feat: add the ability to write msk connection strings to ssm #35

RoseSecurity · 2025-07-10T15:58:40Z

Why

Standardize a pattern for sharing data and information outside of Atmos. This involves implementing functionality using the msk component to write connection strings to SSM.

What

Add an ssm.tf file that writes MSK and Zookeeper connection strings to SSM
Toggle this functionality via:

    vars:
      # Write connection data to SSM
      ssm_parameters_enabled: true

New feature (non-breaking change which adds functionality)

Usage

atmos terraform apply msk -s <stack>

Testing

Validated with atmos validate stacks
Performed successful atmos terraform plan on component

References

Aurora Postgres Module Pattern

Summary by CodeRabbit

New Features
- Optional support for storing MSK cluster connection details in AWS Systems Manager Parameter Store (SSM).
- New configuration options to enable SSM, set a path prefix, and override cluster name.
- Added an output that lists SSM parameter key paths for the MSK cluster.
Documentation
- Updated usage examples and README to show SSM integration options.
Tests
- Added test scenarios with SSM enabled and an assertion checking the number of stored SSM parameters.

coderabbitai · 2025-07-10T15:58:47Z

Walkthrough

Adds optional SSM Parameter Store support for MSK connection details: new variables, Terraform logic to build and write SSM parameters, an output exposing SSM key paths, README/test updates, and minor Go test type updates and assertion for the new output.

Changes

Cohort / File(s)	Change Summary
Documentation `README.yaml`	Added `ssm_parameters_enabled` to example usage and documented its behavior.
SSM integration `src/ssm.tf`	New locals to build SSM path and parameter list; conditional instantiation of `parameter_store_write` module to write Kafka/zk connection values (SecureString) when enabled.
Variables `src/variables.tf`	Added variables: `ssm_parameters_enabled` (bool), `ssm_path_prefix` (string), `ssm_cluster_name_override` (string).
Outputs `src/outputs.tf`	Added `ssm_key_paths` output that returns stored parameter names when SSM writing is enabled.
Tests — fixtures `test/fixtures/stacks/catalog/usecase/basic.yaml`, `test/fixtures/stacks/catalog/usecase/disabled.yaml`	Set `ssm_parameters_enabled: true` in component vars for fixtures.
Tests — code `test/component_test.go`	Replaced `map[string]interface{}` with `map[string]any`; added assertion that `ssm_key_paths` output list length equals 5.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant TerraformModule as Module
    participant SSM as SSMParameterStore

    User->>Module: configure var.ssm_parameters_enabled (true/false)
    Module->>Module: collect Kafka & ZK outputs
    alt enabled
        Module->>SSM: write filtered SecureString parameters (via parameter_store_write module)
        SSM-->>Module: return names (module.parameter_store_write[*].names)
        Module->>User: expose ssm_key_paths output
    else disabled
        Module-->>SSM: skip writing parameters
        Module->>User: ssm_key_paths = null
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Added tests #15 — Related test adjustments and Terratest changes for MSK component; likely overlaps with test updates and MSK outputs.

Poem

In a burrow of bytes I quietly hop,
Paths for secrets now ready to drop.
Toggle the switch, let the parameters be,
Secure strings tucked under the SSM tree.
A rabbit-approved change — quick as a hop, never stop! 🐇

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

MCP integration is disabled by default for public repositories
Jira integration is disabled by default for public repositories
Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1b574b5 and fa5c87e.

📒 Files selected for processing (1)

README.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

README.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

GitHub Check: Summary

✨ Finishing Touches

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch add-ssm-parameter-outputs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 2

♻️ Duplicate comments (1)

test/fixtures/stacks/catalog/usecase/basic.yaml (1)

57-59: Same note as the disabled stack

If the fix in src/ssm.tf is applied, this fixture is fine. Otherwise the plan will also break when the MSK component is toggled off in other scenarios.

🧹 Nitpick comments (2)

README.yaml (1)

72-74: Missing documentation for the two complementary variables

The snippet now shows ssm_parameters_enabled, but ssm_path_prefix and ssm_cluster_name_override – which are required to control the actual SSM path – are absent. Mentioning them (even with defaults) will spare users a trip to the codebase.
src/ssm.tf (1)
72-76: Pin the module source to a commit SHA for supply-chain safety

Checkov flagged CKV_TF_1. Using a fixed version is good, but pinning to a commit hash (e.g. ?ref=sha) prevents unexpected changes if 0.13.0 is re-tagged.
-source  = "cloudposse/ssm-parameter-store/aws"
-version = "0.13.0"
+source  = "cloudposse/ssm-parameter-store/aws?ref=6c4d7e5"
Update when bumping versions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 152e26d and 24228e5.

