
Commit 1d9e7ce

authored
feat: Added new input iam_token_only. If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans.

UPGRADE NOTE: When updating to this version, you will see an expected update to the parameters_json configuration, which adds the new iam_token_only input (#381)
1 parent b7aa629 commit 1d9e7ce


10 files changed

+35
-6
lines changed


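--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
-"generated_at": "2023-12-11T12:42:07Z",
+"generated_at": "2023-12-12T12:42:07Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"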

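--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ You need the following permissions to run this module.
 | <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size. | `string` | `"3h"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | The timeout value for deleting an Event Streams instance. | `string` | `"15m"` | no |
 | <a name="input_es_name"></a> [es\_name](#input\_es\_name) | The name to give the Event Streams instance created by this module. | `string` | n/a | yes |
+| <a name="input_iam_token_only"></a> [iam\_token\_only](#input\_iam\_token\_only) | If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans. | `bool` | `false` | no |
 | <a name="input_kms_encryption_enabled"></a> [kms\_encryption\_enabled](#input\_kms\_encryption\_enabled) | Set this to true to control the encryption keys used to encrypt the data that you store in IBM Cloud® Databases. If set to false, the data is encrypted by using randomly generated keys. For more info on Key Protect integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-key-protect. For more info on HPCS integration, see https://cloud.ibm.com/docs/cloud-databases?topic=cloud-databases-hpcs | `bool` | `false` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the key management service (Key Protect or Hyper Protect Crypto Services) to use to encrypt the payload data. [Learn more](https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-managing_encryption) about integrating Hyper Protect Crypto Services with Event Streams. | `string` | `null` | no |
 | <a name="input_metrics"></a> [metrics](#input\_metrics) | Enhanced metrics to activate, as list of strings. Only allowed for enterprise plans. Allowed values: 'topic', 'partition', 'consumers'. | `list(string)` | `[]` | no |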

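--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -345,6 +345,9 @@
 },
 {
 "key": "existing_kms_key_crn"
+},
+{
+"key": "iam_token_only"
 }
 ],
 "iam_permissions": [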

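--- a/main.tf
+++ b/main.tf
@@ -30,11 +30,13 @@ locals {
 validate_mirroring_topics = var.mirroring == null && var.mirroring_topic_patterns != null ? tobool("When passing values for var.mirroring_topic_patterns, values must also be passed for var.mirroring.") : true
 # tflint-ignore: terraform_unused_declarations
 validate_mirroring_config = var.mirroring != null && var.mirroring_topic_patterns == null ? tobool("When passing values for var.mirroring, values must also be passed for var.mirroring_topic_patterns.") : true
-parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
-kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
-kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
-kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
-kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
+# tflint-ignore: terraform_unused_declarations
+validate_iam_token_only = var.plan != "enterprise-3nodes-2tb" && var.iam_token_only ? tobool("iam_token_only is only supported for enterprise plan") : true
+parsed_kms_key_crn = var.kms_key_crn != null ? split(":", var.kms_key_crn) : []
+kms_service = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[4] : null
+kms_scope = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[6] : null
+kms_account_id = length(local.parsed_kms_key_crn) > 0 ? split("/", local.kms_scope)[1] : null
+kms_key_id = length(local.parsed_kms_key_crn) > 0 ? local.parsed_kms_key_crn[9] : null
 }
 
 # workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
@@ -63,6 +65,7 @@ resource "ibm_resource_instance" "es_instance" {
 service-endpoints = var.service_endpoints
 throughput = tostring(var.throughput)
 storage_size = tostring(var.storage_size)
+iam_token_only = var.iam_token_only
 metrics = var.metrics
 kms_key_crn = var.kms_key_crn
 mirroring = var.mirroring
@@ -72,6 +75,7 @@ resource "ibm_resource_instance" "es_instance" {
 service-endpoints = var.service_endpoints
 throughput = tostring(var.throughput)
 storage_size = tostring(var.storage_size)
+iam_token_only = var.iam_token_only
 }
 )
 }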
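Review bot: `validate_iam_token_only` only rejects `iam_token_only = true` on non-enterprise plans, yet both parameter blocks in the `es_instance` resource now send `iam_token_only = var.iam_token_only` unconditionally, so every non-enterprise instance will start receiving `iam_token_only = false` in parameters_json on the next apply. If the service rejects plan-restricted keys rather than ignoring them, that turns the "expected update" from the commit message into a failed update for existing lite/standard instances; I cannot see the condition that selects between the two blocks, so please confirm this against the provider with a non-enterprise plan. A safer shape is to emit the key only when it is enabled, e.g. `merge({ ... }, var.iam_token_only ? { iam_token_only = true } : {})`, which also keeps existing state diffs quiet for users who do not opt in. The `es_instance` resource starts and continues outside these hunks.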

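--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -31,6 +31,7 @@ No resources.
 | <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size. | `string` | `"3h"` | no |
 | <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | The timeout value for deleting an Event Streams instance. | `string` | `"15m"` | no |
 | <a name="input_es_name"></a> [es\_name](#input\_es\_name) | The name of the Event Streams instance. | `string` | n/a | yes |
+| <a name="input_iam_token_only"></a> [iam\_token\_only](#input\_iam\_token\_only) | If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans. | `bool` | `false` | no |
 | <a name="input_kms_key_crn"></a> [kms\_key\_crn](#input\_kms\_key\_crn) | The root key CRN of the key management service (Key Protect or Hyper Protect Crypto Services) to use to encrypt the payload data. | `string` | n/a | yes |
 | <a name="input_metrics"></a> [metrics](#input\_metrics) | Enhanced metrics to activate, as list of strings. Allowed values: 'topic', 'partition', 'consumers'. | `list(string)` | `[]` | no |
 | <a name="input_mirroring"></a> [mirroring](#input\_mirroring) | Event Streams mirroring configuration. Required only if creating mirroring instance. For more information on mirroring, see https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-mirroring. | <pre>object({<br/> source_crn = string<br/> source_alias = string<br/> target_alias = string<br/> options = optional(object({<br/> topic_name_transform = object({<br/> type = string<br/> rename = optional(object({<br/> add_prefix = optional(string)<br/> add_suffix = optional(string)<br/> remove_prefix = optional(string)<br/> remove_suffix = optional(string)<br/> }))<br/> })<br/> group_id_transform = object({<br/> type = string<br/> rename = optional(object({<br/> add_prefix = optional(string)<br/> add_suffix = optional(string)<br/> remove_prefix = optional(string)<br/> remove_suffix = optional(string)<br/> }))<br/> })<br/> }))<br/> })</pre> | `null` | no |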

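--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -20,6 +20,7 @@ module "event_streams" {
 kms_encryption_enabled = true
 mirroring_topic_patterns = var.mirroring_topic_patterns
 mirroring = var.mirroring
+iam_token_only = var.iam_token_only
 create_timeout = var.create_timeout
 update_timeout = var.update_timeout
 delete_timeout = var.delete_timeout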
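Review bot: This profile module pins `kms_encryption_enabled = true` but passes `iam_token_only = var.iam_token_only` straight through with a default of `false`, so the hardened wrapper leaves SASL PLAIN (API-key password) authentication enabled unless the caller opts in. If the fscloud module is meant to enforce secure-by-default settings, as the pinned KMS line suggests, the consistent choice is `iam_token_only = true` here (or a `true` default on the new variable) rather than inheriting the root module's permissive default. If keeping it opt-in is deliberate because of existing SASL PLAIN clients, a short comment next to the line saying so would stop the next reviewer from raising the same question, e.g. `# opt-in: enabling this cuts off clients that authenticate with SASL PLAIN`. The `module "event_streams"` block starts outside the hunk.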

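--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -163,6 +163,12 @@ variable "mirroring" {
 default = null
 }
 
+variable "iam_token_only" {
+type = bool
+description = "If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans."
+default = false
+}
+
 variable "create_timeout" {
 type = string
 description = "The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size."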

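--- a/solutions/enterprise/main.tf
+++ b/solutions/enterprise/main.tf
@@ -159,6 +159,7 @@ module "event_streams" {
 mirroring = var.mirroring
 cbr_rules = var.cbr_rules
 schema_global_rule = var.schema_global_rule
+iam_token_only = var.iam_token_only
 skip_kms_iam_authorization_policy = var.skip_event_streams_kms_auth_policy
 skip_es_s2s_iam_authorization_policy = var.skip_event_streams_s2s_iam_auth_policy
 create_timeout = var.create_timeout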

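--- a/solutions/enterprise/variables.tf
+++ b/solutions/enterprise/variables.tf
@@ -253,6 +253,12 @@ variable "ibmcloud_kms_api_key" {
 default = null
 }
 
+variable "iam_token_only" {
+type = bool
+description = "If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans."
+default = false
+}
+
 variable "create_timeout" {
 type = string
 description = "The timeout value for creating an Event Streams instance. Specify `3h` for an Enterprise plan instance. Add 1 h for each level of non-default throughput. Add 30 min for each level of non-default storage size."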

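--- a/variables.tf
+++ b/variables.tf
@@ -261,3 +261,9 @@ variable "mirroring" {
 })
 default = null
 }
+
+variable "iam_token_only" {
+type = bool
+description = "If set to true, disables Kafka's SASL PLAIN authentication method, only allowing clients to authenticate with SASL OAUTHBEARER via IAM access token. For more information, see: https://cloud.ibm.com/docs/EventStreams?topic=EventStreams-security. Only allowed for enterprise plans."
+default = false
+}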
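Review bot: The description of `iam_token_only` explains what `true` does but not the operational consequences an operator needs before flipping it: the default `false` keeps SASL PLAIN enabled, and enabling it on a running instance appears to be an in-place parameter update (the commit message describes a parameters_json change) that will immediately reject any client still authenticating with a service-credential API key over SASL PLAIN. I would extend the description with a sentence such as `Enabling this on an existing instance is a live change: clients still using SASL PLAIN (API key as password) will lose access until they switch to IAM tokens, so migrate them first.` Since the description is duplicated verbatim in modules/fscloud/variables.tf and solutions/enterprise/variables.tf, the same wording should be applied there.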
