MSK updates (#252)

ManagedKube · Feb 11, 2022 · 46ad8a7 · 46ad8a7
1 parent 54bc862
commit 46ad8a7
Show file tree

Hide file tree

Showing 2 changed files with 144 additions and 20 deletions.
diff --git a/terraform-modules/aws/msk/main.tf b/terraform-modules/aws/msk/main.tf
@@ -1,24 +1,127 @@
-provider "aws" {
-  region = var.aws_region
+locals{
+  years_valid = 10 
 }
 
 resource "aws_cloudwatch_log_group" "msk_cloudwatch_log_group" {
   name = var.cloudwatch_logs_log_group
   tags = var.tags
 }
 
-module "msk_log_bucket" {
-  source                  = "git::[email protected]:managedkube/kubernetes-ops.git//terraform-modules/aws/s3_bucket?ref=v0.0.8"
-  bucket                  = var.s3_logs_bucket
-  acl                     = "private"
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+#######################################
+# S3 bucket
+#######################################
+resource "aws_kms_key" "this" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = 10
 }
 
+resource "aws_s3_bucket" "this" {
+  bucket = var.s3_logs_bucket
+  tags   = var.tags
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.this.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.this.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "acmpca_bucket_access" {
+  statement {
+    actions = [
+      "s3:GetBucketAcl",
+      "s3:GetBucketLocation",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+    ]
+
+    resources = [
+      aws_s3_bucket.this.arn,
+      "${aws_s3_bucket.this.arn}/*",
+    ]
+
+    principals {
+      identifiers = ["acm-pca.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.acmpca_bucket_access.json
+}
+
+#######################################
+# Private CA
+#######################################
+data "aws_partition" "current" {
+}
+
+resource "aws_acmpca_certificate_authority_certificate" "cacert" {
+  certificate_authority_arn = aws_acmpca_certificate_authority.this.arn
+
+  certificate       = aws_acmpca_certificate.cert.certificate
+  certificate_chain = aws_acmpca_certificate.cert.certificate_chain
+}
+
+resource "aws_acmpca_certificate" "cert" {
+  certificate_authority_arn   = aws_acmpca_certificate_authority.this.arn
+  certificate_signing_request = aws_acmpca_certificate_authority.this.certificate_signing_request
+  signing_algorithm           = "SHA512WITHRSA"
+
+  template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"
+
+  validity {
+    type  = "YEARS"
+    value = local.years_valid
+  }
+}
+
+resource "aws_acmpca_certificate_authority" "this" {
+  certificate_authority_configuration {
+    key_algorithm     = var.key_algorithm
+    signing_algorithm = var.signing_algorithm
+
+    subject {
+      common_name = var.common_name
+    }
+  }
+
+  type = "ROOT"
+
+  revocation_configuration {
+    crl_configuration {
+      custom_cname       = "crl.${var.common_name}"
+      # Disabling the CRL b/c the S3 bucket requirements are weird.  When creating the CA resource
+      # it keeps on complaining about the S3 bucket permissions is not set correctly.
+      enabled            = false
+      expiration_in_days = var.expiration_in_days
+      s3_bucket_name     = aws_s3_bucket.this.id
+    }
+  }
+
+  tags   = var.tags
+
+  depends_on = [aws_s3_bucket_policy.this]
+}
+
+#######################################
+# MSK Cluster
+#######################################
 module "msk" {
-  source                         = "git::https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster.git?ref=0.6.0"
+  source                         = "cloudposse/msk-apache-kafka-cluster/aws"
+  version                        = "v0.8.3"
   namespace                      = var.namespace
   name                           = var.name
   vpc_id                         = var.vpc_id
@@ -31,21 +134,22 @@ module "msk" {
   broker_instance_type           = var.broker_instance_type
   broker_volume_size             = var.broker_volume_size
   tags                           = var.tags
-  certificate_authority_arns     = var.certificate_authority_arns
+  certificate_authority_arns     = [aws_acmpca_certificate_authority.this.arn]
   client_tls_auth_enabled        = var.client_tls_auth_enabled
   encryption_in_cluster          = var.encryption_in_cluster
   encryption_at_rest_kms_key_arn = var.encryption_at_rest_kms_key_arn
   cloudwatch_logs_enabled        = var.cloudwatch_logs_enabled
   cloudwatch_logs_log_group      = var.cloudwatch_logs_enabled == true ? var.cloudwatch_logs_log_group : ""
   enhanced_monitoring            = var.enhanced_monitoring
   node_exporter_enabled          = var.node_exporter_enabled
-  s3_logs_bucket                 = var.s3_logs_enabled == true ? var.s3_logs_bucket : ""
+  s3_logs_bucket                 = var.s3_logs_enabled == true ? aws_s3_bucket.this.id : ""
   s3_logs_enabled                = var.s3_logs_enabled
   s3_logs_prefix                 = var.s3_logs_enabled == true ? var.s3_logs_prefix : ""
 
   depends_on = [
     aws_cloudwatch_log_group.msk_cloudwatch_log_group,
-    module.msk_log_bucket
+    aws_s3_bucket.this,
+    aws_acmpca_certificate.cert
   ]
 }
 

diff --git a/terraform-modules/aws/msk/variables.tf b/terraform-modules/aws/msk/variables.tf
@@ -109,12 +109,32 @@ variable "security_groups" {
   description = "The security_group_id_list output from the security_groups module"
 }
 
-variable "certificate_authority_arns" {
-  type        = list(string)
-  description = "List of ACM Certificate Authority Amazon Resource Names (ARNs) to be used for TLS client authentication"
-}
-
 variable "client_tls_auth_enabled" {
   type        = bool
   description = "Set true to enable the Client TLS Authentication"
-}
+}
+
+variable "common_name" {
+ type        = string
+ description = "The common name for the CA"
+ default     = "example.com"
+}
+
+variable "expiration_in_days" {
+ type        = number
+ description = "The CA expiration in days"
+ default     = 7
+}
+
+variable "key_algorithm" {
+ type        = string
+ description = "The CA key algorithm"
+ default     = "RSA_4096"
+}
+
+variable "signing_algorithm" {
+ type        = string
+ description = "The CA signing algorithm"
+ default     = "SHA512WITHRSA"
+}
+