-
Notifications
You must be signed in to change notification settings - Fork 4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(lambda-event-sources): add
rootCACertificate to `SelfManagedKa…
…fkaEventSource` (#21422) Co-authored-by: @abks90 <alexander.backes@codecentric.de> Co-authored-by: @ccoltx <59687842+ccoltx@users.noreply.github.com> ---- ### Description In AWS its possible to configure a self hosted Kafka as an eventsource for a Lambda, described [here](https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-topic-add). Optional its possible to choose to reference the root certificate (CA) secret in the field encryption (see below screenshot `4.h)`). However in CDK in the [SelfManagedKafkaEventSourceProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SelfManagedKafkaEventSourceProps.html#secret) of [SelfManagedKafkaEventSource](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SelfManagedKafkaEventSource.html) its not possible to specify that encryption secret. Its only possible to specify a secret for the also optional authentication field. This PR add the possibly to specify the encryption secret to reference a root ca for self signed certificates in [SelfManagedKafkaEventSource](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SelfManagedKafkaEventSource.html). _Screenshot of docs explaining how to set secret for root ca (field encryption)_  _Screenshot of aws console, where the field encryption is visible while adding a self hosted kafka as lambda eventsource trigger_  ## Technical Approach We started by adding a test (extending the `kafka.test.ts`) which allows to pass an optional property `encryption` of type secret. In case this property is set, we add it to the [sourceAccessConfiguration](https://docs.aws.amazon.com/lambda/latest/dg/API_SourceAccessConfiguration.html) in the [AWS::Lambda::EventSourceMapping](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#aws-resource-lambda-eventsourcemapping-syntax). As a small bonus we also added the missing static variable for `SERVER_ROOT_CA_CERTIFICATE` in the class `SourceAccessConfigurationType` with the value taken from this [documented list of possible values](https://docs.aws.amazon.com/lambda/latest/dg/API_SourceAccessConfiguration.html) ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? No, as there was no integration test there, but we extended the regular unit tests. * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information
Showing
11 changed files
with
690 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
68 changes: 68 additions & 0 deletions
68
packages/@aws-cdk/aws-lambda-event-sources/test/integ.kafka-selfmanaged.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| import * as lambda from '@aws-cdk/aws-lambda'; | ||
| import * as secretsmanager from '@aws-cdk/aws-secretsmanager'; | ||
| import * as cdk from '@aws-cdk/core'; | ||
| import * as integ from '@aws-cdk/integ-tests'; | ||
| import { AuthenticationMethod, SelfManagedKafkaEventSource } from '../lib'; | ||
| import { TestFunction } from './test-function'; | ||
|
|
||
| class KafkaSelfManagedEventSourceTest extends cdk.Stack { | ||
