AWS Amazon MSK Scram Secret Association

This page shows how to write Terraform and CloudFormation for an Amazon MSK SCRAM Secret Association, and how to write them securely.

aws_msk_scram_secret_association (Terraform)

The SCRAM Secret Association in Amazon MSK can be configured in Terraform with the resource name aws_msk_scram_secret_association. The following sections show examples of how to use the resource and its parameters.

Example Usage from GitHub

msk_scram_secret_association.tf#L4
resource "aws_msk_scram_secret_association" "msk_scram_secret_association" {
  count = var.enable_msk_scram_secret_association ? 1 : 0

  # Prefer an explicitly supplied cluster ARN; otherwise fall back to the cluster
  # created by this module, or null when neither is available.
  cluster_arn     = var.msk_scram_secret_association_cluster_arn != "" ? var.msk_scram_secret_association_cluster_arn : (var.enable_msk_cluster ? element(aws_msk_cluster.msk_cluster.*.arn, 0) : null)
  secret_arn_list = var.msk_scram_secret_association_secret_arn_list
}

aws_secretsmanager_secret-msk.tf#L20
resource "aws_msk_scram_secret_association" "default" {
  # Only created when the module is enabled and SASL/SCRAM is turned on for clients.
  count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0

  cluster_arn     = aws_msk_cluster.default[0].arn
  secret_arn_list = [aws_secretsmanager_secret.msk_secret[0].arn]
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.

Note: The following assumes the MSK cluster has SASL/SCRAM authentication enabled. See the Registry's example usage or refer to the Username/Password Authentication section of the MSK Developer Guide for more details.

To set up username and password authentication for a cluster, create an aws_secretsmanager_secret resource and associate a username and password with the secret with an aws_secretsmanager_secret_version resource. When creating a secret for the cluster, the name must have the prefix AmazonMSK_ and you must either use an existing custom AWS KMS key or create a new custom AWS KMS key for your secret with the aws_kms_key resource.

It is important to note that a resource policy is required on the aws_secretsmanager_secret in order for Kafka to be able to read it. This policy is attached automatically when aws_msk_scram_secret_association is used; however, it will not be in Terraform and so will present a diff on plan/apply. For that reason, you must use the aws_secretsmanager_secret_policy resource in order to ensure that the state is clean after the creation of the secret and its association to the cluster.
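The complete chain the Registry text describes (custom KMS key, AmazonMSK_-prefixed secret, secret version, association, and an explicit resource policy for the kafka service principal), as an added example. It is not code from the Terraform Registry or from any of the repositories quoted above; the resource names, the kafka_version and instance_type values, and the variables subnet_ids, security_group_ids and msk_user_password are assumptions.

```hcl
# Added example (not from the Registry or the quoted repositories).
# Assumed inputs: var.subnet_ids, var.security_group_ids, var.msk_user_password.

variable "subnet_ids" {
  description = "Assumed: subnets for the broker nodes (one per AZ)"
  type        = list(string)
}

variable "security_group_ids" {
  description = "Assumed: security groups attached to the brokers"
  type        = list(string)
}

variable "msk_user_password" {
  description = "Assumed: SCRAM password for the client user, supplied out of band"
  type        = string
  sensitive   = true
}

# SCRAM secrets must be encrypted with a customer-managed KMS key,
# not the AWS-managed aws/secretsmanager key.
resource "aws_kms_key" "msk_scram" {
  description         = "CMK for MSK SASL/SCRAM secrets"
  enable_key_rotation = true
}

resource "aws_msk_cluster" "example" {
  cluster_name           = "example"
  kafka_version          = "3.5.1"
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type   = "kafka.m5.large"
    client_subnets  = var.subnet_ids
    security_groups = var.security_group_ids
  }

  # SASL/SCRAM must be enabled on the cluster before secrets can be associated.
  client_authentication {
    sasl {
      scram = true
    }
  }

  # SASL/SCRAM requires TLS between clients and brokers.
  encryption_info {
    encryption_in_transit {
      client_broker = "TLS"
      in_cluster    = true
    }
  }
}

# The secret name must start with "AmazonMSK_" and use the custom KMS key.
resource "aws_secretsmanager_secret" "msk_user" {
  name       = "AmazonMSK_example_app_user"
  kms_key_id = aws_kms_key.msk_scram.key_id
}

# MSK expects a JSON document with "username" and "password" keys.
resource "aws_secretsmanager_secret_version" "msk_user" {
  secret_id = aws_secretsmanager_secret.msk_user.id
  secret_string = jsonencode({
    username = "app_user"
    password = var.msk_user_password
  })
}

resource "aws_msk_scram_secret_association" "example" {
  cluster_arn     = aws_msk_cluster.example.arn
  secret_arn_list = [aws_secretsmanager_secret.msk_user.arn]

  # Associate only once a version holding credentials exists.
  depends_on = [aws_secretsmanager_secret_version.msk_user]
}

# Declaring the resource policy in Terraform avoids the perpetual diff caused by
# the policy MSK attaches on association. Scope it to GetSecretValue for the
# kafka service principal on this one secret and nothing more.
data "aws_iam_policy_document" "msk_secret" {
  statement {
    sid    = "AWSKafkaResourcePolicy"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["kafka.amazonaws.com"]
    }
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.msk_user.arn]
  }
}

resource "aws_secretsmanager_secret_policy" "msk_user" {
  secret_arn = aws_secretsmanager_secret.msk_user.arn
  policy     = data.aws_iam_policy_document.msk_secret.json
}
```

Marking the password variable as sensitive keeps it out of plan output, but it is still written to the Terraform state file along with the secret version, so the state backend needs encryption at rest and tight access control. Clients then authenticate with SASL_SSL and the SCRAM-SHA-512 mechanism using the username and password stored in the secret.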

AWS::MSK::Cluster Scram (CloudFormation)

The Scram property type of AWS::MSK::Cluster (nested as ClientAuthentication.Sasl.Scram) configures SASL/SCRAM client authentication in CloudFormation. The following sections describe how to use the property and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

Enabled: Whether SASL/SCRAM authentication is enabled for the cluster.
Required: Yes
Type: Boolean
Update requires: No interruption

Explanation in CloudFormation Registry

Details for SASL/SCRAM client authentication.

Frequently asked questions

What is AWS Amazon MSK Scram Secret Association?

AWS Amazon MSK Scram Secret Association is a resource for Amazon MSK in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon MSK Scram Secret Association?

For Terraform, the SebastianUA/terraform, asrkata/SebastianUA-terraform and vishalbhogate/terraform-aws-msk-default source code examples are useful. See the Example Usage from GitHub section for further details.