@@ -93,7 +93,23 @@ the registry shows many of our inputs as required when in fact they are optional
...
@@ -93,7 +93,23 @@ the registry shows many of our inputs as required when in fact they are optional
The table below correctly indicates which inputs are required.
The table below correctly indicates which inputs are required.
Note that this uses secure defaults. One of the ways this module can trip users up is with `transit_encryption_enabled` which is `true` by default. With this enabled, one does not simply `redis-cli` in without setting up an `stunnel`. Amazon provides [good docs on how to connect with it enabled](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls). If this is not desired behavior, set `transit_encryption_enabled=false`.
Note that this uses secure defaults. One of the ways this module can trip users up is with `transit_encryption_enabled`
which is `true` by default. With this enabled, one does not simply `redis-cli` in without setting up an `stunnel`.
Amazon provides [good documentation on how to connect with it enabled](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls).
If this is not desired behavior, set `transit_encryption_enabled=false`.
This module creates, by default, a new security group for the Elasticache Redis Cluster. When a configuration
change (for example, a different security group name) cannot be applied to the security group, Terraform will
replace that security group with a new one with the new configuration. In order to allow Terraform to fully manage the security group, you
should not place any other resources in (or associate any other resources with) the security group this module
creates. Also, in order to keep things from breaking when this module replaces the security group, you should
not reference the created security group anywhere else (such as in rules in other security groups). If you
want to associate the cluster with a more stable security group that you can reference elsewhere, create that security group
outside this module (perhaps with [terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group))
and pass the security group ID in via `associated_security_group_ids`.
**Note about `zone_id`**: Previously, `zone_id` was a string. This caused problems (see [#82](https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/82)).
Now `zone_id` should be supplied as a `list(string)`, either empty or with exactly 1 zone ID in order to avoid the problem.
For a complete example, see [examples/complete](examples/complete).
For a complete example, see [examples/complete](examples/complete).
...
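Review bot: The new security-group paragraph ends by telling users to create a stable group outside the module and pass it in via `associated_security_group_ids`, but it never mentions `create_security_group`, which the inputs table lists with default `true`. A reader who follows this advice as written still gets the module-managed group attached alongside their own. Suggest adding one sentence: set `create_security_group = false` when the externally managed group is meant to be the only one, in which case (per the `associated_security_group_ids` description) that group must provide all the required access. It would also help to say here that the `security_group_id` and `security_group_name` outputs change whenever the group is replaced, since the paragraph asks users not to reference the created group elsewhere while the module still exports it.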
@@ -104,41 +120,49 @@ provider "aws" {
...
@@ -104,41 +120,49 @@ provider "aws" {
region=var.region
region=var.region
}
}
module"vpc"{
module"this"{
source="cloudposse/vpc/aws"
source="cloudposse/label/null"
# Cloud Posse recommends pinning every module to a specific version
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
# version = "x.x.x"
namespace=var.namespace
namespace=var.namespace
stage=var.stage
stage=var.stage
name=var.name
name=var.name
}
module"vpc"{
source="cloudposse/vpc/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
cidr_block="172.16.0.0/16"
cidr_block="172.16.0.0/16"
context=module.this.context
}
}
module"subnets"{
module"subnets"{
source="cloudposse/dynamic-subnets/aws"
source="cloudposse/dynamic-subnets/aws"
# Cloud Posse recommends pinning every module to a specific version
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
# version = "x.x.x"
availability_zones=var.availability_zones
availability_zones=var.availability_zones
namespace=var.namespace
stage=var.stage
name=var.name
vpc_id=module.vpc.vpc_id
vpc_id=module.vpc.vpc_id
igw_id=module.vpc.igw_id
igw_id=module.vpc.igw_id
cidr_block=module.vpc.vpc_cidr_block
cidr_block=module.vpc.vpc_cidr_block
nat_gateway_enabled=true
nat_gateway_enabled=true
nat_instance_enabled=false
nat_instance_enabled=false
context=module.this.context
}
}
module"redis"{
module"redis"{
source="cloudposse/elasticache-redis/aws"
source="cloudposse/elasticache-redis/aws"
# Cloud Posse recommends pinning every module to a specific version
# Cloud Posse recommends pinning every module to a specific version
| <aname="input_additional_security_group_rules"></a>[additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones<br>this module normally creates. (To suppress the module's rules, set `create_security_group` to false<br>and supply your own security group via `associated_security_group_ids`.)<br>The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except<br>for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.<br>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no |
| <aname="input_additional_tag_map"></a>[additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <aname="input_additional_tag_map"></a>[additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <aname="input_alarm_actions"></a>[alarm\_actions](#input\_alarm\_actions) | Alarm action list | `list(string)` | `[]` | no |
| <aname="input_alarm_actions"></a>[alarm\_actions](#input\_alarm\_actions) | Alarm action list | `list(string)` | `[]` | no |
| <aname="input_alarm_cpu_threshold_percent"></a>[alarm\_cpu\_threshold\_percent](#input\_alarm\_cpu\_threshold\_percent) | CPU threshold alarm level | `number` | `75` | no |
| <aname="input_alarm_cpu_threshold_percent"></a>[alarm\_cpu\_threshold\_percent](#input\_alarm\_cpu\_threshold\_percent) | CPU threshold alarm level | `number` | `75` | no |
| <aname="input_allow_all_egress"></a>[allow\_all\_egress](#input\_allow\_all\_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.<br>If this is false and no egress rules are otherwise specified, then no egress will be allowed.<br>Defaults to `true` unless the deprecated `egress_cidr_blocks` is provided and is not `["0.0.0.0/0"]`, in which case defaults to `false`. | `bool` | `null` | no |
| <aname="input_allowed_cidr_blocks"></a>[allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | DEPRECATED: Use `additional_security_group_rules` instead.<br>Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module | `list(string)` | `[]` | no |
| <aname="input_allowed_security_group_ids"></a>[allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no |
| <aname="input_allowed_security_groups"></a>[allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead. | `list(string)` | `[]` | no |
| <aname="input_associated_security_group_ids"></a>[associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.<br>These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no |
| <aname="input_at_rest_encryption_enabled"></a>[at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Enable encryption at rest | `bool` | `false` | no |
| <aname="input_at_rest_encryption_enabled"></a>[at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Enable encryption at rest | `bool` | `false` | no |
| <aname="input_attributes"></a>[attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <aname="input_attributes"></a>[attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <aname="input_auth_token"></a>[auth\_token](#input\_auth\_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no |
| <aname="input_auth_token"></a>[auth\_token](#input\_auth\_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no |
...
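Review bot: In the new `allow_all_egress` row, the Default column shows `null` while the description says the input defaults to `true` unless the deprecated `egress_cidr_blocks` is set, so a reader scanning the table cannot tell that the created security group allows egress on all ports and protocols to all addresses unless they opt out. Suggest stating the effective default in the first sentence of the description, and noting in the `additional_security_group_rules` row that callers who want tighter egress should set `allow_all_egress = false` and supply their own egress rules there. Minor: "to all IP address" should read "to all IP addresses".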
@@ -253,13 +263,16 @@ Available targets:
...
@@ -253,13 +263,16 @@ Available targets:
| <aname="input_cluster_mode_replicas_per_node_group"></a>[cluster\_mode\_replicas\_per\_node\_group](#input\_cluster\_mode\_replicas\_per\_node\_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no |
| <aname="input_cluster_mode_replicas_per_node_group"></a>[cluster\_mode\_replicas\_per\_node\_group](#input\_cluster\_mode\_replicas\_per\_node\_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no |
| <aname="input_cluster_size"></a>[cluster\_size](#input\_cluster\_size) | Number of nodes in cluster. *Ignored when `cluster_mode_enabled` == `true`* | `number` | `1` | no |
| <aname="input_cluster_size"></a>[cluster\_size](#input\_cluster\_size) | Number of nodes in cluster. *Ignored when `cluster_mode_enabled` == `true`* | `number` | `1` | no |
| <aname="input_context"></a>[context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <aname="input_context"></a>[context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <aname="input_create_security_group"></a>[create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no |
| <aname="input_delimiter"></a>[delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <aname="input_delimiter"></a>[delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <aname="input_descriptor_formats"></a>[descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <aname="input_descriptor_formats"></a>[descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <aname="input_dns_subdomain"></a>[dns\_subdomain](#input\_dns\_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no |
| <aname="input_dns_subdomain"></a>[dns\_subdomain](#input\_dns\_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no |
| <aname="input_egress_cidr_blocks"></a>[egress\_cidr\_blocks](#input\_egress\_cidr\_blocks) | DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead.<br>Historical description: Outbound traffic address.<br>Historical default: ["0.0.0.0/0"] | `list(any)` | `null` | no |
| <aname="input_elasticache_subnet_group_name"></a>[elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no |
| <aname="input_elasticache_subnet_group_name"></a>[elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no |
| <aname="input_enabled"></a>[enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <aname="input_enabled"></a>[enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <aname="input_engine_version"></a>[engine\_version](#input\_engine\_version) | Redis engine version | `string` | `"4.0.10"` | no |
| <aname="input_engine_version"></a>[engine\_version](#input\_engine\_version) | Redis engine version | `string` | `"4.0.10"` | no |
| <aname="input_environment"></a>[environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <aname="input_environment"></a>[environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <aname="input_existing_security_groups"></a>[existing\_security\_groups](#input\_existing\_security\_groups) | DEPRECATED: Use `associated_security_group_ids` instead.<br>Historical description: List of existing Security Group IDs to place the cluster into.<br>Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster. | `list(string)` | `[]` | no |
| <aname="input_family"></a>[family](#input\_family) | Redis family | `string` | `"redis4.0"` | no |
| <aname="input_family"></a>[family](#input\_family) | Redis family | `string` | `"redis4.0"` | no |
| <aname="input_final_snapshot_identifier"></a>[final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no |
| <aname="input_final_snapshot_identifier"></a>[final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no |
| <aname="input_id_length_limit"></a>[id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <aname="input_id_length_limit"></a>[id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
...
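Review bot: The rows marking `egress_cidr_blocks` and `existing_security_groups` as DEPRECATED do not say what happens when a caller sets both the deprecated input and its replacement (`allow_all_egress` and `additional_security_group_rules`, or `associated_security_group_ids`): whether the values are merged, one takes precedence, or the plan fails. For inputs that decide which security groups and egress rules the cluster ends up with, that should be spelled out in the description. The `create_security_group` row also states that `associated_security_group_ids` must be provided when it is `false`; if that is enforced, say how it fails, and if it is not, say what the cluster ends up attached to. Minor: `egress_cidr_blocks` is typed `list(any)` although its historical default is a list of CIDR strings, so `list(string)` would document it better.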
@@ -279,11 +292,11 @@ Available targets:
...
@@ -279,11 +292,11 @@ Available targets:
| <aname="input_port"></a>[port](#input\_port) | Redis port | `number` | `6379` | no |
| <aname="input_port"></a>[port](#input\_port) | Redis port | `number` | `6379` | no |
| <aname="input_regex_replace_chars"></a>[regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <aname="input_regex_replace_chars"></a>[regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <aname="input_replication_group_id"></a>[replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints: <br>A name must contain from 1 to 20 alphanumeric characters or hyphens. <br> The first character must be a letter. <br> A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no |
| <aname="input_replication_group_id"></a>[replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints: <br>A name must contain from 1 to 20 alphanumeric characters or hyphens. <br> The first character must be a letter. <br> A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no |
| <aname="input_security_group_description"></a>[security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"ElastiCache Security Group"` | no |
| <aname="input_security_group_create_before_destroy"></a>[security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.<br>We only recommend setting this `false` if you are upgrading this module and need to keep<br>the existing security group from being replaced.<br>Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no |
| <aname="input_security_group_enabled"></a>[security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create default Security Group for ElastiCache. | `bool` | `true` | no |
| <aname="input_security_group_create_timeout"></a>[security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no |
| <aname="input_security_group_rules"></a>[security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules. <br>The values of map is fully complated with `aws_security_group_rule` resource. <br>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | <pre>[<br> {<br> "cidr_blocks": [<br> "0.0.0.0/0"<br> ],<br> "description": "Allow all outbound traffic",<br> "from_port": 0,<br> "protocol": "-1",<br> "to_port": 65535,<br> "type": "egress"<br> }<br>]</pre> | no |
| <aname="input_security_group_delete_timeout"></a>[security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no |
| <aname="input_security_group_use_name_prefix"></a>[security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no |
| <aname="input_security_group_description"></a>[security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.<br>Warning: Changing the description causes the security group to be replaced.<br>Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no |
| <aname="input_security_groups"></a>[security\_groups](#input\_security\_groups) | A list of Security Group IDs to associate with ElastiCache. | `list(string)` | `[]` | no |
| <aname="input_security_group_name"></a>[security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.<br>If not provided, will be derived from the `null-label.context` passed in.<br>If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no |
| <aname="input_snapshot_arns"></a>[snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no |
| <aname="input_snapshot_arns"></a>[snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no |
| <aname="input_snapshot_name"></a>[snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no |
| <aname="input_snapshot_name"></a>[snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no |
| <aname="input_snapshot_retention_limit"></a>[snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no |
| <aname="input_snapshot_retention_limit"></a>[snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <aname="input_tenant"></a>[tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <aname="input_tenant"></a>[tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <aname="input_transit_encryption_enabled"></a>[transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Whether to enable encryption in transit. If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis | `bool` | `true` | no |
| <aname="input_transit_encryption_enabled"></a>[transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.<br>If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no |
| <aname="input_use_existing_security_groups"></a>[use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.<br>Historical description: Flag to enable/disable creation of Security Group in the module.<br>Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.<br>Historical default: `false` | `bool` | `null` | no |
| <aname="input_zone_id"></a>[zone\_id](#input\_zone\_id) | Route53 DNS Zone ID | `string` | `""` | no |
| <aname="input_zone_id"></a>[zone\_id](#input\_zone\_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.<br>If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.<br>Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no |
| <aname="output_arn"></a>[arn](#output\_arn) | Elasticache Replication Group ARN |
| <aname="output_cluster_enabled"></a>[cluster\_enabled](#output\_cluster\_enabled) | Indicates if cluster mode is enabled |
| <aname="output_endpoint"></a>[endpoint](#output\_endpoint) | Redis primary or configuration endpoint, whichever is appropriate for the given cluster mode |
| <aname="output_engine_version_actual"></a>[engine\_version\_actual](#output\_engine\_version\_actual) | The running version of the cache engine |
| <aname="output_id"></a>[id](#output\_id) | Redis cluster ID |
| <aname="output_id"></a>[id](#output\_id) | Redis cluster ID |
| <aname="output_member_clusters"></a>[member\_clusters](#output\_member\_clusters) | Redis cluster members |
| <aname="output_member_clusters"></a>[member\_clusters](#output\_member\_clusters) | Redis cluster members |
| <aname="output_port"></a>[port](#output\_port) | Redis port |
| <aname="output_port"></a>[port](#output\_port) | Redis port |
| <aname="output_security_group_arn"></a>[security\_group\_arn](#output\_security\_group\_arn) | Redis Security Group ARN |
| <aname="output_reader_endpoint_address"></a>[reader\_endpoint\_address](#output\_reader\_endpoint\_address) | The address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. |
| <aname="output_security_group_id"></a>[security\_group\_id](#output\_security\_group\_id) | Redis Security Group ID |
| <aname="output_security_group_id"></a>[security\_group\_id](#output\_security\_group\_id) | The ID of the created security group |
| <aname="output_security_group_name"></a>[security\_group\_name](#output\_security\_group\_name) | Redis Security Group name |
| <aname="output_security_group_name"></a>[security\_group\_name](#output\_security\_group\_name) | The name of the created security group |
<!-- markdownlint-restore -->
<!-- markdownlint-restore -->
...
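Review bot: The `security_group_name` row gives the type as `list(string)` with default `[]`, but the description reads as if it takes a single name ("The name to assign to the created security group"). Say how many elements are expected and why a list is used, the way the `zone_id` row does ("0 or 1 items"). The `security_group_description` row warns that changing the description replaces the security group, and the default description text shown in this table also changes, so the row should state plainly whether upgrading with the default in place triggers a replacement and that `null` is the setting that avoids it. Typo in the `zone_id` row: "pulished" should be "published".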
@@ -324,6 +341,7 @@ Are you using this project or any of our other projects? Consider [leaving a tes
...
@@ -324,6 +341,7 @@ Are you using this project or any of our other projects? Consider [leaving a tes
Check out these related projects.
Check out these related projects.
-[terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group) - Terraform module to provision an AWS Security Group.
-[terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention.
-[terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention.
## Help
## Help
...
@@ -455,8 +473,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
...
@@ -455,8 +473,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
Terraform module to provision an [`ElastiCache`](https://aws.amazon.com/elasticache/) Redis Cluster
Terraform module to provision an [`ElastiCache`](https://aws.amazon.com/elasticache/) Redis Cluster
# How to use this project
# How to use this project
usage:|-
usage:|-
Note that this uses secure defaults. One of the ways this module can trip users up is with `transit_encryption_enabled` which is `true` by default. With this enabled, one does not simply `redis-cli` in without setting up an `stunnel`. Amazon provides [good docs on how to connect with it enabled](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls). If this is not desired behavior, set `transit_encryption_enabled=false`.
Note that this uses secure defaults. One of the ways this module can trip users up is with `transit_encryption_enabled`
which is `true` by default. With this enabled, one does not simply `redis-cli` in without setting up an `stunnel`.
Amazon provides [good documentation on how to connect with it enabled](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls).
If this is not desired behavior, set `transit_encryption_enabled=false`.
This module creates, by default, a new security group for the Elasticache Redis Cluster. When a configuration
change (for example, a different security group name) cannot be applied to the security group, Terraform will
replace that security group with a new one with the new configuration. In order to allow Terraform to fully manage the security group, you
should not place any other resources in (or associate any other resources with) the security group this module
creates. Also, in order to keep things from breaking when this module replaces the security group, you should
not reference the created security group anywhere else (such as in rules in other security groups). If you
want to associate the cluster with a more stable security group that you can reference elsewhere, create that security group
outside this module (perhaps with [terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group))
and pass the security group ID in via `associated_security_group_ids`.
**Note about `zone_id`**: Previously, `zone_id` was a string. This caused problems (see [#82](https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/82)).
Now `zone_id` should be supplied as a `list(string)`, either empty or with exactly 1 zone ID in order to avoid the problem.
For a complete example, see [examples/complete](examples/complete).
For a complete example, see [examples/complete](examples/complete).
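Review bot: The new security-group paragraph in `usage` tells readers to create a stable group outside the module and pass it via `associated_security_group_ids`, but it never says that the module still creates its own group alongside it unless `create_security_group` is set to `false`. The inputs table describes `associated_security_group_ids` as applying "in addition to the created security group", so a reader who follows only this paragraph ends up with two groups on the cluster and may reference the wrong one elsewhere. Suggest adding one sentence that names `create_security_group = false` for that case. Minor: "Elasticache" in this paragraph differs from the "ElastiCache" spelling in the description line above it.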
...
@@ -62,41 +81,49 @@ usage: |-
...
@@ -62,41 +81,49 @@ usage: |-
region = var.region
region = var.region
}
}
module "vpc" {
module "this" {
source = "cloudposse/vpc/aws"
source = "cloudposse/label/null"
# Cloud Posse recommends pinning every module to a specific version
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
# version = "x.x.x"
namespace = var.namespace
namespace = var.namespace
stage = var.stage
stage = var.stage
name = var.name
name = var.name
}
module "vpc" {
source = "cloudposse/vpc/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
cidr_block = "172.16.0.0/16"
cidr_block = "172.16.0.0/16"
context = module.this.context
}
}
module "subnets" {
module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
source = "cloudposse/dynamic-subnets/aws"
# Cloud Posse recommends pinning every module to a specific version
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
# version = "x.x.x"
availability_zones = var.availability_zones
availability_zones = var.availability_zones
namespace = var.namespace
stage = var.stage
name = var.name
vpc_id = module.vpc.vpc_id
vpc_id = module.vpc.vpc_id
igw_id = module.vpc.igw_id
igw_id = module.vpc.igw_id
cidr_block = module.vpc.vpc_cidr_block
cidr_block = module.vpc.vpc_cidr_block
nat_gateway_enabled = true
nat_gateway_enabled = true
nat_instance_enabled = false
nat_instance_enabled = false
context = module.this.context
}
}
module "redis" {
module "redis" {
source = "cloudposse/elasticache-redis/aws"
source = "cloudposse/elasticache-redis/aws"
# Cloud Posse recommends pinning every module to a specific version
# Cloud Posse recommends pinning every module to a specific version
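Review bot: The added `module "this"` block leaves `# version = "x.x.x"` commented out, so anyone copying the example gets whatever `cloudposse/label/null` release the registry serves at `terraform init`. That matters more after this change, because `vpc` and `subnets` now take their naming from `context = module.this.context`, which makes the unpinned label module a single place where an upstream release could alter every derived name and tag. Suggest uncommenting the `version` line with a placeholder constraint, or stating next to the pinning recommendation that the example needs one before use. The visible part of the hunk stops before the body of `module "redis"`, so please confirm it also receives `context = module.this.context` rather than separate `namespace`, `stage` and `name` arguments.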
| <aname="input_additional_security_group_rules"></a>[additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones<br>this module normally creates. (To suppress the module's rules, set `create_security_group` to false<br>and supply your own security group via `associated_security_group_ids`.)<br>The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except<br>for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.<br>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no |
| <aname="input_additional_tag_map"></a>[additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <aname="input_additional_tag_map"></a>[additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <aname="input_alarm_actions"></a>[alarm\_actions](#input\_alarm\_actions) | Alarm action list | `list(string)` | `[]` | no |
| <aname="input_alarm_actions"></a>[alarm\_actions](#input\_alarm\_actions) | Alarm action list | `list(string)` | `[]` | no |
| <aname="input_alarm_cpu_threshold_percent"></a>[alarm\_cpu\_threshold\_percent](#input\_alarm\_cpu\_threshold\_percent) | CPU threshold alarm level | `number` | `75` | no |
| <aname="input_alarm_cpu_threshold_percent"></a>[alarm\_cpu\_threshold\_percent](#input\_alarm\_cpu\_threshold\_percent) | CPU threshold alarm level | `number` | `75` | no |
| <aname="input_allow_all_egress"></a>[allow\_all\_egress](#input\_allow\_all\_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP address.<br>If this is false and no egress rules are otherwise specified, then no egress will be allowed.<br>Defaults to `true` unless the deprecated `egress_cidr_blocks` is provided and is not `["0.0.0.0/0"]`, in which case defaults to `false`. | `bool` | `null` | no |
| <aname="input_allowed_cidr_blocks"></a>[allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | DEPRECATED: Use `additional_security_group_rules` instead.<br>Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module | `list(string)` | `[]` | no |
| <aname="input_allowed_security_group_ids"></a>[allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no |
| <aname="input_allowed_security_groups"></a>[allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead. | `list(string)` | `[]` | no |
| <aname="input_associated_security_group_ids"></a>[associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.<br>These security groups will not be modified and, if `create_security_group` is `false`, must provide all the required access. | `list(string)` | `[]` | no |
| <aname="input_at_rest_encryption_enabled"></a>[at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Enable encryption at rest | `bool` | `false` | no |
| <aname="input_at_rest_encryption_enabled"></a>[at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Enable encryption at rest | `bool` | `false` | no |
| <aname="input_attributes"></a>[attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <aname="input_attributes"></a>[attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <aname="input_auth_token"></a>[auth\_token](#input\_auth\_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no |
| <aname="input_auth_token"></a>[auth\_token](#input\_auth\_token) | Auth token for password protecting redis, `transit_encryption_enabled` must be set to `true`. Password must be longer than 16 chars | `string` | `null` | no |
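Review bot: The `allow_all_egress` row shows `null` in the Default column while its description says the effective default is `true`, which allows egress "on all ports and protocols" from the cluster's security group, and the README text in this same change describes the module as using secure defaults. Suggest either explaining why the cluster's group needs unrestricted egress, or pointing readers to `allow_all_egress = false` combined with `additional_security_group_rules` for a restricted setup. Minor: "to all IP address" should read "to all IP addresses".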
...
@@ -51,13 +56,16 @@
...
@@ -51,13 +56,16 @@
| <aname="input_cluster_mode_replicas_per_node_group"></a>[cluster\_mode\_replicas\_per\_node\_group](#input\_cluster\_mode\_replicas\_per\_node\_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no |
| <aname="input_cluster_mode_replicas_per_node_group"></a>[cluster\_mode\_replicas\_per\_node\_group](#input\_cluster\_mode\_replicas\_per\_node\_group) | Number of replica nodes in each node group. Valid values are 0 to 5. Changing this number will force a new resource | `number` | `0` | no |
| <aname="input_cluster_size"></a>[cluster\_size](#input\_cluster\_size) | Number of nodes in cluster. *Ignored when `cluster_mode_enabled` == `true`* | `number` | `1` | no |
| <aname="input_cluster_size"></a>[cluster\_size](#input\_cluster\_size) | Number of nodes in cluster. *Ignored when `cluster_mode_enabled` == `true`* | `number` | `1` | no |
| <aname="input_context"></a>[context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <aname="input_context"></a>[context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <aname="input_create_security_group"></a>[create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no |
| <aname="input_delimiter"></a>[delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <aname="input_delimiter"></a>[delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <aname="input_descriptor_formats"></a>[descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <aname="input_descriptor_formats"></a>[descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <aname="input_dns_subdomain"></a>[dns\_subdomain](#input\_dns\_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no |
| <aname="input_dns_subdomain"></a>[dns\_subdomain](#input\_dns\_subdomain) | The subdomain to use for the CNAME record. If not provided then the CNAME record will use var.name. | `string` | `""` | no |
| <aname="input_egress_cidr_blocks"></a>[egress\_cidr\_blocks](#input\_egress\_cidr\_blocks) | DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead.<br>Historical description: Outbound traffic address.<br>Historical default: ["0.0.0.0/0"] | `list(any)` | `null` | no |
| <aname="input_elasticache_subnet_group_name"></a>[elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no |
| <aname="input_elasticache_subnet_group_name"></a>[elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no |
| <aname="input_enabled"></a>[enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <aname="input_enabled"></a>[enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <aname="input_engine_version"></a>[engine\_version](#input\_engine\_version) | Redis engine version | `string` | `"4.0.10"` | no |
| <aname="input_engine_version"></a>[engine\_version](#input\_engine\_version) | Redis engine version | `string` | `"4.0.10"` | no |
| <aname="input_environment"></a>[environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <aname="input_environment"></a>[environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <aname="input_existing_security_groups"></a>[existing\_security\_groups](#input\_existing\_security\_groups) | DEPRECATED: Use `associated_security_group_ids` instead.<br>Historical description: List of existing Security Group IDs to place the cluster into.<br>Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster. | `list(string)` | `[]` | no |
| <aname="input_family"></a>[family](#input\_family) | Redis family | `string` | `"redis4.0"` | no |
| <aname="input_family"></a>[family](#input\_family) | Redis family | `string` | `"redis4.0"` | no |
| <aname="input_final_snapshot_identifier"></a>[final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no |
| <aname="input_final_snapshot_identifier"></a>[final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made. | `string` | `null` | no |
| <aname="input_id_length_limit"></a>[id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <aname="input_id_length_limit"></a>[id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
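Review bot: The `create_security_group` row states that when it is `false`, `associated_security_group_ids` "must be provided", but nothing in the visible lines shows that combination being checked. If the requirement is documentation only, a caller who sets `create_security_group = false` and leaves the list at its default `[]` is not stopped at plan time. Suggest a `validation` or precondition that fails early, and a short mention of it in this row. Separately, the `existing_security_groups` row still instructs readers to set `use_existing_security_groups`, which this change also marks DEPRECATED; pointing the historical text at `create_security_group` would avoid sending readers from one deprecated input to another.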
...
@@ -77,11 +85,11 @@
...
@@ -77,11 +85,11 @@
| <aname="input_port"></a>[port](#input\_port) | Redis port | `number` | `6379` | no |
| <aname="input_port"></a>[port](#input\_port) | Redis port | `number` | `6379` | no |
| <aname="input_regex_replace_chars"></a>[regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <aname="input_regex_replace_chars"></a>[regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <aname="input_replication_group_id"></a>[replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints: <br>A name must contain from 1 to 20 alphanumeric characters or hyphens. <br> The first character must be a letter. <br> A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no |
| <aname="input_replication_group_id"></a>[replication\_group\_id](#input\_replication\_group\_id) | Replication group ID with the following constraints: <br>A name must contain from 1 to 20 alphanumeric characters or hyphens. <br> The first character must be a letter. <br> A name cannot end with a hyphen or contain two consecutive hyphens. | `string` | `""` | no |
| <aname="input_security_group_description"></a>[security\_group\_description](#input\_security\_group\_description) | The Security Group description. | `string` | `"ElastiCache Security Group"` | no |
| <aname="input_security_group_create_before_destroy"></a>[security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.<br>We only recommend setting this `false` if you are upgrading this module and need to keep<br>the existing security group from being replaced.<br>Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no |
| <aname="input_security_group_enabled"></a>[security\_group\_enabled](#input\_security\_group\_enabled) | Whether to create default Security Group for ElastiCache. | `bool` | `true` | no |
| <aname="input_security_group_create_timeout"></a>[security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no |
| <aname="input_security_group_rules"></a>[security\_group\_rules](#input\_security\_group\_rules) | A list of maps of Security Group rules. <br>The values of map is fully complated with `aws_security_group_rule` resource. <br>To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | <pre>[<br> {<br> "cidr_blocks": [<br> "0.0.0.0/0"<br> ],<br> "description": "Allow all outbound traffic",<br> "from_port": 0,<br> "protocol": "-1",<br> "to_port": 65535,<br> "type": "egress"<br> }<br>]</pre> | no |
| <aname="input_security_group_delete_timeout"></a>[security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion. | `string` | `"15m"` | no |
| <aname="input_security_group_use_name_prefix"></a>[security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Whether to create a default Security Group with unique name beginning with the normalized prefix. | `bool` | `false` | no |
| <aname="input_security_group_description"></a>[security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.<br>Warning: Changing the description causes the security group to be replaced.<br>Set this to `null` to maintain parity with releases <= `0.34.0`. | `string` | `"Security group for Elasticache Redis"` | no |
| <aname="input_security_groups"></a>[security\_groups](#input\_security\_groups) | A list of Security Group IDs to associate with ElastiCache. | `list(string)` | `[]` | no |
| <aname="input_security_group_name"></a>[security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.<br>If not provided, will be derived from the `null-label.context` passed in.<br>If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no |
| <aname="input_snapshot_arns"></a>[snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no |
| <aname="input_snapshot_arns"></a>[snapshot\_arns](#input\_snapshot\_arns) | A single-element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. Example: arn:aws:s3:::my\_bucket/snapshot1.rdb | `list(string)` | `[]` | no |
| <aname="input_snapshot_name"></a>[snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no |
| <aname="input_snapshot_name"></a>[snapshot\_name](#input\_snapshot\_name) | The name of a snapshot from which to restore data into the new node group. Changing the snapshot\_name forces a new resource. | `string` | `null` | no |
| <aname="input_snapshot_retention_limit"></a>[snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no |
| <aname="input_snapshot_retention_limit"></a>[snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `0` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <aname="input_tenant"></a>[tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <aname="input_tenant"></a>[tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
| <aname="input_transit_encryption_enabled"></a>[transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Whether to enable encryption in transit. If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis | `bool` | `true` | no |
| <aname="input_transit_encryption_enabled"></a>[transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.<br>If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis. | `bool` | `true` | no |
| <aname="input_use_existing_security_groups"></a>[use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.<br>Historical description: Flag to enable/disable creation of Security Group in the module.<br>Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.<br>Historical default: `false` | `bool` | `null` | no |
| <aname="input_zone_id"></a>[zone\_id](#input\_zone\_id) | Route53 DNS Zone ID | `string` | `""` | no |
| <aname="input_zone_id"></a>[zone\_id](#input\_zone\_id) | Route53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.<br>If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.<br>Can also be a plain string, but that use is DEPRECATED because of Terraform issues. | `any` | `[]` | no |
| <aname="output_arn"></a>[arn](#output\_arn) | Elasticache Replication Group ARN |
| <aname="output_cluster_enabled"></a>[cluster\_enabled](#output\_cluster\_enabled) | Indicates if cluster mode is enabled |
| <aname="output_endpoint"></a>[endpoint](#output\_endpoint) | Redis primary or configuration endpoint, whichever is appropriate for the given cluster mode |
| <aname="output_engine_version_actual"></a>[engine\_version\_actual](#output\_engine\_version\_actual) | The running version of the cache engine |
| <aname="output_id"></a>[id](#output\_id) | Redis cluster ID |
| <aname="output_id"></a>[id](#output\_id) | Redis cluster ID |
| <aname="output_member_clusters"></a>[member\_clusters](#output\_member\_clusters) | Redis cluster members |
| <aname="output_member_clusters"></a>[member\_clusters](#output\_member\_clusters) | Redis cluster members |
| <aname="output_port"></a>[port](#output\_port) | Redis port |
| <aname="output_port"></a>[port](#output\_port) | Redis port |
| <aname="output_security_group_arn"></a>[security\_group\_arn](#output\_security\_group\_arn) | Redis Security Group ARN |
| <aname="output_reader_endpoint_address"></a>[reader\_endpoint\_address](#output\_reader\_endpoint\_address) | The address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. |
| <aname="output_security_group_id"></a>[security\_group\_id](#output\_security\_group\_id) | Redis Security Group ID |
| <aname="output_security_group_id"></a>[security\_group\_id](#output\_security\_group\_id) | The ID of the created security group |
| <aname="output_security_group_name"></a>[security\_group\_name](#output\_security\_group\_name) | Redis Security Group name |
| <aname="output_security_group_name"></a>[security\_group\_name](#output\_security\_group\_name) | The name of the created security group |
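Review bot: The `security_group_name` row documents type `list(string)` with default `[]`, while its description speaks of "The name to assign to the created security group", singular. The type and default match the neighbouring `security_groups` row, so this may be a copy; if the list form is intentional, state how many elements are accepted and which one is used. The same row refers to `create_before_destroy`, but the input in this table is named `security_group_create_before_destroy`. In the `zone_id` row, "pulished" should be "published".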
Historical description: Flag to enable/disable creation of Security Group in the module.
Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the cluster into.
Historical default: `false`
EOT
default=null
}
variable"existing_security_groups"{
type=list(string)
default=[]
description=<<-EOT
DEPRECATED: Use `associated_security_group_ids` instead.
Historical description: List of existing Security Group IDs to place the cluster into.
Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the cluster.
EOT
}
variable"allowed_security_groups"{
type=list(string)
default=[]
description=<<-EOT
DEPRECATED: Use `allowed_security_group_ids` instead.
EOT
}
variable"allowed_cidr_blocks"{
type=list(string)
default=[]
description=<<-EOT
DEPRECATED: Use `additional_security_group_rules` instead.
Historical description: List of CIDR blocks that are allowed ingress to the cluster's Security Group created in the module
EOT
}
variable"egress_cidr_blocks"{
type=list(any)
default=null
description=<<-EOT
DEPRECATED: Use `allow_all_egress` and `additional_security_group_rules` instead.
Historical description: Outbound traffic address.
Historical default: ["0.0.0.0/0"]
EOT
}
locals{
# Use the legacy egress rule unless:
# - var.egress_cidr_blocks is null, which means use the default, which is allow all egress
# - var.allow_all_egress is true, which explicitly means allow all egress
# - var.egress_cidr_blocks is exactly ["0.0.0.0/0"], which we interpret to mean "allow all egress"
description="Whether to enable encryption in transit. If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis"
description=<<-EOT
Set `true` to enable encryption in transit. Forced `true` if `var.auth_token` is set.
If this is enabled, use the [following guide](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html#connect-tls) to access redis.
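Review bot: `egress_cidr_blocks` is declared with `type=list(any)` although its historical default is a list of CIDR strings; `list(string)` would reject malformed values at plan time and would match the other deprecated list inputs in this file. The `locals` comment lists three cases in which the legacy egress rule is skipped, but it does not say what happens when both `egress_cidr_blocks` and `allow_all_egress` are set to conflicting values, so please spell out which one wins. On the `transit_encryption_enabled` description, "Forced `true` if `var.auth_token` is set" means an explicit `false` is silently overridden; the README usage text still says to set `transit_encryption_enabled=false` without that caveat, so the two should be aligned.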