gruntwork-io
diff --git a/‎docs/reference/modules/terraform-aws-messaging/kinesis-firehose/kinesis-firehose.md‎
Lines changed: 51 additions & 23 deletions b/‎docs/reference/modules/terraform-aws-messaging/kinesis-firehose/kinesis-firehose.md‎
Lines changed: 51 additions & 23 deletions
diff --git a/‎docs/reference/modules/terraform-aws-messaging/kinesis/kinesis.md‎
Lines changed: 9 additions & 9 deletions b/‎docs/reference/modules/terraform-aws-messaging/kinesis/kinesis.md‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎docs/reference/modules/terraform-aws-messaging/msk/msk.md‎
Lines changed: 78 additions & 13 deletions b/‎docs/reference/modules/terraform-aws-messaging/msk/msk.md‎
Lines changed: 78 additions & 13 deletions
@@ -9,13 +9,13 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx';
 import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx';
 import { ModuleUsage } from "../../../../../src/components/ModuleUsage";
 
-<VersionBadge repoTitle="AWS Messaging" version="1.0.2" lastModifiedVersion="0.13.0"/>
+<VersionBadge repoTitle="AWS Messaging" version="1.0.3" lastModifiedVersion="1.0.3"/>
 
 # Kinesis Firehose Delivery Stream Module
 
-<a href="https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis-firehose" className="link-button" title="View the source code for this module in GitHub.">View Source</a>
+<a href="https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis-firehose" className="link-button" title="View the source code for this module in GitHub.">View Source</a>
 
-<a href="https://github.com/gruntwork-io/terraform-aws-messaging/releases/tag/v0.13.0" className="link-button" title="Release notes for only versions which impacted this module.">Release Notes</a>
+<a href="https://github.com/gruntwork-io/terraform-aws-messaging/releases/tag/v1.0.3" className="link-button" title="Release notes for only versions which impacted this module.">Release Notes</a>
 
 This module creates
 an [Amazon Kinesis Data Firehose](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html).
@@ -40,15 +40,12 @@ the `var.kinesis_stream_arn` to specify the kinesis data stream, we also have a
 
 module "kinesis_firehose" {
 
-  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis-firehose?ref=v1.0.2"
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis-firehose?ref=v1.0.3"
 
   # ----------------------------------------------------------------------------------------------------
   # REQUIRED VARIABLES
   # ----------------------------------------------------------------------------------------------------
 
-  # The ARN of the kinesis data stream.
-  kinesis_stream_arn = <string>
-
   # The name of the Kinesis Data Firehose.
   name = <string>
 
@@ -59,9 +56,21 @@ module "kinesis_firehose" {
   # OPTIONAL VARIABLES
   # ----------------------------------------------------------------------------------------------------
 
+  # Set to true to use a Kinesis Data Stream as the source for the Firehose.
+  # When true, kinesis_stream_arn must also be provided. When false, the
+  # Firehose will use Direct PUT as the source. This variable is needed because
+  # kinesis_stream_arn may come from a resource that isn't created yet, and
+  # Terraform needs to know at plan time whether to create the kinesis source
+  # configuration.
+  enable_kinesis_source = false
+
   # The processing configuration for the Kinesis Data Firehose.
   extended_s3_processors = []
 
+  # The ARN of the kinesis data stream. Must be set when enable_kinesis_source
+  # is true.
+  kinesis_stream_arn = null
+
 }
 
 
@@ -77,7 +86,7 @@ module "kinesis_firehose" {
 # ------------------------------------------------------------------------------------------------------
 
 terraform {
-  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis-firehose?ref=v1.0.2"
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis-firehose?ref=v1.0.3"
 }
 
 inputs = {
@@ -86,9 +95,6 @@ inputs = {
   # REQUIRED VARIABLES
   # ----------------------------------------------------------------------------------------------------
 
-  # The ARN of the kinesis data stream.
-  kinesis_stream_arn = <string>
-
   # The name of the Kinesis Data Firehose.
   name = <string>
 
@@ -99,9 +105,21 @@ inputs = {
   # OPTIONAL VARIABLES
   # ----------------------------------------------------------------------------------------------------
 
+  # Set to true to use a Kinesis Data Stream as the source for the Firehose.
+  # When true, kinesis_stream_arn must also be provided. When false, the
+  # Firehose will use Direct PUT as the source. This variable is needed because
+  # kinesis_stream_arn may come from a resource that isn't created yet, and
+  # Terraform needs to know at plan time whether to create the kinesis source
+  # configuration.
+  enable_kinesis_source = false
+
   # The processing configuration for the Kinesis Data Firehose.
   extended_s3_processors = []
 
