feat!: update redis replication group to use new aws provider (#613)

* feat: update redis replication group to use new aws provider * remove * remove lock file * update tests * initial fix * fix: add elasticache parameter group and defaults * fix: autogenerate the token * fix: be consistent with whether local.name is used or not --------- Co-authored-by: kuannie1 <[email protected]>
chanzuckerberg · Aug 20, 2024 · eca5fd0 · eca5fd0
1 parent 7891044
commit eca5fd0
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 81 deletions.
diff --git a/aws-redis-replication-group/README.md b/aws-redis-replication-group/README.md
@@ -6,48 +6,53 @@ a replication group with the given parameters.
 <!-- START -->
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_sg"></a> [sg](#module\_sg) | terraform-aws-modules/security-group/aws | 4.3.0 |
+| <a name="module_sg"></a> [sg](#module\_sg) | terraform-aws-modules/security-group/aws | 5.1.2 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_elasticache_parameter_group.redis_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_parameter_group) | resource |
 | [aws_elasticache_replication_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource |
 | [aws_elasticache_subnet_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
+| [random_password.redis_db](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_apply_immediately"></a> [apply\_immediately](#input\_apply\_immediately) | Whether changes should be applied immediately or during the next maintenance window. | `bool` | `true` | no |
-| <a name="input_at_rest_encryption_enabled"></a> [at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Whether to enable encryption at rest. Default: false. | `bool` | `false` | no |
-| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Availability zone in which this instance should run. | `list(string)` | `null` | no |
-| <a name="input_engine_version"></a> [engine\_version](#input\_engine\_version) | The version of Redis to run. See [supported versions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html) | `string` | `"5.0.5"` | no |
-| <a name="input_env"></a> [env](#input\_env) | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | `string` | n/a | yes |
+| <a name="input_at_rest_encryption_enabled"></a> [at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Whether to enable encryption at rest. Default: true. | `bool` | `true` | no |
+| <a name="input_description"></a> [description](#input\_description) | A user-created description for the replication group. | `string` | n/a | yes |
+| <a name="input_engine_version"></a> [engine\_version](#input\_engine\_version) | The version of Redis to run. See [supported versions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html) | `string` | `"7.0"` | no |
 | <a name="input_ingress_security_group_ids"></a> [ingress\_security\_group\_ids](#input\_ingress\_security\_group\_ids) | Source security groups which should be able to contact this instance. | `list(string)` | n/a | yes |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of instance to run. See [supported node types](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html) | `string` | `"cache.m5.large"` | no |
-| <a name="input_number_cache_clusters"></a> [number\_cache\_clusters](#input\_number\_cache\_clusters) | Number of cache clusters. Default 1. | `number` | `1` | no |
-| <a name="input_owner"></a> [owner](#input\_owner) | Owner for tagging and naming. See [doc](../README.md#consistent-tagging). | `string` | n/a | yes |
+| <a name="input_number_cache_clusters"></a> [number\_cache\_clusters](#input\_number\_cache\_clusters) | Number of cache clusters. Default 2 because if Multi-AZ is enabled, the number of nodes needs to be exactly 2 to avoid sharding across different nodes. | `number` | `2` | no |
+| <a name="input_parameter_group_family"></a> [parameter\_group\_family](#input\_parameter\_group\_family) | The cluster's parameter group family. Redis options [here](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html) | `string` | `"redis7"` | no |
 | <a name="input_parameter_group_name"></a> [parameter\_group\_name](#input\_parameter\_group\_name) | Parameter group to use for this Redis cache. | `string` | `"default.redis5.0"` | no |
+| <a name="input_parameters"></a> [parameters](#input\_parameters) | Redis database parameters in name-value pairs. Use the parameter group family to find parameters [here](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html) | `list(map(any))` | `[]` | no |
 | <a name="input_port"></a> [port](#input\_port) | Port to host Redis on. | `number` | `6379` | no |
-| <a name="input_project"></a> [project](#input\_project) | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | n/a | yes |
-| <a name="input_replication_group_description"></a> [replication\_group\_description](#input\_replication\_group\_description) | A user-created description for the replication group. | `string` | n/a | yes |
+| <a name="input_preferred_cache_cluster_azs"></a> [preferred\_cache\_cluster\_azs](#input\_preferred\_cache\_cluster\_azs) | Availability zone in which this instance should run. | `list(string)` | `null` | no |
 | <a name="input_resource_name"></a> [resource\_name](#input\_resource\_name) | If not set, name will be [var.project]-[var.env]-[var.name]. | `string` | `""` | no |
-| <a name="input_service"></a> [service](#input\_service) | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | `string` | `"redis"` | no |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | List of subnets to which this EC instance should be attached. They should probably be private. | `list(string)` | n/a | yes |
-| <a name="input_transit_encryption_enabled"></a> [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Whether to enable encryption in transit. Default: false. | `bool` | `false` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply | `object({ project : string, env : string, service : string, owner : string, managedBy : string })` | n/a | yes |
+| <a name="input_transit_encryption_enabled"></a> [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Whether to enable encryption in transit. Default: true. | `bool` | `true` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC where the cache will be deployed. | `string` | n/a | yes |
 
 ## Outputs

diff --git a/aws-redis-replication-group/main.tf b/aws-redis-replication-group/main.tf
@@ -1,23 +1,14 @@
 locals {
-  name = "${var.project}-${var.env}-${var.service}"
-
-  tags = {
-    managedBy = "terraform"
-    Name      = "${var.project}-${var.env}-${var.service}"
-    project   = var.project
-    env       = var.env
-    service   = var.service
-    owner     = var.owner
-  }
+  name = "${var.tags.project}-${var.tags.env}-${var.tags.service}"
 }
 
 module "sg" {
   source      = "terraform-aws-modules/security-group/aws"
-  version     = "4.3.0"
-  name        = local.name
+  version     = "5.1.2"
+  name        = var.resource_name != "" ? var.resource_name : local.name
   description = "Allow traffic to Redis."
   vpc_id      = var.vpc_id
-  tags        = local.tags
+  tags        = var.tags
 
   ingress_with_source_security_group_id = [
     for sg in var.ingress_security_group_ids : {
@@ -37,20 +28,40 @@ resource "aws_elasticache_subnet_group" "default" {
   subnet_ids = var.subnets
 }
 
+resource "aws_elasticache_parameter_group" "redis_parameter_group" {
+  name   = var.resource_name != "" ? var.resource_name : local.name
+  family = var.parameter_group_family
+
+  dynamic "parameter" {
+    for_each = var.parameters
+
+    content {
+      name  = parameter.value.name
+      value = parameter.value.value
+    }
+  }
+}
+
+resource "random_password" "redis_db" {
+  length  = 32
+  special = false
+}
+
 resource "aws_elasticache_replication_group" "default" {
-  replication_group_id          = var.resource_name != "" ? var.resource_name : local.name
-  replication_group_description = var.replication_group_description
-  engine                        = "redis"
-  engine_version                = var.engine_version
-  node_type                     = var.instance_type
-  port                          = var.port
-  number_cache_clusters         = var.number_cache_clusters
-  parameter_group_name          = var.parameter_group_name
-  subnet_group_name             = aws_elasticache_subnet_group.default.name
-  security_group_ids            = [module.sg.security_group_id]
-  apply_immediately             = var.apply_immediately
-  at_rest_encryption_enabled    = var.at_rest_encryption_enabled
-  transit_encryption_enabled    = var.transit_encryption_enabled
-  availability_zones            = var.availability_zones
-  tags                          = local.tags
+  replication_group_id        = var.resource_name != "" ? var.resource_name : local.name
+  description                 = var.description
+  engine                      = "redis"
+  engine_version              = var.engine_version
+  node_type                   = var.instance_type
+  port                        = var.port
+  num_cache_clusters          = var.number_cache_clusters
+  parameter_group_name        = aws_elasticache_parameter_group.redis_parameter_group.name
+  subnet_group_name           = aws_elasticache_subnet_group.default.name
+  security_group_ids          = [module.sg.security_group_id]
+  apply_immediately           = var.apply_immediately
+  at_rest_encryption_enabled  = var.at_rest_encryption_enabled
+  transit_encryption_enabled  = var.transit_encryption_enabled
+  preferred_cache_cluster_azs = var.preferred_cache_cluster_azs
+  auth_token                  = random_password.redis_db.result
+  tags                        = var.tags
 }
diff --git a/aws-redis-replication-group/module_test.go b/aws-redis-replication-group/module_test.go
@@ -33,19 +33,22 @@ func TestAWSRedisReplicationGroup(t *testing.T) {
 
