diff --git a/.gitignore b/.gitignore
index f87ff9f5..a4526b4d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@
 # Local Working dir
 work
 backends.tf
+*.pem
\ No newline at end of file
diff --git a/locals.tf b/locals.tf
index c8774f8f..aee83988 100644
--- a/locals.tf
+++ b/locals.tf
@@ -47,42 +47,22 @@ locals {
 }
 }
 )
-
- redis = var.enable_redis_sentinel ? try(
- module.redis_sentinel[0],
- {
- hostname = null
- password = null
- username = null
- redis_port = null
- use_password_auth = null
- use_tls = null
- sentinel_enabled = var.enable_redis_sentinel
- sentinel_hosts = []
- sentinel_leader = null
- sentinel_username = null
- sentinel_password = null
- aws_elasticache_subnet_group_name = null
- aws_security_group_redis = null
- }
- ) : try(
- module.redis[0],
- {
- hostname = null
- password = null
- username = null
- redis_port = null
- use_password_auth = null
- use_tls = null
- sentinel_enabled = var.enable_redis_sentinel
- sentinel_hosts = []
- sentinel_leader = null
- sentinel_username = null
- sentinel_password = null
- aws_elasticache_subnet_group_name = null
- aws_security_group_redis = null
- }
- )
+ redis_default = {
+ hostname = null
+ password = null
+ username = null
+ redis_port = null
+ use_password_auth = null
+ use_tls = null
+ sentinel_enabled = var.enable_redis_sentinel
+ sentinel_hosts = []
+ sentinel_leader = null
+ sentinel_username = null
+ sentinel_password = null
+ aws_elasticache_subnet_group_name = null
+ aws_security_group_redis = null
+ }
+ redis = var.enable_redis_sentinel ? module.redis_sentinel[0] : var.enable_redis_mtls ? module.redis_mtls[0] : try(module.redis[0], local.redis_default)
 
 no_proxy = concat([
 "127.0.0.1",
diff --git a/main.tf b/main.tf
index 70e96ff7..727f3a72 100644
--- a/main.tf
+++ b/main.tf
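Review bot: The new `redis` expression on the last added line of the locals.tf hunk silently prefers Sentinel when `enable_redis_sentinel` and `enable_redis_mtls` are both true, and it also drops the `try()` that previously wrapped `module.redis_sentinel[0]`, so a configuration where that module's count evaluates to 0 (its count is not in this diff, so this is inferred) now fails at plan time instead of falling back to `local.redis_default`. Consider rejecting the conflicting combination with a variable validation or a precondition, and keeping the fallback: `redis = var.enable_redis_sentinel ? try(module.redis_sentinel[0], local.redis_default) : var.enable_redis_mtls ? try(module.redis_mtls[0], local.redis_default) : try(module.redis[0], local.redis_default)`. The `locals` block continues outside the hunk.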
@@ -38,6 +38,9 @@ module "service_accounts" {
 tfe_license_secret_id = var.tfe_license_secret_id
 kms_key_arn = local.kms_key_arn
 vm_certificate_secret_id = var.vm_certificate_secret_id
+ redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
+ redis_client_certificate_secret_id = var.redis_client_certificate_secret_id
+ redis_client_key_secret_id = var.redis_client_key_secret_id
 vm_key_secret_id = var.vm_key_secret_id
 }
 
@@ -71,7 +74,7 @@ module "networking" {
 # -----------------------------------------------------------------------------
 module "redis" {
 source = "./modules/redis"
- count = local.enable_redis_module && var.enable_redis_sentinel == false ? 1 : 0
+ count = local.enable_redis_module && var.enable_redis_sentinel == false || local.enable_redis_module && var.enable_redis_mtls == false ? 1 : 0
 active_active = var.operational_mode == "active-active"
 friendly_name_prefix = var.friendly_name_prefix
 
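Review bot: The new `count` for `module "redis"` does not actually exclude the mTLS case: `&&` binds tighter than `||`, so with `enable_redis_mtls = true` and `enable_redis_sentinel = false` the first operand (`local.enable_redis_module && var.enable_redis_sentinel == false`) is already true and a plain, password-authenticated Redis is deployed next to `module.redis_mtls`, both reachable inside the VPC. The intent reads as "plain Redis only when neither alternative is selected", which is `count = local.enable_redis_module && !var.enable_redis_sentinel && !var.enable_redis_mtls ? 1 : 0`. A one-line comment above `count` stating that the three Redis modes are mutually exclusive would stop the next edit from reintroducing this. The rest of the `module "redis"` block is outside the hunk.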
@@ -115,6 +118,34 @@ module "redis_sentinel" {
 network_private_subnet_cidrs = local.network_private_subnet_cidrs
 }
 
+# -----------------------------------------------------------------------------
+# Redis mTLS
+# -----------------------------------------------------------------------------
+
+module "redis_mtls" {
+ count = var.enable_redis_mtls ? 1 : 0
+ source = "./modules/redis-standalone-mtls"
+ # This module is used to deploy a Redis instance with mTLS enabled.
+
+ domain_name = var.domain_name
+ redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
+ redis_client_certificate_secret_id = var.redis_client_certificate_secret_id
+ redis_client_key_secret_id = var.redis_client_key_secret_id
+ # mTLS does not use password authentication
+ redis_authentication_mode = "NONE"
+ aws_iam_instance_profile = module.service_accounts.iam_instance_profile.name
+ asg_tags = var.asg_tags
+ ec2_launch_template_tag_specifications = var.ec2_launch_template_tag_specifications
+ friendly_name_prefix = var.friendly_name_prefix
+ health_check_grace_period = var.health_check_grace_period
+ health_check_type = var.health_check_type
+ instance_type = var.instance_type
+ key_name = var.key_name
+ network_id = local.network_id
+ network_subnets_private = local.network_private_subnets
+ network_private_subnet_cidrs = local.network_private_subnet_cidrs
+}
+
 # -----------------------------------------------------------------------------
 # AWS PostreSQL Database
 # -----------------------------------------------------------------------------
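Review bot: `module "redis_mtls"` is gated only on `var.enable_redis_mtls`, whereas `module "redis"` also requires `local.enable_redis_module`, and nothing prevents it from being created together with `module "redis_sentinel"`; `count = local.enable_redis_module && var.enable_redis_mtls && !var.enable_redis_sentinel ? 1 : 0` makes the three modes mutually exclusive, assuming `enable_redis_module` carries the same meaning for this mode (it is defined outside this diff). Separately, the module receives `redis_client_certificate_secret_id` and `redis_client_key_secret_id` — the same secrets `tfe_init_fdo` is handed as the client identity — and its user-data installs them as the server's `--tls-cert-file`/`--tls-key-file` (script.sh, compose.yaml), so TFE and the Redis server share one key pair. If that is intended, the `# This module is used to deploy…` comment should say so explicitly; otherwise add separate server certificate/key inputs so compromise of either side does not yield the other's identity.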
@@ -229,6 +260,11 @@ module "runtime_container_engine_config" {
 redis_sentinel_leader_name = local.redis.sentinel_leader
 redis_sentinel_user = local.redis.sentinel_username
 redis_sentinel_password = local.redis.sentinel_password
+ redis_use_mtls = var.enable_redis_mtls
+ redis_ca_cert_path = "/etc/ssl/private/terraform-enterprise/redis/cacert.pem"
+ redis_client_cert_path = "/etc/ssl/private/terraform-enterprise/redis/cert.pem"
+ redis_client_key_path = "/etc/ssl/private/terraform-enterprise/redis/key.pem"
+
 trusted_proxies = local.trusted_proxies
 
 
@@ -260,6 +296,11 @@ module "tfe_init_fdo" {
 certificate_secret_id = var.vm_certificate_secret_id == null ? null : var.vm_certificate_secret_id
 key_secret_id = var.vm_key_secret_id == null ? null : var.vm_key_secret_id
 
+ enable_redis_mtls = var.enable_redis_mtls
+ redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id
+ redis_client_certificate_secret_id = var.redis_client_certificate_secret_id == null ? null : var.redis_client_certificate_secret_id
+ redis_client_key_secret_id = var.redis_client_key_secret_id == null ? null : var.redis_client_key_secret_id
+
 proxy_ip = var.proxy_ip != null ? var.proxy_ip : null
 proxy_port = var.proxy_ip != null ? var.proxy_port : null
 extra_no_proxy = var.proxy_ip != null ? local.no_proxy : null
diff --git a/modules/redis-standalone-mtls/files/compose.yaml b/modules/redis-standalone-mtls/files/compose.yaml
new file mode 100644
index 00000000..1d5bfb20
--- /dev/null
+++ b/modules/redis-standalone-mtls/files/compose.yaml
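Review bot: The three `var.x == null ? null : var.x` expressions added to `tfe_init_fdo` are identities — both branches evaluate to `var.x` — so they only obscure the wiring; `redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id` (and likewise for the certificate and key) reads the same and matches how the same values are passed to `module.redis_mtls`. What is missing is a guard that these three secret IDs are set when `enable_redis_mtls` is true: as written a null or mistyped ID reaches the init script and fails at first boot, whereas a `precondition` on this module block (or a validation on `enable_redis_mtls`) would fail the plan. The `module "tfe_init_fdo"` block continues outside the hunk.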
@@ -0,0 +1,28 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# Description: This file contains the docker-compose configuration for the redis OSS module.
+services:
+ redis:
+ image: redis:7
+ command: [
+ "redis-server",
+ # disable all ports
+ "--port", "0",
+ "--tls-port 6379",
+ "--tls-cert-file", "/certs/fullchain.pem",
+ "--tls-key-file", "/certs/privkey.pem",
+ "--tls-ca-cert-file", "/certs/isrgrootx1.pem",
+ "--tls-auth-clients", "yes"
+ ]
+ ports:
+ - "${redis_port}:${redis_port}"
+ volumes:
+ # For Redis TLS certificates.
+ - $${FULLCHAIN}:/certs/fullchain.pem
+ - $${PRIVKEY}:/certs/privkey.pem
+ - $${ISRGROOTX1}:/certs/isrgrootx1.pem
+
+
+
+
diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh
new file mode 100644
index 00000000..2b5473ed
--- /dev/null
+++ b/modules/redis-standalone-mtls/files/script.sh
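Review bot: `"--tls-port 6379"` is a single argv element, so redis-server is handed an option literally named `--tls-port 6379` with no value and will refuse to start, and the templated `${redis_port}` used for the port mapping two lines lower is ignored; it must be two elements, `"--tls-port", "${redis_port}",`. The CA passed to `--tls-ca-cert-file` is named `isrgrootx1.pem`; if that really is the public ISRG Root X1 rather than a private CA, then with `--tls-auth-clients yes` any holder of a Let's Encrypt-issued certificate can authenticate to this Redis — the client CA must be a private CA that issues only TFE's client certificate (what the secret contains cannot be confirmed from this diff, so a comment naming the expected CA would help). `image: redis:7` is a floating tag; pinning a digest (`redis:7@sha256:…`) makes the deployed server reproducible and reviewable. The header comment says "redis OSS module"; a note that this file is rendered by `templatefile()` (hence `$${…}` for compose-side variables and `${…}` for Terraform ones) would save the next reader a detour.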
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+set -eu pipefail
+
+function get_base64_secrets {
+ local secret_id=$1
+ # OS: Agnostic
+ # Description: Pull the Base 64 encoded secrets from AWS Secrets Manager
+
+ /usr/local/bin/aws secretsmanager get-secret-value --secret-id $secret_id | jq --raw-output '.SecretBinary,.SecretString | select(. != null)'
+}
+
+function retry {
+ local retries=$1
+ shift
+
+ local count=0
+ until "$@"; do
+ exit=$?
+ wait=$((2 ** $count))
+ count=$(($count + 1))
+ if [ $count -lt $retries ]; then
+ echo "Retry $count/$retries exited $exit, retrying in $wait seconds..."
+ sleep $wait
+ else
+ echo "Retry $count/$retries exited $exit, no more retries left."
+ return $exit
+ fi
+ done
+ return 0
+
+}
+
+curl --noproxy '*' --fail --silent --show-error --location https://download.docker.com/linux/ubuntu/gpg \
+ | gpg --dearmor --output /usr/share/keyrings/docker-archive-keyring.gpg
+echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
+ https://download.docker.com/linux/ubuntu $(lsb_release --codename --short) stable" \
+ | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+retry 10 apt-get --assume-yes update
+retry 10 apt-get --assume-yes install docker-ce docker-ce-cli containerd.io redis-tools unzip jq
+retry 10 apt-get --assume-yes autoremove
+
+
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Install AWS CLI"
+curl --noproxy '*' "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m | grep -q "arm\|aarch" && echo "aarch64" || echo "x86_64").zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+rm -f ./awscliv2.zip
+rm -rf ./aws
+
+tfe_dir="/etc/redis"
+mkdir -p $tfe_dir
+
+export FULLCHAIN=$tfe_dir/fullchain.pem
+export PRIVKEY=$tfe_dir/privkey.pem
+export ISRGROOTX1=$tfe_dir/isrgrootx1.pem
+echo ${compose} | base64 -d > $tfe_dir/compose.yaml
+
+echo $(get_base64_secrets ${redis_client_cert}) | base64 -d > $FULLCHAIN
+echo $(get_base64_secrets ${redis_client_key}) | base64 -d > $PRIVKEY
+echo $(get_base64_secrets ${redis_client_ca}) | base64 -d > $ISRGROOTX1
+
+chmod a+r $FULLCHAIN
+chmod a+r $PRIVKEY
+chmod a+r $ISRGROOTX1
+docker compose -f $tfe_dir/compose.yaml up -d
\ No newline at end of file
diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf
new file mode 100644
index 00000000..c2255987
--- /dev/null
+++ b/modules/redis-standalone-mtls/locals.tf
@@ -0,0 +1,49 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+locals {
+ redis_user_data_template = "${path.module}/files/script.sh"
+ redis_user_data = templatefile(local.redis_user_data_template, {
+ redis_client_cert = var.redis_client_certificate_secret_id
+ redis_client_key = var.redis_client_key_secret_id
+ redis_client_ca = var.redis_ca_certificate_secret_id
+ compose = base64encode(templatefile(local.compose_path, {
+ redis_port = var.redis_port
+ }))
+ })
+ compose_path = "${path.module}/files/compose.yaml"
+ tags = concat(
+ [
+ {
+ key = "Name"
+ value = "${var.friendly_name_prefix}-tfe"
+ propagate_at_launch = true
+ },
+ ],
+ [
+ for k, v in var.asg_tags : {
+ key = k
+ value = v
+ propagate_at_launch = true
+ }
+ ]
+ )
+ default_health_check_grace_period = 1500
+ health_check_grace_period = var.health_check_grace_period != null ? var.health_check_grace_period : local.default_health_check_grace_period
+}
+
+data "aws_ami" "ubuntu" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ owners = ["099720109477"] # Canonical
+}
diff --git a/modules/redis-standalone-mtls/main.tf b/modules/redis-standalone-mtls/main.tf
new file mode 100644
index 00000000..60b55af4
--- /dev/null
+++ b/modules/redis-standalone-mtls/main.tf
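Review bot: `set -eu pipefail` does not enable pipefail — the word `pipefail` just becomes positional parameter `$1` — so a failed `aws secretsmanager get-secret-value` inside `get_base64_secrets` is masked by the trailing `jq` and an empty `$PRIVKEY`/`$FULLCHAIN` is written before Redis starts; it should be `set -euo pipefail`. `chmod a+r $PRIVKEY` then makes the Redis server's private key world-readable on the host; the official `redis` image runs the server as its unprivileged `redis` user (uid 999 — verify against the image you pin), so `chown 999:999 "$PRIVKEY" && chmod 0400 "$PRIVKEY"` (or a `user:` entry in the compose file) keeps it readable only where needed, and the same applies to the certificate files' ownership. The unquoted expansions (`--secret-id $secret_id`, `echo $(get_base64_secrets ${redis_client_cert})`) are word-split and glob-expanded; quote them (`"$secret_id"`, `"$(get_base64_secrets '${redis_client_cert}')"`) and add a comment that `${…}` tokens are Terraform `templatefile` placeholders, not shell variables. The Docker GPG key, apt packages and the AWS CLI zip are fetched over HTTPS without any checksum or signature check; at minimum verify the AWS CLI zip against its published signature before running `./aws/install` as root.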
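Review bot: `data "aws_ami" "ubuntu"` selects the newest `ubuntu-focal-20.04` image at every plan, so the Redis host's AMI drifts between applies, and it is pinned to 20.04, which has reached the end of standard support; consider exposing an `ami_id` variable that defaults to this lookup so operators can pin an image, and moving the filter to a supported release. The `data` block also lives in `locals.tf`, while every other resource in this module is in `main.tf`/`networking.tf`; `data.tf` or `main.tf` is where a reader will look for it. `redis_user_data` embeds only the secret IDs and the compose file, never the secret material itself — a one-line comment on that assignment saying so (`# user-data carries secret IDs only; the instance fetches the PEMs at boot`) documents the security property the module relies on.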
@@ -0,0 +1,95 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+
+# Launch Template for Redis
+# -------------------------
+
+resource "random_password" "redis_password" {
+ count = contains(["USER_AND_PASSWORD", "PASSWORD"], var.redis_authentication_mode) ? 1 : 0
+ length = 16
+ special = true
+ override_special = "#$%&*()-_=+[]{}<>:?"
+}
+
+resource "random_pet" "redis_username" {
+ count = var.redis_authentication_mode == "USER_AND_PASSWORD" ? 1 : 0
+}
+
+resource "aws_launch_template" "redis" {
+ name_prefix = "${var.friendly_name_prefix}-redis"
+ image_id = data.aws_ami.ubuntu.id
+ instance_type = var.instance_type
+ user_data = base64encode(local.redis_user_data)
+ key_name = var.key_name
+ vpc_security_group_ids = [aws_security_group.redis_inbound_allow.id, aws_security_group.redis_outbound_allow.id]
+
+ dynamic "tag_specifications" {
+ for_each = var.ec2_launch_template_tag_specifications
+
+ content {
+ resource_type = tag_specifications.value["resource_type"]
+ tags = tag_specifications.value["tags"]
+ }
+ }
+
+ iam_instance_profile {
+ name = var.aws_iam_instance_profile
+ }
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_put_response_hop_limit = 2
+ http_tokens = "required"
+ }
+
+ block_device_mappings {
+ device_name = "/dev/sda1"
+ ebs {
+ encrypted = true
+ volume_type = "gp2"
+ volume_size = 50
+ delete_on_termination = true
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+# Autoscaling Group for Redis
+# ---------------------------
+
+resource "aws_autoscaling_group" "redis" {
+ name = "${var.friendly_name_prefix}-redis-asg"
+ min_size = 1
+ max_size = 1
+ desired_capacity = 1
+ vpc_zone_identifier = var.network_subnets_private
+ target_group_arns = [aws_lb_target_group.redis_tg.arn]
+
+ # Increases grace period for any AMI that is not the default Ubuntu
+ # since RHEL has longer startup time
+ health_check_grace_period = local.health_check_grace_period
+ health_check_type = var.health_check_type
+
+ launch_template {
+ id = aws_launch_template.redis.id
+ version = "$Latest"
+ }
+
+ dynamic "tag" {
+ for_each = local.tags
+
+ content {
+ key = tag.value["key"]
+ value = tag.value["value"]
+ propagate_at_launch = tag.value["propagate_at_launch"]
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
diff --git a/modules/redis-standalone-mtls/networking.tf b/modules/redis-standalone-mtls/networking.tf
new file mode 100644
index 00000000..d5d3a315
--- /dev/null
+++ b/modules/redis-standalone-mtls/networking.tf
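Review bot: `random_password.redis_password` and `random_pet.redis_username` are referenced nowhere in this module — the compose command has no `--requirepass` or ACL and the root module pins `redis_authentication_mode = "NONE"` — so they are dead resources that would only put an unused secret into state if the mode were ever switched; either drop them or wire them into the server config. `http_put_response_hop_limit = 2` lets processes inside the Redis container reach IMDSv2 and assume the instance role, which main.tf shows is the shared TFE instance profile; since the host script fetches the secrets before `docker compose up`, `http_put_response_hop_limit = 1` appears sufficient — confirm nothing inside the container needs IMDS. `version = "$Latest"` means an ASG replacement picks up whatever template version exists at that moment rather than the one Terraform planned; `version = aws_launch_template.redis.latest_version` ties the ASG to the planned template. The "Increases grace period … since RHEL has longer startup time" comment is copied from a module with selectable AMIs; here the AMI is fixed to Ubuntu, so the comment should either be dropped or point at `default_health_check_grace_period` in locals.tf.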
@@ -0,0 +1,64 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+## DNS Record for Redis Load Balancer
+# -----------------------------------
+data "aws_route53_zone" "tfe" {
+ name = var.domain_name
+ private_zone = false
+}
+
+resource "aws_route53_record" "redis" {
+ zone_id = data.aws_route53_zone.tfe.zone_id
+ name = "${var.friendly_name_prefix}-redis"
+ type = "A"
+
+ alias {
+ name = aws_lb.redis_lb.dns_name
+ zone_id = aws_lb.redis_lb.zone_id
+ evaluate_target_health = true
+ }
+}
+
+# Network Load Balancer for Redis cluster
+# ---------------------------------------
+
+resource "aws_lb" "redis_lb" {
+ name = "${var.friendly_name_prefix}-redis-nlb"
+ internal = true
+ load_balancer_type = "network"
+ subnets = var.network_subnets_private
+ enable_cross_zone_load_balancing = true
+ security_groups = [
+ aws_security_group.redis_outbound_allow.id,
+ aws_security_group.redis_inbound_allow.id,
+ ]
+}
+
+# Network Load Balancer Listener and Target Group for Redis
+# ---------------------------------------------------------
+
+resource "aws_lb_listener" "redis_listener_redis" {
+ load_balancer_arn = aws_lb.redis_lb.arn
+ port = (var.redis_port)
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.redis_tg.arn
+ }
+}
+
+resource "aws_lb_target_group" "redis_tg" {
+ name = "${var.friendly_name_prefix}-redis-tg-${var.redis_port}"
+ port = (var.redis_port)
+ protocol = "TCP"
+ vpc_id = var.network_id
+
+ health_check {
+ protocol = "TCP"
+ }
+}
+
+
+
diff --git a/modules/redis-standalone-mtls/outputs.tf b/modules/redis-standalone-mtls/outputs.tf
new file mode 100644
index 00000000..5ce4582d
--- /dev/null
+++ b/modules/redis-standalone-mtls/outputs.tf
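Review bot: `data "aws_route53_zone" "tfe"` looks up a public hosted zone (`private_zone = false`) and `aws_route53_record.redis` publishes an alias to an `internal = true` NLB in it, so the Redis endpoint's name and private addresses become resolvable from the internet; unless TFE depends on public resolution for this name, `private_zone = true` (or a `private_zone` variable so callers choose) keeps the record inside the VPC. The NLB attaches both `redis_inbound_allow` and `redis_outbound_allow`, and the inbound group also permits SSH on 22 (security-group.tf); a balancer only needs the Redis port, so a dedicated NLB security group holding just that rule keeps 22 off the balancer. A short comment on `aws_lb_target_group.redis_tg` noting that the health check is a bare TCP connect to the TLS port (no handshake, so a server with a bad certificate still reports healthy) would set expectations for readers.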
@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+output "hostname" {
+ value = "${aws_route53_record.redis.fqdn}:${var.redis_port}"
+ description = "The host/port combinations for available Redis endpoint."
+}
+
+output "password" {
+ value = ""
+ description = "The password which is required to authenticate to Redis server."
+}
+
+output "username" {
+ value = null
+ description = "The username which is required to authenticate to Redis server."
+}
+
+output "redis_port" {
+ value = null
+ description = "The port number on which the Redis Elasticache replication group accepts connections."
+}
+
+output "use_password_auth" {
+ value = var.redis_use_password_auth
+ description = "A boolean which indicates if password authentication is required by the Redis server."
+}
+
+output "use_tls" {
+ value = false
+ description = "A boolean which indicates if transit encryption is required by Redis server."
+}
+
+output "sentinel_enabled" {
+ value = false
+ description = "sentinel is enabled"
+}
+
+output "sentinel_hosts" {
+ value = []
+ description = "The host/port combinations for available Redis sentinel endpoints."
+}
+
+output "sentinel_leader" {
+ value = null
+ description = "The name of the Redis Sentinel leader"
+}
+
+output "sentinel_username" {
+ value = null
+ description = "the username to authenticate to Redis sentinel"
+}
+
+output "sentinel_password" {
+ value = null
+ description = "the password to authenticate to Redis sentinel"
+}
+
+output "aws_elasticache_subnet_group_name" {
+ value = ""
+ description = "The name of the subnetwork group in which the Redis Elasticache replication group is deployed."
+}
+
+output "aws_security_group_redis" {
+ value = ""
+ description = "The identity of the security group attached to the Redis Elasticache replication group."
+}
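Review bot: `output "use_tls"` returns `false` for a module whose server is started with `--port 0` and only a `--tls-port` (compose.yaml), so any consumer reading `local.redis.use_tls` is told to connect in plaintext to an endpoint that only speaks TLS; it should be `value = true`. In the same vein `redis_port` returns `null` while `hostname` embeds `var.redis_port`, and `password`, `aws_elasticache_subnet_group_name` and `aws_security_group_redis` return `""` where the root's `local.redis_default` uses `null` — `value = var.redis_port` and `null` for the absent values let callers test for absence uniformly. `use_password_auth` echoes `var.redis_use_password_auth`, an input nothing in the module acts on; output a literal `false` (or remove the variable) so the output cannot disagree with the server's actual configuration. The descriptions copied from the Elasticache module ("replication group", "subnet group") do not describe this EC2-hosted instance and should be reworded.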
diff --git a/modules/redis-standalone-mtls/security-group.tf b/modules/redis-standalone-mtls/security-group.tf
new file mode 100644
index 00000000..4aeb5a30
--- /dev/null
+++ b/modules/redis-standalone-mtls/security-group.tf
@@ -0,0 +1,55 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# Allow inbound from Redis instances to TFE VPC
+
+resource "aws_security_group" "redis_inbound_allow" {
+ name = "${var.friendly_name_prefix}-redis-inbound-allow"
+ vpc_id = var.network_id
+}
+
+resource "aws_security_group_rule" "redis" {
+ security_group_id = aws_security_group.redis_inbound_allow.id
+ type = "ingress"
+ from_port = var.redis_port
+ to_port = (var.redis_port)
+ protocol = "tcp"
+ cidr_blocks = var.network_private_subnet_cidrs
+}
+
+resource "aws_security_group_rule" "ssh_inbound" {
+
+ security_group_id = aws_security_group.redis_inbound_allow.id
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = var.network_private_subnet_cidrs
+}
+
+resource "aws_security_group_rule" "redis_inbound" {
+ security_group_id = aws_security_group.redis_inbound_allow.id
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ self = true
+}
+
+
+# Allow all traffic outbound from Redis instances to www
+resource "aws_security_group" "redis_outbound_allow" {
+ name = "${var.friendly_name_prefix}-redis-outbound-allow"
+ vpc_id = var.network_id
+}
+
+resource "aws_security_group_rule" "redis_sentinel_outbound" {
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all traffic outbound from Redis Sentinel instances to TFE"
+
+ security_group_id = aws_security_group.redis_outbound_allow.id
+}
diff --git a/modules/redis-standalone-mtls/variables.tf b/modules/redis-standalone-mtls/variables.tf
new file mode 100644
index 00000000..e2e674d6
--- /dev/null
+++ b/modules/redis-standalone-mtls/variables.tf
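Review bot: `ssh_inbound` opens port 22 from every private-subnet CIDR unconditionally, even when `key_name` is null and no one can log in; gate it with `count = var.key_name != null ? 1 : 0` so SSH is exposed only when a key pair was actually requested. `redis_sentinel_outbound` allows all protocols to `0.0.0.0/0` — the boot script needs outbound HTTPS for Docker's apt repo, the AWS CLI download and Secrets Manager, so limiting egress to `443` (plus whatever the apt mirror uses) materially narrows what a compromised Redis host can reach — and both its name and its description ("Redis Sentinel instances to TFE") are copy-paste from the sentinel module and should be corrected. The all-protocol `self = true` rule `redis_inbound` serves no purpose for an ASG fixed at `max_size = 1` (main.tf) and can be dropped. The file header "Allow inbound from Redis instances to TFE VPC" reads backwards; the group allows the VPC's private subnets *into* Redis.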
@@ -0,0 +1,125 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# VM Configuration
+# ----------------
+
+variable "aws_iam_instance_profile" {
+ description = "The name of the IAM instance profile to be associated with the TFE EC2 instance(s)."
+ type = string
+}
+
+variable "friendly_name_prefix" {
+ type = string
+ description = "(Required) Friendly name prefix used for tagging and naming AWS resources."
+}
+
+variable "health_check_grace_period" {
+ default = null
+ description = "The health grace period aws provides to allow for an instance to pass it's health check."
+ type = number
+}
+
+variable "health_check_type" {
+ description = "Type of health check to perform on the instance."
+ type = string
+ default = "ELB"
+
+ validation {
+ condition = contains(["ELB", "EC2"], var.health_check_type)
+ error_message = "Must be one of [ELB, EC2]."
+ }
+}
+
+variable "instance_type" {
+ default = "m5.xlarge"
+ description = "The instance type of EC2 instance(s) to create."
+ type = string
+}
+
+variable "network_id" {
+ description = "The identity of the VPC in which the security group attached to the TFE EC2 instance will be delpoyed."
+ type = string
+}
+
+variable "network_subnets_private" {
+ description = "A list of the identities of the private subnetworks in which the EC2 autoscaling group will be deployed."
+ type = list(string)
+}
+
+variable "asg_tags" {
+ type = map(string)
+ description = "(Optional) Map of tags only used for the autoscaling group. If you are using the AWS provider's default_tags, please note that it tags every taggable resource except for the autoscaling group, therefore this variable may be used to duplicate the key/value pairs in the default_tags if you wish."
+ default = {}
+}
+
+variable "network_private_subnet_cidrs" {
+ type = list(string)
+ description = "(Optional) List of private subnet CIDR ranges to create in VPC."
+ default = ["10.0.32.0/20", "10.0.48.0/20"]
+}
+
+variable "key_name" {
+ default = null
+ description = "The name of the key pair to be used for SSH access to the EC2 instance(s)."
+ type = string
+}
+
+variable "ec2_launch_template_tag_specifications" {
+ description = "(Optional) List of tag specifications to apply to the launch template."
+ type = list(object({
+ resource_type = string
+ tags = map(string)
+ }))
+ default = []
+}
+
+
+# Domain Installation
+# -------------------
+
+variable "domain_name" {
+ description = "The name of the Route 53 Hosted Zone in which a record will be created."
+ type = string
+}
+
+# Redis Variables
+# ----------------
+
+variable "redis_port" {
+ description = "The base port for redis isntances"
+ type = number
+ default = 6379
+}
+
+variable "redis_authentication_mode" {
+ description = "The authentincation mode for redis server instances. Must be one of [USER_AND_PASSWORD, PASSWORD, NONE]."
+ type = string
+ default = "NONE"
+ validation {
+ condition = contains(["USER_AND_PASSWORD", "PASSWORD", "NONE"], var.redis_authentication_mode)
+ error_message = "Must be one of [USER_AND_PASSWORD, PASSWORD, NONE]."
+ }
+}
+
+variable "redis_use_password_auth" {
+ description = "A boolean which indicates if password authentication is required by the Redis"
+ type = bool
+ default = false
+}
+
+variable "redis_client_key_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
+}
+
+variable "redis_client_certificate_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+}
+
+variable "redis_ca_certificate_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+}
+
\ No newline at end of file
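Review bot: `network_private_subnet_cidrs` defaults to `["10.0.32.0/20", "10.0.48.0/20"]`, but in this module it is the ingress allowlist for the Redis and SSH security-group rules, not "subnet CIDR ranges to create in VPC" as the description says; a caller that omits it silently opens Redis and SSH to those arbitrary ranges, so drop the default (the root module already passes `local.network_private_subnet_cidrs`) and reword the description to `"CIDR ranges allowed to reach the Redis port and SSH on the Redis instance."`. `redis_ca_certificate_secret_id`'s description is a copy of the certificate one; it should read `"The secrets manager secret ID of the Base64 & PEM encoded CA certificate Redis uses to verify client certificates."`. `redis_use_password_auth` and `redis_authentication_mode` are accepted but nothing in the module reads them except the unused `random_*` resources in main.tf; either remove them or document that mTLS mode ignores them. Typos: `isntances`, `authentincation`, `delpoyed`, `it's health check`.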
diff --git a/modules/redis-standalone-mtls/versions.tf b/modules/redis-standalone-mtls/versions.tf
new file mode 100644
index 00000000..4441331b
--- /dev/null
+++ b/modules/redis-standalone-mtls/versions.tf
@@ -0,0 +1,16 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+terraform {
+ required_version = ">= 0.14"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.1"
+ }
+ }
+}
diff --git a/modules/service_accounts/locals.tf b/modules/service_accounts/locals.tf
index 2d503b7a..eadfc8c3 100644
--- a/modules/service_accounts/locals.tf
+++ b/modules/service_accounts/locals.tf
@@ -6,7 +6,10 @@ locals {
 var.ca_certificate_secret_id,
 var.tfe_license_secret_id,
 var.vm_certificate_secret_id,
- var.vm_key_secret_id
+ var.vm_key_secret_id,
+ var.redis_ca_certificate_secret_id,
+ var.redis_client_certificate_secret_id,
+ var.redis_client_key_secret_id
 ] : secret if secret != null]
 
 iam_instance_role = try(data.aws_iam_role.existing_instance_role[0], aws_iam_role.instance_role[0])
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
index 08b87916..c2b57c88 100644
--- a/modules/service_accounts/variables.tf
+++ b/modules/service_accounts/variables.tf
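Review bot: Adding the three Redis secret ARNs to this list grants them to the single instance role, and main.tf attaches that same profile (`module.service_accounts.iam_instance_profile.name`) to the Redis ASG, so after this change the Redis host can read the TFE license and the TFE VM certificate/key, and every TFE host can read the Redis server's private key. If that is acceptable for now, a comment above the list — `# NOTE: this role is shared by the TFE and Redis instance profiles; every secret here is readable from both` — at least makes the blast radius visible; the better fix is a second role/profile for the Redis module scoped to only the `redis_*` secrets and the KMS key they are encrypted with. The `locals` block continues outside the hunk.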
@@ -61,4 +61,22 @@ variable "vm_key_secret_id" {
 
 A Secrets Manager secret ARN which contains the Base64 encoded version of a PEM encoded private key for the Virtual Machine Scale Set.
 EOD
+}
+
+variable "redis_client_key_secret_id" {
+ type = string
+ default = null
+ description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
+}
+
+variable "redis_client_certificate_secret_id" {
+ type = string
+ default = null
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+}
+
+variable "redis_ca_certificate_secret_id" {
+ type = string
+ default = null
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index fbb2706b..db4db66d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -116,6 +116,30 @@ variable "enable_redis_sentinel" {
 default = false
 }
 
+variable "enable_redis_mtls" {
+ type = bool
+ description = "Enable Redis mTLS."
+ default = false
+}
+
+variable "redis_client_key_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
+ default = false
+}
+
+variable "redis_client_certificate_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+ default = false
+}
+
+variable "redis_ca_certificate_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+ default = false
+}
+
 variable "redis_cache_size" {
 type = string
 default = "cache.m4.large"
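Review bot: In the root `variables.tf` hunk, `redis_client_key_secret_id`, `redis_client_certificate_secret_id` and `redis_ca_certificate_secret_id` are declared `type = string` with `default = false`; Terraform coerces that to the string `"false"`, so the `== null` checks in main.tf never fire, `"false"` is forwarded to `service_accounts` as a secret ARN (its `if secret != null` filter keeps it, producing an invalid resource in the IAM policy) and to `tfe_init_fdo` even when mTLS is off. They should be `default = null`, matching the same three variables in `modules/service_accounts/variables.tf` in the hunk above. A validation on `enable_redis_mtls` (or a precondition in main.tf) requiring all three IDs to be non-null when it is true would turn a misconfiguration into a plan-time error instead of a first-boot failure. The three descriptions are also copy-pasted; the CA one should say `"… CA certificate used to verify the Redis server and its clients."`, and `enable_redis_mtls`'s description should name the three secrets it requires.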