| constructor(scope: cdk.App, id: string) { | ||
| super(scope, id); | ||
|
|
||
| const dummyCertString = `-----BEGIN CERTIFICATE----- | ||
| MIIE5DCCAsygAwIBAgIRAPJdwaFaNRrytHBto0j5BA0wDQYJKoZIhvcNAQELBQAw | ||
| cmUuiAii9R0= | ||
| -----END CERTIFICATE----- | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIFgjCCA2qgAwIBAgIQdjNZd6uFf9hbNC5RdfmHrzANBgkqhkiG9w0BAQsFADBb | ||
| c8PH3PSoAaRwMMgOSA2ALJvbRz8mpg== | ||
| -----END CERTIFICATE-----" | ||
| `; | ||
|
|
||
| const dummyPrivateKey = `-----BEGIN ENCRYPTED PRIVATE KEY----- | ||
| zp2mwJn2NYB7AZ7+imp0azDZb+8YG2aUCiyqb6PnnA== | ||
| -----END ENCRYPTED PRIVATE KEY-----`; | ||
|
|
||
| const fn = new TestFunction(this, 'F'); | ||
| const rootCASecret = new secretsmanager.Secret(this, 'S', { | ||
| secretObjectValue: { | ||
| certificate: cdk.SecretValue.unsafePlainText(dummyCertString), | ||
| }, | ||
| }); | ||
| const clientCertificatesSecret = new secretsmanager.Secret(this, 'SC', { | ||
| secretObjectValue: { | ||
| certificate: cdk.SecretValue.unsafePlainText(dummyCertString), | ||
| privateKey: cdk.SecretValue.unsafePlainText(dummyPrivateKey), | ||
| }, | ||
| }); | ||
| rootCASecret.grantRead(fn); | ||
| clientCertificatesSecret.grantRead(fn); | ||
|
|
||
| const bootstrapServers = [ | ||
| 'my-self-hosted-kafka-broker-1:9092', | ||
| 'my-self-hosted-kafka-broker-2:9092', | ||
| 'my-self-hosted-kafka-broker-3:9092', | ||
| ]; | ||
|
|
||
| fn.addEventSource( | ||
| new SelfManagedKafkaEventSource({ | ||
| bootstrapServers, | ||
| topic: 'my-test-topic', | ||
| secret: clientCertificatesSecret, | ||
| authenticationMethod: AuthenticationMethod.CLIENT_CERTIFICATE_TLS_AUTH, | ||
| rootCACertificate: rootCASecret, | ||
| startingPosition: lambda.StartingPosition.TRIM_HORIZON, | ||
| }), | ||
| ); | ||
| } | ||
| } | ||
|
|
||
| const app = new cdk.App(); | ||
| const stack = new KafkaSelfManagedEventSourceTest( | ||
| app, | ||
| 'lambda-event-source-kafka-self-managed', | ||
| ); | ||
| new integ.IntegTest(app, 'LambdaEventSourceKafkaSelfManagedTest', { | ||
| testCases: [stack], | ||
| }); | ||
| app.synth(); |
1 change: 1 addition & 0 deletions
1
...apshot/LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.template.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {} |
1 change: 1 addition & 0 deletions
1
packages/@aws-cdk/aws-lambda-event-sources/test/kafka-selfmanaged.integ.snapshot/cdk.out
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {"version":"20.0.0"} |
11 changes: 11 additions & 0 deletions
11
packages/@aws-cdk/aws-lambda-event-sources/test/kafka-selfmanaged.integ.snapshot/integ.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| { | ||
| "version": "20.0.0", | ||
| "testCases": { | ||
| "LambdaEventSourceKafkaSelfManagedTest/DefaultTest": { | ||
| "stacks": [ | ||
| "lambda-event-source-kafka-self-managed" | ||
| ], | ||
| "assertionStack": "LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F" | ||
| } | ||
| } | ||
| } |
138 changes: 138 additions & 0 deletions
138
...est/kafka-selfmanaged.integ.snapshot/lambda-event-source-kafka-self-managed.template.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,138 @@ | ||
| { | ||
