Skip to content

docs: Add Managed Kafka Connect terraform sample for Clusters #876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Aug 7, 2025
Merged

docs: Add Managed Kafka Connect terraform sample for Clusters #876

Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
16d7b2f
docs: Add Managed Kafka Connect terraform sample
salmany Jul 23, 2025
163059e
Update tags in main.tf
salmany Jul 23, 2025
0c1763e
Merge branch 'main' into salman-mkc-code-examples
glasnt Jul 25, 2025
dec3c5a
Addressed PR comments.
salmany Jul 28, 2025
0886c4e
Add comment to clarify memory_bytes value.
salmany Jul 28, 2025
315b503
Fix incorrect Kafka cluster reference.
salmany Jul 28, 2025
5e76619
Merge branch 'main' into salman-mkc-code-examples
salmany Jul 29, 2025
612a5ac
Workaround for subnet resource deletion.
salmany Jul 30, 2025
56482a1
Disable tests and update network resource creation
salmany Aug 6, 2025
77d90a5
Merge branch 'main' into salman-mkc-code-examples
glasnt Aug 6, 2025
627f6cb
Fix lint errors.
salmany Aug 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions managedkafka/managedkafka_create_connect_cluster/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/**
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

# [START managedkafka_create_connect_cluster_parent]
resource "google_managed_kafka_cluster" "example-kafka-cluster" {
project = data.google_project.default.project_id
cluster_id = "my-cluster-id"
location = "us-central1"
capacity_config {
vcpu_count = 3
memory_bytes = 3221225472
}
gcp_config {
access_config {
network_configs {
subnet = "projects/${data.google_project.default.number}/regions/us-central1/subnetworks/default"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this value be linked to a subnet resource? the hardcoding of the region and subnet name is suboptimal

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although I acknowledge this is suboptimal, I'm hardcoding the subnet resource due to a current limitation with deleting network attachments associated with Managed Kafka Connect clusters. I had previously attempted creating a Subnet resource as part of the code example, but it was causing test failures. (For more information, please see here)

However, hardcoding the subnet resource also seems to be no longer working (although it initially passed the test cases). This could be due to the changing test setup across runs. Do you have any suggestions on how we may proceed to pass the tests given this limitation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've committed a workaround using a provisioner for deleting leaked resources: 612a5ac

Seems to be working with test cases. Marking as resolved.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(moved my review comment to this thread)

We do not support local-exec in samples. We do not want to encourage our users to use this functionality.

If there's an upstream issue, it needs to be fixed at the resource level.

If the sample can't be tested (either now, or in general), then we can disable the terraform apply/destroy part of tests.

The google_managed_kafka_cluster takes 30 minutes to create, the google_managed_kafka_connect_cluster takes 20 minutes, unsure if this is expected.

Copy link
Contributor Author

@salmany salmany Aug 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood. Given that there is a known issue which prevents resource deletion, I believe the best path forward for now would be to disable the terraform apply/destroy part of the tests as you have suggested. Once the issue is resolved, we can update the examples to enable terraform apply/destroy.
Can you please guide how to disable the terraform apply/destroy part of tests?

(Also, it is indeed expected that the google_managed_kafka_cluster and google_managed_kafka_connect_cluster take 30 & 20 minutes to create, respectively. For reference, see here.)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glasnt:

To give you some context, there's an issue with GKE networking that leaks Network Attachment resources in a Subnet even after a ConnectCluster is deleted. This means that if we add a Subnet resource to the same Terraform config, upon TF delete action the Subnet resource's deletion will hang, as there's still a dangling Network Attachment left. The leak eventually goes away, but its indefinite - perhaps hours, perhaps days. The leak issue is pretty complex to fix and doesn't have staffing yet - so it may not land for months/quarters.

I think the best way forward is to include the subnet resources hardcoded as strings in the Terraform samples. It allows us to exercise the apply/delete logic for the ConnectCluster, which is what we care about here.

For most customers, their network resources will be managed in a separate file, often by separate teams altogether. And the lifetime of Network/Subnet resources is often longer than those of using resources like ConnectClusters. So our customers may still be ok, even with this unfortunate leak issue preventing them from putting network + ConnectCluster resources in the same file.

How does that sound?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally: Our samples should reflect best practices in real world applications. We have some samples where the configuration required to make the sample run cleanly is only useful in a CI testing instance, and not code we would suggest a user configure. In these cases, we can disable the terraform apply/destroy (among other steps), but I believe this is the best solution here.

You can disable this by adding a test.yaml file with skip: true. example. (The metadata.name is roughly the concatenation of the folder hierarchy of the sample)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the best-practice sample is not going to run without modification (ie: applying the Network resources separate from the ConnectCluster resource), is it still okay to recommend that? Should we add a comment with the limitation? We don't want to mislead users by showing them a sample that won't work out of the box.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If that staggered application is required, you can describe that in the devsite page. You can also use additional [# START and [# END tags to separate out these resources so you can describe them in context. (example)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, that sounds good - @salmany please follow the previous comment. Thank you @glasnt !

}
}
}
}

# [START managedkafka_create_connect_cluster]
resource "google_managed_kafka_connect_cluster" "example-kafka-connect-cluster" {
provider = google-beta
project = data.google_project.default.project_id # Replace this with your project ID in quotes
connect_cluster_id = "my-connect-cluster-id"
location = "us-central1"
kafka_cluster = google_managed_kafka_cluster.example-kafka-cluster.id # Replace this with the ID of the primary Managed Service for Apache Kafka cluster associated with your Connect cluster in quotes
capacity_config {
vcpu_count = 3
memory_bytes = 3221225472
}
gcp_config {
access_config {
network_configs {
primary_subnet = "projects/${data.google_project.default.number}/regions/us-central1/subnetworks/default"
}
}
}
}
# [END managedkafka_create_connect_cluster]

data "google_project" "default" {
provider = google-beta
}
# [END managedkafka_create_connect_cluster_parent]