+  # The ARN of the kinesis data stream. Must be set when enable_kinesis_source
+  # is true.
+  kinesis_stream_arn = null
+
 }
 
 
@@ -120,14 +138,6 @@ inputs = {
 
 ### Required
 
-<HclListItem name="kinesis_stream_arn" requirement="required" type="string">
-<HclListItemDescription>
-
-The ARN of the kinesis data stream.
-
-</HclListItemDescription>
-</HclListItem>
-
 <HclListItem name="name" requirement="required" type="string">
 <HclListItemDescription>
 
@@ -146,6 +156,15 @@ The ARN of the S3 bucket you want to export the data to.
 
 ### Optional
 
+<HclListItem name="enable_kinesis_source" requirement="optional" type="bool">
+<HclListItemDescription>
+
+Set to true to use a Kinesis Data Stream as the source for the Firehose. When true, kinesis_stream_arn must also be provided. When false, the Firehose will use Direct PUT as the source. This variable is needed because kinesis_stream_arn may come from a resource that isn't created yet, and Terraform needs to know at plan time whether to create the kinesis source configuration.
+
+</HclListItemDescription>
+<HclListItemDefaultValue defaultValue="false"/>
+</HclListItem>
+
 <HclListItem name="extended_s3_processors" requirement="optional" type="list(object(…))">
 <HclListItemDescription>
 
@@ -168,6 +187,15 @@ list(object({
 <HclListItemDefaultValue defaultValue="[]"/>
 </HclListItem>
 
+<HclListItem name="kinesis_stream_arn" requirement="optional" type="string">
+<HclListItemDescription>
+
+The ARN of the kinesis data stream. Must be set when enable_kinesis_source is true.
+
+</HclListItemDescription>
+<HclListItemDefaultValue defaultValue="null"/>
+</HclListItem>
+
 </TabItem>
 <TabItem value="outputs" label="Outputs">
 
@@ -209,11 +237,11 @@ Name of the role for Kinesis Firehose
 <!-- ##DOCS-SOURCER-START
 {
   "originalSources": [
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis-firehose/readme.md",
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis-firehose/variables.tf",
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis-firehose/outputs.tf"
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis-firehose/readme.md",
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis-firehose/variables.tf",
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis-firehose/outputs.tf"
   ],
   "sourcePlugin": "module-catalog-api",
-  "hash": "8db9113fa20e099ec86d9419e57763ea"
+  "hash": "be90673f4a06c106ae6392ce58e39820"
 }
 ##DOCS-SOURCER-END -->
@@ -9,13 +9,13 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx';
 import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx';
 import { ModuleUsage } from "../../../../../src/components/ModuleUsage";
 
-<VersionBadge repoTitle="AWS Messaging" version="1.0.2" lastModifiedVersion="0.13.0"/>
+<VersionBadge repoTitle="AWS Messaging" version="1.0.3" lastModifiedVersion="1.0.3"/>
 
 # Kinesis Data Stream Module
 
-<a href="https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis" className="link-button" title="View the source code for this module in GitHub.">View Source</a>
+<a href="https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis" className="link-button" title="View the source code for this module in GitHub.">View Source</a>
 
-<a href="https://github.com/gruntwork-io/terraform-aws-messaging/releases/tag/v0.13.0" className="link-button" title="Release notes for only versions which impacted this module.">Release Notes</a>
+<a href="https://github.com/gruntwork-io/terraform-aws-messaging/releases/tag/v1.0.3" className="link-button" title="Release notes for only versions which impacted this module.">Release Notes</a>
 
 This module creates a [Kinesis Data Stream](https://docs.aws.amazon.com/streams/latest/dev/key-concepts.html).
 
