1. Packages
  2. AWS Classic
  3. API Docs
  4. msk
  5. ScramSecretAssociation

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

aws.msk.ScramSecretAssociation

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

    Associates SCRAM secrets stored in the Secrets Manager service with a Managed Streaming for Kafka (MSK) cluster.

    Note: The following assumes the MSK cluster has SASL/SCRAM authentication enabled. See below for example usage or refer to the Username/Password Authentication section of the MSK Developer Guide for more details.

    To set up username and password authentication for a cluster, create an aws.secretsmanager.Secret resource and associate a username and password with the secret with an aws.secretsmanager.SecretVersion resource. When creating a secret for the cluster, the name must have the prefix AmazonMSK_ and you must either use an existing custom AWS KMS key or create a new custom AWS KMS key for your secret with the aws.kms.Key resource. It is important to note that a policy is required for the aws.secretsmanager.Secret resource in order for Kafka to be able to read it. This policy is attached automatically when the aws.msk.ScramSecretAssociation is used, however, this policy will not be in the state and as such, will present a diff on plan/apply. For that reason, you must use the aws.secretsmanager.SecretPolicy resource](/docs/providers/aws/r/secretsmanager_secret_policy.html) as shown below in order to ensure that the state is in a clean state after the creation of secret and the association to the cluster.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const exampleCluster = new aws.msk.Cluster("example", {
        clusterName: "example",
        clientAuthentication: {
            sasl: {
                scram: true,
            },
        },
    });
    const exampleKey = new aws.kms.Key("example", {description: "Example Key for MSK Cluster Scram Secret Association"});
    const exampleSecret = new aws.secretsmanager.Secret("example", {
        name: "AmazonMSK_example",
        kmsKeyId: exampleKey.keyId,
    });
    const exampleScramSecretAssociation = new aws.msk.ScramSecretAssociation("example", {
        clusterArn: exampleCluster.arn,
        secretArnLists: [exampleSecret.arn],
    });
    const exampleSecretVersion = new aws.secretsmanager.SecretVersion("example", {
        secretId: exampleSecret.id,
        secretString: JSON.stringify({
            username: "user",
            password: "pass",
        }),
    });
    const example = aws.iam.getPolicyDocumentOutput({
        statements: [{
            sid: "AWSKafkaResourcePolicy",
            effect: "Allow",
            principals: [{
                type: "Service",
                identifiers: ["kafka.amazonaws.com"],
            }],
            actions: ["secretsmanager:getSecretValue"],
            resources: [exampleSecret.arn],
        }],
    });
    const exampleSecretPolicy = new aws.secretsmanager.SecretPolicy("example", {
        secretArn: exampleSecret.arn,
        policy: example.apply(example => example.json),
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    example_cluster = aws.msk.Cluster("example",
        cluster_name="example",
        client_authentication=aws.msk.ClusterClientAuthenticationArgs(
            sasl=aws.msk.ClusterClientAuthenticationSaslArgs(
                scram=True,
            ),
        ))
    example_key = aws.kms.Key("example", description="Example Key for MSK Cluster Scram Secret Association")
    example_secret = aws.secretsmanager.Secret("example",
        name="AmazonMSK_example",
        kms_key_id=example_key.key_id)
    example_scram_secret_association = aws.msk.ScramSecretAssociation("example",
        cluster_arn=example_cluster.arn,
