diff --git a/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts b/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts
index 883fcb1d385fc..421ba6ca91d15 100644
--- a/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts
@@ -654,16 +654,16 @@ export class Cluster extends ClusterBase {
     }
 
     let clientAuthentication;
+    const { saslProps, tlsProps } = props.clientAuthentication ?? {};
+
     if (props.clientAuthentication) {
       clientAuthentication = {
-        sasl: props.clientAuthentication.saslProps ? {
-          iam: props.clientAuthentication.saslProps.iam ? { enabled: true }: undefined,
-          scram: props.clientAuthentication.saslProps.scram ? { enabled: true }: undefined,
+        sasl: saslProps ? {
+          iam: saslProps.iam ? { enabled: true }: undefined,
+          scram: saslProps.scram ? { enabled: true }: undefined,
         } : undefined,
-        tls: props.clientAuthentication.tlsProps?.certificateAuthorities ? {
-          certificateAuthorityArnList: props.clientAuthentication.tlsProps.certificateAuthorities?.map(
-            (ca) => ca.certificateAuthorityArn,
-          ),
+        tls: tlsProps?.certificateAuthorities ? {
+          certificateAuthorityArnList: tlsProps.certificateAuthorities?.map((ca) => ca.certificateAuthorityArn),
           enabled: true,
         } : undefined,
       };
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/__snapshots__/cluster.test.ts.snap b/packages/@aws-cdk/aws-msk-alpha/test/__snapshots__/cluster.test.ts.snap
index 16f489a90c0d4..e6d5e1694ab41 100644
--- a/packages/@aws-cdk/aws-msk-alpha/test/__snapshots__/cluster.test.ts.snap
+++ b/packages/@aws-cdk/aws-msk-alpha/test/__snapshots__/cluster.test.ts.snap
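Review bot: The rewritten `tls:` guard `tlsProps?.certificateAuthorities ? { ... }` treats an empty array as truthy, so `certificateAuthorities: []` still yields `tls: { certificateAuthorityArnList: [], enabled: true }` — a TLS client-auth block that trusts no CA; if that is not an intended configuration, guard on `tlsProps?.certificateAuthorities?.length` here or reject the empty list where `ClientAuthentication.tls` is built. Inside that branch the optional chain in `tlsProps.certificateAuthorities?.map(...)` is redundant, since the ternary has already established the array exists, and `tlsProps.certificateAuthorities.map((ca) => ca.certificateAuthorityArn)` states the invariant more honestly. The carried-over `{ enabled: true }: undefined` spacing (no space before the colon) on the new `iam`/`scram` lines is a pre-existing nit worth fixing while these lines are touched. The enclosing constructor body starts and ends outside the hunk.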
@@ -494,6 +494,591 @@ exports[`MSK Cluster Snapshot test with all values set 1`] = ` } `; +exports[`MSK Cluster created with authentication enabled with combinations of sasl/scram, iam, and tls Snapshot test with all values set (iam/scram/tls) 1`] = ` +{ + "Resources": { + "Vpc8378EB38": { + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc", + }, + ], + }, + "Type": "AWS::EC2::VPC", + }, + "VpcIGWD7BA715C": { + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc", + }, + ], + }, + "Type": "AWS::EC2::InternetGateway", + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA", + }, + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500", + }, + }, + "Type": "AWS::EC2::Route", + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500", + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PrivateSubnet1", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::RouteTable", + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": "10.0.128.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private", + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private", + }, + { + "Key": "Name", + "Value": "Default/Vpc/PrivateSubnet1", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::Subnet", + }, + 
"VpcPrivateSubnet2DefaultRoute060D2087": { + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D", + }, + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B", + }, + }, + "Type": "AWS::EC2::Route", + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PrivateSubnet2", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::RouteTable", + }, + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B", + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": "10.0.192.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private", + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private", + }, + { + "Key": "Name", + "Value": "Default/Vpc/PrivateSubnet2", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::Subnet", + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "DependsOn": [ + "VpcVPCGWBF912B6E", + ], + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C", + }, + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E", + }, + }, + "Type": "AWS::EC2::Route", + }, + "VpcPublicSubnet1EIPD7E02669": { + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet1", + }, + ], + }, + "Type": "AWS::EC2::EIP", + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "DependsOn": [ + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1RouteTableAssociation97140677", + ], + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + 
"VpcPublicSubnet1EIPD7E02669", + "AllocationId", + ], + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4", + }, + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet1", + }, + ], + }, + "Type": "AWS::EC2::NatGateway", + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet1", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::RouteTable", + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E", + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": "10.0.0.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public", + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public", + }, + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet1", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::Subnet", + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "DependsOn": [ + "VpcVPCGWBF912B6E", + ], + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C", + }, + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489", + }, + }, + "Type": "AWS::EC2::Route", + }, + "VpcPublicSubnet2EIP3C605A87": { + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet2", + }, + ], + }, + "Type": "AWS::EC2::EIP", + }, + "VpcPublicSubnet2NATGateway9182C01D": { + "DependsOn": [ + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTableAssociationDD5762D8", + ], + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId", 
+ ], + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3", + }, + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet2", + }, + ], + }, + "Type": "AWS::EC2::NatGateway", + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet2", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::RouteTable", + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489", + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3", + }, + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation", + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "", + }, + ], + }, + "CidrBlock": "10.0.64.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public", + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public", + }, + { + "Key": "Name", + "Value": "Default/Vpc/PublicSubnet2", + }, + ], + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::Subnet", + }, + "VpcVPCGWBF912B6E": { + "Properties": { + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C", + }, + "VpcId": { + "Ref": "Vpc8378EB38", + }, + }, + "Type": "AWS::EC2::VPCGatewayAttachment", + }, + "kafka5BADF433": { + "DeletionPolicy": "Retain", + "Properties": { + "BrokerNodeGroupInfo": { + "ClientSubnets": [ + { + "Ref": "VpcPrivateSubnet1Subnet536B997A", + }, + { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1", + }, + ], + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + "sg-123", + "sg-456", + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 100, + }, + }, + }, + "ClientAuthentication": { + "Sasl": { + "Iam": { + "Enabled": true, + }, + "Scram": { + "Enabled": true, + }, + }, + "Tls": { + "CertificateAuthorityArnList": [ + 
"arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111", + ], + "Enabled": true, + }, + }, + "ClusterName": "test-cluster", + "EncryptionInfo": { + "EncryptionAtRest": { + "DataVolumeKMSKeyId": "1234abc", + }, + "EncryptionInTransit": { + "ClientBroker": "TLS", + "InCluster": true, + }, + }, + "EnhancedMonitoring": "PER_TOPIC_PER_BROKER", + "KafkaVersion": "2.6.1", + "LoggingInfo": { + "BrokerLogs": { + "CloudWatchLogs": { + "Enabled": true, + "LogGroup": "a-log-group", + }, + "Firehose": { + "DeliveryStream": "a-delivery-stream", + "Enabled": true, + }, + "S3": { + "Bucket": "a-bucket", + "Enabled": true, + }, + }, + }, + "NumberOfBrokerNodes": 2, + "OpenMonitoring": { + "Prometheus": { + "JmxExporter": { + "EnabledInBroker": true, + }, + "NodeExporter": { + "EnabledInBroker": true, + }, + }, + }, + }, + "Type": "AWS::MSK::Cluster", + "UpdateReplacePolicy": "Retain", + }, + "kafkaSASLKey69FC3AFA": { + "DeletionPolicy": "Retain", + "Properties": { + "Description": "Used for encrypting MSK secrets for SASL/SCRAM authentication.", + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition", + }, + ":iam::", + { + "Ref": "AWS::AccountId", + }, + ":root", + ], + ], + }, + }, + "Resource": "*", + }, + { + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:CreateGrant", + "kms:DescribeKey", + ], + "Condition": { + "StringEquals": { + "kms:CallerAccount": { + "Ref": "AWS::AccountId", + }, + "kms:ViaService": { + "Fn::Join": [ + "", + [ + "secretsmanager.", + { + "Ref": "AWS::Region", + }, + ".amazonaws.com", + ], + ], + }, + }, + }, + "Effect": "Allow", + "Principal": { + "AWS": "*", + }, + "Resource": "*", + "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager", + }, + ], + "Version": 
"2012-10-17", + }, + }, + "Type": "AWS::KMS::Key", + "UpdateReplacePolicy": "Retain", + }, + "kafkaSASLKeyAlias7A73E101": { + "Properties": { + "AliasName": "alias/msk/test-cluster/sasl/scram", + "TargetKeyId": { + "Fn::GetAtt": [ + "kafkaSASLKey69FC3AFA", + "Arn", + ], + }, + }, + "Type": "AWS::KMS::Alias", + }, + "sg1fromsg32181E6F4C07E": { + "Properties": { + "Description": "from sg3:2181", + "FromPort": 2181, + "GroupId": "sg-123", + "IpProtocol": "tcp", + "SourceSecurityGroupId": "sg-3", + "ToPort": 2181, + }, + "Type": "AWS::EC2::SecurityGroupIngress", + }, + "sg2fromsg32181884B3B9E": { + "Properties": { + "Description": "from sg3:2181", + "FromPort": 2181, + "GroupId": "sg-456", + "IpProtocol": "tcp", + "SourceSecurityGroupId": "sg-3", + "ToPort": 2181, + }, + "Type": "AWS::EC2::SecurityGroupIngress", + }, + }, +} +`; + exports[`MSK Cluster created with authentication enabled with sasl/scram, iam, and tls Snapshot test with all values set (iam/scram/tls) 1`] = ` { "Resources": { diff --git a/packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts b/packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts index 20c9f6a857b80..435e7b7c33f0a 100644 --- a/packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts +++ b/packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts 
@@ -104,6 +104,34 @@ describe('MSK Cluster', () => { describe('created with authentication enabled', () => { describe('with tls auth', () => { + test('tls enabled is true', () => { + new msk.Cluster(stack, 'Cluster', { + clusterName: 'cluster', + kafkaVersion: msk.KafkaVersion.V2_6_1, + vpc, + encryptionInTransit: { + clientBroker: msk.ClientBrokerEncryption.TLS, + }, + clientAuthentication: msk.ClientAuthentication.tls({ + certificateAuthorities: [ + acmpca.CertificateAuthority.fromCertificateAuthorityArn( + stack, + 'CertificateAuthority', + 'arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111', + ), + ], + }), + }); + Template.fromStack(stack).hasResourceProperties('AWS::MSK::Cluster', { + ClientAuthentication: { + Tls: { + CertificateAuthorityArnList: ['arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111'], + Enabled: true, + }, + }, + }); + }); + test('fails if client broker encryption is set to plaintext', () => { expect( () => @@ -131,6 +159,27 @@ describe('MSK Cluster', () => { }); describe('with sasl/scram auth', () => { + test('sasl/scram enabled is true', () => { + new msk.Cluster(stack, 'Cluster', { + clusterName: 'cluster', + kafkaVersion: msk.KafkaVersion.V2_6_1, + vpc, + encryptionInTransit: { + clientBroker: msk.ClientBrokerEncryption.TLS, + }, + clientAuthentication: msk.ClientAuthentication.sasl({ + scram: true, + }), + }); + Template.fromStack(stack).hasResourceProperties('AWS::MSK::Cluster', { + ClientAuthentication: { + Sasl: { + Scram: { Enabled: true }, + }, + }, + }); + }); + test('fails if tls encryption is set to plaintext', () => { expect(() => new msk.Cluster(stack, 'Cluster', { clusterName: 'cluster', @@ -168,7 +217,7 @@ describe('MSK Cluster', () => { }); }); - describe('with sasl/iam auth', () => { + describe('with iam auth', () => { test('iam enabled is true', () => { new msk.Cluster(stack, 'Cluster', { clusterName: 'cluster', 
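Review bot: The new `sasl/scram enabled is true` test in the second hunk asserts only `Sasl: { Scram: { Enabled: true } }`, and `hasResourceProperties` matches object-like (partially), so the assertion would still pass if an `Iam` or `Tls` block were also emitted — exactly the regression a refactor of the auth-mapping code could introduce. Pinning the siblings as absent, e.g. `Sasl: { Scram: { Enabled: true }, Iam: Match.absent() }` together with `Tls: Match.absent()` under `ClientAuthentication` (with `Match` from the assertions module, if it is imported in this file), makes the test discriminate between the authentication modes. The same applies to the `tls enabled is true` test in the first hunk, which does not assert that no `Sasl` block is present.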
@@ -187,6 +236,7 @@ describe('MSK Cluster', () => { }, }); }); + test('fails if tls encryption is set to plaintext', () => { expect( () => 
@@ -226,7 +276,92 @@ describe('MSK Cluster', () => { }); }); - describe('with sasl/scram, iam, and tls', () => { + describe('with combinations of sasl/scram, iam, and tls', () => { + test('sasl/scram and iam enabled is true', () => { + new msk.Cluster(stack, 'Cluster', { + clusterName: 'cluster', + kafkaVersion: msk.KafkaVersion.V2_6_1, + vpc, + encryptionInTransit: { + clientBroker: msk.ClientBrokerEncryption.TLS, + }, + clientAuthentication: msk.ClientAuthentication.sasl({ + iam: true, + scram: true, + }), + }); + Template.fromStack(stack).hasResourceProperties('AWS::MSK::Cluster', { + ClientAuthentication: { + Sasl: { + Iam: { Enabled: true }, + Scram: { Enabled: true }, + }, + }, + }); + }); + + test('sasl/scram and tls enabled is true', () => { + new msk.Cluster(stack, 'Cluster', { + clusterName: 'cluster', + kafkaVersion: msk.KafkaVersion.V2_6_1, + vpc, + encryptionInTransit: { + clientBroker: msk.ClientBrokerEncryption.TLS, + }, + clientAuthentication: msk.ClientAuthentication.saslTls({ + scram: true, + certificateAuthorities: [ + acmpca.CertificateAuthority.fromCertificateAuthorityArn( + stack, + 'CertificateAuthority', + 'arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111', + ), + ], + }), + }); + Template.fromStack(stack).hasResourceProperties('AWS::MSK::Cluster', { + ClientAuthentication: { + Sasl: { + Scram: { Enabled: true }, + }, + Tls: { + CertificateAuthorityArnList: ['arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111'], + }, + }, + }); + }); + + test('iam and tls enabled is true', () => { + new msk.Cluster(stack, 'Cluster', { + clusterName: 'cluster', + kafkaVersion: msk.KafkaVersion.V2_6_1, + vpc, + encryptionInTransit: { + clientBroker: msk.ClientBrokerEncryption.TLS, + }, + clientAuthentication: msk.ClientAuthentication.saslTls({ + iam: true, + certificateAuthorities: [ + acmpca.CertificateAuthority.fromCertificateAuthorityArn( + stack, + 
'CertificateAuthority', + 'arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111', + ), + ], + }), + }); + Template.fromStack(stack).hasResourceProperties('AWS::MSK::Cluster', { + ClientAuthentication: { + Sasl: { + Iam: { Enabled: true }, + }, + Tls: { + CertificateAuthorityArnList: ['arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111'], + }, + }, + }); + }); + test('Snapshot test with all values set (iam/scram/tls)', () => { const cluster = new msk.Cluster(stack, 'kafka', { clusterName: 'test-cluster', diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/MskClusterAuthDefaultTestDeployAssert1991B19C.assets.json similarity index 87% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets.json rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/MskClusterAuthDefaultTestDeployAssert1991B19C.assets.json index 8a84f1e39b304..f873f00421c06 100644 --- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets.json +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/MskClusterAuthDefaultTestDeployAssert1991B19C.assets.json @@ -3,7 +3,7 @@ "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { - "path": "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.template.json", + "path": "MskClusterAuthDefaultTestDeployAssert1991B19C.template.json", "packaging": "file" }, "destinations": { 
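Review bot: The `sasl/scram and tls enabled is true` and `iam and tls enabled is true` tests assert `Tls: { CertificateAuthorityArnList: [...] }` but, unlike the `tls enabled is true` test earlier in this file, not `Enabled: true` under `Tls`, so a regression that emits the CA list without enabling TLS client authentication would pass; add `Enabled: true,` next to `CertificateAuthorityArnList` in both expectations. Because `hasResourceProperties` matches partially, neither combination test proves the third method stays off either; `Iam: Match.absent()` in the scram/tls case and `Scram: Match.absent()` in the iam/tls case would close that gap, assuming `Match` is available in this test file. The `describe` block continues outside the hunk.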
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.template.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/MskClusterAuthDefaultTestDeployAssert1991B19C.template.json similarity index 100% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.template.json rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/MskClusterAuthDefaultTestDeployAssert1991B19C.template.json diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/aws-cdk-msk-sasl-scram-iam-integ.assets.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.assets.json similarity index 65% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/aws-cdk-msk-sasl-scram-iam-integ.assets.json rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.assets.json index 79e19e09daae4..0c422f5e63102 100644 --- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/aws-cdk-msk-sasl-scram-iam-integ.assets.json +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.assets.json 
@@ -1,15 +1,15 @@ { "version": "38.0.1", "files": { - "bebaacb803cbd7702f959bbadc925ea654fbcc46464f713f3204e122be7ad825": { + "7c12b5b1fd96903b543fbfd848373b75380666868f6a835c113706d91d538e56": { "source": { - "path": "aws-cdk-msk-sasl-scram-iam-integ.template.json", + "path": "aws-cdk-msk-auth-integ.template.json", "packaging": "file" }, "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "bebaacb803cbd7702f959bbadc925ea654fbcc46464f713f3204e122be7ad825.json", + "objectKey": "7c12b5b1fd96903b543fbfd848373b75380666868f6a835c113706d91d538e56.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/aws-cdk-msk-sasl-scram-iam-integ.template.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.template.json similarity index 79% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/aws-cdk-msk-sasl-scram-iam-integ.template.json rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.template.json index 3f50153f44466..f8a5d4962c6f3 100644 --- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/aws-cdk-msk-sasl-scram-iam-integ.template.json +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.template.json @@ -10,7 +10,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC" + "Value": "aws-cdk-msk-auth-integ/VPC" } ] } @@ -39,7 +39,7 @@ }, { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ], "VpcId": { 
@@ -53,7 +53,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ], "VpcId": { @@ -94,7 +94,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ] } @@ -114,7 +114,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ] }, @@ -147,7 +147,7 @@ }, { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ], "VpcId": { @@ -161,7 +161,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ], "VpcId": { @@ -202,7 +202,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ] } @@ -222,7 +222,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "Value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ] }, @@ -255,7 +255,7 @@ }, { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1" + "Value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1" } ], "VpcId": { @@ -269,7 +269,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1" + "Value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1" } ], "VpcId": { @@ -324,7 +324,7 @@ }, { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2" + "Value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2" } ], "VpcId": { @@ -338,7 +338,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2" + "Value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2" } ], "VpcId": { 
@@ -375,7 +375,7 @@ "Tags": [ { "Key": "Name", - "Value": "aws-cdk-msk-sasl-scram-iam-integ/VPC" + "Value": "aws-cdk-msk-auth-integ/VPC" } ] } @@ -391,7 +391,64 @@ } } }, - "ClusterSaslScramIamSecurityGroup3617243A": { + "CertificateAuthority": { + "Type": "AWS::ACMPCA::CertificateAuthority", + "Properties": { + "KeyAlgorithm": "RSA_2048", + "KeyStorageSecurityStandard": "FIPS_140_2_LEVEL_3_OR_HIGHER", + "SigningAlgorithm": "SHA256WITHRSA", + "Subject": { + "CommonName": "MSK Cluster Root CA", + "Country": "DE", + "Locality": "Berlin", + "Organization": "Amazon Web Services", + "OrganizationalUnit": "AWS-CDK", + "State": "Berlin" + }, + "Type": "ROOT" + } + }, + "Certificate": { + "Type": "AWS::ACMPCA::Certificate", + "Properties": { + "CertificateAuthorityArn": { + "Fn::GetAtt": [ + "CertificateAuthority", + "Arn" + ] + }, + "CertificateSigningRequest": { + "Fn::GetAtt": [ + "CertificateAuthority", + "CertificateSigningRequest" + ] + }, + "SigningAlgorithm": "SHA256WITHRSA", + "TemplateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1", + "Validity": { + "Type": "YEARS", + "Value": 1 + } + } + }, + "CertificateActivation": { + "Type": "AWS::ACMPCA::CertificateAuthorityActivation", + "Properties": { + "Certificate": { + "Fn::GetAtt": [ + "Certificate", + "Certificate" + ] + }, + "CertificateAuthorityArn": { + "Fn::GetAtt": [ + "CertificateAuthority", + "Arn" + ] + } + } + }, + "ClusterSecurityGroup0921994B": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "MSK security group", @@ -405,9 +462,12 @@ "VpcId": { "Ref": "VPCB9E5F0B4" } - } + }, + "DependsOn": [ + "CertificateActivation" + ] }, - "ClusterSaslScramIamSASLKey1ED07A25": { + "ClusterSASLKeyC4AE65F3": { "Type": "AWS::KMS::Key", "Properties": { "Description": "Used for encrypting MSK secrets for SASL/SCRAM authentication.", 
@@ -475,22 +535,28 @@ "Version": "2012-10-17" } }, + "DependsOn": [ + "CertificateActivation" + ], "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" }, - "ClusterSaslScramIamSASLKeyAliasA5DD463A": { + "ClusterSASLKeyAliasCBD2665F": { "Type": "AWS::KMS::Alias", "Properties": { - "AliasName": "alias/msk/integ-test-sasl-scram-iam-auth/sasl/scram", + "AliasName": "alias/msk/integ-test-auth/sasl/scram", "TargetKeyId": { "Fn::GetAtt": [ - "ClusterSaslScramIamSASLKey1ED07A25", + "ClusterSASLKeyC4AE65F3", "Arn" ] } - } + }, + "DependsOn": [ + "CertificateActivation" + ] }, - "ClusterSaslScramIamBBCBE054": { + "ClusterEB0386A7": { "Type": "AWS::MSK::Cluster", "Properties": { "BrokerNodeGroupInfo": { @@ -506,7 +572,7 @@ "SecurityGroups": [ { "Fn::GetAtt": [ - "ClusterSaslScramIamSecurityGroup3617243A", + "ClusterSecurityGroup0921994B", "GroupId" ] } @@ -525,9 +591,20 @@ "Scram": { "Enabled": true } + }, + "Tls": { + "CertificateAuthorityArnList": [ + { + "Fn::GetAtt": [ + "CertificateAuthority", + "Arn" + ] + } + ], + "Enabled": true } }, - "ClusterName": "integ-test-sasl-scram-iam-auth", + "ClusterName": "integ-test-auth", "EncryptionInfo": { "EncryptionInTransit": { "ClientBroker": "TLS", @@ -550,6 +627,9 @@ }, "NumberOfBrokerNodes": 2 }, + "DependsOn": [ + "CertificateActivation" + ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" } diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/cdk.out b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/cdk.out rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/cdk.out 
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/integ.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/integ.json new file mode 100644 index 0000000000000..8fabed5845680 --- /dev/null +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "38.0.1", + "testCases": { + "MskClusterAuth/DefaultTest": { + "stacks": [ + "aws-cdk-msk-auth-integ" + ], + "assertionStack": "MskClusterAuth/DefaultTest/DeployAssert", + "assertionStackName": "MskClusterAuthDefaultTestDeployAssert1991B19C" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/manifest.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/manifest.json similarity index 63% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/manifest.json rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/manifest.json index 41003f630ee64..e08440b3a070c 100644 --- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/manifest.json 
@@ -1,29 +1,29 @@ { "version": "38.0.1", "artifacts": { - "aws-cdk-msk-sasl-scram-iam-integ.assets": { + "aws-cdk-msk-auth-integ.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "aws-cdk-msk-sasl-scram-iam-integ.assets.json", + "file": "aws-cdk-msk-auth-integ.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "aws-cdk-msk-sasl-scram-iam-integ": { + "aws-cdk-msk-auth-integ": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "aws-cdk-msk-sasl-scram-iam-integ.template.json", + "templateFile": "aws-cdk-msk-auth-integ.template.json", "terminationProtection": false, "validateOnSynth": false, "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/bebaacb803cbd7702f959bbadc925ea654fbcc46464f713f3204e122be7ad825.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7c12b5b1fd96903b543fbfd848373b75380666868f6a835c113706d91d538e56.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "aws-cdk-msk-sasl-scram-iam-integ.assets" + "aws-cdk-msk-auth-integ.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", 
@@ -32,199 +32,225 @@ } }, "dependencies": [ - "aws-cdk-msk-sasl-scram-iam-integ.assets" + "aws-cdk-msk-auth-integ.assets" ], "metadata": { - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/Resource": [ + "/aws-cdk-msk-auth-integ/VPC/Resource": [ { "type": "aws:cdk:logicalId", "data": "VPCB9E5F0B4" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/Subnet": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet1/Subnet": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet1SubnetB4246D30" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/RouteTable": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet1/RouteTable": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet1RouteTableFEE4B781" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/RouteTableAssociation": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet1/RouteTableAssociation": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet1RouteTableAssociation0B0896DC" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/DefaultRoute": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet1/DefaultRoute": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet1DefaultRoute91CEF279" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/EIP": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet1/EIP": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet1EIP6AD938E8" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/NATGateway": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet1/NATGateway": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet1NATGatewayE0556630" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/Subnet": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet2/Subnet": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet2Subnet74179F39" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/RouteTable": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet2/RouteTable": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet2RouteTable6F1A15F1" } ], - 
"/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/RouteTableAssociation": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet2/RouteTableAssociation": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet2RouteTableAssociation5A808732" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/DefaultRoute": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet2/DefaultRoute": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet2DefaultRouteB7481BBA" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/EIP": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet2/EIP": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet2EIP4947BC00" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/NATGateway": [ + "/aws-cdk-msk-auth-integ/VPC/PublicSubnet2/NATGateway": [ { "type": "aws:cdk:logicalId", "data": "VPCPublicSubnet2NATGateway3C070193" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/Subnet": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/Subnet": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet1Subnet8BCA10E0" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/RouteTable": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/RouteTable": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet1RouteTableBE8A6027" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/RouteTableAssociation": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/RouteTableAssociation": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet1RouteTableAssociation347902D1" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/DefaultRoute": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/DefaultRoute": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet1DefaultRouteAE1D6490" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/Subnet": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/Subnet": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet2SubnetCFCDAA7A" } ], - 
"/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/RouteTable": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/RouteTable": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet2RouteTable0A19E10E" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/RouteTableAssociation": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/RouteTableAssociation": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet2RouteTableAssociation0C73D413" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/DefaultRoute": [ + "/aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/DefaultRoute": [ { "type": "aws:cdk:logicalId", "data": "VPCPrivateSubnet2DefaultRouteF4F5CFD2" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/IGW": [ + "/aws-cdk-msk-auth-integ/VPC/IGW": [ { "type": "aws:cdk:logicalId", "data": "VPCIGWB7E252D3" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/VPC/VPCGW": [ + "/aws-cdk-msk-auth-integ/VPC/VPCGW": [ { "type": "aws:cdk:logicalId", "data": "VPCVPCGW99B986DC" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SecurityGroup/Resource": [ + "/aws-cdk-msk-auth-integ/CertificateAuthority": [ { "type": "aws:cdk:logicalId", - "data": "ClusterSaslScramIamSecurityGroup3617243A" + "data": "CertificateAuthority" + }, + { + "type": "Description", + "data": "Signing authority for Certificates" + } + ], + "/aws-cdk-msk-auth-integ/Certificate": [ + { + "type": "aws:cdk:logicalId", + "data": "Certificate" + }, + { + "type": "Description", + "data": "Certificate for signing requests from MSK-Cluster" + } + ], + "/aws-cdk-msk-auth-integ/CertificateActivation": [ + { + "type": "aws:cdk:logicalId", + "data": "CertificateActivation" + } + ], + "/aws-cdk-msk-auth-integ/Cluster/SecurityGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ClusterSecurityGroup0921994B" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SASLKey/Resource": [ + "/aws-cdk-msk-auth-integ/Cluster/SASLKey/Resource": [ { "type": "aws:cdk:logicalId", - "data": 
"ClusterSaslScramIamSASLKey1ED07A25" + "data": "ClusterSASLKeyC4AE65F3" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SASLKey/Alias/Resource": [ + "/aws-cdk-msk-auth-integ/Cluster/SASLKey/Alias/Resource": [ { "type": "aws:cdk:logicalId", - "data": "ClusterSaslScramIamSASLKeyAliasA5DD463A" + "data": "ClusterSASLKeyAliasCBD2665F" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/Resource": [ + "/aws-cdk-msk-auth-integ/Cluster/Resource": [ { "type": "aws:cdk:logicalId", - "data": "ClusterSaslScramIamBBCBE054" + "data": "ClusterEB0386A7" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/BootstrapVersion": [ + "/aws-cdk-msk-auth-integ/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/aws-cdk-msk-sasl-scram-iam-integ/CheckBootstrapVersion": [ + "/aws-cdk-msk-auth-integ/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "aws-cdk-msk-sasl-scram-iam-integ" + "displayName": "aws-cdk-msk-auth-integ" }, - "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets": { + "MskClusterAuthDefaultTestDeployAssert1991B19C.assets": { "type": "cdk:asset-manifest", "properties": { - "file": "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets.json", + "file": "MskClusterAuthDefaultTestDeployAssert1991B19C.assets.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" } }, - "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C": { + "MskClusterAuthDefaultTestDeployAssert1991B19C": { "type": "aws:cloudformation:stack", "environment": "aws://unknown-account/unknown-region", "properties": { - "templateFile": "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.template.json", + "templateFile": "MskClusterAuthDefaultTestDeployAssert1991B19C.template.json", "terminationProtection": false, "validateOnSynth": false, "notificationArns": [], 
@@ -234,7 +260,7 @@ "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ - "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets" + "MskClusterAuthDefaultTestDeployAssert1991B19C.assets" ], "lookupRole": { "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", @@ -243,23 +269,23 @@ } }, "dependencies": [ - "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C.assets" + "MskClusterAuthDefaultTestDeployAssert1991B19C.assets" ], "metadata": { - "/MskClusterSaslScramIam/DefaultTest/DeployAssert/BootstrapVersion": [ + "/MskClusterAuth/DefaultTest/DeployAssert/BootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "BootstrapVersion" } ], - "/MskClusterSaslScramIam/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + "/MskClusterAuth/DefaultTest/DeployAssert/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } ] }, - "displayName": "MskClusterSaslScramIam/DefaultTest/DeployAssert" + "displayName": "MskClusterAuth/DefaultTest/DeployAssert" }, "Tree": { "type": "cdk:tree", diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/tree.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/tree.json similarity index 79% rename from packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/tree.json rename to packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/tree.json index a2ab94bbb0108..080f8b8e0b979 100644 --- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/tree.json 
@@ -4,17 +4,17 @@ "id": "App", "path": "", "children": { - "aws-cdk-msk-sasl-scram-iam-integ": { - "id": "aws-cdk-msk-sasl-scram-iam-integ", - "path": "aws-cdk-msk-sasl-scram-iam-integ", + "aws-cdk-msk-auth-integ": { + "id": "aws-cdk-msk-auth-integ", + "path": "aws-cdk-msk-auth-integ", "children": { "VPC": { "id": "VPC", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC", + "path": "aws-cdk-msk-auth-integ/VPC", "children": { "Resource": { "id": "Resource", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/Resource", + "path": "aws-cdk-msk-auth-integ/VPC/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPC", "aws:cdk:cloudformation:props": { @@ -25,7 +25,7 @@ "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC" + "value": "aws-cdk-msk-auth-integ/VPC" } ] } @@ -37,11 +37,11 @@ }, "PublicSubnet1": { "id": "PublicSubnet1", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1", "children": { "Subnet": { "id": "Subnet", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/Subnet", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/Subnet", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { @@ -66,7 +66,7 @@ }, { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ], "vpcId": { @@ -81,7 +81,7 @@ }, "Acl": { "id": "Acl", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/Acl", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/Acl", "constructInfo": { "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" 
@@ -89,14 +89,14 @@ }, "RouteTable": { "id": "RouteTable", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/RouteTable", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/RouteTable", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ], "vpcId": { @@ -111,7 +111,7 @@ }, "RouteTableAssociation": { "id": "RouteTableAssociation", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/RouteTableAssociation", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/RouteTableAssociation", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", "aws:cdk:cloudformation:props": { @@ -130,7 +130,7 @@ }, "DefaultRoute": { "id": "DefaultRoute", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/DefaultRoute", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/DefaultRoute", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { @@ -150,7 +150,7 @@ }, "EIP": { "id": "EIP", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/EIP", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/EIP", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::EIP", "aws:cdk:cloudformation:props": { @@ -158,7 +158,7 @@ "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ] } @@ -170,7 +170,7 @@ }, "NATGateway": { "id": "NATGateway", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1/NATGateway", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1/NATGateway", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { 
@@ -186,7 +186,7 @@ "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet1" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet1" } ] } @@ -204,11 +204,11 @@ }, "PublicSubnet2": { "id": "PublicSubnet2", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2", "children": { "Subnet": { "id": "Subnet", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/Subnet", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/Subnet", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { @@ -233,7 +233,7 @@ }, { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ], "vpcId": { @@ -248,7 +248,7 @@ }, "Acl": { "id": "Acl", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/Acl", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/Acl", "constructInfo": { "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" @@ -256,14 +256,14 @@ }, "RouteTable": { "id": "RouteTable", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/RouteTable", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/RouteTable", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ], "vpcId": { @@ -278,7 +278,7 @@ }, "RouteTableAssociation": { "id": "RouteTableAssociation", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/RouteTableAssociation", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/RouteTableAssociation", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", "aws:cdk:cloudformation:props": { 
@@ -297,7 +297,7 @@ }, "DefaultRoute": { "id": "DefaultRoute", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/DefaultRoute", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/DefaultRoute", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { @@ -317,7 +317,7 @@ }, "EIP": { "id": "EIP", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/EIP", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/EIP", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::EIP", "aws:cdk:cloudformation:props": { @@ -325,7 +325,7 @@ "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ] } @@ -337,7 +337,7 @@ }, "NATGateway": { "id": "NATGateway", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2/NATGateway", + "path": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2/NATGateway", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { @@ -353,7 +353,7 @@ "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PublicSubnet2" + "value": "aws-cdk-msk-auth-integ/VPC/PublicSubnet2" } ] } @@ -371,11 +371,11 @@ }, "PrivateSubnet1": { "id": "PrivateSubnet1", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1", "children": { "Subnet": { "id": "Subnet", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/Subnet", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/Subnet", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { @@ -400,7 +400,7 @@ }, { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1" + "value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1" } ], "vpcId": { 
@@ -415,7 +415,7 @@ }, "Acl": { "id": "Acl", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/Acl", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/Acl", "constructInfo": { "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" @@ -423,14 +423,14 @@ }, "RouteTable": { "id": "RouteTable", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/RouteTable", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/RouteTable", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1" + "value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1" } ], "vpcId": { @@ -445,7 +445,7 @@ }, "RouteTableAssociation": { "id": "RouteTableAssociation", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/RouteTableAssociation", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/RouteTableAssociation", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", "aws:cdk:cloudformation:props": { @@ -464,7 +464,7 @@ }, "DefaultRoute": { "id": "DefaultRoute", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet1/DefaultRoute", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet1/DefaultRoute", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { @@ -490,11 +490,11 @@ }, "PrivateSubnet2": { "id": "PrivateSubnet2", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2", "children": { "Subnet": { "id": "Subnet", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/Subnet", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/Subnet", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { 
@@ -519,7 +519,7 @@ }, { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2" + "value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2" } ], "vpcId": { @@ -534,7 +534,7 @@ }, "Acl": { "id": "Acl", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/Acl", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/Acl", "constructInfo": { "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" @@ -542,14 +542,14 @@ }, "RouteTable": { "id": "RouteTable", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/RouteTable", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/RouteTable", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2" + "value": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2" } ], "vpcId": { @@ -564,7 +564,7 @@ }, "RouteTableAssociation": { "id": "RouteTableAssociation", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/RouteTableAssociation", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/RouteTableAssociation", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", "aws:cdk:cloudformation:props": { @@ -583,7 +583,7 @@ }, "DefaultRoute": { "id": "DefaultRoute", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/PrivateSubnet2/DefaultRoute", + "path": "aws-cdk-msk-auth-integ/VPC/PrivateSubnet2/DefaultRoute", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { @@ -609,14 +609,14 @@ }, "IGW": { "id": "IGW", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/IGW", + "path": "aws-cdk-msk-auth-integ/VPC/IGW", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::InternetGateway", "aws:cdk:cloudformation:props": { "tags": [ { "key": "Name", - "value": "aws-cdk-msk-sasl-scram-iam-integ/VPC" + "value": "aws-cdk-msk-auth-integ/VPC" } ] } 
@@ -628,7 +628,7 @@ }, "VPCGW": { "id": "VPCGW", - "path": "aws-cdk-msk-sasl-scram-iam-integ/VPC/VPCGW", + "path": "aws-cdk-msk-auth-integ/VPC/VPCGW", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCGatewayAttachment", "aws:cdk:cloudformation:props": { 
@@ -651,17 +651,106 @@ "version": "0.0.0" } }, - "ClusterSaslScramIam": { - "id": "ClusterSaslScramIam", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam", + "CertificateAuthority": { + "id": "CertificateAuthority", + "path": "aws-cdk-msk-auth-integ/CertificateAuthority", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ACMPCA::CertificateAuthority", + "aws:cdk:cloudformation:props": { + "keyAlgorithm": "RSA_2048", + "keyStorageSecurityStandard": "FIPS_140_2_LEVEL_3_OR_HIGHER", + "signingAlgorithm": "SHA256WITHRSA", + "subject": { + "commonName": "MSK Cluster Root CA", + "organization": "Amazon Web Services", + "organizationalUnit": "AWS-CDK", + "country": "DE", + "state": "Berlin", + "locality": "Berlin" + }, + "type": "ROOT" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_acmpca.CfnCertificateAuthority", + "version": "0.0.0" + } + }, + "Certificate": { + "id": "Certificate", + "path": "aws-cdk-msk-auth-integ/Certificate", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ACMPCA::Certificate", + "aws:cdk:cloudformation:props": { + "certificateAuthorityArn": { + "Fn::GetAtt": [ + "CertificateAuthority", + "Arn" + ] + }, + "certificateSigningRequest": { + "Fn::GetAtt": [ + "CertificateAuthority", + "CertificateSigningRequest" + ] + }, + "signingAlgorithm": "SHA256WITHRSA", + "templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1", + "validity": { + "type": "YEARS", + "value": 1 + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_acmpca.CfnCertificate", + "version": "0.0.0" + } + }, + "CertificateActivation": { + "id": "CertificateActivation", + "path": "aws-cdk-msk-auth-integ/CertificateActivation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::ACMPCA::CertificateAuthorityActivation", + "aws:cdk:cloudformation:props": { + "certificate": { + "Fn::GetAtt": [ + "Certificate", + "Certificate" + ] + }, + "certificateAuthorityArn": { + "Fn::GetAtt": [ + "CertificateAuthority", + "Arn" + ] + } + } + }, + 
"constructInfo": { + "fqn": "aws-cdk-lib.aws_acmpca.CfnCertificateAuthorityActivation", + "version": "0.0.0" + } + }, + "PrivateCA": { + "id": "PrivateCA", + "path": "aws-cdk-msk-auth-integ/PrivateCA", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Cluster": { + "id": "Cluster", + "path": "aws-cdk-msk-auth-integ/Cluster", "children": { "SecurityGroup": { "id": "SecurityGroup", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SecurityGroup", + "path": "aws-cdk-msk-auth-integ/Cluster/SecurityGroup", "children": { "Resource": { "id": "Resource", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SecurityGroup/Resource", + "path": "aws-cdk-msk-auth-integ/Cluster/SecurityGroup/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup", "aws:cdk:cloudformation:props": { @@ -691,11 +780,11 @@ }, "SASLKey": { "id": "SASLKey", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SASLKey", + "path": "aws-cdk-msk-auth-integ/Cluster/SASLKey", "children": { "Resource": { "id": "Resource", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SASLKey/Resource", + "path": "aws-cdk-msk-auth-integ/Cluster/SASLKey/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::KMS::Key", "aws:cdk:cloudformation:props": { 
@@ -772,18 +861,18 @@ }, "Alias": { "id": "Alias", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SASLKey/Alias", + "path": "aws-cdk-msk-auth-integ/Cluster/SASLKey/Alias", "children": { "Resource": { "id": "Resource", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/SASLKey/Alias/Resource", + "path": "aws-cdk-msk-auth-integ/Cluster/SASLKey/Alias/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::KMS::Alias", "aws:cdk:cloudformation:props": { - "aliasName": "alias/msk/integ-test-sasl-scram-iam-auth/sasl/scram", + "aliasName": "alias/msk/integ-test-auth/sasl/scram", "targetKeyId": { "Fn::GetAtt": [ - "ClusterSaslScramIamSASLKey1ED07A25", + "ClusterSASLKeyC4AE65F3", "Arn" ] } @@ -808,7 +897,7 @@ }, "Resource": { "id": "Resource", - "path": "aws-cdk-msk-sasl-scram-iam-integ/ClusterSaslScramIam/Resource", + "path": "aws-cdk-msk-auth-integ/Cluster/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::MSK::Cluster", "aws:cdk:cloudformation:props": { @@ -825,7 +914,7 @@ "securityGroups": [ { "Fn::GetAtt": [ - "ClusterSaslScramIamSecurityGroup3617243A", + "ClusterSecurityGroup0921994B", "GroupId" ] } @@ -844,9 +933,20 @@ "scram": { "enabled": true } + }, + "tls": { + "certificateAuthorityArnList": [ + { + "Fn::GetAtt": [ + "CertificateAuthority", + "Arn" + ] + } + ], + "enabled": true } }, - "clusterName": "integ-test-sasl-scram-iam-auth", + "clusterName": "integ-test-auth", "encryptionInfo": { "encryptionInTransit": { "clientBroker": "TLS", @@ -883,7 +983,7 @@ }, "BootstrapVersion": { "id": "BootstrapVersion", - "path": "aws-cdk-msk-sasl-scram-iam-integ/BootstrapVersion", + "path": "aws-cdk-msk-auth-integ/BootstrapVersion", "constructInfo": { "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" 
@@ -891,7 +991,7 @@ }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", - "path": "aws-cdk-msk-sasl-scram-iam-integ/CheckBootstrapVersion", + "path": "aws-cdk-msk-auth-integ/CheckBootstrapVersion", "constructInfo": { "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" @@ -903,17 +1003,17 @@ "version": "0.0.0" } }, - "MskClusterSaslScramIam": { - "id": "MskClusterSaslScramIam", - "path": "MskClusterSaslScramIam", + "MskClusterAuth": { + "id": "MskClusterAuth", + "path": "MskClusterAuth", "children": { "DefaultTest": { "id": "DefaultTest", - "path": "MskClusterSaslScramIam/DefaultTest", + "path": "MskClusterAuth/DefaultTest", "children": { "Default": { "id": "Default", - "path": "MskClusterSaslScramIam/DefaultTest/Default", + "path": "MskClusterAuth/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", "version": "10.3.0" @@ -921,11 +1021,11 @@ }, "DeployAssert": { "id": "DeployAssert", - "path": "MskClusterSaslScramIam/DefaultTest/DeployAssert", + "path": "MskClusterAuth/DefaultTest/DeployAssert", "children": { "BootstrapVersion": { "id": "BootstrapVersion", - "path": "MskClusterSaslScramIam/DefaultTest/DeployAssert/BootstrapVersion", + "path": "MskClusterAuth/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { "fqn": "aws-cdk-lib.CfnParameter", "version": "0.0.0" @@ -933,7 +1033,7 @@ }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", - "path": "MskClusterSaslScramIam/DefaultTest/DeployAssert/CheckBootstrapVersion", + "path": "MskClusterAuth/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.ts b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.ts new file mode 100644 index 0000000000000..da4076f74a65b --- /dev/null +++ b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.ts 
@@ -0,0 +1,78 @@
+import {
+ CertificateAuthority,
+ CfnCertificate,
+ CfnCertificateAuthority,
+ CfnCertificateAuthorityActivation,
+} from 'aws-cdk-lib/aws-acmpca';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import * as msk from '../lib';
+
+const app = new cdk.App();
+
+class MskClusterAuthTestStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const vpc = new ec2.Vpc(this, 'VPC', { maxAzs: 2, restrictDefaultSecurityGroup: false });
+
+ const certSigningAlgorithm = 'SHA256WITHRSA';
+ const privateCA = new CfnCertificateAuthority(this, 'CertificateAuthority', {
+ keyAlgorithm: 'RSA_2048',
+ signingAlgorithm: certSigningAlgorithm,
+ keyStorageSecurityStandard: 'FIPS_140_2_LEVEL_3_OR_HIGHER',
+ type: 'ROOT',
+ subject: {
+ commonName: 'MSK Cluster Root CA',
+ organization: 'Amazon Web Services',
+ organizationalUnit: 'AWS-CDK',
+ country: 'DE',
+ state: 'Berlin',
+ locality: 'Berlin',
+ },
+ });
+
+ privateCA.node.addMetadata('Description', 'Signing authority for Certificates');
+
+ const cert = new CfnCertificate(this, 'Certificate', {
+ certificateAuthorityArn: privateCA.attrArn,
+ certificateSigningRequest: privateCA.attrCertificateSigningRequest,
+ signingAlgorithm: certSigningAlgorithm,
+ templateArn: 'arn:aws:acm-pca:::template/RootCACertificate/V1',
+ validity: { type: 'YEARS', value: 1 },
+ });
+ cert.node.addMetadata('Description', 'Certificate for signing requests from MSK-Cluster');
+
+ // Activating the certificate using the signing cert authority
+ const certActivation = new CfnCertificateAuthorityActivation(this, 'CertificateActivation', {
+ certificateAuthorityArn: privateCA.attrArn,
+ certificate: cert.attrCertificate,
+ });
+
+ // SASL/SCRAM, IAM, and TLS authenticated MSK cluster integ test
+ const cluster = new msk.Cluster(this, 'Cluster', {
+ clusterName: 'integ-test-auth',
+ kafkaVersion: msk.KafkaVersion.V3_6_0,
+ vpc,
+ encryptionInTransit: {
+ clientBroker: msk.ClientBrokerEncryption.TLS,
+ },
+ clientAuthentication: msk.ClientAuthentication.saslTls({
+ iam: true,
+ scram: true,
+ certificateAuthorities: [CertificateAuthority.fromCertificateAuthorityArn(this, 'PrivateCA', privateCA.attrArn)],
+ }),
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ });
+
+ cluster.node.addDependency(certActivation);
+ }
+}
+
+const stack = new MskClusterAuthTestStack(app, 'aws-cdk-msk-auth-integ');
+
+new IntegTest(app, 'MskClusterAuth', {
+ testCases: [stack],
+});
+
+app.synth();
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/integ.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/integ.json
deleted file mode 100644
index 614dd7fee5203..0000000000000
--- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.js.snapshot/integ.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "version": "38.0.1",
- "testCases": {
- "MskClusterSaslScramIam/DefaultTest": {
- "stacks": [
- "aws-cdk-msk-sasl-scram-iam-integ"
- ],
- "assertionStack": "MskClusterSaslScramIam/DefaultTest/DeployAssert",
- "assertionStackName": "MskClusterSaslScramIamDefaultTestDeployAssert9AC3A11C"
- }
- }
-}
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.ts b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.ts
deleted file mode 100644
index dbe2d98974222..0000000000000
--- a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-sasl-scram-iam.ts
+++ /dev/null
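Review bot: The `templateArn` passed to `CfnCertificate` hard-codes the `aws` partition (`arn:aws:acm-pca:::template/RootCACertificate/V1`), so the synthesized template is only valid in the commercial partition and would reference a non-existent ARN in GovCloud or China regions; build it from the stack's partition token instead: `` templateArn: `arn:${this.partition}:acm-pca:::template/RootCACertificate/V1`, ``. The `cluster.node.addDependency(certActivation)` line is the ordering that makes TLS client authentication work and deserves a why-comment, e.g. `// the cluster must not reference the private CA before its activation resource has been created`; the precise failure when MSK is handed a CA that is not yet active is not shown here, so state it as the intent rather than a guarantee. The `certificateAuthorities` entry imports the CA defined a few lines above under a second construct id (`PrivateCA`); a one-line comment that this wraps the same `privateCA` as an `ICertificateAuthority` would save a reader from looking for a second CA.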
@@ -1,36 +0,0 @@
-import * as ec2 from 'aws-cdk-lib/aws-ec2';
-import * as cdk from 'aws-cdk-lib';
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
-import * as msk from '../lib';
-
-const app = new cdk.App();
-
-class MskClusterSaslScramIamStack extends cdk.Stack {
- constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
- super(scope, id, props);
- const vpc = new ec2.Vpc(this, 'VPC', { maxAzs: 2, restrictDefaultSecurityGroup: false });
-
- // SASL/SCRAM and IAM authenticated msk cluster integ test
- new msk.Cluster(this, 'ClusterSaslScramIam', {
- clusterName: 'integ-test-sasl-scram-iam-auth',
- kafkaVersion: msk.KafkaVersion.V3_6_0,
- vpc,
- encryptionInTransit: {
- clientBroker: msk.ClientBrokerEncryption.TLS,
- },
- clientAuthentication: msk.ClientAuthentication.sasl({
- iam: true,
- scram: true,
- }),
- removalPolicy: cdk.RemovalPolicy.DESTROY,
- });
- }
-}
-
-const stack = new MskClusterSaslScramIamStack(app, 'aws-cdk-msk-sasl-scram-iam-integ');
-
-new IntegTest(app, 'MskClusterSaslScramIam', {
- testCases: [stack],
-});
-
-app.synth();