Skip navigation links

Package software.amazon.awscdk.services.msk

Amazon Managed Streaming for Apache Kafka Construct Library

See: Description

Package software.amazon.awscdk.services.msk Description

Amazon Managed Streaming for Apache Kafka Construct Library

---

cfn-resources: Stable

All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

cdk-constructs: Experimental

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


Amazon MSK is a fully managed service that makes it easy for you to build and run applications that use Apache Kafka to process streaming data.

The following example creates an MSK Cluster.

 Vpc vpc;
 
 Cluster cluster = Cluster.Builder.create(this, "Cluster")
         .clusterName("myCluster")
         .kafkaVersion(KafkaVersion.V2_8_1)
         .vpc(vpc)
         .build();
 

Allowing Connections

To control who can access the Cluster, use the .connections attribute. For a list of ports used by MSK, refer to the MSK documentation.

 Vpc vpc;
 
 Cluster cluster = Cluster.Builder.create(this, "Cluster")
         .clusterName("myCluster")
         .kafkaVersion(KafkaVersion.V2_8_1)
         .vpc(vpc)
         .build();
 
 cluster.connections.allowFrom(Peer.ipv4("1.2.3.4/8"), Port.tcp(2181));
 cluster.connections.allowFrom(Peer.ipv4("1.2.3.4/8"), Port.tcp(9094));
 

Cluster Endpoints

You can use the following attributes to get a list of the Kafka broker or ZooKeeper node endpoints

 Cluster cluster;
 
 CfnOutput.Builder.create(this, "BootstrapBrokers").value(cluster.getBootstrapBrokers()).build();
 CfnOutput.Builder.create(this, "BootstrapBrokersTls").value(cluster.getBootstrapBrokersTls()).build();
 CfnOutput.Builder.create(this, "BootstrapBrokersSaslScram").value(cluster.getBootstrapBrokersSaslScram()).build();
 CfnOutput.Builder.create(this, "ZookeeperConnection").value(cluster.getZookeeperConnectionString()).build();
 CfnOutput.Builder.create(this, "ZookeeperConnectionTls").value(cluster.getZookeeperConnectionStringTls()).build();
 

Importing an existing Cluster

To import an existing MSK cluster into your CDK app use the .fromClusterArn() method.

 ICluster cluster = Cluster.fromClusterArn(this, "Cluster", "arn:aws:kafka:us-west-2:1234567890:cluster/a-cluster/11111111-1111-1111-1111-111111111111-1");
 

Client Authentication

MSK supports the following authentication mechanisms.

Only one authentication method can be enabled.

TLS

To enable client authentication with TLS set the certificateAuthorityArns property to reference your ACM Private CA. More info on Private CAs.

 import software.amazon.awscdk.services.acmpca.*;
 
 Vpc vpc;
 
 Cluster cluster = Cluster.Builder.create(this, "Cluster")
         .clusterName("myCluster")
         .kafkaVersion(KafkaVersion.V2_8_1)
         .vpc(vpc)
         .encryptionInTransit(EncryptionInTransitConfig.builder()
                 .clientBroker(ClientBrokerEncryption.TLS)
                 .build())
         .clientAuthentication(ClientAuthentication.tls(TlsAuthProps.builder()
                 .certificateAuthorities(List.of(CertificateAuthority.fromCertificateAuthorityArn(this, "CertificateAuthority", "arn:aws:acm-pca:us-west-2:1234567890:certificate-authority/11111111-1111-1111-1111-111111111111")))
                 .build()))
         .build();
 

SASL/SCRAM

Enable client authentication with SASL/SCRAM:

 Vpc vpc;
 
 Cluster cluster = Cluster.Builder.create(this, "cluster")
         .clusterName("myCluster")
         .kafkaVersion(KafkaVersion.V2_8_1)
         .vpc(vpc)
         .encryptionInTransit(EncryptionInTransitConfig.builder()
                 .clientBroker(ClientBrokerEncryption.TLS)
                 .build())
         .clientAuthentication(ClientAuthentication.sasl(SaslAuthProps.builder()
                 .scram(true)
                 .build()))
         .build();
 

SASL/IAM

Enable client authentication with IAM:

 Vpc vpc;
 
 Cluster cluster = Cluster.Builder.create(this, "cluster")
         .clusterName("myCluster")
         .kafkaVersion(KafkaVersion.V2_8_1)
         .vpc(vpc)
         .encryptionInTransit(EncryptionInTransitConfig.builder()
                 .clientBroker(ClientBrokerEncryption.TLS)
                 .build())
         .clientAuthentication(ClientAuthentication.sasl(SaslAuthProps.builder()
                 .iam(true)
                 .build()))
         .build();
 
Skip navigation links