Merge pull request #4 from bmaidics/envvar_changes

Fix publicTlsCertificateViaAcm, add zilla plus ami envvar
aklivity · Sep 30, 2024 · 97f5091 · 97f5091
2 parents 074313c + 258722d
commit 97f5091
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 42 deletions.
diff --git a/amazon-msk/cdktf/secure-public-access/README.md b/amazon-msk/cdktf/secure-public-access/README.md
@@ -38,10 +38,11 @@ cp terraform.tfvars.example terraform.tfvars
 To get a list all MSK clusters run:
 
 ```bash
-aws kafka list-clusters --query 'ClusterInfoList[*].[ClusterName,ClusterArn]' --output table
+aws kafka list-clusters --query 'ClusterInfoList[*].{Name:ClusterName, Arn:ClusterArn, Iam:ClientAuthentication.Iam.Enabled,  Scram:ClientAuthentication.Sasl.Scram.Enabled, Tls:ClientAuthentication.Tls.Enabled, mTls:ClientAuthentication.Tls.CertificateAuthorityArnList[*] | join(`,`, @) || None, Unauthenticated:ClientAuthentication.Unauthenticated.Enabled}' --output table
 ```
 
 Use the `ClusterName` of your desired MSK cluster for this variable.
+Set the desired client authentication method based on the MSK cluster setup, using `MSK_ACCESS_METHOD` environment variable.
 
 ### `public_tls_certificate_key`: Public TLS Certificate Key
 
@@ -118,13 +119,11 @@ cp .env.example .env
 
 ### MSK Client Authentication Method
 
-By default Zilla Plus will choose the most secure way configured for your MSK cluster. Order from most to least secure:
+To specify which client authentication method Zilla should use set the `MSK_ACCESS_METHOD` environment variable to the desired access method (mTLS, SASL/SCRAM or Unauthorized).
 
-1. mTLS
-1. SASL/SCRAM
-1. Unauthorized
+### Public TLS Certificate Via ACM
 
-If you want to specify which client authentication method Zilla should use set the `MSK_ACCESS_METHOD` environment variable to the desired access method (mTLS, SASL/SCRAM or Unauthorized).
+By default Zilla Plus will assume TLS certificate coming from Secrets Manager. You can use Zilla Plus with TLS certificate via ACM. To enable this set `PUBLIC_TLS_CERTIFICATE_VIA_ACM` to `true`.
 
 ### Custom Zilla Plus Role
 

diff --git a/amazon-msk/cdktf/secure-public-access/main.ts b/amazon-msk/cdktf/secure-public-access/main.ts
@@ -29,7 +29,6 @@ import { UserVariables } from "./variables";
 import { AwsProvider } from "@cdktf/provider-aws/lib/provider";
 import { ec2EnclaveCertificateIamRoleAssociation } from "./.gen/providers/awscc"
 import { AwsccProvider } from "./.gen/providers/awscc/provider";
-import { DataAwsccMskCluster } from "./.gen/providers/awscc/data-awscc-msk-cluster";
 
 
 export class ZillaPlusSecurePublicAccessStack extends TerraformStack {
@@ -132,22 +131,7 @@ export class ZillaPlusSecurePublicAccessStack extends TerraformStack {
       });
     }
 
-    const awsccMskCluster = new DataAwsccMskCluster(this, "awsccMskCluster", {
-      id: mskCluster.id
-    })
-
-    const mtlsEnabled = Fn.lengthOf(awsccMskCluster.clientAuthentication.tls.certificateAuthorityArnList) > 0;
-
     let mskClientAuthentication = userVariables.mskClientAuthentication;
-    if (userVariables.mskClientAuthentication === "Unknown") {
-      mskClientAuthentication = mtlsEnabled
-        ? "mTLS"
-        : mskCluster.bootstrapBrokersSaslScram
-        ? "SASL/SCRAM"
-        : mskCluster.bootstrapBrokers
-        ? "Unauthorized"
-        : userVariables.mskClientAuthentication;
-    }
 
     const bootstrapServers =
       mskClientAuthentication === "mTLS"
@@ -204,7 +188,7 @@ export class ZillaPlusSecurePublicAccessStack extends TerraformStack {
       description: "TLS Certificate SecretsManager or CertificateManager ARN",
     });
 
