Release Tests for AWS Redis passwordless authentication

fixtures/test_proxy/main.tf

@@ -85,7 +85,7 @@ resource "aws_instance" "proxy" {
 }
 
 module "test_proxy_init" {
-  source = "github.com/hashicorp/terraform-random-tfe-utility//fixtures/test_proxy_init?ref=main"
+  source = "github.com/hashicorp/terraform-random-tfe-utility//fixtures/test_proxy_init?ref=pravi/IND-5861"
 
   mitmproxy_ca_certificate_secret = var.mitmproxy_ca_certificate_secret != null ? var.mitmproxy_ca_certificate_secret : null
   mitmproxy_ca_private_key_secret = var.mitmproxy_ca_private_key_secret != null ? var.mitmproxy_ca_private_key_secret : null

main.tf

@@ -253,7 +253,7 @@ module "aurora_database" {
 # Docker Compose File Config for TFE on instance(s) using Flexible Deployment Options
 # ------------------------------------------------------------------------------------
 module "runtime_container_engine_config" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 0 : 1
 
   tfe_license = var.hc_license
@@ -312,21 +312,22 @@ module "runtime_container_engine_config" {
   s3_server_side_encryption_kms_key_id = local.kms_key_arn
   s3_use_instance_profile              = var.aws_access_key_id == null ? "1" : "0"
 
-  redis_host                 = local.redis.hostname
-  redis_user                 = local.redis.username
-  redis_password             = local.redis.password
-  redis_use_tls              = local.redis.use_tls
-  redis_use_auth             = local.redis.use_password_auth
-  redis_use_sentinel         = var.enable_redis_sentinel
-  redis_sentinel_hosts       = local.redis.sentinel_hosts
-  redis_sentinel_leader_name = local.redis.sentinel_leader
-  redis_sentinel_user        = local.redis.sentinel_username
-  redis_sentinel_password    = local.redis.sentinel_password
-  redis_use_mtls             = var.enable_redis_mtls
-  enable_sentinel_mtls       = var.enable_sentinel_mtls
-  redis_ca_cert_path         = "/etc/ssl/private/terraform-enterprise/redis/cacert.pem"
-  redis_client_cert_path     = "/etc/ssl/private/terraform-enterprise/redis/cert.pem"
-  redis_client_key_path      = "/etc/ssl/private/terraform-enterprise/redis/key.pem"
+  redis_host                     = local.redis.hostname
+  redis_user                     = local.redis.username
+  redis_password                 = local.redis.password
+  redis_use_tls                  = local.redis.use_tls
+  redis_use_auth                 = local.redis.use_password_auth
+  redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
+  redis_use_sentinel             = var.enable_redis_sentinel
+  redis_sentinel_hosts           = local.redis.sentinel_hosts
+  redis_sentinel_leader_name     = local.redis.sentinel_leader
+  redis_sentinel_user            = local.redis.sentinel_username
+  redis_sentinel_password        = local.redis.sentinel_password
+  redis_use_mtls                 = var.enable_redis_mtls
+  enable_sentinel_mtls           = var.enable_sentinel_mtls
+  redis_ca_cert_path             = var.enable_redis_mtls || var.enable_sentinel_mtls ? "/etc/ssl/private/terraform-enterprise/redis/cacert.pem" : null
+  redis_client_cert_path         = var.enable_redis_mtls || var.enable_sentinel_mtls ? "/etc/ssl/private/terraform-enterprise/redis/cert.pem" : null
+  redis_client_key_path          = var.enable_redis_mtls || var.enable_sentinel_mtls ? "/etc/ssl/private/terraform-enterprise/redis/key.pem" : null
 
 
   trusted_proxies = local.trusted_proxies
@@ -343,7 +344,7 @@ module "runtime_container_engine_config" {
 # AWS cloud init used to install and configure TFE on instance(s) using Flexible Deployment Options
 # --------------------------------------------------------------------------------------------------
 module "tfe_init_fdo" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 0 : 1
 
   cloud             = "aws"
@@ -388,7 +389,7 @@ module "tfe_init_fdo" {
 # TFE and Replicated settings to pass to the tfe_init_replicated module for replicated deployment
 # --------------------------------------------------------------------------------------------
 module "settings" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/settings?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/settings?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 1 : 0
 
   # TFE Base Configuration
@@ -450,7 +451,7 @@ module "settings" {
 # AWS user data / cloud init used to install and configure TFE on instance(s)
 # -----------------------------------------------------------------------------
 module "tfe_init_replicated" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init_replicated?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init_replicated?ref=pravi/IND-5861"
   count  = var.is_replicated_deployment ? 1 : 0
 
   # TFE & Replicated Configuration data

modules/application_load_balancer/main.tf

@@ -111,9 +111,13 @@ resource "aws_lb_target_group" "tfe_tg_443" {
   vpc_id   = var.network_id
 
   health_check {
-    path     = "/_health_check"
-    protocol = "HTTPS"
-    matcher  = "200-399"
+    path                = "/_health_check"
+    protocol            = "HTTPS"
+    matcher             = "200-399"
+    timeout             = 15
+    interval            = 60
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
   }
 }
 
@@ -140,9 +144,13 @@ resource "aws_lb_target_group" "tfe_tg_8800" {
   vpc_id   = var.network_id
 
   health_check {
-    path     = "/"
-    protocol = "HTTPS"
-    matcher  = "200-399"
+    path                = "/"
+    protocol            = "HTTPS"
+    matcher             = "200-399"
+    timeout             = 15
+    interval            = 60
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
   }
 }
 
@@ -166,9 +174,13 @@ resource "aws_lb_target_group" "tfe_tg_admin_api" {
   vpc_id   = var.network_id
 
   health_check {
-    path     = "/api/v1/ping"
-    protocol = "HTTPS"
-    matcher  = "200-399,400,401,403"
+    path                = "/api/v1/ping"
+    protocol            = "HTTPS"
+    matcher             = "200-399,400,401,403"
+    timeout             = 15
+    interval            = 60
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
   }
 }
 

modules/aurora_database_cluster/outputs.tf

@@ -27,3 +27,13 @@ output "parameters" {
   description = "PostgreSQL server parameters for the connection URI."
 }
 
+output "identifier" {
+  value       = aws_rds_cluster.aurora_postgresql.cluster_identifier
+  description = "The database identifier of the PostgreSQL Aurora cluster."
+}
+
+output "dbi_resource_id" {
+  value       = aws_rds_cluster.aurora_postgresql.cluster_resource_id
+  description = "The DBI resource ID of the PostgreSQL Aurora cluster for IAM authentication."
+}
+

modules/database/outputs.tf

@@ -13,14 +13,27 @@ output "name" {
 
 output "password" {
   value       = aws_db_instance.postgresql.password
-  description = "The password of the main PostgreSQL user."
+  description = "The password of the PostgreSQL master user. Required for creating IAM-enabled database users."
+  sensitive   = true
 }
 
 output "username" {
   value       = aws_db_instance.postgresql.username
   description = "The name of the main PostgreSQL user."
 }
 
+
+
+output "identifier" {
+  value       = aws_db_instance.postgresql.identifier
+  description = "The database identifier of the PostgreSQL RDS instance."
+}
+
+output "dbi_resource_id" {
+  value       = aws_db_instance.postgresql.resource_id
+  description = "The DBI resource ID of the PostgreSQL RDS instance for IAM authentication."
+}
+
 output "parameters" {
   value       = var.db_parameters
   description = "PostgreSQL server parameters for the connection URI."

modules/redis/main.tf

@@ -3,6 +3,7 @@
 
 locals {
   redis_use_password_auth = var.redis_use_password_auth || var.redis_authentication_mode == "PASSWORD"
+  redis_use_iam_auth      = var.redis_enable_iam_auth && !var.redis_use_password_auth
 }
 
 resource "random_id" "redis_password" {
@@ -63,6 +64,47 @@ resource "aws_elasticache_subnet_group" "tfe" {
   subnet_ids = var.network_subnets_private
 }
 
+# ElastiCache User for IAM authentication
+resource "aws_elasticache_user" "iam_user" {
+  count     = var.active_active && local.redis_use_iam_auth ? 1 : 0
+  user_id   = "${var.friendly_name_prefix}-iam-user"
+  user_name = "${var.friendly_name_prefix}-iam-user"
+
+  # For IAM authentication, we don't set passwords but use IAM policies
+  authentication_mode {
+    type = "iam"
+  }
+
+  # Access string for Redis commands - IAM auth compatible
+  # Use default access string for TFE with IAM authentication
+  access_string = "on ~* &* +@all"
+  engine        = "REDIS"
+
+  tags = {
+    Name = "${var.friendly_name_prefix}-redis-iam-user"
+  }
+}
+
+# ElastiCache User Group for IAM authentication
+# Note: AWS ElastiCache has a built-in "default" user that must be included in user groups
+resource "aws_elasticache_user_group" "iam_group" {
+  count         = var.active_active && local.redis_use_iam_auth ? 1 : 0
+  engine        = "REDIS"
+  user_group_id = "${var.friendly_name_prefix}-iam-group"
+  user_ids = [
+    "default", # Built-in AWS ElastiCache default user
+    aws_elasticache_user.iam_user[0].user_id
+  ]
+
+  tags = {
+    Name = "${var.friendly_name_prefix}-redis-iam-group"
+  }
+
+  depends_on = [
+    aws_elasticache_user.iam_user
+  ]
+}
+
 resource "aws_elasticache_replication_group" "redis" {
   count                = var.active_active ? 1 : 0
   node_type            = var.cache_size
@@ -83,9 +125,20 @@ resource "aws_elasticache_replication_group" "redis" {
 
   # Password used to access a password protected server.
   # Can be specified only if transit_encryption_enabled = true.
-  auth_token                 = var.redis_encryption_in_transit && local.redis_use_password_auth ? random_id.redis_password[0].hex : null
-  transit_encryption_enabled = var.redis_encryption_in_transit
+  auth_token = var.redis_encryption_in_transit && local.redis_use_password_auth ? random_id.redis_password[0].hex : null
+
+  # Transit encryption is required when using user groups (IAM authentication)
+  transit_encryption_enabled = var.redis_encryption_in_transit || local.redis_use_iam_auth
 
   at_rest_encryption_enabled = var.redis_encryption_at_rest
   kms_key_id                 = var.redis_encryption_at_rest ? var.kms_key_arn : null
+
+  # IAM authentication configuration
+  user_group_ids = local.redis_use_iam_auth ? [aws_elasticache_user_group.iam_group[0].user_group_id] : null
+
+  # Ensure proper dependency ordering for IAM authentication
+  depends_on = [
+    aws_elasticache_user_group.iam_group,
+    aws_elasticache_user.iam_user
+  ]
 }

modules/redis/outputs.tf

@@ -6,13 +6,29 @@ output "hostname" {
 }
 
 output "password" {
-  value       = try(random_id.redis_password[0].hex, "")
-  description = "The password which is required to create connections with the Redis Elasticache replication group."
+  value       = try(random_id.redis_password[0].hex, null)
+  description = "The password which is required to create connections with the Redis Elasticache replication group. Returns null when using IAM authentication."
 }
 
 output "username" {
-  value       = null
-  description = "The username which is required to create connections with the Redis Elasticache replication group. Defaults to null to maintain the output interface with the redis-sentinel module."
+  value       = try(aws_elasticache_user.iam_user[0].user_name, null)
+  description = "The username which is required to create connections with the Redis Elasticache replication group. Returns IAM username when IAM auth is enabled, otherwise null to maintain the output interface with the redis-sentinel module."
+}
+
+# DEBUG: Redis IAM username debug
+output "debug_redis_iam_auth_enabled" {
+  value       = local.redis_use_iam_auth
+  description = "DEBUG: Whether Redis IAM auth is enabled"
+}
+
+output "debug_redis_iam_user_name" {
+  value       = try(aws_elasticache_user.iam_user[0].user_name, "NOT_CREATED")
+  description = "DEBUG: The actual Redis IAM username created"
+}
+
+output "debug_redis_iam_user_id" {
+  value       = try(aws_elasticache_user.iam_user[0].user_id, "NOT_CREATED")
+  description = "DEBUG: The actual Redis IAM user ID created"
 }
 
