msk: CDK doesn't allow a cluster with multiple authentication methods

[nlongton]

General Issue

We want to use IAM auth but this is only for Java so we also need TLS for python etc.

The Question

We want to use IAM auth but this is only for Java so we also need TLS for python etc.
When i use the AWS Console to create a MSK cluster I can select none, TLS and IAM and get multiple connection string. eg:

TLS:
b-1..$$$$.kafka.us-west-2.amazonaws.com:9094,b-2..$$$$.kafka.us-west-2.amazonaws.com:9094
IAM:
b-1..$$$$.kafka.us-west-2.amazonaws.com:9098,b-2..$$$$.kafka.us-west-2.amazonaws.com:9098
Plaintext:
b-1..$$$$.kafka.us-west-2.amazonaws.com:9092,b-2..$$$$.kafka.us-west-2.amazonaws.com:9092

However the logic in the cluster.ts prevents creating a dual TLS and IAM credential properties class, and even if it did then this logic only acts on one type

let clientAuthentication;
if (props.clientAuthentication?.saslProps?.iam) {
  clientAuthentication = {
    sasl: { iam: { enabled: props.clientAuthentication.saslProps.iam } },
  };
} else if (props.clientAuthentication?.saslProps?.scram) {
  clientAuthentication = {
    sasl: {
      scram: {
        enabled: props.clientAuthentication.saslProps.scram,
      },
    },
  };
} else if (
  props.clientAuthentication?.tlsProps?.certificateAuthorities !== undefined
) {
  clientAuthentication = {
    tls: {
      certificateAuthorityArnList: props.clientAuthentication?.tlsProps?.certificateAuthorities.map(
        (ca) => ca.certificateAuthorityArn,
      ),
    },
  };
}

Is this constraint imposed by the SDK - havent had time to look there - and how does the console manage it?

CDK CLI Version

1.123.0

Framework Version

1.127.0

Node.js Version

14.17.0

OS

any

Language

Typescript

Language Version

3.9.7

Other information

No response

[ldecaro]

I wonder whether this is related to old codebase. According to this release, MSK recently added the ability to handle a combination of authentication modes.

[otaviomacedo]

I wonder whether this is related to old codebase. According to this release, MSK recently added the ability to handle a combination of authentication modes.

Yes, I believe that's the issue. I'm marking this as a p2 feature request. We welcome contributions from the community. If you can submit with a PR to resolve this, I'll be happy to review it.

[nlongton]

