feat: Added new input iam_token_only. If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans.<br>UPGRADE NOTE: When updating to this version, you will see an expected update for the parameters_json configuration which is adding the new iam_token_only input (#381)

kccox · web-flow · commit 1d9e7ce1a8ea · 2025-03-11T15:05:36.000Z
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-11T12:42:07Z",
+  "generated_at": "2023-12-12T12:42:07Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
diff --git a/README.md b/README.md
@@ -144,6 +144,7 @@ You need the following permissions to run this module.
 | <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size. | `string` | `"3h"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | The timeout value for deleting an Event Streams instance. | `string` | `"15m"` | no |
 | <a name="input_es_name"></a> [es\_name](#input\_es\_name) | The name to give the Event Streams instance created by this module. | `string` | n/a | yes |
+| <a name="input_iam_token_only"></a> [iam\_token\_only](#input\_iam\_token\_only) | If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans. | `bool` | `false` | no |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the key management service (Key Protect or Hyper Protect Crypto Services) to use to encrypt the payload data. [Learn more](https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption) about integrating Hyper Protect Crypto Services with Event Streams. | `string` | `null` | no |
 | <a name="input_metrics"></a> [metrics](#input\_metrics) | Enhanced metrics to activate, as list of strings. Only allowed for enterprise plans. Allowed values: 'topic', 'partition', 'consumers'. | `list(string)` | `[]` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
@@ -345,6 +345,9 @@
             },
             {
               "key": "existing_kms_key_crn"
+            },
+            {
+              "key": "iam_token_only"
             }
           ],
           "iam_permissions": [
diff --git a/main.tf b/main.tf
@@ -30,11 +30,13 @@ locals {
   validate_mirroring_topics = var.mirroring == null && var.mirroring_topic_patterns != null ? tobool("When passing values for var.mirroring_topic_patterns, values must also be passed for var.mirroring.") : true
   # tflint-ignore: terraform_unused_declarations
   validate_mirroring_config = var.mirroring != null && var.mirroring_topic_patterns == null ? tobool("When passing values for var.mirroring, values must also be passed for var.mirroring_topic_patterns.") : true
-  parsed_kms_key_crn        = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
-  kms_service               = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
-  kms_scope                 = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
-  kms_account_id            = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
-  kms_key_id                = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
+  # tflint-ignore: terraform_unused_declarations
+  validate_iam_token_only = var.plan != "enterprise-3nodes-2tb" && var.iam_token_only ? tobool("iam_token_only is only supported for enterprise plan") : true
+  parsed_kms_key_crn      = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
+  kms_service             = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
+  kms_scope               = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
+  kms_account_id          = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
+  kms_key_id              = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
@@ -63,6 +65,7 @@ resource "ibm_resource_instance" "es_instance" {
       service-endpoints = var.service_endpoints
       throughput        = tostring(var.throughput)
       storage_size      = tostring(var.storage_size)
+      iam_token_only    = var.iam_token_only
       metrics           = var.metrics
       kms_key_crn       = var.kms_key_crn
       mirroring         = var.mirroring
@@ -72,6 +75,7 @@ resource "ibm_resource_instance" "es_instance" {
       service-endpoints = var.service_endpoints
       throughput        = tostring(var.throughput)
       storage_size      = tostring(var.storage_size)
+      iam_token_only    = var.iam_token_only
     }
   )
 }
diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
@@ -31,6 +31,7 @@ No resources.
 | <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size. | `string` | `"3h"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | The timeout value for deleting an Event Streams instance. | `string` | `"15m"` | no |
 | <a name="input_es_name"></a> [es\_name](#input\_es\_name) | The name of the Event Streams instance. | `string` | n/a | yes |
+| <a name="input_iam_token_only"></a> [iam\_token\_only](#input\_iam\_token\_only) | If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans. | `bool` | `false` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the key management service (Key Protect or Hyper Protect Crypto Services) to use to encrypt the payload data. | `string` | n/a | yes |
 | <a name="input_metrics"></a> [metrics](#input\_metrics) | Enhanced metrics to activate, as list of strings. Allowed values: 'topic', 'partition', 'consumers'. | `list(string)` | `[]` | no |
 | <a name="input_mirroring"></a> [mirroring](#input\_mirroring) | Event Streams mirroring configuration. Required only if creating mirroring instance. For more information on mirroring, see https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-mirroring. | <pre>object({<br/>    source_crn   = string<br/>    source_alias = string<br/>    target_alias = string<br/>    options = optional(object({<br/>      topic_name_transform = object({<br/>        type = string<br/>        rename = optional(object({<br/>          add_prefix    = optional(string)<br/>          add_suffix    = optional(string)<br/>          remove_prefix = optional(string)<br/>          remove_suffix = optional(string)<br/>        }))<br/>      })<br/>      group_id_transform = object({<br/>        type = string<br/>        rename = optional(object({<br/>          add_prefix    = optional(string)<br/>          add_suffix    = optional(string)<br/>          remove_prefix = optional(string)<br/>          remove_suffix = optional(string)<br/>        }))<br/>      })<br/>    }))<br/>  })</pre> | `null` | no |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
@@ -20,6 +20,7 @@ module "event_streams" {
   kms_encryption_enabled               = true
   mirroring_topic_patterns             = var.mirroring_topic_patterns
   mirroring                            = var.mirroring
+  iam_token_only                       = var.iam_token_only
   create_timeout                       = var.create_timeout
   update_timeout                       = var.update_timeout
   delete_timeout                       = var.delete_timeout
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
@@ -163,6 +163,12 @@ variable "mirroring" {
   default = null
 }
 
