# One generated password per SASL/SCRAM user. The map is keyed by the
# username (the keys of `var.authentication.sasl_scram.users`), so a
# password can be looked up as `random_password.this[<username>].result`.
resource "random_password" "this" {
  for_each = var.authentication.sasl_scram.users

  # 16 characters with a guaranteed mix of character classes
  # (the minimums add up to 6, so 10 characters are unconstrained).
  length      = 16
  min_upper   = 1
  min_lower   = 2
  min_numeric = 2
  min_special = 1

  # Restrict the special characters to this set instead of the
  # provider's default set.
  override_special = "!#$%&*()-=<>:"
}
###################################################
# SASL/SCRAM User & Password for MSK Cluster
###################################################
# TODO: Create an independent module for msk-scram-users
# One Secrets Manager secret per SASL/SCRAM user, holding the username and
# the password generated in `random_password.this` as a KEY_VALUE pair.
module "secret" {
  source  = "tedilabs/secret/aws//modules/secrets-manager-secret"
  version = "~> 0.5.0"

  for_each = var.authentication.sasl_scram.users

  # Secret name is built from the cluster name and the username.
  # NOTE(review): MSK only associates SCRAM secrets whose name starts with
  # `AmazonMSK_`; keep that prefix if the naming scheme changes.
  name        = "AmazonMSK_SCRAM/${var.name}/${each.key}"
  description = "The SASL/SCRAM secret to provide username and password for MSK cluster authenticaiton."

  type = "KEY_VALUE"
  value = {
    username = each.key
    password = random_password.this[each.key].result
  }

  # NOTE(review): MSK requires SCRAM secrets to be encrypted with a
  # customer-managed KMS key rather than the AWS-managed default; confirm
  # the caller passes such a key here.
  kms_key = var.authentication.sasl_scram.kms_key

  # No resource policy is attached and public policies are blocked.
  policy              = null
  block_public_policy = true

  # Shortest recovery window Secrets Manager allows before the secret is
  # permanently deleted.
  deletion_window_in_days = 7

  resource_group_enabled = false
  module_tags_enabled    = false

  tags = merge(
    local.module_tags,
    var.tags,
  )
}
# Attach every SCRAM secret created above to the MSK cluster. A single
# association resource carries the whole list; it is only created when at
# least one secret exists (i.e. at least one SASL/SCRAM user is configured).
resource "aws_msk_scram_secret_association" "this" {
  count = length(module.secret) > 0 ? 1 : 0

  cluster_arn = aws_msk_cluster.this.arn

  # ARNs of all per-user secrets, collected from the `module.secret` map.
  secret_arn_list = values(module.secret)[*].arn
}