I’ll see If I can work out how to do it – would you want this in v1 or v2 of the CDK? From: Otavio Macedo ***@***.***> Sent: Friday, October 15, 2021 2:26 PM To: aws/aws-cdk ***@***.***> Cc: Longton, Nigel ***@***.***>; Author ***@***.***> Subject: Re: [aws/aws-cdk] msk: CDK doesn't allow a cluster with multiple authentication methods (#16980) I wonder whether this is related to old codebase. According to this release, MSK recently added the ability to handle a combination of authentication modes. Yes, I believe that's the issue. I'm marking this as a p2 feature request. We welcome I wonder whether this is related to old codebase. According to this<https://urldefense.proofpoint.com/v2/url?u=https-3A__aws.amazon.com_about-2Daws_whats-2Dnew_2021_09_amazon-2Dmsk-2Dmultiple-2Dauthentication-2Dmodes-2Dtls-2Dencryption-2Dsettings_&d=DwMCaQ&c=91HTncUBNS9Yv-Uuv2IlCA&r=UnyokQK8C_XFW3f5jNuttk8j8TS_QRQ_sjjKPfPGScQ&m=D-qHgzk0jn7cLi-jeKgjN3ijT3UHGpwTJ2s5Zq99XOA&s=0lKm4sUeT8Ejrz6_IpTu2yHy1rV7ST9_p_AowekKMNc&e=> release, MSK recently added the ability to handle a combination of authentication modes. Yes, I believe that's the issue. I'm marking this as a p2 feature request. We welcome contributions from the community. If you can submit with a PR to resolve this, I'll be happy to review it. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_aws_aws-2Dcdk_issues_16980-23issuecomment-2D944300828&d=DwMCaQ&c=91HTncUBNS9Yv-Uuv2IlCA&r=UnyokQK8C_XFW3f5jNuttk8j8TS_QRQ_sjjKPfPGScQ&m=D-qHgzk0jn7cLi-jeKgjN3ijT3UHGpwTJ2s5Zq99XOA&s=NZKeZ-5tOdwGQqg6TqCOzxY6bwx3uJ61-WQ6GQakn0E&e=>, or unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AQCCO4L5ROM654UMEIYZSUTUHATXRANCNFSM5F7KQPCQ&d=DwMCaQ&c=91HTncUBNS9Yv-Uuv2IlCA&r=UnyokQK8C_XFW3f5jNuttk8j8TS_QRQ_sjjKPfPGScQ&m=D-qHgzk0jn7cLi-jeKgjN3ijT3UHGpwTJ2s5Zq99XOA&s=YBbZBUhn1yIyKI1yfa8q3i1VHR4dXNtNUFRMA9yYF5I&e=>. Triage notifications on the go with GitHub Mobile for iOS<https://urldefense.proofpoint.com/v2/url?u=https-3A__apps.apple.com_app_apple-2Dstore_id1477376905-3Fct-3Dnotification-2Demail-26mt-3D8-26pt-3D524675&d=DwMCaQ&c=91HTncUBNS9Yv-Uuv2IlCA&r=UnyokQK8C_XFW3f5jNuttk8j8TS_QRQ_sjjKPfPGScQ&m=D-qHgzk0jn7cLi-jeKgjN3ijT3UHGpwTJ2s5Zq99XOA&s=T-HFz0Pm04MUxBzbJN59gKpyH1DaUZ1SLRYo71sRUvM&e=> or Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__play.google.com_store_apps_details-3Fid-3Dcom.github.android-26referrer-3Dutm-5Fcampaign-253Dnotification-2Demail-2526utm-5Fmedium-253Demail-2526utm-5Fsource-253Dgithub&d=DwMCaQ&c=91HTncUBNS9Yv-Uuv2IlCA&r=UnyokQK8C_XFW3f5jNuttk8j8TS_QRQ_sjjKPfPGScQ&m=D-qHgzk0jn7cLi-jeKgjN3ijT3UHGpwTJ2s5Zq99XOA&s=pn-C5tedNiOwg4NLfCW8jDk0RurluUWeJDu1cLNArOY&e=>. This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, alter or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmissions cannot be guaranteed to be secure or without error as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message which arise during or as a result of e-mail transmission. If verification is required, please request a hard-copy version. This message is provided for information purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments in any jurisdiction.  Securities are offered in the U.S. through PIMCO Investments LLC, distributor and a company of PIMCO LLCThe individual providing the information herein is an employee of Pacific Investment Management Company LLC ("PIMCO"), an SEC-registered investment adviser.  To the extent such individual advises you regarding a PIMCO investment strategy, he or she does so as an associated person of PIMCO.  To the extent that any information is provided to you related to a PIMCO-sponsored investment fund ("PIMCO Fund"), it is being provided to you in the individual's capacity as a registered representative of PIMCO Investments LLC ("PI"), an SEC-registered broker-dealer.  PI is not registered, and does not intend to register, as a municipal advisor and therefore does not provide advice with respect to the investment of the proceeds of municipal securities or municipal escrow investments.  In addition, unless otherwise agreed by PIMCO, this communication and any related attachments are being provided on the express basis that they will not cause PIMCO LLC, or its affiliates, to become an investment advice fiduciary under ERISA or the Internal Revenue Code.

[otaviomacedo]

I’ll see If I can work out how to do it – would you want this in v1 or v2 of the CDK?

All PRs should be created against master. Both v1 and v2 are generated from there.

[dberry-trip]

any update on when this is going to be fixed?

the workaround of setting up one auth in the cdk, and then turning on the another auth in the console doesn't really work in an IAC (infrastructure as code) context where you're not allowed to use the console in production, hence the reliance on cdk.

fix in cdk v2 please.