Allow multiple clientAuthentication methods in MSK (IAM + TLS) (#22041)

This PR adds a method (`saslTls `) to have both IAM And TLS for the ClientAuthentication given that this is already supported since October 2021 as feature in the Console as well as in the CloudFormation level. It addresses this issue: #16980 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Sep 15, 2022 · 77ea83c · 77ea83c
1 parent 8f7ee2b
commit 77ea83c
Show file tree

Hide file tree

Showing 11 changed files with 1,316 additions and 18 deletions.
diff --git a/packages/@aws-cdk/aws-msk/README.md b/packages/@aws-cdk/aws-msk/README.md
@@ -84,8 +84,6 @@ const cluster = msk.Cluster.fromClusterArn(this, 'Cluster',
 
 [MSK supports](https://docs.aws.amazon.com/msk/latest/developerguide/kafka_apis_iam.html) the following authentication mechanisms.
 
-> Only one authentication method can be enabled.
-
 ### TLS
 
 To enable client authentication with TLS set the `certificateAuthorityArns` property to reference your ACM Private CA. [More info on Private CAs.](https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html)
@@ -151,6 +149,37 @@ const cluster = new msk.Cluster(this, 'cluster', {
 });
 ```
 
+
+### SASL/IAM + TLS
+
+Enable client authentication with [IAM](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html) 
+as well as enable client authentication with TLS by setting the `certificateAuthorityArns` property to reference your ACM Private CA. [More info on Private CAs.](https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html)
+
+```ts
+import * as acmpca from '@aws-cdk/aws-acmpca';
+
+declare const vpc: ec2.Vpc;
+const cluster = new msk.Cluster(this, 'Cluster', {
+  clusterName: 'myCluster',
+  kafkaVersion: msk.KafkaVersion.V2_8_1,
+  vpc,
+  encryptionInTransit: {
+    clientBroker: msk.ClientBrokerEncryption.TLS,
+  },
+  clientAuthentication: msk.ClientAuthentication.saslTls({
+    iam: true,
+    certificateAuthorities: [
+      acmpca.CertificateAuthority.fromCertificateAuthorityArn(
+        this,
+        'CertificateAuthority',
+        'arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111',
+      ),
+    ],
+  }),
+});
+```
+
+
 ## Logging
 
 You can deliver Apache Kafka broker logs to one or more of the following destination types:

diff --git a/packages/@aws-cdk/aws-msk/lib/cluster.ts b/packages/@aws-cdk/aws-msk/lib/cluster.ts
@@ -343,6 +343,11 @@ export interface TlsAuthProps {
   readonly certificateAuthorities?: acmpca.ICertificateAuthority[];
 }
 
+/**
+ * SASL + TLS authentication properties
+ */
+export interface SaslTlsAuthProps extends SaslAuthProps, TlsAuthProps { }
+
 /**
  * Configuration properties for client authentication.
  */
@@ -361,6 +366,13 @@ export class ClientAuthentication {
     return new ClientAuthentication(undefined, props);
   }
 
+  /**
+   * SASL + TLS authentication
+   */
+  public static saslTls(saslTlsProps: SaslTlsAuthProps): ClientAuthentication {
+    return new ClientAuthentication(saslTlsProps, saslTlsProps);
+  }
+
   /**
    * @param saslProps - properties for SASL authentication
    * @param tlsProps - properties for TLS authentication
@@ -616,6 +628,16 @@ export class Cluster extends ClusterBase {
       clientAuthentication = {
         sasl: { iam: { enabled: props.clientAuthentication.saslProps.iam } },
       };
+      if (props.clientAuthentication?.tlsProps) {
+        clientAuthentication = {
+          sasl: { iam: { enabled: props.clientAuthentication.saslProps.iam } },
+          tls: {
+            certificateAuthorityArnList: props.clientAuthentication?.tlsProps?.certificateAuthorities?.map(
+              (ca) => ca.certificateAuthorityArn,
+            ),
+          },
+        };
+      }
     } else if (props.clientAuthentication?.saslProps?.scram) {
       clientAuthentication = {
         sasl: {