AWS MSK Kafka Cluster Terraform module

Terraform module which creates AWS MSK (Managed Streaming for Kafka) resources.

Usage

See the examples directory for working examples to reference:

```hcl
module "msk_kafka_cluster" {
  source = "terraform-aws-modules/msk-kafka-cluster/aws"

  name                   = local.name
  kafka_version          = "3.5.1"
  number_of_broker_nodes = 3
  enhanced_monitoring    = "PER_TOPIC_PER_PARTITION"

  broker_node_client_subnets = ["subnet-12345678", "subnet-024681012", "subnet-87654321"]
  broker_node_storage_info = {
    ebs_storage_info = { volume_size = 100 }
  }
  broker_node_instance_type   = "kafka.t3.small"
  broker_node_security_groups = ["sg-12345678"]

  encryption_in_transit_client_broker = "TLS"
  encryption_in_transit_in_cluster    = true

  configuration_name        = "example-configuration"
  configuration_description = "Example configuration"
  # Permissive broker settings suitable for a dev cluster; review before use elsewhere
  configuration_server_properties = {
    "auto.create.topics.enable" = true
    "delete.topic.enable"       = true
  }

  jmx_exporter_enabled    = true
  node_exporter_enabled   = true
  cloudwatch_logs_enabled = true
  s3_logs_enabled         = true
  s3_logs_bucket          = "aws-msk-kafka-cluster-logs"
  s3_logs_prefix          = local.name

  scaling_max_capacity = 512
  scaling_target_value = 80

  client_authentication = {
    sasl = { scram = true }
  }
  create_scram_secret_association = true
  scram_secret_association_secret_arn_list = [
    aws_secretsmanager_secret.one.arn,
    aws_secretsmanager_secret.two.arn,
  ]

  # AWS Glue Registry
  schema_registries = {
    team_a = {
      name        = "team_a"
      description = "Schema registry for Team A"
    }
    team_b = {
      name        = "team_b"
      description = "Schema registry for Team B"
    }
  }

  # AWS Glue Schemas
  schemas = {
    team_a_tweets = {
      schema_registry_name = "team_a"
      schema_name          = "tweets"
      description          = "Schema that contains all the tweets"
      compatibility        = "FORWARD"
      schema_definition    = "{\"type\": \"record\", \"name\": \"r1\", \"fields\": [ {\"name\": \"f1\", \"type\": \"int\"}, {\"name\": \"f2\", \"type\": \"string\"} ]}"
      tags                 = { Team = "Team A" }
    }
    team_b_records = {
      schema_registry_name = "team_b"
      schema_name          = "records"
      description          = "Schema that contains all the records"
      compatibility        = "FORWARD"
      schema_definition = jsonencode({
        type = "record"
        name = "r1"
        fields = [
          {
            name = "f1"
            type = "int"
          },
          {
            name = "f2"
            type = "string"
          },
          {
            name = "f3"
            type = "boolean"
          }
        ]
      })
      tags = { Team = "Team B" }
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
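The following is an added example, not code from this README or from the module itself. It takes the usage above and tightens the parts that decide who can reach the brokers and how: a customer-managed KMS key for data at rest and for the SCRAM credentials, a generated credential stored under the `AmazonMSK_` name prefix that MSK requires for secret associations, a security group that only opens the authenticated TLS listeners (9096 for SASL/SCRAM, 9098 for SASL/IAM), and a `client_authentication` block that disables unauthenticated access. `local.name`, `var.vpc_id`, `var.private_subnet_ids` and `var.client_security_group_id` are assumed placeholders.

```hcl
# Added example (not the module's own code). Assumed placeholders:
# local.name, var.vpc_id, var.private_subnet_ids, var.client_security_group_id.

# MSK only accepts SCRAM secrets encrypted with a customer-managed KMS key;
# the same key is reused for broker data at rest.
resource "aws_kms_key" "msk" {
  description         = "MSK data at rest and SASL/SCRAM credentials"
  enable_key_rotation = true
}

# Generated credential so no password is committed with the Terraform source.
resource "random_password" "producer" {
  length  = 32
  special = false
}

# The secret name must begin with "AmazonMSK_" or the association is rejected.
resource "aws_secretsmanager_secret" "producer" {
  name       = "AmazonMSK_${local.name}_producer"
  kms_key_id = aws_kms_key.msk.arn
}

# MSK expects a JSON document with "username" and "password" keys.
resource "aws_secretsmanager_secret_version" "producer" {
  secret_id = aws_secretsmanager_secret.producer.id
  secret_string = jsonencode({
    username = "producer"
    password = random_password.producer.result
  })
}

# Only the application's security group may reach the authenticated listeners.
# 9092 (PLAINTEXT) and 9094 (TLS without client authentication) stay closed.
resource "aws_security_group" "brokers" {
  name   = "${local.name}-brokers"
  vpc_id = var.vpc_id

  ingress {
    description     = "SASL/SCRAM over TLS"
    from_port       = 9096
    to_port         = 9096
    protocol        = "tcp"
    security_groups = [var.client_security_group_id]
  }

  ingress {
    description     = "SASL/IAM over TLS"
    from_port       = 9098
    to_port         = 9098
    protocol        = "tcp"
    security_groups = [var.client_security_group_id]
  }
}

module "msk_kafka_cluster" {
  source = "terraform-aws-modules/msk-kafka-cluster/aws"

  name                   = local.name
  kafka_version          = "3.5.1"
  number_of_broker_nodes = 3

  broker_node_client_subnets  = var.private_subnet_ids
  broker_node_instance_type   = "kafka.m5.large"
  broker_node_security_groups = [aws_security_group.brokers.id]
  broker_node_storage_info = {
    ebs_storage_info = { volume_size = 100 }
  }

  # TLS only, on the client side and between brokers. TLS_PLAINTEXT would add
  # an unencrypted 9092 listener next to the TLS ones.
  encryption_in_transit_client_broker = "TLS"
  encryption_in_transit_in_cluster    = true
  encryption_at_rest_kms_key_arn      = aws_kms_key.msk.arn

  # Every client must authenticate: IAM for AWS principals, SCRAM for the rest.
  # unauthenticated = false is spelled out so the intent is visible in review.
  client_authentication = {
    unauthenticated = false
    sasl = {
      iam   = true
      scram = true
    }
  }
  create_scram_secret_association          = true
  scram_secret_association_secret_arn_list = [aws_secretsmanager_secret.producer.arn]

  # Broker logs with a bounded retention instead of the "never expire" default.
  cloudwatch_logs_enabled                = true
  cloudwatch_log_group_retention_in_days = 90

  tags = {
    Terraform   = "true"
    Environment = "prod"
  }
}
```

With this configuration the `bootstrap_brokers_sasl_scram` and `bootstrap_brokers_sasl_iam` outputs are populated and `bootstrap_brokers_plaintext` is empty, which is a quick way to confirm after `terraform apply` that no unencrypted listener exists. SCRAM clients read the username and password from the secret at runtime; nothing in the Terraform state beyond the `random_password` result holds the credential, so treat the state file as sensitive.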

Examples

The examples under the examples directory are intended to give users references for how to use the module(s) as well as to test and validate changes to the module source code. If contributing to the project, please be sure to make any appropriate updates to the relevant examples so that maintainers can test your changes and the examples stay up to date for users. Thank you!

<!-- BEGIN_TF_DOCS -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 5.30 |
| <a name="requirement_random"></a> random | >= 3.6 |

Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> aws | >= 5.30 |
| <a name="provider_random"></a> random | >= 3.6 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_appautoscaling_policy.this | resource |
| aws_appautoscaling_target.this | resource |
| aws_cloudwatch_log_group.this | resource |
| aws_glue_registry.this | resource |
| aws_glue_schema.this | resource |
| aws_msk_cluster.this | resource |
| aws_msk_cluster_policy.this | resource |
| aws_msk_configuration.this | resource |
| aws_msk_scram_secret_association.this | resource |
| aws_msk_vpc_connection.this | resource |
| aws_mskconnect_custom_plugin.this | resource |
| aws_mskconnect_worker_configuration.this | resource |
| random_id.this | resource |
| aws_iam_policy_document.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_broker_node_az_distribution"></a> broker_node_az_distribution | The distribution of broker nodes across availability zones (documentation). Currently the only valid value is DEFAULT | string | null | no |
| <a name="input_broker_node_client_subnets"></a> broker_node_client_subnets | A list of subnets to connect to in the client VPC (documentation) | list(string) | [] | no |
| <a name="input_broker_node_connectivity_info"></a> broker_node_connectivity_info | Information about the cluster access configuration | any | {} | no |
| <a name="input_broker_node_instance_type"></a> broker_node_instance_type | Specify the instance type to use for the Kafka brokers, e.g. kafka.m5.large (Pricing info) | string | null | no |
| <a name="input_broker_node_security_groups"></a> broker_node_security_groups | A list of the security groups to associate with the elastic network interfaces to control who can communicate with the cluster | list(string) | [] | no |
| <a name="input_broker_node_storage_info"></a> broker_node_storage_info | A block that contains information about storage volumes attached to MSK broker nodes | any | {} | no |
| <a name="input_client_authentication"></a> client_authentication | Configuration block for specifying client authentication (unauthenticated, sasl.iam, sasl.scram, tls) | any | {} | no |
| <a name="input_cloudwatch_log_group_class"></a> cloudwatch_log_group_class | Specifies the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS | string | null | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> cloudwatch_log_group_kms_key_id | The ARN of the KMS key to use when encrypting log data | string | null | no |
| <a name="input_cloudwatch_log_group_name"></a> cloudwatch_log_group_name | Name of the CloudWatch log group to deliver logs to | string | null | no |
| <a name="input_cloudwatch_log_group_retention_in_days"></a> cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the log group (0 means never expire) | number | 0 | no |
| <a name="input_cloudwatch_logs_enabled"></a> cloudwatch_logs_enabled | Indicates whether you want to enable or disable streaming broker logs to CloudWatch Logs | bool | false | no |
| <a name="input_cluster_override_policy_documents"></a> cluster_override_policy_documents | Override policy documents for the cluster policy | list(string) | null | no |
| <a name="input_cluster_policy_statements"></a> cluster_policy_statements | Map of policy statements for the cluster policy | any | null | no |
| <a name="input_cluster_source_policy_documents"></a> cluster_source_policy_documents | Source policy documents for the cluster policy | list(string) | null | no |
| <a name="input_configuration_arn"></a> configuration_arn | ARN of an externally created configuration to use | string | null | no |
| <a name="input_configuration_description"></a> configuration_description | Description of the configuration | string | null | no |
| <a name="input_configuration_name"></a> configuration_name | Name of the configuration | string | null | no |
| <a name="input_configuration_revision"></a> configuration_revision | Revision of the externally created configuration to use | number | null | no |
| <a name="input_configuration_server_properties"></a> configuration_server_properties | Contents of the server.properties file. Supported properties are documented in the MSK Developer Guide | map(string) | {} | no |
| <a name="input_connect_custom_plugin_timeouts"></a> connect_custom_plugin_timeouts | Timeout configurations for the Connect custom plugins | map(string) | <pre>{<br/> "create": null<br/>}</pre> | no |
| <a name="input_connect_custom_plugins"></a> connect_custom_plugins | Map of custom plugin configuration details (map of maps) | any | {} | no |
| <a name="input_connect_worker_config_description"></a> connect_worker_config_description | A summary description of the worker configuration | string | null | no |
| <a name="input_connect_worker_config_name"></a> connect_worker_config_name | The name of the worker configuration | string | null | no |
| <a name="input_connect_worker_config_properties_file_content"></a> connect_worker_config_properties_file_content | Contents of the connect-distributed.properties file. The value can be either base64 encoded or in raw format | string | null | no |
| <a name="input_create"></a> create | Determines whether cluster resources will be created | bool | true | no |
| <a name="input_create_cloudwatch_log_group"></a> create_cloudwatch_log_group | Determines whether to create a CloudWatch log group | bool | true | no |
| <a name="input_create_cluster_policy"></a> create_cluster_policy | Determines whether to create an MSK cluster policy | bool | false | no |
| <a name="input_create_configuration"></a> create_configuration | Determines whether to create a configuration | bool | true | no |
| <a name="input_create_connect_worker_configuration"></a> create_connect_worker_configuration | Determines whether to create a Connect worker configuration | bool | false | no |
| <a name="input_create_schema_registry"></a> create_schema_registry | Determines whether to create a Glue schema registry for managing Avro schemas for the cluster | bool | true | no |
| <a name="input_create_scram_secret_association"></a> create_scram_secret_association | Determines whether to create a SASL/SCRAM secret association | bool | false | no |
| <a name="input_enable_storage_autoscaling"></a> enable_storage_autoscaling | Determines whether autoscaling is enabled for storage | bool | true | no |
| <a name="input_encryption_at_rest_kms_key_arn"></a> encryption_at_rest_kms_key_arn | You may specify a KMS key short ID or ARN (it will always output an ARN) to use for encrypting your data at rest. If no key is specified, an AWS managed KMS key (aws/msk) will be used for encrypting the data at rest | string | null | no |
| <a name="input_encryption_in_transit_client_broker"></a> encryption_in_transit_client_broker | Encryption setting for data in transit between clients and brokers. Valid values: TLS, TLS_PLAINTEXT, and PLAINTEXT. Default value is TLS. TLS_PLAINTEXT and PLAINTEXT expose an unencrypted listener on port 9092 | string | null | no |
| <a name="input_encryption_in_transit_in_cluster"></a> encryption_in_transit_in_cluster | Whether data communication among broker nodes is encrypted. Default value: true | bool | null | no |
| <a name="input_enhanced_monitoring"></a> enhanced_monitoring | Specify the desired enhanced MSK CloudWatch monitoring level. See Monitoring Amazon MSK with Amazon CloudWatch | string | null | no |
| <a name="input_firehose_delivery_stream"></a> firehose_delivery_stream | Name of the Kinesis Data Firehose delivery stream to deliver logs to | string | null | no |
| <a name="input_firehose_logs_enabled"></a> firehose_logs_enabled | Indicates whether you want to enable or disable streaming broker logs to Kinesis Data Firehose | bool | false | no |
| <a name="input_jmx_exporter_enabled"></a> jmx_exporter_enabled | Indicates whether you want to enable or disable the JMX Exporter | bool | false | no |
| <a name="input_kafka_version"></a> kafka_version | Specify the desired Kafka software version | string | null | no |
| <a name="input_name"></a> name | Name of the MSK cluster | string | "msk" | no |
| <a name="input_node_exporter_enabled"></a> node_exporter_enabled | Indicates whether you want to enable or disable the Node Exporter | bool | false | no |
| <a name="input_number_of_broker_nodes"></a> number_of_broker_nodes | The desired total number of broker nodes in the Kafka cluster. It must be a multiple of the number of specified client subnets | number | null | no |
| <a name="input_s3_logs_bucket"></a> s3_logs_bucket | Name of the S3 bucket to deliver logs to | string | null | no |
| <a name="input_s3_logs_enabled"></a> s3_logs_enabled | Indicates whether you want to enable or disable streaming broker logs to S3 | bool | false | no |
| <a name="input_s3_logs_prefix"></a> s3_logs_prefix | Prefix to append to the folder name | string | null | no |
| <a name="input_scaling_max_capacity"></a> scaling_max_capacity | Max storage capacity for Kafka broker autoscaling | number | 250 | no |
| <a name="input_scaling_role_arn"></a> scaling_role_arn | The ARN of the IAM role that allows Application AutoScaling to modify your scalable target on your behalf. This defaults to an IAM service-linked role | string | null | no |
| <a name="input_scaling_target_value"></a> scaling_target_value | The Kafka broker storage utilization at which scaling is initiated | number | 70 | no |
| <a name="input_schema_registries"></a> schema_registries | A map of schema registries to be created | map(any) | {} | no |
| <a name="input_schemas"></a> schemas | A map of schemas to be created within the schema registry | map(any) | {} | no |
| <a name="input_scram_secret_association_secret_arn_list"></a> scram_secret_association_secret_arn_list | List of AWS Secrets Manager secret ARNs to associate with SCRAM | list(string) | [] | no |
| <a name="input_storage_mode"></a> storage_mode | Controls storage mode for supported storage tiers. Valid values are: LOCAL or TIERED | string | null | no |
| <a name="input_tags"></a> tags | A map of tags to assign to the resources created | map(string) | {} | no |
| <a name="input_timeouts"></a> timeouts | Create, update, and delete timeout configurations for the cluster | map(string) | {} | no |
| <a name="input_vpc_connections"></a> vpc_connections | Map of VPC connections to create | any | {} | no |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_appautoscaling_policy_arn"></a> appautoscaling_policy_arn | The ARN assigned by AWS to the scaling policy |
| <a name="output_appautoscaling_policy_name"></a> appautoscaling_policy_name | The scaling policy's name |
| <a name="output_appautoscaling_policy_policy_type"></a> appautoscaling_policy_policy_type | The scaling policy's type |
| <a name="output_arn"></a> arn | Amazon Resource Name (ARN) of the MSK cluster |
| <a name="output_bootstrap_brokers"></a> bootstrap_brokers | Comma-separated list of one or more hostname:port pairs of Kafka brokers suitable to bootstrap connectivity to the Kafka cluster |
| <a name="output_bootstrap_brokers_plaintext"></a> bootstrap_brokers_plaintext | Comma-separated list of one or more hostname:port pairs of Kafka brokers suitable to bootstrap connectivity to the Kafka cluster. Contains a value only if encryption_in_transit_client_broker is set to PLAINTEXT or TLS_PLAINTEXT |
| <a name="output_bootstrap_brokers_sasl_iam"></a> bootstrap_brokers_sasl_iam | One or more DNS names (or IP addresses) and SASL/IAM port pairs. This attribute will have a value if encryption_in_transit_client_broker is set to TLS_PLAINTEXT or TLS and client_authentication.sasl.iam is set to true |
| <a name="output_bootstrap_brokers_sasl_scram"></a> bootstrap_brokers_sasl_scram | One or more DNS names (or IP addresses) and SASL/SCRAM port pairs. This attribute will have a value if encryption_in_transit_client_broker is set to TLS_PLAINTEXT or TLS and client_authentication.sasl.scram is set to true |
| <a name="output_bootstrap_brokers_tls"></a> bootstrap_brokers_tls | One or more DNS names (or IP addresses) and TLS port pairs. This attribute will have a value if encryption_in_transit_client_broker is set to TLS_PLAINTEXT or TLS |
| <a name="output_cluster_uuid"></a> cluster_uuid | UUID of the MSK cluster, for use in IAM policies |
| <a name="output_configuration_arn"></a> configuration_arn | Amazon Resource Name (ARN) of the configuration |
| <a name="output_configuration_latest_revision"></a> configuration_latest_revision | Latest revision of the configuration |
| <a name="output_connect_custom_plugins"></a> connect_custom_plugins | A map of output attributes for the Connect custom plugins created |
| <a name="output_connect_worker_configuration_arn"></a> connect_worker_configuration_arn | The Amazon Resource Name (ARN) of the worker configuration |
| <a name="output_connect_worker_configuration_latest_revision"></a> connect_worker_configuration_latest_revision | An ID of the latest successfully created revision of the worker configuration |
| <a name="output_current_version"></a> current_version | Current version of the MSK cluster used for updates, e.g. K13V1IB3VIYZZH |
| <a name="output_log_group_arn"></a> log_group_arn | The Amazon Resource Name (ARN) specifying the log group |
| <a name="output_schema_registries"></a> schema_registries | A map of output attributes for the schema registries created |
| <a name="output_schemas"></a> schemas | A map of output attributes for the schemas created |
| <a name="output_scram_secret_association_id"></a> scram_secret_association_id | ID of the SASL/SCRAM secret association (this is the ARN of the MSK cluster) |
| <a name="output_vpc_connections"></a> vpc_connections | A map of output attributes for the VPC connections created |
| <a name="output_zookeeper_connect_string"></a> zookeeper_connect_string | A comma-separated list of one or more hostname:port pairs to use to connect to the Apache ZooKeeper cluster. The returned values are sorted alphabetically |
| <a name="output_zookeeper_connect_string_tls"></a> zookeeper_connect_string_tls | A comma-separated list of one or more hostname:port pairs to use to connect to the Apache ZooKeeper cluster via TLS. The returned values are sorted alphabetically |
<!-- END_TF_DOCS -->

License

Apache-2.0 Licensed. See LICENSE.