From 3077275e7a6e83285a7daf5d1f21ddd00356d329 Mon Sep 17 00:00:00 2001
From: Martin Burke <66889764+burmek@users.noreply.github.com>
Date: Fri, 6 Oct 2023 14:58:52 -0400
Subject: [PATCH] Enable the use of elasticache/redis auth token

---
 README.md | 2 ++
 main.tf | 12 +++++++-----
 modules/comet_elasticache/README.md | 4 +++-
 modules/comet_elasticache/main.tf | 24 ++++++++++++++----------
 modules/comet_elasticache/variables.tf | 11 +++++++++++
 terraform.tfvars | 3 +++
 variables.tf | 12 ++++++++++++
 7 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index 20d5564..cf52b5c 100644
--- a/README.md
+++ b/README.md
@@ -89,11 +89,13 @@ terraform {
 | [eks\_mng\_name](#input\_eks\_mng\_name) | Name for the EKS managed nodegroup | `string` | `"mng"` | no |
 | [eks\_node\_types](#input\_eks\_node\_types) | Node instance types for EKS managed node group | `list(string)` |
[| no |
 | [elasticache\_allow\_from\_sg](#input\_elasticache\_allow\_from\_sg) | Security group from which to allow connections to ElastiCache, to use when provisioning with existing compute | `string` | `null` | no |
+| [elasticache\_auth\_token](#input\_elasticache\_auth\_token) | Auth token for ElastiCache | `string` | `null` | no |
 | [elasticache\_engine](#input\_elasticache\_engine) | Engine type for ElastiCache cluster | `string` | `"redis"` | no |
 | [elasticache\_engine\_version](#input\_elasticache\_engine\_version) | Version number for ElastiCache engine | `string` | `"5.0.6"` | no |
 | [elasticache\_instance\_type](#input\_elasticache\_instance\_type) | ElastiCache instance type | `string` | `"cache.r4.xlarge"` | no |
 | [elasticache\_num\_cache\_nodes](#input\_elasticache\_num\_cache\_nodes) | Number of nodes in the ElastiCache cluster | `number` | `1` | no |
 | [elasticache\_param\_group\_name](#input\_elasticache\_param\_group\_name) | Name for the ElastiCache cluster parameter group | `string` | `"default.redis5.0"` | no |
+| [elasticache\_transit\_encryption](#input\_elasticache\_transit\_encryption) | Enable transit encryption for ElastiCache | `bool` | `false` | no |
 | [enable\_ec2](#input\_enable\_ec2) | Toggles the comet\_ec2 module, to provision EC2 resources for running Comet | `bool` | n/a | yes |
 | [enable\_ec2\_alb](#input\_enable\_ec2\_alb) | Toggles the comet\_ec2\_alb module, to provision an ALB in front of the EC2 instance | `bool` | n/a | yes |
 | [enable\_eks](#input\_enable\_eks) | Toggles the comet\_eks module, to provision EKS resources for running Comet | `bool` | n/a | yes |
diff --git a/main.tf b/main.tf
index af892b4..64f7e71 100644
--- a/main.tf
+++ b/main.tf
@@ -84,11 +84,13 @@ module "comet_elasticache" {
   elasticache_allow_from_sg = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : (
     var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : (
       var.elasticache_allow_from_sg))
-  elasticache_engine = var.elasticache_engine
-  elasticache_engine_version = var.elasticache_engine_version
-  elasticache_instance_type = var.elasticache_instance_type
-  elasticache_param_group_name = var.elasticache_param_group_name
-  elasticache_num_cache_nodes = var.elasticache_num_cache_nodes
+  elasticache_engine = var.elasticache_engine
+  elasticache_engine_version = var.elasticache_engine_version
+  elasticache_instance_type = var.elasticache_instance_type
+  elasticache_param_group_name = var.elasticache_param_group_name
+  elasticache_num_cache_nodes = var.elasticache_num_cache_nodes
+  elasticache_transit_encryption = var.elasticache_transit_encryption
+  elasticache_auth_token = var.elasticache_auth_token
 }
 
 module "comet_rds" {
diff --git a/modules/comet_elasticache/README.md b/modules/comet_elasticache/README.md
index 4187425..57822bc 100644
--- a/modules/comet_elasticache/README.md
+++ b/modules/comet_elasticache/README.md
@@ -16,7 +16,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_elasticache_cluster.comet-ml-ec-redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster) | resource |
+| [aws_elasticache_replication_group.comet-ml-ec-redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group) | resource |
 | [aws_elasticache_subnet_group.comet-ml-ec-subnet-group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
 | [aws_security_group.redis_inbound_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_security_group_ingress_rule.redis_port_inbound_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
@@ -26,12 +26,14 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [elasticache\_allow\_from\_sg](#input\_elasticache\_allow\_from\_sg) | Security group from which connections to ElastiCache will be allowed | `string` | n/a | yes |
+| [elasticache\_auth\_token](#input\_elasticache\_auth\_token) | Auth token for ElastiCache | `string` | `null` | no |
 | [elasticache\_engine](#input\_elasticache\_engine) | Engine type for Elasticache cluster | `string` | n/a | yes |
 | [elasticache\_engine\_version](#input\_elasticache\_engine\_version) | Version number for Elasticache engine | `string` | n/a | yes |
 | [elasticache\_instance\_type](#input\_elasticache\_instance\_type) | Elasticache instance type | `string` | n/a | yes |
 | [elasticache\_num\_cache\_nodes](#input\_elasticache\_num\_cache\_nodes) | Number of nodes in the Elasticache cluster | `number` | n/a | yes |
 | [elasticache\_param\_group\_name](#input\_elasticache\_param\_group\_name) | Name for the Elasticache cluster parameter group | `string` | n/a | yes |
 | [elasticache\_private\_subnets](#input\_elasticache\_private\_subnets) | IDs of private subnets within the VPC | `list(string)` | n/a | yes |
+| [elasticache\_transit\_encryption](#input\_elasticache\_transit\_encryption) | Enable transit encryption for ElastiCache | `bool` | n/a | yes |
 | [environment](#input\_environment) | Deployment environment, i.e. dev/stage/prod, etc | `string` | n/a | yes |
 | [vpc\_id](#input\_vpc\_id) | ID of the VPC that will contain the provisioned resources | `string` | n/a | yes |
 
diff --git a/modules/comet_elasticache/main.tf b/modules/comet_elasticache/main.tf
index f231e17..c75865c 100644
--- a/modules/comet_elasticache/main.tf
+++ b/modules/comet_elasticache/main.tf
@@ -7,16 +7,20 @@ locals {
   }
 }
 
-resource "aws_elasticache_cluster" "comet-ml-ec-redis" {
-  cluster_id = "cometml-ec-redis-${var.environment}"
-  engine = var.elasticache_engine
-  node_type = var.elasticache_instance_type
-  num_cache_nodes = var.elasticache_num_cache_nodes
-  parameter_group_name = var.elasticache_param_group_name
-  engine_version = var.elasticache_engine_version
-  port = local.redis_port
-  subnet_group_name = aws_elasticache_subnet_group.comet-ml-ec-subnet-group.name
-  security_group_ids = [aws_security_group.redis_inbound_sg.id]
+resource "aws_elasticache_replication_group" "comet-ml-ec-redis" {
+  engine = var.elasticache_engine
+  engine_version = var.elasticache_engine_version
+  transit_encryption_enabled = var.elasticache_transit_encryption
+  auth_token = var.elasticache_auth_token
+  automatic_failover_enabled = false
+  replication_group_id = "cometml-ec-redis-${var.environment}"
+  node_type = var.elasticache_instance_type
+  num_cache_clusters = var.elasticache_num_cache_nodes
+  parameter_group_name = var.elasticache_param_group_name
+  port = local.redis_port
+  subnet_group_name = aws_elasticache_subnet_group.comet-ml-ec-subnet-group.name
+  security_group_ids = [aws_security_group.redis_inbound_sg.id]
+  description = "Redis for CometML"
 }
 
 resource "aws_elasticache_subnet_group" "comet-ml-ec-subnet-group" {
diff --git a/modules/comet_elasticache/variables.tf b/modules/comet_elasticache/variables.tf
index e381ad6..33dd9ef 100644
--- a/modules/comet_elasticache/variables.tf
+++ b/modules/comet_elasticache/variables.tf
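Review bot: `auth_token = var.elasticache_auth_token` is set on the new replication group while `transit_encryption_enabled` follows `var.elasticache_transit_encryption`, which the root module defaults to `false`; per the AWS provider docs an auth token can only be specified when in-transit encryption is enabled, so a token supplied without flipping the flag fails at apply time rather than at plan. A `lifecycle.precondition` on the resource ties the two inputs together and fails early with a clear message (below). The new resource also leaves `at_rest_encryption_enabled` at its default (off) — since the resource is being rebuilt anyway this is the moment to decide that, because changing it later forces another replacement. Note that moving from `aws_elasticache_cluster` to `aws_elasticache_replication_group` under the same id destroys and recreates the cache; probably acceptable for a cache, but it should be stated in the commit message.
```hcl
resource "aws_elasticache_replication_group" "comet-ml-ec-redis" {
  # … unchanged: engine, encryption, node and network settings …

  lifecycle {
    precondition {
      condition     = var.elasticache_auth_token == null || var.elasticache_transit_encryption
      error_message = "elasticache_auth_token requires elasticache_transit_encryption = true: ElastiCache only accepts Redis AUTH over TLS."
    }
  }
}
```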
@@ -41,4 +41,15 @@ variable "elasticache_param_group_name" {
 variable "elasticache_num_cache_nodes" {
   description = "Number of nodes in the Elasticache cluster"
   type = number
+}
+
+variable "elasticache_transit_encryption" {
+  description = "Enable transit encryption for ElastiCache"
+  type = bool
+}
+
+variable "elasticache_auth_token" {
+  description = "Auth token for ElastiCache"
+  type = string
+  default = null
 }
\ No newline at end of file
diff --git a/terraform.tfvars b/terraform.tfvars
index 90234d2..8e2dede 100644
--- a/terraform.tfvars
+++ b/terraform.tfvars
@@ -55,6 +55,9 @@ ssl_certificate_arn = null
 #### comet_elasticache ####
 # If setting enable_elasticache with existing compute, set the variable below to specify an SG that connections will be allowed from
 elasticache_allow_from_sg = "sg-012345abcdefghijkl"
+## Set the following to enable the auth token for Redis
+#elasticache_transit_encryption = true
+#elasticache_auth_token = "your-cometml-redis-token"
 
 #### comet_rds ####
 # If setting enable_rds, specify the root password for RDS below, or leave null and enter at the prompt during apply
diff --git a/variables.tf b/variables.tf
index 91c4494..2a5c92b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -230,6 +230,18 @@ variable "elasticache_num_cache_nodes" {
   default = 1
 }
 
+variable "elasticache_transit_encryption" {
+  description = "Enable transit encryption for ElastiCache"
+  type = bool
+  default = false
+}
+
+variable "elasticache_auth_token" {
+  description = "Auth token for ElastiCache"
+  type = string
+  default = null
+}
+
 #### comet_rds ####
 variable "rds_allow_from_sg" {
   description = "Security group from which to allow connections to RDS, to use when provisioning with existing compute"
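Review bot: the module's `variable "elasticache_auth_token"` is a credential but is not marked `sensitive = true`, so its value is printed in clear text in `terraform plan`/`apply` output whenever it is set or changed; add `sensitive   = true` to the block. A `validation` block would also reject tokens ElastiCache refuses — the AWS docs require 16–128 printable ASCII characters and disallow some punctuation (at least `/`, `"` and `@`; check the current allowed set), and today such a token only fails at apply. Marking the variable sensitive does not keep the value out of the state file, which still needs restricted access and encryption at rest. The description of `elasticache_transit_encryption` should also say it must be `true` whenever `elasticache_auth_token` is set, since the module does not enforce that itself.
```hcl
variable "elasticache_auth_token" {
  description = "Auth token for ElastiCache (Redis AUTH); requires elasticache_transit_encryption = true"
  type        = string
  default     = null
  sensitive   = true

  validation {
    condition     = var.elasticache_auth_token == null || can(regex("^[\\x20-\\x7E]{16,128}$", var.elasticache_auth_token)) && !can(regex("[/\"@]", var.elasticache_auth_token))
    error_message = "elasticache_auth_token must be 16-128 printable ASCII characters and must not contain '/', '\"' or '@'."
  }
}
```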
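Review bot: the example `#elasticache_auth_token = "your-cometml-redis-token"` steers operators toward putting the Redis credential in `terraform.tfvars`, which holds the rest of the environment configuration and is presumably committed to version control. The RDS section directly below already models the better option — leave the value `null` and enter it at the prompt — and the same advice (or `TF_VAR_elasticache_auth_token` from a secrets manager) belongs here. The comment should also make the coupling explicit, since setting only the token fails at apply, e.g. `## Redis AUTH requires in-transit encryption: set both, and supply the token via TF_VAR_elasticache_auth_token or at the prompt rather than committing it here`.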
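Review bot: the root `variable "elasticache_auth_token"` is the one operators actually set, and like the module copy it lacks `sensitive   = true`, so the token appears in plan output; with the root variable marked sensitive, Terraform should carry that sensitivity through to the module input as well. `elasticache_transit_encryption` defaulting to `false` means an operator who sets only the token gets an AWS error at apply time; either default it to `true` (which would force replacement of existing, unencrypted clusters — call that out if chosen) or state in its description that it must be `true` when `elasticache_auth_token` is set, e.g. `description = "Enable in-transit (TLS) encryption for ElastiCache; required when elasticache_auth_token is set"`.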
"m5.4xlarge"
]