Release Tests for AWS Redis passwordless authentication

fixtures/test_proxy/main.tf

@@ -85,7 +85,7 @@ resource "aws_instance" "proxy" {
 }
 
 module "test_proxy_init" {
-  source = "github.com/hashicorp/terraform-random-tfe-utility//fixtures/test_proxy_init?ref=main"
+  source = "github.com/hashicorp/terraform-random-tfe-utility//fixtures/test_proxy_init?ref=pravi/IND-5861"
 
   mitmproxy_ca_certificate_secret = var.mitmproxy_ca_certificate_secret != null ? var.mitmproxy_ca_certificate_secret : null
   mitmproxy_ca_private_key_secret = var.mitmproxy_ca_private_key_secret != null ? var.mitmproxy_ca_private_key_secret : null

main.tf

@@ -45,6 +45,9 @@ module "service_accounts" {
   postgres_client_key_secret_id         = var.postgres_client_key_secret_id
   postgres_ca_certificate_secret_id     = var.postgres_ca_certificate_secret_id
   vm_key_secret_id                      = var.vm_key_secret_id
+  redis_enable_iam_auth                 = var.redis_passwordless_aws_use_instance_profile
+  redis_replication_group_id            = var.redis_passwordless_aws_use_instance_profile ? local.redis.cluster_id : null
+  redis_iam_user_name                   = var.redis_passwordless_aws_use_instance_profile ? local.redis.iam_user : null
 }
 
 # -----------------------------------------------------------------------------
@@ -79,12 +82,10 @@ module "redis" {
   source = "./modules/redis"
   count  = local.enable_redis_module && var.enable_redis_sentinel == false || local.enable_redis_module && local.redis_mtls_enabled == false ? 1 : 0
 
-  active_active                = var.operational_mode == "active-active"
-  friendly_name_prefix         = var.friendly_name_prefix
-  network_id                   = local.network_id
-  network_private_subnet_cidrs = var.network_private_subnet_cidrs
-  network_subnets_private      = local.network_private_subnets
-  tfe_instance_sg              = module.vm.tfe_instance_sg
+  active_active           = var.operational_mode == "active-active"
+  friendly_name_prefix    = var.friendly_name_prefix
+  network_subnets_private = local.network_private_subnets
+  tfe_instance_sg         = module.vm.tfe_instance_sg
 
   cache_size           = var.redis_cache_size
   engine_version       = var.redis_engine_version
@@ -94,6 +95,7 @@ module "redis" {
   redis_encryption_in_transit = var.redis_encryption_in_transit
   redis_encryption_at_rest    = var.redis_encryption_at_rest
   redis_use_password_auth     = var.redis_use_password_auth
+  redis_enable_iam_auth       = var.redis_passwordless_aws_use_instance_profile
   redis_port                  = var.redis_encryption_in_transit ? "6380" : "6379"
 }
 
@@ -253,7 +255,7 @@ module "aurora_database" {
 # Docker Compose File Config for TFE on instance(s) using Flexible Deployment Options
 # ------------------------------------------------------------------------------------
 module "runtime_container_engine_config" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 0 : 1
 
   tfe_license = var.hc_license
@@ -312,21 +314,25 @@ module "runtime_container_engine_config" {
   s3_server_side_encryption_kms_key_id = local.kms_key_arn
   s3_use_instance_profile              = var.aws_access_key_id == null ? "1" : "0"
 