| "Resources": { | ||
| "FServiceRole3AC82EE1": { | ||
| "Type": "AWS::IAM::Role", | ||
| "Properties": { | ||
| "AssumeRolePolicyDocument": { | ||
| "Statement": [ | ||
| { | ||
| "Action": "sts:AssumeRole", | ||
| "Effect": "Allow", | ||
| "Principal": { | ||
| "Service": "lambda.amazonaws.com" | ||
| } | ||
| } | ||
| ], | ||
| "Version": "2012-10-17" | ||
| }, | ||
| "ManagedPolicyArns": [ | ||
| { | ||
| "Fn::Join": [ | ||
| "", | ||
| [ | ||
| "arn:", | ||
| { | ||
| "Ref": "AWS::Partition" | ||
| }, | ||
| ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" | ||
| ] | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| "FServiceRoleDefaultPolicy17A19BFA": { | ||
| "Type": "AWS::IAM::Policy", | ||
| "Properties": { | ||
| "PolicyDocument": { | ||
| "Statement": [ | ||
| { | ||
| "Action": [ | ||
| "secretsmanager:DescribeSecret", | ||
| "secretsmanager:GetSecretValue" | ||
| ], | ||
| "Effect": "Allow", | ||
| "Resource": [ | ||
| { | ||
| "Ref": "S509448A1" | ||
| }, | ||
| { | ||
| "Ref": "SC0855C491" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "Version": "2012-10-17" | ||
| }, | ||
| "PolicyName": "FServiceRoleDefaultPolicy17A19BFA", | ||
| "Roles": [ | ||
| { | ||
| "Ref": "FServiceRole3AC82EE1" | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| "FC4345940": { | ||
| "Type": "AWS::Lambda::Function", | ||
| "Properties": { | ||
| "Code": { | ||
| "ZipFile": "exports.handler = async function handler(event) {\n console.log('event:', JSON.stringify(event, undefined, 2));\n return { event };\n}" | ||
| }, | ||
| "Role": { | ||
| "Fn::GetAtt": [ | ||
| "FServiceRole3AC82EE1", | ||
| "Arn" | ||
| ] | ||
| }, | ||
| "Handler": "index.handler", | ||
| "Runtime": "nodejs14.x" | ||
| }, | ||
| "DependsOn": [ | ||
| "FServiceRoleDefaultPolicy17A19BFA", | ||
| "FServiceRole3AC82EE1" | ||
| ] | ||
| }, | ||
| "FKafkaEventSource838c4d5ff3c99c1a617120adfca83e5bmytesttopic1E7A7798": { | ||
| "Type": "AWS::Lambda::EventSourceMapping", | ||
| "Properties": { | ||
| "FunctionName": { | ||
| "Ref": "FC4345940" | ||
| }, | ||
| "BatchSize": 100, | ||
| "SelfManagedEventSource": { | ||
| "Endpoints": { | ||
| "KafkaBootstrapServers": [ | ||
| "my-self-hosted-kafka-broker-1:9092", | ||
| "my-self-hosted-kafka-broker-2:9092", | ||
| "my-self-hosted-kafka-broker-3:9092" | ||
| ] | ||
| } | ||
| }, | ||
| "SourceAccessConfigurations": [ | ||
| { | ||
| "Type": "CLIENT_CERTIFICATE_TLS_AUTH", | ||
| "URI": { | ||
| "Ref": "SC0855C491" | ||
| } | ||
| }, | ||
| { | ||
| "Type": "SERVER_ROOT_CA_CERTIFICATE", | ||
| "URI": { | ||
| "Ref": "S509448A1" | ||
| } | ||
| } | ||
| ], | ||
| "StartingPosition": "TRIM_HORIZON", | ||
| "Topics": [ | ||
| "my-test-topic" | ||
| ] | ||
| } | ||
| }, | ||
| "S509448A1": { | ||
| "Type": "AWS::SecretsManager::Secret", | ||
| "Properties": { | ||
| "SecretString": "{\"certificate\":\"-----BEGIN CERTIFICATE-----\\nMIIE5DCCAsygAwIBAgIRAPJdwaFaNRrytHBto0j5BA0wDQYJKoZIhvcNAQELBQAw\\ncmUuiAii9R0=\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\nMIIFgjCCA2qgAwIBAgIQdjNZd6uFf9hbNC5RdfmHrzANBgkqhkiG9w0BAQsFADBb\\nc8PH3PSoAaRwMMgOSA2ALJvbRz8mpg==\\n-----END CERTIFICATE-----\\\"\\n\"}" | ||
