Resource: aws_msk_scram_secret_association

Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.

To set up username and password authentication for a cluster, create an aws_secretsmanager_secret resource and store the username and password in it with an aws_secretsmanager_secret_version resource. The secret's name must have the prefix AmazonMSK_, and the secret must be encrypted with a custom AWS KMS key: either an existing one or one created with the aws_kms_key resource. Note that the aws_secretsmanager_secret resource requires a resource policy so that Kafka is able to read it. This policy is attached automatically when aws_msk_scram_secret_association is used, but because it is not managed by Terraform it will show up as a diff on plan/apply. For that reason, use the aws_secretsmanager_secret_policy resource as shown below so that the state is clean after the secret is created and associated with the cluster.

Example Usage

resource "aws_msk_scram_secret_association" "example" {
  cluster_arn     = aws_msk_cluster.example.arn
  secret_arn_list = [aws_secretsmanager_secret.example.arn]

  depends_on = [aws_secretsmanager_secret_version.example]
}

resource "aws_msk_cluster" "example" {
  cluster_name = "example"
  # ... other configuration...
  client_authentication {
    sasl {
      scram = true
    }
  }
}

resource "aws_secretsmanager_secret" "example" {
  name       = "AmazonMSK_example"
  kms_key_id = aws_kms_key.example.key_id
}

resource "aws_kms_key" "example" {
  description = "Example Key for MSK Cluster Scram Secret Association"
}

resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = jsonencode({ username = "user", password = "pass" })
}

data "aws_iam_policy_document" "example" {
  statement {
    sid    = "AWSKafkaResourcePolicy"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["kafka.amazonaws.com"]
    }

    actions   = ["secretsmanager:getSecretValue"]
    resources = [aws_secretsmanager_secret.example.arn]
  }
}

resource "aws_secretsmanager_secret_policy" "example" {
  secret_arn = aws_secretsmanager_secret.example.arn
  policy     = data.aws_iam_policy_document.example.json
}
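The requirements above (the AmazonMSK_ name prefix, a custom KMS key, and a resource policy that lets kafka.amazonaws.com call GetSecretValue) are easy to miss in review. The following is an added example, not part of the provider documentation: a small Python checker that audits a secret's name, KMS key and rendered resource policy against those requirements. The sample policy and secret ARN are constructed to mirror the example above.

```python
import json
from typing import List, Optional

MSK_SECRET_PREFIX = "AmazonMSK_"
KAFKA_SERVICE_PRINCIPAL = "kafka.amazonaws.com"
REQUIRED_ACTION = "secretsmanager:getsecretvalue"  # IAM action names are case-insensitive


def _as_list(value):
    """IAM policy JSON allows either a scalar or a list for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def kafka_can_read_secret(policy_json: str, secret_arn: str) -> bool:
    """True if an Allow statement grants the Kafka service principal GetSecretValue on secret_arn.
    A wildcard ("*") principal is deliberately not treated as satisfying the check."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if (KAFKA_SERVICE_PRINCIPAL in services
                and (REQUIRED_ACTION in actions or "secretsmanager:*" in actions)
                and (secret_arn in resources or "*" in resources)):
            return True
    return False


def check_msk_secret(name: str, kms_key_id: Optional[str], policy_json: str, secret_arn: str) -> List[str]:
    """Return a list of problems; an empty list means the secret meets the MSK SCRAM requirements."""
    problems = []
    if not name.startswith(MSK_SECRET_PREFIX):
        problems.append(f"secret name {name!r} must start with {MSK_SECRET_PREFIX!r}")
    if not kms_key_id:
        problems.append("secret must use a custom KMS key, not the default Secrets Manager key")
    if not kafka_can_read_secret(policy_json, secret_arn):
        problems.append(f"resource policy does not allow {KAFKA_SERVICE_PRINCIPAL} secretsmanager:GetSecretValue")
    return problems


# Constructed sample: the ARN and the policy that the example's aws_iam_policy_document renders.
SECRET_ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:AmazonMSK_example-AbCdEf"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSKafkaResourcePolicy", "Effect": "Allow",
    "Principal": {"Service": "kafka.amazonaws.com"},
    "Action": "secretsmanager:getSecretValue", "Resource": SECRET_ARN}]})

if __name__ == "__main__":
    print(check_msk_secret("AmazonMSK_example", "1234abcd-12ab-34cd-56ef-1234567890ab", GOOD_POLICY, SECRET_ARN))
    print(check_msk_secret("example", None, "{}", SECRET_ARN))
```

Feed it the values from terraform show -json (or from the Secrets Manager API) to catch a misnamed secret or a missing policy before the association is applied.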

Argument Reference

This resource supports the following arguments:

- cluster_arn - (Required) Amazon Resource Name (ARN) of the MSK cluster.
- secret_arn_list - (Required) List of AWS Secrets Manager secret ARNs to associate with the cluster.

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

- id - Amazon Resource Name (ARN) of the MSK cluster.

Import

In Terraform v1.5.0 and later, use an import block to import MSK SCRAM Secret Associations using the id. For example:

import {
  to = aws_msk_scram_secret_association.example
  id = "arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3"
}

Using terraform import, import MSK SCRAM Secret Associations using the id. For example:

% terraform import aws_msk_scram_secret_association.example arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3