IaC Bazaar
AWS · Live-tested

MSK Serverless (Apache Kafka)

An MSK Serverless Apache Kafka cluster with no brokers to size — SASL/IAM authentication only, encryption in transit and at rest always on, multi-AZ placement, and a locked-down security group.

terraform · AWS · #aws
aws-msk · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

aws-msk

Amazon MSK Serverless — a fully-managed, on-demand Apache Kafka cluster with no brokers to size, patch, or pay for at idle. You provision topics, not instances; capacity scales automatically. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. Secure by default and self-contained: authentication is SASL/IAM only (the single mode serverless supports), encryption in transit and at rest is always on, the cluster is never publicly reachable, and the networking pieces (default-VPC placement + a locked-down security group) are created for you, so a minimal cluster applies with just a cluster_name.

Why serverless: it skips broker provisioning entirely (cheaper and faster to stand up than provisioned MSK, and nothing to right-size). It is billed per partition-hour, storage, and throughput rather than per broker-hour — there are no idle instances, but an empty cluster still carries a small hourly base while it exists, so tear down test clusters promptly.

Secure defaults:

  • SASL/IAM authentication — every client authenticates and authorizes through IAM. There are no plaintext listeners and no SCRAM secrets to rotate (serverless does not offer unauthenticated or TLS-mutual-auth modes).
  • Encryption in transit and at rest — always on, managed by the service; clients speak Kafka over TLS on port 9098.
  • No public exposure — access is via a module-created security group that opens the Kafka IAM port only to allowed_cidrs / allowed_security_group_ids (no ingress at all by default).
  • Multi-AZ placement — the cluster spreads its network interfaces across 2–3 Availability Zones (default-VPC subnets when you don't pin your own).
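
The posture described in the list above, sketched with plain AWS provider resources. This is an added example, not the IaC Bazaar module's own code; the variable and resource names (`vpc_id`, `subnet_ids`, `kafka`, `kafka_iam`, `this`) and the cluster name are assumptions made for illustration.

```hcl
# Added example: names are illustrative, not the module's interface.
variable "vpc_id" { type = string }

variable "subnet_ids" {
  type = list(string)
  validation {
    # Checks the count only; placing them in distinct AZs is up to the caller.
    condition     = length(var.subnet_ids) >= 2
    error_message = "Provide at least two subnets, each in a different Availability Zone."
  }
}

variable "allowed_cidrs" {
  type    = list(string)
  default = [] # no ingress at all unless the caller opts in
  validation {
    condition     = alltrue([for c in var.allowed_cidrs : can(cidrhost(c, 0)) && !endswith(c, "/0")])
    error_message = "Each entry must be a valid CIDR and must not be a /0 range."
  }
}

# No inline rules: ingress is attached separately, one rule per allowed CIDR.
resource "aws_security_group" "kafka" {
  name_prefix = "msk-serverless-"
  description = "Kafka SASL/IAM clients only"
  vpc_id      = var.vpc_id
}

# Only the IAM listener port (9098/TCP) is ever opened.
resource "aws_vpc_security_group_ingress_rule" "kafka_iam" {
  for_each          = toset(var.allowed_cidrs)
  security_group_id = aws_security_group.kafka.id
  description       = "Kafka over TLS with IAM auth"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 9098
  to_port           = 9098
}

resource "aws_msk_serverless_cluster" "this" {
  cluster_name = "example-cluster"
  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = [aws_security_group.kafka.id]
  }
  client_authentication {
    sasl {
      iam { enabled = true } # SASL/IAM, the mode the page describes
    }
  }
}
```

With `allowed_cidrs` left empty the security group has no ingress rules, so nothing can reach port 9098 until a caller range is listed explicitly.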

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.