ScramSecretAssociationArgs

data class ScramSecretAssociationArgs(val clusterArn: Output<String>? = null, val secretArnLists: Output<List<String>>? = null) : ConvertibleToJava<ScramSecretAssociationArgs>

Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.

Note: The following assumes the MSK cluster has SASL/SCRAM authentication enabled. See below for example usage or refer to the Username/Password Authentication section of the MSK Developer Guide for more details.

To set up username and password authentication for a cluster, create an aws.secretsmanager.Secret resource and associate a username and password with the secret with an aws.secretsmanager.SecretVersion resource. When creating a secret for the cluster, the name must have the prefix AmazonMSK_ and you must either use an existing custom AWS KMS key or create a new custom AWS KMS key for your secret with the aws.kms.Key resource. It is important to note that a resource policy is required on the aws.secretsmanager.Secret in order for Kafka to be able to read it. This policy is attached automatically when the aws.msk.ScramSecretAssociation is used; however, it will not be in the state and as such will present a diff on plan/apply. For that reason, you must use the aws.secretsmanager.SecretPolicy resource as shown below in order to ensure that the state is clean after the creation of the secret and its association to the cluster.

Example Usage

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.msk.Cluster;
import com.pulumi.aws.msk.ClusterArgs;
import com.pulumi.aws.msk.inputs.ClusterClientAuthenticationArgs;
import com.pulumi.aws.msk.inputs.ClusterClientAuthenticationSaslArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.secretsmanager.Secret;
import com.pulumi.aws.secretsmanager.SecretArgs;
import com.pulumi.aws.secretsmanager.SecretVersion;
import com.pulumi.aws.secretsmanager.SecretVersionArgs;
import com.pulumi.aws.msk.ScramSecretAssociation;
import com.pulumi.aws.msk.ScramSecretAssociationArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import com.pulumi.aws.secretsmanager.SecretPolicy;
import com.pulumi.aws.secretsmanager.SecretPolicyArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // MSK cluster with SASL/SCRAM client authentication enabled.
        var exampleCluster = new Cluster("exampleCluster", ClusterArgs.builder()
            .clientAuthentication(ClusterClientAuthenticationArgs.builder()
                .sasl(ClusterClientAuthenticationSaslArgs.builder()
                    .scram(true)
                    .build())
                .build())
            .build());

        // A customer managed KMS key is required for the secret; the AWS-managed
        // Secrets Manager key cannot be used for SCRAM secrets.
        var exampleKey = new Key("exampleKey", KeyArgs.builder()
            .description("Example Key for MSK Cluster Scram Secret Association")
            .build());

        // The secret name must carry the AmazonMSK_ prefix (see the note above).
        var exampleSecret = new Secret("exampleSecret", SecretArgs.builder()
            .kmsKeyId(exampleKey.keyId())
            .build());

        // Credentials are stored as a JSON object with "username" and "password" keys.
        var exampleSecretVersion = new SecretVersion("exampleSecretVersion", SecretVersionArgs.builder()
            .secretId(exampleSecret.id())
            .secretString(serializeJson(
                jsonObject(
                    jsonProperty("username", "user"),
                    jsonProperty("password", "pass")
                )))
            .build());

        // Associate the secret with the cluster only after the secret version exists.
        // secretArnLists takes a list, so the single ARN Output is lifted into a List.
        var exampleScramSecretAssociation = new ScramSecretAssociation("exampleScramSecretAssociation", ScramSecretAssociationArgs.builder()
            .clusterArn(exampleCluster.arn())
            .secretArnLists(exampleSecret.arn().applyValue(arn -> List.of(arn)))
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleSecretVersion)
                .build());

        // Resource policy granting the Kafka service read access to the secret. Managing it
        // explicitly keeps it in state so it does not show up as a diff on every plan/apply.
        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("AWSKafkaResourcePolicy")
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("Service")
                    .identifiers("kafka.amazonaws.com")
                    .build())
                .actions("secretsmanager:getSecretValue")
                .resources(exampleSecret.arn().applyValue(arn -> List.of(arn)))
                .build())
            .build());

        var exampleSecretPolicy = new SecretPolicy("exampleSecretPolicy", SecretPolicyArgs.builder()
            .secretArn(exampleSecret.arn())
            .policy(examplePolicyDocument.applyValue(doc -> doc.json()))
            .build());
    }
}
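The note above lists three prerequisites that fail silently at plan time and only surface when the association is created or when Kafka tries to read the secret: the AmazonMSK_ name prefix, a customer managed KMS key rather than the AWS-managed Secrets Manager key, and a resource policy that lets kafka.amazonaws.com call GetSecretValue on that secret. The following Python is an added pre-flight check for those prerequisites; it is not part of the Pulumi provider or of this page's example. The secret descriptions and policy documents are constructed inline and loosely follow the shape of the Secrets Manager DescribeSecret and GetResourcePolicy responses (the assumption that DescribeSecret omits KmsKeyId when the AWS-managed key is in use is marked in the code). The function names check_scram_secret, policy_grants_kafka_read and secret_value_ok are this example's own.

```python
"""Pre-flight checks for an MSK SASL/SCRAM secret (added example, not provider code)."""
import json
from typing import Any, Dict, List, Optional

REQUIRED_PREFIX = "AmazonMSK_"
KAFKA_PRINCIPAL = "kafka.amazonaws.com"
# IAM action names are matched case-insensitively, so the page's
# "secretsmanager:getSecretValue" and "secretsmanager:GetSecretValue" are equivalent.
REQUIRED_ACTION = "secretsmanager:getsecretvalue"
AWS_MANAGED_KEY_ALIAS = "alias/aws/secretsmanager"


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_grants_kafka_read(policy_json: str, secret_arn: str) -> bool:
    """True if some Allow statement lets the Kafka service read secret_arn."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if KAFKA_PRINCIPAL not in services:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if REQUIRED_ACTION not in actions and "secretsmanager:*" not in actions:
            continue
        resources = _as_list(stmt.get("Resource"))
        if secret_arn in resources or "*" in resources:
            return True
    return False


def secret_value_ok(secret_string: str) -> bool:
    """The secret value must be a JSON object with non-empty username and password."""
    try:
        value = json.loads(secret_string)
    except ValueError:
        return False
    return isinstance(value, dict) and bool(value.get("username")) and bool(value.get("password"))


def check_scram_secret(secret: Dict[str, Any], policy_json: Optional[str]) -> List[str]:
    """Return human-readable findings; an empty list means the prerequisites are met."""
    findings: List[str] = []
    name = secret.get("Name", "")
    if not name.startswith(REQUIRED_PREFIX):
        findings.append(f"secret name {name!r} lacks the required prefix {REQUIRED_PREFIX}")
    # Assumption: DescribeSecret omits KmsKeyId when the AWS-managed key is in use,
    # so a missing key id is treated the same as the aws/secretsmanager alias.
    kms_key = secret.get("KmsKeyId")
    if not kms_key or kms_key.endswith(AWS_MANAGED_KEY_ALIAS):
        findings.append("secret is not encrypted with a customer managed KMS key")
    if policy_json is None:
        findings.append(f"no resource policy: {KAFKA_PRINCIPAL} cannot read the secret")
    elif not policy_grants_kafka_read(policy_json, secret["ARN"]):
        findings.append(f"resource policy does not allow {KAFKA_PRINCIPAL} GetSecretValue on this secret")
    return findings


# Constructed sample inputs (not real accounts or secrets).
GOOD_SECRET = {
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:AmazonMSK_example-AbCdEf",
    "Name": "AmazonMSK_example",
    "KmsKeyId": "arn:aws:kms:us-west-2:123456789012:key/00000000-0000-0000-0000-000000000000",
}
BAD_SECRET = {
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:kafka-creds-GhIjKl",
    "Name": "kafka-creds",
}
# Mirrors the policy document from the example above, lowercase action included.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSKafkaResourcePolicy",
        "Effect": "Allow",
        "Principal": {"Service": "kafka.amazonaws.com"},
        "Action": "secretsmanager:getSecretValue",
        "Resource": GOOD_SECRET["ARN"],
    }],
})

if __name__ == "__main__":
    print("good secret findings:", check_scram_secret(GOOD_SECRET, GOOD_POLICY))
    print("bad secret findings:", check_scram_secret(BAD_SECRET, None))
```

Run it against the output of `aws secretsmanager describe-secret` and `get-resource-policy` for each ARN in secretArnLists before applying the association; the policy check deliberately accepts `secretsmanager:*` and a `*` resource so a broader but valid policy is not reported as a failure.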

Import

MSK SCRAM Secret Associations can be imported using the cluster ARN as the id, e.g.,

$ pulumi import aws:msk/scramSecretAssociation:ScramSecretAssociation example arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3

Constructors

constructor(clusterArn: Output<String>? = null, secretArnLists: Output<List<String>>? = null)

Properties

val clusterArn: Output<String>? = null

Amazon Resource Name (ARN) of the MSK cluster.

val secretArnLists: Output<List<String>>? = null

List of AWS Secrets Manager secret ARNs.

Functions

open override fun toJava(): ScramSecretAssociationArgs