+variable "iam_token_only" {
+  type        = bool
+  description = "If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans."
+  default     = false
+}
+
 variable "create_timeout" {
   type        = string
   description = "The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size."
diff --git a/solutions/enterprise/main.tf b/solutions/enterprise/main.tf
@@ -159,6 +159,7 @@ module "event_streams" {
   mirroring                            = var.mirroring
   cbr_rules                            = var.cbr_rules
   schema_global_rule                   = var.schema_global_rule
+  iam_token_only                       = var.iam_token_only
   skip_kms_iam_authorization_policy    = var.skip_event_streams_kms_auth_policy
   skip_es_s2s_iam_authorization_policy = var.skip_event_streams_s2s_iam_auth_policy
   create_timeout                       = var.create_timeout
diff --git a/solutions/enterprise/variables.tf b/solutions/enterprise/variables.tf
@@ -253,6 +253,12 @@ variable "ibmcloud_kms_api_key" {
   default     = null
 }
 
+variable "iam_token_only" {
+  type        = bool
+  description = "If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans."
+  default     = false
+}
+
 variable "create_timeout" {
   type        = string
   description = "The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size."
diff --git a/variables.tf b/variables.tf
@@ -261,3 +261,9 @@ variable "mirroring" {
   })
   default = null
 }
+
+variable "iam_token_only" {
+  type        = bool
+  description = "If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans."
+  default     = false
+}

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"files": "go.sum\|^.secrets.baseline$",`
`4`	`4`	`"lines": null`
`5`	`5`	`},`
`6`		`- "generated_at": "2023-12-11T12:42:07Z",`
	`6`	`+ "generated_at": "2023-12-12T12:42:07Z",`
`7`	`7`	`"plugins_used": [`
`8`	`8`	`{`
`9`	`9`	`"name": "AWSKeyDetector"`
Original file line number	Diff line number	Diff line change
`@@ -345,6 +345,9 @@`
`345`	`345`	`},`
`346`	`346`	`{`
`347`	`347`	`"key": "existing_kms_key_crn"`
	`348`	`+ },`
	`349`	`+ {`
	`350`	`+ "key": "iam_token_only"`
`348`	`351`	`}`
`349`	`352`	`],`
`350`	`353`	`"iam_permissions": [`