-  redis_host                 = local.redis.hostname
-  redis_user                 = local.redis.username
-  redis_password             = local.redis.password
-  redis_use_tls              = local.redis.use_tls
-  redis_use_auth             = local.redis.use_password_auth
-  redis_use_sentinel         = var.enable_redis_sentinel
-  redis_sentinel_hosts       = local.redis.sentinel_hosts
-  redis_sentinel_leader_name = local.redis.sentinel_leader
-  redis_sentinel_user        = local.redis.sentinel_username
-  redis_sentinel_password    = local.redis.sentinel_password
-  redis_use_mtls             = var.enable_redis_mtls
-  enable_sentinel_mtls       = var.enable_sentinel_mtls
-  redis_ca_cert_path         = "/etc/ssl/private/terraform-enterprise/redis/cacert.pem"
-  redis_client_cert_path     = "/etc/ssl/private/terraform-enterprise/redis/cert.pem"
-  redis_client_key_path      = "/etc/ssl/private/terraform-enterprise/redis/key.pem"
+  redis_host                                  = local.redis.hostname
+  redis_user                                  = local.redis.username
+  redis_password                              = local.redis.password
+  redis_use_tls                               = local.redis.use_tls
+  redis_use_auth                              = var.redis_passwordless_aws_use_instance_profile ? false : local.redis.use_password_auth
+  redis_passwordless_aws_use_instance_profile = var.redis_passwordless_aws_use_instance_profile && !var.redis_use_password_auth
+  redis_passwordless_aws_region               = var.redis_passwordless_aws_region
+  redis_passwordless_aws_host_name            = var.redis_passwordless_aws_use_instance_profile && !var.redis_use_password_auth ? local.redis.cluster_id : local.redis.hostname
+  redis_passwordless_aws_iam_user             = var.redis_passwordless_aws_use_instance_profile && !var.redis_use_password_auth ? local.redis.iam_user : null
+  redis_use_sentinel                          = var.enable_redis_sentinel
+  redis_sentinel_hosts                        = local.redis.sentinel_hosts
+  redis_sentinel_leader_name                  = local.redis.sentinel_leader
+  redis_sentinel_user                         = local.redis.sentinel_username
+  redis_sentinel_password                     = local.redis.sentinel_password
+  redis_use_mtls                              = var.enable_redis_mtls
+  enable_sentinel_mtls                        = var.enable_sentinel_mtls
+  redis_ca_cert_path                          = var.enable_redis_mtls || var.enable_sentinel_mtls ? "/etc/ssl/private/terraform-enterprise/redis/cacert.pem" : null
+  redis_client_cert_path                      = var.enable_redis_mtls || var.enable_sentinel_mtls ? "/etc/ssl/private/terraform-enterprise/redis/cert.pem" : null
+  redis_client_key_path                       = var.enable_redis_mtls || var.enable_sentinel_mtls ? "/etc/ssl/private/terraform-enterprise/redis/key.pem" : null
 
 
   trusted_proxies = local.trusted_proxies
@@ -343,7 +349,7 @@ module "runtime_container_engine_config" {
 # AWS cloud init used to install and configure TFE on instance(s) using Flexible Deployment Options
 # --------------------------------------------------------------------------------------------------
 module "tfe_init_fdo" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 0 : 1
 
   cloud             = "aws"
@@ -388,7 +394,7 @@ module "tfe_init_fdo" {
 # TFE and Replicated settings to pass to the tfe_init_replicated module for replicated deployment
 # --------------------------------------------------------------------------------------------
 module "settings" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/settings?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/settings?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 1 : 0
 
   # TFE Base Configuration
@@ -450,7 +456,7 @@ module "settings" {
 # AWS user data / cloud init used to install and configure TFE on instance(s)
 # -----------------------------------------------------------------------------
 module "tfe_init_replicated" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init_replicated?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init_replicated?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 1 : 0
 
   # TFE & Replicated Configuration data
@@ -540,6 +546,7 @@ module "vm" {
   network_private_subnet_cidrs             = local.network_private_subnet_cidrs
   node_count                               = var.node_count
   user_data_base64                         = var.is_replicated_deployment ? module.tfe_init_replicated[0].tfe_userdata_base64_encoded : module.tfe_init_fdo[0].tfe_userdata_base64_encoded
+  existing_security_group_id               = var.existing_vm_security_group_id
 }
 
 module "edb" {

modules/database/outputs.tf

@@ -14,6 +14,7 @@ output "name" {
 output "password" {
   value       = aws_db_instance.postgresql.password
   description = "The password of the main PostgreSQL user."
+  sensitive   = true
 }
 
 output "username" {

modules/redis/main.tf

@@ -1,66 +1,67 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+# Redis module - simplified to reuse TFE security group instead of creating separate ones
 locals {
   redis_use_password_auth = var.redis_use_password_auth || var.redis_authentication_mode == "PASSWORD"
+  redis_use_iam_auth      = var.redis_enable_iam_auth && !var.redis_use_password_auth
 }
 
 resource "random_id" "redis_password" {
   count       = var.active_active && local.redis_use_password_auth ? 1 : 0
   byte_length = 16
 }
 
-resource "aws_security_group" "redis" {
-  count       = var.active_active ? 1 : 0
-  description = "The security group of the Redis deployment for TFE."
-  name        = "${var.friendly_name_prefix}-tfe-redis"
-  vpc_id      = var.network_id
+resource "aws_elasticache_subnet_group" "tfe" {
+  count      = var.active_active ? 1 : 0
+  name       = "${var.friendly_name_prefix}-tfe-redis"
+  subnet_ids = var.network_subnets_private
 }
 