@@ -152,7 +152,7 @@ regions: https://github.com/aws-samples/aws-kinesis-data-streams-replicator
 
 module "kinesis" {
 
-  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis?ref=v1.0.2"
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis?ref=v1.0.3"
 
   # ----------------------------------------------------------------------------------------------------
   # REQUIRED VARIABLES
@@ -223,7 +223,7 @@ module "kinesis" {
 # ------------------------------------------------------------------------------------------------------
 
 terraform {
-  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis?ref=v1.0.2"
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/kinesis?ref=v1.0.3"
 }
 
 inputs = {
@@ -458,11 +458,11 @@ A map of key value pairs to apply as tags to the Kinesis stream.
 <!-- ##DOCS-SOURCER-START
 {
   "originalSources": [
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis/readme.md",
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis/variables.tf",
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/kinesis/outputs.tf"
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis/readme.md",
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis/variables.tf",
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/kinesis/outputs.tf"
   ],
   "sourcePlugin": "module-catalog-api",
-  "hash": "2b94249fc636a9a4579cb779b2eaec9c"
+  "hash": "1fb71b42d108b2810e4c70690a1c593a"
 }
 ##DOCS-SOURCER-END -->
@@ -9,13 +9,13 @@ import VersionBadge from '../../../../../src/components/VersionBadge.tsx';
 import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../../src/components/HclListItem.tsx';
 import { ModuleUsage } from "../../../../../src/components/ModuleUsage";
 
-<VersionBadge repoTitle="AWS Messaging" version="1.0.2" lastModifiedVersion="1.0.1"/>
+<VersionBadge repoTitle="AWS Messaging" version="1.0.3" lastModifiedVersion="1.0.3"/>
 
 # Amazon Managed Streaming for Apache Kafka (Amazon MSK) Module
 
-<a href="https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/msk" className="link-button" title="View the source code for this module in GitHub.">View Source</a>
+<a href="https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/msk" className="link-button" title="View the source code for this module in GitHub.">View Source</a>
 
-<a href="https://github.com/gruntwork-io/terraform-aws-messaging/releases/tag/v1.0.1" className="link-button" title="Release notes for only versions which impacted this module.">Release Notes</a>
+<a href="https://github.com/gruntwork-io/terraform-aws-messaging/releases/tag/v1.0.3" className="link-button" title="Release notes for only versions which impacted this module.">Release Notes</a>
 
 This Terraform module configures and launches an [Amazon MSK](https://aws.amazon.com/msk/) cluster.
 
@@ -145,12 +145,58 @@ The MSK module supports the following authentication and authorization methods:
 
 *   [IAM access control](https://docs.aws.amazon.com/msk/latest/developerguide/iam-access-control.html)
     using `var.enable_client_sasl_iam`. You can refer
-    to the [msk-with-iam-auth example module](https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/examples/msk-with-iam-auth).
-*   [TLS](https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html) using `var.enable_client_tls`
-    and `var.client_tls_certificate_authority_arns`
+    to the [msk-with-iam-auth example module](https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/examples/msk-with-iam-auth).
+*   [SASL/SCRAM authentication](https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html) using
+    `var.enable_client_sasl_scram` and `var.client_sasl_scram_secret_arns`.
+*   [TLS (Mutual TLS)](https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html) using `var.enable_client_tls`
+    and `var.client_tls_certificate_authority_arns`.
 *   [Apache Kafka ACLs](https://docs.aws.amazon.com/msk/latest/developerguide/msk-acls.html)
     using `var.server_properties`.
 
+#### Using Multiple Authentication Methods
+
+Amazon MSK supports enabling multiple authentication methods simultaneously. You can activate any combination
+of authentication modes (mutual TLS, SASL/SCRAM, or IAM access control) on new or existing clusters. This is
+useful if you are migrating to a new authentication mode or must run multiple authentication modes simultaneously.
+
+To enable multiple authentication methods, set the corresponding variables to `true`:
+
+```hcl
+module "msk" {
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/msk?ref=v0.x.x"
+
+  # ... other required variables ...
+
+  # Enable multiple authentication methods
+  enable_client_tls                      = true
+  client_tls_certificate_authority_arns  = ["arn:aws:acm-pca:..."]
+  enable_client_sasl_iam                 = true
+  enable_client_sasl_scram               = true
+  client_sasl_scram_secret_arns          = ["arn:aws:secretsmanager:..."]
+
+  # TLS encryption is required for SASL authentication
+  encryption_in_transit_client_broker = "TLS"
+}
+```
+
+**Note**: When using multiple authentication methods, ensure `encryption_in_transit_client_broker` is set to
+`TLS` or `TLS_PLAINTEXT` as SASL authentication requires TLS encryption for client-broker communication.
+
+**Important**: This feature requires Terraform AWS Provider version 4.13.0 or later. If you encounter a
+`ConflictsWith` error when enabling both TLS and SASL, please upgrade your AWS provider version.
+
+#### Unauthenticated Access
+
+By default, the module sets `enable_client_unauthenticated = false`, which disables unauthenticated client access
+when any authentication method is enabled. If you need to allow unauthenticated access alongside authenticated
+methods (e.g., during a migration), you can set `enable_client_unauthenticated = true`.
+
+**Note**: If you have an existing cluster with `unauthenticated = true` and want to enable authentication methods,
+you should explicitly set `enable_client_unauthenticated = true` to prevent Terraform from changing the
+unauthenticated setting unexpectedly.
+
+See the [msk-with-multi-auth example](https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/examples/msk-with-multi-auth) for a complete working example.
+
 You can read more about available authentication and authorization options from
 the [Authentication and authorization for Apache Kafka APIs page](https://docs.aws.amazon.com/msk/latest/developerguide/kafka_apis_iam.html)
 