        secret_arn_lists=[example_secret.arn])
    example_secret_version = aws.secretsmanager.SecretVersion("example",
        secret_id=example_secret.id,
        secret_string=json.dumps({
            "username": "user",
            "password": "pass",
        }))
    example = aws.iam.get_policy_document_output(statements=[aws.iam.GetPolicyDocumentStatementArgs(
        sid="AWSKafkaResourcePolicy",
        effect="Allow",
        principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["kafka.amazonaws.com"],
        )],
        actions=["secretsmanager:getSecretValue"],
        resources=[example_secret.arn],
    )])
    example_secret_policy = aws.secretsmanager.SecretPolicy("example",
        secret_arn=example_secret.arn,
        policy=example.json)
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/kms"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/msk"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		exampleCluster, err := msk.NewCluster(ctx, "example", &msk.ClusterArgs{
    			ClusterName: pulumi.String("example"),
    			ClientAuthentication: &msk.ClusterClientAuthenticationArgs{
    				Sasl: &msk.ClusterClientAuthenticationSaslArgs{
    					Scram: pulumi.Bool(true),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		exampleKey, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
    			Description: pulumi.String("Example Key for MSK Cluster Scram Secret Association"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleSecret, err := secretsmanager.NewSecret(ctx, "example", &secretsmanager.SecretArgs{
    			Name:     pulumi.String("AmazonMSK_example"),
    			KmsKeyId: exampleKey.KeyId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = msk.NewScramSecretAssociation(ctx, "example", &msk.ScramSecretAssociationArgs{
    			ClusterArn: exampleCluster.Arn,
    			SecretArnLists: pulumi.StringArray{
    				exampleSecret.Arn,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"username": "user",
    			"password": "pass",
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		_, err = secretsmanager.NewSecretVersion(ctx, "example", &secretsmanager.SecretVersionArgs{
    			SecretId:     exampleSecret.ID(),
    			SecretString: pulumi.String(json0),
    		})
    		if err != nil {
    			return err
    		}
    		example := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
    			Statements: iam.GetPolicyDocumentStatementArray{
    				&iam.GetPolicyDocumentStatementArgs{
    					Sid:    pulumi.String("AWSKafkaResourcePolicy"),
    					Effect: pulumi.String("Allow"),
    					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
    						&iam.GetPolicyDocumentStatementPrincipalArgs{
    							Type: pulumi.String("Service"),
    							Identifiers: pulumi.StringArray{
    								pulumi.String("kafka.amazonaws.com"),
    							},
    						},
    					},
    					Actions: pulumi.StringArray{
    						pulumi.String("secretsmanager:getSecretValue"),
    					},
    					Resources: pulumi.StringArray{
    						exampleSecret.Arn,
    					},
    				},
    			},
    		}, nil)
    		_, err = secretsmanager.NewSecretPolicy(ctx, "example", &secretsmanager.SecretPolicyArgs{
    			SecretArn: exampleSecret.Arn,
    			Policy: example.ApplyT(func(example iam.GetPolicyDocumentResult) (*string, error) {
    				return &example.Json, nil
    			}).(pulumi.StringPtrOutput),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var exampleCluster = new Aws.Msk.Cluster("example", new()
        {
            ClusterName = "example",
            ClientAuthentication = new Aws.Msk.Inputs.ClusterClientAuthenticationArgs
            {
                Sasl = new Aws.Msk.Inputs.ClusterClientAuthenticationSaslArgs
                {
                    Scram = true,
                },
            },
        });
    