-resource "aws_security_group_rule" "redis_tfe_ingress" {
-  count                    = var.active_active ? 1 : 0
-  security_group_id        = aws_security_group.redis[0].id
-  type                     = "ingress"
-  from_port                = var.redis_port
-  to_port                  = var.redis_port
-  protocol                 = "tcp"
-  source_security_group_id = var.tfe_instance_sg
-}
+# Note: For IAM authentication, we let AWS manage the built-in "default" user
+# We don't explicitly manage it since it's needed for IAM authentication with username "default"
 
-resource "aws_security_group_rule" "redis_tfe_egress" {
-  count                    = var.active_active ? 1 : 0
-  security_group_id        = aws_security_group.redis[0].id
-  type                     = "egress"
-  from_port                = 0
-  to_port                  = 0
-  protocol                 = "-1"
-  source_security_group_id = var.tfe_instance_sg
-}
+# ElastiCache User for IAM authentication
+resource "aws_elasticache_user" "iam_user" {
+  count     = var.active_active && local.redis_use_iam_auth ? 1 : 0
+  user_id   = "${var.friendly_name_prefix}-iam-user"
+  user_name = "${var.friendly_name_prefix}-iam-user"
 
-resource "aws_security_group_rule" "redis_ingress" {
-  count             = var.active_active ? 1 : 0
-  security_group_id = aws_security_group.redis[0].id
-  type              = "ingress"
-  from_port         = var.redis_port
-  to_port           = var.redis_port
-  protocol          = "tcp"
-  cidr_blocks       = var.network_private_subnet_cidrs
-}
+  # For IAM authentication, we don't set passwords but use IAM policies
+  authentication_mode {
+    type = "iam"
+  }
+
+  # Access string for Redis commands - IAM auth compatible
+  # Use default access string for TFE with IAM authentication
+  access_string = "on ~* &* +@all"
+  engine        = "REDIS"
+
+  tags = {
+    Name = "${var.friendly_name_prefix}-redis-iam-user"
+  }
 
-resource "aws_security_group_rule" "redis_egress" {
-  count             = var.active_active ? 1 : 0
-  security_group_id = aws_security_group.redis[0].id
-  type              = "egress"
-  from_port         = var.redis_port
-  to_port           = var.redis_port
-  protocol          = "tcp"
-  cidr_blocks       = var.network_private_subnet_cidrs
 }
 
-resource "aws_elasticache_subnet_group" "tfe" {
-  count      = var.active_active ? 1 : 0
-  name       = "${var.friendly_name_prefix}-tfe-redis"
-  subnet_ids = var.network_subnets_private
+# ElastiCache User Group for IAM authentication
+# AWS requires the "default" user to be included in all user groups
+# We include both "default" (for IAM auth) and our custom IAM user
+resource "aws_elasticache_user_group" "iam_group" {
+  count         = var.active_active && local.redis_use_iam_auth ? 1 : 0
+  engine        = "REDIS"
+  user_group_id = "${var.friendly_name_prefix}-iam-group"
+  user_ids = [
+    "default", # AWS-managed default user for IAM authentication
+    aws_elasticache_user.iam_user[0].user_id
+  ]
+
+  tags = {
+    Name = "${var.friendly_name_prefix}-redis-iam-group"
+  }
+
+  depends_on = [
+    aws_elasticache_user.iam_user
+  ]
 }
 
 resource "aws_elasticache_replication_group" "redis" {
@@ -77,15 +78,27 @@ resource "aws_elasticache_replication_group" "redis" {
   engine_version             = var.engine_version
   parameter_group_name       = var.parameter_group_name
   port                       = var.redis_port
-  security_group_ids         = [aws_security_group.redis[0].id]
+  security_group_ids         = [var.tfe_instance_sg] # Reuse TFE security group instead of creating separate one
   snapshot_retention_limit   = 0
   subnet_group_name          = aws_elasticache_subnet_group.tfe[0].name
 