| }, | ||
| "UpdateReplacePolicy": "Delete", | ||
| "DeletionPolicy": "Delete" | ||
| }, | ||
| "SC0855C491": { | ||
| "Type": "AWS::SecretsManager::Secret", | ||
| "Properties": { | ||
| "SecretString": "{\"certificate\":\"-----BEGIN CERTIFICATE-----\\nMIIE5DCCAsygAwIBAgIRAPJdwaFaNRrytHBto0j5BA0wDQYJKoZIhvcNAQELBQAw\\ncmUuiAii9R0=\\n-----END CERTIFICATE-----\\n-----BEGIN CERTIFICATE-----\\nMIIFgjCCA2qgAwIBAgIQdjNZd6uFf9hbNC5RdfmHrzANBgkqhkiG9w0BAQsFADBb\\nc8PH3PSoAaRwMMgOSA2ALJvbRz8mpg==\\n-----END CERTIFICATE-----\\\"\\n\",\"privateKey\":\"-----BEGIN ENCRYPTED PRIVATE KEY-----\\nzp2mwJn2NYB7AZ7+imp0azDZb+8YG2aUCiyqb6PnnA==\\n-----END ENCRYPTED PRIVATE KEY-----\"}" | ||
| }, | ||
| "UpdateReplacePolicy": "Delete", | ||
| "DeletionPolicy": "Delete" | ||
| } | ||
| } | ||
| } |
67 changes: 67 additions & 0 deletions
67
...ges/@aws-cdk/aws-lambda-event-sources/test/kafka-selfmanaged.integ.snapshot/manifest.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| { | ||
| "version": "20.0.0", | ||
| "artifacts": { | ||
| "Tree": { | ||
| "type": "cdk:tree", | ||
| "properties": { | ||
| "file": "tree.json" | ||
| } | ||
| }, | ||
| "lambda-event-source-kafka-self-managed": { | ||
| "type": "aws:cloudformation:stack", | ||
| "environment": "aws://unknown-account/unknown-region", | ||
| "properties": { | ||
| "templateFile": "lambda-event-source-kafka-self-managed.template.json", | ||
| "validateOnSynth": false | ||
| }, | ||
| "metadata": { | ||
| "/lambda-event-source-kafka-self-managed/F/ServiceRole/Resource": [ | ||
| { | ||
| "type": "aws:cdk:logicalId", | ||
| "data": "FServiceRole3AC82EE1" | ||
| } | ||
| ], | ||
| "/lambda-event-source-kafka-self-managed/F/ServiceRole/DefaultPolicy/Resource": [ | ||
| { | ||
| "type": "aws:cdk:logicalId", | ||
| "data": "FServiceRoleDefaultPolicy17A19BFA" | ||
| } | ||
| ], | ||
| "/lambda-event-source-kafka-self-managed/F/Resource": [ | ||
| { | ||
| "type": "aws:cdk:logicalId", | ||
| "data": "FC4345940" | ||
| } | ||
| ], | ||
| "/lambda-event-source-kafka-self-managed/F/KafkaEventSource:838c4d5ff3c99c1a617120adfca83e5b:my-test-topic/Resource": [ | ||
| { | ||
| "type": "aws:cdk:logicalId", | ||
| "data": "FKafkaEventSource838c4d5ff3c99c1a617120adfca83e5bmytesttopic1E7A7798" | ||
| } | ||
| ], | ||
| "/lambda-event-source-kafka-self-managed/S/Resource": [ | ||
| { | ||
| "type": "aws:cdk:logicalId", | ||
| "data": "S509448A1" | ||
| } | ||
| ], | ||
| "/lambda-event-source-kafka-self-managed/SC/Resource": [ | ||
| { | ||
| "type": "aws:cdk:logicalId", | ||
| "data": "SC0855C491" | ||
| } | ||
| ] | ||
| }, | ||
| "displayName": "lambda-event-source-kafka-self-managed" | ||
| }, | ||
| "LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F": { | ||
| "type": "aws:cloudformation:stack", | ||
| "environment": "aws://unknown-account/unknown-region", | ||
| "properties": { | ||
| "templateFile": "LambdaEventSourceKafkaSelfManagedTestDefaultTestDeployAssertAF78BD0F.template.json", | ||
| "validateOnSynth": false | ||
| }, | ||
| "displayName": "LambdaEventSourceKafkaSelfManagedTest/DefaultTest/DeployAssert" | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.