From 1c05e19065ba833a04971ee08624974ede8854ff Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Tue, 30 Sep 2025 14:56:46 +0530
Subject: [PATCH 01/13] Add AWS IAM Redis passwordless authentication variables
- Add redis_passwordless_aws_use_iam variable to enable AWS IAM Redis auth
- Add redis_passwordless_aws_region variable for region specification
- Configure TFE_REDIS_PASSWORDLESS_AWS_USE_IAM environment variable
- Configure TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM for Sidekiq
- Configure TFE_REDIS_PASSWORDLESS_AWS_REGION environment variable
These changes enable TFE to use AWS IAM authentication for Redis connections instead of password-based authentication, following the same pattern as Azure MSI Redis authentication.
---
 .../runtime_container_engine_config/redis_config.tf | 3 +++
 modules/runtime_container_engine_config/variables.tf | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 1223ad2..0e594fc 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -20,6 +20,9 @@ locals {
 TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
 TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id
+ TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
+ TFE_REDIS_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index e2f9531..e0d06a4 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -357,6 +357,18 @@ variable "redis_passwordless_azure_client_id" {
 description = "Azure Managed Service Identity (MSI) Client ID to be used for redis authentication. If not set, System Assigned Managed Identity will be used."
 }
+variable "redis_passwordless_aws_use_iam" {
+ default = false
+ type = bool
+ description = "Whether or not to use AWS IAM authentication to connect to the Redis server. Defaults to false if no value is given."
+}
+
+variable "redis_passwordless_aws_region" {
+ default = ""
+ type = string
+ description = "AWS region for IAM Redis authentication. Required when redis_passwordless_aws_use_iam is true."
+}
+
 variable "run_pipeline_image" {
 type = string
 description = "Container image used to execute Terraform runs. Leave blank to use the default image that comes with Terraform Enterprise. Defaults to \"\" if no value is given."
From 3ffea3a8589aaa7b35ac9e531f4e58376ea7fdd8 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Tue, 4 Nov 2025 15:10:53 +0530
Subject: [PATCH 02/13] feat: add Sidekiq Redis connection support for passwordless auth
- Add TFE_REDIS_SIDEKIQ_* environment variables for separate Sidekiq Redis
- Add TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_* variables for IAM authentication
- Add TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME for cluster name extraction
- Support separate Redis instances for main and Sidekiq with fallback to main Redis
- Add variables: redis_sidekiq_host, redis_sidekiq_user, redis_sidekiq_password
- Enable dual Redis passwordless authentication (main + Sidekiq)
---
 .../redis_config.tf | 17 +++++++++
 .../variables.tf | 38 +++++++++++++++++++
 2 files changed, 55 insertions(+)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 0e594fc..59d43f1 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
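Review bot: `redis_passwordless_aws_region` is documented as required when `redis_passwordless_aws_use_iam` is true, but nothing enforces that, and its `""` default is still exported as `TFE_REDIS_PASSWORDLESS_AWS_REGION` by the redis_config.tf hunk above, so a misconfigured module applies cleanly and only fails inside TFE. Consider `default = null` so downstream rendering can tell unset from empty, plus a `validation` block such as `condition = !var.redis_passwordless_aws_use_iam || (var.redis_passwordless_aws_region != null && var.redis_passwordless_aws_region != "")` (referencing another variable inside `validation` needs a recent Terraform; on older versions a `check` block or a precondition gives the same guard). The same gap remains when patch 08 re-declares the region and host-name variables with `default = null` and no validation.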
@@ -8,6 +8,14 @@ locals {
 TFE_REDIS_PASSWORD = var.redis_password
 TFE_REDIS_USE_TLS = var.redis_use_tls
 TFE_REDIS_USE_AUTH = var.redis_use_auth
+
+ # Sidekiq Redis connection details (can be same or different Redis instance)
+ TFE_REDIS_SIDEKIQ_HOST = var.redis_sidekiq_host != "" ? var.redis_sidekiq_host : var.redis_host
+ TFE_REDIS_SIDEKIQ_USER = var.redis_sidekiq_user != "" ? var.redis_sidekiq_user : var.redis_user
+ TFE_REDIS_SIDEKIQ_PASSWORD = var.redis_sidekiq_password != "" ? var.redis_sidekiq_password : var.redis_password
+ TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_sidekiq_use_tls != null ? var.redis_sidekiq_use_tls : var.redis_use_tls
+ TFE_REDIS_SIDEKIQ_USE_AUTH = var.redis_sidekiq_use_auth != null ? var.redis_sidekiq_use_auth : var.redis_use_auth
+
 TFE_REDIS_SENTINEL_ENABLED = var.redis_use_sentinel
 TFE_REDIS_SENTINEL_HOSTS = join(",", var.redis_sentinel_hosts)
 TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
@@ -23,6 +31,15 @@ locals {
 TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
 TFE_REDIS_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
+
+ # Additional Sidekiq Redis passwordless variables
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam ? "true" : "false"
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
+
+ # Main Redis passwordless variables
+ TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam ? "true" : "false"
+ TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index e0d06a4..9cfe1e1 100644
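Review bot: The new `TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE` and `TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE` entries render the flag as the strings `"true"`/`"false"`, while `TFE_REDIS_PASSWORDLESS_AWS_USE_IAM` a few lines above passes the same bool straight through, so one input now yields two differently-typed env vars for the same switch. Keep one representation, e.g. `TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam`, matching how the Azure MSI entries in this block are written; if both names must be emitted for TFE compatibility, a comment naming the one TFE actually reads would save the next reader a lookup. The first hunk's Sidekiq fallbacks also keep emitting `TFE_REDIS_SIDEKIQ_PASSWORD` when IAM is enabled, so enabling passwordless auth does not stop the static secret from being shipped to the container.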
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -369,6 +369,44 @@ variable "redis_passwordless_aws_region" {
 description = "AWS region for IAM Redis authentication. Required when redis_passwordless_aws_use_iam is true."
 }
+variable "redis_passwordless_aws_host_name" {
+ default = ""
+ type = string
+ description = "AWS ElastiCache Redis cluster name/host name for passwordless authentication. Used for IAM authentication."
+}
+
+# Sidekiq Redis connection variables (for separate Redis instance if needed)
+variable "redis_sidekiq_host" {
+ default = ""
+ type = string
+ description = "Redis host for Sidekiq background jobs. If empty, uses main redis_host."
+}
+
+variable "redis_sidekiq_user" {
+ default = ""
+ type = string
+ description = "Redis user for Sidekiq background jobs. If empty, uses main redis_user."
+}
+
+variable "redis_sidekiq_password" {
+ default = ""
+ type = string
+ description = "Redis password for Sidekiq background jobs. If empty, uses main redis_password."
+ sensitive = true
+}
+
+variable "redis_sidekiq_use_tls" {
+ default = null
+ type = bool
+ description = "Whether to use TLS for Sidekiq Redis connection. If null, uses main redis_use_tls."
+}
+
+variable "redis_sidekiq_use_auth" {
+ default = null
+ type = bool
+ description = "Whether to use authentication for Sidekiq Redis connection. If null, uses main redis_use_auth."
+}
+
 variable "run_pipeline_image" {
 type = string
 description = "Container image used to execute Terraform runs. Leave blank to use the default image that comes with Terraform Enterprise. Defaults to \"\" if no value is given."
From 3bcad9fa301c5ca4b8f8630724ee667e8bc5ef82 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Thu, 6 Nov 2025 15:34:31 +0530
Subject: [PATCH 03/13] debug: Add Redis environment variables debugging outputs
- Add debug output for all Redis environment variables
- Add debug output for input variables received
- Track Redis username propagation to TFE container
---
 .../outputs.tf | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/modules/runtime_container_engine_config/outputs.tf b/modules/runtime_container_engine_config/outputs.tf
index 172a3d4..7a9766f 100644
--- a/modules/runtime_container_engine_config/outputs.tf
+++ b/modules/runtime_container_engine_config/outputs.tf
@@ -10,3 +10,31 @@ output "podman_kube_yaml" {
 value = base64encode(yamlencode(local.kube))
 description = "A base 64 encoded yaml object that will be used as the Podman kube.yaml file for TFE deployment"
 }
+
+# DEBUG: Redis environment variables debug
+output "debug_redis_env_vars" {
+ description = "DEBUG: All Redis environment variables being set in TFE container"
+ value = {
+ TFE_REDIS_HOST = local.redis.TFE_REDIS_HOST
+ TFE_REDIS_USER = local.redis.TFE_REDIS_USER
+ TFE_REDIS_PASSWORD = local.redis.TFE_REDIS_PASSWORD != null ? "SET" : "NULL"
+ TFE_REDIS_USE_TLS = local.redis.TFE_REDIS_USE_TLS
+ TFE_REDIS_USE_AUTH = local.redis.TFE_REDIS_USE_AUTH
+ TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_IAM
+ TFE_REDIS_PASSWORDLESS_AWS_REGION = local.redis.TFE_REDIS_PASSWORDLESS_AWS_REGION
+ TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = local.redis.TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME
+ TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE
+ }
+}
+
+output "debug_redis_input_vars" {
+ description = "DEBUG: Input variables received by terraform-random-tfe-utility"
+ value = {
+ redis_user = var.redis_user
+ redis_host = var.redis_host
+ redis_use_tls = var.redis_use_tls
+ redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
+ redis_passwordless_aws_region = var.redis_passwordless_aws_region
+ redis_passwordless_aws_host_name = var.redis_passwordless_aws_host_name
+ }
+}
From 61183c0b9006938c1c1ddff5e86de183f7ddecda Mon Sep 17 00:00:00 2001
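Review bot: Both new outputs publish Redis connection settings without `sensitive = true`: `debug_redis_input_vars` puts `redis_user` and `redis_host` into every caller's plan output and state, and `debug_redis_env_vars` derives `TFE_REDIS_PASSWORD != null ? "SET" : "NULL"` from the password value, which Terraform will refuse to output unmarked if `redis_password` is declared sensitive (its declaration is not in this series). Debug outputs in a reusable module widen what each consumer's state carries; if they must stay for now, mark them `sensitive = true` and gate them behind a boolean input, otherwise drop them before merge. The reworked outputs in patch 04 and the fmt-only patch 05 keep the same unmarked shape.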
From: RAVI PRAKASH
Date: Fri, 7 Nov 2025 00:15:47 +0530
Subject: [PATCH 04/13] fix: Add missing AWS IAM Redis passwordless authentication variables
- Add redis_passwordless_aws_use_iam variable to variables.tf
- Add TFE_REDIS_PASSWORDLESS_AWS_USE_IAM and TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM environment variables to redis_config.tf
- Add debug outputs for Redis environment variables and input variables
- Ensures Redis IAM authentication is properly configured for AWS ElastiCache
---
 .../outputs.tf | 31 ++++++-------
 .../redis_config.tf | 18 --------
 .../variables.tf | 44 -------------------
 3 files changed, 13 insertions(+), 80 deletions(-)
diff --git a/modules/runtime_container_engine_config/outputs.tf b/modules/runtime_container_engine_config/outputs.tf
index 7a9766f..e956501 100644
--- a/modules/runtime_container_engine_config/outputs.tf
+++ b/modules/runtime_container_engine_config/outputs.tf
@@ -11,30 +11,25 @@ output "podman_kube_yaml" {
 description = "A base 64 encoded yaml object that will be used as the Podman kube.yaml file for TFE deployment"
 }
-# DEBUG: Redis environment variables debug
 output "debug_redis_env_vars" {
- description = "DEBUG: All Redis environment variables being set in TFE container"
 value = {
- TFE_REDIS_HOST = local.redis.TFE_REDIS_HOST
- TFE_REDIS_USER = local.redis.TFE_REDIS_USER
- TFE_REDIS_PASSWORD = local.redis.TFE_REDIS_PASSWORD != null ? "SET" : "NULL"
- TFE_REDIS_USE_TLS = local.redis.TFE_REDIS_USE_TLS
- TFE_REDIS_USE_AUTH = local.redis.TFE_REDIS_USE_AUTH
- TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_IAM
- TFE_REDIS_PASSWORDLESS_AWS_REGION = local.redis.TFE_REDIS_PASSWORDLESS_AWS_REGION
- TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = local.redis.TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME
- TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE
+ TFE_REDIS_USER = local.redis.TFE_REDIS_USER
+ TFE_REDIS_USE_AUTH = local.redis.TFE_REDIS_USE_AUTH
+ TFE_REDIS_USE_TLS = local.redis.TFE_REDIS_USE_TLS
+ TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_IAM
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM
+ TFE_REDIS_CA_CERT_PATH = local.redis.TFE_REDIS_CA_CERT_PATH
 }
+ description = "Debug output for Redis environment variables"
 }
 output "debug_redis_input_vars" {
- description = "DEBUG: Input variables received by terraform-random-tfe-utility"
 value = {
- redis_user = var.redis_user
- redis_host = var.redis_host
- redis_use_tls = var.redis_use_tls
- redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
- redis_passwordless_aws_region = var.redis_passwordless_aws_region
- redis_passwordless_aws_host_name = var.redis_passwordless_aws_host_name
+ redis_user = var.redis_user
+ redis_use_auth = var.redis_use_auth
+ redis_use_tls = var.redis_use_tls
+ redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
+ redis_ca_cert_path = var.redis_ca_cert_path
 }
+ description = "Debug output for Redis input variables"
 }
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 59d43f1..a1450eb 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -8,14 +8,6 @@ locals {
 TFE_REDIS_PASSWORD = var.redis_password
 TFE_REDIS_USE_TLS = var.redis_use_tls
 TFE_REDIS_USE_AUTH = var.redis_use_auth
-
- # Sidekiq Redis connection details (can be same or different Redis instance)
- TFE_REDIS_SIDEKIQ_HOST = var.redis_sidekiq_host != "" ? var.redis_sidekiq_host : var.redis_host
- TFE_REDIS_SIDEKIQ_USER = var.redis_sidekiq_user != "" ? var.redis_sidekiq_user : var.redis_user
- TFE_REDIS_SIDEKIQ_PASSWORD = var.redis_sidekiq_password != "" ? var.redis_sidekiq_password : var.redis_password
- TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_sidekiq_use_tls != null ? var.redis_sidekiq_use_tls : var.redis_use_tls
- TFE_REDIS_SIDEKIQ_USE_AUTH = var.redis_sidekiq_use_auth != null ? var.redis_sidekiq_use_auth : var.redis_use_auth
-
 TFE_REDIS_SENTINEL_ENABLED = var.redis_use_sentinel
 TFE_REDIS_SENTINEL_HOSTS = join(",", var.redis_sentinel_hosts)
 TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
@@ -30,16 +22,6 @@ locals {
 TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id
 TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
- TFE_REDIS_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
-
- # Additional Sidekiq Redis passwordless variables
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam ? "true" : "false"
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
-
- # Main Redis passwordless variables
- TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_iam ? "true" : "false"
- TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 9cfe1e1..79e0811 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -363,50 +363,6 @@ variable "redis_passwordless_aws_use_iam" {
 description = "Whether or not to use AWS IAM authentication to connect to the Redis server. Defaults to false if no value is given."
 }
-variable "redis_passwordless_aws_region" {
- default = ""
- type = string
- description = "AWS region for IAM Redis authentication. Required when redis_passwordless_aws_use_iam is true."
-}
-
-variable "redis_passwordless_aws_host_name" {
- default = ""
- type = string
- description = "AWS ElastiCache Redis cluster name/host name for passwordless authentication. Used for IAM authentication."
-}
-
-# Sidekiq Redis connection variables (for separate Redis instance if needed)
-variable "redis_sidekiq_host" {
- default = ""
- type = string
- description = "Redis host for Sidekiq background jobs. If empty, uses main redis_host."
-}
-
-variable "redis_sidekiq_user" {
- default = ""
- type = string
- description = "Redis user for Sidekiq background jobs. If empty, uses main redis_user."
-}
-
-variable "redis_sidekiq_password" {
- default = ""
- type = string
- description = "Redis password for Sidekiq background jobs. If empty, uses main redis_password."
- sensitive = true
-}
-
-variable "redis_sidekiq_use_tls" {
- default = null
- type = bool
- description = "Whether to use TLS for Sidekiq Redis connection. If null, uses main redis_use_tls."
-}
-
-variable "redis_sidekiq_use_auth" {
- default = null
- type = bool
- description = "Whether to use authentication for Sidekiq Redis connection. If null, uses main redis_use_auth."
-}
-
 variable "run_pipeline_image" {
 type = string
 description = "Container image used to execute Terraform runs. Leave blank to use the default image that comes with Terraform Enterprise. Defaults to \"\" if no value is given."
From 4bbb56e3fa159356c997969bd06259e45f6695d2 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Fri, 7 Nov 2025 12:12:26 +0530
Subject: [PATCH 05/13] fix: Apply terraform fmt to debug outputs in runtime_container_engine_config
- Fix alignment and indentation in debug_redis_env_vars and debug_redis_input_vars outputs
- Standardize spacing to align equals signs consistently with terraform formatting standards
- Resolves terraform fmt check failure in CI pipeline
---
 .../outputs.tf | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/modules/runtime_container_engine_config/outputs.tf b/modules/runtime_container_engine_config/outputs.tf
index e956501..b3957c0 100644
--- a/modules/runtime_container_engine_config/outputs.tf
+++ b/modules/runtime_container_engine_config/outputs.tf
@@ -13,23 +13,23 @@ output "podman_kube_yaml" {
 output "debug_redis_env_vars" {
 value = {
- TFE_REDIS_USER = local.redis.TFE_REDIS_USER
- TFE_REDIS_USE_AUTH = local.redis.TFE_REDIS_USE_AUTH
- TFE_REDIS_USE_TLS = local.redis.TFE_REDIS_USE_TLS
- TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_IAM
+ TFE_REDIS_USER = local.redis.TFE_REDIS_USER
+ TFE_REDIS_USE_AUTH = local.redis.TFE_REDIS_USE_AUTH
+ TFE_REDIS_USE_TLS = local.redis.TFE_REDIS_USE_TLS
+ TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_IAM
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM
- TFE_REDIS_CA_CERT_PATH = local.redis.TFE_REDIS_CA_CERT_PATH
+ TFE_REDIS_CA_CERT_PATH = local.redis.TFE_REDIS_CA_CERT_PATH
 }
 description = "Debug output for Redis environment variables"
 }
 output "debug_redis_input_vars" {
 value = {
- redis_user = var.redis_user
- redis_use_auth = var.redis_use_auth
- redis_use_tls = var.redis_use_tls
- redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
- redis_ca_cert_path = var.redis_ca_cert_path
+ redis_user = var.redis_user
+ redis_use_auth = var.redis_use_auth
+ redis_use_tls = var.redis_use_tls
+ redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
+ redis_ca_cert_path = var.redis_ca_cert_path
 }
 description = "Debug output for Redis input variables"
 }
From 8cd7f92768318144a14aa12b065a79412cf59cd3 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Tue, 18 Nov 2025 20:05:02 +0530
Subject: [PATCH 06/13] fix: correct Redis AWS IAM variable names and add database AWS IAM support
- Change redis_passwordless_aws_use_iam to redis_passwordless_aws_use_instance_profile
- Add database_passwordless_aws_use_instance_profile and database_passwordless_aws_region variables
- Remove debug outputs as requested in PR review
- Variables now match TFE documentation exactly
Addresses PR review comments:
- Configuration now uses correct TFE environment variable names
- Database AWS IAM authentication support added
- Debug outputs removed for cleaner module interface
---
 .../database_config.tf | 24 ++++++++++---------
 .../outputs.tf | 23 ------------------
 .../redis_config.tf | 4 ++--
 .../variables.tf | 14 ++++++++++-
 4 files changed, 28 insertions(+), 37 deletions(-)
diff --git a/modules/runtime_container_engine_config/database_config.tf b/modules/runtime_container_engine_config/database_config.tf
index 3ccba0c..16d8c4c 100644
--- a/modules/runtime_container_engine_config/database_config.tf
+++ b/modules/runtime_container_engine_config/database_config.tf
@@ -3,17 +3,19 @@ locals {
 database = {
- TFE_DATABASE_USER = var.database_user
- TFE_DATABASE_PASSWORD = var.database_password
- TFE_DATABASE_HOST = var.database_host
- TFE_DATABASE_NAME = var.database_name
- TFE_DATABASE_PARAMETERS = var.database_parameters
- TFE_DATABASE_USE_MTLS = var.database_use_mtls
- TFE_DATABASE_CA_CERT_FILE = var.database_ca_cert_file
- TFE_DATABASE_CLIENT_CERT_FILE = var.database_client_cert_file
- TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file
- TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi
- TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
+ TFE_DATABASE_USER = var.database_user
+ TFE_DATABASE_PASSWORD = var.database_password
+ TFE_DATABASE_HOST = var.database_host
+ TFE_DATABASE_NAME = var.database_name
+ TFE_DATABASE_PARAMETERS = var.database_parameters
+ TFE_DATABASE_USE_MTLS = var.database_use_mtls
+ TFE_DATABASE_CA_CERT_FILE = var.database_ca_cert_file
+ TFE_DATABASE_CLIENT_CERT_FILE = var.database_client_cert_file
+ TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file
+ TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi
+ TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
+ TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.database_passwordless_aws_use_instance_profile
+ TFE_DATABASE_PASSWORDLESS_AWS_REGION = var.database_passwordless_aws_region
 }
 database_configuration = local.disk ? {} : local.database
 explorer_database = {
diff --git a/modules/runtime_container_engine_config/outputs.tf b/modules/runtime_container_engine_config/outputs.tf
index b3957c0..172a3d4 100644
--- a/modules/runtime_container_engine_config/outputs.tf
+++ b/modules/runtime_container_engine_config/outputs.tf
@@ -10,26 +10,3 @@ output "podman_kube_yaml" {
 value = base64encode(yamlencode(local.kube))
 description = "A base 64 encoded yaml object that will be used as the Podman kube.yaml file for TFE deployment"
 }
-
-output "debug_redis_env_vars" {
- value = {
- TFE_REDIS_USER = local.redis.TFE_REDIS_USER
- TFE_REDIS_USE_AUTH = local.redis.TFE_REDIS_USE_AUTH
- TFE_REDIS_USE_TLS = local.redis.TFE_REDIS_USE_TLS
- TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_PASSWORDLESS_AWS_USE_IAM
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = local.redis.TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM
- TFE_REDIS_CA_CERT_PATH = local.redis.TFE_REDIS_CA_CERT_PATH
- }
- description = "Debug output for Redis environment variables"
-}
-
-output "debug_redis_input_vars" {
- value = {
- redis_user = var.redis_user
- redis_use_auth = var.redis_use_auth
- redis_use_tls = var.redis_use_tls
- redis_passwordless_aws_use_iam = var.redis_passwordless_aws_use_iam
- redis_ca_cert_path = var.redis_ca_cert_path
- }
- description = "Debug output for Redis input variables"
-}
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index a1450eb..7ecfb13 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -20,8 +20,8 @@ locals {
 TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
 TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id
- TFE_REDIS_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_IAM = var.redis_passwordless_aws_use_iam
+ TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index a637aa7..8fafc0f 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -106,6 +106,18 @@ variable "database_passwordless_azure_client_id" {
 description = "Azure Managed Service Identity (MSI) Client ID. If not set, System Assigned Managed Identity will be used."
 }
+variable "database_passwordless_aws_use_instance_profile" {
+ default = false
+ type = bool
+ description = "Whether or not to use AWS IAM authentication to connect to the PostgreSQL database. Defaults to false if no value is given."
+}
+
+variable "database_passwordless_aws_region" {
+ default = ""
+ type = string
+ description = "AWS Region of the RDS PostgreSQL resource. Defaults to empty string if no value is given."
+}
+
 variable "explorer_database_host" {
 type = string
 default = null
@@ -369,7 +381,7 @@ variable "redis_passwordless_azure_client_id" {
 description = "Azure Managed Service Identity (MSI) Client ID to be used for redis authentication. If not set, System Assigned Managed Identity will be used."
 }
-variable "redis_passwordless_aws_use_iam" {
+variable "redis_passwordless_aws_use_instance_profile" {
 default = false
 type = bool
 description = "Whether or not to use AWS IAM authentication to connect to the Redis server. Defaults to false if no value is given."
From 73e4c53cd364fbf1219245f0509cca37766edde9 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Tue, 18 Nov 2025 20:12:16 +0530
Subject: [PATCH 07/13] cleanup: remove unnecessary PostgreSQL AWS IAM variables
- Remove database_passwordless_aws_use_instance_profile variable
- Remove database_passwordless_aws_region variable
- Remove TFE_DATABASE_PASSWORDLESS_AWS_* environment variables
PostgreSQL AWS IAM authentication is out of scope for this Redis passwordless authentication feature. These variables were incorrectly added during the variable name fix and should not be included. Focus remains purely on Redis passwordless authentication with correct variable names matching TFE documentation.
---
 .../database_config.tf | 24 +++++++++----------
 .../variables.tf | 12 ----------
 2 files changed, 11 insertions(+), 25 deletions(-)
diff --git a/modules/runtime_container_engine_config/database_config.tf b/modules/runtime_container_engine_config/database_config.tf
index 16d8c4c..3ccba0c 100644
--- a/modules/runtime_container_engine_config/database_config.tf
+++ b/modules/runtime_container_engine_config/database_config.tf
@@ -3,19 +3,17 @@ locals {
 database = {
- TFE_DATABASE_USER = var.database_user
- TFE_DATABASE_PASSWORD = var.database_password
- TFE_DATABASE_HOST = var.database_host
- TFE_DATABASE_NAME = var.database_name
- TFE_DATABASE_PARAMETERS = var.database_parameters
- TFE_DATABASE_USE_MTLS = var.database_use_mtls
- TFE_DATABASE_CA_CERT_FILE = var.database_ca_cert_file
- TFE_DATABASE_CLIENT_CERT_FILE = var.database_client_cert_file
- TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file
- TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi
- TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
- TFE_DATABASE_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.database_passwordless_aws_use_instance_profile
- TFE_DATABASE_PASSWORDLESS_AWS_REGION = var.database_passwordless_aws_region
+ TFE_DATABASE_USER = var.database_user
+ TFE_DATABASE_PASSWORD = var.database_password
+ TFE_DATABASE_HOST = var.database_host
+ TFE_DATABASE_NAME = var.database_name
+ TFE_DATABASE_PARAMETERS = var.database_parameters
+ TFE_DATABASE_USE_MTLS = var.database_use_mtls
+ TFE_DATABASE_CA_CERT_FILE = var.database_ca_cert_file
+ TFE_DATABASE_CLIENT_CERT_FILE = var.database_client_cert_file
+ TFE_DATABASE_CLIENT_KEY_FILE = var.database_client_key_file
+ TFE_DATABASE_PASSWORDLESS_AZURE_USE_MSI = var.database_passwordless_azure_use_msi
+ TFE_DATABASE_PASSWORDLESS_AZURE_CLIENT_ID = var.database_passwordless_azure_client_id
 }
 database_configuration = local.disk ? {} : local.database
 explorer_database = {
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 8fafc0f..11671e3 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -106,18 +106,6 @@ variable "database_passwordless_azure_client_id" {
 description = "Azure Managed Service Identity (MSI) Client ID. If not set, System Assigned Managed Identity will be used."
 }
-variable "database_passwordless_aws_use_instance_profile" {
- default = false
- type = bool
- description = "Whether or not to use AWS IAM authentication to connect to the PostgreSQL database. Defaults to false if no value is given."
-}
-
-variable "database_passwordless_aws_region" {
- default = ""
- type = string
- description = "AWS Region of the RDS PostgreSQL resource. Defaults to empty string if no value is given."
-}
-
 variable "explorer_database_host" {
 type = string
 default = null
From b8e6901da5e3e19a404b043262461d0598de78dd Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Tue, 18 Nov 2025 23:05:53 +0530
Subject: [PATCH 08/13] Add missing Redis passwordless AWS variables and TFE environment variables
- Add redis_passwordless_aws_region and redis_passwordless_aws_host_name variables
- Add corresponding TFE environment variables for Redis AWS region and hostname
- Add Sidekiq variants for both region and hostname
- Apply terraform formatting alignment for consistency
- Complete Redis passwordless authentication implementation
---
 .../redis_config.tf | 42 ++++++++++---------
 .../variables.tf | 16 ++++++-
 2 files changed, 37 insertions(+), 21 deletions(-)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 7ecfb13..f5b0044 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -3,25 +3,29 @@ locals {
 redis = {
- TFE_REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
- TFE_REDIS_USER = var.redis_user
- TFE_REDIS_PASSWORD = var.redis_password
- TFE_REDIS_USE_TLS = var.redis_use_tls
- TFE_REDIS_USE_AUTH = var.redis_use_auth
- TFE_REDIS_SENTINEL_ENABLED = var.redis_use_sentinel
- TFE_REDIS_SENTINEL_HOSTS = join(",", var.redis_sentinel_hosts)
- TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
- TFE_REDIS_SENTINEL_PASSWORD = var.redis_sentinel_password
- TFE_REDIS_SENTINEL_USERNAME = var.redis_sentinel_user
- TFE_REDIS_CA_CERT_PATH = var.redis_ca_cert_path
- TFE_REDIS_CLIENT_CERT_PATH = var.redis_client_cert_path
- TFE_REDIS_CLIENT_KEY_PATH = var.redis_client_key_path
- TFE_REDIS_USE_MTLS = var.redis_use_mtls ? "true" : var.enable_sentinel_mtls ? "true" : "false"
- TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
- TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id
- TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
- TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
+ TFE_REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
+ TFE_REDIS_USER = var.redis_user
+ TFE_REDIS_PASSWORD = var.redis_password
+ TFE_REDIS_USE_TLS = var.redis_use_tls
+ TFE_REDIS_USE_AUTH = var.redis_use_auth
+ TFE_REDIS_SENTINEL_ENABLED = var.redis_use_sentinel
+ TFE_REDIS_SENTINEL_HOSTS = join(",", var.redis_sentinel_hosts)
+ TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
+ TFE_REDIS_SENTINEL_PASSWORD = var.redis_sentinel_password
+ TFE_REDIS_SENTINEL_USERNAME = var.redis_sentinel_user
+ TFE_REDIS_CA_CERT_PATH = var.redis_ca_cert_path
+ TFE_REDIS_CLIENT_CERT_PATH = var.redis_client_cert_path
+ TFE_REDIS_CLIENT_KEY_PATH = var.redis_client_key_path
+ TFE_REDIS_USE_MTLS = var.redis_use_mtls ? "true" : var.enable_sentinel_mtls ? "true" : "false"
+ TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
+ TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID = var.redis_passwordless_azure_client_id
+ TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
+ TFE_REDIS_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
+ TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
+ TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 11671e3..9833641 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
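Review bot: `TFE_REDIS_HOST` still appends `:6380` whenever `redis_use_tls` is true, and 6380 is the Azure Cache for Redis TLS port; ElastiCache serves TLS on 6379 and requires in-transit encryption for IAM authentication, so an AWS deployment that turns on `redis_passwordless_aws_use_instance_profile` together with TLS is pointed at a port ElastiCache does not listen on (unless `redis_host` already carries its own port, which is not visible here). Since this hunk rewrites the whole block, it is the natural place to stop hard-coding the port, e.g. a `redis_tls_port` input defaulting to `6380` for backward compatibility and used as `"${var.redis_host}:${var.redis_tls_port}"`. The new `*_AWS_REGION` and `*_AWS_HOST_NAME` entries also pass `null` through when the inputs are unset; confirm that the downstream renderer omits null map values rather than emitting a literal `null`.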
@@ -370,9 +370,21 @@ variable "redis_passwordless_azure_client_id" {
 }
 variable "redis_passwordless_aws_use_instance_profile" {
- default = false
 type = bool
- description = "Whether or not to use AWS IAM authentication to connect to the Redis server. Defaults to false if no value is given."
+ description = "Boolean to use AWS instance profile for Redis IAM authentication."
+ default = false
+}
+
+variable "redis_passwordless_aws_region" {
+ type = string
+ description = "AWS Region of the AWS ElastiCache resource for Redis passwordless authentication."
+ default = null
+}
+
+variable "redis_passwordless_aws_host_name" {
+ type = string
+ description = "The name of the Redis instance on AWS for passwordless authentication."
+ default = null
 }
 variable "run_pipeline_image" {
From 945c81a2eb59f669e710f82aa2ea6d8b7bd3b416 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Wed, 19 Nov 2025 12:48:53 +0530
Subject: [PATCH 09/13] Add missing TFE Redis Sidekiq environment variables per documentation
- Added TFE_REDIS_SIDEKIQ_USER (set to redis_user for IAM authentication)
- Added TFE_REDIS_SIDEKIQ_USE_TLS (set to redis_use_tls value)
These variables are required by the official TFE documentation for Redis IAM authentication.
---
 modules/runtime_container_engine_config/redis_config.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index f5b0044..6d81374 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
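Review bot: `redis_passwordless_aws_region` and `redis_passwordless_aws_host_name` both default to `null` and neither description says they must be set when `redis_passwordless_aws_use_instance_profile` is true, so an operator who enables IAM mode and forgets them gets a configuration that passes `terraform validate` and only fails when TFE tries to sign a Redis token. Say so in the descriptions, e.g. `description = "AWS Region of the AWS ElastiCache resource for Redis passwordless authentication. Required when redis_passwordless_aws_use_instance_profile is true."`, and enforce it with a `validation` block (or a precondition where the locals are consumed) that rejects a null value while the flag is set. The rewritten `redis_passwordless_aws_use_instance_profile` description also drops the "Defaults to false if no value is given" wording that the neighbouring `run_pipeline_image` variable still uses, which is a small consistency regression.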
@@ -26,6 +26,8 @@ locals {
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
 TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
+ TFE_REDIS_SIDEKIQ_USER = var.redis_user
+ TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_use_tls
 }
 redis_configuration = local.active_active ? local.redis : {}
 }
From bfe735f89bbf1d3dbe05ad190a916542123fd993 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Thu, 20 Nov 2025 00:59:20 +0530
Subject: [PATCH 10/13] Fix Redis username and password for IAM authentication
- Use 'default' username when redis_passwordless_aws_use_instance_profile=true
- Set password to null for IAM authentication (TFE generates tokens dynamically)
- Apply same fix for both TFE_REDIS_USER and TFE_REDIS_SIDEKIQ_USER
---
 modules/runtime_container_engine_config/redis_config.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 6d81374..252d68e 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -4,8 +4,8 @@ locals {
 redis = {
 TFE_REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
- TFE_REDIS_USER = var.redis_user
- TFE_REDIS_PASSWORD = var.redis_password
+ TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
+ TFE_REDIS_PASSWORD = var.redis_passwordless_aws_use_instance_profile ? null : var.redis_password
 TFE_REDIS_USE_TLS = var.redis_use_tls
 TFE_REDIS_USE_AUTH = var.redis_use_auth
 TFE_REDIS_SENTINEL_ENABLED = var.redis_use_sentinel
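Review bot: `TFE_REDIS_SIDEKIQ_USER` and `TFE_REDIS_SIDEKIQ_USE_TLS` are added as copies of the main connection's settings, but no Sidekiq host or password entry is set with them, so whether the Sidekiq connection falls back to `TFE_REDIS_HOST` and `TFE_REDIS_PASSWORD` is not visible in this hunk; if TFE reads separate `TFE_REDIS_SIDEKIQ_HOST` / `TFE_REDIS_SIDEKIQ_PASSWORD` settings (I believe it does), a Sidekiq user with no matching endpoint and credential is an incomplete configuration. Please confirm the fallback and record the dependency the commit message cites, e.g. `# Sidekiq mirrors the main Redis user/TLS settings; required for Redis IAM auth per the TFE docs`. The `locals` block that holds these entries starts before the hunk.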
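Review bot: `TFE_REDIS_PASSWORD` is forced to `null` when the instance profile is in use, but `TFE_REDIS_USE_AUTH = var.redis_use_auth` on the next lines is left as the operator set it, so the auth flag and the credential can now disagree (IAM on, `redis_use_auth` false, or vice versa) and nothing in the module detects that. Whether TFE expects `TFE_REDIS_USE_AUTH` to be true for token-based authentication is not visible here; please confirm and either derive it, `TFE_REDIS_USE_AUTH = var.redis_passwordless_aws_use_instance_profile ? true : var.redis_use_auth`, or document the required pairing on the variable. The hard-coded `"default"` user is already replaced by a variable in patch 11, so no action there; the Sidekiq hunk `@@ -26,7 +26,7 @@` that follows has the same user switch with no Sidekiq-side auth or password counterpart.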
@@ -26,7 +26,7 @@ locals {
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
 TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
- TFE_REDIS_SIDEKIQ_USER = var.redis_user
+ TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
 TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_use_tls
 }
 redis_configuration = local.active_active ? local.redis : {}
From e3d8379336dc951e43b958262bbb7839e18b0133 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Thu, 20 Nov 2025 02:25:55 +0530
Subject: [PATCH 11/13] Update Redis config to use custom IAM user for testing
- Use redis_passwordless_aws_iam_user instead of hardcoded 'default'
- Add redis_passwordless_aws_iam_user variable
- Apply to both TFE_REDIS_USER and TFE_REDIS_SIDEKIQ_USER
This enables proper testing of custom ElastiCache IAM users per AWS documentation instead of relying on the 'default' user which bypasses IAM validation.
---
 modules/runtime_container_engine_config/redis_config.tf | 4 ++--
 modules/runtime_container_engine_config/variables.tf | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 252d68e..e497d13 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -4,7 +4,7 @@ locals {
 redis = {
 TFE_REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
- TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
+ TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
 TFE_REDIS_PASSWORD = var.redis_passwordless_aws_use_instance_profile ? null : var.redis_password
 TFE_REDIS_USE_TLS = var.redis_use_tls
 TFE_REDIS_USE_AUTH = var.redis_use_auth
@@ -26,7 +26,7 @@ locals {
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
 TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
- TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
+ TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
 TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_use_tls
 }
 redis_configuration = local.active_active ? local.redis : {}
diff --git a/modules/runtime_container_engine_config/variables.tf b/modules/runtime_container_engine_config/variables.tf
index 9833641..810fc18 100644
--- a/modules/runtime_container_engine_config/variables.tf
+++ b/modules/runtime_container_engine_config/variables.tf
@@ -387,6 +387,12 @@ variable "redis_passwordless_aws_host_name" {
 default = null
 }
+variable "redis_passwordless_aws_iam_user" {
+ type = string
+ description = "The IAM username for Redis IAM authentication."
+ default = null
+}
+
 variable "run_pipeline_image" {
 type = string
 description = "Container image used to execute Terraform runs. Leave blank to use the default image that comes with Terraform Enterprise. Defaults to \"\" if no value is given."
From 0bc3c8edd5d9b9d0b002e7d41a258fc4ac4afc76 Mon Sep 17 00:00:00 2001
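Review bot: `redis_passwordless_aws_iam_user` defaults to `null`, and the two `redis_config.tf` hunks above now select it whenever `redis_passwordless_aws_use_instance_profile` is true, so enabling IAM mode without setting it yields `TFE_REDIS_USER = null` and `TFE_REDIS_PASSWORD = null` at the same time — a connection with neither identity nor credential that nothing in the module rejects. State the requirement in the description, e.g. `description = "ElastiCache user (IAM authentication mode) used for Redis IAM authentication. Required when redis_passwordless_aws_use_instance_profile is true."`, and add a `validation` block or precondition that fails when the flag is set and the value is null. Calling it "The IAM username" is also misleading: the value TFE presents is the ElastiCache user name, which must match an ElastiCache user configured for IAM authentication, not an IAM principal name.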
From: RAVI PRAKASH
Date: Thu, 20 Nov 2025 12:29:58 +0530
Subject: [PATCH 12/13] Temporarily revert to 'default' user to test Redis IAM auth works
This will confirm that:
1. Redis IAM authentication mechanism is working
2. The issue is specifically with custom IAM user configuration
Once confirmed working, we'll know the problem is the ElastiCache user group doesn't properly include the custom IAM user 'fitg-iam-user'.
---
 modules/runtime_container_engine_config/redis_config.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index e497d13..252d68e 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -4,7 +4,7 @@ locals {
 redis = {
 TFE_REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
- TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+ TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
 TFE_REDIS_PASSWORD = var.redis_passwordless_aws_use_instance_profile ? null : var.redis_password
 TFE_REDIS_USE_TLS = var.redis_use_tls
 TFE_REDIS_USE_AUTH = var.redis_use_auth
@@ -26,7 +26,7 @@ locals {
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
 TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
- TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+ TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
 TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_use_tls
 }
 redis_configuration = local.active_active ? local.redis : {}
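Review bot: The new side hard-codes `"default"` as the Redis user for both `TFE_REDIS_USER` and `TFE_REDIS_SIDEKIQ_USER`, which the previous commit's own message describes as a user that bypasses IAM validation; because this is a separate commit in the series, any checkout or bisect at this revision deploys IAM mode with that user, and nothing in the code marks it as temporary. A debugging toggle like this belongs in a tfvars override or a local branch rather than the shared history; if it must stay, squash it with patch 13 so the hard-coded user never exists at a reachable revision, or at minimum add `# TEMPORARY: IAM-auth debugging only, do not deploy` next to both lines. The message also records a real environment's ElastiCache user name, which is better kept out of commit history. Both hunks sit inside the `locals` block that starts before them.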
From 42c91b4bfb31adf0e91fd134fa2eddba4ef0b8b7 Mon Sep 17 00:00:00 2001
From: RAVI PRAKASH
Date: Thu, 20 Nov 2025 13:03:15 +0530
Subject: [PATCH 13/13] Revert Redis config to use custom IAM user
Now that IAM policy is fixed with explicit resource ARNs, we can test the custom IAM user authentication properly.
---
 modules/runtime_container_engine_config/redis_config.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/runtime_container_engine_config/redis_config.tf b/modules/runtime_container_engine_config/redis_config.tf
index 252d68e..e497d13 100644
--- a/modules/runtime_container_engine_config/redis_config.tf
+++ b/modules/runtime_container_engine_config/redis_config.tf
@@ -4,7 +4,7 @@ locals {
 redis = {
 TFE_REDIS_HOST = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
- TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
+ TFE_REDIS_USER = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
 TFE_REDIS_PASSWORD = var.redis_passwordless_aws_use_instance_profile ? null : var.redis_password
 TFE_REDIS_USE_TLS = var.redis_use_tls
 TFE_REDIS_USE_AUTH = var.redis_use_auth
@@ -26,7 +26,7 @@ locals {
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION = var.redis_passwordless_aws_region
 TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
 TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME = var.redis_passwordless_aws_host_name
- TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? "default" : var.redis_user
+ TFE_REDIS_SIDEKIQ_USER = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
 TFE_REDIS_SIDEKIQ_USE_TLS = var.redis_use_tls
 }
 redis_configuration = local.active_active ? local.redis : {}
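Review bot: With this revert the IAM branch of the map is in its final shape, yet the split it relies on — `TFE_REDIS_USER` and `TFE_REDIS_SIDEKIQ_USER` switch to `var.redis_passwordless_aws_iam_user` while `TFE_REDIS_PASSWORD` becomes `null` — carries no comment saying why a user name is still required when no password is passed, which is exactly what the patch 10–12 back-and-forth tripped over. A one-line comment above `TFE_REDIS_USER`, e.g. `# ElastiCache IAM auth: TFE mints the token itself (no static password), but the user must be the ElastiCache user enabled for IAM`, would prevent the next maintainer from reintroducing `"default"`. The message attributes the fix to "explicit resource ARNs" in the IAM policy; recording that minimal, resource-scoped permission shape in the module README would help least-privilege reviews of deployments that enable this flag. Both hunks are inside the `locals` block that starts before them.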