns) > 0 || var.client_authentication_sasl_scram || var.client_authentication_sasl_iam ? [1] : []
+ for_each = (
+ (
+ var.client_authentication_tls_certificate_authority_arns != null &&
+ length(var.client_authentication_tls_certificate_authority_arns) > 0
+ ) ||
+ (var.client_authentication_sasl_scram != null) ||
+ (var.client_authentication_sasl_iam != null) ||
+ (var.client_authentication_unauthenticated != null)
+ ) ? [1] : []
 content {
 dynamic "tls" {
- for_each = length(var.client_authentication_tls_certificate_authority_arns) > 0 ? [1] : []
+ for_each = (
+ var.client_authentication_tls_certificate_authority_arns != null &&
+ length(var.client_authentication_tls_certificate_authority_arns) > 0
+ ) ? [1] : []
+
 content {
 certificate_authority_arns = var.client_authentication_tls_certificate_authority_arns
 }
 }
- dynamic "sasl" {
- for_each = var.client_authentication_sasl_iam ? [1] : []
- content {
- iam = var.client_authentication_sasl_iam
- }
+ sasl {
+ iam = var.client_authentication_sasl_iam != null ? var.client_authentication_sasl_iam : false
+ scram = var.client_authentication_sasl_scram != null ? var.client_authentication_sasl_scram : false
 }
- dynamic "sasl" {
- for_each = var.client_authentication_sasl_scram ? [1] : []
- content {
- scram = var.client_authentication_sasl_scram
- }
- }
+ unauthenticated = var.client_authentication_unauthenticated != null ? var.client_authentication_unauthenticated : false
 }
 }
+ # Ignore empty tls{} block to avoid unnecessary drifts from AWS-managed state
+ lifecycle {
+ ignore_changes = [
+ client_authentication[0].tls
+ ]
+ }
+
+
 configuration_info {
 arn = join("", aws_msk_configuration.this[*].arn)
 revision = join("", aws_msk_configuration.this[*].latest_revision)
diff --git a/variables.tf b/variables.tf
index 7d81614..6a3d6fa 100644
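Review bot: The `!= null` tests in the new `for_each` are true for the defaults of `client_authentication_sasl_iam`, `client_authentication_sasl_scram` and `client_authentication_unauthenticated`, which variables.tf declares as `bool` with `default = false`, so the `client_authentication` block is now emitted on every apply rather than only when an authentication method is configured. That silently changes what a caller with default inputs gets: previously no block was sent and the cluster fell back to the AWS default for client access, whereas now it is created with `sasl { iam = false scram = false }`, no `tls`, and `unauthenticated = false`, i.e. no enabled authentication method at all, which I would expect the API to reject; please verify with a default-input plan/apply, and if an explicit "no unauthenticated access unless opted in" default is the intent, call it out in the README as a breaking change. If the previous behaviour is wanted, test the booleans themselves, `for_each = length(var.client_authentication_tls_certificate_authority_arns) > 0 || var.client_authentication_sasl_scram || var.client_authentication_sasl_iam || var.client_authentication_unauthenticated ? [1] : []`, and set `unauthenticated = var.client_authentication_unauthenticated` directly. The new `lifecycle { ignore_changes = [client_authentication[0].tls] }` is broader than its comment states: it stops Terraform from applying any later change to `client_authentication_tls_certificate_authority_arns` and from detecting an out-of-band change to the cluster's trusted CAs, so drift in an authentication control goes unnoticed, and the comment should say so, e.g. `# NOTE: CA ARN changes after creation are not applied or detected by this module`, while checking whether the drift disappears once the block is emitted only when TLS is configured. The `resource` block begins before and continues after this hunk.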
--- a/variables.tf
+++ b/variables.tf
@@ -100,6 +100,12 @@ variable "client_authentication_sasl_iam" {
 description = "Enables IAM client authentication"
 }
 
+variable "client_authentication_unauthenticated" {
+ type = bool
+ default = false
+ description = "(Optional) Enables unauthenticated access."
+}
+
 variable "encryption_in_transit_client_broker" {
 type = string
 default = null
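Review bot: The description of the new `client_authentication_unauthenticated` input, `(Optional) Enables unauthenticated access.`, does not tell the caller what is being switched on: with it set to `true`, any client that can reach a broker listener can produce and consume without presenting a certificate, SCRAM credential or IAM identity, so network reachability becomes the only access control. Since this is a security-relevant toggle whose default is the safe value, the description should state the trade-off, e.g. `description = "Enables unauthenticated client access to the brokers (no TLS, SASL/SCRAM or IAM authentication required). Defaults to false; enable only for clusters reachable solely from trusted networks."`. The matching row added to docs/io.md in this commit repeats the one-line text and should be updated in step.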