📒 Files selected for processing (5)

README.yaml (1 hunks)
src/ssm.tf (1 hunks)
src/variables.tf (1 hunks)
test/fixtures/stacks/catalog/usecase/basic.yaml (1 hunks)
test/fixtures/stacks/catalog/usecase/disabled.yaml (1 hunks)

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

test/fixtures/stacks/catalog/usecase/disabled.yaml (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

test/fixtures/stacks/catalog/usecase/basic.yaml (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

README.yaml (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

src/ssm.tf (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

src/variables.tf (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

🪛 Checkov (3.2.334)

src/ssm.tf

[MEDIUM] 72-81: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

GitHub Check: Summary

🔇 Additional comments (1)

test/fixtures/stacks/catalog/usecase/disabled.yaml (1)

57-59: Potentially inconsistent flags when the component is disabled

enabled: false disables the whole component, yet ssm_parameters_enabled: true is set.
Because src/ssm.tf ignores the top-level enabled flag, Terraform will still attempt to
evaluate module.kafka.* outputs and fail when the module count is zero (see comment in src/ssm.tf).
Please keep these flags aligned or fix the gating logic.

src/variables.tf

src/ssm.tf

RoseSecurity · 2025-07-10T16:16:11Z

/terratest

goruha

@RoseSecurity could you add an assertion in tests to verify connection strings saved to the SSM parameter store?

logic to avoid invalid count

coderabbitai

Actionable comments posted: 0

♻️ Duplicate comments (1)

src/ssm.tf (1)
1-70: Critical: Locals block still doesn't honor the component-level enabled flag

The locals block directly references module.kafka.* outputs without conditional guards. When the kafka module is disabled (enabled = false), these outputs don't exist, causing "Invalid reference" errors during Terraform planning.

Apply the suggested fix from the previous review:
 locals {
   ssm_path_prefix = length(var.ssm_cluster_name_override) > 0 ? format("/%s/%s", var.ssm_path_prefix, var.ssm_cluster_name_override) : format("/%s/%s", var.ssm_path_prefix, module.this.name)
 
-  all_kafka_parameters = [
+  all_kafka_parameters = var.ssm_parameters_enabled && local.enabled ? [
     {
       name        = format("%s/broker_endpoints", local.ssm_path_prefix)
       value       = join(",", module.kafka.broker_endpoints)
       description = "List of broker endpoints"
       type        = "SecureString"
     },
     # ... rest of parameters unchanged ...
-  ]
+  ] : []
+
   kafka_parameters = [
     for p in local.all_kafka_parameters : p
     if p.value != "" && p.value != null
   ]
 }

🧹 Nitpick comments (1)

src/ssm.tf (1)
72-81: Consider pinning the module to a specific commit hash for better reproducibility

While the current version constraint is acceptable, using a commit hash provides better reproducibility and security.

Consider updating the module source to use a commit hash:
 module "parameter_store_write" {
-  source  = "cloudposse/ssm-parameter-store/aws"
-  version = "0.13.0"
+  source  = "git::https://github.com/cloudposse/terraform-aws-ssm-parameter-store.git?ref=<commit-hash>"
However, using version constraints is also a valid approach and may be preferred in some organizations for easier dependency management.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b09508a and 9db53c5.

📒 Files selected for processing (5)

src/outputs.tf (1 hunks)
src/ssm.tf (1 hunks)
test/component_test.go (2 hunks)
test/fixtures/stacks/catalog/usecase/basic.yaml (1 hunks)
test/fixtures/stacks/catalog/usecase/disabled.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

test/fixtures/stacks/catalog/usecase/disabled.yaml
test/fixtures/stacks/catalog/usecase/basic.yaml

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

src/outputs.tf (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

src/ssm.tf (1)

Learnt from: RoseSecurity
PR: cloudposse-terraform-components/aws-msk#21
File: src/main.tf:10-10
Timestamp: 2025-05-14T15:10:36.045Z
Learning: The CloudPosse MSK Apache Kafka Cluster module (cloudposse/msk-apache-kafka-cluster/aws) supports the `enabled` flag for conditionally creating/destroying resources, even though this input variable might not be explicitly documented. This is consistent with the CloudPosse module pattern where modules inherit behavior from the context object.

🪛 Checkov (3.2.334)

src/ssm.tf

[MEDIUM] 72-81: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

GitHub Check: Summary

🔇 Additional comments (3)

src/outputs.tf (1)

100-103: LGTM! Well-structured output addition.

The new output follows the established pattern and correctly exposes the SSM parameter key paths created by the parameter store module.

test/component_test.go (2)

27-27: Good modernization of Go type declaration.

Using any instead of interface{} is the preferred approach in Go 1.18+.

58-59: Appropriate test coverage for the new SSM functionality.

The assertion validates that the expected number of SSM parameters are created, providing good test coverage for the new feature.

aknysh · 2025-07-21T18:42:24Z

/terratest

goruha · 2025-07-30T18:36:40Z

/terratest

RoseSecurity · 2025-07-30T19:29:28Z

I may have to rework the logic as it appears to fail with an invalid count argument. Is there any way to clean up the outputs of the tests in CI? It's difficult to read, and I know Terratest is very verbose, but I was curious if there were ways to make it more readable

mergify · 2025-09-02T08:59:15Z