Baseline Admin ACLs? #265

Closed
mattia-crypto opened this issue Jun 7, 2022 · 2 comments

mattia-crypto commented Jun 7, 2022

So, I have added a functioning configuration for a SASL/SSL based provider to AWS MSK, looking like this:

provider "kafka" {
  // See: https://docs.aws.amazon.com/msk/latest/developerguide/port-info.html
  bootstrap_servers = split(",", aws_msk_cluster.this.bootstrap_brokers_sasl_scram)
  sasl_username     = var.enable_kafka_provider ? var.terraform_provider_username : "terraform"
  sasl_password     = random_password.this["${var.terraform_provider_username}"].result
  sasl_mechanism    = "scram-sha512"
  skip_tls_verify   = false
  tls_enabled       = true
}

As you can see, it is a bit involved in the configuration since it is created conditionally, and as it refers to some values created by my module. Regardless, as long as var.enable_kafka_provider is true, my provider configures kafka resources as expected. There is solely one caveat, which I do not really get, given the obscure error message.

The issue I am facing atm. refers to ACLs. Currently, I grant my terraform, or var.terraform_provider_username user, the following ACLs:

{
  identifier          = "terraform-cluster-admin"
  acl_host            = "*"
  acl_operation       = "All"
  acl_permission_type = "Allow"
  acl_principal       = "User:terraform-bootnode-dev"
  resource_name       = "kafka-cluster"
  resource_type       = "Cluster"
},
{
  identifier          = "terraform-topic-admin"
  acl_host            = "*"
  acl_operation       = "All"
  acl_permission_type = "Allow"
  acl_principal       = "User:terraform-bootnode-dev"
  resource_name       = "*"
  resource_type       = "Topic"
}

When I bootstrap my cluster, these are created without issue. This is because at MSK bootstrap time, the "allow.everyone.if.no.acl.found" configuration parameter must be set to true. It is, however, after I set this back to false that I encounter problems.

In particular, I encounter a problem when trying to create a new ACL for a UI component I am using, which simply requires Read permissions on all resources.

This is the error I get during apply:

Error: kafka server: failed to create one or more ACL rules: kafka server: Unexpected (unknown?) server error

This is the kafka_acl I am trying to create:

{
  identifier          = "kafka-ui"
  acl_host            = "*"
  acl_operation       = "Read"
  acl_permission_type = "Allow"
  acl_principal       = "User:kafka-ui"
  resource_name       = "*" // also tried with "kafka-cluster" but no luck
  resource_type       = "Any"
},

Any help on this would be appreciated.

Questions

  1. What are the default ACLs that we should create with this provider for granting terraform the ability to administer all resources in a cluster with "allow.everyone.if.no.acl.found" = false?

  2. Am I right in assuming that as long as "allow.everyone.if.no.acl.found" = false it is impossible to add new ACLs with the provider?
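The following is an added example, not the issue author's configuration or the provider project's own documentation, showing one way to wire ACL objects of the shape used in this issue into the provider's kafka_acl resource. It assumes the provider "kafka" block shown above is already configured, and it uses the identifier field purely as the for_each key (that field is an assumption of this example; it is not a provider attribute). Two caveats that the thread leaves implicit: in Kafka's ACL API, "Any" is a filter value for matching existing ACLs and is not a valid resource type when creating one, so a read-only principal needs one ACL per concrete resource type (Topic, Group, and so on); and once allow.everyone.if.no.acl.found is false, the principal Terraform authenticates as must hold Alter on the Cluster resource to create further ACLs, which the "All" on "kafka-cluster" grant below covers.

```hcl
# Added example; assumes provider "kafka" is configured as in the issue.
locals {
  # Constructed ACL list in the same shape as the issue's objects.
  # "identifier" is only the for_each key, not a provider attribute.
  acls = [
    {
      identifier          = "terraform-cluster-admin"
      acl_host            = "*"
      acl_operation       = "All" # includes Alter, needed to manage ACLs
      acl_permission_type = "Allow"
      acl_principal       = "User:terraform-bootnode-dev"
      resource_name       = "kafka-cluster"
      resource_type       = "Cluster"
    },
    {
      identifier          = "terraform-topic-admin"
      acl_host            = "*"
      acl_operation       = "All"
      acl_permission_type = "Allow"
      acl_principal       = "User:terraform-bootnode-dev"
      resource_name       = "*"
      resource_type       = "Topic"
    },
    # Read-only UI principal: one ACL per concrete resource type instead of
    # resource_type "Any", which Kafka only accepts in ACL filters.
    {
      identifier          = "kafka-ui-topic-read"
      acl_host            = "*"
      acl_operation       = "Read"
      acl_permission_type = "Allow"
      acl_principal       = "User:kafka-ui"
      resource_name       = "*"
      resource_type       = "Topic"
    },
    {
      identifier          = "kafka-ui-group-read"
      acl_host            = "*"
      acl_operation       = "Read"
      acl_permission_type = "Allow"
      acl_principal       = "User:kafka-ui"
      resource_name       = "*"
      resource_type       = "Group"
    },
  ]
}

# One kafka_acl per entry, keyed by identifier so plan output stays stable
# when entries are added or removed.
resource "kafka_acl" "this" {
  for_each = { for acl in local.acls : acl.identifier => acl }

  resource_name       = each.value.resource_name
  resource_type       = each.value.resource_type
  acl_principal       = each.value.acl_principal
  acl_host            = each.value.acl_host
  acl_operation       = each.value.acl_operation
  acl_permission_type = each.value.acl_permission_type
}
```

The two Terraform-principal grants should be applied while allow.everyone.if.no.acl.found is still true, exactly as described in the issue; after flipping it to false, the Cluster-level "All" grant is what keeps subsequent applies able to create or destroy ACLs.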

mattia-crypto (Author) commented

Never mind, I had some incompatible parameters. Please change the error messages 😭


enver commented Oct 19, 2023

@mattia-crypto Could you please share details of what was the problem?
