# confluent_kafka_acl

`confluent_kafka_acl` provides a Kafka ACL resource that enables creating and deleting Kafka ACLs on Confluent Cloud.
Option #1: Manage multiple Kafka clusters in the same Terraform workspace

```terraform
provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}

resource "confluent_kafka_acl" "describe-basic-cluster" {
  kafka_cluster {
    id = confluent_kafka_cluster.basic-cluster.id
  }
  resource_type = "CLUSTER"
  resource_name = "kafka-cluster"
  pattern_type  = "LITERAL"
  principal     = "User:sa-xyz123"
  host          = "*"
  operation     = "DESCRIBE"
  permission    = "ALLOW"
  rest_endpoint = confluent_kafka_cluster.basic-cluster.rest_endpoint
  credentials {
    key    = confluent_api_key.app-manager-kafka-api-key.id
    secret = confluent_api_key.app-manager-kafka-api-key.secret
  }

  lifecycle {
    prevent_destroy = true
  }
}
```
Option #2: Manage a single Kafka cluster in the same Terraform workspace

```terraform
provider "confluent" {
  kafka_id            = var.kafka_id            # optionally use KAFKA_ID env var
  kafka_rest_endpoint = var.kafka_rest_endpoint # optionally use KAFKA_REST_ENDPOINT env var
  kafka_api_key       = var.kafka_api_key       # optionally use KAFKA_API_KEY env var
  kafka_api_secret    = var.kafka_api_secret    # optionally use KAFKA_API_SECRET env var
}

resource "confluent_kafka_acl" "describe-basic-cluster" {
  resource_type = "CLUSTER"
  resource_name = "kafka-cluster"
  pattern_type  = "LITERAL"
  principal     = "User:sa-xyz123"
  host          = "*"
  operation     = "DESCRIBE"
  permission    = "ALLOW"

  lifecycle {
    prevent_destroy = true
  }
}
```
The following arguments are supported:

- `kafka_cluster` - (Optional Configuration Block) supports the following:
  - `id` - (Required String) The ID of the Kafka cluster, for example, `lkc-abc123`.
- `resource_type` - (Required String) The type of the resource. Accepted values are: `TOPIC`, `GROUP`, `CLUSTER`, `TRANSACTIONAL_ID`, `DELEGATION_TOKEN`. See Authorization using ACLs to find definitions of resource types and mappings of (resource_type, operation) to one or more Kafka APIs or request types.
- `resource_name` - (Required String) The resource name for the ACL. Must be `kafka-cluster` if `resource_type` equals `CLUSTER`.
- `pattern_type` - (Required String) The pattern type for the ACL. Accepted values are: `LITERAL` and `PREFIXED`.
- `principal` - (Required String) The principal for the ACL.
- `operation` - (Required String) The operation type for the ACL. Accepted values are: `ALL`, `READ`, `WRITE`, `CREATE`, `DELETE`, `ALTER`, `DESCRIBE`, `CLUSTER_ACTION`, `DESCRIBE_CONFIGS`, `ALTER_CONFIGS`, and `IDEMPOTENT_WRITE`. See Authorization using ACLs to find mappings of (resource_type, operation) to one or more Kafka APIs or request types.
- `permission` - (Required String) The permission for the ACL. Accepted values are: `DENY` and `ALLOW`.
- `rest_endpoint` - (Optional String) The REST endpoint of the Kafka cluster, for example, `https://pkc-00000.us-central1.gcp.confluent.cloud:443`.
- `credentials` - (Optional Configuration Block) supports the following:
  - `key` - (Required String) The Kafka API Key.
  - `secret` - (Required String, Sensitive) The Kafka API Secret.
- `host` - (Required String) The host for the ACL. Should be set to `*` for Confluent Cloud.

In addition to the preceding arguments, the following attributes are exported:

- `id` - (Required String) The ID of the Kafka ACL in the format `<Kafka cluster ID>/<Kafka ACL resource type>#<Kafka ACL resource name>#<Kafka ACL pattern type>#<Kafka ACL principal>#<Kafka ACL host>#<Kafka ACL operation>#<Kafka ACL permission>`.
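The arguments above are easiest to reason about when the whole grant for one application is visible in a single place. The following configuration is an added example, not part of the provider documentation or the provider's own code: it builds a least-privilege ACL set for a producer and a consumer of topics under the `orders.` prefix using the argument values listed above. It assumes `confluent_kafka_cluster.basic-cluster` and `confluent_api_key.app-manager-kafka-api-key` exist as in the examples earlier on this page, and it assumes two hypothetical service accounts, `confluent_service_account.orders-producer` and `confluent_service_account.orders-consumer`, whose `id` attribute is the `sa-...` value used in the principal.

```terraform
# Added example, not part of the provider documentation. It assumes the following
# resources exist elsewhere in the workspace (the service account names are hypothetical):
#   confluent_kafka_cluster.basic-cluster
#   confluent_api_key.app-manager-kafka-api-key   (key with rights to manage ACLs)
#   confluent_service_account.orders-producer
#   confluent_service_account.orders-consumer

locals {
  # One entry per ACL. Keeping the entire grant for an application in one map
  # makes the effective permission set reviewable in a single plan diff.
  orders_acls = {
    # Producer: may write to every topic under the "orders." prefix and nothing
    # else. DESCRIBE is implied by WRITE in Kafka's ACL model, so it is not
    # granted separately.
    producer_write = {
      principal     = "User:${confluent_service_account.orders-producer.id}"
      resource_type = "TOPIC"
      resource_name = "orders."
      pattern_type  = "PREFIXED"
      operation     = "WRITE"
      permission    = "ALLOW"
    }

    # Consumer: may read the same topics ...
    consumer_read = {
      principal     = "User:${confluent_service_account.orders-consumer.id}"
      resource_type = "TOPIC"
      resource_name = "orders."
      pattern_type  = "PREFIXED"
      operation     = "READ"
      permission    = "ALLOW"
    }

    # ... and commit offsets only for its own consumer group (LITERAL match,
    # so no other group name is covered).
    consumer_group = {
      principal     = "User:${confluent_service_account.orders-consumer.id}"
      resource_type = "GROUP"
      resource_name = "orders-consumer"
      pattern_type  = "LITERAL"
      operation     = "READ"
      permission    = "ALLOW"
    }

    # Guard rail: a DENY ACL takes precedence over any ALLOW ACL in Kafka, so
    # even if a broader grant is added later this principal cannot delete
    # topics under the prefix.
    consumer_no_delete = {
      principal     = "User:${confluent_service_account.orders-consumer.id}"
      resource_type = "TOPIC"
      resource_name = "orders."
      pattern_type  = "PREFIXED"
      operation     = "DELETE"
      permission    = "DENY"
    }
  }
}

resource "confluent_kafka_acl" "orders" {
  for_each = local.orders_acls

  kafka_cluster {
    id = confluent_kafka_cluster.basic-cluster.id
  }

  resource_type = each.value.resource_type
  resource_name = each.value.resource_name
  pattern_type  = each.value.pattern_type
  principal     = each.value.principal
  host          = "*" # the value Confluent Cloud expects (see the `host` argument above)
  operation     = each.value.operation
  permission    = each.value.permission
  rest_endpoint = confluent_kafka_cluster.basic-cluster.rest_endpoint

  credentials {
    key    = confluent_api_key.app-manager-kafka-api-key.id
    secret = confluent_api_key.app-manager-kafka-api-key.secret
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

Because `prevent_destroy` is set, removing an entry from `local.orders_acls` makes `terraform plan` fail rather than silently deleting the ACL; drop the flag deliberately for that one change, then restore it. Note that `for_each` keys, not the ACL attributes, identify each resource instance in state, so renaming a key (for example `consumer_read` to `consumer_read_orders`) is planned as a delete and create of that ACL.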
You can import Kafka ACLs by using the Kafka cluster ID and the attributes of the `confluent_kafka_acl` resource in the format `<Kafka cluster ID>/<Kafka ACL resource type>#<Kafka ACL resource name>#<Kafka ACL pattern type>#<Kafka ACL principal>#<Kafka ACL host>#<Kafka ACL operation>#<Kafka ACL permission>`, for example:

```shell
# Option #1: Manage multiple Kafka clusters in the same Terraform workspace
$ export IMPORT_KAFKA_API_KEY="<kafka_api_key>"
$ export IMPORT_KAFKA_API_SECRET="<kafka_api_secret>"
$ export IMPORT_KAFKA_REST_ENDPOINT="<kafka_rest_endpoint>"
$ terraform import confluent_kafka_acl.describe-cluster "lkc-12345/CLUSTER#kafka-cluster#LITERAL#User:sa-xyz123#*#DESCRIBE#ALLOW"

# Option #2: Manage a single Kafka cluster in the same Terraform workspace
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ terraform import confluent_kafka_acl.describe-cluster "lkc-12345/CLUSTER#kafka-cluster#LITERAL#User:sa-xyz123#*#DESCRIBE#ALLOW"
```
The following end-to-end examples may help you get started with the `confluent_kafka_acl` resource:

- basic-kafka-acls: _Basic_ Kafka cluster with authorization using ACLs
- basic-kafka-acls-with-alias: _Basic_ Kafka cluster with authorization using ACLs
- standard-kafka-acls: _Standard_ Kafka cluster with authorization using ACLs
- dedicated-public-kafka-acls: _Dedicated_ Kafka cluster that is accessible over the public internet with authorization using ACLs
- dedicated-privatelink-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs
- dedicated-privatelink-azure-kafka-acls: _Dedicated_ Kafka cluster on Azure that is accessible via PrivateLink connections with authorization using ACLs
- dedicated-private-service-connect-gcp-kafka-acls: _Dedicated_ Kafka cluster on GCP that is accessible via Private Service Connect connections with authorization using ACLs
- dedicated-private-service-connect-gcp-kafka-rbac: _Dedicated_ Kafka cluster on GCP that is accessible via Private Service Connect connections with authorization using RBAC
- dedicated-vnet-peering-azure-kafka-acls: _Dedicated_ Kafka cluster on Azure that is accessible via VPC Peering connections with authorization using ACLs
- dedicated-vpc-peering-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via VPC Peering connections with authorization using ACLs
- dedicated-vpc-peering-gcp-kafka-acls: _Dedicated_ Kafka cluster on GCP that is accessible via VPC Peering connections with authorization using ACLs
- dedicated-transit-gateway-attachment-aws-kafka-acls: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using ACLs
- dedicated-transit-gateway-attachment-aws-kafka-rbac: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using RBAC
- enterprise-privatelinkattachment-aws-kafka-acls: _Enterprise_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs