adding Client Authentication

README.md

@@ -41,7 +41,11 @@ Module usage:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| CertificateauthorityarnList | ARN of the AWS managed  CA  to attach to the MSK cluster | map | `<map>` | no |
+| acmpca\_iam\_user\_name | The name of the iam user assigned to the created AWS Private CA | string | `""` | no |
+| certificateauthority | ARN of the AWS managed  CA  to attach to the MSK cluster | string | `"false"` | no |
 | cidr\_blocks | MSK cluster cidr blocks | list | `<list>` | no |
+| client\_authentication\_type | ARN of the MSK configuration to attach to the MSK cluster | string | `"false"` | no |
 | client\_broker | Encryption setting for data in transit between clients and brokers. Valid values: TLS, TLS_PLAINTEXT, and PLAINTEXT | string | `"TLS_PLAINTEXT"` | no |
 | config\_arn | ARN of the MSK configuration to attach to the MSK cluster | string | `""` | no |
 | config\_description | The description of the MSK configuration | string | `""` | no |
@@ -51,12 +55,15 @@ Module usage:
 | config\_server\_properties | The properties to set on the MSK cluster. Omitted properties are set to a default value | string | `""` | no |
 | ebs\_volume\_size | The msk custer EBS volume size | string | n/a | yes |
 | environment | The environment the msk cluster is running in i.e. dev, prod etc | string | n/a | yes |
+| iam\_user\_policy\_name | The policy name of attached to the user | string | `""` | no |
 | kafka\_version | The kafka version for the AWS MSK cluster | string | `"2.2.1"` | no |
 | msk\_instance\_type | The msk custer instance type | string | n/a | yes |
 | name | name of the msk cluster | string | n/a | yes |
 | number\_of\_broker\_nodes | The number of broker nodes running in the msk cluster | string | n/a | yes |
+| policy | The JSON policy for the acmpca | string | `""` | no |
 | subnet\_ids | The msk cluster subnet ID | list | n/a | yes |
 | tags | A map of tags to add to all resources | map | `<map>` | no |
+| type | A map of tags to add to all resources | string | `""` | no |
 | vpc\_id | The msk cluster VPC ID | string | n/a | yes |
 
 ## Outputs

main.tf

@@ -41,6 +41,10 @@
 *
  */
 
+locals {
+  aws_acmpca_certificate_authority_arn = "${coalesce(element(concat(aws_acmpca_certificate_authority.msk_kafka_with_ca.*.arn, list("")), 0), element(concat(aws_acmpca_certificate_authority.msk_kafka_ca_with_config.*.arn, list("")), 0))}"
+}
+
 data "aws_caller_identity" "current" {}
 
 resource "aws_security_group" "sg_msk" {
@@ -91,7 +95,7 @@ resource "aws_kms_alias" "msk_cluster_kms_alias" {
 }
 
 resource "aws_msk_cluster" "msk_kafka" {
-  count = "${var.config_name == "" && var.config_arn == ""  ? 1 : 0}"
+  count = "${var.config_name == "" && var.config_arn == "" ? 1 : 0}"
 
   cluster_name           = "${var.name}"
   kafka_version          = "${var.kafka_version}"
@@ -104,6 +108,12 @@ resource "aws_msk_cluster" "msk_kafka" {
     security_groups = ["${aws_security_group.sg_msk.id}"]
   }
 
+  client_authentication {
+    tls {
+      certificate_authority_arns = ["${aws_acmpca_certificate_authority.msk_kafka_with_ca.arn}"]
+    }
+  }
+
   encryption_info {
     encryption_at_rest_kms_key_arn = "${aws_kms_key.kms.arn}"
 
@@ -116,7 +126,7 @@ resource "aws_msk_cluster" "msk_kafka" {
 }
 
 resource "aws_msk_cluster" "msk_kafka_with_config" {
-  count = "${var.config_name != "" || var.config_arn != ""  ? 1 : 0}"
+  count = "${var.config_name != "" || var.config_arn != "" ? 1 : 0}"
 
   cluster_name           = "${var.name}"
   kafka_version          = "${var.kafka_version}"
@@ -129,6 +139,12 @@ resource "aws_msk_cluster" "msk_kafka_with_config" {
     security_groups = ["${aws_security_group.sg_msk.id}"]
   }
 
+  client_authentication {
+    tls {
+      certificate_authority_arns = ["${aws_acmpca_certificate_authority.msk_kafka_ca_with_config.arn}"]
+    }
+  }
+
   encryption_info {
     encryption_at_rest_kms_key_arn = "${aws_kms_key.kms.arn}"
 
