diff --git a/README.md b/README.md
index 383c16c..64cbf0b 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,11 @@ Module usage:
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| CertificateauthorityarnList | ARN of the AWS managed CA to attach to the MSK cluster | map | `` | no |
+| acmpca\_iam\_user\_name | The name of the iam user assigned to the created AWS Private CA | string | `""` | no |
+| certificateauthority | ARN of the AWS managed CA to attach to the MSK cluster | string | `"false"` | no |
 | cidr\_blocks | MSK cluster cidr blocks | list | `` | no |
+| client\_authentication\_type | ARN of the MSK configuration to attach to the MSK cluster | string | `"false"` | no |
 | client\_broker | Encryption setting for data in transit between clients and brokers. Valid values: TLS, TLS_PLAINTEXT, and PLAINTEXT | string | `"TLS_PLAINTEXT"` | no |
 | config\_arn | ARN of the MSK configuration to attach to the MSK cluster | string | `""` | no |
 | config\_description | The description of the MSK configuration | string | `""` | no |
@@ -51,12 +55,15 @@ Module usage:
 | config\_server\_properties | The properties to set on the MSK cluster. Omitted properties are set to a default value | string | `""` | no |
 | ebs\_volume\_size | The msk custer EBS volume size | string | n/a | yes |
 | environment | The environment the msk cluster is running in i.e. dev, prod etc | string | n/a | yes |
+| iam\_user\_policy\_name | The policy name of attached to the user | string | `""` | no |
 | kafka\_version | The kafka version for the AWS MSK cluster | string | `"2.2.1"` | no |
 | msk\_instance\_type | The msk custer instance type | string | n/a | yes |
 | name | name of the msk cluster | string | n/a | yes |
 | number\_of\_broker\_nodes | The number of broker nodes running in the msk cluster | string | n/a | yes |
+| policy | The JSON policy for the acmpca | string | `""` | no |
 | subnet\_ids | The msk cluster subnet ID | list | n/a | yes |
 | tags | A map of tags to add to all resources | map | `` | no |
+| type | A map of tags to add to all resources | string | `""` | no |
 | vpc\_id | The msk cluster VPC ID | string | n/a | yes |
 ## Outputs
diff --git a/main.tf b/main.tf
index a38bc44..7a14eea 100644
--- a/main.tf
+++ b/main.tf
@@ -41,6 +41,10 @@ * */
+locals {
+ aws_acmpca_certificate_authority_arn = "${coalesce(element(concat(aws_acmpca_certificate_authority.msk_kafka_with_ca.*.arn, list("")), 0), element(concat(aws_acmpca_certificate_authority.msk_kafka_ca_with_config.*.arn, list("")), 0))}"
+}
+
 data "aws_caller_identity" "current" {}
 resource "aws_security_group" "sg_msk" {
@@ -91,7 +95,7 @@ resource "aws_kms_alias" "msk_cluster_kms_alias" {
 }
 resource "aws_msk_cluster" "msk_kafka" {
- count = "${var.config_name == "" && var.config_arn == "" ? 1 : 0}"
+ count = "${var.config_name == "" && var.config_arn == "" ? 1 : 0}"
 cluster_name = "${var.name}"
 kafka_version = "${var.kafka_version}"
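Review bot: `local.aws_acmpca_certificate_authority_arn` in the `@@ -41` hunk resolves to an empty string whenever no CA is created, because both `concat(...*.arn, list(""))` elements are `""` once `var.certificateauthority` is anything but `"true"` (both CA resources carry a `count` in the later hunk of this diff), and Terraform 0.11's `coalesce` returns `""` rather than failing in that case as far as I recall (0.12+ raises an error), so every consumer must treat `""` as "no CA". Neither cluster hunk in this commit reads the local — they reference the resource attributes directly — so as committed it is dead code. I'd either use it at the two `certificate_authority_arns` sites or drop it, and in any case document the contract on the assignment: `# "" when var.certificateauthority != "true"; never feed this unguarded into client_authentication`. The `@@ -91` hunk is a whitespace-only change to `count`.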
@@ -104,6 +108,12 @@ resource "aws_msk_cluster" "msk_kafka" {
 security_groups = ["${aws_security_group.sg_msk.id}"]
 }
+ client_authentication {
+ tls {
+ certificate_authority_arns = ["${aws_acmpca_certificate_authority.msk_kafka_with_ca.arn}"]
+ }
+ }
+
 encryption_info {
 encryption_at_rest_kms_key_arn = "${aws_kms_key.kms.arn}"
@@ -116,7 +126,7 @@ resource "aws_msk_cluster" "msk_kafka" {
 }
 resource "aws_msk_cluster" "msk_kafka_with_config" {
- count = "${var.config_name != "" || var.config_arn != "" ? 1 : 0}"
+ count = "${var.config_name != "" || var.config_arn != "" ? 1 : 0}"
 cluster_name = "${var.name}"
 kafka_version = "${var.kafka_version}"
@@ -129,6 +139,12 @@ resource "aws_msk_cluster" "msk_kafka_with_config" {
 security_groups = ["${aws_security_group.sg_msk.id}"]
 }
+ client_authentication {
+ tls {
+ certificate_authority_arns = ["${aws_acmpca_certificate_authority.msk_kafka_ca_with_config.arn}"]
+ }
+ }
+
 encryption_info {
 encryption_at_rest_kms_key_arn = "${aws_kms_key.kms.arn}"
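Review bot: `certificate_authority_arns = ["${aws_acmpca_certificate_authority.msk_kafka_with_ca.arn}"]` in the `@@ -104` hunk reads a plain `.arn` off a resource that is declared with `count` later in this diff, so it needs the `*.arn`/`element()` form, and when `var.certificateauthority` keeps its README default of `"false"` that CA has `count = 0` and this unconditional `client_authentication` block has nothing to resolve; the `msk_kafka_ca_with_config.arn` reference in the `@@ -129` hunk has the same problem. The net effect is that every cluster this module builds now demands the private CA, although the `client_authentication_type` input added to the README in this same commit (and not consulted here) suggests mTLS was meant to be optional. The commit's own `local.aws_acmpca_certificate_authority_arn` already copes with the count-zero case, so `certificate_authority_arns = ["${local.aws_acmpca_certificate_authority_arn}"]` is the minimal fix, but HCL1 cannot omit a nested block conditionally, so a genuinely optional mTLS path needs a separate `aws_msk_cluster` gated on `var.certificateauthority`, the pattern the module already uses for `config_name`/`config_arn`. Worth confirming against the MSK docs as well: as I recall, TLS client authentication requires `client_broker = "TLS"`, while the module default stays `"TLS_PLAINTEXT"` (README hunk), so an apply with defaults is either rejected or leaves a PLAINTEXT listener open next to the mTLS one. Both `aws_msk_cluster` bodies start and end outside these hunks.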
@@ -154,3 +170,77 @@ resource "aws_msk_configuration" "msk_kafka_config" {
 server_properties = "${var.config_server_properties}"
 }
+
+# creates CA for msk Cluster without custom config
+resource "aws_acmpca_certificate_authority" "msk_kafka_with_ca" {
+ count = "${var.certificateauthority == "true" && var.config_name == "" && var.config_arn == "" ? 1 : 0}"
+
+ certificate_authority_configuration {
+ key_algorithm = "RSA_4096"
+ signing_algorithm = "SHA512WITHRSA"
+
+ subject {
+ common_name = "${var.name}"
+
+ # add other subjects in this module
+ }
+ }
+
+ type = "${var.type}"
+ permanent_deletion_time_in_days = 7
+ tags = "${merge(var.tags, map("Name", format("%s-%s", var.environment, var.name)), map("Env", var.environment))}"
+}
+
+# CA for msk Cluster with custom config
+
+resource "aws_acmpca_certificate_authority" "msk_kafka_ca_with_config" {
+ count = "${var.certificateauthority == "true" && var.config_name != "" || var.config_arn != "" ? 1 : 0}"
+
+ certificate_authority_configuration {
+ key_algorithm = "RSA_4096"
+ signing_algorithm = "SHA512WITHRSA"
+
+ subject {
+ common_name = "${var.name}"
+ }
+ }
+
+ type = "${var.type}"
+ permanent_deletion_time_in_days = 7
+ tags = "${merge(var.tags, map("Name", format("%s-%s", var.environment, var.name)), map("Env", var.environment))}"
+}
+
+resource "aws_iam_user" "msk_acmpca_iam_user" {
+ count = "${var.certificateauthority == "true" ? 1 : 0}"
+ name = "${var.name}-acmpca-user"
+ path = "/"
+}
+
+#policy attachment for default policy
+resource "aws_iam_policy" "acmpca_policy_with_msk_policy" {
+ count = "${var.certificateauthority == "true" ? 1 : 0}"
+ name = "${var.name}-acmpcaPolicy"
+
+ policy = <