feedback changes and example update

Author: magreenbaum

README.md

@@ -156,6 +156,7 @@ No modules.
 | [aws_msk_vpc_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_vpc_connection) | resource |
 | [aws_mskconnect_custom_plugin.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mskconnect_custom_plugin) | resource |
 | [aws_mskconnect_worker_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mskconnect_worker_configuration) | resource |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -172,7 +173,9 @@ No modules.
 | <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Name of the Cloudwatch Log Group to deliver logs to | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `0` | no |
 | <a name="input_cloudwatch_logs_enabled"></a> [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs | `bool` | `false` | no |
-| <a name="input_cluster_policy"></a> [cluster\_policy](#input\_cluster\_policy) | Resource policy for cluster | `string` | `null` | no |
+| <a name="input_cluster_override_policy_documents"></a> [cluster\_override\_policy\_documents](#input\_cluster\_override\_policy\_documents) | Override policy documents for cluster policy | `list(string)` | `null` | no |
+| <a name="input_cluster_policy_statements"></a> [cluster\_policy\_statements](#input\_cluster\_policy\_statements) | Map of policy statements for cluster policy | `any` | `null` | no |
+| <a name="input_cluster_source_policy_documents"></a> [cluster\_source\_policy\_documents](#input\_cluster\_source\_policy\_documents) | Source policy documents for cluster policy | `list(string)` | `null` | no |
 | <a name="input_configuration_arn"></a> [configuration\_arn](#input\_configuration\_arn) | ARN of an externally created configuration to use | `string` | `null` | no |
 | <a name="input_configuration_description"></a> [configuration\_description](#input\_configuration\_description) | Description of the configuration | `string` | `null` | no |
 | <a name="input_configuration_name"></a> [configuration\_name](#input\_configuration\_name) | Name of the configuration | `string` | `null` | no |

examples/complete/README.md

@@ -53,6 +53,7 @@ Note that this example may create resources which will incur monetary charges on
 | [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 

examples/complete/main.tf

@@ -4,6 +4,8 @@ provider "aws" {
 
 data "aws_availability_zones" "available" {}
 
+data "aws_caller_identity" "current" {}
+
 locals {
   name   = "ex-${basename(path.cwd)}"
   region = "us-east-1"
@@ -136,6 +138,43 @@ module "msk_cluster" {
     }
   }
 
+  # cross account cluster policy
+  create_cluster_policy = true
+  cluster_policy_statements = {
+    basic = {
+      sid = "basic"
+      principals = [
+        {
+          type = "AWS"
+          # identifiers would be cross account IDs to provide access to the cluster
+          identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+        }
+      ]
+      actions = [
+        "kafka:CreateVpcConnection",
+        "kafka:GetBootstrapBrokers",
+        "kafka:DescribeCluster",
+        "kafka:DescribeClusterV2"
+      ]
+      effect = "Allow"
+    }
+    firehose = {
+      sid = "firehose"
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["firehose.amazonaws.com"]
+        }
+      ]
+      actions = [
+        "kafka:CreateVpcConnection",
+        "kafka:GetBootstrapBrokers",
+        "kafka:DescribeCluster",
+        "kafka:DescribeClusterV2"
+      ]
+    }
+  }
+
   tags = local.tags
 }
 
@@ -177,7 +216,8 @@ module "security_group" {
   ingress_cidr_blocks = module.vpc.private_subnets_cidr_blocks
   ingress_rules = [
     "kafka-broker-tcp",
-    "kafka-broker-tls-tcp"
+    "kafka-broker-tls-tcp",
+    "kafka-broker-sasl-scram-tcp"
   ]
 
   tags = local.tags
@@ -275,6 +315,15 @@ module "vpc_connection_security_group" {
     "kafka-broker-tcp",
     "kafka-broker-tls-tcp"
   ]
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 14001
+      to_port     = 14003
+      protocol    = "tcp"
+      description = "Service name"
+      cidr_blocks = module.vpc_connection.vpc_cidr_block
+    }
+  ]
 
   tags = local.tags
 }

main.tf

@@ -192,7 +192,55 @@ resource "aws_msk_cluster_policy" "this" {
   count = var.create && var.create_cluster_policy ? 1 : 0
 
   cluster_arn = aws_msk_cluster.this[0].arn
-  policy      = var.cluster_policy
+  policy      = data.aws_iam_policy_document.this[0].json
+}
+
+data "aws_iam_policy_document" "this" {
+  count = var.create && var.create_cluster_policy ? 1 : 0
+
+  source_policy_documents   = var.cluster_source_policy_documents
+  override_policy_documents = var.cluster_override_policy_documents
+
+  dynamic "statement" {
+    for_each = var.cluster_policy_statements
+
+    content {
+      sid           = try(statement.value.sid, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      effect        = try(statement.value.effect, null)
+      resources     = try(statement.value.resources, [aws_msk_cluster.this[0].arn])
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
+    }
+  }
 }
 
 ################################################################################

variables.tf

@@ -234,9 +234,21 @@ variable "create_cluster_policy" {
   default     = false
 }
 
-variable "cluster_policy" {
-  description = "Resource policy for cluster"
-  type        = string
+variable "cluster_source_policy_documents" {
+  description = "Source policy documents for cluster policy"
+  type        = list(string)
+  default     = null
+}
+
+variable "cluster_override_policy_documents" {
+  description = "Override policy documents for cluster policy"
+  type        = list(string)
+  default     = null
+}
+
+variable "cluster_policy_statements" {
+  description = "Map of policy statements for cluster policy"
+  type        = any
   default     = null
 }