@@ -246,7 +292,7 @@ the [Tiered storage](https://docs.aws.amazon.com/msk/latest/developerguide/msk-t
 You can enable the tiered storage by setting the following variables:
 
 *   `var.storage_info = "TIERED"`
-*   `var.kafka_version = "2.8.2.tiered"` (Note: this is the only supported kafka version for tiered storage)
+*   `var.kafka_version`: set to version 3.6.0 or higher (e.g., "3.6.0", "3.7.x", "3.8.x", etc.)
 *   `var.instance_type`: set to other than `kafka.t3.small`.
 
 It's only supported for the provisioned cluster type (non-serverless mode).
@@ -264,7 +310,7 @@ It's only supported for the provisioned cluster type (non-serverless mode).
 
 module "msk" {
 
-  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/msk?ref=v1.0.2"
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/msk?ref=v1.0.3"
 
   # ----------------------------------------------------------------------------------------------------
   # REQUIRED VARIABLES
@@ -337,6 +383,11 @@ module "msk" {
   # Whether TLS client authentication is enabled.
   enable_client_tls = false
 
+  # Whether unauthenticated client access is enabled. When set to true, clients
+  # can connect without authentication. When using TLS or SASL authentication,
+  # you typically want this set to false.
+  enable_client_unauthenticated = false
+
   # Indicates whether you want to enable or disable streaming broker logs to
   # Cloudwatch Logs.
   enable_cloudwatch_logs = false
@@ -444,7 +495,7 @@ module "msk" {
 # ------------------------------------------------------------------------------------------------------
 
 terraform {
-  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/msk?ref=v1.0.2"
+  source = "git::git@github.com:gruntwork-io/terraform-aws-messaging.git//modules/msk?ref=v1.0.3"
 }
 
 inputs = {
@@ -520,6 +571,11 @@ inputs = {
   # Whether TLS client authentication is enabled.
   enable_client_tls = false
 
+  # Whether unauthenticated client access is enabled. When set to true, clients
+  # can connect without authentication. When using TLS or SASL authentication,
+  # you typically want this set to false.
+  enable_client_unauthenticated = false
+
   # Indicates whether you want to enable or disable streaming broker logs to
   # Cloudwatch Logs.
   enable_cloudwatch_logs = false
@@ -821,6 +877,15 @@ Whether TLS client authentication is enabled.
 <HclListItemDefaultValue defaultValue="false"/>
 </HclListItem>
 
+<HclListItem name="enable_client_unauthenticated" requirement="optional" type="bool">
+<HclListItemDescription>
+
+Whether unauthenticated client access is enabled. When set to true, clients can connect without authentication. When using TLS or SASL authentication, you typically want this set to false.
+
+</HclListItemDescription>
+<HclListItemDefaultValue defaultValue="false"/>
+</HclListItem>
+
 <HclListItem name="enable_cloudwatch_logs" requirement="optional" type="bool">
 <HclListItemDescription>
 
@@ -1180,11 +1245,11 @@ A comma separated list of one or more hostname:port pairs to use to connect to t
 <!-- ##DOCS-SOURCER-START
 {
   "originalSources": [
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/msk/readme.md",
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/msk/variables.tf",
-    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.2/modules/msk/outputs.tf"
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/msk/readme.md",
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/msk/variables.tf",
+    "https://github.com/gruntwork-io/terraform-aws-messaging/tree/v1.0.3/modules/msk/outputs.tf"
   ],
   "sourcePlugin": "module-catalog-api",
-  "hash": "59f6d6055769f56876cab99505541f86"
+  "hash": "6638bb3b448949c0f5682284c3b40ddf"
 }
 ##DOCS-SOURCER-END -->