Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.
To set up username and password authentication for a cluster, create an aws_secretsmanager_secret
resource and associate
a username and password with the secret with an aws_secretsmanager_secret_version
resource. When creating a secret for the cluster,
the name
must have the prefix AmazonMSK_
and you must either use an existing custom AWS KMS key or create a new
custom AWS KMS key for your secret with the aws_kms_key
resource. It is important to note that a policy is required for the aws_secretsmanager_secret
resource in order for Kafka to be able to read it. This policy is attached automatically when the aws_msk_scram_secret_association
is used,
however, this policy will not be in terraform and as such, will present a diff on plan/apply. For that reason, you must use the aws_secretsmanager_secret_policy
resource as shown below in order to ensure that the state is in a clean state after the creation of secret and the association to the cluster.
resource "aws_msk_scram_secret_association" "example" {
cluster_arn = aws_msk_cluster.example.arn
secret_arn_list = [aws_secretsmanager_secret.example.arn]
depends_on = [aws_secretsmanager_secret_version.example]
}
resource "aws_msk_cluster" "example" {
cluster_name = "example"
# ... other configuration...
client_authentication {
sasl {
scram = true
}
}
}
resource "aws_secretsmanager_secret" "example" {
name = "AmazonMSK_example"
kms_key_id = aws_kms_key.example.key_id
}
resource "aws_kms_key" "example" {
description = "Example Key for MSK Cluster Scram Secret Association"
}
resource "aws_secretsmanager_secret_version" "example" {
secret_id = aws_secretsmanager_secret.example.id
secret_string = jsonencode({ username = "user", password = "pass" })
}
data "aws_iam_policy_document" "example" {
statement {
sid = "AWSKafkaResourcePolicy"
effect = "Allow"
principals {
type = "Service"
identifiers = ["kafka.amazonaws.com"]
}
actions = ["secretsmanager:getSecretValue"]
resources = [aws_secretsmanager_secret.example.arn]
}
}
resource "aws_secretsmanager_secret_policy" "example" {
secret_arn = aws_secretsmanager_secret.example.arn
policy = data.aws_iam_policy_document.example.json
}
This resource supports the following arguments:
cluster_arn
- (Required, Forces new resource) Amazon Resource Name (ARN) of the MSK cluster.secret_arn_list
- (Required) List of AWS Secrets Manager secret ARNs.This resource exports the following attributes in addition to the arguments above:
id
- Amazon Resource Name (ARN) of the MSK cluster.In Terraform v1.5.0 and later, use an import
block to import MSK SCRAM Secret Associations using the id
. For example:
import {
to = aws_msk_scram_secret_association.example
id = "arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3"
}
Using terraform import
, import MSK SCRAM Secret Associations using the id
. For example:
% terraform import aws_msk_scram_secret_association.example arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3