Open ahammond opened 8 months ago
Yes we definitely should support that. Thank you for the report.
We're waiting on AWS Support ticket 170431096601286 in our usQa account, to confirm that Cfn doesn't cause data-loss events / cluster thrash when enabling IAM on a cluster that already has SASL. We're waiting there because Cfn support for MSK is famously horrible and has cost us data-loss events in the past. If we get that validation, we'll provide the implementation here.
On Fri, Jan 5, 2024 at 1:41 PM Pahud Hsieh @.***> wrote:
> Yes we definitely should support that. Thank you for the report.
-- MiniLockID: uX4VrN5FvyFxFCxgTksGxJqvKa16iBhqseYxxA1UkZVJw GPG: 773A 6BDD 71CE 0AB8 0F5A 1176 8679 A114 FB1A 69BD
Please try this sample:
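import * as msk_alpha from '@aws-cdk/aws-msk-alpha';

// `vpc` is assumed to be an ec2.IVpc defined elsewhere in the stack.
const cluster = new msk_alpha.Cluster(this, 'cdc-kafka-cluster', {
  kafkaVersion: msk_alpha.KafkaVersion.V2_8_0,
  vpc,
  clusterName: 'cdc-kafka-cluster-v1',
  // Enable both SASL mechanisms (IAM and SCRAM) on the same cluster.
  clientAuthentication: msk_alpha.ClientAuthentication.sasl({
    iam: true,
    scram: true,
  }),
});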
synth
"ClientAuthentication": {
  "Sasl": {
    "Iam": {
      "Enabled": true
    },
    "Scram": {
      "Enabled": true
    }
  }
},
Let me know if it works for you.
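An added example, not code from this thread or from the CDK project: a check that compares the `ClientAuthentication` block of a synthesized template before and after a change, so that enabling IAM on a cluster that already uses SASL/SCRAM can be confirmed to add a mode without dropping one. The names `enabledModes` and `diffAuth`, the sample fragments other than the synth output above, and the rule for inferring mTLS from a CA list are assumptions.

```typescript
// Subset of the AWS::MSK::Cluster ClientAuthentication property, as synthesized.
interface ClientAuthentication {
  Sasl?: { Iam?: { Enabled?: boolean }; Scram?: { Enabled?: boolean } };
  Tls?: { Enabled?: boolean; CertificateAuthorityArnList?: string[] };
  Unauthenticated?: { Enabled?: boolean };
}
type AuthMode = 'iam' | 'scram' | 'tls' | 'unauthenticated';
interface AuthDiff { added: AuthMode[]; removed: AuthMode[]; findings: string[] }

// List the client authentication modes a ClientAuthentication block turns on.
function enabledModes(auth?: ClientAuthentication): AuthMode[] {
  const modes: AuthMode[] = [];
  if (auth?.Sasl?.Iam?.Enabled === true) modes.push('iam');
  if (auth?.Sasl?.Scram?.Enabled === true) modes.push('scram');
  // Assumption: a CA list without an explicit Enabled flag counts as mTLS on.
  const tls = auth?.Tls;
  const hasCa = (tls?.CertificateAuthorityArnList ?? []).length > 0;
  if (tls?.Enabled === true || (tls?.Enabled === undefined && hasCa)) modes.push('tls');
  if (auth?.Unauthenticated?.Enabled === true) modes.push('unauthenticated');
  return modes;
}

// Compare two auth blocks; flag changes that cut off clients or open access.
function diffAuth(before?: ClientAuthentication, after?: ClientAuthentication): AuthDiff {
  const b = enabledModes(before);
  const a = enabledModes(after);
  const added = a.filter((m) => b.indexOf(m) === -1);
  const removed = b.filter((m) => a.indexOf(m) === -1);
  const findings: string[] = [];
  for (const m of removed) {
    findings.push(`removes ${m}: clients authenticating with it lose access`);
  }
  if (added.indexOf('unauthenticated') !== -1) {
    findings.push('enables unauthenticated client access');
  }
  return { added, removed, findings };
}

// Constructed "before" state: a cluster that already has SASL/SCRAM.
const scramOnly: ClientAuthentication = { Sasl: { Scram: { Enabled: true } } };
// The fragment from the synth output in this thread.
const iamAndScram: ClientAuthentication = {
  Sasl: { Iam: { Enabled: true }, Scram: { Enabled: true } },
};
// Constructed bad migration: IAM switched on, SCRAM switched off.
const iamOnly: ClientAuthentication = {
  Sasl: { Iam: { Enabled: true }, Scram: { Enabled: false } },
};
console.log(diffAuth(scramOnly, iamAndScram)); // adds iam, no findings
console.log(diffAuth(scramOnly, iamOnly)); // flags the removal of scram
```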
internal reference: V1192886211
We moved all our MSK support away from CDK/Cfn to Terraform.
On Tue, Jul 9, 2024 at 12:29 PM Pahud Hsieh @.***> wrote:
> internal reference: V1192886211
Describe the feature
Per https://aws.amazon.com/about-aws/whats-new/2021/09/amazon-msk-multiple-authentication-modes-tls-encryption-settings/ MSK supports having any combination of mTLS, SASL/SCRAM or IAM running simultaneously.
Use Case
Existing implementation correctly implements the old constraints. We want to migrate towards using IAM, so we're either moving to TF or updating CDK to support a feature that's 2+ years old.
Proposed Solution
Refactor the existing constraints to allow multiple auth methods. Pretty low-hanging.
Other Information
No response
Acknowledgements
CDK version used
2.90.0
Environment details (OS name and version, etc.)
irrelevant