pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0
466 stars 157 forks

Unable to create aws.pipes.Pipe with source PipeSourceParametersManagedStreamingKafkaParameters and clientCertificateTlsAuth authentication mode #2879

Closed vukvl01 closed 2 months ago

vukvl01 commented 1 year ago

What happened?

Unable to create aws.pipes.Pipe with source PipeSourceParametersManagedStreamingKafkaParameters and PipeSourceParametersManagedStreamingKafkaParametersCredentials set to clientCertificateTlsAuth authentication mode. Interface PipeSourceParametersSelfManagedKafkaParametersCredentials specifies basicAuth as required and other modes as optional. There is no way to specify just clientCertificateTlsAuth.

```typescript
interface PipeSourceParametersSelfManagedKafkaParametersCredentials {
    /**
     * The ARN of the Secrets Manager secret containing the basic auth credentials.
     */
    basicAuth: pulumi.Input<string>;

    /**
     * The ARN of the Secrets Manager secret containing the credentials.
     */
    clientCertificateTlsAuth?: pulumi.Input<string>;

    /**
     * The ARN of the Secrets Manager secret containing the credentials.
     */
    saslScram256Auth?: pulumi.Input<string>;

    /**
     * The ARN of the Secrets Manager secret containing the credentials.
     */
    saslScram512Auth?: pulumi.Input<string>;
}
```

In AWS I am able to manually create a pipe with CLIENT_CERTIFICATE_TLS_AUTH; this does not require basic auth to be specified.

Example

If both authentication credentials are specified then a pipe with basic authentication is created in AWS.

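```typescript
import * as aws from "@pulumi/aws";

// Fragment from inside a class method: the `this.*` fields, `queue`,
// `pipeExecutionRole` and the policies are defined elsewhere.
const pipe = new aws.pipes.Pipe(this.name, {
    source: `smk://${this.kafkaBrokerURL}`,
    roleArn: pipeExecutionRole.arn,
    sourceParameters: {
        selfManagedKafkaParameters: {
            additionalBootstrapServers: [this.kafkaBrokerURL],
            topicName: this.topic,
            credentials: {
                // basicAuth is required by the interface; with both set,
                // the pipe is created with basic authentication.
                basicAuth: this.BasicAuthSecret.arn,
                clientCertificateTlsAuth: this.MTLSAuthSecret.arn,
            },
        },
    },
    target: queue.arn,
}, {
    dependsOn: [
        sendSQSPolicy,
        getCredentialsPolicy,
        describeSecGroupsAndSubnetsPolicy,
    ],
});
```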

Output of pulumi about

```
CLI
Version      3.78.1
Go Version   go1.20.7
Go Compiler  gc

Plugins
NAME        VERSION
aws         6.0.4
aws-native  0.80.0
nodejs      unknown

Host
OS       darwin
Version  14.0
Arch     arm64

This project is written in nodejs: executable='/Users/vladimir.vukojevic/.nvm/versions/node/v16.20.1/bin/node' version='v16.20.1'

Backend
Name           pulumi.com
URL            https://app.pulumi.com/vladimir_vukojevic
User           vladimir_vukojevic
Organizations  vladimir_vukojevic, razrmarketing

Dependencies:
NAME                VERSION
@pulumi/aws-native  0.80.0
@pulumi/aws         6.0.4
@pulumi/pulumi      3.81.0
@types/node         16.18.48

Pulumi locates its logs in /var/folders/dd/40r6j50s5tb5n3qq2brw6x140000gp/T/ by default
```

Additional context

Manual creation of a Pipe in AWS allows choosing the authentication mode first and then prompts for the ARN of the secret that needs to be used; it may be good to explicitly declare the authentication mode.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
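The report above notes that when both `basicAuth` and `clientCertificateTlsAuth` are set, the pipe is created with basic authentication. The following is an added example, not part of the original post and not code from `@pulumi/aws`: a pre-deployment check that flags a credentials block whose configured modes do not match the intended one. The names `KafkaCredentials`, `configuredModes` and `checkCredentials` are hypothetical, the secret ARN is a constructed sample, and the check assumes plain string ARNs rather than `pulumi.Input` values.

```typescript
// Added example: hypothetical helper names, not part of @pulumi/aws.
const AUTH_MODES = [
  "basicAuth",
  "clientCertificateTlsAuth",
  "saslScram256Auth",
  "saslScram512Auth",
] as const;
type AuthMode = (typeof AUTH_MODES)[number];
type KafkaCredentials = Partial<Record<AuthMode, string>>;

// Returns the auth modes that carry a non-empty secret ARN.
function configuredModes(creds: KafkaCredentials): AuthMode[] {
  return AUTH_MODES.filter((m) => (creds[m] ?? "").trim() !== "");
}

// Compares a credentials block with the mode the operator intended.
// An empty result means exactly the intended mode is configured.
function checkCredentials(creds: KafkaCredentials, intended: AuthMode): string[] {
  const findings: string[] = [];
  const set = configuredModes(creds);
  if (set.indexOf(intended) === -1) {
    findings.push(`intended mode ${intended} has no secret ARN`);
  }
  const extra = set.filter((m) => m !== intended);
  if (extra.length > 0) {
    findings.push(`unexpected extra modes: ${extra.join(", ")}`);
  }
  // Per the report above, basicAuth takes effect when set with another mode.
  if (intended !== "basicAuth" && set.indexOf("basicAuth") !== -1) {
    findings.push("basicAuth is set, so the pipe would use basic authentication");
  }
  return findings;
}

// Constructed sample mirroring the issue's example: both modes set, mTLS intended.
const SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:example";
const sample: KafkaCredentials = {
  basicAuth: SAMPLE_ARN,
  clientCertificateTlsAuth: SAMPLE_ARN,
};
const sampleFindings = checkCredentials(sample, "clientCertificateTlsAuth");
console.log(sampleFindings);
```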

mikhailshilkov commented 1 year ago

Thank you for reporting this issue! It's tracked upstream in https://github.com/hashicorp/terraform-provider-aws/issues/33025

mikhailshilkov commented 2 months ago

Closing since the upstream issue has been closed in https://github.com/hashicorp/terraform-provider-aws/issues/33025