hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_elasticache_cluster: redis in-transit and at-rest encryption #22123

Open alex4108 opened 2 years ago

alex4108 commented 2 years ago

Description

Feature gap in aws_elasticache_cluster prevents managing in-transit and at-rest encryption.

New or Affected Resource(s)

aws_elasticache_cluster

Potential Terraform Configuration

resource "aws_elasticache_cluster" "demo" { 
  // ...
  auth_token = "string"
  at_rest_encryption_enabled    = true
  transit_encryption_enabled    = true
  // ...
}

References

Implementation of the topic in aws_elasticache_replication_group

More descriptions & discussion about the topic

alex4108 commented 2 years ago

It looks like we can work around this using this example.

resource "aws_elasticache_replication_group" "this" {
  // ...
  auth_token                 = "string"
  at_rest_encryption_enabled = true
  transit_encryption_enabled = true
  // ...
}

resource "aws_elasticache_cluster" "this" {
  cluster_id           = "foo"
  // reference the group's id attribute, not the whole resource object
  replication_group_id = aws_elasticache_replication_group.this.id
}

This yields us a Redis Cluster Mode Off ElastiCache cluster with the appropriate encryption parameters

loftwah commented 2 years ago

> It looks like we can work around this using this example.
>
> resource "aws_elasticache_replication_group" "this" {
>   // ...
>   auth_token                 = "string"
>   at_rest_encryption_enabled = true
>   transit_encryption_enabled = true
>   // ...
> }
>
> resource "aws_elasticache_cluster" "this" {
>   cluster_id           = "foo"
>   // reference the group's id attribute, not the whole resource object
>   replication_group_id = aws_elasticache_replication_group.this.id
> }
>
> This yields us a Redis Cluster Mode Off ElastiCache cluster with the appropriate encryption parameters

Thank you! This helped me out and I'm surprised I had to look so deep to find it.

Edit: it turns out I don't need the aws_elasticache_cluster resource at all here.

Mifrill commented 1 year ago

Hey @alex4108 regarding your comment:

> This yields us a Redis Cluster

Could you please confirm it works with Redis? According to the documentation for the transit_encryption_enabled option, it seems like it only works if the engine is Memcached, not Redis. Or does it work with any Redis, and with Memcached only with versions 1.6.12 and later?

@loftwah Could you also please check if you using Redis engine?

mel510 commented 6 months ago

> Could you please confirm it works with Redis? According to the documentation for the transit_encryption_enabled option, it seems like it only works if the engine is Memcached, not Redis. Or does it work with any Redis, and with Memcached only with versions 1.6.12 and later?
>
> @loftwah Could you also please check if you are using the Redis engine?

Any luck with this @Mifrill? I'm running into this as well.

loftwah commented 6 months ago

Mine came down to me using the incorrect resource type.

mel510 commented 6 months ago

@loftwah Ah, I see. We have to use the replication group to be able to use the encryption arguments, even if we only want a "group" of one. Thank you!

Mifrill commented 6 months ago

Hey, @mel510 nope. I faced it during work on enabling the Redis in-transit and at-rest encryption for a specific service. In my case, the change of this parameter has not changed anything.
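A complete configuration for the workaround the thread settles on (a Redis replication group of one, because aws_elasticache_cluster only exposes transit_encryption_enabled for Memcached and has no at-rest argument at all), added here as an example; it is not code from the issue or from the provider's documentation. The resource and variable names, the engine versions, and the subnet group and security group inputs are assumptions. It also covers the Memcached question raised above: aws_elasticache_cluster does accept transit_encryption_enabled for Memcached 1.6.12 or later.

```hcl
# Added example, not from the issue or the provider. Names, versions, subnet
# group and security group inputs are assumptions.

variable "redis_auth_token" {
  description = "Redis AUTH token: 16-128 printable ASCII chars, excluding '/', '\"' and '@'"
  type        = string
  sensitive   = true

  # Enforce the ElastiCache AUTH token rules before an apply fails remotely.
  validation {
    condition     = can(regex("^[!-~]{16,128}$", var.redis_auth_token)) && !can(regex("[/\"@]", var.redis_auth_token))
    error_message = "auth_token must be 16-128 printable ASCII characters and must not contain '/', '\"' or '@'."
  }
}

variable "private_subnet_ids" {
  description = "Assumed: private subnets the cache nodes are placed in"
  type        = list(string)
}

variable "cache_security_group_ids" {
  description = "Assumed: security groups allowing only the application tier to reach the cache ports"
  type        = list(string)
}

resource "aws_elasticache_subnet_group" "demo" {
  name       = "demo-cache-subnets"
  subnet_ids = var.private_subnet_ids
}

# Redis, cluster mode off, a single node: the "group of one" the thread lands on.
resource "aws_elasticache_replication_group" "redis" {
  replication_group_id = "demo-redis"
  description          = "Cluster-mode-off Redis with at-rest and in-transit encryption"

  engine         = "redis"
  engine_version = "7.1"             # assumed; pick a version your account supports
  node_type      = "cache.t4g.small" # assumed
  port           = 6379

  num_cache_clusters         = 1     # one primary, no replicas
  automatic_failover_enabled = false # needs at least two cache clusters

  # The arguments the issue asks for on aws_elasticache_cluster.
  at_rest_encryption_enabled = true  # only settable at creation; changing it replaces the group
  transit_encryption_enabled = true  # required before auth_token is accepted
  auth_token                 = var.redis_auth_token

  subnet_group_name  = aws_elasticache_subnet_group.demo.name
  security_group_ids = var.cache_security_group_ids
}

# Memcached: aws_elasticache_cluster does take transit_encryption_enabled here,
# but only for engine versions 1.6.12 and later, and there is no at-rest option.
resource "aws_elasticache_cluster" "memcached" {
  cluster_id      = "demo-memcached"
  engine          = "memcached"
  engine_version  = "1.6.12"         # assumed; minimum for in-transit encryption
  node_type       = "cache.t4g.small"
  num_cache_nodes = 1
  port            = 11211

  transit_encryption_enabled = true

  subnet_group_name  = aws_elasticache_subnet_group.demo.name
  security_group_ids = var.cache_security_group_ids
}

# rediss:// signals TLS to clients; plain redis:// will fail the handshake
# once transit_encryption_enabled is on.
output "redis_tls_endpoint" {
  value = "rediss://${aws_elasticache_replication_group.redis.primary_endpoint_address}:${aws_elasticache_replication_group.redis.port}"
}
```

Two caveats worth checking before relying on this: at_rest_encryption_enabled cannot be turned on for an existing replication group, so a plan that flips it will show a replacement rather than an in-place update, and `sensitive = true` only redacts the token from plan and apply output; it is still written to the state file in clear, so the state backend needs the same access controls as the token itself.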