fix: Correct IAM policies for pipes that use MSK as a source. #165 #179
Conversation
The ec2:* actions accept only "*" as a resource. Added an example of pipes with MSK as a source and SQS as a target.

This PR has been automatically marked as stale because it has been open 30 days.
| sid = replace(replace(title(replace("${each.key}${title(statement.key)}", "/[_-]/", " ")), " ", ""), "/[^0-9A-Za-z]*/", "") | ||
| actions = local.aws_service_policies[statement.key]["actions"] | ||
| resources = tolist(statement.value) | ||
| resources = try(local.aws_service_policies[statement.key].resources, tolist(statement.value)) |
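Review bot: the `try(...)` fallback on the `resources` line makes the override implicit: any entry in `local.aws_service_policies` that defines `resources` now silently discards the ARNs the caller passed in `statement.value`, and a misspelled attribute name would silently keep the old behaviour because `try()` swallows the error. Consider `lookup(local.aws_service_policies[statement.key], "resources", tolist(statement.value))` so the intent reads as "policy-map value wins when present", and document in the policy map (and in the variable description) which services force `"*"` so callers know their own resource scoping is ignored for those services.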
What is the reason for this change?
| #################### | ||
| # MSK | ||
| #################### | ||
| resource "aws_vpc" "main" { |
Let's use our modules to show this: https://github.com/terraform-aws-modules/terraform-aws-msk-kafka-cluster/blob/master/examples/basic/main.tf

Also, let's add a variable to enable/disable the MSK resources/integration. Provisioning a cluster takes quite a bit of time 😅
Description
This addresses issue #164
The current implementation of the IAM policy for pipes that use MSK as a source is incorrect. It restricts the following actions:
to the MSK cluster ARN, but all of them require a wildcard resource ("*").
I am aiming to fix this issue with the change in this PR.
In addition, I added an example of a pipe with MSK as a source and SQS as a target.
Motivation and Context
The current IAM permissions are not valid for a pipe with an MSK source.
Breaking Changes
No
How Has This Been Tested?
- I have updated at least one of the `examples/*` to demonstrate and validate my change(s)
- I have tested and validated these changes using one or more of the provided `examples/*` projects
- I have executed `pre-commit run -a` on my pull request
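As an added illustration of the point the description makes (this is not code from the PR or from the module), here are the two shapes of the pipe execution-role policy written as plain `aws_iam_policy_document` data sources: the "before" that scopes every action to the cluster ARN, and the "after" that keeps the `kafka:*` calls scoped to the cluster and gives only the `ec2:*` calls the wildcard they require. The cluster ARN is a placeholder, and the exact `kafka:`/`ec2:` action names are an assumption taken from the AWS documentation for EventBridge Pipes with an MSK source, since the PR text elides the list.

```hcl
# Added example, not part of the PR or the module. The cluster ARN is a
# placeholder and the action lists are assumed from the AWS Pipes/MSK
# documentation, not copied from the PR text.

locals {
  msk_cluster_arn = "arn:aws:kafka:eu-west-1:123456789012:cluster/example/11111111-2222-3333-4444-555555555555-1"

  # Actions that operate on the cluster itself: these accept the cluster ARN.
  msk_cluster_actions = [
    "kafka:DescribeClusterV2",
    "kafka:GetBootstrapBrokers",
  ]

  # Actions Pipes needs to place ENIs in the cluster's VPC. The ec2:Describe*
  # calls do not support resource-level permissions at all, and the MSK
  # cluster ARN is not a valid resource for any of them, so they need "*".
  msk_networking_actions = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeVpcs",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
  ]
}

# BEFORE (the bug the PR describes): every action scoped to the cluster ARN.
# The policy is syntactically valid but the ec2:* statement never matches,
# so creating the pipe's MSK source fails at runtime.
data "aws_iam_policy_document" "msk_source_broken" {
  statement {
    sid       = "MskSourceBroken"
    actions   = concat(local.msk_cluster_actions, local.msk_networking_actions)
    resources = [local.msk_cluster_arn]
  }
}

# AFTER: two statements, so least privilege is kept where the API allows it
# and "*" is granted only to the actions that cannot be scoped.
data "aws_iam_policy_document" "msk_source_fixed" {
  statement {
    sid       = "MskSourceCluster"
    actions   = local.msk_cluster_actions
    resources = [local.msk_cluster_arn]
  }

  statement {
    sid       = "MskSourceNetworking"
    actions   = local.msk_networking_actions
    resources = ["*"]
  }
}

# Placeholder role for the pipe; the trust policy for pipes.amazonaws.com is
# omitted here and would be needed in a real deployment.
resource "aws_iam_role_policy" "msk_source" {
  name   = "pipe-msk-source"
  role   = "example-pipe-role" # assumption: an existing role name
  policy = data.aws_iam_policy_document.msk_source_fixed.json
}
```

Keeping the wildcard confined to its own statement is what makes the fix safe to review: a reader can see at a glance that `"*"` is attached only to the ENI/Describe actions and that the cluster-level actions remain pinned to one ARN, which is also the shape a policy linter will accept without a blanket exception.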