Add AWS IAM Redis passwordless authentication support

- Add redis_enable_iam_auth variable for IAM authentication control
- Create ElastiCache IAM user and user group for passwordless access
- Configure replication group to use IAM authentication when enabled
- Add IAM policy for ElastiCache Connect permissions in service accounts
- Pass IAM authentication parameters to runtime container engine config
- Enable passwordless Redis authentication using AWS IAM roles

This allows TFE to connect to ElastiCache Redis using IAM authentication
instead of passwords, improving security and enabling passwordless workflows.

Author: raviharshicorp

main.tf

@@ -45,6 +45,7 @@ module "service_accounts" {
   postgres_client_key_secret_id         = var.postgres_client_key_secret_id
   postgres_ca_certificate_secret_id     = var.postgres_ca_certificate_secret_id
   vm_key_secret_id                      = var.vm_key_secret_id
+  redis_enable_iam_auth                 = var.redis_enable_iam_auth
 }
 
 # -----------------------------------------------------------------------------
@@ -94,6 +95,7 @@ module "redis" {
   redis_encryption_in_transit = var.redis_encryption_in_transit
   redis_encryption_at_rest    = var.redis_encryption_at_rest
   redis_use_password_auth     = var.redis_use_password_auth
+  redis_enable_iam_auth       = var.redis_enable_iam_auth
   redis_port                  = var.redis_encryption_in_transit ? "6380" : "6379"
 }
 
@@ -327,6 +329,8 @@ module "runtime_container_engine_config" {
   redis_ca_cert_path         = "/etc/ssl/private/terraform-enterprise/redis/cacert.pem"
   redis_client_cert_path     = "/etc/ssl/private/terraform-enterprise/redis/cert.pem"
   redis_client_key_path      = "/etc/ssl/private/terraform-enterprise/redis/key.pem"
+  redis_passwordless_aws_use_iam = var.redis_enable_iam_auth && !var.redis_use_password_auth
+  redis_passwordless_aws_region = var.redis_enable_iam_auth && !var.redis_use_password_auth ? data.aws_region.current.name : ""
 
 
   trusted_proxies = local.trusted_proxies

modules/redis/main.tf

@@ -3,6 +3,7 @@
 
 locals {
   redis_use_password_auth = var.redis_use_password_auth || var.redis_authentication_mode == "PASSWORD"
+  redis_use_iam_auth = var.redis_enable_iam_auth && !var.redis_use_password_auth
 }
 
 resource "random_id" "redis_password" {
@@ -63,6 +64,38 @@ resource "aws_elasticache_subnet_group" "tfe" {
   subnet_ids = var.network_subnets_private
 }
 
+# ElastiCache User for IAM authentication
+resource "aws_elasticache_user" "iam_user" {
+  count       = var.active_active && local.redis_use_iam_auth ? 1 : 0
+  user_id     = "${var.friendly_name_prefix}-iam-user"
+  user_name   = "${var.friendly_name_prefix}-iam-user"
+  
+  # For IAM authentication, we don't set passwords but use IAM policies
+  authentication_mode {
+    type = "iam"
+  }
+  
+  # Access string for Redis commands - allow all commands for TFE
+  access_string = "on ~* &* +@all"
+  engine        = "REDIS"
+  
+  tags = {
+    Name = "${var.friendly_name_prefix}-redis-iam-user"
+  }
+}
+
+# ElastiCache User Group for IAM authentication
+resource "aws_elasticache_user_group" "iam_group" {
+  count          = var.active_active && local.redis_use_iam_auth ? 1 : 0
+  engine         = "REDIS"
+  user_group_id  = "${var.friendly_name_prefix}-iam-group"
+  user_ids       = [aws_elasticache_user.iam_user[0].user_id]
+  
+  tags = {
+    Name = "${var.friendly_name_prefix}-redis-iam-group"
+  }
+}
+
 resource "aws_elasticache_replication_group" "redis" {
   count                = var.active_active ? 1 : 0
   node_type            = var.cache_size
@@ -88,4 +121,7 @@ resource "aws_elasticache_replication_group" "redis" {
 
   at_rest_encryption_enabled = var.redis_encryption_at_rest
   kms_key_id                 = var.redis_encryption_at_rest ? var.kms_key_arn : null
+  
+  # IAM authentication configuration
+  user_group_ids = local.redis_use_iam_auth ? [aws_elasticache_user_group.iam_group[0].user_group_id] : null
 }

modules/redis/variables.tf

@@ -82,3 +82,9 @@ variable "redis_use_password_auth" {
   type        = bool
   description = "Determine if a password is required for Redis."
 }
+
+variable "redis_enable_iam_auth" {
+  type        = bool
+  description = "Whether to enable IAM authentication for Redis. Used for passwordless authentication."
+  default     = false
+}

modules/service_accounts/main.tf

@@ -114,3 +114,34 @@ resource "aws_iam_policy" "kms_policy" {
     ]
   })
 }
+
+# Redis IAM authentication policy
+resource "aws_iam_role_policy_attachment" "redis_iam_policy" {
+  count = var.existing_iam_instance_profile_name == null && var.redis_enable_iam_auth ? 1 : 0
+
+  role       = local.iam_instance_role.name
+  policy_arn = aws_iam_policy.redis_iam_policy[0].arn
+}
+
+resource "aws_iam_policy" "redis_iam_policy" {
+  count = var.existing_iam_instance_profile_name == null && var.redis_enable_iam_auth ? 1 : 0
+
+  name = "${var.friendly_name_prefix}-redis-iam"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "elasticache:Connect"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "elasticache:Username" = "${var.friendly_name_prefix}-iam-user"
+          }
+        }
+      },
+    ]
+  })
+}

modules/service_accounts/variables.tf

@@ -98,3 +98,9 @@ variable "postgres_client_key_secret_id" {
   default     = null
   description = "The secrets manager secret ID of the Base64 & PEM encoded private key for postgres."
 }
+
+variable "redis_enable_iam_auth" {
+  type        = bool
+  description = "Whether to enable IAM authentication for Redis. Used for passwordless authentication."
+  default     = false
+}

variables.tf

@@ -208,6 +208,12 @@ variable "sentinel_leader" {
   description = "The name of the Redis Sentinel leader"
 }
 
+variable "redis_enable_iam_auth" {
+  type        = bool
+  description = "Whether to enable IAM authentication for Redis. Used for passwordless authentication."
+  default     = false
+}
+
 # Postgres
 # --------
 variable "db_name" {