-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/aws_msk_sasl_scram_secret: New Resource #15302
Conversation
fdc5aee
to
6911211
Compare
The output of the For my use case I would need access to this, so ideally this would be added as a new attribute to the
I would assume this would go alongside the existing
aws-sdk-go |
@ant1441 Ok, I will add this to the changes, im still working on tests for the new resource, but this will be included in the PR |
Just as an update The BatchAssociateScramSecret operation. Once that is run, a secret policy is attached to any secret associated with MSK, which includes the ARN of the secret that has just been created and attached. If the policy is left blank, then an AWS created policy will be attached, creating a diff in the terraform and meaning there will always be changes presented. My tests will not pass due to the fact there are changes after the apply, I can ignore this, but it would present as an undesirable result for the user, they create a custom policy, or empty policy, then create the resources, then changes are presented based on the MSK service changes. |
awesome work! Looking forward to seeing it soon. |
Further update: After speaking with AWS, it seems that the resources policy for a secret for MSK will be generated regardless of whether a policy exists and is sufficient. However, to overcome this, I will use the https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#SecretsManager.PutResourcePolicy I will create a new PR with that resource in a new PR and once it is merged will update this PR to reflect the usage. |
Looks like there is already a PR for the new ressource |
I had an issue when trying to add multiple secrets to the same cluster:
I created a module inside which there is a Does the secrets can be managed in multiple Terraform project or they need to be managed by a single |
Update: same issue when removing and adding some secrets in the same plan (even with Not sure if it's related but looks like the params of |
Thanks for feedback, will add a test for this and update |
Hi @dblooman! I'm trying to get caught up on your PR, and wanted to check that I understanding of the need for the If the secret is applied before a policy is associated, a default policy will be applied, and that policy may not be as restrictive as what is needed. If you create the policy before applying the secret, then the desired policy will be in place from the start. So the idea would be that the secret would be created, then the policy would be associated with it then the cluster is created with the new secret (and policy)? Please let me know if I have that wrong or missed any important points. |
Hi Team, a polite ping. This would be really cool to get into the next provider rls. |
@bill-rich Hi, agreed on the points, except where the API call to associate secret is concerned. If you don't create a policy, that is fine, once you associate the secret, a new policy is created for you on behalf of the kafka aws service, e.g {
"Version" : "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"Service" : "kafka.amazonaws.com"
},
"Action" : "secretsmanager:getSecretValue",
"Resource" : "arn:aws:secretsmanager:us-east-1:0000000:secret:AmazonMSK_testing-3KUWHE"
} ]
} Where the unique ID at the end after the name of the secret is random. In the same way that we wish to attach the policy, the kafka service will use the resource ARN to determine the policy, but you can't use the ARN before the resource exists and therefor, cannot create the resource and the policy at the same time. I asked the MSK product team about this and they suggested that we use an attachment, which is why I would like to use the AWS secrets manager secret policy resource. @jurgenweber Im working on this all day today, writing tests and fixing issues seen by @haidaraM, hopefully will have something ready today or tommorrow. |
@dblooman Thank you for the clarification. I'm focusing on getting these two resources approved and merged also, so please ping me when you're ready for me to take another look at |
@dblooman Thanks mate, really appreciate the effort. I Apologise that I am too time pressed to assist but always happy to cheer from the side lines. :) |
09c04b3
to
d3888f2
Compare
d3888f2
to
7a04701
Compare
@haidaraM I think my latest commit should take care of the bug you found. Fun fact, if you associate a secret, then delete the secret before disassociating it, the secret still stays associated, but doesn't present in the console. Test to be completed tomorrow and will submit for review. @bill-rich For now i have added the secrets manager code to test, but once that is merge it will be rebased out. |
totally understand @dblooman, thank you for letting me know👍 happy to continue the work here and get it into an upcoming release |
25ec2fd
to
325a889
Compare
325a889
to
3380eaa
Compare
Output of acceptance tests (Commercial):
Output of failed acctest when run locally:
|
@anGie44 great work! Thank you! Hopefuly we'll see it in upcoming release |
Hi, thanks for the work @anGie44. Do we know which release this will be in? |
e23500a
to
81e6229
Compare
81e6229
to
cd3158f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again @dblooman for the great work and your (and other's following this feature) patience! Getting this work into the upcoming 3.18.0
release 👍
Confirming output of acceptance tests (commercial):
--- SKIP: TestAccAWSMskCluster_ClientAuthentication_Tls_CertificateAuthorityArns (0.00s)
--- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionAtRestKmsKeyArn (1812.73s)
--- PASS: TestAccAWSMskCluster_basic (1953.64s)
--- PASS: TestAccAwsMskScramSecretAssociation_clusterDisappears (2002.34s)
--- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionInTransit_ClientBroker (2017.27s)
--- PASS: TestAccAwsMskScramSecretAssociation_disappears (2083.90s)
--- PASS: TestAccAWSMskCluster_EnhancedMonitoring (2181.96s)
--- PASS: TestAccAWSMskCluster_LoggingInfo (2190.62s)
--- PASS: TestAccAWSMskCluster_OpenMonitoring (2201.28s)
--- PASS: TestAccAWSMskCluster_EncryptionInfo_EncryptionInTransit_InCluster (2221.78s)
--- PASS: TestAccAwsMskScramSecretAssociation_basic (2287.63s)
--- PASS: TestAccAWSMskClusterDataSource_Name (2301.83s)
--- PASS: TestAccAWSMskCluster_Tags (2322.30s)
--- PASS: TestAccAwsMskScramSecretAssociation_update (2373.08s)
--- PASS: TestAccAWSMskCluster_BrokerNodeGroupInfo_EbsVolumeSize (2530.99s)
--- PASS: TestAccAWSMskCluster_NumberOfBrokerNodes (2740.42s)
--- PASS: TestAccAWSMskCluster_ConfigurationInfo_Revision (2987.14s)
--- PASS: TestAccAWSMskCluster_ClientAuthentication_Sasl_Scram (3303.68s)
--- PASS: TestAccAWSMskCluster_KafkaVersionDowngrade (3363.70s)
--- PASS: TestAccAWSMskCluster_KafkaVersionUpgrade (5974.84s)
--- PASS: TestAccAWSMskCluster_KafkaVersionUpgradeWithConfigurationInfo (5983.46s)
This has been released in version 3.18.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Fixes #15237 and #15298
Looking for feedback on the approach here, should this be included in the
resource_aws_msk_cluster
resource?Community Note
Relates OR Closes #0000
Release note for CHANGELOG:
Output from acceptance testing: