Infrastructure Medium complexity

Migrate kafka-user Module to redpanda-user

✦ Sample Prompt
Migrate every usage of the internal `kafka-user` Terraform module to the new
`redpanda-user` module.

For each Terraform repository:
1. Find every `module "<name>" { ... }` block whose `source` references
   `kafka-user` (e.g.,
   `git::ssh://[email protected]/example/terraform-modules.git//kafka-user?ref=...`).
2. Rewrite the `source` to point at the `redpanda-user` module at the pinned target
   version (e.g., `//redpanda-user?ref=v1.0.0`; pass the version explicitly).
3. Rename input arguments using the input map:
   - `username` → `principal`
   - `kafka_cluster_id` → `redpanda_cluster_id`
   - `topic_acls = { topic = ["WRITE"] }` keeps the same shape but values must use
     the Redpanda ACL operation names (`READ`, `WRITE`, `DESCRIBE`, `ALL`)
4. Update downstream references to module outputs across the same repo:
   - `module.x.kafka_password` → `module.x.sasl_password`
   - `module.x.kafka_username` → `module.x.principal`
5. If a call site uses an input not in the rename map, leave it untouched,
   prepend `[MANUAL-REVIEW]` to the PR title, and list the unmapped inputs
   under a `## Inputs needing manual review` section in the PR body.
6. Do not run `terraform apply`; the change must be reviewed by service owners.

The Problem

Once the platform team publishes the `redpanda-user` Terraform module, every service that previously instantiated `kafka-user` needs to switch; otherwise both modules race to own the same SASL principals and topic ACLs.

The signatures differ slightly (`username` → `principal`, `topic_acls` shape changes), so the swap can’t be a pure find-and-replace. Each call site needs the input mapping applied carefully.

What Tidra Does

  1. Finds every `module "..."` block whose `source` points at the `kafka-user` module
  2. Rewrites `source` to the `redpanda-user` module at the version you specify
  3. Translates input arguments using the documented input map (`username` → `principal`, etc.)
  4. Updates downstream references to module outputs (`module.x.kafka_password` → `module.x.sasl_password`)
  5. Opens one PR per repo and lists any call sites with unmappable inputs for human review
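
The rewrite rules from steps 1 to 4 and the manual-review flag from step 5, as an added example that is not Tidra's implementation. It applies the page's rename maps to `terraform fmt`-formatted text (block braces at column 0, arguments indented two spaces) and collects unmapped inputs and ACL operations outside the page's list. The function names, the regex-based parsing and the sample values (`git.example.invalid`, `quota_bytes`) are assumptions made for illustration.

```python
import re

# Maps and ACL names come from the page's sample prompt; KEEP is never renamed or flagged.
INPUT_MAP = {"username": "principal", "kafka_cluster_id": "redpanda_cluster_id"}
OUTPUT_MAP = {"kafka_password": "sasl_password", "kafka_username": "principal"}
ACL_OPS = {"READ", "WRITE", "DESCRIBE", "ALL"}
KEEP = {"source", "version", "topic_acls", "count", "for_each", "providers", "depends_on"}
BLOCK = re.compile(r'^module\s+"([^"]+)"\s*\{\n(.*?)^\}', re.S | re.M)
ARG = re.compile(r'^ {2}(\w+)(?=\s*=)', re.M)  # top-level argument name

def migrate(tf_text, target_ref):
    """Rewrite `terraform fmt`-formatted text; return (new_text, review_items)."""
    migrated, review = [], []
    def rewrite(block):
        name, body = block.group(1), block.group(2)
        if not re.search(r'^ {2}source\s*=.*//kafka-user\?ref=', body, re.M):
            return block.group(0)  # not a kafka-user call site: leave untouched
        migrated.append(name)
        body = re.sub(r'//kafka-user\?ref=[^"]*', f'//redpanda-user?ref={target_ref}', body)
        review.extend(f"{name}: unmapped input `{a}`" for a in ARG.findall(body)
                      if a not in INPUT_MAP and a not in KEEP)
        body = ARG.sub(lambda a: "  " + INPUT_MAP.get(a.group(1), a.group(1)), body)
        acls = re.search(r'^ {2}topic_acls\s*=\s*\{(.*?)\}', body, re.S | re.M)
        lists = re.findall(r'\[(.*?)\]', acls.group(1) if acls else "", re.S)
        review.extend(f"{name}: `{op}` is not a listed Redpanda ACL operation"
                      for op in re.findall(r'"([^"]+)"', " ".join(lists)) if op not in ACL_OPS)
        return f'module "{name}" {{\n{body}}}'
    out = BLOCK.sub(rewrite, tf_text)
    for name in migrated:  # only rewrite outputs of modules that were migrated
        for old, new in OUTPUT_MAP.items():
            out = re.sub(rf'\bmodule\.{re.escape(name)}\.{old}\b', f'module.{name}.{new}', out)
    return out, review

def pr_title(base, review):
    return f"[MANUAL-REVIEW] {base}" if review else base

# Constructed sample input: the host, `quota_bytes` and the ACL values are made up.
SAMPLE = '''module "events_user" {
  source      = "git::ssh://git@git.example.invalid/tf.git//kafka-user?ref=v3.2.0"
  username    = "events-writer"
  quota_bytes = 1048576
  topic_acls = {
    events = ["WRITE", "IDEMPOTENT_WRITE"]
  }
}
output "pw" { value = module.events_user.kafka_password }
'''
if __name__ == "__main__":
    print(*migrate(SAMPLE, "v1.0.0"), sep="\n")
```

Blocks whose `source` does not reference `kafka-user` come back byte-for-byte unchanged, and output references are rewritten only for module names that were actually migrated.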

Before & After

diff
main.tf
@@ -1,8 +1,8 @@
- module "events_user" {
- source = "git::ssh://[email protected]/example/terraform-modules.git//kafka-user?ref=v3.2.0"
- username = "events-writer"
+ module "events_user" {
+ source = "git::ssh://[email protected]/example/terraform-modules.git//redpanda-user?ref=v1.0.0"
+ principal = "events-writer"
topic_acls = {
events = ["WRITE", "DESCRIBE"]
}
}
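
Review bot: the `+ source` line pins `redpanda-user` to `?ref=v1.0.0`, a git tag that can be repointed after this review; consider pinning `ref` to the full commit SHA the tag resolves to, so the module code that was reviewed is the code that gets planned. The hunk also renames `username` to `principal` without showing any consumer of `module.events_user.kafka_username` or `module.events_user.kafka_password`; if this repo has any, they need the `principal` / `sasl_password` rename in the same PR. The `module "events_user" {` line is removed and re-added unchanged, which only adds noise to the diff.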

Customization Tips

  • Input map: Provide the full input rename map. Anything not mapped is left for human review, with a `[MANUAL-REVIEW]` prefix on the PR title.
  • Output references: List the output renames (old name → new name) so downstream references update consistently.
  • Module version: Pin the target `redpanda-user` version explicitly so the migration is reproducible.
