ACL | efficient access control library for your PHP application | Database library

You have instructed the aws_wafv2_web_acl resource to use the count meta-argument [1], which as the name suggests uses numbers. It creates an array where you can access elements by referencing the element of the array. In your case that would be aws_wafv2_web_acl.waf_acl_regional[0]. On the other hand, the for_each meta-argument [2] uses key/value pairs. That means that in order to fetch a value, you have to have a key which will be used as a reference to a value. For example, that would be something like aws_wafv2_web_acl.waf_acl_regional["prod"]. That further means that the var.env would have to be of type map or set [3]. Those types are complex types in Terraform.

[1] https://www.terraform.io/language/meta-arguments/count

[2] https://www.terraform.io/language/meta-arguments/for_each

[3] https://www.terraform.io/language/expressions/type-constraints#complex-types

change that to below format as email is not proper as sendgrid accept in this format

Terraform AWS Provider is upgraded to version 4.0.0 which is published on 10 February 2022.

Major changes in the release include:

• Version 4.0.0 of the AWS Provider introduces significant changes to the aws_s3_bucket resource.
• Version 4.0.0 of the AWS Provider will be the last major version to support EC2-Classic resources as AWS plans to fully retire EC2-Classic Networking. See the AWS News Blog for additional details.
• Version 4.0.0 and 4.x.x versions of the AWS Provider will be the last versions compatible with Terraform 0.12-0.15.

The reason for this change by Terraform is as follows: To help distribute the management of S3 bucket settings via independent resources, various arguments and attributes in the aws_s3_bucket resource have become read-only. Configurations dependent on these arguments should be updated to use the corresponding aws_s3_bucket_* resource. Once updated, new aws_s3_bucket_* resources should be imported into Terraform state.

So, I updated my code accordingly by following the guide here: Terraform AWS Provider Version 4 Upgrade Guide | S3 Bucket Refactor

The new working code looks like this:

I tested this with a few folders setting up different ACLs with my own user and it seem to be working but I haven't tested enough to be sure. Basically, the script will loop through directories and add the ACLs to a dictionary where the Keys are each IdentityReference and the Values are the properties from the ACLs which you're interested on (FileSystemRights and AccessControlType) in addition to the folder's absolute path. While enumerating the directories, each object will be compared against the stored values using the Compare-Acl function which only returns $true if the object is different.

As stated in above comment. I'd try to run the scriptblock via Invoke-Command with the -AsJob parameter. Which will return a job, that you can await. Combined with PSRemoting you can fire multiple Invoke-Commands that'll return a job to a remote execution. See the PowerShell docu for an example. If you need to pass local parameters to the remote job, in a readonly manner, see this example.

It seems I had to enable ACL here:

Might adding the following check before $Permissions = (Get-Acl -Path $sys_Path).Access would resolve the issue:

I'd like to start with a disclaimer that I'm personally not familiar with AWS MSK offering in great detail so this answer is largely based on my understanding of the open source distribution of Apache Kafka.

First - The Kafka ACLs are actually stored in Zookeeper by default so if you're not using Zookeeper, it might be worth adding this if you're not using it.

Reference - Kafka Definitive Guide - 2nd edition - Chapter 11 - Securing Kafka - Page 294

Second - If you're using SASL for authentication through any of the supported mechanisms such as GSSAPI (Kerberos), then you'll need to create a principal as you would normally create one and use one of the following options:

1. Add the required permissions for topic creation/deletion etc. using the kafka-acls command (Command Reference)

   bin/kafka-acls.sh --add --cluster --operation Create --authorizer-properties zookeeper.connect=localhost:2181 --allow-principal User:admin

   Note - admin is the assumed principal name

2. Or add admin user to the super users list in server.properties file by adding the following line so it has unrestricted access on all resources

   super.users=User:Admin

   Any more users can be added in the same line delimited by ;.

To add the strictness, you'll need to set allow.everyone.if.no.acl.found to false so any access to any resources is only granted by explicitly adding these permissions.

Third - As you've asked specifically about your root user, I'm assuming you're referring to the linux root here. You could just restrict the linux level permissions using chmod command for the kafka-acls.sh script but that is quite a crude way of achieving what you need. I'm also not entirely sure if this is doable in MSK or not.

Just considering the string that you already have:

Below should give you what you are looking for: