AWS Amazon MSK Scram Secret Association

This page shows how to write Terraform and CloudFormation for the Amazon MSK SCRAM Secret Association resource, and how to write them securely.

aws_msk_scram_secret_association (Terraform)

The SCRAM Secret Association in Amazon MSK can be configured in Terraform with the resource name aws_msk_scram_secret_association. The following sections describe three examples of how to use the resource and its parameters.

Example Usage from GitHub

SebastianUA/terraform
resource "aws_msk_scram_secret_association" "msk_scram_secret_association" {
  count = var.enable_msk_scram_secret_association ? 1 : 0

  # Use an explicitly supplied cluster ARN, otherwise fall back to the cluster created in this module
  cluster_arn     = var.msk_scram_secret_association_cluster_arn != "" ? var.msk_scram_secret_association_cluster_arn : (var.enable_msk_cluster ? element(aws_msk_cluster.msk_cluster.*.arn, 0) : null)
  secret_arn_list = var.msk_scram_secret_association_secret_arn_list
}

asrkata/SebastianUA-terraform
resource "aws_msk_scram_secret_association" "msk_scram_secret_association" {
  count = var.enable_msk_scram_secret_association ? 1 : 0

  # Use an explicitly supplied cluster ARN, otherwise fall back to the cluster created in this module
  cluster_arn     = var.msk_scram_secret_association_cluster_arn != "" ? var.msk_scram_secret_association_cluster_arn : (var.enable_msk_cluster ? element(aws_msk_cluster.msk_cluster.*.arn, 0) : null)
  secret_arn_list = var.msk_scram_secret_association_secret_arn_list
}

vishalbhogate/terraform-aws-msk-default
resource "aws_msk_scram_secret_association" "default" {
  # Only create the association when the module is enabled and SASL/SCRAM is turned on for clients
  count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0

  cluster_arn     = aws_msk_cluster.default[0].arn
  secret_arn_list = [aws_secretsmanager_secret.msk_secret[0].arn]
}

Parameters

Explanation in Terraform Registry

Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.

Note: The following assumes the MSK cluster has SASL/SCRAM authentication enabled. See the Registry's example usage or refer to the Username/Password Authentication section of the MSK Developer Guide for more details.

To set up username and password authentication for a cluster, create an aws_secretsmanager_secret resource and associate a username and password with the secret through an aws_secretsmanager_secret_version resource. When creating a secret for the cluster, the name must have the prefix AmazonMSK_, and you must either use an existing custom AWS KMS key or create a new custom AWS KMS key for your secret with the aws_kms_key resource.

It is important to note that a policy is required on the aws_secretsmanager_secret resource in order for Kafka to be able to read it. This policy is attached automatically when aws_msk_scram_secret_association is used; however, it will not be in Terraform and as such will present a diff on plan/apply. For that reason, you must use the aws_secretsmanager_secret_policy resource (as in the Registry's example) to ensure that the state is clean after the creation of the secret and its association to the cluster.
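The full chain that explanation describes, written out as an added example that is neither this page's nor the Registry's own code: a custom KMS key, the AmazonMSK_-prefixed secret and its version, the secret policy that lets Kafka read it, and the association. The resource names, the msk_scram_password variable and the aws_msk_cluster.example reference are assumptions.

```hcl
resource "aws_kms_key" "msk_scram" {
  description = "Custom KMS key for the MSK SASL/SCRAM secret"
}

variable "msk_scram_password" {
  type      = string
  sensitive = true # supplied at apply time, never a literal in the config
}

resource "aws_secretsmanager_secret" "msk_scram" {
  name       = "AmazonMSK_example_user" # the AmazonMSK_ prefix is mandatory
  kms_key_id = aws_kms_key.msk_scram.key_id
}

resource "aws_secretsmanager_secret_version" "msk_scram" {
  secret_id = aws_secretsmanager_secret.msk_scram.id
  secret_string = jsonencode({
    username = "example_user"
    password = var.msk_scram_password
  })
}

# Declaring the read policy here keeps the policy MSK would otherwise attach
# out of band in Terraform state, so later plans do not show a diff.
resource "aws_secretsmanager_secret_policy" "msk_scram" {
  secret_arn = aws_secretsmanager_secret.msk_scram.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AWSKafkaResourcePolicy"
      Effect    = "Allow"
      Principal = { Service = "kafka.amazonaws.com" }
      Action    = "secretsmanager:getSecretValue"
      Resource  = aws_secretsmanager_secret.msk_scram.arn
    }]
  })
}

resource "aws_msk_scram_secret_association" "example" {
  # aws_msk_cluster.example is assumed to exist with client_authentication {
  # sasl { scram = true } } set; the association fails otherwise.
  cluster_arn     = aws_msk_cluster.example.arn
  secret_arn_list = [aws_secretsmanager_secret.msk_scram.arn]

  depends_on = [aws_secretsmanager_secret_version.msk_scram]
}
```

Scoping the policy to the single secret ARN and the kafka.amazonaws.com service principal is what keeps the grant least-privilege; a wildcard resource here would let MSK read every secret in the account.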

AWS::MSK::Cluster Scram (CloudFormation)

The Cluster Scram property in MSK can be configured in CloudFormation under the resource name AWS::MSK::Cluster Scram. The following sections describe how to use the resource and its parameters.

Parameters

Enabled: Whether SASL/SCRAM authentication is enabled.
Required: Yes
Type: Boolean
Update requires: No interruption

Explanation in CloudFormation Registry

Details for SASL/SCRAM client authentication.

Frequently asked questions

What is AWS Amazon MSK Scram Secret Association?

AWS Amazon MSK SCRAM Secret Association is a resource for Amazon MSK of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon MSK Scram Secret Association?

For Terraform, the SebastianUA/terraform, asrkata/SebastianUA-terraform and vishalbhogate/terraform-aws-msk-default source code examples are useful. See the Example Usage from GitHub section for further details.