search

cloudposse / terraform-aws-elasticache-redis

Terraform module to provision an ElastiCache Redis Cluster
https://cloudposse.com/accelerate
Apache License 2.0
141 stars 246 forks source link

InvalidParameterCombination: Transit encryption preferred is not supported with redis access control. #239

Closed syphernl closed 3 weeks ago

syphernl commented 3 weeks ago

Describe the Bug

After updating to https://github.com/cloudposse/terraform-aws-elasticache-redis/releases/tag/1.4.0 a terraform apply is failing with

InvalidParameterCombination: Transit encryption preferred is not supported with redis access control.

Expected Behavior

No error

Steps to Reproduce

Screenshots

No response

Environment

hashicorp/aws v5.54.1

Additional Context

This is the resource it wants to create:

  + resource "aws_elasticache_replication_group" "default" {
      + apply_immediately              = true
      + arn                            = (known after apply)
      + at_rest_encryption_enabled     = false
      + auth_token                     = (sensitive value)
      + auth_token_update_strategy     = "ROTATE"
      + auto_minor_version_upgrade     = (known after apply)
      + automatic_failover_enabled     = false
      + cluster_enabled                = (known after apply)
      + configuration_endpoint_address = (known after apply)
      + data_tiering_enabled           = false
      + description                    = "example-staging-redis-sessions"
      + engine                         = "redis"
      + engine_version                 = "7.1"
      + engine_version_actual          = (known after apply)
      + global_replication_group_id    = (known after apply)
      + id                             = (known after apply)
      + ip_discovery                   = (known after apply)
      + maintenance_window             = "wed:03:00-wed:04:00"
      + member_clusters                = (known after apply)
      + multi_az_enabled               = false
      + network_type                   = (known after apply)
      + node_type                      = "cache.t4g.micro"
      + num_cache_clusters             = 1
      + num_node_groups                = (known after apply)
      + parameter_group_name           = "example-staging-redis-sessions-redis7"
      + port                           = 6379
      + primary_endpoint_address       = (known after apply)
      + reader_endpoint_address        = (known after apply)
      + replicas_per_node_group        = (known after apply)
      + replication_group_id           = "example-staging-redis-sessions"
      + security_group_ids             = [
          + "sg-01e0e15d341a8b50f",
        ]
      + security_group_names           = (known after apply)
      + snapshot_retention_limit       = 0
      + snapshot_window                = "06:30-07:30"
      + subnet_group_name              = "example-staging-redis-sessions"
      + tags                           = {
          + "Attributes" = "sessions"
          + "Name"       = "example-staging-redis-sessions"
          + "Namespace"  = "example"
          + "Stage"      = "staging"
        }
      + tags_all                       = {
          + "Attributes" = "sessions"
          + "Name"       = "example-staging-redis-sessions"
          + "Namespace"  = "example"
          + "Stage"      = "staging"
        }
      + transit_encryption_enabled     = true
      + transit_encryption_mode        = "preferred"
        # (1 unchanged attribute hidden)
    }

For 1.3.0 this is:

      + transit_encryption_enabled     = true
      + transit_encryption_mode        = (known after apply)

Due to the validation rules transit_encryption_mode cannot be set to null to get the old behavior back.

Related PR: #231

syphernl commented 3 weeks ago

Its still early, I see a PR has already been created to fix this: #238