        var exampleKey = new Aws.Kms.Key("example", new()
        {
            Description = "Example Key for MSK Cluster Scram Secret Association",
        });
    
        var exampleSecret = new Aws.SecretsManager.Secret("example", new()
        {
            Name = "AmazonMSK_example",
            KmsKeyId = exampleKey.KeyId,
        });
    
        var exampleScramSecretAssociation = new Aws.Msk.ScramSecretAssociation("example", new()
        {
            ClusterArn = exampleCluster.Arn,
            SecretArnLists = new[]
            {
                exampleSecret.Arn,
            },
        });
    
        var exampleSecretVersion = new Aws.SecretsManager.SecretVersion("example", new()
        {
            SecretId = exampleSecret.Id,
            SecretString = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["username"] = "user",
                ["password"] = "pass",
            }),
        });
    
        var example = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "AWSKafkaResourcePolicy",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "kafka.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "secretsmanager:getSecretValue",
                    },
                    Resources = new[]
                    {
                        exampleSecret.Arn,
                    },
                },
            },
        });
    
        var exampleSecretPolicy = new Aws.SecretsManager.SecretPolicy("example", new()
        {
            SecretArn = exampleSecret.Arn,
            Policy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.msk.Cluster;
    import com.pulumi.aws.msk.ClusterArgs;
    import com.pulumi.aws.msk.inputs.ClusterClientAuthenticationArgs;
    import com.pulumi.aws.msk.inputs.ClusterClientAuthenticationSaslArgs;
    import com.pulumi.aws.kms.Key;
    import com.pulumi.aws.kms.KeyArgs;
    import com.pulumi.aws.secretsmanager.Secret;
    import com.pulumi.aws.secretsmanager.SecretArgs;
    import com.pulumi.aws.msk.ScramSecretAssociation;
    import com.pulumi.aws.msk.ScramSecretAssociationArgs;
    import com.pulumi.aws.secretsmanager.SecretVersion;
    import com.pulumi.aws.secretsmanager.SecretVersionArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.secretsmanager.SecretPolicy;
    import com.pulumi.aws.secretsmanager.SecretPolicyArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var exampleCluster = new Cluster("exampleCluster", ClusterArgs.builder()        
                .clusterName("example")
                .clientAuthentication(ClusterClientAuthenticationArgs.builder()
                    .sasl(ClusterClientAuthenticationSaslArgs.builder()
                        .scram(true)
                        .build())
                    .build())
                .build());
    
            var exampleKey = new Key("exampleKey", KeyArgs.builder()        
                .description("Example Key for MSK Cluster Scram Secret Association")
                .build());
    
            var exampleSecret = new Secret("exampleSecret", SecretArgs.builder()        
                .name("AmazonMSK_example")
                .kmsKeyId(exampleKey.keyId())
                .build());
    
            var exampleScramSecretAssociation = new ScramSecretAssociation("exampleScramSecretAssociation", ScramSecretAssociationArgs.builder()        
                .clusterArn(exampleCluster.arn())
                .secretArnLists(exampleSecret.arn())
                .build());
    
            var exampleSecretVersion = new SecretVersion("exampleSecretVersion", SecretVersionArgs.builder()        
                .secretId(exampleSecret.id())
                .secretString(serializeJson(
                    jsonObject(
                        jsonProperty("username", "user"),
                        jsonProperty("password", "pass")
                    )))
                .build());
    
            final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("AWSKafkaResourcePolicy")
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("kafka.amazonaws.com")
                        .build())
                    .actions("secretsmanager:getSecretValue")
                    .resources(exampleSecret.arn())
                    .build())
                .build());
    
            var exampleSecretPolicy = new SecretPolicy("exampleSecretPolicy", SecretPolicyArgs.builder()        
                .secretArn(exampleSecret.arn())
                .policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(example -> example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
                .build());
    
        }
    }
    
    resources:
      exampleScramSecretAssociation:
        type: aws:msk:ScramSecretAssociation
        name: example
        properties:
          clusterArn: ${exampleCluster.arn}
          secretArnLists:
            - ${exampleSecret.arn}
      exampleCluster:
        type: aws:msk:Cluster
        name: example
        properties:
          clusterName: example
          clientAuthentication:
            sasl:
              scram: true
      exampleSecret:
        type: aws:secretsmanager:Secret
        name: example
        properties:
          name: AmazonMSK_example
          kmsKeyId: ${exampleKey.keyId}
      exampleKey:
        type: aws:kms:Key
        name: example
        properties:
          description: Example Key for MSK Cluster Scram Secret Association
      exampleSecretVersion:
        type: aws:secretsmanager:SecretVersion
        name: example
        properties:
          secretId: ${exampleSecret.id}
          secretString:
            fn::toJSON:
              username: user
              password: pass
      exampleSecretPolicy:
        type: aws:secretsmanager:SecretPolicy
        name: example
        properties:
          secretArn: ${exampleSecret.arn}
          policy: ${example.json}
    variables:
      example:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: AWSKafkaResourcePolicy
                effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - kafka.amazonaws.com
                actions:
                  - secretsmanager:getSecretValue
                resources:
                  - ${exampleSecret.arn}
    