@@ -154,3 +170,77 @@ resource "aws_msk_configuration" "msk_kafka_config" {
 
   server_properties = "${var.config_server_properties}"
 }
+
+# creates CA for msk Cluster without custom config
+resource "aws_acmpca_certificate_authority" "msk_kafka_with_ca" {
+  count = "${var.certificateauthority == "true" && var.config_name == "" && var.config_arn == "" ? 1 : 0}"
+
+  certificate_authority_configuration {
+    key_algorithm     = "RSA_4096"
+    signing_algorithm = "SHA512WITHRSA"
+
+    subject {
+      common_name = "${var.name}"
+
+      # add other subjects in this module
+    }
+  }
+
+  type                            = "${var.type}"
+  permanent_deletion_time_in_days = 7
+  tags                            = "${merge(var.tags, map("Name", format("%s-%s", var.environment, var.name)), map("Env", var.environment))}"
+}
+
+# CA for msk Cluster with custom config
+
+resource "aws_acmpca_certificate_authority" "msk_kafka_ca_with_config" {
+  count = "${var.certificateauthority == "true" && var.config_name != "" || var.config_arn != "" ? 1 : 0}"
+
+  certificate_authority_configuration {
+    key_algorithm     = "RSA_4096"
+    signing_algorithm = "SHA512WITHRSA"
+
+    subject {
+      common_name = "${var.name}"
+    }
+  }
+
+  type                            = "${var.type}"
+  permanent_deletion_time_in_days = 7
+  tags                            = "${merge(var.tags, map("Name", format("%s-%s", var.environment, var.name)), map("Env", var.environment))}"
+}
+
+resource "aws_iam_user" "msk_acmpca_iam_user" {
+  count = "${var.certificateauthority == "true" ? 1 : 0}"
+  name  = "${var.name}-acmpca-user"
+  path  = "/"
+}
+
+#policy attachment for default policy
+resource "aws_iam_policy" "acmpca_policy_with_msk_policy" {
+  count = "${var.certificateauthority == "true" ? 1 : 0}"
+  name  = "${var.name}-acmpcaPolicy"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "IAMacmpcaPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "acm-pca:IssueCertificate",
+        "acm-pca:GetCertificate"
+      ],
+      "Resource": "${local.aws_acmpca_certificate_authority_arn}"
+    }
+  ]
+}
+EOF
+}
+
+resource aws_iam_policy_attachment "msk_acmpca_iam_policy_attachment" {
+  name       = "${var.name}-acmpcaPolicy-attachment"
+  users      = ["${aws_iam_user.msk_acmpca_iam_user.name}"]
+  policy_arn = "${aws_iam_policy.acmpca_policy_with_msk_policy.arn}"
+}

variable.tf

@@ -32,11 +32,6 @@ variable "subnet_ids" {
   type        = "list"
 }
 
-variable "tags" {
-  description = "A map of tags to add to all resources"
-  default     = {}
-}
-
 variable "cidr_blocks" {
   description = "MSK cluster cidr blocks"
   default     = ["0.0.0.0/0"]
@@ -47,6 +42,26 @@ variable "client_broker" {
   default     = "TLS_PLAINTEXT"
 }
 
+variable "certificateauthority" {
+  description = "ARN of the AWS managed  CA  to attach to the MSK cluster"
+  default     = false
+}
+
+variable "CertificateauthorityarnList" {
+  description = "ARN of the AWS managed  CA  to attach to the MSK cluster"
+  default     = {}
+}
+
+variable "client_authentication_type" {
+  description = "ARN of the MSK configuration to attach to the MSK cluster"
+  default     = false
+}
+
+variable "acmpca_iam_user_name" {
+  description = "The name of the iam user assigned to the created AWS Private CA"
+  default     = ""
+}
+
 variable "config_name" {
   description = "Name of the MSK configuration to attach to the MSK cluster"
   default     = ""
@@ -77,3 +92,23 @@ variable "config_arn" {
   description = "ARN of the MSK configuration to attach to the MSK cluster"
   default     = ""
 }
+
+variable "iam_user_policy_name" {
+  description = "The policy name of attached to the user"
+  default     = ""
+}
+
+variable "policy" {
+  description = "The JSON policy for the acmpca"
+  default     = ""
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  default     = {}
+}
+
+variable "type" {
+  description = "A map of tags to add to all resources"
+  default     = ""
+}