We currently have an MSK cluster and everything is working fine. The person who wrote the Terraform code for it has left us, and the way he set it up was that we would have to manually enter the username and password for making any plans or applies against this stack. This is not ideal since we use Atlantis for running our deploys and we do not want to have any manual interaction.

There are 4 users and I need to pull the password from AWS Secrets Manager for only the admin user. I thought I could do this with a data source call, but Terraform complains if I try to use anything of this variation in the provider:
```
│ on providers.tf line 25, in provider "kafka":
│ 25: sasl_password = data.aws_secretsmanager_secret_version.sasl_user_admin[each.key]
│
│ The "each" object can be used only in "module" or "resource" blocks, and only when the "for_each" argument is set.
```
Currently the code looks like this:

```hcl
provider "kafka" {
  bootstrap_servers = split(",", module.msk.broker_connect_string_sasl_scram)
  sasl_username     = "admin"
  sasl_password     = WHAT DO I PUT HERE TO ONLY PULL THE ADMIN PASSWORD FROM AWS SECRETS?
  sasl_mechanism    = "scram-sha512"
}

data "aws_secretsmanager_secret_version" "sasl_user_admin" {
  for_each  = var.sasl_users
  secret_id = aws_secretsmanager_secret.sasl_user[each.value].id
}

resource "aws_secretsmanager_secret" "sasl_user" {
  for_each   = toset(var.sasl_users[terraform.workspace])
  name       = "AmazonMSK-ts-${each.value}"
  kms_key_id = module.msk.kms_key_id
}

variable "sasl_users" {
  type = map(list(string))
  default = {
    dev   = ["A-user-write", "B-user-read", "C-user-read-write", "admin"]
    stage = ["A-user-write", "B-user-read", "C-user-read-write", "admin"]
    prod  = ["A-user-write", "B-user-read", "C-user-read-write", "admin"]
  }
}
```
Anyone have any ideas about this or maybe have a better way considering the code I've posted? TIA
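As an added example (not the poster's code and not an official answer): a `for_each` data source is a map of instances keyed by the set member, so the provider can index it with the literal key `"admin"` instead of `each.key`. The `jsondecode(...)["password"]` step assumes the secret is stored in the `{"username": ..., "password": ...}` JSON shape that MSK SCRAM authentication expects; `module.msk` is assumed to exist as in the post.

```hcl
variable "sasl_users" {
  type = map(list(string))
  default = {
    dev   = ["A-user-write", "B-user-read", "C-user-read-write", "admin"]
    stage = ["A-user-write", "B-user-read", "C-user-read-write", "admin"]
    prod  = ["A-user-write", "B-user-read", "C-user-read-write", "admin"]
  }
}

resource "aws_secretsmanager_secret" "sasl_user" {
  for_each   = toset(var.sasl_users[terraform.workspace])
  name       = "AmazonMSK-ts-${each.value}"
  kms_key_id = module.msk.kms_key_id # assumed, taken from the post
}

# Iterate over the secrets that were actually created for this workspace,
# so the data source keys line up with the resource keys ("admin", ...).
data "aws_secretsmanager_secret_version" "sasl_user" {
  for_each  = aws_secretsmanager_secret.sasl_user
  secret_id = each.value.id
}

provider "kafka" {
  bootstrap_servers = split(",", module.msk.broker_connect_string_sasl_scram)
  sasl_username     = "admin"
  # Index the for_each instance by its key; no "each" object needed here.
  # jsondecode assumes the {"username": ..., "password": ...} secret format.
  sasl_password = jsondecode(
    data.aws_secretsmanager_secret_version.sasl_user["admin"].secret_string
  )["password"]
  sasl_mechanism = "scram-sha512"
}
```

Two caveats: the secret must already hold a version (a freshly created `aws_secretsmanager_secret` with no value makes the data source fail, and a data source that depends on not-yet-created resources is deferred to apply, which a provider block cannot wait for), and the resolved password is written to Terraform state, so keep that state backend encrypted and access-controlled.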