From 9ce3a04637bfd3151ec812d8dca0649811b0706c Mon Sep 17 00:00:00 2001 
From: crisboarna Date: Mon, 29 Aug 2022 16:42:14 +0300 Subject: [PATCH] feat(msk): added msk cluster sasl iam property (#21798) When accessing the bootstrap brokers of a cluster configured with property `clientAuthentication: msk.ClientAuthentication.sasl({ iam: true })` One can access the bootstrap brokers from the command line: `aws kafka get-bootstrap-brokers --cluster-arn ` This will return an object: ``` { "BootstrapBrokerStringSaslIam": "..." } ``` This PR adds the ability to access the bootstrap brokers directly as a property of the Kafka cluster. This can now be done via the `cluster.bootstrapBrokersSaslIam` property. Fixes https://github.com/aws/aws-cdk/issues/18355 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? 
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
packages/@aws-cdk/aws-msk/README.md | 1 +
packages/@aws-cdk/aws-msk/lib/cluster.ts | 15 +-
...aultTestDeployAssertC2F074AF.template.json | 22 +-
.../index.js | 1 -
.../aws-cdk-msk-integ.template.json | 151 ++++++++++++
.../test/cluster.integ.snapshot/manifest.json | 54 +++-
.../test/cluster.integ.snapshot/tree.json | 232 ++++++++++++++++--
.../@aws-cdk/aws-msk/test/integ.cluster.ts | 24 +-
8 files changed, 456 insertions(+), 44 deletions(-)
rename packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/{asset.0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd.bundle => asset.374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458.bundle}/index.js (99%)
diff --git a/packages/@aws-cdk/aws-msk/README.md b/packages/@aws-cdk/aws-msk/README.md
index dc99262aff6f7..3ca501bfb4908 100644
--- a/packages/@aws-cdk/aws-msk/README.md
+++ b/packages/@aws-cdk/aws-msk/README.md
@@ -65,6 +65,7 @@ declare const cluster: msk.Cluster;
 new CfnOutput(this, 'BootstrapBrokers', { value: cluster.bootstrapBrokers });
 new CfnOutput(this, 'BootstrapBrokersTls', { value: cluster.bootstrapBrokersTls });
 new CfnOutput(this, 'BootstrapBrokersSaslScram', { value: cluster.bootstrapBrokersSaslScram });
+new CfnOutput(this, 'BootstrapBrokerStringSaslIam', { value: cluster.bootstrapBrokersSaslIam });
 new CfnOutput(this, 'ZookeeperConnection', { value: cluster.zookeeperConnectionString });
 new CfnOutput(this, 'ZookeeperConnectionTls', { value: cluster.zookeeperConnectionStringTls });
 ```
diff --git a/packages/@aws-cdk/aws-msk/lib/cluster.ts b/packages/@aws-cdk/aws-msk/lib/cluster.ts
index 11660067d4263..7b604deab2cd7 100644
--- a/packages/@aws-cdk/aws-msk/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-msk/lib/cluster.ts
@@ -6,13 +6,13 @@ import * as logs from '@aws-cdk/aws-logs';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as core from '@aws-cdk/core';
+import { FeatureFlags } from '@aws-cdk/core';
 import * as cr from '@aws-cdk/custom-resources';
+import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';
 import * as constructs from 'constructs';
 import { addressOf } from 'constructs/lib/private/uniqueid';
 import { KafkaVersion } from './';
 import { CfnCluster } from './msk.generated';
-import { FeatureFlags } from '@aws-cdk/core';
-import { S3_CREATE_DEFAULT_LOGGING_POLICY } from '@aws-cdk/cx-api';
 /**
 * Represents a MSK Cluster
@@ -790,6 +790,17 @@ export class Cluster extends ClusterBase {
 return this._bootstrapBrokers('BootstrapBrokerStringSaslScram');
 }
+ /**
+ * Get the list of brokers that a SASL/IAM authenticated client application can use to bootstrap
+ *
+ * Uses a Custom Resource to make an API call to `getBootstrapBrokers` using the Javascript SDK
+ *
+ * @returns - A string containing one or more DNS names (or IP) and TLS port pairs.
+ */
+ public get bootstrapBrokersSaslIam() {
+ return this._bootstrapBrokers('BootstrapBrokerStringSaslIam');
+ }
+ /**
+ * A list of usersnames to register with the cluster. The password will automatically be generated using Secrets
+ * Manager and the { username, password } JSON object stored in Secrets Manager as `AmazonMSK_username`.
diff --git a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/MskLoggingDefaultTestDeployAssertC2F074AF.template.json b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/MskLoggingDefaultTestDeployAssertC2F074AF.template.json
index de05cffa11df3..71ab9375f0684 100644
--- a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/MskLoggingDefaultTestDeployAssertC2F074AF.template.json
+++ b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/MskLoggingDefaultTestDeployAssertC2F074AF.template.json
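Review bot: `bootstrapBrokersSaslIam` has no check that the cluster was created with `ClientAuthentication.sasl({ iam: true })`; the sample response in the PR description suggests `getBootstrapBrokers` only returns the broker-string fields for the authentication modes that are enabled, so on a cluster without IAM auth the missing `BootstrapBrokerStringSaslIam` field surfaces as a custom-resource failure at deploy time instead of an error at synth. The TLS and SCRAM getters above take the same approach, so if a synth-time guard is out of scope the doc comment should at least state the precondition: add `* Only meaningful for clusters created with \`ClientAuthentication.sasl({ iam: true })\`; on other clusters the API response has no SASL/IAM broker string and the lookup fails during deployment.` A synth-time guard would need the client-authentication props kept by the constructor, which is outside this hunk. The getter also carries no explicit return type although its `@returns` text promises a string; `public get bootstrapBrokersSaslIam(): string {` pins that contract, assuming `_bootstrapBrokers` (outside the hunk) returns `string`. The enclosing `Cluster` class starts and ends outside the hunk.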
@@ -30,7 +30,7 @@ } }, "flattenResponse": "false", - "salt": "1660927365216" + "salt": "1661748273588" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" @@ -51,7 +51,7 @@ ] }, "expected": "{\"$ObjectLike\":{\"KeyCount\":1}}", - "salt": "1660927365216" + "salt": "1661748273588" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" @@ -133,7 +133,7 @@ "Runtime": "nodejs14.x", "Code": { "S3Bucket": { - "Ref": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7" + "Ref": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3" }, "S3Key": { "Fn::Join": [ @@ -146,7 +146,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E" + "Ref": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47" } ] } @@ -159,7 +159,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E" + "Ref": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47" } ] } 
@@ -191,17 +191,17 @@ } }, "Parameters": { - "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7": { + "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3": { "Type": "String", - "Description": "S3 bucket for asset \"0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd\"" + "Description": "S3 bucket for asset \"374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458\"" }, - "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E": { + "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47": { "Type": "String", - "Description": "S3 key for asset version \"0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd\"" + "Description": "S3 key for asset version \"374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458\"" }, - "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdArtifactHash2AC894D9": { + "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458ArtifactHash5A9F2F48": { "Type": "String", - "Description": "Artifact hash for asset \"0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd\"" + "Description": "Artifact hash for asset \"374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458\"" } } } \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/asset.0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd.bundle/index.js b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/asset.374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458.bundle/index.js similarity index 99% rename from packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/asset.0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd.bundle/index.js rename to packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/asset.374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458.bundle/index.js index b3ec1b8c53d30..8bf779074d7d4 100644 --- a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/asset.0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd.bundle/index.js +++ b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/asset.374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458.bundle/index.js @@ -1,4 +1,3 @@ -"use strict"; var __create = Object.create; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; diff --git a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/aws-cdk-msk-integ.template.json b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/aws-cdk-msk-integ.template.json index 9e5c03338593e..949bb850dab60 100644 --- a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/aws-cdk-msk-integ.template.json +++ b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/aws-cdk-msk-integ.template.json 
@@ -885,6 +885,149 @@ "DependsOn": [ "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" ] + }, + "ClusterIAMSecurityGroupA09813F0": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "MSK security group", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "ClusterIAMC4B15B57": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "BrokerNodeGroupInfo": { + "ClientSubnets": [ + { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + }, + { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ClusterIAMSecurityGroupA09813F0", + "GroupId" + ] + } + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 1000 + } + } + }, + "ClusterName": "integ-test-iam-auth", + "KafkaVersion": "2.8.1", + "NumberOfBrokerNodes": 2, + "ClientAuthentication": { + "Sasl": { + "Iam": { + "Enabled": true + } + } + }, + "EncryptionInfo": { + "EncryptionInTransit": { + "ClientBroker": "TLS", + "InCluster": true + } + }, + "LoggingInfo": { + "BrokerLogs": { + "CloudWatchLogs": { + "Enabled": false + }, + "Firehose": { + "Enabled": false + }, + "S3": { + "Bucket": { + "Ref": "LoggingBucket1E5A6F3B" + }, + "Enabled": true + } + } + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamEB333452": { + "Type": "Custom::AWS", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "AWS679f53fac002430cb0da5b7982bd22872D164C4C", + "Arn" + ] + }, + "Create": { + "Fn::Join": [ + "", + [ + "{\"service\":\"Kafka\",\"action\":\"getBootstrapBrokers\",\"parameters\":{\"ClusterArn\":\"", + { + "Ref": "ClusterIAMC4B15B57" + }, + "\"},\"physicalResourceId\":{\"id\":\"BootstrapBrokers\"}}" + ] + ] + }, + "Update": { + "Fn::Join": [ + "", + [ + 
"{\"service\":\"Kafka\",\"action\":\"getBootstrapBrokers\",\"parameters\":{\"ClusterArn\":\"", + { + "Ref": "ClusterIAMC4B15B57" + }, + "\"},\"physicalResourceId\":{\"id\":\"BootstrapBrokers\"}}" + ] + ] + }, + "InstallLatestAwsSdk": true + }, + "DependsOn": [ + "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "kafka:GetBootstrapBrokers", + "Effect": "Allow", + "Resource": { + "Ref": "ClusterIAMC4B15B57" + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99", + "Roles": [ + { + "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" + } + ] + } } }, "Parameters": { @@ -948,6 +1091,14 @@ "BootstrapBrokerStringTls" ] } + }, + "BootstrapBrokers3": { + "Value": { + "Fn::GetAtt": [ + "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamEB333452", + "BootstrapBrokerStringSaslIam" + ] + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/manifest.json index 8c4ba3a32707b..442a923ed3060 100644 --- a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/manifest.json 
@@ -304,6 +304,36 @@ "type": "aws:cdk:logicalId", "data": "BootstrapBrokers2" } + ], + "/aws-cdk-msk-integ/ClusterIAM/SecurityGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ClusterIAMSecurityGroupA09813F0" + } + ], + "/aws-cdk-msk-integ/ClusterIAM/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ClusterIAMC4B15B57" + } + ], + "/aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/Resource/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamEB333452" + } + ], + "/aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/CustomResourcePolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99" + } + ], + "/aws-cdk-msk-integ/BootstrapBrokers3": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapBrokers3" + } ] }, "displayName": "aws-cdk-msk-integ" 
@@ -323,13 +353,13 @@ { "type": "aws:cdk:asset", "data": { - "path": "asset.0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd.bundle", - "id": "0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd", + "path": "asset.374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458.bundle", + "id": "374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458", "packaging": "zip", - "sourceHash": "0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd", - "s3BucketParameter": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7", - "s3KeyParameter": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E", - "artifactHashParameter": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdArtifactHash2AC894D9" + "sourceHash": "374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458", + "s3BucketParameter": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3", + "s3KeyParameter": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47", + "artifactHashParameter": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458ArtifactHash5A9F2F48" } } ], 
@@ -363,22 +393,22 @@ "data": "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F" } ], - "/MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/S3Bucket": [ + "/MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/S3Bucket": [ { "type": "aws:cdk:logicalId", - "data": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3BucketF94385B7" + "data": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3Bucket4DAC9CD3" } ], - "/MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/S3VersionKey": [ + "/MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/S3VersionKey": [ { "type": "aws:cdk:logicalId", - "data": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdS3VersionKey66DB0F9E" + "data": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458S3VersionKey22D10A47" } ], - "/MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/ArtifactHash": [ + "/MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/ArtifactHash": [ { "type": "aws:cdk:logicalId", - "data": "AssetParameters0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbdArtifactHash2AC894D9" + "data": "AssetParameters374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458ArtifactHash5A9F2F48" } ] }, diff --git a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/tree.json b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/tree.json index 70c692e26321a..b6317d86beff1 100644 --- a/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/tree.json 
+++ b/packages/@aws-cdk/aws-msk/test/cluster.integ.snapshot/tree.json @@ -9,7 +9,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } }, "aws-cdk-msk-integ": { @@ -944,7 +944,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } }, "105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286": { @@ -978,13 +978,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } }, "Cluster": { @@ -1193,7 +1193,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } }, "AWS679f53fac002430cb0da5b7982bd2287": { 
@@ -1356,6 +1356,204 @@ "fqn": "@aws-cdk/core.CfnOutput", "version": "0.0.0" } + }, + "ClusterIAM": { + "id": "ClusterIAM", + "path": "aws-cdk-msk-integ/ClusterIAM", + "children": { + "SecurityGroup": { + "id": "SecurityGroup", + "path": "aws-cdk-msk-integ/ClusterIAM/SecurityGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-msk-integ/ClusterIAM/SecurityGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup", + "aws:cdk:cloudformation:props": { + "groupDescription": "MSK security group", + "securityGroupEgress": [ + { + "cidrIp": "0.0.0.0/0", + "description": "Allow all outbound traffic by default", + "ipProtocol": "-1" + } + ], + "vpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-ec2.CfnSecurityGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-ec2.SecurityGroup", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-msk-integ/ClusterIAM/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::MSK::Cluster", + "aws:cdk:cloudformation:props": { + "brokerNodeGroupInfo": { + "instanceType": "kafka.m5.large", + "clientSubnets": [ + { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + }, + { + "Ref": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "securityGroups": [ + { + "Fn::GetAtt": [ + "ClusterIAMSecurityGroupA09813F0", + "GroupId" + ] + } + ], + "storageInfo": { + "ebsStorageInfo": { + "volumeSize": 1000 + } + } + }, + "clusterName": "integ-test-iam-auth", + "kafkaVersion": "2.8.1", + "numberOfBrokerNodes": 2, + "clientAuthentication": { + "sasl": { + "iam": { + "enabled": true + } + } + }, + "encryptionInfo": { + "encryptionInTransit": { + "clientBroker": "TLS", + "inCluster": true + } + }, + "loggingInfo": { + "brokerLogs": { + "cloudWatchLogs": { + "enabled": false + }, + "firehose": { + "enabled": false + }, + "s3": { + "enabled": true, + "bucket": { + "Ref": "LoggingBucket1E5A6F3B" + } + 
} + } + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-msk.CfnCluster", + "version": "0.0.0" + } + }, + "BootstrapBrokersBootstrapBrokerStringSaslIam": { + "id": "BootstrapBrokersBootstrapBrokerStringSaslIam", + "path": "aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam", + "children": { + "Provider": { + "id": "Provider", + "path": "aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/Provider", + "constructInfo": { + "fqn": "@aws-cdk/aws-lambda.SingletonFunction", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/Resource", + "children": { + "Default": { + "id": "Default", + "path": "aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/Resource/Default", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/core.CustomResource", + "version": "0.0.0" + } + }, + "CustomResourcePolicy": { + "id": "CustomResourcePolicy", + "path": "aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/CustomResourcePolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-msk-integ/ClusterIAM/BootstrapBrokersBootstrapBrokerStringSaslIam/CustomResourcePolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "kafka:GetBootstrapBrokers", + "Effect": "Allow", + "Resource": { + "Ref": "ClusterIAMC4B15B57" + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "ClusterIAMBootstrapBrokersBootstrapBrokerStringSaslIamCustomResourcePolicy51509D99", + "roles": [ + { + "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": 
"@aws-cdk/aws-iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/custom-resources.AwsCustomResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-msk.Cluster", + "version": "0.0.0" + } + }, + "BootstrapBrokers3": { + "id": "BootstrapBrokers3", + "path": "aws-cdk-msk-integ/BootstrapBrokers3", + "constructInfo": { + "fqn": "@aws-cdk/core.CfnOutput", + "version": "0.0.0" + } } }, "constructInfo": { @@ -1376,7 +1574,7 @@ "path": "MskLogging/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } }, "DeployAssert": { @@ -1396,7 +1594,7 @@ "path": "MskLogging/DefaultTest/DeployAssert/AwsApiCallS3listObjectsV2/SdkProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } } }, @@ -1436,7 +1634,7 @@ "path": "MskLogging/DefaultTest/DeployAssert/AwsApiCallS3listObjectsV2/AssertEqualsS3listObjectsV2/AssertionProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } } }, 
@@ -1514,20 +1712,20 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } }, "AssetParameters": { "id": "AssetParameters", "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters", "children": { - "0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd": { - "id": "0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd", - "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd", + "374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458": { + "id": "374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458", + "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458", "children": { "S3Bucket": { "id": "S3Bucket", - "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/S3Bucket", + "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/S3Bucket", "constructInfo": { "fqn": "@aws-cdk/core.CfnParameter", "version": "0.0.0" @@ -1535,7 +1733,7 @@ }, "S3VersionKey": { "id": "S3VersionKey", - "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/S3VersionKey", + "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/S3VersionKey", "constructInfo": { "fqn": "@aws-cdk/core.CfnParameter", "version": "0.0.0" 
@@ -1543,7 +1741,7 @@ }, "ArtifactHash": { "id": "ArtifactHash", - "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/0d8d96305807ac805d23c6d7b279eef238715605efad63c839ad1e7e8236bdbd/ArtifactHash", + "path": "MskLogging/DefaultTest/DeployAssert/AssetParameters/374e4c6bf67290e7a1839e32e1c4ec413fe48477e9585dc2e042bc07509f7458/ArtifactHash", "constructInfo": { "fqn": "@aws-cdk/core.CfnParameter", "version": "0.0.0" @@ -1552,13 +1750,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.78" + "version": "10.1.85" } } }, diff --git a/packages/@aws-cdk/aws-msk/test/integ.cluster.ts b/packages/@aws-cdk/aws-msk/test/integ.cluster.ts index 55aa8dd6948d2..177f06ba51e2c 100644 --- a/packages/@aws-cdk/aws-msk/test/integ.cluster.ts +++ b/packages/@aws-cdk/aws-msk/test/integ.cluster.ts @@ -1,6 +1,6 @@ import * as ec2 from '@aws-cdk/aws-ec2'; -import * as cdk from '@aws-cdk/core'; import * as s3 from '@aws-cdk/aws-s3'; +import * as cdk from '@aws-cdk/core'; import { IntegTest, AssertionsProvider, ExpectedResult } from '@aws-cdk/integ-tests'; import * as msk from '../lib'; 
@@ -34,6 +34,28 @@ class FeatureFlagStack extends cdk.Stack {
 // Test lazy instance of the AwsCustomResource
 new cdk.CfnOutput(this, 'BootstrapBrokers', { value: cluster.bootstrapBrokersTls });
 new cdk.CfnOutput(this, 'BootstrapBrokers2', { value: cluster.bootstrapBrokersTls });
+
+ // iam authenticated msk cluster integ test
+ const cluster2 = new msk.Cluster(this, 'ClusterIAM', {
+ clusterName: 'integ-test-iam-auth',
+ kafkaVersion: msk.KafkaVersion.V2_8_1,
+ vpc,
+ logging: {
+ s3: {
+ bucket: this.bucket,
+ },
+ },
+ encryptionInTransit: {
+ clientBroker: msk.ClientBrokerEncryption.TLS,
+ },
+ clientAuthentication: msk.ClientAuthentication.sasl({
+ iam: true,
+ }),
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ });
+
+ // Test lazy instance of the AwsCustomResource
+ new cdk.CfnOutput(this, 'BootstrapBrokers3', { value: cluster2.bootstrapBrokersSaslIam });
 }
 }
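Review bot: The new IAM cluster is only surfaced through the `BootstrapBrokers3` output; nothing asserts on the value of `cluster2.bootstrapBrokersSaslIam`, so the integration test proves the stack deploys but not that the SASL/IAM broker string is present and non-empty. This file already imports `ExpectedResult` and the snapshot shows an API-call assertion in use for the S3 listObjects check, so the same mechanism could issue a `getBootstrapBrokers` call for `cluster2.clusterArn` and assert the `BootstrapBrokerStringSaslIam` field; the `IntegTest` instance that would host that assertion is outside this hunk, as is the rest of `FeatureFlagStack`. Minor: the comment `// Test lazy instance of the AwsCustomResource` is copied verbatim from the TLS case two outputs up; `// Resolves bootstrapBrokersSaslIam through the lazily created AwsCustomResource` says what this output actually exercises.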