Added support for mTLS auth for MSK and Kafka (#2690)

Co-authored-by: _sam <[email protected]>

Author: mbfreder

samtranslator/model/eventsources/pull.py

@@ -291,7 +291,28 @@ def get_policy_arn(self):  # type: ignore[no-untyped-def]
         return ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaMSKExecutionRole")
 
     def get_policy_statements(self):  # type: ignore[no-untyped-def]
-        return None
+        if self.SourceAccessConfigurations:
+            for conf in self.SourceAccessConfigurations:
+                # Lambda does not support multiple CLIENT_CERTIFICATE_TLS_AUTH configurations
+                if isinstance(conf, dict) and conf.get("Type") == "CLIENT_CERTIFICATE_TLS_AUTH" and conf.get("URI"):
+                    return [
+                        {
+                            "PolicyName": "MSKExecutionRolePolicy",
+                            "PolicyDocument": {
+                                "Statement": [
+                                    {
+                                        "Action": [
+                                            "secretsmanager:GetSecretValue",
+                                        ],
+                                        "Effect": "Allow",
+                                        "Resource": conf.get("URI"),
+                                    }
+                                ]
+                            },
+                        }
+                    ]
+
+            return None
 
 
 class MQ(PullEventSource):
@@ -384,7 +405,13 @@ class SelfManagedKafka(PullEventSource):
 
     resource_type = "SelfManagedKafka"
     requires_stream_queue_broker = False
-    AUTH_MECHANISM = ["SASL_SCRAM_256_AUTH", "SASL_SCRAM_512_AUTH", "BASIC_AUTH"]
+    AUTH_MECHANISM = [
+        "SASL_SCRAM_256_AUTH",
+        "SASL_SCRAM_512_AUTH",
+        "BASIC_AUTH",
+        "CLIENT_CERTIFICATE_TLS_AUTH",
+        "SERVER_ROOT_CA_CERTIFICATE",
+    ]
 
     def get_policy_arn(self):  # type: ignore[no-untyped-def]
         return None

samtranslator/schema/aws_serverless_function.py

@@ -358,6 +358,7 @@ class MSKEventProperties(BaseModel):
     StartingPositionTimestamp: PassThrough  # TODO: add documentation
     Stream: PassThrough = mskeventproperties("Stream")
     Topics: PassThrough = mskeventproperties("Topics")
+    SourceAccessConfigurations: Optional[PassThrough]  # TODO: update docs when live
 
 
 class MSKEvent(BaseModel):

samtranslator/schema/schema.json

@@ -3472,6 +3472,9 @@
           "title": "Topics",
           "description": "The name of the Kafka topic\\.  \n*Type*: List  \n*Required*: Yes  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`Topics`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#cfn-lambda-eventsourcemapping-topics) property of an `AWS::Lambda::EventSourceMapping` resource\\.",
           "markdownDescription": "The name of the Kafka topic\\.  \n*Type*: List  \n*Required*: Yes  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`Topics`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-eventsourcemapping.html#cfn-lambda-eventsourcemapping-topics) property of an `AWS::Lambda::EventSourceMapping` resource\\."
+        },
+        "SourceAccessConfigurations": {
+          "title": "Sourceaccessconfigurations"
         }
       },
       "additionalProperties": false

tests/model/eventsources/test_msk_event_source.py

@@ -0,0 +1,46 @@
+from unittest import TestCase
+from samtranslator.model.eventsources.pull import MSK
+
+
+class MSKEventSource(TestCase):
+    def setUp(self):
+        self.logical_id = "MSKEvent"
+        self.kafka_event_source = MSK(self.logical_id)
+
+    def test_get_policy_arn(self):
+        arn = self.kafka_event_source.get_policy_arn()
+        expected_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole"
+        self.assertEqual(arn, expected_arn)
+
+    def test_get_policy_statements(self):
+        self.kafka_event_source.SourceAccessConfigurations = [
+            {"Type": "CLIENT_CERTIFICATE_TLS_AUTH", "URI": "SECRET_URI"},
+        ]
+
+        policy_statements = self.kafka_event_source.get_policy_statements()
+        expected_policy_document = [
+            {
+                "PolicyName": "MSKExecutionRolePolicy",
+                "PolicyDocument": {
+                    "Statement": [
+                        {
+                            "Action": [
+                                "secretsmanager:GetSecretValue",
+                            ],
+                            "Effect": "Allow",
+                            "Resource": "SECRET_URI",
+                        }
+                    ]
+                },
+            }
+        ]
+
+        self.assertEqual(policy_statements, expected_policy_document)
+
+    def test_get_policy_statements_with_no_auth_mechanism(self):
+        self.kafka_event_source.SourceAccessConfigurations = []
+
+        policy_statements = self.kafka_event_source.get_policy_statements()
+        expected_policy_document = None
+
+        self.assertEqual(policy_statements, expected_policy_document)