 			return tftest.Options(tftest.DefaultRegion,
 				map[string]interface{}{
-					"project": project,
-					"env":     env,
-					"service": service,
-					"owner":   owner,
-
-					"availability_zones":         []string{az},
-					"subnets":                    privateSubnets,
-					"ingress_security_group_ids": []string{sg},
-					"vpc_id":                     vpc,
-
-					"replication_group_description": replication_group_description,
-					"transit_encryption_enabled":    transit_encryption_enabled,
-					"at_rest_encryption_enabled":    at_rest_encryption_enabled,
+					"tags": map[string]string{
+						"project":   project,
+						"env":       env,
+						"service":   service,
+						"owner":     owner,
+						"managedBy": "terraform",
+					},
+
+					"preferred_cache_cluster_azs": []string{az},
+					"subnets":                     privateSubnets,
+					"ingress_security_group_ids":  []string{sg},
+					"vpc_id":                      vpc,
+
+					"description":                replication_group_description,
+					"transit_encryption_enabled": transit_encryption_enabled,
+					"at_rest_encryption_enabled": at_rest_encryption_enabled,
 				},
 			)
 		},

diff --git a/aws-redis-replication-group/variables.tf b/aws-redis-replication-group/variables.tf
@@ -1,30 +1,15 @@
-variable "project" {
-  type        = string
-  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
-}
-
-variable "env" {
-  type        = string
-  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)."
-}
-
-variable "service" {
-  type        = string
-  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)"
-  default     = "redis"
-}
 
-variable "owner" {
-  type        = string
-  description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)."
+variable "tags" {
+  type        = object({ project : string, env : string, service : string, owner : string, managedBy : string })
+  description = "Tags to apply"
 }
 
 variable "subnets" {
   type        = list(string)
   description = "List of subnets to which this EC instance should be attached. They should probably be private."
 }
 
-variable "availability_zones" {
+variable "preferred_cache_cluster_azs" {
   type        = list(string)
   description = "Availability zone in which this instance should run."
   default     = null
@@ -56,7 +41,7 @@ variable "parameter_group_name" {
 variable "engine_version" {
   type        = string
   description = "The version of Redis to run. See [supported versions](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html)"
-  default     = "5.0.5"
+  default     = "7.0"
 }
 
 variable "apply_immediately" {
@@ -80,23 +65,35 @@ variable "vpc_id" {
 
 variable "number_cache_clusters" {
   type        = number
-  description = "Number of cache clusters. Default 1."
-  default     = 1
+  description = "Number of cache clusters. Default 2 because if Multi-AZ is enabled, the number of nodes needs to be exactly 2 to avoid sharding across different nodes."
+  default     = 2
 }
 
 variable "at_rest_encryption_enabled" {
   type        = bool
-  description = "Whether to enable encryption at rest. Default: false."
-  default     = false
+  description = "Whether to enable encryption at rest. Default: true."
+  default     = true
 }
 
 variable "transit_encryption_enabled" {
   type        = bool
-  description = "Whether to enable encryption in transit. Default: false."
-  default     = false
+  description = "Whether to enable encryption in transit. Default: true."
+  default     = true
 }
 
-variable "replication_group_description" {
+variable "description" {
   type        = string
   description = "A user-created description for the replication group."
 }
+
+variable "parameter_group_family" {
+  type        = string
+  description = "The cluster's parameter group family. Redis options [here](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html)"
+  default     = "redis7"
+}
+
+variable "parameters" {
+  type        = list(map(any))
+  default     = []
+  description = "Redis database parameters in name-value pairs. Use the parameter group family to find parameters [here](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html)"
+}
diff --git a/aws-redis-replication-group/versions.tf b/aws-redis-replication-group/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}