   # Password used to access a password protected server.
   # Can be specified only if transit_encryption_enabled = true.
-  auth_token                 = var.redis_encryption_in_transit && local.redis_use_password_auth ? random_id.redis_password[0].hex : null
+  # For IAM authentication, auth_token must be null to force IAM-only authentication
+  auth_token = var.redis_encryption_in_transit && local.redis_use_password_auth ? random_id.redis_password[0].hex : null
+
+  # Transit encryption is required when using user groups (IAM authentication)
   transit_encryption_enabled = var.redis_encryption_in_transit
 
   at_rest_encryption_enabled = var.redis_encryption_at_rest
   kms_key_id                 = var.redis_encryption_at_rest ? var.kms_key_arn : null
+
+  # IAM authentication configuration
+  user_group_ids = local.redis_use_iam_auth ? [aws_elasticache_user_group.iam_group[0].user_group_id] : null
+
+  # Ensure proper dependency ordering for IAM authentication
+  depends_on = [
+    aws_elasticache_user_group.iam_group,
+    aws_elasticache_user.iam_user
+  ]
 }

modules/redis/outputs.tf

@@ -11,8 +11,8 @@ output "password" {
 }
 
 output "username" {
-  value       = null
-  description = "The username which is required to create connections with the Redis Elasticache replication group. Defaults to null to maintain the output interface with the redis-sentinel module."
+  value       = local.redis_use_iam_auth ? aws_elasticache_user.iam_user[0].user_name : null
+  description = "The username which is required to create connections with the Redis Elasticache replication group. Returns IAM username for IAM authentication, null for password authentication."
 }
 
 output "redis_port" {
@@ -61,6 +61,16 @@ output "aws_elasticache_subnet_group_name" {
 }
 
 output "aws_security_group_redis" {
-  value       = var.active_active ? aws_security_group.redis[0].id : ""
-  description = "The identity of the security group attached to the Redis Elasticache replication group."
+  value       = var.active_active ? var.tfe_instance_sg : ""
+  description = "The identity of the security group used by Redis Elasticache replication group (shared with TFE instances)."
+}
+
+output "cluster_id" {
+  value       = var.active_active ? aws_elasticache_replication_group.redis[0].replication_group_id : ""
+  description = "The Redis cluster ID for IAM authentication."
+}
+
+output "iam_user" {
+  value       = local.redis_use_iam_auth ? aws_elasticache_user.iam_user[0].user_name : null
+  description = "The custom IAM user for Redis IAM authentication."
 }

modules/redis/variables.tf

@@ -16,11 +16,6 @@ variable "tfe_instance_sg" {
   type        = string
 }
 
-variable "network_id" {
-  description = "The identity of the VPC in which the security group attached to the Redis Elasticache replication group will be deployed."
-  type        = string
-}
-
 variable "network_subnets_private" {
   description = "A list of the identities of the private subnetworks in which the Redis Elasticache replication group will be deployed."
   type        = list(string)
@@ -31,11 +26,6 @@ variable "friendly_name_prefix" {
   description = "(Required) Friendly name prefix used for tagging and naming AWS resources."
 }
 
-variable "network_private_subnet_cidrs" {
-  type        = list(string)
-  description = "(Optional) List of private subnet CIDR ranges to create in VPC."
-}
-
 variable "redis_port" {
   type        = number
   description = "Set port for Redis. Defaults to 6379 default port"
@@ -67,6 +57,12 @@ variable "parameter_group_name" {
   description = "Redis parameter group name."
 }
 
+variable "redis_enable_iam_auth" {
+  type        = bool
+  description = "Enable IAM authentication for Redis ElastiCache."
+  default     = false
+}
+
 # Security
 variable "redis_encryption_in_transit" {
   type        = bool

modules/service_accounts/main.tf

@@ -1,6 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
 resource "aws_iam_instance_profile" "tfe" {
   count = var.existing_iam_instance_profile_name == null ? 1 : 0
 
@@ -114,3 +117,32 @@ resource "aws_iam_policy" "kms_policy" {
     ]
   })
 }
+
+# Redis IAM authentication policy
+resource "aws_iam_role_policy_attachment" "redis_iam_policy" {
+  count = var.existing_iam_instance_profile_name == null && var.redis_enable_iam_auth ? 1 : 0
+
+  role       = local.iam_instance_role.name
+  policy_arn = aws_iam_policy.redis_iam_policy[0].arn
+}
+
+resource "aws_iam_policy" "redis_iam_policy" {
+  count = var.existing_iam_instance_profile_name == null && var.redis_enable_iam_auth ? 1 : 0
+
+  name = "${var.friendly_name_prefix}-redis-iam"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "elasticache:Connect"
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:elasticache:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:replicationgroup:${var.redis_replication_group_id}",
+          "arn:aws:elasticache:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:user:${var.redis_iam_user_name}"
+        ]
+      },
+    ]
+  })
+}