Release test for AWS IAM Redis passwordless #189
+49
−17
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add redis_passwordless_aws_use_iam variable to enable AWS IAM Redis auth - Add redis_passwordless_aws_region variable for region specification - Configure TFE_REDIS_PASSWORDLESS_AWS_USE_IAM environment variable - Configure TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM for Sidekiq - Configure TFE_REDIS_PASSWORDLESS_AWS_REGION environment variable These changes enable TFE to use AWS IAM authentication for Redis connections instead of password-based authentication, following the same pattern as Azure MSI Redis authentication.
|
|
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
- Add TFE_REDIS_SIDEKIQ_* environment variables for separate Sidekiq Redis - Add TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_* variables for IAM authentication - Add TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME for cluster name extraction - Support separate Redis instances for main and Sidekiq with fallback to main Redis - Add variables: redis_sidekiq_host, redis_sidekiq_user, redis_sidekiq_password - Enable dual Redis passwordless authentication (main + Sidekiq)
- Add debug output for all Redis environment variables - Add debug output for input variables received - Track Redis username propagation to TFE container
- Add redis_passwordless_aws_use_iam variable to variables.tf - Add TFE_REDIS_PASSWORDLESS_AWS_USE_IAM and TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM environment variables to redis_config.tf - Add debug outputs for Redis environment variables and input variables - Ensures Redis IAM authentication is properly configured for AWS ElastiCache
…_config - Fix alignment and indentation in debug_redis_env_vars and debug_redis_input_vars outputs - Standardize spacing to align equals signs consistently with terraform formatting standards - Resolves terraform fmt check failure in CI pipeline
…m-tfe-utility into pravi/IND-5861
| TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi | ||
| TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi | ||
| TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id | ||
| TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam |
Contributor
There was a problem hiding this comment.
This is incorrect
config values - https://developer.hashicorp.com/terraform/enterprise/deploy/reference/configuration#tfe_redis_passwordless_aws_use_instance_profile
ajmera-naman
requested changes
Nov 13, 2025
Contributor
ajmera-naman
left a comment
ajmera-naman
left a comment
There was a problem hiding this comment.
Configuration seems incorrect
kkavish
reviewed
Nov 17, 2025
…pport - Change redis_passwordless_aws_use_iam to redis_passwordless_aws_use_instance_profile - Add database_passwordless_aws_use_instance_profile and database_passwordless_aws_region variables - Remove debug outputs as requested in PR review - Variables now match TFE documentation exactly Addresses PR review comments: - Configuration now uses correct TFE environment variable names - Database AWS IAM authentication support added - Debug outputs removed for cleaner module interface
- Remove database_passwordless_aws_use_instance_profile variable - Remove database_passwordless_aws_region variable - Remove TFE_DATABASE_PASSWORDLESS_AWS_* environment variables PostgreSQL AWS IAM authentication is out of scope for this Redis passwordless authentication feature. These variables were incorrectly added during the variable name fix and should not be included. Focus remains purely on Redis passwordless authentication with correct variable names matching TFE documentation.
…ables - Add redis_passwordless_aws_region and redis_passwordless_aws_host_name variables - Add corresponding TFE environment variables for Redis AWS region and hostname - Add Sidekiq variants for both region and hostname - Apply terraform formatting alignment for consistency - Complete Redis passwordless authentication implementation
- Added TFE_REDIS_SIDEKIQ_USER (set to redis_user for IAM authentication) - Added TFE_REDIS_SIDEKIQ_USE_TLS (set to redis_use_tls value) These variables are required by the official TFE documentation for Redis IAM authentication.
- Use 'default' username when redis_passwordless_aws_use_instance_profile=true - Set password to null for IAM authentication (TFE generates tokens dynamically) - Apply same fix for both TFE_REDIS_USER and TFE_REDIS_SIDEKIQ_USER
- Use redis_passwordless_aws_iam_user instead of hardcoded 'default' - Add redis_passwordless_aws_iam_user variable - Apply to both TFE_REDIS_USER and TFE_REDIS_SIDEKIQ_USER This enables proper testing of custom ElastiCache IAM users per AWS documentation instead of relying on the 'default' user which bypasses IAM validation.
This will confirm that: 1. Redis IAM authentication mechanism is working 2. The issue is specifically with custom IAM user configuration Once confirmed working, we'll know the problem is the ElastiCache user group doesn't properly include the custom IAM user 'fitg-iam-user'.
Now that IAM policy is fixed with explicit resource ARNs, we can test the custom IAM user authentication properly.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These changes enable TFE to use AWS IAM authentication for Redis connections instead of password-based authentication.
Background
Added a spec for testing AWS redis passwordless
Part of AWS redis passwordless release test
Related PRs
terraform-enterprise # https://github.com/hashicorp/terraform-enterprise/pull/3149
terraform-aws-terraform-enterprise: hashicorp/terraform-aws-terraform-enterprise#380
ptfedev-infra: https://github.com/hashicorp/ptfedev-infra/pull/885
How has this been tested?
CI/CD: https://github.com/hashicorp/terraform-enterprise/actions/runs/19529721862/job/55909640280
JIRA
Screenshots