aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-elasticache: In-transit encryption is not supported for Redis? #27379

Open adworacz opened 1 year ago

adworacz commented 1 year ago

Describe the bug

When attempting to create a Redis elasticache cluster that enables in-transit encryption, we receive the following error:

Encryption feature is not supported for engine REDIS. (Service: AmazonElastiCache; Status Code: 400; Error Code: InvalidParameterCombination; Request ID: 34376205-8f3f-43e6-8fff-c7ca185ad835; Proxy: null

This doesn't make any sense though, as the public documentation clearly states that encryption is supported: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-transitencryptionenabled

This parameter is valid only if the Engine parameter is redis,

In addition, we are using VPC, per the documentation.

Here's our code that should enable easy reproduction:

    import { SecurityGroup } from 'aws-cdk-lib/aws-ec2';
    import { CfnCacheCluster, CfnSubnetGroup } from 'aws-cdk-lib/aws-elasticache';

    // props.vpc is the ec2.IVpc passed into the stack/construct
    const redisSubnetGroup = new CfnSubnetGroup(this, 'APICacheSubnetGroup', {
      description: 'Subnet group for API cache',
      subnetIds: props.vpc.privateSubnets.map((subnet) => subnet.subnetId),
    })

    const redisSecurityGroup = new SecurityGroup(this, 'APICacheSecurityGroup', {
      vpc: props.vpc,
      description: 'Security group for API cache',
    })

    const redis = new CfnCacheCluster(this, 'APICache', {
      numCacheNodes: 1,
      engine: 'redis',
      // https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html
      // https://aws.amazon.com/elasticache/pricing/
      cacheNodeType: 'cache.m7g.large',
      cacheSubnetGroupName: redisSubnetGroup.ref,
      vpcSecurityGroupIds: [redisSecurityGroup.securityGroupId],
      transitEncryptionEnabled: true,
    })

Expected Behavior

I am able to create a Redis Elasticache instance with transit encryption enabled.

Current Behavior

An error occurs (see description)

Reproduction Steps

Use the CDK code in the description to deploy a Redis cluster.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.92.0 (build bf62e55)

Framework Version

No response

Node.js Version

18

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response

adworacz commented 1 year ago

The workaround seems to be using a CfnReplicationGroup instead.

Something like:

    import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';

    // redisSubnetGroup and redisSecurityGroup are the constructs from the original snippet
    const redis = new CfnReplicationGroup(this, 'APICacheV2', {
      engine: 'redis',
      replicationGroupDescription: 'Cache for the API',
      cacheNodeType: 'cache.t4g.micro',
      cacheSubnetGroupName: redisSubnetGroup.ref,
      securityGroupIds: [redisSecurityGroup.securityGroupId],

      transitEncryptionEnabled: true,

      // As minimal of a cache cluster as I can make.
      clusterMode: 'Disabled',
      numCacheClusters: 1,
      automaticFailoverEnabled: false,
    })
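
A check a reviewer can run over the synthesized template (the output of `cdk synth`) for the pitfall this thread describes, added here as an example and not part of the issue or of the aws-cdk project: it flags a Redis `AWS::ElastiCache::CacheCluster` that sets `TransitEncryptionEnabled` (the service rejects it with InvalidParameterCombination) and a Redis `AWS::ElastiCache::ReplicationGroup` that omits it. The template below is constructed from the two snippets in this thread plus one hypothetical ReplicationGroup without TLS; the function and type names are my own.

```typescript
// Minimal shape of a CloudFormation template as emitted by `cdk synth`.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface Finding { logicalId: string; message: string }

function isRedis(props: Record<string, unknown>): boolean {
  return String(props.Engine || '').toLowerCase() === 'redis';
}

// Walk every ElastiCache resource and report the two misconfigurations
// discussed in this issue: TLS requested on a CacheCluster (deploy fails),
// and a ReplicationGroup that leaves in-transit encryption off.
function lintElastiCacheTransitEncryption(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    const props = res.Properties || {};
    if (!isRedis(props)) continue;
    const tls = props.TransitEncryptionEnabled === true;
    if (res.Type === 'AWS::ElastiCache::CacheCluster') {
      findings.push({
        logicalId,
        message: tls
          ? 'TransitEncryptionEnabled on a Redis CacheCluster is rejected by the service; model it as AWS::ElastiCache::ReplicationGroup'
          : 'Redis CacheCluster has no in-transit encryption; use a ReplicationGroup with TransitEncryptionEnabled: true',
      });
    } else if (res.Type === 'AWS::ElastiCache::ReplicationGroup' && !tls) {
      findings.push({ logicalId, message: 'Redis ReplicationGroup without TransitEncryptionEnabled: true' });
    }
  }
  return findings;
}

// Constructed sample: what the two snippets in this thread synthesize to,
// plus a hypothetical ReplicationGroup that forgot the flag.
const sampleTemplate: CfnTemplate = {
  Resources: {
    APICache: { Type: 'AWS::ElastiCache::CacheCluster',
      Properties: { Engine: 'redis', NumCacheNodes: 1, CacheNodeType: 'cache.m7g.large', TransitEncryptionEnabled: true } },
    APICacheV2: { Type: 'AWS::ElastiCache::ReplicationGroup',
      Properties: { Engine: 'redis', ReplicationGroupDescription: 'Cache for the API', NumCacheClusters: 1, TransitEncryptionEnabled: true } },
    LegacyCache: { Type: 'AWS::ElastiCache::ReplicationGroup',
      Properties: { Engine: 'redis', ReplicationGroupDescription: 'no TLS', NumCacheClusters: 1 } },
    Sessions: { Type: 'AWS::ElastiCache::CacheCluster',
      Properties: { Engine: 'memcached', NumCacheNodes: 1 } },
  },
};

// Expected: findings for APICache and LegacyCache only.
console.log(lintElastiCacheTransitEncryption(sampleTemplate));
```

Point it at `cdk.out/<stack>.template.json` to catch the misconfiguration before the deploy fails at the API.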

indrora commented 1 year ago

Yup, this looks like an oversight somewhere.

This parameter is valid only if the Engine parameter is redis, the EngineVersion parameter is 3.2.6 or 4.x onward, and the cluster is being created in an Amazon VPC.

There's a few other checks that have to be made as well here.

adworacz commented 1 year ago

Agreed. I also realized that I included the link to the ReplicationGroup documentation instead of the CacheCluster documentation in my OP. I've fixed this.

Here's the current documentation for CacheCluster + in-transit encryption: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-transitencryptionenabled

It doesn't mention any stipulations at all, which is rather surprising given the stipulations that exist on ReplicationGroup.

manojkarrolla commented 11 months ago

I think I have a similar issue when trying to create ElastiCache with Terraform. It seems like it is working fine with the same configuration via the console but doesn't work through the CLI:

Error: creating ElastiCache Cache Cluster (lab-redis): InvalidParameterCombination: Encryption feature is not supported for engine REDIS.
│       status code: 400, request id: 1a3d764c-90a2-4a25-9a1d-cf90883fd006

adworacz commented 11 months ago

Yeah, I'm starting to wonder if this isn't a CDK issue at all, and is in fact an underlying "service doesn't meet documentation" issue.

uncaught commented 2 months ago

CloudFormation template has this, too, so not an SDK problem.

The "encryption at rest" feature is also missing entirely.

tomaszczechowski commented 3 weeks ago

Looks like the issue is still open; I just ran into the same using Terraform.