-    const publicTlsCertificateViaAcm =  Fn.startswith(publicTlsCertificateKey.stringValue, "arn:aws:acm:");
+    const publicTlsCertificateViaAcm = userVariables.publicTlsCertificateViaAcm;
 
     let zillaPlusRole;
     if (!userVariables.createZillaPlusRole) {
@@ -309,6 +293,11 @@ export class ZillaPlusSecurePublicAccessStack extends TerraformStack {
             "Resource": [ `arn:aws:iam::*:role/${iamRole.name}` ]
           }]
         );
+
+        new ec2EnclaveCertificateIamRoleAssociation.Ec2EnclaveCertificateIamRoleAssociation(this, "ZillaPlusEnclaveIamRoleAssociation", {
+          roleArn: iamRole.arn,
+          certificateArn: publicTlsCertificateKey.stringValue
+        });
       }
 
       new IamRolePolicy(this, "ZillaPlusRolePolicy", {
@@ -317,11 +306,6 @@ export class ZillaPlusSecurePublicAccessStack extends TerraformStack {
       });
 
       zillaPlusRole = iamInstanceProfile.name;
-
-      new ec2EnclaveCertificateIamRoleAssociation.Ec2EnclaveCertificateIamRoleAssociation(this, "ZillaPlusEnclaveIamRoleAssociation", {
-        roleArn: iamRole.arn,
-        certificateArn: publicTlsCertificateKey.stringValue
-      });
     }
 
     let zillaPlusSecurityGroups;
@@ -488,19 +472,24 @@ ${metricsSection}`;
       errorMessage: "must be a valid EC2 instance type.",
     });
 
-    const ami = new dataAwsAmi.DataAwsAmi(this, "LatestAmi", {
-      mostRecent: true,
-      filter: [
-        {
-          name: "product-code",
-          values: ["ca5mgk85pjtbyuhtfluzisgzy"],
-        },
-        {
-          name: "is-public",
-          values: ["true"],
-        },
-      ],
-    });
+    let imageId = userVariables.zillaPlusAmi;
+    if (!imageId)
+    {
+      const ami = new dataAwsAmi.DataAwsAmi(this, "LatestAmi", {
+        mostRecent: true,
+        filter: [
+          {
+            name: "product-code",
+            values: ["ca5mgk85pjtbyuhtfluzisgzy"],
+          },
+          {
+            name: "is-public",
+            values: ["true"],
+          },
+        ],
+      });
+      imageId = ami.imageId;
+    }
 
     const nlb = new Lb(this, `NetworkLoadBalancer-${id}`, {
       name: "network-load-balancer",
@@ -643,7 +632,7 @@ systemctl start zilla-plus
     `;
 
     const ZillaPlusLaunchTemplate = new launchTemplate.LaunchTemplate(this, "ZillaPlusLaunchTemplate", {
-      imageId: ami.imageId,
+      imageId: imageId,
       instanceType: instanceType.stringValue,
       networkInterfaces: [
         {

diff --git a/amazon-msk/cdktf/secure-public-access/variables.ts b/amazon-msk/cdktf/secure-public-access/variables.ts
@@ -5,9 +5,11 @@ export class UserVariables extends Construct {
   mskClientAuthentication: "mTLS" | "SASL/SCRAM" | "Unauthorized" | "Unknown";
   publicCertificateAuthority: boolean = false;
   createZillaPlusRole: boolean = false;
+  publicTlsCertificateViaAcm: boolean = false;
   createZillaPlusSecurityGroup: boolean = false;
   sshKeyEnabled: boolean = false;
   cloudwatchDisabled: boolean = false;
+  zillaPlusAmi: string = "";
 
   constructor(scope: Construct, name: string) {
     super(scope, name);
@@ -28,8 +30,10 @@ export class UserVariables extends Construct {
     }
     this.publicCertificateAuthority = process.env.PUBLIC_CERTIFICATE_AUTHORITY === "true";
     this.createZillaPlusRole = process.env.CREATE_ZILLA_PLUS_ROLE !== "false";
+    this.publicTlsCertificateViaAcm = process.env.PUBLIC_TLS_CERTIFICATE_VIA_ACM === "true";
     this.createZillaPlusSecurityGroup = process.env.CREATE_ZILLA_PLUS_SECURITY_GROUP !== "false";
     this.sshKeyEnabled = process.env.SSH_KEY_ENABLED === "true";
     this.cloudwatchDisabled = process.env.CLOUDWATCH_DISABLED === "true";
+    this.zillaPlusAmi = process.env.ZILLA_PLUS_AMI ? process.env.ZILLA_PLUS_AMI : "";
   }
 }