 output "redis_port" {

modules/redis/variables.tf

@@ -82,3 +82,9 @@ variable "redis_use_password_auth" {
   type        = bool
   description = "Determine if a password is required for Redis."
 }
+
+variable "redis_enable_iam_auth" {
+  type        = bool
+  description = "Whether to enable IAM authentication for Redis. Used for passwordless authentication."
+  default     = false
+}

modules/service_accounts/main.tf

@@ -114,3 +114,34 @@ resource "aws_iam_policy" "kms_policy" {
     ]
   })
 }
+
+# Redis IAM authentication policy
+resource "aws_iam_role_policy_attachment" "redis_iam_policy" {
+  count = var.existing_iam_instance_profile_name == null && var.redis_enable_iam_auth ? 1 : 0
+
+  role       = local.iam_instance_role.name
+  policy_arn = aws_iam_policy.redis_iam_policy[0].arn
+}
+
+resource "aws_iam_policy" "redis_iam_policy" {
+  count = var.existing_iam_instance_profile_name == null && var.redis_enable_iam_auth ? 1 : 0
+
+  name = "${var.friendly_name_prefix}-redis-iam"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "elasticache:Connect"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "elasticache:Username" = "${var.friendly_name_prefix}-iam-user"
+          }
+        }
+      },
+    ]
+  })
+}

modules/service_accounts/variables.tf

@@ -98,3 +98,9 @@ variable "postgres_client_key_secret_id" {
   default     = null
   description = "The secrets manager secret ID of the Base64 & PEM encoded private key for postgres."
 }
+
+variable "redis_enable_iam_auth" {
+  type        = bool
+  description = "Whether to enable IAM authentication for Redis. Used for passwordless authentication."
+  default     = false
+}

outputs.tf

@@ -90,3 +90,35 @@ output "s3_bucket" {
   value       = local.object_storage.s3_bucket
   description = "S3 bucket name"
 }
+
+# DEBUG: Redis configuration debug outputs
+output "debug_redis_config" {
+  value = {
+    redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
+    redis_use_password_auth        = var.redis_use_password_auth
+    redis_hostname                 = local.redis.hostname
+    redis_username                 = local.redis.username
+    redis_password_set             = local.redis.password != null ? "YES" : "NO"
+    redis_use_tls                  = local.redis.use_tls
+    redis_iam_auth_condition       = var.redis_passwordless_aws_use_iam && !var.redis_use_password_auth
+  }
+  description = "DEBUG: Complete Redis configuration for troubleshooting"
+}
+
+output "debug_redis_username_chain" {
+  value = {
+    raw_redis_username    = local.redis.username
+    redis_user_var_passed = var.redis_passwordless_aws_use_iam && !var.redis_use_password_auth ? local.redis.hostname : ""
+    friendly_name_prefix  = var.friendly_name_prefix
+  }
+  description = "DEBUG: Redis username propagation chain"
+}
+
+output "debug_module_values" {
+  value = {
+    redis_passwordless_aws_use_iam   = var.redis_passwordless_aws_use_iam && !var.redis_use_password_auth
+    redis_passwordless_aws_region    = var.redis_passwordless_aws_use_iam && !var.redis_use_password_auth ? data.aws_region.current.name : ""
+    redis_passwordless_aws_host_name = var.redis_passwordless_aws_use_iam && !var.redis_use_password_auth ? local.redis.hostname : ""
+  }
+  description = "DEBUG: Values passed to terraform-random-tfe-utility module"
+}

tests/standalone-vault/main.tf

@@ -28,7 +28,7 @@ module "kms" {
 }
 
 module "hcp_vault" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//fixtures/test_hcp_vault?ref=main"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//fixtures/test_hcp_vault?ref=pravi/IND-5861"
 
   hcp_vault_cluster_id              = local.test_name
   hcp_vault_cluster_hvn_id          = "team-tfe-dev-hvn"