diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 3f8fe62..b30901e 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
+ - 'README.*'
permissions:
contents: write
diff --git a/README.md b/README.md
index dcfc276..4a3d250 100644
--- a/README.md
+++ b/README.md
@@ -166,8 +166,8 @@ Available targets:
| Name | Source | Version |
|------|--------|---------|
-| [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.12.3 |
-| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.0.1 |
+| [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.13.0 |
+| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.1.0 |
| [this](#module\_this) | cloudposse/label/null | 0.25.0 |
## Resources
@@ -195,15 +195,15 @@ Available targets:
| [autoscaling\_enabled](#input\_autoscaling\_enabled) | To automatically expand your cluster's storage in response to increased usage, you can enable this. [More info](https://docs.aws.amazon.com/msk/latest/developerguide/msk-autoexpand.html) | `bool` | `true` | no |
| [broker\_dns\_records\_count](#input\_broker\_dns\_records\_count) | This variable specifies how many DNS records to create for the broker endpoints in the DNS zone provided in the `zone_id` variable.
This corresponds to the total number of broker endpoints created by the module.
Calculate this number by multiplying the `broker_per_zone` variable by the subnet count.
This variable is necessary to prevent the Terraform error:
The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. | `number` | `0` | no |
| [broker\_instance\_type](#input\_broker\_instance\_type) | The instance type to use for the Kafka brokers | `string` | n/a | yes |
-| [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone. | `number` | `1` | no |
+| [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone | `number` | `1` | no |
| [broker\_volume\_size](#input\_broker\_volume\_size) | The size in GiB of the EBS volume for the data drive on each broker node | `number` | `1000` | no |
| [certificate\_authority\_arns](#input\_certificate\_authority\_arns) | List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication | `list(string)` | `[]` | no |
-| [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enables unauthenticated access. | `bool` | `false` | no |
+| [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enable unauthenticated access | `bool` | `false` | no |
| [client\_broker](#input\_client\_broker) | Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT` | `string` | `"TLS"` | no |
-| [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enables client authentication via IAM policies (cannot be set to `true` at the same time as `client_sasl_*_enabled`). | `bool` | `false` | no |
-| [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enables SCRAM client authentication via AWS Secrets Manager (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `bool` | `false` | no |
-| [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for scram authentication (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `list(string)` | `[]` | no |
-| [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enables the list of AWS Secrets Manager secret ARNs for scram authentication | `bool` | `true` | no |
+| [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
+| [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
+| [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for SCRAM authentication | `list(string)` | `[]` | no |
+| [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication | `bool` | `true` | no |
| [client\_tls\_auth\_enabled](#input\_client\_tls\_auth\_enabled) | Set `true` to enable the Client TLS Authentication | `bool` | `false` | no |
| [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
| [cloudwatch\_logs\_log\_group](#input\_cloudwatch\_logs\_log\_group) | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index b4f28f3..b06cac4 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -16,8 +16,8 @@
| Name | Source | Version |
|------|--------|---------|
-| [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.12.3 |
-| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.0.1 |
+| [hostname](#module\_hostname) | cloudposse/route53-cluster-hostname/aws | 0.13.0 |
+| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.1.0 |
| [this](#module\_this) | cloudposse/label/null | 0.25.0 |
## Resources
@@ -45,15 +45,15 @@
| [autoscaling\_enabled](#input\_autoscaling\_enabled) | To automatically expand your cluster's storage in response to increased usage, you can enable this. [More info](https://docs.aws.amazon.com/msk/latest/developerguide/msk-autoexpand.html) | `bool` | `true` | no |
| [broker\_dns\_records\_count](#input\_broker\_dns\_records\_count) | This variable specifies how many DNS records to create for the broker endpoints in the DNS zone provided in the `zone_id` variable.
This corresponds to the total number of broker endpoints created by the module.
Calculate this number by multiplying the `broker_per_zone` variable by the subnet count.
This variable is necessary to prevent the Terraform error:
The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. | `number` | `0` | no |
| [broker\_instance\_type](#input\_broker\_instance\_type) | The instance type to use for the Kafka brokers | `string` | n/a | yes |
-| [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone. | `number` | `1` | no |
+| [broker\_per\_zone](#input\_broker\_per\_zone) | Number of Kafka brokers per zone | `number` | `1` | no |
| [broker\_volume\_size](#input\_broker\_volume\_size) | The size in GiB of the EBS volume for the data drive on each broker node | `number` | `1000` | no |
| [certificate\_authority\_arns](#input\_certificate\_authority\_arns) | List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication | `list(string)` | `[]` | no |
-| [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enables unauthenticated access. | `bool` | `false` | no |
+| [client\_allow\_unauthenticated](#input\_client\_allow\_unauthenticated) | Enable unauthenticated access | `bool` | `false` | no |
| [client\_broker](#input\_client\_broker) | Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT` | `string` | `"TLS"` | no |
-| [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enables client authentication via IAM policies (cannot be set to `true` at the same time as `client_sasl_*_enabled`). | `bool` | `false` | no |
-| [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enables SCRAM client authentication via AWS Secrets Manager (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `bool` | `false` | no |
-| [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for scram authentication (cannot be set to `true` at the same time as `client_tls_auth_enabled`). | `list(string)` | `[]` | no |
-| [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enables the list of AWS Secrets Manager secret ARNs for scram authentication | `bool` | `true` | no |
+| [client\_sasl\_iam\_enabled](#input\_client\_sasl\_iam\_enabled) | Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
+| [client\_sasl\_scram\_enabled](#input\_client\_sasl\_scram\_enabled) | Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled` | `bool` | `false` | no |
+| [client\_sasl\_scram\_secret\_association\_arns](#input\_client\_sasl\_scram\_secret\_association\_arns) | List of AWS Secrets Manager secret ARNs for SCRAM authentication | `list(string)` | `[]` | no |
+| [client\_sasl\_scram\_secret\_association\_enabled](#input\_client\_sasl\_scram\_secret\_association\_enabled) | Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication | `bool` | `true` | no |
| [client\_tls\_auth\_enabled](#input\_client\_tls\_auth\_enabled) | Set `true` to enable the Client TLS Authentication | `bool` | `false` | no |
| [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
| [cloudwatch\_logs\_log\_group](#input\_cloudwatch\_logs\_log\_group) | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
index e129246..ca4d7a5 100644
--- a/examples/complete/fixtures.us-east-2.tfvars
+++ b/examples/complete/fixtures.us-east-2.tfvars
@@ -11,7 +11,7 @@ name = "msk-test"
availability_zones = ["us-east-2a", "us-east-2b"]
# https://docs.aws.amazon.com/msk/latest/developerguide/supported-kafka-versions.html
-kafka_version = "3.3.2"
+kafka_version = "3.4.0"
broker_per_zone = 2
@@ -27,3 +27,6 @@ zone_id = "Z3SO0TKDDQ0RGG"
# This variable is necessary to prevent the Terraform error:
# The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created.
broker_dns_records_count = 4
+
+# Unauthenticated cannot be set to `false` without enabling any authentication mechanisms
+client_allow_unauthenticated = true
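Review bot: The example fixture now provisions the test cluster with `client_allow_unauthenticated = true`, the weakest configuration the module offers, and examples are what users copy. Since the example's `main.tf` already wires `client_sasl_iam_enabled` through, the fixture could enable that instead and leave `client_allow_unauthenticated` at its default of `false`: `client_sasl_iam_enabled = true` (IAM auth needs no secret or CA fixture, so it is presumably the lightest option — confirm it works against the test account). If unauthenticated access must stay for the test, the comment should say that this is a test-only choice rather than restate the API constraint, e.g. `# Test-only: no auth mechanism is enabled in this fixture, and MSK rejects unauthenticated = false in that case`.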
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 0c40569..93f3121 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -4,7 +4,7 @@ provider "aws" {
module "vpc" {
source = "cloudposse/vpc/aws"
- version = "2.0.0"
+ version = "2.1.0"
ipv4_primary_cidr_block = "172.16.0.0/16"
@@ -13,7 +13,7 @@ module "vpc" {
module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
- version = "2.1.0"
+ version = "2.3.0"
availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
@@ -51,5 +51,14 @@ module "kafka" {
additional_security_group_rules = var.additional_security_group_rules
inline_rules_enabled = var.inline_rules_enabled
+ client_allow_unauthenticated = var.client_allow_unauthenticated
+ client_sasl_scram_enabled = var.client_sasl_scram_enabled
+ client_sasl_iam_enabled = var.client_sasl_iam_enabled
+ client_tls_auth_enabled = var.client_tls_auth_enabled
+ client_sasl_scram_secret_association_enabled = var.client_sasl_scram_secret_association_enabled
+ client_sasl_scram_secret_association_arns = var.client_sasl_scram_secret_association_arns
+
+ certificate_authority_arns = var.certificate_authority_arns
+
context = module.this.context
}
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 85d2de2..19d3348 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -55,3 +55,52 @@ variable "public_access_enabled" {
description = "Enable public access to MSK cluster (given that all of the requirements are met)"
nullable = false
}
+
+variable "client_allow_unauthenticated" {
+ type = bool
+ default = false
+ description = "Enable unauthenticated access"
+ nullable = false
+}
+
+variable "client_sasl_iam_enabled" {
+ type = bool
+ default = false
+ description = "Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
+ nullable = false
+}
+
+variable "client_tls_auth_enabled" {
+ type = bool
+ default = false
+ description = "Set `true` to enable the Client TLS Authentication"
+ nullable = false
+}
+
+variable "client_sasl_scram_enabled" {
+ type = bool
+ default = false
+ description = "Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
+ nullable = false
+}
+
+variable "certificate_authority_arns" {
+ type = list(string)
+ default = []
+ description = "List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication"
+ nullable = false
+}
+
+variable "client_sasl_scram_secret_association_enabled" {
+ type = bool
+ default = true
+ description = "Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication"
+ nullable = false
+}
+
+variable "client_sasl_scram_secret_association_arns" {
+ type = list(string)
+ default = []
+ description = "List of AWS Secrets Manager secret ARNs for SCRAM authentication"
+ nullable = false
+}
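Review bot: The description of `client_sasl_iam_enabled` (and of `client_sasl_scram_enabled`) states the input cannot be `true` together with `client_tls_auth_enabled`, yet the example's `main.tf` passes all three through and the module's rewritten `client_authentication` block emits `tls` and `sasl` side by side with no check, so the sentence is either a stale constraint or an unenforced one. The same wording is introduced in the root `variables.tf` hunk for these two variables and in both generated docs tables. If MSK accepts mTLS alongside SASL on one cluster, drop the sentence; if it does not, enforce it in the module (a `precondition` on the cluster resource) rather than in a description, since a user who misses the text only finds out at apply time.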
diff --git a/main.tf b/main.tf
index 1c49c77..3192bab 100644
--- a/main.tf
+++ b/main.tf
@@ -76,7 +76,7 @@ data "aws_msk_broker_nodes" "default" {
# https://github.com/cloudposse/terraform-aws-security-group/blob/master/docs/migration-v1-v2.md
module "security_group" {
source = "cloudposse/security-group/aws"
- version = "2.0.1"
+ version = "2.1.0"
enabled = local.enabled && var.create_security_group
@@ -168,23 +168,21 @@ resource "aws_msk_cluster" "default" {
encryption_at_rest_kms_key_arn = var.encryption_at_rest_kms_key_arn
}
- dynamic "client_authentication" {
- for_each = var.client_tls_auth_enabled || var.client_sasl_scram_enabled || var.client_sasl_iam_enabled ? [1] : []
- content {
- dynamic "tls" {
- for_each = var.client_tls_auth_enabled ? [1] : []
- content {
- certificate_authority_arns = var.certificate_authority_arns
- }
- }
- dynamic "sasl" {
- for_each = var.client_sasl_scram_enabled || var.client_sasl_iam_enabled ? [1] : []
- content {
- scram = var.client_sasl_scram_enabled
- iam = var.client_sasl_iam_enabled
- }
+ # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster.html#client_authentication
+ client_authentication {
+ # Unauthenticated cannot be set to `false` without enabling any authentication mechanisms
+ unauthenticated = var.client_allow_unauthenticated
+
+ dynamic "tls" {
+ for_each = var.client_tls_auth_enabled ? [1] : []
+ content {
+ certificate_authority_arns = var.certificate_authority_arns
}
- unauthenticated = var.client_allow_unauthenticated
+ }
+
+ sasl {
+ scram = var.client_sasl_scram_enabled
+ iam = var.client_sasl_iam_enabled
}
}
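Review bot: The rewritten `client_authentication` block leaves the rejection described by the `unauthenticated` comment as an apply-time failure: with every `client_*_enabled` input at its default of `false` and `unauthenticated = false`, the plan succeeds and AWS refuses the cluster only during apply. A `precondition` on `aws_msk_cluster.default` (the resource starts and ends outside this hunk; merge into its existing `lifecycle` block if one exists) turns that into a plan-time error with an actionable message. The `sasl` block is now emitted unconditionally, so with `scram` and `iam` both false the provider sends an all-false `sasl` argument; worth confirming this does not produce a perpetual diff against what the API returns. The variable descriptions also say SASL inputs cannot be combined with `client_tls_auth_enabled` but nothing here enforces it; if that constraint is real, the same precondition pattern can check it.
```hcl
  client_authentication {
    # … unchanged: unauthenticated, tls and sasl settings …
  }

  lifecycle {
    precondition {
      condition     = var.client_allow_unauthenticated || var.client_tls_auth_enabled || var.client_sasl_scram_enabled || var.client_sasl_iam_enabled
      error_message = "Set client_allow_unauthenticated = true or enable at least one of client_tls_auth_enabled, client_sasl_scram_enabled, client_sasl_iam_enabled; MSK rejects a cluster with no client authentication and unauthenticated access disabled."
    }
  }
```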
@@ -238,7 +236,7 @@ module "hostname" {
count = local.enabled && var.zone_id != null && var.zone_id != "" ? var.broker_dns_records_count : 0
source = "cloudposse/route53-cluster-hostname/aws"
- version = "0.12.3"
+ version = "0.13.0"
zone_id = var.zone_id
dns_name = var.custom_broker_dns_name == null ? "${module.this.name}-broker-${count.index + 1}" : replace(var.custom_broker_dns_name, "%%ID%%", count.index + 1)
diff --git a/variables.tf b/variables.tf
index b6f7357..60cc51f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -16,7 +16,7 @@ variable "broker_instance_type" {
variable "broker_per_zone" {
type = number
default = 1
- description = "Number of Kafka brokers per zone."
+ description = "Number of Kafka brokers per zone"
validation {
condition = var.broker_per_zone > 0
error_message = "The broker_per_zone value must be at least 1."
@@ -103,35 +103,35 @@ variable "certificate_authority_arns" {
variable "client_allow_unauthenticated" {
type = bool
default = false
- description = "Enables unauthenticated access."
+ description = "Enable unauthenticated access"
nullable = false
}
variable "client_sasl_scram_enabled" {
type = bool
default = false
- description = "Enables SCRAM client authentication via AWS Secrets Manager (cannot be set to `true` at the same time as `client_tls_auth_enabled`)."
+ description = "Enable SCRAM client authentication via AWS Secrets Manager. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
nullable = false
}
variable "client_sasl_scram_secret_association_enabled" {
type = bool
default = true
- description = "Enables the list of AWS Secrets Manager secret ARNs for scram authentication"
+ description = "Enable the list of AWS Secrets Manager secret ARNs for SCRAM authentication"
nullable = false
}
variable "client_sasl_scram_secret_association_arns" {
type = list(string)
default = []
- description = "List of AWS Secrets Manager secret ARNs for scram authentication (cannot be set to `true` at the same time as `client_tls_auth_enabled`)."
+ description = "List of AWS Secrets Manager secret ARNs for SCRAM authentication"
nullable = false
}
variable "client_sasl_iam_enabled" {
type = bool
default = false
- description = "Enables client authentication via IAM policies (cannot be set to `true` at the same time as `client_sasl_*_enabled`)."
+ description = "Enable client authentication via IAM policies. Cannot be set to `true` at the same time as `client_tls_auth_enabled`"
nullable = false
}