    Create ScramSecretAssociation Resource

    new ScramSecretAssociation(name: string, args: ScramSecretAssociationArgs, opts?: CustomResourceOptions);
    @overload
    def ScramSecretAssociation(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               cluster_arn: Optional[str] = None,
                               secret_arn_lists: Optional[Sequence[str]] = None)
    @overload
    def ScramSecretAssociation(resource_name: str,
                               args: ScramSecretAssociationArgs,
                               opts: Optional[ResourceOptions] = None)
    func NewScramSecretAssociation(ctx *Context, name string, args ScramSecretAssociationArgs, opts ...ResourceOption) (*ScramSecretAssociation, error)
    public ScramSecretAssociation(string name, ScramSecretAssociationArgs args, CustomResourceOptions? opts = null)
    public ScramSecretAssociation(String name, ScramSecretAssociationArgs args)
    public ScramSecretAssociation(String name, ScramSecretAssociationArgs args, CustomResourceOptions options)
    
    type: aws:msk:ScramSecretAssociation
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ScramSecretAssociationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ScramSecretAssociationArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ScramSecretAssociationArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ScramSecretAssociationArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ScramSecretAssociationArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    ScramSecretAssociation Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ScramSecretAssociation resource accepts the following input properties:

    ClusterArn string
    Amazon Resource Name (ARN) of the MSK cluster.
    SecretArnLists List<string>
    List of AWS Secrets Manager secret ARNs.
    ClusterArn string
    Amazon Resource Name (ARN) of the MSK cluster.
    SecretArnLists []string
    List of AWS Secrets Manager secret ARNs.
    clusterArn String
    Amazon Resource Name (ARN) of the MSK cluster.
    secretArnLists List<String>
    List of AWS Secrets Manager secret ARNs.
    clusterArn string
    Amazon Resource Name (ARN) of the MSK cluster.
    secretArnLists string[]
    List of AWS Secrets Manager secret ARNs.
    cluster_arn str
    Amazon Resource Name (ARN) of the MSK cluster.
    secret_arn_lists Sequence[str]
    List of AWS Secrets Manager secret ARNs.
    clusterArn String
    Amazon Resource Name (ARN) of the MSK cluster.
    secretArnLists List<String>
    List of AWS Secrets Manager secret ARNs.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ScramSecretAssociation resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing ScramSecretAssociation Resource

    Get an existing ScramSecretAssociation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ScramSecretAssociationState, opts?: CustomResourceOptions): ScramSecretAssociation
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            cluster_arn: Optional[str] = None,
            secret_arn_lists: Optional[Sequence[str]] = None) -> ScramSecretAssociation
    func GetScramSecretAssociation(ctx *Context, name string, id IDInput, state *ScramSecretAssociationState, opts ...ResourceOption) (*ScramSecretAssociation, error)
    public static ScramSecretAssociation Get(string name, Input<string> id, ScramSecretAssociationState? state, CustomResourceOptions? opts = null)
    public static ScramSecretAssociation get(String name, Output<String> id, ScramSecretAssociationState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    ClusterArn string
    Amazon Resource Name (ARN) of the MSK cluster.
    SecretArnLists List<string>
    List of AWS Secrets Manager secret ARNs.
    ClusterArn string
    Amazon Resource Name (ARN) of the MSK cluster.
    SecretArnLists []string
    List of AWS Secrets Manager secret ARNs.
    clusterArn String
    Amazon Resource Name (ARN) of the MSK cluster.
    secretArnLists List<String>
    List of AWS Secrets Manager secret ARNs.
    clusterArn string
    Amazon Resource Name (ARN) of the MSK cluster.
    secretArnLists string[]
    List of AWS Secrets Manager secret ARNs.
    cluster_arn str
    Amazon Resource Name (ARN) of the MSK cluster.
    secret_arn_lists Sequence[str]
    List of AWS Secrets Manager secret ARNs.
    clusterArn String
    Amazon Resource Name (ARN) of the MSK cluster.
    secretArnLists List<String>
    List of AWS Secrets Manager secret ARNs.

    Import

    Using pulumi import, import MSK SCRAM Secret Associations using the id. For example:

    $ pulumi import aws:msk/scramSecretAssociation:ScramSecretAssociation example arn:aws:kafka:us-west-2:123456789012:cluster/example/279c0212-d057-4dba-9aa9-1c4e5a25bfc7-3
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi