Support at-rest and in-transit encryption for aws_elasticache_cluster (Redis)

[tomdev]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

ElastiCache Redis version 4.0+ supports encryption at-rest and in-transit, also for non-clustered mode.

The terraform aws_elasticache_cluster currently does not support these features.

New or Affected Resource(s)

• aws_elasticache_cluster

Potential Terraform Configuration

Similar to how this is implemented in aws_elasticache_replication_group:

resource "aws_elasticache_cluster" "encrypted_redis" {
    [...]
    engine_version: "4.0.10"
    at_rest_encryption_enabled: true
    transit_encryption_enabled: true
}

References

• https://github.com/terraform-providers/terraform-provider-aws/pull/2090
• https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
• https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html

[saravanan30erd]

related #4105

[saravanan30erd]

Looks like TransitEncryptionEnabled is still not configured in AWS API(https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheCluster.html).

[bflad]

@saravanan30erd appears to be correct here -- this feature is not available with the aws_elasticache_cluster resource because the underlying Elasticache API does not support it.

Elasticache has some confusing terminology when it comes to "clusters", where a Redis "cluster" (cluster mode enabled or disabled) is actually a "replication group" in terms of the API (and subsequently Terraform since it follows to the API implementation).

You can create encrypted Redis replication groups (cluster mode enabled or disabled) via the aws_elasticache_replication_group resource.

Since there's nothing to implement here until AWS adds encryption support for individual Redis nodes (annoyingly "clusters" in the API) or Memcached clusters, we'll close this issue out until that changes.

[michal-kosinski]

@bflad can we please reopen? Encryption in-transit and at-rest is now available both in create-cache-cluster and create-replication-group in AWS API.

[facos86]

Yes, we badly need this to improve the security of our redis cache cluster

[krishnaastica]

Yep.. This feature is most essential

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!