aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-msk-alpha: should support multiple auth modes #28592

Open ahammond opened 8 months ago

ahammond commented 8 months ago

Describe the feature

Per https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-msk-multiple-authentication-modes-tls-encryption-settings/ MSK supports having any combination of mTLS, SASL/SCRAM or IAM running simultaneously.

Use Case

Existing implementation correctly implements the old constraints. We want to migrate towards using IAM, so we're either moving to TF or updating CDK to support a feature that's 2+ years old.

Proposed Solution

Refactor the existing constraints to allow multiple auth methods. Pretty low-hanging.

Other Information

No response

CDK version used

2.90.0

Environment details (OS name and version, etc.)

irrelevant

pahud commented 8 months ago

Yes we definitely should support that. Thank you for the report.

ahammond commented 8 months ago

We're waiting on AWS Support ticket 170431096601286 in our usQa account, to confirm that Cfn doesn't cause data-loss events / cluster thrash when enabling IAM on a cluster that already has SASL. We're waiting there because Cfn support for MSK is famously horrible and has cost us data-loss events in the past. If we get that validation, we'll provide the implementation here.


pahud commented 2 months ago

Please try this sample:

import * as msk_alpha from '@aws-cdk/aws-msk-alpha';

// Inside a Stack constructor; `vpc` is an ec2.IVpc already in scope.
const cluster = new msk_alpha.Cluster(this, 'cdc-kafka-cluster', {
  kafkaVersion: msk_alpha.KafkaVersion.V2_8_0,
  vpc,
  clusterName: 'cdc-kafka-cluster-v1',
  // Both SASL mechanisms enabled on the same cluster
  clientAuthentication: msk_alpha.ClientAuthentication.sasl({
    iam: true,
    scram: true,
  }),
});

synth

"ClientAuthentication": {
 "Sasl": {
  "Iam": {
   "Enabled": true
  },
  "Scram": {
   "Enabled": true
  }
 }
},

Let me know if it works for you.

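The concern raised earlier in the thread is that enabling IAM on a cluster that already uses SASL/SCRAM must not drop the mode existing clients authenticate with. A pre-deploy check over the synthesized template (the JSON shown above) can confirm the change is purely additive before CloudFormation touches the cluster. The following is an added example, not code from this thread or from the aws-cdk project; the logical ID `cdckafkacluster` and the two sample templates are constructed here, and the property names follow the `AWS::MSK::Cluster` `ClientAuthentication` schema (`Sasl.Iam`, `Sasl.Scram`, `Tls`, `Unauthenticated`, each with `Enabled`).

```python
import json

MSK_CLUSTER_TYPE = "AWS::MSK::Cluster"

# Constructed sample: the cluster before the change, SASL/SCRAM only,
# wrapped in a minimal CloudFormation template.
BEFORE_TEMPLATE = json.loads("""
{
  "Resources": {
    "cdckafkacluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClientAuthentication": {
          "Sasl": { "Scram": { "Enabled": true } }
        }
      }
    }
  }
}
""")

# Constructed sample: the same cluster after synth with sasl({ iam: true, scram: true }).
AFTER_TEMPLATE = json.loads("""
{
  "Resources": {
    "cdckafkacluster": {
      "Type": "AWS::MSK::Cluster",
      "Properties": {
        "ClientAuthentication": {
          "Sasl": {
            "Iam": { "Enabled": true },
            "Scram": { "Enabled": true }
          }
        }
      }
    }
  }
}
""")


def _enabled(block) -> bool:
    # Only a literal true counts; an unresolved intrinsic (Ref, Fn::If) is
    # treated as not enabled here and should be reviewed by hand.
    return isinstance(block, dict) and block.get("Enabled") is True


def enabled_auth_modes(client_auth: dict) -> set:
    """Enabled client auth modes in an AWS::MSK::Cluster ClientAuthentication property."""
    sasl = client_auth.get("Sasl") or {}
    modes = set()
    if _enabled(sasl.get("Iam")):
        modes.add("sasl/iam")
    if _enabled(sasl.get("Scram")):
        modes.add("sasl/scram")
    if _enabled(client_auth.get("Tls")):
        modes.add("mtls")
    if _enabled(client_auth.get("Unauthenticated")):
        modes.add("unauthenticated")
    return modes


def cluster_auth_modes(template: dict) -> dict:
    """Map each MSK cluster logical ID in a template to its enabled auth modes."""
    result = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != MSK_CLUSTER_TYPE:
            continue
        props = resource.get("Properties") or {}
        result[logical_id] = enabled_auth_modes(props.get("ClientAuthentication") or {})
    return result


def check_auth_change(before: dict, after: dict) -> list:
    """Findings for an auth-mode change between two synthesized templates.

    Adding a mode (SCRAM -> SCRAM+IAM) is additive and yields no findings.
    Dropping a mode clients may still use, enabling unauthenticated access,
    or leaving a cluster with no auth mode at all is flagged.
    """
    findings = []
    old_modes = cluster_auth_modes(before)
    for logical_id, new_modes in cluster_auth_modes(after).items():
        if not new_modes:
            findings.append(f"{logical_id}: no client authentication mode enabled")
        if "unauthenticated" in new_modes:
            findings.append(f"{logical_id}: unauthenticated access is enabled")
        dropped = old_modes.get(logical_id, set()) - new_modes
        if dropped:
            findings.append(f"{logical_id}: drops {sorted(dropped)}; clients still using it will lose access")
    return findings


if __name__ == "__main__":
    # Run against the two constructed templates; an empty list means the change is additive.
    print(check_auth_change(BEFORE_TEMPLATE, AFTER_TEMPLATE))
```

Run it with the output of `cdk synth` for the old and new stack as `before` and `after`; a non-empty result is a reason to stop and re-check which mechanisms producers and consumers are actually configured for before deploying. Intrinsics in `Enabled` are deliberately not resolved, so a conditional toggle shows up as a dropped mode rather than silently passing.
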
pahud commented 2 months ago

internal reference: V1192886211

ahammond commented 1 month ago

We moved all our MSK support away from CDK/Cfn to Terraform.
