feat: New resources for client_authentication: unauthenticated, iam, …

…scram, tls

Fixes #19 #5

README.md

@@ -77,6 +77,7 @@ No modules.
 |------|------|
 | [aws_msk_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster) | resource |
 | [aws_msk_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_configuration) | resource |
+| [aws_msk_scram_secret_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_scram_secret_association) | resource |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.jmx-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.msk-plain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -91,6 +92,10 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_client_authentication_sasl_iam_enabled"></a> [client\_authentication\_sasl\_iam\_enabled](#input\_client\_authentication\_sasl\_iam\_enabled) | Enables IAM client authentication. | `bool` | `false` | no |
+| <a name="input_client_authentication_sasl_scram_secrets_arns"></a> [client\_authentication\_sasl\_scram\_secrets\_arns](#input\_client\_authentication\_sasl\_scram\_secrets\_arns) | Associates SCRAM secrets stored in the Secrets Manager. You need [secret policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_scram_secret_association). | `list(string)` | `[]` | no |
+| <a name="input_client_authentication_tls_certificate_authority_arns"></a> [client\_authentication\_tls\_certificate\_authority\_arns](#input\_client\_authentication\_tls\_certificate\_authority\_arns) | List of ACM Certificate Authority Amazon Resource Names (ARNs). | `list(string)` | `[]` | no |
+| <a name="input_client_authentication_unauthenticated_enabled"></a> [client\_authentication\_unauthenticated\_enabled](#input\_client\_authentication\_unauthenticated\_enabled) | Enables unauthenticated access. | `bool` | `false` | no |
 | <a name="input_client_subnets"></a> [client\_subnets](#input\_client\_subnets) | A list of subnets to connect to in client VPC | `list(string)` | n/a | yes |
 | <a name="input_cloudwatch_logs_group"></a> [cloudwatch\_logs\_group](#input\_cloudwatch\_logs\_group) | Name of the Cloudwatch Log Group to deliver logs to. | `string` | `""` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the MSK cluster. | `string` | n/a | yes |

main.tf

@@ -98,6 +98,13 @@ resource "aws_msk_configuration" "this" {
   }
 }
 
+resource "aws_msk_scram_secret_association" "this" {
+  count = length(var.client_authentication_sasl_scram_secrets_arns) == 0 ? 0 : 1
+
+  cluster_arn     = aws_msk_cluster.this.arn
+  secret_arn_list = var.client_authentication_sasl_scram_secrets_arns
+}
+
 resource "aws_msk_cluster" "this" {
   depends_on = [aws_msk_configuration.this]
 
@@ -129,6 +136,20 @@ resource "aws_msk_cluster" "this" {
     revision = aws_msk_configuration.this.latest_revision
   }
 
+  client_authentication {
+    unauthenticated = var.client_authentication_unauthenticated_enabled
+    sasl {
+      iam   = var.client_authentication_sasl_iam_enabled
+      scram = length(var.client_authentication_sasl_scram_secrets_arns) == 0 ? false : true
+    }
+    dynamic "tls" {
+      for_each = length(var.client_authentication_tls_certificate_authority_arns) != 0 ? ["true"] : []
+      content {
+        certificate_authority_arns = var.client_authentication_tls_certificate_authority_arns
+      }
+    }
+  }
+
   encryption_info {
     encryption_at_rest_kms_key_arn = var.encryption_at_rest_kms_key_arn
     encryption_in_transit {

variables.tf

@@ -107,6 +107,30 @@ variable "firehose_logs_delivery_stream" {
   default     = ""
 }
 
+variable "client_authentication_unauthenticated_enabled" {
+  description = "Enables unauthenticated access."
+  type        = bool
+  default     = false
+}
+
+variable "client_authentication_sasl_iam_enabled" {
+  description = "Enables IAM client authentication."
+  type        = bool
+  default     = false
+}
+
+variable "client_authentication_sasl_scram_secrets_arns" {
+  description = "Associates SCRAM secrets stored in the Secrets Manager. You need [secret policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_scram_secret_association)."
+  type        = list(string)
+  default     = []
+}
+
+variable "client_authentication_tls_certificate_authority_arns" {
+  description = "List of ACM Certificate Authority Amazon Resource Names (ARNs)."
+  type        = list(string)
+  default     = []
+}
+
 variable "provisioned_volume_throughput" {
   description = "Throughput value of the EBS volumes for the data drive on each kafka broker node in MiB per second. The minimum value is 250. The maximum value varies between broker type. See [https://docs.aws.amazon.com/msk/latest/developerguide/msk-provision-throughput.html#throughput-bottlenecks](documentation on throughput bottlenecks)."
   type        = number