Merge pull request #251 from myronjhicks/add-sasl-mechanism-config

adamdecaf · web-flow · commit 8fb95210c794 · 2025-03-07T15:11:19.000-06:00
Add Support for AWS MSK IAM authentication
diff --git a/docs/config.md b/docs/config.md
@@ -72,6 +72,13 @@ ACHGateway:
       Topic: <string>
       TLS: <boolean>
       AutoCommit: <boolean>
+      [ SASLMechanism: <string> | default = "PLAIN" ]
+      Provider:
+        AWS:
+          [ Region: <string> | default = "" ]
+          [ Profile: <string> | default = "" ]
+          [ RoleARN: <string> | default = "" ]
+          [ SessionName: <string> | default = "" ]
       Transform:
         Encoding:
           [ Base64: <boolean> | default = false ]
@@ -156,6 +163,13 @@ ACHGateway:
         Topic: <string>
         [ TLS: <boolean> | default = false ]
         [ AutoCommit: <boolean> | default = false ]
+        [ SASLMechanism: <string> | default = "PLAIN" ]
+        Provider:
+          AWS:
+            [ Region: <string> | default = "" ]
+            [ Profile: <string> | default = "" ]
+            [ RoleARN: <string> | default = "" ]
+            [ SessionName: <string> | default = "" ]
     Webhook:
       [ Endpoint: <string> | default = "" ]
 ```
diff --git a/go.mod b/go.mod
@@ -67,6 +67,7 @@ require (
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
+	github.com/aws/aws-msk-iam-sasl-signer-go v1.0.1
 	github.com/aws/aws-sdk-go v1.50.36 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.25.3 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
diff --git a/internal/kafka/kafka.go b/internal/kafka/kafka.go
@@ -1,12 +1,15 @@
 package kafka
 
 import (
+	"context"
+	"crypto/tls"
 	"time"
 
 	"github.com/moov-io/achgateway/internal/service"
 	"github.com/moov-io/base/log"
 
 	"github.com/Shopify/sarama"
+	"github.com/aws/aws-msk-iam-sasl-signer-go/signer"
 	"gocloud.dev/pubsub"
 	"gocloud.dev/pubsub/kafkapubsub"
 )
@@ -15,13 +18,58 @@ var (
 	minKafkaVersion = sarama.V2_6_0_0
 )
 
+type MSKAccessTokenProvider struct {
+	Region      string
+	Profile     string
+	RoleARN     string
+	SessionName string
+}
+
+func (m *MSKAccessTokenProvider) Token() (*sarama.AccessToken, error) {
+	var token string
+	var err error
+
+	// Choose the correct AWS authentication method
+	switch {
+	case m.Profile != "":
+		token, _, err = signer.GenerateAuthTokenFromProfile(context.TODO(), m.Region, m.Profile)
+	case m.RoleARN != "":
+		token, _, err = signer.GenerateAuthTokenFromRole(context.TODO(), m.Region, m.RoleARN, m.SessionName)
+	default:
+		token, _, err = signer.GenerateAuthToken(context.TODO(), m.Region)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	return &sarama.AccessToken{Token: token}, nil
+}
+
 func OpenTopic(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Topic, error) {
 	config := kafkapubsub.MinimalConfig()
 	config.Version = minKafkaVersion
 	config.Net.TLS.Enable = cfg.TLS
 
 	config.Net.SASL.Enable = cfg.Key != ""
-	config.Net.SASL.Mechanism = sarama.SASLMechanism("PLAIN")
+
+	switch cfg.SASLMechanism {
+	case "AWS_MSK_IAM":
+		if cfg.Provider != nil && cfg.Provider.AWS != nil {
+			config.Net.SASL.TokenProvider = &MSKAccessTokenProvider{
+				Region:      cfg.Provider.AWS.Region,
+				Profile:     cfg.Provider.AWS.Profile,
+				RoleARN:     cfg.Provider.AWS.RoleARN,
+				SessionName: cfg.Provider.AWS.SessionName,
+			}
+		}
+		config.Net.SASL.Mechanism = sarama.SASLTypeOAuth
+		config.Net.TLS.Enable = true
+		config.Net.TLS.Config = &tls.Config{}
+
+	default:
+		config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
+	}
+
 	config.Net.SASL.User = cfg.Key
 	config.Net.SASL.Password = cfg.Secret
 
@@ -33,6 +81,7 @@ func OpenTopic(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Topic, erro
 		Set("tls", log.Bool(cfg.TLS)).
