feat(msk): added msk cluster sasl iam property (#21798)
For a cluster configured with the property

`clientAuthentication: msk.ClientAuthentication.sasl({ iam: true })`

one can retrieve the bootstrap brokers from the command line:

`aws kafka get-bootstrap-brokers --cluster-arn <ClusterArn>`

This will return an object:

```
{
    "BootstrapBrokerStringSaslIam": "..."
}
```

This PR adds the ability to access the bootstrap brokers directly as a property of the Kafka cluster. This can now be
done via the `cluster.bootstrapBrokersSaslIam` property.



Fixes #18355

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
crisboarna authored Aug 29, 2022
1 parent 478b996 commit d30a530
Showing 8 changed files with 456 additions and 44 deletions.
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-msk/README.md
Expand Up @@ -65,6 +65,7 @@ declare const cluster: msk.Cluster;
new CfnOutput(this, 'BootstrapBrokers', { value: cluster.bootstrapBrokers });
new CfnOutput(this, 'BootstrapBrokersTls', { value: cluster.bootstrapBrokersTls });
new CfnOutput(this, 'BootstrapBrokersSaslScram', { value: cluster.bootstrapBrokersSaslScram });
new CfnOutput(this, 'BootstrapBrokerStringSaslIam', { value: cluster.bootstrapBrokersSaslIam });
new CfnOutput(this, 'ZookeeperConnection', { value: cluster.zookeeperConnectionString });
new CfnOutput(this, 'ZookeeperConnectionTls', { value: cluster.zookeeperConnectionStringTls });
```
15 changes: 13 additions & 2 deletions packages/@aws-cdk/aws-msk/lib/cluster.ts
Expand Up @@ -6,13 +6,13 @@ import * as logs from '@aws-cdk/aws-logs';
import * as s3 from '@aws-cdk/aws-s3';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import * as core from '@aws-cdk/core';
import { FeatureFlags } from '@aws-cdk/core';
import * as cr from '@aws-cdk/custom-resources';
import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';
import * as constructs from 'constructs';
import { addressOf } from 'constructs/lib/private/uniqueid';
import { KafkaVersion } from './';
import { CfnCluster } from './msk.generated';
import { FeatureFlags } from '@aws-cdk/core';
import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';

/**
* Represents a MSK Cluster
Expand Down Expand Up @@ -790,6 +790,17 @@ export class Cluster extends ClusterBase {
return this._bootstrapBrokers('BootstrapBrokerStringSaslScram');
}

/**
* Get the list of brokers that a SASL/IAM authenticated client application can use to bootstrap
*
* Uses a Custom Resource to make an API call to `getBootstrapBrokers` using the Javascript SDK
*
* @returns - A string containing one or more DNS names (or IP) and TLS port pairs.
*/
public get bootstrapBrokersSaslIam() {
return this._bootstrapBrokers('BootstrapBrokerStringSaslIam');
}

/**
* A list of usersnames to register with the cluster. The password will automatically be generated using Secrets
* Manager and the { username, password } JSON object stored in Secrets Manager as `AmazonMSK_username`.
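Review bot: The new `bootstrapBrokersSaslIam` getter at the end of the second hunk has no guard that the cluster was actually created with `ClientAuthentication.sasl({ iam: true })`; if `_bootstrapBrokers` simply emits a `Fn::GetAtt` on the custom resource response (its body is outside this hunk, but the integ snapshot shows exactly such a GetAtt on `BootstrapBrokerStringSaslIam`), a cluster without IAM auth will fail only at deploy time rather than at synth. The sibling getters above appear to follow the same pattern, so at minimum the TSDoc should state the precondition: `* Only valid for clusters created with ClientAuthentication.sasl({ iam: true }); otherwise the GetBootstrapBrokers response carries no BootstrapBrokerStringSaslIam attribute and the deployment fails.` It is also worth documenting that reading this property grants the custom-resource Lambda role `kafka:GetBootstrapBrokers` on the cluster ARN and that the provider is generated with `InstallLatestAwsSdk: true` (visible in the snapshot), i.e. it pulls the latest SDK from npm at deploy time, which some teams treat as a supply-chain concern. The enclosing `Cluster` class starts and ends outside the hunk.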
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
}
},
"flattenResponse": "false",
"salt": "1660927365216"
"salt": "1661748273588"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
Expand All @@ -51,7 +51,7 @@
]
},
"expected": "{\"$ObjectLike\":{\"KeyCount\":1}}",
"salt": "1660927365216"
"salt": "1661748273588"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
Expand Down Expand Up @@ -133,7 +133,7 @@
"Runtime": "nodejs14.x",
"Code": {
"S3Bucket": {
"Ref": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7"
"Ref": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3"
},
"S3Key": {
"Fn::Join": [
Expand All @@ -146,7 +146,7 @@
"Fn::Split": [
"||",
{
"Ref": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E"
"Ref": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47"
}
]
}
Expand All @@ -159,7 +159,7 @@
"Fn::Split": [
"||",
{
"Ref": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E"
"Ref": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47"
}
]
}
Expand Down Expand Up @@ -191,17 +191,17 @@
}
},
"Parameters": {
"AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7": {
"AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3": {
"Type": "String",
"Description": "S3 bucket for asset \"0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd\""
"Description": "S3 bucket for asset \"374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458\""
},
"AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E": {
"AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47": {
"Type": "String",
"Description": "S3 key for asset version \"0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd\""
"Description": "S3 key for asset version \"374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458\""
},
"AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdArtifactHash2AC894D9": {
"AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458ArtifactHash5A9F2F48": {
"Type": "String",
"Description": "Artifact hash for asset \"0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd\""
"Description": "Artifact hash for asset \"374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458\""
}
}
}
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
"use strict";
var __create = Object.create;
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
Original file line number Diff line number Diff line change
Expand Up @@ -885,6 +885,149 @@
"DependsOn": [
"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
]
},
"ClusterIAMSecurityGroupA09813F0": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "MSK security group",
"SecurityGroupEgress": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow all outbound traffic by default",
"IpProtocol": "-1"
}
],
"VpcId": {
"Ref": "VPCB9E5F0B4"
}
}
},
"ClusterIAMC4B15B57": {
"Type": "AWS::MSK::Cluster",
"Properties": {
"BrokerNodeGroupInfo": {
"ClientSubnets": [
{
"Ref": "VPCPrivateSubnet1Subnet8BCA10E0"
},
{
"Ref": "VPCPrivateSubnet2SubnetCFCDAA7A"
}
],
"InstanceType": "kafka.m5.large",
"SecurityGroups": [
{
"Fn::GetAtt": [
"ClusterIAMSecurityGroupA09813F0",
"GroupId"
]
}
],
"StorageInfo": {
"EBSStorageInfo": {
"VolumeSize": 1000
}
}
},
"ClusterName": "integ-test-iam-auth",
"KafkaVersion": "2.8.1",
"NumberOfBrokerNodes": 2,
"ClientAuthentication": {
"Sasl": {
"Iam": {
"Enabled": true
}
}
},
"EncryptionInfo": {
"EncryptionInTransit": {
"ClientBroker": "TLS",
"InCluster": true
}
},
"LoggingInfo": {
"BrokerLogs": {
"CloudWatchLogs": {
"Enabled": false
},
"Firehose": {
"Enabled": false
},
"S3": {
"Bucket": {
"Ref": "LoggingBucket1E5A6F3B"
},
"Enabled": true
}
}
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamEB333452": {
"Type": "Custom::AWS",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"AWS679f53fac002430cb0da5b7982bd22872D164C4C",
"Arn"
]
},
"Create": {
"Fn::Join": [
"",
[
"{\"service\":\"Kafka\",\"action\":\"getBootstrapBrokers\",\"parameters\":{\"ClusterArn\":\"",
{
"Ref": "ClusterIAMC4B15B57"
},
"\"},\"physicalResourceId\":{\"id\":\"BootstrapBrokers\"}}"
]
]
},
"Update": {
"Fn::Join": [
"",
[
"{\"service\":\"Kafka\",\"action\":\"getBootstrapBrokers\",\"parameters\":{\"ClusterArn\":\"",
{
"Ref": "ClusterIAMC4B15B57"
},
"\"},\"physicalResourceId\":{\"id\":\"BootstrapBrokers\"}}"
]
]
},
"InstallLatestAwsSdk": true
},
"DependsOn": [
"ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "kafka:GetBootstrapBrokers",
"Effect": "Allow",
"Resource": {
"Ref": "ClusterIAMC4B15B57"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99",
"Roles": [
{
"Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
}
]
}
}
},
"Parameters": {
Expand Down Expand Up @@ -948,6 +1091,14 @@
"BootstrapBrokerStringTls"
]
}
},
"BootstrapBrokers3": {
"Value": {
"Fn::GetAtt": [
"ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamEB333452",
"BootstrapBrokerStringSaslIam"
]
}
}
}
}
54 changes: 42 additions & 12 deletions packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/manifest.json
Expand Up @@ -304,6 +304,36 @@
"type": "aws:cdk:logicalId",
"data": "BootstrapBrokers2"
}
],
"/aws-cdk-msk-integ/ClusterIAM/SecurityGroup/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "ClusterIAMSecurityGroupA09813F0"
}
],
"/aws-cdk-msk-integ/ClusterIAM/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "ClusterIAMC4B15B57"
}
],
"/aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/Resource/Default": [
{
"type": "aws:cdk:logicalId",
"data": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamEB333452"
}
],
"/aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/CustomResourcePolicy/Resource": [
{
"type": "aws:cdk:logicalId",
"data": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99"
}
],
"/aws-cdk-msk-integ/BootstrapBrokers3": [
{
"type": "aws:cdk:logicalId",
"data": "BootstrapBrokers3"
}
]
},
"displayName": "aws-cdk-msk-integ"
Expand All @@ -323,13 +353,13 @@
{
"type": "aws:cdk:asset",
"data": {
"path": "asset.0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd.bundle",
"id": "0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd",
"path": "asset.374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458.bundle",
"id": "374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458",
"packaging": "zip",
"sourceHash": "0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd",
"s3BucketParameter": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7",
"s3KeyParameter": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E",
"artifactHashParameter": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdArtifactHash2AC894D9"
"sourceHash": "374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458",
"s3BucketParameter": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3",
"s3KeyParameter": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47",
"artifactHashParameter": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458ArtifactHash5A9F2F48"
}
}
],
Expand Down Expand Up @@ -363,22 +393,22 @@
"data": "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F"
}
],
"/MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/S3Bucket": [
"/MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/S3Bucket": [
{
"type": "aws:cdk:logicalId",
"data": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7"
"data": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3"
}
],
"/MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/S3VersionKey": [
"/MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/S3VersionKey": [
{
"type": "aws:cdk:logicalId",
"data": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E"
"data": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47"
}
],
"/MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/ArtifactHash": [
"/MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/ArtifactHash": [
{
"type": "aws:cdk:logicalId",
"data": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdArtifactHash2AC894D9"
"data": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458ArtifactHash5A9F2F48"
}
]
},
