diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 30b3a85..ceb4644 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,7 +1,7 @@
# Use this file to define individuals or teams that are responsible for code in a repository.
# Read more:
#
-# Order is important: the last matching pattern takes the most precedence
+# Order is important: the last matching pattern has the highest precedence
# These owners will be the default owners for everything
* @cloudposse/engineering @cloudposse/contributors
@@ -13,5 +13,12 @@
# Cloud Posse must review any changes to GitHub actions
.github/* @cloudposse/engineering
-# Cloud Posse must review any changes to standard context definition
-**/context.tf @cloudposse/engineering
\ No newline at end of file
+# Cloud Posse must review any changes to standard context definition,
+# but some changes can be rubber-stamped.
+**/context.tf @cloudposse/engineering @cloudposse/approvers
+README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+
+# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
+.github/mergify.yml @cloudposse/admins
+.github/CODEOWNERS @cloudposse/admins
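Review bot: The `.github/*` rule on the line above this hunk matches only files directly under `.github/`, so the new workflows added in this commit under `.github/workflows/` (including `auto-format.yml`, which runs on `pull_request_target` with `PUBLIC_REPO_ACCESS_TOKEN`) fall through to the default `*` rule and can be approved by `@cloudposse/contributors`. Since the commit deliberately tightens ownership of `mergify.yml` and `CODEOWNERS` to `@cloudposse/admins`, the workflow files that hold the privileged automation deserve the same treatment, e.g. `.github/workflows/* @cloudposse/admins` placed after the `.github/*` rule so that last-match precedence applies.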
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index 2836185..c78a4d8 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -4,30 +4,35 @@ version-template: '$MAJOR.$MINOR.$PATCH'
version-resolver:
major:
labels:
- - 'major'
+ - 'major'
minor:
labels:
- - 'minor'
- - 'enhancement'
+ - 'minor'
+ - 'enhancement'
patch:
labels:
- - 'patch'
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
+ - 'auto-update'
+ - 'patch'
+ - 'fix'
+ - 'bugfix'
+ - 'bug'
+ - 'hotfix'
default: 'minor'
categories:
- - title: '🚀 Enhancements'
- labels:
- - 'enhancement'
- - title: '🐛 Bug Fixes'
- labels:
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
+- title: '🚀 Enhancements'
+ labels:
+ - 'enhancement'
+ - 'patch'
+- title: '🐛 Bug Fixes'
+ labels:
+ - 'fix'
+ - 'bugfix'
+ - 'bug'
+ - 'hotfix'
+- title: '🤖 Automatic Updates'
+ labels:
+ - 'auto-update'
change-template: |
@@ -38,3 +43,11 @@ change-template: |
template: |
$CHANGES
+
+replacers:
+# Remove irrelevant information from Renovate bot
+- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+ replace: ''
+# Remove Renovate bot banner image
+- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
+ replace: ''
diff --git a/.github/mergify.yml b/.github/mergify.yml
new file mode 100644
index 0000000..b010656
--- /dev/null
+++ b/.github/mergify.yml
@@ -0,0 +1,58 @@
+# https://docs.mergify.io/conditions.html
+# https://docs.mergify.io/actions.html
+pull_request_rules:
+- name: "approve automated PRs that have passed checks"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "base=master"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ actions:
+ review:
+ type: "APPROVE"
+ bot_account: "cloudposse-mergebot"
+ message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
+
+- name: "merge automated PRs when approved and tests pass"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "base=master"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ - "#approved-reviews-by>=1"
+ - "#changes-requested-reviews-by=0"
+ - "#commented-reviews-by=0"
+ actions:
+ merge:
+ method: "squash"
+
+- name: "delete the head branch after merge"
+ conditions:
+ - "merged"
+ actions:
+ delete_head_branch: {}
+
+- name: "ask to resolve conflict"
+ conditions:
+ - "conflict"
+ - "-closed"
+ actions:
+ comment:
+ message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏"
+
+- name: "remove outdated reviews"
+ conditions:
+ - "base=master"
+ actions:
+ dismiss_reviews:
+ changes_requested: true
+ approved: true
+ message: "This Pull Request has been updated, so we're dismissing all reviews."
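Review bot: The approval written by the first rule is itself what satisfies `#approved-reviews-by>=1` in the second rule, so for PRs matching the author and `head~=` patterns the only effective gate before squash-merge is the four `check-success` conditions; a comment saying so would keep a future reader from assuming a human approval is involved. Both `renovate.json` and `auto-context.yml` in this commit label their PRs `auto-update`, so adding `- "label=auto-update"` to both rules would stop a branch name and author login alone from qualifying a PR. The `author~=` condition matches by login, while `auto-format.yml` in the same commit deliberately matches bots by numeric ID because logins are inconsistent between APIs; it is worth confirming which form Mergify exposes before relying on `renovate\\[bot\\]`.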
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..ae4f0aa
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,12 @@
+{
+ "extends": [
+ "config:base",
+ ":preserveSemverRanges"
+ ],
+ "labels": ["auto-update"],
+ "enabledManagers": ["terraform"],
+ "terraform": {
+ "ignorePaths": ["**/context.tf", "examples/**"]
+ }
+}
+
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml
new file mode 100644
index 0000000..ab979e0
--- /dev/null
+++ b/.github/workflows/auto-context.yml
@@ -0,0 +1,57 @@
+name: "auto-context"
+on:
+ schedule:
+ # Update context.tf nightly
+ - cron: '0 3 * * *'
+
+jobs:
+ update:
+ if: github.event_name == 'schedule'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Update context.tf
+ shell: bash
+ id: update
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ run: |
+ if [[ -f context.tf ]]; then
+ echo "Discovered existing context.tf! Fetching most recent version to see if there is an update."
+ curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
+ if git diff --no-patch --exit-code context.tf; then
+ echo "No changes detected! Exiting the job..."
+ else
+ echo "context.tf file has changed. Update examples and rebuild README.md."
+ make init
+ make github/init/context.tf
+ make readme/build
+ echo "::set-output name=create_pull_request::true"
+ fi
+ else
+ echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
+ fi
+
+ - name: Create Pull Request
+ if: steps.update.outputs.create_pull_request == 'true'
+ uses: cloudposse/actions/github/create-pull-request@0.22.0
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
+ author: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
+ commit-message: Update context.tf from origin source
+ title: Update context.tf
+ body: |-
+ ## what
+ This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label`
+
+ ## why
+ To support all the features of the `context` interface.
+
+ branch: auto-update/context.tf
+ base: master
+ delete-branch: true
+ labels: |
+ auto-update
+ context
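Review bot: The `curl` step fetches `context.tf` from the unpinned `master` ref of `cloudposse/terraform-null-label` with no integrity check, and the resulting `auto-update/context.tf` PR authored by `cloudpossebot` is exactly what the new `mergify.yml` auto-approves and squash-merges once CI passes, so whatever lands on that upstream branch flows into this repository without human review. Consider fetching the export for the version `context.tf` already pins (`0.22.1` in this commit), e.g. a tag ref in the raw URL instead of `master`, or at least noting the trust assumption in the step comment. `GITHUB_TOKEN` is exported into the step's `env` but none of the visible commands use it directly; presumably `make readme/build` needs it, and a one-line comment such as `# GITHUB_TOKEN is consumed by the make targets, not by curl` would make that clear.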
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
new file mode 100644
index 0000000..990abed
--- /dev/null
+++ b/.github/workflows/auto-format.yml
@@ -0,0 +1,86 @@
+name: Auto Format
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+jobs:
+ auto-format:
+ runs-on: ubuntu-latest
+ container: cloudposse/build-harness:slim-latest
+ steps:
+ # Checkout the pull request branch
+ # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
+ # the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains
+ # a workflow configured to run when push events occur."
+ # However, using a personal access token will cause events to be triggered.
+ # We need that to ensure a status gets posted after the auto-format commit.
+ # We also want to trigger tests if the auto-format made no changes.
+ - uses: actions/checkout@v2
+ if: github.event.pull_request.state == 'open'
+ name: Privileged Checkout
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ # Check out the PR commit, not the merge commit
+ # Use `ref` instead of `sha` to enable pushing back to `ref`
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ # Do all the formatting stuff
+ - name: Auto Format
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
+
+ # Commit changes (if any) to the PR branch
+ - name: Commit changes to the PR branch
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ id: commit
+ env:
+ SENDER: ${{ github.event.sender.login }}
+ run: |
+ set -x
+ output=$(git diff --name-only)
+
+ if [ -n "$output" ]; then
+ echo "Changes detected. Pushing to the PR branch"
+ git config --global user.name 'cloudpossebot'
+ git config --global user.email '11232728+cloudpossebot@users.noreply.github.com'
+ git add -A
+ git commit -m "Auto Format"
+ # Prevent looping by not pushing changes in response to changes from cloudpossebot
+ [[ $SENDER == "cloudpossebot" ]] || git push
+ # Set status to fail, because the push should trigger another status check,
+ # and we use success to indicate the checks are finished.
+ printf "::set-output name=%s::%s\n" "changed" "true"
+ exit 1
+ else
+ printf "::set-output name=%s::%s\n" "changed" "false"
+ echo "No changes detected"
+ fi
+
+ - name: Auto Test
+ uses: cloudposse/actions/github/repository-dispatch@0.22.0
+ # match users by ID because logins (user names) are inconsistent,
+ # for example in the REST API Renovate Bot is `renovate[bot]` but
+ # in GraphQL it is just `renovate`, plus there is a non-bot
+ # user `renovate` with ID 1832810.
+ # Mergify bot: 37929162
+ # Renovate bot: 29139614
+ # Cloudpossebot: 11232728
+ # Need to use space separators to prevent "21" from matching "112144"
+ if: >
+ contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))
+ && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open'
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: cloudposse/actions
+ event-type: test-command
+ client-payload: |-
+ { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}},
+ "pull_request": ${{ toJSON(github.event.pull_request) }},
+ "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }},
+ "comment": {"id": ""}
+ }
+ }
+ }
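Review bot: The "Privileged Checkout" step checks out the PR head from the contributor's repository under `pull_request_target` and passes `PUBLIC_REPO_ACCESS_TOKEN` as the checkout token; with `actions/checkout@v2` defaults that token is persisted in the workspace's git config, and the next step then runs `make` against the checked-out PR contents, so anything that makefile pulls from the repository executes with that token reachable. Consider `persist-credentials: false` on the checkout and supplying the token only to the commit step that needs it, and/or gating the job to same-repository heads the way `validate-codeowners.yml` in this commit does (`github.event.pull_request.head.repo.full_name == github.repository`). Separately, the commit step decides whether anything changed with `git diff --name-only`, which ignores untracked files, but stages with `git add -A`; `git status --porcelain` would keep the two consistent.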
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index e21fbfe..3f48017 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -3,17 +3,17 @@ name: auto-release
on:
push:
branches:
- - master
+ - master
jobs:
- semver:
+ publish:
runs-on: ubuntu-latest
steps:
- # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: true
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # Drafts your next Release notes as Pull Requests are merged into "master"
+ - uses: release-drafter/release-drafter@v5
+ with:
+ publish: true
+ prerelease: false
+ config-name: auto-release.yml
+ env:
+ GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
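Review bot: The switch from `GITHUB_TOKEN` to the `PUBLIC_REPO_ACCESS_TOKEN` PAT is not explained in the hunk; presumably it is so the published release triggers downstream workflows, which `auto-format.yml` in this commit documents for pushes but this file does not. A comment on the `env:` line such as `# A PAT is used instead of GITHUB_TOKEN so the published release can trigger other workflows` would record that, and it is worth confirming the PAT carries no more scope than the release needs since it is also used by the chatops, auto-format and auto-context workflows.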
diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml
index 31523a8..4ddc067 100644
--- a/.github/workflows/chatops.yml
+++ b/.github/workflows/chatops.yml
@@ -9,13 +9,13 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: "Handle common commands"
- uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+ uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
repository: cloudposse/actions
commands: rebuild-readme, terraform-fmt
- permission: none
+ permission: triage
issue-type: pull-request
test:
@@ -24,13 +24,13 @@ jobs:
- name: "Checkout commit"
uses: actions/checkout@v2
- name: "Run tests"
- uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+ uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
repository: cloudposse/actions
commands: test
- permission: none
+ permission: triage
issue-type: pull-request
reactions: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index 496663f..0000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: lint
-
-on:
- push:
- branches:
- - master
- pull_request:
- types: [opened, synchronize, reopened]
-
-
-jobs:
- lint-readme:
- name: readme
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: cloudposse/build-harness@0.44.1
- with:
- entrypoint: /usr/bin/make
- args: readme/lint
-
- super-linter:
- name: superlinter
- runs-on: ubuntu-latest
- steps:
- - name: Checkout Code
- uses: actions/checkout@v2
- - name: Lint Code Base
- uses: docker://github/super-linter:v3
- env:
- VALIDATE_ALL_CODEBASE: false
- VALIDATE_TERRAFORM_TERRASCAN: false
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- VALIDATE_GO: false
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
new file mode 100644
index 0000000..386eb28
--- /dev/null
+++ b/.github/workflows/validate-codeowners.yml
@@ -0,0 +1,25 @@
+name: Validate Codeowners
+on:
+ pull_request:
+
+jobs:
+ validate-codeowners:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout source code at current commit"
+ uses: actions/checkout@v2
+ - uses: mszostok/codeowners-validator@v0.5.0
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ name: "Full check of CODEOWNERS"
+ with:
+ # For now, remove "files" check to allow CODEOWNERS to specify non-existent
+ # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
+ # checks: "files,syntax,owners,duppatterns"
+ checks: "syntax,owners,duppatterns"
+ # GitHub access token is required only if the `owners` check is enabled
+ github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
+ - uses: mszostok/codeowners-validator@v0.5.0
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ name: "Syntax check of CODEOWNERS"
+ with:
+ checks: "syntax,duppatterns"
diff --git a/.gitignore b/.gitignore
index 1c768ad..f123b94 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@
*.tfstate.*
.terraform
.terraform.tfstate.lock.info
+.terraform.lock.hcl
**/.idea
**/*.iml
diff --git a/README.md b/README.md
index 4fda303..38939ec 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
+
# terraform-aws-msk-apache-kafka-cluster
[![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-msk-apache-kafka-cluster.svg)](https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) [![Discourse Forum](https://img.shields.io/discourse/https/ask.sweetops.com/posts.svg)](https://ask.sweetops.com/)
+
[![README Header][readme_header_img]][readme_header_link]
@@ -67,8 +69,15 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
## Usage
-**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
-Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster/releases).
+**IMPORTANT:** We do not pin modules to versions in our examples because of the
+difficulty of keeping the versions in the documentation in sync with the latest released versions.
+We highly recommend that in your code you pin the version to the exact version you are
+using so that your infrastructure remains stable, and update versions in a
+systematic way so that they do not catch you by surprise.
+
+Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
+the registry shows many of our inputs as required when in fact they are optional.
+The table below correctly indicates which inputs are required.
Here's how to invoke this example module in your projects
@@ -138,6 +147,8 @@ Available targets:
| broker\_volume\_size | The size in GiB of the EBS volume for the data drive on each broker node | `number` | `1000` | no |
| certificate\_authority\_arns | List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication | `list(string)` | `[]` | no |
| client\_broker | Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT` | `string` | `"TLS"` | no |
+| client\_sasl\_scram\_enabled | Enables SCRAM client authentication via AWS Secrets Manager. | `bool` | `false` | no |
+| client\_sasl\_scram\_secret\_association\_arns | List of AWS Secrets Manager secret ARNs for scram authentication. | `list(string)` | `[]` | no |
| client\_tls\_auth\_enabled | Set `true` to enable the Client TLS Authentication | `bool` | `false` | no |
| cloudwatch\_logs\_enabled | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
| cloudwatch\_logs\_log\_group | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
@@ -176,6 +187,7 @@ Available targets:
|------|-------------|
| bootstrap\_broker\_tls | A comma separated list of one or more DNS names (or IPs) and TLS port pairs kafka brokers suitable to boostrap connectivity to the kafka cluster |
| bootstrap\_brokers | A comma separated list of one or more hostname:port pairs of kafka brokers suitable to boostrap connectivity to the kafka cluster |
+| bootstrap\_brokers\_scram | A comma separated list of one or more DNS names (or IPs) and TLS port pairs kafka brokers suitable to boostrap connectivity using SASL/SCRAM to the kafka cluster. |
| cluster\_arn | Amazon Resource Name (ARN) of the MSK cluster |
| cluster\_name | MSK Cluster name |
| config\_arn | Amazon Resource Name (ARN) of the configuration |
@@ -290,7 +302,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
## Copyrights
-Copyright © 2020-2020 [Cloud Posse, LLC](https://cloudposse.com)
+Copyright © 2020-2021 [Cloud Posse, LLC](https://cloudposse.com)
@@ -349,8 +361,10 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
### Contributors
+
| [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Hugo Samayoa][htplbc_avatar]][htplbc_homepage]
[Hugo Samayoa][htplbc_homepage] |
|---|---|
+
[osterman_homepage]: https://github.com/osterman
[osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png
diff --git a/context.tf b/context.tf
index eb8d5d5..f5f2797 100644
--- a/context.tf
+++ b/context.tf
@@ -19,7 +19,8 @@
#
module "this" {
- source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2"
+ source = "cloudposse/label/null"
+ version = "0.22.1" // requires Terraform >= 0.12.26
enabled = var.enabled
namespace = var.namespace
@@ -164,4 +165,4 @@ variable "id_length_limit" {
EOT
}
-#### End of copy of cloudposse/terraform-null-label/variables.tf
\ No newline at end of file
+#### End of copy of cloudposse/terraform-null-label/variables.tf
diff --git a/docs/terraform.md b/docs/terraform.md
index ebf74a5..fc9767b 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -25,6 +25,8 @@
| broker\_volume\_size | The size in GiB of the EBS volume for the data drive on each broker node | `number` | `1000` | no |
| certificate\_authority\_arns | List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication | `list(string)` | `[]` | no |
| client\_broker | Encryption setting for data in transit between clients and brokers. Valid values: `TLS`, `TLS_PLAINTEXT`, and `PLAINTEXT` | `string` | `"TLS"` | no |
+| client\_sasl\_scram\_enabled | Enables SCRAM client authentication via AWS Secrets Manager. | `bool` | `false` | no |
+| client\_sasl\_scram\_secret\_association\_arns | List of AWS Secrets Manager secret ARNs for scram authentication. | `list(string)` | `[]` | no |
| client\_tls\_auth\_enabled | Set `true` to enable the Client TLS Authentication | `bool` | `false` | no |
| cloudwatch\_logs\_enabled | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
| cloudwatch\_logs\_log\_group | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
@@ -63,6 +65,7 @@
|------|-------------|
| bootstrap\_broker\_tls | A comma separated list of one or more DNS names (or IPs) and TLS port pairs kafka brokers suitable to boostrap connectivity to the kafka cluster |
| bootstrap\_brokers | A comma separated list of one or more hostname:port pairs of kafka brokers suitable to boostrap connectivity to the kafka cluster |
+| bootstrap\_brokers\_scram | A comma separated list of one or more DNS names (or IPs) and TLS port pairs kafka brokers suitable to boostrap connectivity using SASL/SCRAM to the kafka cluster. |
| cluster\_arn | Amazon Resource Name (ARN) of the MSK cluster |
| cluster\_name | MSK Cluster name |
| config\_arn | Amazon Resource Name (ARN) of the configuration |
diff --git a/examples/complete/context.tf b/examples/complete/context.tf
index eb8d5d5..f5f2797 100644
--- a/examples/complete/context.tf
+++ b/examples/complete/context.tf
@@ -19,7 +19,8 @@
#
module "this" {
- source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.19.2"
+ source = "cloudposse/label/null"
+ version = "0.22.1" // requires Terraform >= 0.12.26
enabled = var.enabled
namespace = var.namespace
@@ -164,4 +165,4 @@ variable "id_length_limit" {
EOT
}
-#### End of copy of cloudposse/terraform-null-label/variables.tf
\ No newline at end of file
+#### End of copy of cloudposse/terraform-null-label/variables.tf
diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
index 96782e7..d3c6ca4 100644
--- a/examples/complete/fixtures.us-east-2.tfvars
+++ b/examples/complete/fixtures.us-east-2.tfvars
@@ -16,7 +16,7 @@ zone_id = "Z3SO0TKDDQ0RGG"
availability_zones = ["us-east-2a", "us-east-2b", "us-east-2c"]
-kafka_version = "2.4.1"
+kafka_version = "2.4.1.1"
number_of_broker_nodes = 3
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 0b5f20d..88b3276 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -3,7 +3,8 @@ provider "aws" {
}
module "vpc" {
- source = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.17.0"
+ source = "cloudposse/vpc/aws"
+ version = "0.18.1"
cidr_block = "172.16.0.0/16"
@@ -11,7 +12,8 @@ module "vpc" {
}
module "subnets" {
- source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.28.0"
+ source = "cloudposse/dynamic-subnets/aws"
+ version = "0.33.0"
availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
@@ -24,7 +26,7 @@ module "subnets" {
}
resource "random_id" "config_id" {
- count = var.enabled ? 1 : 0
+ count = module.this.enabled ? 1 : 0
byte_length = 2
}
@@ -39,6 +41,7 @@ module "kafka" {
number_of_broker_nodes = var.number_of_broker_nodes
broker_instance_type = var.broker_instance_type
- name = "${var.name}${var.delimiter}${try(random_id.config_id[0].hex, "")}"
+ name = "${module.this.name}${module.this.delimiter}${try(random_id.config_id[0].hex, "")}"
+
context = module.this.context
}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index a75cdcb..042e58c 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -8,11 +8,14 @@ terraform {
}
template = {
source = "hashicorp/template"
- version = "~> 2.0"
+ version = ">= 2.0"
}
local = {
source = "hashicorp/local"
- version = "~> 1.3"
+ version = ">= 1.3"
+ }
+ random = {
+ source = "hashicorp/random"
}
}
}
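Review bot: The newly added `random` provider entry has a `source` but no `version` constraint, unlike `template` and `local` in the same block and unlike the root `versions.tf` in this commit, which pins `random` to `>= 2.2`. Adding `version = ">= 2.2"` under `random` keeps the example consistent with the module it exercises and avoids resolving an unconstrained provider at init time.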
diff --git a/main.tf b/main.tf
index a64d0e9..95394e5 100644
--- a/main.tf
+++ b/main.tf
@@ -3,7 +3,9 @@ locals {
bootstrap_brokers_list = local.bootstrap_brokers != "" ? sort(split(",", local.bootstrap_brokers)) : []
bootstrap_brokers_tls = try(aws_msk_cluster.default[0].bootstrap_brokers_tls, "")
bootstrap_brokers_tls_list = local.bootstrap_brokers_tls != "" ? sort(split(",", local.bootstrap_brokers_tls)) : []
- bootstrap_brokers_combined_list = concat(local.bootstrap_brokers_list, local.bootstrap_brokers_tls_list)
+ bootstrap_brokers_scram = try(aws_msk_cluster.default[0].bootstrap_brokers_sasl_scram, "")
+ bootstrap_brokers_scram_list = local.bootstrap_brokers_scram != "" ? sort(split(",", local.bootstrap_brokers_scram)) : []
+ bootstrap_brokers_combined_list = concat(local.bootstrap_brokers_list, local.bootstrap_brokers_tls_list, local.bootstrap_brokers_scram_list)
}
resource "aws_security_group" "default" {
@@ -84,11 +86,19 @@ resource "aws_msk_cluster" "default" {
}
dynamic "client_authentication" {
- for_each = var.client_tls_auth_enabled ? [1] : []
-
+ for_each = var.client_tls_auth_enabled || var.client_sasl_scram_enabled ? [1] : []
content {
- tls {
- certificate_authority_arns = var.certificate_authority_arns
+ dynamic "tls" {
+ for_each = var.client_tls_auth_enabled ? [1] : []
+ content {
+ certificate_authority_arns = var.certificate_authority_arns
+ }
+ }
+ dynamic "sasl" {
+ for_each = var.client_sasl_scram_enabled ? [1] : []
+ content {
+ scram = var.client_sasl_scram_enabled
+ }
}
}
}
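Review bot: Inside the `dynamic "sasl"` block the `for_each` only yields an element when `var.client_sasl_scram_enabled` is true, so `scram = var.client_sasl_scram_enabled` is always `true` there and reads as if it could vary; `scram = true` states the intent directly. If I recall correctly MSK requires TLS between clients and brokers when SASL/SCRAM is enabled, so it would help to mention in the `client_sasl_scram_enabled` description (added in `variables.tf` in this commit) that `client_broker` must not be `PLAINTEXT`, since nothing here checks the combination. The enclosing `aws_msk_cluster` resource starts and ends outside this hunk.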
@@ -125,9 +135,17 @@ resource "aws_msk_cluster" "default" {
tags = module.this.tags
}
+resource "aws_msk_scram_secret_association" "default" {
+ count = var.client_sasl_scram_enabled ? 1 : 0
+
+ cluster_arn = aws_msk_cluster.default[0].arn
+ secret_arn_list = var.client_sasl_scram_secret_association_arns
+}
+
module "hostname" {
count = var.number_of_broker_nodes > 0 ? var.number_of_broker_nodes : 0
- source = "git::https://github.com/cloudposse/terraform-aws-route53-cluster-hostname.git?ref=tags/0.6.0"
+ source = "cloudposse/route53-cluster-hostname/aws"
+ version = "0.9.0"
enabled = module.this.enabled && length(var.zone_id) > 0
name = "${module.this.name}-broker-${count.index + 1}"
zone_id = var.zone_id
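Review bot: `aws_msk_scram_secret_association.default` is created whenever `var.client_sasl_scram_enabled` is true, but its `cluster_arn = aws_msk_cluster.default[0].arn` indexes a resource that the rest of the file guards with `try(aws_msk_cluster.default[0]...)`, i.e. one that has zero instances when the module is disabled; with `enabled = false` and SCRAM enabled the plan fails on an out-of-range index. The count should follow the cluster's own condition, `count = module.this.enabled && var.client_sasl_scram_enabled ? 1 : 0`. With the default `client_sasl_scram_secret_association_arns = []` the association would also be created with an empty `secret_arn_list`; I'm not certain the API accepts that, so it may be worth either requiring a non-empty list in the variable description or folding `length(...) > 0` into the same count.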
diff --git a/outputs.tf b/outputs.tf
index cc0798c..1d5bea2 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -13,6 +13,11 @@ output "bootstrap_broker_tls" {
value = join("", aws_msk_cluster.default.*.bootstrap_brokers_tls)
}
+output "bootstrap_brokers_scram" {
+ description = "A comma separated list of one or more DNS names (or IPs) and TLS port pairs kafka brokers suitable to boostrap connectivity using SASL/SCRAM to the kafka cluster."
+ value = join("", aws_msk_cluster.default.*.bootstrap_brokers_sasl_scram)
+}
+
output "current_version" {
description = "Current version of the MSK Cluster used for updates"
value = join("", aws_msk_cluster.default.*.current_version)
diff --git a/variables.tf b/variables.tf
index 79ab1e7..b07d24c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -76,6 +76,18 @@ variable "certificate_authority_arns" {
description = "List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication"
}
+variable "client_sasl_scram_enabled" {
+ type = bool
+ default = false
+ description = "Enables SCRAM client authentication via AWS Secrets Manager."
+}
+
+variable "client_sasl_scram_secret_association_arns" {
+ type = list(string)
+ default = []
+ description = "List of AWS Secrets Manager secret ARNs for scram authentication."
+}
+
variable "client_tls_auth_enabled" {
type = bool
default = false
@@ -141,5 +153,3 @@ variable "properties" {
default = {}
description = "Contents of the server.properties file. Supported properties are documented in the [MSK Developer Guide](https://docs.aws.amazon.com/msk/latest/developerguide/msk-configuration-properties.html)"
}
-
-
diff --git a/versions.tf b/versions.tf
index da49e97..2750e0a 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,8 +2,17 @@ terraform {
required_version = ">= 0.13.0"
required_providers {
- aws = ">= 2.0"
- local = ">= 1.2"
- random = ">= 2.2"
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 2.0"
+ }
+ local = {
+ source = "hashicorp/local"
+ version = ">= 1.2"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.2"
+ }
}
}