 		Set("group", log.String(cfg.Group)).
 		Set("sasl.enable", log.Bool(config.Net.SASL.Enable)).
+		Set("sasl.mechanism", log.String(string(config.Net.SASL.Mechanism))).
 		Set("sasl.user", log.String(cfg.Key)).
 		Set("topic", log.String(cfg.Topic)).
 		Log("opening kafka topic")
@@ -46,7 +95,25 @@ func OpenSubscription(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Subs
 	config.Net.TLS.Enable = cfg.TLS
 
 	config.Net.SASL.Enable = cfg.Key != ""
-	config.Net.SASL.Mechanism = sarama.SASLMechanism("PLAIN")
+	// Default to PLAIN if no SASL mechanism is specified
+	switch cfg.SASLMechanism {
+	case "AWS_MSK_IAM":
+		if cfg.Provider != nil && cfg.Provider.AWS != nil {
+			config.Net.SASL.TokenProvider = &MSKAccessTokenProvider{
+				Region:      cfg.Provider.AWS.Region,
+				Profile:     cfg.Provider.AWS.Profile,
+				RoleARN:     cfg.Provider.AWS.RoleARN,
+				SessionName: cfg.Provider.AWS.SessionName,
+			}
+		}
+		config.Net.SASL.Mechanism = sarama.SASLTypeOAuth
+		config.Net.TLS.Enable = true
+		config.Net.TLS.Config = &tls.Config{}
+
+	default:
+		config.Net.SASL.Mechanism = sarama.SASLTypePlaintext
+	}
+
 	config.Net.SASL.User = cfg.Key
 	config.Net.SASL.Password = cfg.Secret
 
@@ -62,6 +129,7 @@ func OpenSubscription(logger log.Logger, cfg *service.KafkaConfig) (*pubsub.Subs
 		Set("tls", log.Bool(cfg.TLS)).
 		Set("group", log.String(cfg.Group)).
 		Set("sasl.enable", log.Bool(config.Net.SASL.Enable)).
+		Set("sasl.mechanism", log.String(string(config.Net.SASL.Mechanism))).
 		Set("sasl.user", log.String(cfg.Key)).
 		Set("topic", log.String(cfg.Topic)).
 		Log("setting up kafka subscription")
diff --git a/internal/service/model_inbound.go b/internal/service/model_inbound.go
@@ -66,6 +66,20 @@ func (cfg *InMemory) Validate() error {
 	return nil
 }
 
+// AWSConfig holds authentication settings for AWS MSK clusters.
+// Used when KafkaConfig.SASLMechanism is set to AWS_MSK_IAM.
+type AWSConfig struct {
+	Region      string
+	Profile     string
+	RoleARN     string
+	SessionName string
+}
+
+// KafkaProvider represents the cloud provider settings for Kafka
+type KafkaProvider struct {
+	AWS *AWSConfig
+}
+
 type KafkaConfig struct {
 	Brokers []string
 	Key     string
@@ -77,7 +91,10 @@ type KafkaConfig struct {
 	// AutoCommit in Sarama refers to "automated publishing of consumer offsets
 	// to the broker" rather than a Kafka broker's meaning of "commit consumer
 	// offsets on read" which leads to "at-most-once" delivery.
-	AutoCommit bool
+	AutoCommit    bool
+	SASLMechanism string
+
+	Provider *KafkaProvider
 
 	Consumer KafkaConsumerConfig
 	Producer KafkaProducerConfig