tests/translator/input/error_msk_invalid_sourceaccessconfigurations.yaml

@@ -0,0 +1,20 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Parameters: {}
+
+Resources:
+  MyMskStreamProcessor:
+    Type: AWS::Serverless::Function
+    Properties:
+      Runtime: nodejs12.x
+      Handler: index.handler
+      CodeUri: s3://sam-demo-bucket/kafka.zip
+      Events:
+        MyMskEvent:
+          Type: MSK
+          Properties:
+            StartingPosition: LATEST
+            Stream: !Sub arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2
+            Topics:
+            - MyDummyTestTopic
+            ConsumerGroupId: consumergroup1
+            SourceAccessConfigurations: This should be a list

tests/translator/input/msk_with_mtls_auth.yaml

@@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Parameters: {}
+
+Resources:
+  MyMskStreamProcessor:
+    Type: AWS::Serverless::Function
+    Properties:
+      Runtime: nodejs12.x
+      Handler: index.handler
+      CodeUri: s3://sam-demo-bucket/kafka.zip
+      Events:
+        MyMskEvent:
+          Type: MSK
+          Properties:
+            StartingPosition: LATEST
+            Stream: !Sub arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2
+            Topics:
+            - MyDummyTestTopic
+            ConsumerGroupId: consumergroup1
+            SourceAccessConfigurations:
+            - Type: CLIENT_CERTIFICATE_TLS_AUTH
+              URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c

tests/translator/input/self_managed_kafka_with_mtls_auth.yaml

@@ -0,0 +1,26 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Parameters: {}
+Resources:
+  KafkaFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/kafka.zip
+      Handler: index.kafka_handler
+      Runtime: python3.9
+      Events:
+        MyKafkaCluster:
+          Type: SelfManagedKafka
+          Properties:
+            KafkaBootstrapServers:
+            - abc.xyz.com:9092
+            - 123.45.67.89:9096
+            Topics:
+            - Topic1
+            SourceAccessConfigurations:
+            - Type: CLIENT_CERTIFICATE_TLS_AUTH
+              URI: !Sub arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c
+            - Type: VPC_SUBNET
+              URI: subnet:subnet-12345
+            - Type: VPC_SECURITY_GROUP
+              URI: security_group:sg-67890
+            ConsumerGroupId: consumergroup1

tests/translator/output/aws-cn/msk_with_mtls_auth.json

@@ -0,0 +1,104 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Parameters": {},
+  "Resources": {
+    "MyMskStreamProcessor": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "kafka.zip"
+        },
+        "Handler": "index.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "MyMskStreamProcessorRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "nodejs12.x",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MyMskStreamProcessorMyMskEvent": {
+      "Properties": {
+        "AmazonManagedKafkaEventSourceConfig": {
+          "ConsumerGroupId": "consumergroup1"
+        },
+        "EventSourceArn": {
+          "Fn::Sub": "arn:${AWS::Partition}:kafka:${AWS::Region}:012345678901:cluster/mycluster/6cc0432b-8618-4f44-bccc-e1fbd8fb7c4d-2"
+        },
+        "FunctionName": {
+          "Ref": "MyMskStreamProcessor"
+        },
+        "SourceAccessConfigurations": [
+          {
+            "Type": "CLIENT_CERTIFICATE_TLS_AUTH",
+            "URI": {
+              "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c"
+            }
+          }
+        ],
+        "StartingPosition": "LATEST",
+        "Topics": [
+          "MyDummyTestTopic"
+        ]
+      },
+      "Type": "AWS::Lambda::EventSourceMapping"
+    },
+    "MyMskStreamProcessorRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole"
+        ],
+        "Policies": [
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "secretsmanager:GetSecretValue"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c"
+                  }
+                }
+              ]
+            },
+            "PolicyName": "MSKExecutionRolePolicy"
+          }
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}