From 74e1829fff137159ce530032e8176b8f4fc0776a Mon Sep 17 00:00:00 2001 
From: sandrampeter Date: Mon, 2 Jun 2025 18:38:03 -0400 Subject: [PATCH 01/27] add module for redis --- .gitignore | 1 + examples/standalone-redis/README.md | 55 ++++++++ examples/standalone-redis/data.tf | 18 +++ examples/standalone-redis/locals.tf | 7 + examples/standalone-redis/main.tf | 65 +++++++++ examples/standalone-redis/variables.tf | 58 ++++++++ examples/standalone-redis/versions.tf | 16 +++ locals.tf | 19 ++- main.tf | 41 +++++- .../redis-standalone-mtls/files/compose.yaml | 31 +++++ .../redis-standalone-mtls/files/redis-init.sh | 10 ++ .../redis-standalone-mtls/files/redis.conf | 0 modules/redis-standalone-mtls/files/script.sh | 64 +++++++++ modules/redis-standalone-mtls/locals.tf | 54 ++++++++ modules/redis-standalone-mtls/main.tf | 98 ++++++++++++++ modules/redis-standalone-mtls/networking.tf | 66 +++++++++ modules/redis-standalone-mtls/outputs.tf | 28 ++++ .../redis-standalone-mtls/security-group.tf | 55 ++++++++ modules/redis-standalone-mtls/variables.tf | 125 ++++++++++++++++++ modules/redis-standalone-mtls/versions.tf | 16 +++ variables.tf | 39 ++++++ 21 files changed, 863 insertions(+), 3 deletions(-) create mode 100644 examples/standalone-redis/README.md create mode 100644 examples/standalone-redis/data.tf create mode 100644 examples/standalone-redis/locals.tf create mode 100644 examples/standalone-redis/main.tf create mode 100644 examples/standalone-redis/variables.tf create mode 100644 examples/standalone-redis/versions.tf create mode 100644 modules/redis-standalone-mtls/files/compose.yaml create mode 100644 modules/redis-standalone-mtls/files/redis-init.sh create mode 100644 modules/redis-standalone-mtls/files/redis.conf create mode 100644 modules/redis-standalone-mtls/files/script.sh create mode 100644 modules/redis-standalone-mtls/locals.tf create mode 100644 modules/redis-standalone-mtls/main.tf create mode 100644 modules/redis-standalone-mtls/networking.tf create mode 100644 modules/redis-standalone-mtls/outputs.tf create mode 100644 
modules/redis-standalone-mtls/security-group.tf create mode 100644 modules/redis-standalone-mtls/variables.tf create mode 100644 modules/redis-standalone-mtls/versions.tf diff --git a/.gitignore b/.gitignore index f87ff9f5..a4526b4d 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,4 @@ # Local Working dir work backends.tf +*.pem \ No newline at end of file diff --git a/examples/standalone-redis/README.md b/examples/standalone-redis/README.md new file mode 100644 index 00000000..f68966f5 --- /dev/null +++ b/examples/standalone-redis/README.md 
@@ -0,0 +1,55 @@ +# Example: Standalone with mTLS Redis + +## About this example + +This example for Terraform Enterprise creates a TFE installation with the +following traits: + +- External mode +- a small VM machine type (m5.xlarge) +- Ubuntu as the VM image +- a publicly accessible HTTP load balancer with TLS termination +- an access key for accessing S3 +- Redis VM + +## Pre-requisites + +This test assumes the following resources already exist: + +- Valid DNS Zone managed in Route53 +- Valid AWS ACM certificate +- a TFE license on a filepath accessible by tests +- Valid TLS certs for Redis + +## How to Use This Module + +### Deployment + + 1. Read the entire [README.md](../../README.md) of the root module. + 2. Ensure account meets module prerequisites from above. + 3. Clone repository. + 4. Change directory into desired example folder. + 5. Create a local `terraform.auto.tfvars` file and instantiate the required inputs as required in the respective `./examples/standalone-redis/variables.tf` including the path to the license under the `license_file` variable value. + 6. Authenticate against the AWS provider. See [instructions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration). + 7. Initialize terraform and apply the module configurations using the commands below: + + NOTE: `terraform plan` will print out the execution plan which describes the actions Terraform will take in order to build your infrastructure to match the module configuration. If anything in the plan seems incorrect or dangerous, it is safe to abort here and not proceed to `terraform apply`. + + ``` + terraform init + terraform plan + terraform apply + ``` + +## Post-deployment Tasks + +The build should take approximately 10-15 minutes to deploy. Once the module has completed, give the platform another 10 minutes or so prior to attempting to interact with it in order for all containers to start up. 
+ +Unless amended, this example will not create an initial admin user using the IACT, but it does output the URL for your convenience. Follow the advice in this document to create the initial admin user, and log into the system using this user in order to configure it for use. + +### Connecting to the TFE Application + +1. Navigate to the URL supplied via the `login_url` Terraform output. (It may take several minutes for this to be available after initial deployment. You may monitor the progress of cloud init if desired on one of the instances) +2. Enter a `username`, `email`, and `password` for the initial user. +3. Click `Create an account`. +4. After the initial user is created you may access the TFE Application normally using the URL supplied via `login_url` Terraform output. diff --git a/examples/standalone-redis/data.tf b/examples/standalone-redis/data.tf new file mode 100644 index 00000000..490f79ce --- /dev/null +++ b/examples/standalone-redis/data.tf @@ -0,0 +1,18 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} diff --git a/examples/standalone-redis/locals.tf b/examples/standalone-redis/locals.tf new file mode 100644 index 00000000..f6c45743 --- /dev/null +++ b/examples/standalone-redis/locals.tf @@ -0,0 +1,7 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +locals { + friendly_name_prefix = random_string.friendly_name.id + network_private_subnet_cidrs = ["10.0.32.0/20", "10.0.48.0/20", "10.0.112.0/20"] +} diff --git a/examples/standalone-redis/main.tf b/examples/standalone-redis/main.tf new file mode 100644 index 00000000..1b38e697 --- /dev/null +++ b/examples/standalone-redis/main.tf 
@@ -0,0 +1,65 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Random string to prepend resources +# ---------------------------------- +resource "random_string" "friendly_name" { + length = 4 + upper = false # Some AWS resources do not accept uppercase characters. + numeric = false + special = false +} + +# Store TFE License as secret +# --------------------------- +module "secrets" { + source = "../../fixtures/secrets" + tfe_license = { + name = "${local.friendly_name_prefix}-tfe-license" + path = var.license_file + } +} + +# Key Management Service +# ---------------------- +module "kms" { + source = "../../fixtures/kms" + key_alias = "${local.friendly_name_prefix}-key" +} + +# Standalone with redis mTLS +# -------------------------- +module "standalone_redis" { + source = "../../" + + acm_certificate_arn = var.acm_certificate_arn + domain_name = var.domain_name + distribution = "ubuntu" + friendly_name_prefix = local.friendly_name_prefix + tfe_license_secret_id = module.secrets.tfe_license_secret_id + + ami_id = data.aws_ami.ubuntu.id + bypass_preflight_checks = true + health_check_grace_period = 3000 + iact_subnet_list = ["0.0.0.0/0"] + iam_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] + instance_type = "m5.4xlarge" + kms_key_arn = module.kms.key + load_balancing_scheme = "PUBLIC" + network_private_subnet_cidrs = local.network_private_subnet_cidrs + node_count = 1 + operational_mode = "external" + enable_redis_mtls = true + tfe_subdomain = local.friendly_name_prefix + vm_certificate_secret_id = var.certificate_pem_secret_id + vm_key_secret_id = var.private_key_pem_secret_id + ### for redis creation + redis_client_key_path = var.redis_client_key_path + redis_client_cert_path = var.redis_client_cert_path + redis_client_ca_path = var.redis_client_ca_path + + redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id + redis_private_key_secret_id = 
var.redis_private_key_secret_id + redis_certificate_secret_id = var.redis_certificate_secret_id + +} diff --git a/examples/standalone-redis/variables.tf b/examples/standalone-redis/variables.tf new file mode 100644 index 00000000..e7ee7335 --- /dev/null +++ b/examples/standalone-redis/variables.tf 
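Review bot: `iact_subnet_list = ["0.0.0.0/0"]` together with `load_balancing_scheme = "PUBLIC"` leaves the initial-admin-creation endpoint reachable from any internet address until the first admin user exists; an example meant to be copied should take the operator's CIDR instead, e.g. `iact_subnet_list = var.iact_subnet_list` with a narrow documented default. `bypass_preflight_checks = true` in the same block skips install-time validation without a comment saying why it is needed here. The README added in this patch describes the VM as m5.xlarge while this block sets `instance_type = "m5.4xlarge"`; one of the two should change.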
@@ -0,0 +1,58 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +variable "acm_certificate_arn" { + type = string + description = "The ARN of an existing ACM certificate." +} + +variable "domain_name" { + type = string + description = "Domain for creating the Terraform Enterprise subdomain on." +} + +variable "license_file" { + type = string + description = "The local path to the Terraform Enterprise license." +} + +variable "redis_client_ca_path" { + type = string + default = "null" + description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe." +} +variable "redis_client_cert_path" { + type = string + default = "null" + description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe." +} +variable "redis_client_key_path" { + type = string + default = "null" + description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe." +} + +variable private_key_pem_secret_id { + type = string + description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." +} +variable "certificate_pem_secret_id" { + type = string + description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." +} + +variable redis_private_key_secret_id { + type = string + description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." +} + +variable "redis_certificate_secret_id" { + type = string + description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." +} + +variable "redis_ca_certificate_secret_id" { + type = string + description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." +} + diff --git a/examples/standalone-redis/versions.tf b/examples/standalone-redis/versions.tf new file mode 100644 index 00000000..4441331b --- /dev/null +++ b/examples/standalone-redis/versions.tf 
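Review bot: The three `redis_client_*_path` variables default to the string `"null"` rather than the null value, so an omitted input reaches the module as a literal path named `null` and the module's `file()` call fails on it; use `default = null`. Their descriptions are copied from the secret-ID variables ("The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe.") although these are local file paths, e.g. `description = "Local path to the PEM-encoded CA certificate used to verify Redis clients."`. `variable private_key_pem_secret_id` and `variable redis_private_key_secret_id` leave the label unquoted, unlike every other declaration in the file.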
@@ -0,0 +1,16 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +terraform { + required_version = ">= 0.14" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + random = { + source = "hashicorp/random" + version = "~> 3.1" + } + } +} diff --git a/locals.tf b/locals.tf index c8774f8f..3ed84f8e 100644 --- a/locals.tf +++ b/locals.tf @@ -65,7 +65,24 @@ locals { aws_elasticache_subnet_group_name = null aws_security_group_redis = null } - ) : try( + ) : var.enable_redis_mtls ? try( + module.redis_mtls[0], + { + hostname = null + password = null + username = null + redis_port = null + use_password_auth = null + use_tls = null + sentinel_enabled = var.enable_redis_sentinel + sentinel_hosts = [] + sentinel_leader = null + sentinel_username = null + sentinel_password = null + aws_elasticache_subnet_group_name = null + aws_security_group_redis = null + } + ) : try( module.redis[0], { hostname = null diff --git a/main.tf b/main.tf index e8db1a89..c6dcbef1 100644 --- a/main.tf +++ b/main.tf 
@@ -115,6 +115,33 @@ module "redis_sentinel" { network_private_subnet_cidrs = local.network_private_subnet_cidrs } +# ----------------------------------------------------------------------------- +# Redis mTLS +# ----------------------------------------------------------------------------- + +module "redis_mtls" { + count = var.enable_redis_mtls ? 1 : 0 + source = "./modules/redis-standalone-mtls" + # This module is used to deploy a Redis instance with mTLS enabled. + + domain_name = var.domain_name + redis_client_ca_path = var.redis_client_ca_path + redis_client_cert_path = var.redis_client_cert_path + redis_client_key_path = var.redis_client_key_path + redis_authentication_mode = "NONE" # mTLS does not use password authentication + aws_iam_instance_profile = module.service_accounts.iam_instance_profile.name + asg_tags = var.asg_tags + ec2_launch_template_tag_specifications = var.ec2_launch_template_tag_specifications + friendly_name_prefix = var.friendly_name_prefix + health_check_grace_period = var.health_check_grace_period + health_check_type = var.health_check_type + instance_type = var.instance_type + key_name = var.key_name + network_id = local.network_id + network_subnets_private = local.network_private_subnets + network_private_subnet_cidrs = local.network_private_subnet_cidrs +} + # ----------------------------------------------------------------------------- # AWS PostreSQL Database # ----------------------------------------------------------------------------- 
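Review bot: `aws_iam_instance_profile = module.service_accounts.iam_instance_profile.name` attaches the TFE application's instance profile to the Redis VM, so the Redis host inherits every permission the TFE nodes hold (the example in this patch adds S3 read and SSM to that profile), which is more than a cache node needs; a dedicated minimal profile, or an explicit input with a least-privilege default, keeps the blast radius of a compromised Redis host small. `instance_type = var.instance_type` likewise reuses the TFE node size for Redis, which the example sets to m5.4xlarge. The comment `# This module is used to deploy a Redis instance with mTLS enabled.` sits between two arguments; it belongs above the block next to the `# Redis mTLS` header.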
@@ -170,7 +197,7 @@ module "aurora_database" { # Docker Compose File Config for TFE on instance(s) using Flexible Deployment Options # ------------------------------------------------------------------------------------ module "runtime_container_engine_config" { - source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=main" + source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=redis-standalone" count = var.is_replicated_deployment ? 0 : 1 tfe_license = var.hc_license @@ -228,6 +255,11 @@ module "runtime_container_engine_config" { redis_sentinel_leader_name = local.redis.sentinel_leader redis_sentinel_user = local.redis.sentinel_username redis_sentinel_password = local.redis.sentinel_password + redis_use_mtls = var.enable_redis_mtls + redis_ca_cert_path = "/etc/ssl/private/terraform-enterprise/redis/ca_cert.pem" + redis_client_cert_path = "/etc/ssl/private/terraform-enterprise/redis/cert.pem" + redis_client_key_path = "/etc/ssl/private/terraform-enterprise/redis/key.pem" + trusted_proxies = local.trusted_proxies @@ -243,7 +275,7 @@ module "runtime_container_engine_config" { # AWS cloud init used to install and configure TFE on instance(s) using Flexible Deployment Options # -------------------------------------------------------------------------------------------------- module "tfe_init_fdo" { - source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=main" + source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=redis-standalone" count = var.is_replicated_deployment ? 0 : 1 cloud = "aws" 
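Review bot: Both this `source` line and the `tfe_init_fdo` one in the third hunk move from `?ref=main` to `?ref=redis-standalone`, a mutable feature branch: anyone who can push to that branch changes the cloud-init and compose templates rendered onto every TFE node, and the reference will dangle once the branch is merged and deleted. Pin a tag or a full commit SHA (`?ref=<commit-sha>`), or restore `ref=main` once the upstream change lands, and note in the commit message that this is a temporary pin if it must stay for the PR.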
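Review bot: `redis_ca_cert_path`, `redis_client_cert_path` and `redis_client_key_path` are hard-coded in-container paths whose names collide with the root `var.redis_client_*_path` inputs, which the Redis module reads as Terraform-host file paths; a reader cannot tell from this hunk that the two are unrelated. A comment above the three lines, such as `# Paths inside the TFE container; these must match where tfe_init writes the redis_*_secret_id material`, would tie them to the secrets wired up in the next hunk. The enclosing `runtime_container_engine_config` block starts and ends outside this hunk.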
@@ -258,6 +290,11 @@ module "tfe_init_fdo" { ca_certificate_secret_id = var.ca_certificate_secret_id == null ? null : var.ca_certificate_secret_id certificate_secret_id = var.vm_certificate_secret_id == null ? null : var.vm_certificate_secret_id key_secret_id = var.vm_key_secret_id == null ? null : var.vm_key_secret_id + + redis_use_mtls = var.enable_redis_mtls + redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id + redis_certificate_secret_id = var.redis_certificate_secret_id == null ? null : var.redis_certificate_secret_id + redis_key_secret_id = var.redis_key_secret_id == null ? null : var.redis_key_secret_id proxy_ip = var.proxy_ip != null ? var.proxy_ip : null proxy_port = var.proxy_ip != null ? var.proxy_port : null diff --git a/modules/redis-standalone-mtls/files/compose.yaml b/modules/redis-standalone-mtls/files/compose.yaml new file mode 100644 index 00000000..b4b71548 --- /dev/null +++ b/modules/redis-standalone-mtls/files/compose.yaml @@ -0,0 +1,31 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Description: This file contains the docker-compose configuration for the redis OSS module. +services: + redis: + image: redis:7 + entrypoint: ["/opt/redis/init.sh"] + command: [ + "redis-server", + # disable all ports + "--port", "0", + "--tls-port 6379", + "--tls-cert-file", "/certs/fullchain.pem", + "--tls-key-file", "/certs/privkey.pem", + "--tls-ca-cert-file", "/certs/isrgrootx1.pem", + "--tls-auth-clients", "yes" + ] + ports: + - "${redis_port+1}:${redis_port}" + volumes: + - $${REDIS_CONF}:/opt/redis/redis.conf + - $${REDIS_INIT}:/opt/redis/init.sh + # For Redis TLS certificates. + - $${FULLCHAIN}:/certs/fullchain.pem + - $${PRIVKEY}:/certs/privkey.pem + - $${ISRGROOTX1}:/certs/isrgrootx1.pem + + + + diff --git a/modules/redis-standalone-mtls/files/redis-init.sh b/modules/redis-standalone-mtls/files/redis-init.sh new file mode 100644 index 00000000..ab7fb5fb 
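Review bot: `redis_key_secret_id = var.redis_key_secret_id == null ? null : var.redis_key_secret_id` references a variable this patch never declares — the variables.tf hunk adds `redis_private_key_secret_id` — so validation fails on an undeclared input; the two names need to agree. The `x == null ? null : x` conditional on these three lines is an identity and can be written as `redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id`. The enclosing `tfe_init_fdo` block starts and ends outside this hunk.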
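Review bot: `- "${redis_port+1}:${redis_port}"` publishes the container's TLS port on host port `redis_port + 1`, while the module's `aws_security_group_rule.redis` and the `hostname` output both use `var.redis_port` itself, so nothing reaching the host on the advertised port is forwarded; if the `+1` is not deliberate this should be `"${redis_port}:${redis_port}"`, and `"--tls-port 6379"` should then be `"--tls-port", "${redis_port}"` so the port is not hard-coded in one place and templated in the other. `--tls-auth-clients yes` is the line that actually enforces client certificates, and deserves a comment saying so, e.g. `# require a client certificate signed by the CA below (mTLS)`. The mount names `fullchain.pem`, `privkey.pem` and `isrgrootx1.pem` are Let's Encrypt artefact names that say nothing about their role here; `server-cert.pem`, `server-key.pem` and `client-ca.pem` would read more clearly. The three trailing blank lines can go.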
--- /dev/null
+++ b/modules/redis-standalone-mtls/files/redis-init.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+echo "Running redis pre-entrypoint init script"
+
+mkdir -p /etc/redis
+cp /opt/redis/redis.conf /etc/redis/redis.conf
+
+exec "$@"
diff --git a/modules/redis-standalone-mtls/files/redis.conf b/modules/redis-standalone-mtls/files/redis.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh
new file mode 100644
index 00000000..8c534fc4
--- /dev/null
+++ b/modules/redis-standalone-mtls/files/script.sh
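Review bot: `cp /opt/redis/redis.conf /etc/redis/redis.conf` copies the mounted `redis.conf`, which this patch adds as an empty file, to a path the `redis-server` command line in compose.yaml never references, so the copy has no effect on the running server; either pass `/etc/redis/redis.conf` as the first `redis-server` argument or drop both the copy and the mount. Because compose.yaml replaces the image's own entrypoint with this script, whatever that entrypoint did before `exec`ing the server (user switching, ownership fixes) no longer happens — hedged, since the image is not on this page; a comment above `exec "$@"` such as `# replaces the image entrypoint: no privilege drop is performed here` would make that visible to the next reviewer.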
@@ -0,0 +1,64 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +set -eu pipefail + +function retry { + local retries=$1 + shift + + local count=0 + until "$@"; do + exit=$? + wait=$((2 ** $count)) + count=$(($count + 1)) + if [ $count -lt $retries ]; then + echo "Retry $count/$retries exited $exit, retrying in $wait seconds..." + sleep $wait + else + echo "Retry $count/$retries exited $exit, no more retries left." + return $exit + fi + done + return 0 + +} + + +curl --noproxy '*' --fail --silent --show-error --location https://download.docker.com/linux/ubuntu/gpg \ + | gpg --dearmor --output /usr/share/keyrings/docker-archive-keyring.gpg +echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \ + https://download.docker.com/linux/ubuntu $(lsb_release --codename --short) stable" \ + | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +retry 10 apt-get --assume-yes update +retry 10 apt-get --assume-yes install docker-ce docker-ce-cli containerd.io redis-tools +retry 10 apt-get --assume-yes autoremove + +tfe_dir="/etc/redis" +mkdir -p $tfe_dir +get_linux_ip() { + ip addr show | awk '/inet / && !/127.0.0.1/ {print $2}' | cut -d/ -f1 | head -n 1 +} +export HOST_IP=$(get_linux_ip) +export REDIS_CONF=$tfe_dir/redis.conf +export REDIS_INIT=$tfe_dir/redis-init.sh +export FULLCHAIN=$tfe_dir/fullchain.pem +export PRIVKEY=$tfe_dir/privkey.pem +export ISRGROOTX1=$tfe_dir/isrgrootx1.pem +echo ${compose} | base64 -d > $tfe_dir/compose.yaml +echo ${redis_conf} | base64 -d > $REDIS_CONF +echo ${redis_init} | base64 -d > $REDIS_INIT +echo ${fullchain} | base64 -d > $FULLCHAIN +echo ${privkey} | base64 -d > $PRIVKEY +echo ${isrgrootx1} | base64 -d > $ISRGROOTX1 +# echo ${fullchain} | base64 -d > $FULLCHAIN +# echo ${privkey} | base64 -d > $PRIVKEY +# echo ${isrgrootx1} | base64 -d > $ISRGROOTX1 +chmod a+r $REDIS_CONF +chmod a+x $REDIS_INIT +chmod a+r $FULLCHAIN +chmod a+r $PRIVKEY 
+chmod a+r $ISRGROOTX1 +docker compose -f $tfe_dir/compose.yaml up -d diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf new file mode 100644 index 00000000..513f3344 --- /dev/null +++ b/modules/redis-standalone-mtls/locals.tf @@ -0,0 +1,54 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +locals { + redis_user_data_template = "${path.module}/files/script.sh" + redis_user_data = templatefile(local.redis_user_data_template, { + redis_init = base64encode(file(local.redis_init_path)) + fullchain = file(var.redis_client_cert_path) + privkey = file(var.redis_client_key_path) + isrgrootx1 = file(var.redis_client_ca_path) + redis_conf = base64encode(templatefile(local.redis_conf_path, { + })) + compose = base64encode(templatefile(local.compose_path, { + redis_port = var.redis_port + })) + }) + compose_path = "${path.module}/files/compose.yaml" + redis_conf_path = "${path.module}/files/redis.conf" + redis_init_path = "${path.module}/files/redis-init.sh" + tags = concat( + [ + { + key = "Name" + value = "${var.friendly_name_prefix}-tfe" + propagate_at_launch = true + }, + ], + [ + for k, v in var.asg_tags : { + key = k + value = v + propagate_at_launch = true + } + ] + ) + default_health_check_grace_period = 1500 + health_check_grace_period = var.health_check_grace_period != null ? var.health_check_grace_period : local.default_health_check_grace_period +} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} diff --git a/modules/redis-standalone-mtls/main.tf b/modules/redis-standalone-mtls/main.tf new file mode 100644 index 00000000..0eba38fa --- /dev/null +++ b/modules/redis-standalone-mtls/main.tf 
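Review bot: `set -eu pipefail` does not enable pipefail — without `-o` the word `pipefail` just becomes `$1` — so a failed `curl` in the `curl … | gpg --dearmor` pipeline is masked by gpg's exit status; it should read `set -euo pipefail`. `chmod a+r $PRIVKEY` leaves the Redis server private key world-readable on the host, and since `${privkey}` is rendered into this template the same key sits in plaintext in the instance user-data, readable by any local process via the metadata endpoint; `chmod 0600 $PRIVKEY` (the container runs the overridden entrypoint as the image's default user, so it can still read a root-owned file) and fetching the key from Secrets Manager at boot, the way the root module already handles the TFE certificate via `*_secret_id`, would keep it out of user-data and state. `echo ${privkey} | base64 -d` also assumes the caller supplied base64 text, whereas the module's locals.tf passes `file(var.redis_client_key_path)` without `base64encode`, unlike `redis_conf`, `redis_init` and `compose`. The three commented-out `echo` lines and the unused `HOST_IP` export can be dropped.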
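Review bot: `fullchain`, `privkey` and `isrgrootx1` are passed as raw `file()` contents while `redis_init`, `redis_conf` and `compose` are wrapped in `base64encode()`, yet script.sh pipes all six through `base64 -d`; either wrap the three certificate values in `base64encode()` as well or document that the `redis_client_*_path` files must already contain base64 text. Rendering the private key into `redis_user_data` also places it in the launch template's user-data and in Terraform state, which the module should at least call out in the `redis_client_key_path` description. The ASG `Name` tag is `"${var.friendly_name_prefix}-tfe"`, which labels the Redis instances as TFE nodes; `-redis` matches the other resource names in this module. The `data "aws_ami" "ubuntu"` lookup selects Ubuntu 20.04, whose standard support window has ended, so a supported release or an `ami_id` input would keep the Redis host patchable.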
@@ -0,0 +1,98 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +# Launch Template for Redis +# ------------------------- + +resource "random_password" "redis_password" { + count = contains(["USER_AND_PASSWORD", "PASSWORD"], var.redis_authentication_mode) ? 1 : 0 + length = 16 + special = true + override_special = "#$%&*()-_=+[]{}<>:?" +} + +resource "random_pet" "redis_username" { + count = var.redis_authentication_mode == "USER_AND_PASSWORD" ? 1 : 0 +} + +resource "aws_launch_template" "redis" { + name_prefix = "${var.friendly_name_prefix}-redis" + image_id = data.aws_ami.ubuntu.id + instance_type = var.instance_type + user_data = base64encode(local.redis_user_data) + key_name = var.key_name + vpc_security_group_ids = [aws_security_group.redis_inbound_allow.id, aws_security_group.redis_outbound_allow.id] + + dynamic "tag_specifications" { + for_each = var.ec2_launch_template_tag_specifications + + content { + resource_type = tag_specifications.value["resource_type"] + tags = tag_specifications.value["tags"] + } + } + + iam_instance_profile { + name = var.aws_iam_instance_profile + } + + metadata_options { + http_endpoint = "enabled" + http_put_response_hop_limit = 2 + http_tokens = "required" + } + + block_device_mappings { + device_name = "/dev/sda1" + ebs { + encrypted = true + volume_type = "gp2" + volume_size = 50 + delete_on_termination = true + } + } + + lifecycle { + create_before_destroy = true + } +} + +# Autoscaling Group for Redis +# --------------------------- + +resource "aws_autoscaling_group" "redis" { + name = "${var.friendly_name_prefix}-redis-asg" + min_size = 1 + max_size = 1 + desired_capacity = 1 + vpc_zone_identifier = var.network_subnets_private + target_group_arns = concat( + [for tg in aws_lb_target_group.redis_tg : tg.arn], + [for tg in aws_lb_target_group.redis_tg : tg.arn] + ) + + # Increases grace period for any AMI that is not the default Ubuntu + # since RHEL has longer startup time + 
health_check_grace_period = local.health_check_grace_period + health_check_type = var.health_check_type + + launch_template { + id = aws_launch_template.redis.id + version = "$Latest" + } + + dynamic "tag" { + for_each = local.tags + + content { + key = tag.value["key"] + value = tag.value["value"] + propagate_at_launch = tag.value["propagate_at_launch"] + } + } + + lifecycle { + create_before_destroy = true + } +} diff --git a/modules/redis-standalone-mtls/networking.tf b/modules/redis-standalone-mtls/networking.tf new file mode 100644 index 00000000..f4eae69a --- /dev/null +++ b/modules/redis-standalone-mtls/networking.tf 
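Review bot: `target_group_arns = concat([for tg in aws_lb_target_group.redis_tg : tg.arn], [for tg in aws_lb_target_group.redis_tg : tg.arn])` lists the same four ARNs twice; `target_group_arns = [for tg in aws_lb_target_group.redis_tg : tg.arn]` is enough. `random_password.redis_password` and `random_pet.redis_username` are created for the password authentication modes but nothing in this module reads them and outputs.tf exposes no password, so a caller choosing `PASSWORD` gets a server with no password configured while a secret still lands in state; either wire them into the compose template or drop them together with `redis_authentication_mode`. The comment `# Increases grace period for any AMI that is not the default Ubuntu / # since RHEL has longer startup time` is copied from the TFE module, but this module only ever uses its own Ubuntu AMI lookup, so it should describe the `local.health_check_grace_period` fallback instead.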
@@ -0,0 +1,66 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +## DNS Record for Redis Load Balancer +# ----------------------------------- +data "aws_route53_zone" "tfe" { + name = var.domain_name + private_zone = false +} + +resource "aws_route53_record" "redis" { + zone_id = data.aws_route53_zone.tfe.zone_id + name = "${var.friendly_name_prefix}-redis" + type = "A" + + alias { + name = aws_lb.redis_lb.dns_name + zone_id = aws_lb.redis_lb.zone_id + evaluate_target_health = true + } +} + +# Network Load Balancer for Redis cluster +# --------------------------------------- + +resource "aws_lb" "redis_lb" { + name = "${var.friendly_name_prefix}-redis-nlb" + internal = true + load_balancer_type = "network" + subnets = var.network_subnets_private + enable_cross_zone_load_balancing = true + security_groups = [ + aws_security_group.redis_outbound_allow.id, + aws_security_group.redis_inbound_allow.id, + ] +} + +# Network Load Balancer Listener and Target Group for Redis +# --------------------------------------------------------- + +resource "aws_lb_listener" "redis_listener_redis" { + count = 4 + load_balancer_arn = aws_lb.redis_lb.arn + port = (var.redis_port + count.index) + protocol = "TCP" + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.redis_tg[count.index].arn + } +} + +resource "aws_lb_target_group" "redis_tg" { + count = 4 + name = "${var.friendly_name_prefix}-redis-tg-${var.redis_port + count.index}" + port = (var.redis_port + count.index) + protocol = "TCP" + vpc_id = var.network_id + + health_check { + protocol = "TCP" + } +} + + + diff --git a/modules/redis-standalone-mtls/outputs.tf b/modules/redis-standalone-mtls/outputs.tf new file mode 100644 index 00000000..6476e061 --- /dev/null +++ b/modules/redis-standalone-mtls/outputs.tf 
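Review bot: `data "aws_route53_zone" "tfe"` with `private_zone = false` publishes the Redis record in a public hosted zone even though `aws_lb.redis_lb` is `internal = true`, so the internal endpoint name and its private addresses are resolvable from the internet; a private hosted zone keeps the name internal. `aws_lb_listener.redis_listener_redis` and `aws_lb_target_group.redis_tg` each have `count = 4`, creating listeners on `redis_port` through `redis_port + 3`, but a standalone server listens on one TLS port and the security group only admits `var.redis_port`; this looks carried over from the Sentinel module and should be `count = 1`, or the extra ports need a comment explaining them. The three blank lines at the end of the file can go.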
@@ -0,0 +1,28 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +output "hostname" { + value = ["${aws_route53_record.redis.fqdn}:${var.redis_port}"] + description = "The host/port combinations for available Redis endpoint." +} + + +output "redis_port" { + value = null + description = "The port number on which the Redis Elasticache replication group accepts connections." +} + +output "use_password_auth" { + value = false + description = "A boolean which indicates if password authentication is required by the Redis server." +} + +output "use_tls" { + value = false + description = "A boolean which indicates if transit encryption is required by Redis server." +} + +output "use_mtls" { + value = true + description = "A boolean which indicates if mTLS is required by Redis server." +} diff --git a/modules/redis-standalone-mtls/security-group.tf b/modules/redis-standalone-mtls/security-group.tf new file mode 100644 index 00000000..4aeb5a30 --- /dev/null +++ b/modules/redis-standalone-mtls/security-group.tf 
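Review bot: `use_tls = false` is wrong for a server started with `--port 0` and a TLS-only listener (compose.yaml), and the root locals.tf fallback also sets `use_tls = null`; TFE's configuration is rendered from `local.redis.use_tls`, so this should be `value = true`. The module exposes only `hostname`, `redis_port`, `use_password_auth`, `use_tls` and `use_mtls`, but the root `runtime_container_engine_config` block reads `local.redis.password`, `.username` and the `.sentinel_*` attributes from whichever module object `local.redis` resolves to; with `enable_redis_mtls = true` those reads appear to fail as unsupported attributes on `module.redis_mtls[0]`, so the missing outputs need adding here with `null` (or `[]` for `sentinel_hosts`) values matching the fallback object in locals.tf. `redis_port = null` beside a `hostname` that already embeds `var.redis_port` is inconsistent — `value = var.redis_port`. The descriptions mention an "Elasticache replication group" for a module that runs Redis on an EC2 VM.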
@@ -0,0 +1,55 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Allow inbound from Redis instances to TFE VPC + +resource "aws_security_group" "redis_inbound_allow" { + name = "${var.friendly_name_prefix}-redis-inbound-allow" + vpc_id = var.network_id +} + +resource "aws_security_group_rule" "redis" { + security_group_id = aws_security_group.redis_inbound_allow.id + type = "ingress" + from_port = var.redis_port + to_port = (var.redis_port) + protocol = "tcp" + cidr_blocks = var.network_private_subnet_cidrs +} + +resource "aws_security_group_rule" "ssh_inbound" { + + security_group_id = aws_security_group.redis_inbound_allow.id + type = "ingress" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.network_private_subnet_cidrs +} + +resource "aws_security_group_rule" "redis_inbound" { + security_group_id = aws_security_group.redis_inbound_allow.id + type = "ingress" + from_port = 0 + to_port = 0 + protocol = "-1" + self = true +} + + +# Allow all traffic outbound from Redis instances to www +resource "aws_security_group" "redis_outbound_allow" { + name = "${var.friendly_name_prefix}-redis-outbound-allow" + vpc_id = var.network_id +} + +resource "aws_security_group_rule" "redis_sentinel_outbound" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + description = "Allow all traffic outbound from Redis Sentinel instances to TFE" + + security_group_id = aws_security_group.redis_outbound_allow.id +} diff --git a/modules/redis-standalone-mtls/variables.tf b/modules/redis-standalone-mtls/variables.tf new file mode 100644 index 00000000..f8da90b0 --- /dev/null +++ b/modules/redis-standalone-mtls/variables.tf 
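Review bot: `aws_security_group_rule.ssh_inbound` opens port 22 from every private subnet CIDR although `key_name` defaults to `null` and the example attaches `AmazonSSMManagedInstanceCore` to the instance profile the root module passes in, so the rule adds reachable surface with no default way to use it; drop it, or gate it with `count = var.key_name != null ? 1 : 0`. `aws_security_group_rule.redis` admits only `var.redis_port`, while networking.tf forwards four ports and compose.yaml publishes `redis_port + 1` on the host, so the three files disagree about which port is actually reachable. The egress rule is named `redis_sentinel_outbound` with `description = "Allow all traffic outbound from Redis Sentinel instances to TFE"` in a non-Sentinel module; `redis_outbound` and a matching description avoid misleading anyone auditing the rules. The header `# Allow inbound from Redis instances to TFE VPC` describes the opposite direction of the ingress rules beneath it.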
@@ -0,0 +1,125 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# VM Configuration +# ---------------- + +variable "aws_iam_instance_profile" { + description = "The name of the IAM instance profile to be associated with the TFE EC2 instance(s)." + type = string +} + +variable "friendly_name_prefix" { + type = string + description = "(Required) Friendly name prefix used for tagging and naming AWS resources." +} + +variable "health_check_grace_period" { + default = null + description = "The health grace period aws provides to allow for an instance to pass it's health check." + type = number +} + +variable "health_check_type" { + description = "Type of health check to perform on the instance." + type = string + default = "ELB" + + validation { + condition = contains(["ELB", "EC2"], var.health_check_type) + error_message = "Must be one of [ELB, EC2]." + } +} + +variable "instance_type" { + default = "m5.xlarge" + description = "The instance type of EC2 instance(s) to create." + type = string +} + +variable "network_id" { + description = "The identity of the VPC in which the security group attached to the TFE EC2 instance will be delpoyed." + type = string +} + +variable "network_subnets_private" { + description = "A list of the identities of the private subnetworks in which the EC2 autoscaling group will be deployed." + type = list(string) +} + +variable "asg_tags" { + type = map(string) + description = "(Optional) Map of tags only used for the autoscaling group. If you are using the AWS provider's default_tags, please note that it tags every taggable resource except for the autoscaling group, therefore this variable may be used to duplicate the key/value pairs in the default_tags if you wish." + default = {} +} + +variable "network_private_subnet_cidrs" { + type = list(string) + description = "(Optional) List of private subnet CIDR ranges to create in VPC." 
+ default = ["10.0.32.0/20", "10.0.48.0/20"] +} + +variable "key_name" { + default = null + description = "The name of the key pair to be used for SSH access to the EC2 instance(s)." + type = string +} + +variable "ec2_launch_template_tag_specifications" { + description = "(Optional) List of tag specifications to apply to the launch template." + type = list(object({ + resource_type = string + tags = map(string) + })) + default = [] +} + + +# Domain Installation +# ------------------- + +variable "domain_name" { + description = "The name of the Route 53 Hosted Zone in which a record will be created." + type = string +} + +# Redis Variables +# ---------------- + +variable "redis_port" { + description = "The base port for redis isntances" + type = number + default = 6379 +} + +variable "redis_authentication_mode" { + description = "The authentincation mode for redis server instances. Must be one of [USER_AND_PASSWORD, PASSWORD, NONE]." + type = string + default = "NONE" + validation { + condition = contains(["USER_AND_PASSWORD", "PASSWORD", "NONE"], var.redis_authentication_mode) + error_message = "Must be one of [USER_AND_PASSWORD, PASSWORD, NONE]." + } +} + +variable "redis_use_password_auth" { + description = "A boolean which indicates if password authentication is required by the Redis" + type = bool + default = false +} + +variable "redis_client_ca_path" { + description = "The CA certificate to be used for TLS encryption in Redis." + type = string +} + +variable "redis_client_cert_path" { + description = "The full chain certificate to be used for TLS encryption in Redis." + type = string +} + +variable "redis_client_key_path" { + description = "The private key to be used for TLS encryption in Redis." + type = string +} + \ No newline at end of file diff --git a/modules/redis-standalone-mtls/versions.tf b/modules/redis-standalone-mtls/versions.tf new file mode 100644 index 00000000..4441331b --- /dev/null +++ b/modules/redis-standalone-mtls/versions.tf 
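Review bot: `redis_use_password_auth` is declared but nothing in the module references it, and `redis_authentication_mode` only drives two random resources whose values are never used; unused inputs advertise capabilities the module does not have. The `redis_client_*_path` descriptions say the material is "used for TLS encryption in Redis" without saying that each is a path on the machine running Terraform whose contents are read with `file()` and rendered into instance user-data, e.g. `description = "Local path to the PEM file holding the Redis server certificate chain; its contents are embedded in instance user-data."`; `redis_client_cert_path` and `redis_client_key_path` are in fact installed as the server certificate and key, so `client` in the names is misleading. Typos: `isntances`, `authentincation`, `delpoyed`, `it's health check`. The file ends without a trailing newline.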
@@ -0,0 +1,16 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+terraform {
+ required_version = ">= 0.14"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "~> 3.1"
+ }
+ }
+}
diff --git a/variables.tf b/variables.tf
index 7a9e32a6..9d50da24 100644
--- a/variables.tf
+++ b/variables.tf
@@ -116,6 +116,45 @@ variable "enable_redis_sentinel" {
 default = false
 }
 
+variable "enable_redis_mtls" {
+ type = bool
+ description = "Enable Redis mTLS."
+ default = false
+}
+
+variable "redis_client_cert_path" {
+ type = string
+ default = false
+ description = "Redis client cert file"
+}
+
+variable "redis_client_key_path" {
+ type = string
+ default = false
+ description = "Redis client key file"
+}
+
+variable "redis_client_ca_path" {
+ type = string
+ default = false
+ description = "Redis client CA file"
+}
+
+variable redis_private_key_secret_id {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe."
+}
+
+variable "redis_certificate_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+}
+
+variable "redis_ca_certificate_secret_id" {
+ type = string
+ description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+}
+
 variable "redis_cache_size" {
 type = string
 default = "cache.m4.large"
From bf57cd692695213c8b5bdb95cd36e7a3d243136c Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Mon, 2 Jun 2025 19:01:50 -0400
Subject: [PATCH 02/27] update
---
 main.tf | 4 ++--
 variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index c6dcbef1..dc663cec 100644
--- a/main.tf
+++ b/main.tf
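Review bot: The three `redis_client_*_path` variables declare `type = string` with `default = false`; Terraform converts the boolean to the string `"false"`, so an unset input becomes a path literally named `false` rather than an absent value — use `default = null` and require the three paths from callers when `enable_redis_mtls` is true. `variable redis_private_key_secret_id {` is the only declaration in the hunk without a quoted label; quote it like the others for consistency. The description of `redis_ca_certificate_secret_id` is a copy of the certificate one and does not say what the secret holds; suggest `description = "The Secrets Manager secret ID of the Base64 & PEM encoded CA certificate used to verify the Redis server."`.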
@@ -293,8 +293,8 @@ module "tfe_init_fdo" { redis_use_mtls = var.enable_redis_mtls redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id - redis_certificate_secret_id = var.redis_certificate_secret_id == null ? null : var.redis_certificate_secret_id - redis_key_secret_id = var.redis_key_secret_id == null ? null : var.redis_key_secret_id + redis_client_certificate_secret_id = var.redis_client_certificate_secret_id == null ? null : var.redis_client_certificate_secret_id + redis_client_key_secret_id = var.redis_client_key_secret_id == null ? null : var.redis_client_key_secret_id proxy_ip = var.proxy_ip != null ? var.proxy_ip : null proxy_port = var.proxy_ip != null ? var.proxy_port : null diff --git a/variables.tf b/variables.tf index 9d50da24..49399ff4 100644 --- a/variables.tf +++ b/variables.tf @@ -140,12 +140,12 @@ variable "redis_client_ca_path" { description = "Redis client CA file" } -variable redis_private_key_secret_id { +variable redis_client_private_key_secret_id { type = string description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." } -variable "redis_certificate_secret_id" { +variable "redis_client_certificate_secret_id" { type = string description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." } From 8114e36f53f24247a6d3786a1d5ff882953e2aa8 Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Tue, 3 Jun 2025 09:49:28 -0400 Subject: [PATCH 03/27] update enable_redis_mtls --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index dc663cec..159e6ab7 100644 --- a/main.tf +++ b/main.tf 
@@ -291,7 +291,7 @@ module "tfe_init_fdo" { certificate_secret_id = var.vm_certificate_secret_id == null ? null : var.vm_certificate_secret_id key_secret_id = var.vm_key_secret_id == null ? null : var.vm_key_secret_id - redis_use_mtls = var.enable_redis_mtls + enable_redis_mtls = var.enable_redis_mtls redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id redis_client_certificate_secret_id = var.redis_client_certificate_secret_id == null ? null : var.redis_client_certificate_secret_id redis_client_key_secret_id = var.redis_client_key_secret_id == null ? null : var.redis_client_key_secret_id From 07905a9d7f05ab9372cc68c8792980af5ca2539b Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Tue, 3 Jun 2025 10:47:21 -0400 Subject: [PATCH 04/27] var name --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 49399ff4..5999afbf 100644 --- a/variables.tf +++ b/variables.tf @@ -140,7 +140,7 @@ variable "redis_client_ca_path" { description = "Redis client CA file" } -variable redis_client_private_key_secret_id { +variable redis_client_key_secret_id { type = string description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." } From 423684a9b94c0ddc683693048704b13835eb8479 Mon Sep 17 00:00:00 2001 
From: sandrampeter Date: Tue, 3 Jun 2025 12:03:14 -0400 Subject: [PATCH 05/27] update --- examples/standalone-redis/README.md | 55 ------------------ examples/standalone-redis/data.tf | 18 ------ examples/standalone-redis/locals.tf | 7 --- examples/standalone-redis/main.tf | 65 ---------------------- examples/standalone-redis/variables.tf | 58 ------------------- examples/standalone-redis/versions.tf | 16 ------ main.tf | 6 +- modules/redis-standalone-mtls/locals.tf | 6 +- modules/redis-standalone-mtls/variables.tf | 6 +- variables.tf | 18 ++++++ 10 files changed, 27 insertions(+), 228 deletions(-) delete mode 100644 examples/standalone-redis/README.md delete mode 100644 examples/standalone-redis/data.tf delete mode 100644 examples/standalone-redis/locals.tf delete mode 100644 examples/standalone-redis/main.tf delete mode 100644 examples/standalone-redis/variables.tf delete mode 100644 examples/standalone-redis/versions.tf diff --git a/examples/standalone-redis/README.md b/examples/standalone-redis/README.md deleted file mode 100644 index f68966f5..00000000 --- a/examples/standalone-redis/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Example: Standalone with mTLS Redis - -## About this example - -This example for Terraform Enterprise creates a TFE installation with the -following traits: - -- External mode -- a small VM machine type (m5.xlarge) -- Ubuntu as the VM image -- a publicly accessible HTTP load balancer with TLS termination -- an access key for accessing S3 -- Redis VM - -## Pre-requisites - -This test assumes the following resources already exist: - -- Valid DNS Zone managed in Route53 -- Valid AWS ACM certificate -- a TFE license on a filepath accessible by tests -- Valid TLS certs for Redis - -## How to Use This Module - -### Deployment - - 1. Read the entire [README.md](../../README.md) of the root module. - 2. Ensure account meets module prerequisites from above. - 3. Clone repository. - 4. Change directory into desired example folder. - 5. Create a local `terraform.auto.tfvars` file and instantiate the required inputs as required in the respective `./examples/standalone-redis/variables.tf` including the path to the license under the `license_file` variable value. - 6. Authenticate against the AWS provider. See [instructions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration). - 7. Initialize terraform and apply the module configurations using the commands below: - - NOTE: `terraform plan` will print out the execution plan which describes the actions Terraform will take in order to build your infrastructure to match the module configuration. If anything in the plan seems incorrect or dangerous, it is safe to abort here and not proceed to `terraform apply`. - - ``` - terraform init - terraform plan - terraform apply - ``` - -## Post-deployment Tasks - -The build should take approximately 10-15 minutes to deploy. Once the module has completed, give the platform another 10 minutes or so prior to attempting to interact with it in order for all containers to start up. 
- -Unless amended, this example will not create an initial admin user using the IACT, but it does output the URL for your convenience. Follow the advice in this document to create the initial admin user, and log into the system using this user in order to configure it for use. - -### Connecting to the TFE Application - -1. Navigate to the URL supplied via the `login_url` Terraform output. (It may take several minutes for this to be available after initial deployment. You may monitor the progress of cloud init if desired on one of the instances) -2. Enter a `username`, `email`, and `password` for the initial user. -3. Click `Create an account`. -4. After the initial user is created you may access the TFE Application normally using the URL supplied via `login_url` Terraform output. diff --git a/examples/standalone-redis/data.tf b/examples/standalone-redis/data.tf deleted file mode 100644 index 490f79ce..00000000 --- a/examples/standalone-redis/data.tf +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -data "aws_ami" "ubuntu" { - most_recent = true - - filter { - name = "name" - values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] - } - - filter { - name = "virtualization-type" - values = ["hvm"] - } - - owners = ["099720109477"] # Canonical -} diff --git a/examples/standalone-redis/locals.tf b/examples/standalone-redis/locals.tf deleted file mode 100644 index f6c45743..00000000 --- a/examples/standalone-redis/locals.tf +++ /dev/null @@ -1,7 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -locals { - friendly_name_prefix = random_string.friendly_name.id - network_private_subnet_cidrs = ["10.0.32.0/20", "10.0.48.0/20", "10.0.112.0/20"] -} diff --git a/examples/standalone-redis/main.tf b/examples/standalone-redis/main.tf deleted file mode 100644 index 1b38e697..00000000 --- a/examples/standalone-redis/main.tf +++ /dev/null 
@@ -1,65 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -# Random string to prepend resources -# ---------------------------------- -resource "random_string" "friendly_name" { - length = 4 - upper = false # Some AWS resources do not accept uppercase characters. - numeric = false - special = false -} - -# Store TFE License as secret -# --------------------------- -module "secrets" { - source = "../../fixtures/secrets" - tfe_license = { - name = "${local.friendly_name_prefix}-tfe-license" - path = var.license_file - } -} - -# Key Management Service -# ---------------------- -module "kms" { - source = "../../fixtures/kms" - key_alias = "${local.friendly_name_prefix}-key" -} - -# Standalone with redis mTLS -# -------------------------- -module "standalone_redis" { - source = "../../" - - acm_certificate_arn = var.acm_certificate_arn - domain_name = var.domain_name - distribution = "ubuntu" - friendly_name_prefix = local.friendly_name_prefix - tfe_license_secret_id = module.secrets.tfe_license_secret_id - - ami_id = data.aws_ami.ubuntu.id - bypass_preflight_checks = true - health_check_grace_period = 3000 - iact_subnet_list = ["0.0.0.0/0"] - iam_role_policy_arns = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"] - instance_type = "m5.4xlarge" - kms_key_arn = module.kms.key - load_balancing_scheme = "PUBLIC" - network_private_subnet_cidrs = local.network_private_subnet_cidrs - node_count = 1 - operational_mode = "external" - enable_redis_mtls = true - tfe_subdomain = local.friendly_name_prefix - vm_certificate_secret_id = var.certificate_pem_secret_id - vm_key_secret_id = var.private_key_pem_secret_id - ### for redis creation - redis_client_key_path = var.redis_client_key_path - redis_client_cert_path = var.redis_client_cert_path - redis_client_ca_path = var.redis_client_ca_path - - redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id - redis_private_key_secret_id = 
var.redis_private_key_secret_id - redis_certificate_secret_id = var.redis_certificate_secret_id - -} diff --git a/examples/standalone-redis/variables.tf b/examples/standalone-redis/variables.tf deleted file mode 100644 index e7ee7335..00000000 --- a/examples/standalone-redis/variables.tf +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -variable "acm_certificate_arn" { - type = string - description = "The ARN of an existing ACM certificate." -} - -variable "domain_name" { - type = string - description = "Domain for creating the Terraform Enterprise subdomain on." -} - -variable "license_file" { - type = string - description = "The local path to the Terraform Enterprise license." -} - -variable "redis_client_ca_path" { - type = string - default = "null" - description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe." -} -variable "redis_client_cert_path" { - type = string - default = "null" - description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe." -} -variable "redis_client_key_path" { - type = string - default = "null" - description = "The secrets manager secret ID of the Base64 & PEM encoded TLS certificate for tfe." -} - -variable private_key_pem_secret_id { - type = string - description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." -} -variable "certificate_pem_secret_id" { - type = string - description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." -} - -variable redis_private_key_secret_id { - type = string - description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." -} - -variable "redis_certificate_secret_id" { - type = string - description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." -} - -variable "redis_ca_certificate_secret_id" { - type = string - description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe." -} - diff --git a/examples/standalone-redis/versions.tf b/examples/standalone-redis/versions.tf deleted file mode 100644 index 4441331b..00000000 --- a/examples/standalone-redis/versions.tf +++ /dev/null 
@@ -1,16 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -terraform { - required_version = ">= 0.14" - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - random = { - source = "hashicorp/random" - version = "~> 3.1" - } - } -} diff --git a/main.tf b/main.tf index 159e6ab7..4fb0d732 100644 --- a/main.tf +++ b/main.tf @@ -125,9 +125,9 @@ module "redis_mtls" { # This module is used to deploy a Redis instance with mTLS enabled. domain_name = var.domain_name - redis_client_ca_path = var.redis_client_ca_path - redis_client_cert_path = var.redis_client_cert_path - redis_client_key_path = var.redis_client_key_path + redis_client_ca = var.redis_client_ca + redis_client_cert = var.redis_client_cert + redis_client_key = var.redis_client_key redis_authentication_mode = "NONE" # mTLS does not use password authentication aws_iam_instance_profile = module.service_accounts.iam_instance_profile.name asg_tags = var.asg_tags diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf index 513f3344..c3d9ba14 100644 --- a/modules/redis-standalone-mtls/locals.tf +++ b/modules/redis-standalone-mtls/locals.tf @@ -5,9 +5,9 @@ locals { redis_user_data_template = "${path.module}/files/script.sh" redis_user_data = templatefile(local.redis_user_data_template, { redis_init = base64encode(file(local.redis_init_path)) - fullchain = file(var.redis_client_cert_path) - privkey = file(var.redis_client_key_path) - isrgrootx1 = file(var.redis_client_ca_path) + fullchain = var.redis_client_cert + privkey = var.redis_client_key + isrgrootx1 = var.redis_client_ca redis_conf = base64encode(templatefile(local.redis_conf_path, { })) compose = base64encode(templatefile(local.compose_path, { diff --git a/modules/redis-standalone-mtls/variables.tf b/modules/redis-standalone-mtls/variables.tf index f8da90b0..4ceab187 100644 --- a/modules/redis-standalone-mtls/variables.tf 
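Review bot: `privkey = var.redis_client_key` templates the raw private-key value into `redis_user_data`, so the key travels in the EC2 user_data (readable through the instance metadata service and `DescribeInstanceAttribute`) and is stored in Terraform state and shown in plan output, and nothing in this hunk marks the value sensitive. Prefer passing only a Secrets Manager secret ID into the module and retrieving the key on the instance, mirroring how the root already hands `vm_key_secret_id` to `tfe_init_fdo`; if the inline value is kept, declare `redis_client_key` with `sensitive = true` in this module. The template key `isrgrootx1` is Let's Encrypt's root-CA name but receives whatever CA the caller supplies, so a neutral name such as `ca_cert` (and `$CA_CERT` in script.sh) would be less misleading. The `redis_user_data` local continues outside the hunk.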
+++ b/modules/redis-standalone-mtls/variables.tf @@ -108,17 +108,17 @@ variable "redis_use_password_auth" { default = false } -variable "redis_client_ca_path" { +variable "redis_client_ca" { description = "The CA certificate to be used for TLS encryption in Redis." type = string } -variable "redis_client_cert_path" { +variable "redis_client_cert" { description = "The full chain certificate to be used for TLS encryption in Redis." type = string } -variable "redis_client_key_path" { +variable "redis_client_key" { description = "The private key to be used for TLS encryption in Redis." type = string } diff --git a/variables.tf b/variables.tf index 5999afbf..bafe05fa 100644 --- a/variables.tf +++ b/variables.tf @@ -140,6 +140,24 @@ variable "redis_client_ca_path" { description = "Redis client CA file" } +variable "redis_client_cert" { + type = string + default = false + description = "Redis client cert file" +} + +variable "redis_client_key" { + type = string + default = false + description = "Redis client key file" +} + +variable "redis_client_ca" { + type = string + default = false + description = "Redis client CA file" +} + variable redis_client_key_secret_id { type = string description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe." From 35bac3fa006815cffe3616d9bc5c7a82347682cc Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Tue, 3 Jun 2025 22:47:49 -0400 Subject: [PATCH 06/27] fix output --- locals.tf | 17 +++------ modules/redis-standalone-mtls/outputs.tf | 45 ++++++++++++++++++++++-- modules/redis/outputs.tf | 37 +++++++++---------- 3 files changed, 66 insertions(+), 33 deletions(-) diff --git a/locals.tf b/locals.tf index 3ed84f8e..d47629fe 100644 --- a/locals.tf +++ b/locals.tf @@ -47,10 +47,7 @@ locals { } } ) - - redis = var.enable_redis_sentinel ? try( - module.redis_sentinel[0], - { + redis_sentinel= { hostname = null password = null username = null 
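Review bot: `redis_client_key` carries private-key material but is declared as a plain `type = string` with `default = false`; mark it `sensitive = true` so the value is redacted from plan and apply output, and replace `default = false` (coerced by Terraform to the string `"false"`) with `default = null` on all three new variables. The descriptions still say "file" although the module now receives content rather than a path, and script.sh decodes each value with `base64 -d` (PATCH 10's script.sh hunk), so they should state the expected encoding, e.g. `description = "Base64-encoded PEM private key used by the Redis server for TLS."`. The older `redis_client_*_path` variables (the context line `variable "redis_client_ca_path"` is one of them) appear to be left without a consumer once main.tf switched to the new inputs in this commit — confirm and remove them so operators are not offered two overlapping sets of inputs.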
@@ -65,9 +62,7 @@ locals { aws_elasticache_subnet_group_name = null aws_security_group_redis = null } - ) : var.enable_redis_mtls ? try( - module.redis_mtls[0], - { + redis_mtls = { hostname = null password = null username = null @@ -82,9 +77,7 @@ locals { aws_elasticache_subnet_group_name = null aws_security_group_redis = null } - ) : try( - module.redis[0], - { + redis_default = { hostname = null password = null username = null @@ -99,9 +92,9 @@ locals { aws_elasticache_subnet_group_name = null aws_security_group_redis = null } - ) +redis = var.enable_redis_sentinel ? try(module.redis_sentinel[0], local.redis_sentinel) : var.enable_redis_mtls ? try(module.redis_mtls[0], local.redis_mtls) : try(module.redis[0], local.redis_default) - no_proxy = concat([ +no_proxy = concat([ "127.0.0.1", "169.254.169.254", "secretsmanager.${data.aws_region.current.name}.amazonaws.com", diff --git a/modules/redis-standalone-mtls/outputs.tf b/modules/redis-standalone-mtls/outputs.tf index 6476e061..37ae4d50 100644 --- a/modules/redis-standalone-mtls/outputs.tf +++ b/modules/redis-standalone-mtls/outputs.tf @@ -6,6 +6,15 @@ output "hostname" { description = "The host/port combinations for available Redis endpoint." } +output "password" { + value = "" + description = "The password which is required to authenticate to Redis server." +} + +output "username" { + value = "" + description = "The username which is required to authenticate to Redis server." +} output "redis_port" { value = null @@ -13,7 +22,7 @@ output "redis_port" { } output "use_password_auth" { - value = false + value = var.redis_use_password_auth description = "A boolean which indicates if password authentication is required by the Redis server." } 
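Review bot: The rewritten `redis = var.enable_redis_sentinel ? try(module.redis_sentinel[0], local.redis_sentinel) : …` and `no_proxy = concat([` lines sit at column 0 inside the `locals` block (the removed `- no_proxy` line carried indentation, the added `+no_proxy` does not); run `terraform fmt` so the block stays readable. `try()` around each module reference also masks genuine errors from the selected module: a failing `module.redis_mtls[0]` would quietly resolve to the placeholder whose `hostname` is `null`, and the problem surfaces later as a TFE instance with no Redis endpoint rather than as a plan error. Keep the placeholders only where a module can legitimately be absent and let the enabled branch fail loudly. The same applies to the `-47`, `-82` and `-99` hunks of this file; the `locals` block starts before the first of them.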
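Review bot: `use_password_auth = var.redis_use_password_auth` lets this module advertise password authentication while the root pins `redis_authentication_mode = "NONE"` for it (main.tf hunk in PATCH 05) and the `password` output added in the preceding hunk is fixed to `""`; the two inputs can disagree and a consumer would then attempt an empty password. Derive the flag from the single source of truth, e.g. `value = var.redis_authentication_mode != "NONE"`, or drop `redis_use_password_auth` from the module. The new `password` and `username` outputs should also be `null` rather than `""`, matching the `null` placeholders the root's locals.tf uses for unset fields.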
@@ -22,7 +31,37 @@ output "use_tls" { description = "A boolean which indicates if transit encryption is required by Redis server." } -output "use_mtls" { +output "sentinel_enabled" { value = true - description = "A boolean which indicates if mTLS is required by Redis server." + description = "sentinel is enabled" +} + +output "sentinel_hosts" { + value = "" + description = "The host/port combinations for available Redis sentinel endpoints." +} + +output "sentinel_leader" { + value = "" + description = "The name of the Redis Sentinel leader" +} + +output "sentinel_username" { + value = "" + description = "the username to authenticate to Redis sentinel" +} + +output "sentinel_password" { + value = "" + description = "the password to authenticate to Redis sentinel" +} + +output "aws_elasticache_subnet_group_name" { + value = "" + description = "The name of the subnetwork group in which the Redis Elasticache replication group is deployed." +} + +output "aws_security_group_redis" { + value = "" + description = "The identity of the security group attached to the Redis Elasticache replication group." } diff --git a/modules/redis/outputs.tf b/modules/redis/outputs.tf index 3a998d50..312c3c04 100644 --- a/modules/redis/outputs.tf +++ b/modules/redis/outputs.tf 
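Review bot: `aws_security_group_redis` returns `""` although the module's own `network_id` description (PATCH 01 variables.tf hunk) says a security group is attached to the Redis EC2 instance, so the root cannot reference that group in ingress rules the way it can with `modules/redis`, whose output is `aws_security_group.redis[0].id`. Export the group's id here, and return `null` rather than `""` for `aws_elasticache_subnet_group_name` and the `sentinel_*` outputs so the values agree with the root's placeholder objects. Dropping the `use_mtls` output also leaves `var.enable_redis_mtls` as the only way for consumers to learn the mode; if that is intentional, a short comment at the top of this file saying so would save the next reader a search.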
@@ -1,66 +1,67 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 + output "hostname" { - value = var.active_active ? aws_elasticache_replication_group.redis[0].primary_endpoint_address : "" + value = null description = "The IP address of the primary node in the Redis Elasticache replication group." } output "password" { - value = try(random_id.redis_password[0].hex, "") - description = "The password which is required to create connections with the Redis Elasticache replication group." + value = local.redis_password + description = "The password which is required to authenticate to Redis server." } output "username" { - value = null - description = "The username which is required to create connections with the Redis Elasticache replication group. Defaults to null to maintain the output interface with the redis-sentinel module." + value = local.redis_username + description = "The username which is required to authenticate to Redis server." } output "redis_port" { - value = var.active_active ? aws_elasticache_replication_group.redis[0].port : "" + value = null description = "The port number on which the Redis Elasticache replication group accepts connections." } output "use_password_auth" { - value = var.active_active && local.redis_use_password_auth ? true : false - description = "A boolean which indicates if password authentication is required by the Redis Elasticache replication group." + value = var.redis_use_password_auth + description = "A boolean which indicates if password authentication is required by the Redis server." } output "use_tls" { - value = var.active_active ? aws_elasticache_replication_group.redis[0].transit_encryption_enabled : false - description = "A boolean which indicates if transit encryption is required by the Redis Elasticache replication group." + value = false + description = "A boolean which indicates if transit encryption is required by Redis server." 
} output "sentinel_enabled" { - value = false - description = "sentinel is not enabled" + value = true + description = "sentinel is enabled" } output "sentinel_hosts" { - value = [] + value = ["${aws_route53_record.sentinel.fqdn}:${var.redis_sentinel_port}"] description = "The host/port combinations for available Redis sentinel endpoints." } output "sentinel_leader" { - value = null + value = var.redis_sentinel_leader_name description = "The name of the Redis Sentinel leader" } output "sentinel_username" { - value = null + value = local.sentinel_username description = "the username to authenticate to Redis sentinel" } output "sentinel_password" { - value = null + value = local.sentinel_password description = "the password to authenticate to Redis sentinel" } output "aws_elasticache_subnet_group_name" { - value = var.active_active ? aws_elasticache_subnet_group.tfe[0].name : "" + value = "" description = "The name of the subnetwork group in which the Redis Elasticache replication group is deployed." } output "aws_security_group_redis" { - value = var.active_active ? aws_security_group.redis[0].id : "" + value = "" description = "The identity of the security group attached to the Redis Elasticache replication group." } From 192776475c74cff2e7a699be7b2f8d8855d0b01d Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Tue, 3 Jun 2025 22:58:51 -0400 Subject: [PATCH 07/27] revert --- modules/redis/outputs.tf | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/modules/redis/outputs.tf b/modules/redis/outputs.tf index 312c3c04..3a998d50 100644 --- a/modules/redis/outputs.tf +++ b/modules/redis/outputs.tf 
@@ -1,67 +1,66 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 - output "hostname" { - value = null + value = var.active_active ? aws_elasticache_replication_group.redis[0].primary_endpoint_address : "" description = "The IP address of the primary node in the Redis Elasticache replication group." } output "password" { - value = local.redis_password - description = "The password which is required to authenticate to Redis server." + value = try(random_id.redis_password[0].hex, "") + description = "The password which is required to create connections with the Redis Elasticache replication group." } output "username" { - value = local.redis_username - description = "The username which is required to authenticate to Redis server." + value = null + description = "The username which is required to create connections with the Redis Elasticache replication group. Defaults to null to maintain the output interface with the redis-sentinel module." } output "redis_port" { - value = null + value = var.active_active ? aws_elasticache_replication_group.redis[0].port : "" description = "The port number on which the Redis Elasticache replication group accepts connections." } output "use_password_auth" { - value = var.redis_use_password_auth - description = "A boolean which indicates if password authentication is required by the Redis server." + value = var.active_active && local.redis_use_password_auth ? true : false + description = "A boolean which indicates if password authentication is required by the Redis Elasticache replication group." } output "use_tls" { - value = false - description = "A boolean which indicates if transit encryption is required by Redis server." + value = var.active_active ? aws_elasticache_replication_group.redis[0].transit_encryption_enabled : false + description = "A boolean which indicates if transit encryption is required by the Redis Elasticache replication group." 
} output "sentinel_enabled" { - value = true - description = "sentinel is enabled" + value = false + description = "sentinel is not enabled" } output "sentinel_hosts" { - value = ["${aws_route53_record.sentinel.fqdn}:${var.redis_sentinel_port}"] + value = [] description = "The host/port combinations for available Redis sentinel endpoints." } output "sentinel_leader" { - value = var.redis_sentinel_leader_name + value = null description = "The name of the Redis Sentinel leader" } output "sentinel_username" { - value = local.sentinel_username + value = null description = "the username to authenticate to Redis sentinel" } output "sentinel_password" { - value = local.sentinel_password + value = null description = "the password to authenticate to Redis sentinel" } output "aws_elasticache_subnet_group_name" { - value = "" + value = var.active_active ? aws_elasticache_subnet_group.tfe[0].name : "" description = "The name of the subnetwork group in which the Redis Elasticache replication group is deployed." } output "aws_security_group_redis" { - value = "" + value = var.active_active ? aws_security_group.redis[0].id : "" description = "The identity of the security group attached to the Redis Elasticache replication group." } From 2f4a8262942a7d4704ce660c32b94607ec4fa3a6 Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Tue, 3 Jun 2025 23:37:18 -0400 Subject: [PATCH 08/27] update --- locals.tf | 32 +------------------------------- 1 file changed, 1 insertion(+), 31 deletions(-) diff --git a/locals.tf b/locals.tf index d47629fe..afc95816 100644 --- a/locals.tf +++ b/locals.tf 
@@ -47,36 +47,6 @@ locals { } } ) - redis_sentinel= { - hostname = null - password = null - username = null - redis_port = null - use_password_auth = null - use_tls = null - sentinel_enabled = var.enable_redis_sentinel - sentinel_hosts = [] - sentinel_leader = null - sentinel_username = null - sentinel_password = null - aws_elasticache_subnet_group_name = null - aws_security_group_redis = null - } - redis_mtls = { - hostname = null - password = null - username = null - redis_port = null - use_password_auth = null - use_tls = null - sentinel_enabled = var.enable_redis_sentinel - sentinel_hosts = [] - sentinel_leader = null - sentinel_username = null - sentinel_password = null - aws_elasticache_subnet_group_name = null - aws_security_group_redis = null - } redis_default = { hostname = null password = null @@ -92,7 +62,7 @@ locals { aws_elasticache_subnet_group_name = null aws_security_group_redis = null } -redis = var.enable_redis_sentinel ? try(module.redis_sentinel[0], local.redis_sentinel) : var.enable_redis_mtls ? try(module.redis_mtls[0], local.redis_mtls) : try(module.redis[0], local.redis_default) +redis = var.enable_redis_sentinel ? module.redis_sentinel[0] : var.enable_redis_mtls ? module.redis_mtls[0] : try(module.redis[0], local.redis_default) no_proxy = concat([ "127.0.0.1", From 1dc3d03ee465f8197ce171efbe15b21faccc668b Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Tue, 3 Jun 2025 23:58:58 -0400 Subject: [PATCH 09/27] output --- modules/redis-standalone-mtls/outputs.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/redis-standalone-mtls/outputs.tf b/modules/redis-standalone-mtls/outputs.tf index 37ae4d50..5ce4582d 100644 --- a/modules/redis-standalone-mtls/outputs.tf +++ b/modules/redis-standalone-mtls/outputs.tf 
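Review bot: `redis = var.enable_redis_sentinel ? module.redis_sentinel[0] : var.enable_redis_mtls ? module.redis_mtls[0] : try(module.redis[0], local.redis_default)` silently prefers Sentinel when both `enable_redis_sentinel` and `enable_redis_mtls` are set, so the mTLS VM would still be built and exposed while TFE is pointed at Sentinel. Add a precondition that asserts at most one of the two flags is true, with an error message naming both variables, so the conflict fails at plan time. The added line also remains at column 0 inside the `locals` block — please `terraform fmt` it. The `locals` block starts before this hunk.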
@@ -2,7 +2,7 @@ # SPDX-License-Identifier: MPL-2.0 output "hostname" { - value = ["${aws_route53_record.redis.fqdn}:${var.redis_port}"] + value = "${aws_route53_record.redis.fqdn}:${var.redis_port}" description = "The host/port combinations for available Redis endpoint." } @@ -12,7 +12,7 @@ output "password" { } output "username" { - value = "" + value = null description = "The username which is required to authenticate to Redis server." } @@ -32,27 +32,27 @@ output "use_tls" { } output "sentinel_enabled" { - value = true + value = false description = "sentinel is enabled" } output "sentinel_hosts" { - value = "" + value = [] description = "The host/port combinations for available Redis sentinel endpoints." } output "sentinel_leader" { - value = "" + value = null description = "The name of the Redis Sentinel leader" } output "sentinel_username" { - value = "" + value = null description = "the username to authenticate to Redis sentinel" } output "sentinel_password" { - value = "" + value = null description = "the password to authenticate to Redis sentinel" } From 0399bfea3e1ec3c45078e0f678b1158af58dec90 Mon Sep 17 00:00:00 2001 From: sandrampeter Date: Wed, 4 Jun 2025 11:26:10 -0400 Subject: [PATCH 10/27] update --- .../redis-standalone-mtls/files/compose.yaml | 2 -- .../redis-standalone-mtls/files/redis-init.sh | 10 ---------- .../redis-standalone-mtls/files/redis.conf | 0 modules/redis-standalone-mtls/files/script.sh | 20 +++++-------------- modules/redis-standalone-mtls/locals.tf | 5 ----- 5 files changed, 5 insertions(+), 32 deletions(-) delete mode 100644 modules/redis-standalone-mtls/files/redis-init.sh delete mode 100644 modules/redis-standalone-mtls/files/redis.conf diff --git a/modules/redis-standalone-mtls/files/compose.yaml b/modules/redis-standalone-mtls/files/compose.yaml index b4b71548..60812277 100644 --- a/modules/redis-standalone-mtls/files/compose.yaml +++ b/modules/redis-standalone-mtls/files/compose.yaml 
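Review bot: `sentinel_enabled` now returns `false` but keeps `description = "sentinel is enabled"`; change it to `description = "Sentinel is not enabled for the standalone mTLS Redis module."` to match the wording in `modules/redis/outputs.tf`. The `hostname` change from a one-element list to the string `"${aws_route53_record.redis.fqdn}:${var.redis_port}"` aligns this module with the scalar `hostname` the other modules return, but the description still says "host/port combinations"; `description = "The host:port of the Redis endpoint."` reads better.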
@@ -19,8 +19,6 @@ services: ports: - "${redis_port+1}:${redis_port}" volumes: - - $${REDIS_CONF}:/opt/redis/redis.conf - - $${REDIS_INIT}:/opt/redis/init.sh # For Redis TLS certificates. - $${FULLCHAIN}:/certs/fullchain.pem - $${PRIVKEY}:/certs/privkey.pem diff --git a/modules/redis-standalone-mtls/files/redis-init.sh b/modules/redis-standalone-mtls/files/redis-init.sh deleted file mode 100644 index ab7fb5fb..00000000 --- a/modules/redis-standalone-mtls/files/redis-init.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: MPL-2.0 - -echo "Running redis pre-entrypoint init script" - -mkdir -p /etc/redis -cp /opt/redis/redis.conf /etc/redis/redis.conf - -exec "$@" diff --git a/modules/redis-standalone-mtls/files/redis.conf b/modules/redis-standalone-mtls/files/redis.conf deleted file mode 100644 index e69de29b..00000000 diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh index 8c534fc4..d6e59a2c 100644 --- a/modules/redis-standalone-mtls/files/script.sh +++ b/modules/redis-standalone-mtls/files/script.sh @@ -25,7 +25,6 @@ function retry { } - curl --noproxy '*' --fail --silent --show-error --location https://download.docker.com/linux/ubuntu/gpg \ | gpg --dearmor --output /usr/share/keyrings/docker-archive-keyring.gpg echo \ 
@@ -38,27 +37,18 @@ retry 10 apt-get --assume-yes autoremove
 tfe_dir="/etc/redis"
 mkdir -p $tfe_dir
-get_linux_ip() {
-  ip addr show | awk '/inet / && !/127.0.0.1/ {print $2}' | cut -d/ -f1 | head -n 1
-}
-export HOST_IP=$(get_linux_ip)
-export REDIS_CONF=$tfe_dir/redis.conf
-export REDIS_INIT=$tfe_dir/redis-init.sh
+
 export FULLCHAIN=$tfe_dir/fullchain.pem
 export PRIVKEY=$tfe_dir/privkey.pem
 export ISRGROOTX1=$tfe_dir/isrgrootx1.pem
 echo ${compose} | base64 -d > $tfe_dir/compose.yaml
-echo ${redis_conf} | base64 -d > $REDIS_CONF
-echo ${redis_init} | base64 -d > $REDIS_INIT
+
+
 echo ${fullchain} | base64 -d > $FULLCHAIN
 echo ${privkey} | base64 -d > $PRIVKEY
 echo ${isrgrootx1} | base64 -d > $ISRGROOTX1
-# echo ${fullchain} | base64 -d > $FULLCHAIN
-# echo ${privkey} | base64 -d > $PRIVKEY
-# echo ${isrgrootx1} | base64 -d > $ISRGROOTX1
-chmod a+r $REDIS_CONF
-chmod a+x $REDIS_INIT
+
 chmod a+r $FULLCHAIN
 chmod a+r $PRIVKEY
 chmod a+r $ISRGROOTX1
-docker compose -f $tfe_dir/compose.yaml up -d
+docker compose -f $tfe_dir/compose.yaml up -d
\ No newline at end of file
diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf
index c3d9ba14..4020ce6a 100644
--- a/modules/redis-standalone-mtls/locals.tf
+++ b/modules/redis-standalone-mtls/locals.tf
@@ -4,19 +4,14 @@ locals {
   redis_user_data_template = "${path.module}/files/script.sh"
   redis_user_data = templatefile(local.redis_user_data_template, {
-    redis_init = base64encode(file(local.redis_init_path))
     fullchain = var.redis_client_cert
     privkey = var.redis_client_key
     isrgrootx1 = var.redis_client_ca
-    redis_conf = base64encode(templatefile(local.redis_conf_path, {
-    }))
     compose = base64encode(templatefile(local.compose_path, {
       redis_port = var.redis_port
     }))
   })
   compose_path = "${path.module}/files/compose.yaml"
-  redis_conf_path = "${path.module}/files/redis.conf"
-  redis_init_path = "${path.module}/files/redis-init.sh"
   tags = concat(
     [
       {
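Review bot: `chmod a+r $PRIVKEY` leaves the Redis TLS private key world-readable on the host, and the preceding `> $PRIVKEY` redirection already creates it with the default umask, so every local account on the instance can read the key. If the broad mode is there so the non-root process inside the container can read the bind-mounted file, `chown` the file to that user and use `chmod 0400 $PRIVKEY` (with `umask 077` set before the `base64 -d` redirections) rather than granting read to everyone; the same context lines survive in the later script.sh hunks. The locals.tf hunk also still passes `var.redis_client_key` verbatim into user data, which is retrievable from the instance metadata service and via the EC2 API by anyone allowed to describe the instance; the later commits on this branch that fetch the material from Secrets Manager at boot are the right direction.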
From b2a00a6cae5f7e50ad967bd7e6a31d49330fe5e6 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 12:36:04 -0400
Subject: [PATCH 11/27] update
---
 modules/redis-standalone-mtls/files/compose.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/redis-standalone-mtls/files/compose.yaml b/modules/redis-standalone-mtls/files/compose.yaml
index 60812277..1d5bfb20 100644
--- a/modules/redis-standalone-mtls/files/compose.yaml
+++ b/modules/redis-standalone-mtls/files/compose.yaml
@@ -5,7 +5,6 @@ services:
   redis:
     image: redis:7
-    entrypoint: ["/opt/redis/init.sh"]
     command: [
       "redis-server",
       # disable all ports
@@ -17,7 +16,7 @@ services:
       "--tls-auth-clients", "yes"
     ]
     ports:
-      - "${redis_port+1}:${redis_port}"
+      - "${redis_port}:${redis_port}"
     volumes:
       # For Redis TLS certificates.
       - $${FULLCHAIN}:/certs/fullchain.pem
From 345dd982422adfb4df62e5d6ae654963449ee973 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 14:10:34 -0400
Subject: [PATCH 12/27] update tg
---
 modules/redis-standalone-mtls/networking.tf | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/modules/redis-standalone-mtls/networking.tf b/modules/redis-standalone-mtls/networking.tf
index f4eae69a..b382f9ba 100644
--- a/modules/redis-standalone-mtls/networking.tf
+++ b/modules/redis-standalone-mtls/networking.tf
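Review bot: `image: redis:7` in the first compose hunk is a floating tag, so each instance launch pulls whatever the registry currently serves under it and two instances of this module can run different Redis builds with no change in this repository. Pin it to a digest, `image: redis:7@sha256:<digest>` (placeholder), or at least a full patch version, and bump it deliberately. With `--tls-auth-clients yes` and `--port 0` semantics spelled out in the `command:` list, a short comment above it stating that client certificates are mandatory and no password authentication is configured would document the intended security posture for the next reader.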
@@ -39,21 +39,20 @@ resource "aws_lb" "redis_lb" {
 # ---------------------------------------------------------
 resource "aws_lb_listener" "redis_listener_redis" {
-  count = 4
   load_balancer_arn = aws_lb.redis_lb.arn
-  port = (var.redis_port + count.index)
+  port = (var.redis_port)
   protocol = "TCP"
   default_action {
     type = "forward"
-    target_group_arn = aws_lb_target_group.redis_tg[count.index].arn
+    target_group_arn = aws_lb_target_group.redis_tg.arn
   }
 }
 resource "aws_lb_target_group" "redis_tg" {
   count = 4
-  name = "${var.friendly_name_prefix}-redis-tg-${var.redis_port + count.index}"
-  port = (var.redis_port + count.index)
+  name = "${var.friendly_name_prefix}-redis-tg-${var.redis_port}"
+  port = (var.redis_port)
   protocol = "TCP"
   vpc_id = var.network_id
From ad04cd57856db1228cfbcf20735014554551d115 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 14:17:38 -0400
Subject: [PATCH 13/27] count -removed
---
 modules/redis-standalone-mtls/networking.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/redis-standalone-mtls/networking.tf b/modules/redis-standalone-mtls/networking.tf
index b382f9ba..d5d3a315 100644
--- a/modules/redis-standalone-mtls/networking.tf
+++ b/modules/redis-standalone-mtls/networking.tf
@@ -50,7 +50,6 @@ resource "aws_lb_listener" "redis_listener_redis" {
 }
 resource "aws_lb_target_group" "redis_tg" {
-  count = 4
   name = "${var.friendly_name_prefix}-redis-tg-${var.redis_port}"
   port = (var.redis_port)
   protocol = "TCP"
From 7ac0dcd567bd82fa88b44081cab4d4322dc25267 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 14:22:22 -0400
Subject: [PATCH 14/27] update
---
 modules/redis-standalone-mtls/main.tf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/modules/redis-standalone-mtls/main.tf b/modules/redis-standalone-mtls/main.tf
index 0eba38fa..5ab97f6d 100644
--- a/modules/redis-standalone-mtls/main.tf
+++ b/modules/redis-standalone-mtls/main.tf
@@ -67,10 +67,7 @@ resource "aws_autoscaling_group" "redis" {
   max_size = 1
   desired_capacity = 1
   vpc_zone_identifier = var.network_subnets_private
-  target_group_arns = concat(
-    [for tg in aws_lb_target_group.redis_tg : tg.arn],
-    [for tg in aws_lb_target_group.redis_tg : tg.arn]
-  )
+  target_group_arns = aws_lb_target_group.redis_tg.tg.arn
   # Increases grace period for any AMI that is not the default Ubuntu
   # since RHEL has longer startup time
From b64dad4b64ed213d0820e41e4102686b70394311 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 14:53:12 -0400
Subject: [PATCH 15/27] update
---
 modules/redis-standalone-mtls/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/redis-standalone-mtls/main.tf b/modules/redis-standalone-mtls/main.tf
index 5ab97f6d..7409e560 100644
--- a/modules/redis-standalone-mtls/main.tf
+++ b/modules/redis-standalone-mtls/main.tf
@@ -67,7 +67,7 @@ resource "aws_autoscaling_group" "redis" {
   max_size = 1
   desired_capacity = 1
   vpc_zone_identifier = var.network_subnets_private
-  target_group_arns = aws_lb_target_group.redis_tg.tg.arn
+  target_group_arns = aws_lb_target_group.redis_tg.arn
   # Increases grace period for any AMI that is not the default Ubuntu
   # since RHEL has longer startup time
From 7453f263a2b585df1195fbb302b2998da611d0f9 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 15:01:17 -0400
Subject: [PATCH 16/27] make list
---
 modules/redis-standalone-mtls/networking.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/redis-standalone-mtls/networking.tf b/modules/redis-standalone-mtls/networking.tf
index d5d3a315..6b025486 100644
--- a/modules/redis-standalone-mtls/networking.tf
+++ b/modules/redis-standalone-mtls/networking.tf
@@ -45,7 +45,7 @@ resource "aws_lb_listener" "redis_listener_redis" {
   default_action {
     type = "forward"
-    target_group_arn = aws_lb_target_group.redis_tg.arn
+    target_group_arn = [aws_lb_target_group.redis_tg.arn]
   }
 }
From 2dcc38ab989a61e04ab2ba18b5811e12df18bec7 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 15:13:38 -0400
Subject: [PATCH 17/27] update
---
 modules/redis-standalone-mtls/main.tf | 2 +-
 modules/redis-standalone-mtls/networking.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/redis-standalone-mtls/main.tf b/modules/redis-standalone-mtls/main.tf
index 7409e560..b0fdf615 100644
--- a/modules/redis-standalone-mtls/main.tf
+++ b/modules/redis-standalone-mtls/main.tf
@@ -67,7 +67,7 @@ resource "aws_autoscaling_group" "redis" {
   max_size = 1
   desired_capacity = 1
   vpc_zone_identifier = var.network_subnets_private
-  target_group_arns = aws_lb_target_group.redis_tg.arn
+  target_group_arns = [aws_lb_target_group.redis_tg.arn]
   # Increases grace period for any AMI that is not the default Ubuntu
   # since RHEL has longer startup time
diff --git a/modules/redis-standalone-mtls/networking.tf b/modules/redis-standalone-mtls/networking.tf
index 6b025486..d5d3a315 100644
--- a/modules/redis-standalone-mtls/networking.tf
+++ b/modules/redis-standalone-mtls/networking.tf
@@ -45,7 +45,7 @@ resource "aws_lb_listener" "redis_listener_redis" {
   default_action {
     type = "forward"
-    target_group_arn = [aws_lb_target_group.redis_tg.arn]
+    target_group_arn = aws_lb_target_group.redis_tg.arn
   }
 }
From 24583d32806ca952b906a5ed29f3d460035e9665 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 16:44:32 -0400
Subject: [PATCH 18/27] add certs access
---
 main.tf | 3 +++
 modules/service_accounts/locals.tf | 5 ++++-
 modules/service_accounts/variables.tf | 18 ++++++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 4fb0d732..1fcd8cfa 100644
--- a/main.tf
+++ b/main.tf
@@ -38,6 +38,9 @@ module "service_accounts" {
   tfe_license_secret_id = var.tfe_license_secret_id
   kms_key_arn = local.kms_key_arn
   vm_certificate_secret_id = var.vm_certificate_secret_id
+  redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
+  redis_client_certificate_secret_id = var.redis_client_certificate_secret_id
+  redis_client_key_secret_id = var.redis_client_key_secret_id
   vm_key_secret_id = var.vm_key_secret_id
 }
diff --git a/modules/service_accounts/locals.tf b/modules/service_accounts/locals.tf
index 2d503b7a..eadfc8c3 100644
--- a/modules/service_accounts/locals.tf
+++ b/modules/service_accounts/locals.tf
@@ -6,7 +6,10 @@ locals {
     var.ca_certificate_secret_id,
     var.tfe_license_secret_id,
     var.vm_certificate_secret_id,
-    var.vm_key_secret_id
+    var.vm_key_secret_id,
+    var.redis_ca_certificate_secret_id,
+    var.redis_client_certificate_secret_id,
+    var.redis_client_key_secret_id
   ] : secret if secret != null]
   iam_instance_role = try(data.aws_iam_role.existing_instance_role[0], aws_iam_role.instance_role[0])
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
index 08b87916..4916eb3e 100644
--- a/modules/service_accounts/variables.tf
+++ b/modules/service_accounts/variables.tf
@@ -61,4 +61,22 @@ variable "vm_key_secret_id" {
   A Secrets Manager secret ARN which contains the Base64 encoded version of a PEM encoded private key for the Virtual Machine Scale Set.
   EOD
+}
+
+variable redis_client_key_secret_id {
+  type = string
+  default = null
+  description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
+}
+
+variable "redis_client_certificate_secret_id" {
+  type = string
+  default = null
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+}
+
+variable "redis_ca_certificate_secret_id" {
+  type = string
+  default = null
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
 }
\ No newline at end of file
From dd5843c394d9904088bcc0453d378a44012b506d Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Wed, 4 Jun 2025 17:36:48 -0400
Subject: [PATCH 19/27] update
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 1fcd8cfa..40ceb79d 100644
--- a/main.tf
+++ b/main.tf
@@ -259,7 +259,7 @@ module "runtime_container_engine_config" {
   redis_sentinel_user = local.redis.sentinel_username
   redis_sentinel_password = local.redis.sentinel_password
   redis_use_mtls = var.enable_redis_mtls
-  redis_ca_cert_path = "/etc/ssl/private/terraform-enterprise/redis/ca_cert.pem"
+  redis_ca_cert_path = "/etc/ssl/private/terraform-enterprise/redis/cacert.pem"
   redis_client_cert_path = "/etc/ssl/private/terraform-enterprise/redis/cert.pem"
   redis_client_key_path = "/etc/ssl/private/terraform-enterprise/redis/key.pem"
From 60b1bfdb4e0e022f8607288d39173eb5ba308668 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Thu, 5 Jun 2025 12:14:41 -0400
Subject: [PATCH 20/27] update
---
 modules/redis-standalone-mtls/files/script.sh | 19 +++++++++++++++++++
 modules/redis-standalone-mtls/locals.tf | 6 +++---
 2 files changed, 22 insertions(+), 3 deletions(-)
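Review bot: `redis_ca_certificate_secret_id` is declared with the same description as `redis_client_certificate_secret_id` ("... PEM encoded certificate for redis"), so a caller reading the variable list cannot tell which secret must hold the CA and which the leaf certificate, and swapping them would only surface as a TLS handshake failure at runtime. Suggest `description = "The secrets manager secret ID of the Base64 & PEM encoded CA certificate used to validate Redis mTLS peers."`. The identical duplicated text is repeated in the modules/redis-standalone-mtls/variables.tf and root variables.tf hunks of the later fmt commit; the unquoted `variable redis_client_key_secret_id {` label here is corrected in that same commit.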
diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh
index d6e59a2c..a2da4515 100644
--- a/modules/redis-standalone-mtls/files/script.sh
+++ b/modules/redis-standalone-mtls/files/script.sh
@@ -4,6 +4,14 @@
 set -eu pipefail
+function get_base64_secrets {
+  local secret_id=$1
+  # OS: Agnostic
+  # Description: Pull the Base 64 encoded secrets from AWS Secrets Manager
+
+  /usr/local/bin/aws secretsmanager get-secret-value --secret-id $secret_id | jq --raw-output '.SecretBinary,.SecretString | select(. != null)'
+}
+
 function retry {
   local retries=$1
   shift
@@ -35,6 +43,14 @@ retry 10 apt-get --assume-yes update
 retry 10 apt-get --assume-yes install docker-ce docker-ce-cli containerd.io redis-tools
 retry 10 apt-get --assume-yes autoremove
+
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Install AWS CLI"
+curl --noproxy '*' "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m | grep -q "arm\|aarch" && echo "aarch64" || echo "x86_64").zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+rm -f ./awscliv2.zip
+rm -rf ./aws
+
 tfe_dir="/etc/redis"
 mkdir -p $tfe_dir
@@ -43,6 +59,9 @@ export PRIVKEY=$tfe_dir/privkey.pem
 export ISRGROOTX1=$tfe_dir/isrgrootx1.pem
 echo ${compose} | base64 -d > $tfe_dir/compose.yaml
+fullchain=$(get_base64_secrets ${redis_client_cert})
+privkey=$(get_base64_secrets ${redis_client_key})
+isrgrootx1=$(get_base64_secrets ${redis_client_ca})
 echo ${fullchain} | base64 -d > $FULLCHAIN
 echo ${privkey} | base64 -d > $PRIVKEY
diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf
index 4020ce6a..f822fb11 100644
--- a/modules/redis-standalone-mtls/locals.tf
+++ b/modules/redis-standalone-mtls/locals.tf
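Review bot: `set -eu pipefail` on the context line above the new `get_base64_secrets` does not enable pipefail — bash treats `pipefail` as a positional parameter, so `$1` is set and `-o pipefail` is not — which means a failing `aws secretsmanager get-secret-value` in the function's pipeline is masked by `jq` exiting 0 on empty input, and the script goes on to write empty certificate and key files instead of aborting. Change it to `set -euo pipefail` and quote the argument, `--secret-id "$secret_id"`, so an ID containing shell metacharacters cannot be split. The AWS CLI installer added in the second hunk is downloaded and run as root (`./aws/install`) with no integrity check; AWS publishes a detached PGP signature (`.sig`) next to each zip, so fetch it and verify against the AWS CLI public key before `unzip`. `unzip` and `jq` are also not yet installed at this point in the script (a later commit adds them to the apt line).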
@@ -4,9 +4,9 @@ locals {
   redis_user_data_template = "${path.module}/files/script.sh"
   redis_user_data = templatefile(local.redis_user_data_template, {
-    fullchain = var.redis_client_cert
-    privkey = var.redis_client_key
-    isrgrootx1 = var.redis_client_ca
+    redis_client_cert = var.redis_client_cert
+    redis_client_key = var.redis_client_key
+    redis_client_ca = var.redis_client_ca
     compose = base64encode(templatefile(local.compose_path, {
       redis_port = var.redis_port
     }))
From 3aae05de3a055b99d68ae5959abc2d9e8a965cf1 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Thu, 5 Jun 2025 12:22:31 -0400
Subject: [PATCH 21/27] update
---
 modules/redis-standalone-mtls/files/script.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh
index a2da4515..a3432bb9 100644
--- a/modules/redis-standalone-mtls/files/script.sh
+++ b/modules/redis-standalone-mtls/files/script.sh
@@ -63,9 +63,9 @@ fullchain=$(get_base64_secrets ${redis_client_cert})
 privkey=$(get_base64_secrets ${redis_client_key})
 isrgrootx1=$(get_base64_secrets ${redis_client_ca})
-echo ${fullchain} | base64 -d > $FULLCHAIN
-echo ${privkey} | base64 -d > $PRIVKEY
-echo ${isrgrootx1} | base64 -d > $ISRGROOTX1
+echo $fullchain | base64 -d > $FULLCHAIN
+echo $privkey | base64 -d > $PRIVKEY
+echo $isrgrootx1 | base64 -d > $ISRGROOTX1
 chmod a+r $FULLCHAIN
 chmod a+r $PRIVKEY
From f396e75761167116ff835c5cdf727de1b8bea82a Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Thu, 5 Jun 2025 12:30:28 -0400
Subject: [PATCH 22/27] update
---
 modules/redis-standalone-mtls/files/script.sh | 10 +++-------
 modules/redis-standalone-mtls/locals.tf | 4 ++--
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh
index a3432bb9..d2a54dec 100644
--- a/modules/redis-standalone-mtls/files/script.sh
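Review bot: the change from `${fullchain}` to `$fullchain` in the script.sh hunk is correct only because this file is rendered by `templatefile()`, which interpolates `${...}` and leaves a bare `$name` to the shell; nothing on these lines says so, and a future cleanup is likely to put the braces back and break the render. Add a comment above the three lines, e.g. `# bare $var, not ${var}: templatefile() would try to interpolate ${...} at plan time`, and quote the expansions (`"$privkey"`) so the shell does not word-split the base64 text.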
+++ b/modules/redis-standalone-mtls/files/script.sh
@@ -59,13 +59,9 @@ export PRIVKEY=$tfe_dir/privkey.pem
 export ISRGROOTX1=$tfe_dir/isrgrootx1.pem
 echo ${compose} | base64 -d > $tfe_dir/compose.yaml
-fullchain=$(get_base64_secrets ${redis_client_cert})
-privkey=$(get_base64_secrets ${redis_client_key})
-isrgrootx1=$(get_base64_secrets ${redis_client_ca})
-
-echo $fullchain | base64 -d > $FULLCHAIN
-echo $privkey | base64 -d > $PRIVKEY
-echo $isrgrootx1 | base64 -d > $ISRGROOTX1
+echo $(get_base64_secrets ${redis_client_cert}) | base64 -d > $FULLCHAIN
+echo $(get_base64_secrets ${redis_client_key}) | base64 -d > $PRIVKEY
+echo $(get_base64_secrets ${redis_client_ca}) | base64 -d > $ISRGROOTX1
 chmod a+r $FULLCHAIN
 chmod a+r $PRIVKEY
diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf
index f822fb11..57c26d47 100644
--- a/modules/redis-standalone-mtls/locals.tf
+++ b/modules/redis-standalone-mtls/locals.tf
@@ -5,8 +5,8 @@ locals {
   redis_user_data_template = "${path.module}/files/script.sh"
   redis_user_data = templatefile(local.redis_user_data_template, {
     redis_client_cert = var.redis_client_cert
-    redis_client_key = var.redis_client_key
-    redis_client_ca = var.redis_client_ca
+    redis_client_key = var.redis_client_key
+    redis_client_ca = var.redis_client_ca
     compose = base64encode(templatefile(local.compose_path, {
       redis_port = var.redis_port
     }))
From 6e4d8be30ba7806452581e57723d0b89f3c6ade5 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Thu, 5 Jun 2025 17:12:17 -0400
Subject: [PATCH 23/27] install unzip and jq
---
 modules/redis-standalone-mtls/files/script.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/redis-standalone-mtls/files/script.sh b/modules/redis-standalone-mtls/files/script.sh
index d2a54dec..2b5473ed 100644
--- a/modules/redis-standalone-mtls/files/script.sh
+++ b/modules/redis-standalone-mtls/files/script.sh
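Review bot: folding the fetch into `echo $(get_base64_secrets ...)` drops the only failure signal the previous form had: under `set -e` a failing command substitution aborts an assignment like `privkey=$(...)`, but as an argument to `echo` its non-zero status is discarded, so a missing secret, a denied `GetSecretValue` or an expired instance credential now silently writes an empty `$PRIVKEY`/`$FULLCHAIN`/`$ISRGROOTX1` and the compose stack starts against them. Keep the assignment and decode from it, `privkey=$(get_base64_secrets "${redis_client_key}")` followed by `printf '%s' "$privkey" | base64 -d > "$PRIVKEY"`, and pair that with a real `set -o pipefail` so the `aws | jq` pipeline inside the function also propagates failure. The locals.tf hunk in this commit is whitespace only.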
@@ -40,7 +40,7 @@ echo \
   https://download.docker.com/linux/ubuntu $(lsb_release --codename --short) stable" \
   | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
 retry 10 apt-get --assume-yes update
-retry 10 apt-get --assume-yes install docker-ce docker-ce-cli containerd.io redis-tools
+retry 10 apt-get --assume-yes install docker-ce docker-ce-cli containerd.io redis-tools unzip jq
 retry 10 apt-get --assume-yes autoremove
From da0e57d6a7cba7957a8615f42294ca0438165a0d Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Fri, 6 Jun 2025 10:53:23 -0400
Subject: [PATCH 24/27] fmt
---
 locals.tf | 34 ++++++++--------
 main.tf | 21 +++++-----
 modules/redis-standalone-mtls/locals.tf | 8 ++--
 modules/redis-standalone-mtls/main.tf | 2 +-
 modules/redis-standalone-mtls/variables.tf | 14 +++----
 modules/service_accounts/variables.tf | 2 +-
 variables.tf | 45 +++-------------------
 7 files changed, 47 insertions(+), 79 deletions(-)
diff --git a/locals.tf b/locals.tf
index afc95816..aee83988 100644
--- a/locals.tf
+++ b/locals.tf
@@ -47,24 +47,24 @@ locals {
     }
   }
   )
-  redis_default = {
-    hostname = null
-    password = null
-    username = null
-    redis_port = null
-    use_password_auth = null
-    use_tls = null
-    sentinel_enabled = var.enable_redis_sentinel
-    sentinel_hosts = []
-    sentinel_leader = null
-    sentinel_username = null
-    sentinel_password = null
-    aws_elasticache_subnet_group_name = null
-    aws_security_group_redis = null
-  }
-redis = var.enable_redis_sentinel ? module.redis_sentinel[0] : var.enable_redis_mtls ? module.redis_mtls[0] : try(module.redis[0], local.redis_default)
+  redis_default = {
+    hostname = null
+    password = null
+    username = null
+    redis_port = null
+    use_password_auth = null
+    use_tls = null
+    sentinel_enabled = var.enable_redis_sentinel
+    sentinel_hosts = []
+    sentinel_leader = null
+    sentinel_username = null
+    sentinel_password = null
+    aws_elasticache_subnet_group_name = null
+    aws_security_group_redis = null
+  }
+  redis = var.enable_redis_sentinel ? module.redis_sentinel[0] : var.enable_redis_mtls ? module.redis_mtls[0] : try(module.redis[0], local.redis_default)
-no_proxy = concat([
+  no_proxy = concat([
     "127.0.0.1",
     "169.254.169.254",
     "secretsmanager.${data.aws_region.current.name}.amazonaws.com",
diff --git a/main.tf b/main.tf
index 40ceb79d..1a79ab72 100644
--- a/main.tf
+++ b/main.tf
@@ -127,11 +127,12 @@ module "redis_mtls" {
   source = "./modules/redis-standalone-mtls"
   # This module is used to deploy a Redis instance with mTLS enabled.
-  domain_name = var.domain_name
-  redis_client_ca = var.redis_client_ca
-  redis_client_cert = var.redis_client_cert
-  redis_client_key = var.redis_client_key
-  redis_authentication_mode = "NONE" # mTLS does not use password authentication
+  domain_name = var.domain_name
+  redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
+  redis_client_certificate_secret_id = var.redis_client_certificate_secret_id
+  redis_client_key_secret_id = var.redis_client_key_secret_id
+  # mTLS does not use password authentication
+  redis_authentication_mode = "NONE"
   aws_iam_instance_profile = module.service_accounts.iam_instance_profile.name
   asg_tags = var.asg_tags
   ec2_launch_template_tag_specifications = var.ec2_launch_template_tag_specifications
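Review bot: `aws_iam_instance_profile = module.service_accounts.iam_instance_profile.name` hands the Redis host the same instance role as the TFE nodes, and the secret list that role is built from (extended in the earlier modules/service_accounts/locals.tf hunk) covers the TFE license, the TFE VM certificate and private key, and now the three Redis secrets. The Redis instance only needs to read the Redis CA, certificate and key secrets (plus KMS decrypt if they are CMK-encrypted), so a compromise of that host should not also yield the TFE license and TLS key; give the module its own role and profile scoped to those three secrets, or at minimum add a comment on this line recording that the Redis EC2 instance can read every TFE secret. The exact IAM policy statement is outside these hunks, so the blast radius is inferred from the locals list rather than from the policy document.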
@@ -293,11 +294,11 @@ module "tfe_init_fdo" {
   ca_certificate_secret_id = var.ca_certificate_secret_id == null ? null : var.ca_certificate_secret_id
   certificate_secret_id = var.vm_certificate_secret_id == null ? null : var.vm_certificate_secret_id
   key_secret_id = var.vm_key_secret_id == null ? null : var.vm_key_secret_id
-
-  enable_redis_mtls = var.enable_redis_mtls
-  redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id
-  redis_client_certificate_secret_id = var.redis_client_certificate_secret_id == null ? null : var.redis_client_certificate_secret_id
-  redis_client_key_secret_id = var.redis_client_key_secret_id == null ? null : var.redis_client_key_secret_id
+
+  enable_redis_mtls = var.enable_redis_mtls
+  redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id == null ? null : var.redis_ca_certificate_secret_id
+  redis_client_certificate_secret_id = var.redis_client_certificate_secret_id == null ? null : var.redis_client_certificate_secret_id
+  redis_client_key_secret_id = var.redis_client_key_secret_id == null ? null : var.redis_client_key_secret_id
   proxy_ip = var.proxy_ip != null ? var.proxy_ip : null
   proxy_port = var.proxy_ip != null ? var.proxy_port : null
diff --git a/modules/redis-standalone-mtls/locals.tf b/modules/redis-standalone-mtls/locals.tf
index 57c26d47..c2255987 100644
--- a/modules/redis-standalone-mtls/locals.tf
+++ b/modules/redis-standalone-mtls/locals.tf
@@ -4,14 +4,14 @@ locals {
   redis_user_data_template = "${path.module}/files/script.sh"
   redis_user_data = templatefile(local.redis_user_data_template, {
-    redis_client_cert = var.redis_client_cert
-    redis_client_key = var.redis_client_key
-    redis_client_ca = var.redis_client_ca
+    redis_client_cert = var.redis_client_certificate_secret_id
+    redis_client_key = var.redis_client_key_secret_id
+    redis_client_ca = var.redis_ca_certificate_secret_id
     compose = base64encode(templatefile(local.compose_path, {
       redis_port = var.redis_port
     }))
   })
-  compose_path = "${path.module}/files/compose.yaml"
+  compose_path = "${path.module}/files/compose.yaml"
   tags = concat(
     [
       {
diff --git a/modules/redis-standalone-mtls/main.tf b/modules/redis-standalone-mtls/main.tf
index b0fdf615..60b55af4 100644
--- a/modules/redis-standalone-mtls/main.tf
+++ b/modules/redis-standalone-mtls/main.tf
@@ -67,7 +67,7 @@ resource "aws_autoscaling_group" "redis" {
   max_size = 1
   desired_capacity = 1
   vpc_zone_identifier = var.network_subnets_private
-  target_group_arns = [aws_lb_target_group.redis_tg.arn]
+  target_group_arns = [aws_lb_target_group.redis_tg.arn]
   # Increases grace period for any AMI that is not the default Ubuntu
   # since RHEL has longer startup time
diff --git a/modules/redis-standalone-mtls/variables.tf b/modules/redis-standalone-mtls/variables.tf
index 4ceab187..e2e674d6 100644
--- a/modules/redis-standalone-mtls/variables.tf
+++ b/modules/redis-standalone-mtls/variables.tf
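Review bot: the template keys `redis_client_cert`, `redis_client_key` and `redis_client_ca` now carry Secrets Manager secret IDs rather than PEM material, but their names (and the matching `${redis_client_cert}` references in files/script.sh) still read as if the certificate itself were being injected into user data, which is exactly what this commit series moved away from. Rename the keys to `redis_client_certificate_secret_id`, `redis_client_key_secret_id` and `redis_ca_certificate_secret_id` on both sides, or add a comment above the map, `# values are Secrets Manager secret IDs; script.sh fetches and base64-decodes them at boot`, so nobody passes raw PEM here again. The `compose_path` and the main.tf `target_group_arns` changes in this commit are whitespace only.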
@@ -108,18 +108,18 @@ variable "redis_use_password_auth" {
   default = false
 }
-variable "redis_client_ca" {
-  description = "The CA certificate to be used for TLS encryption in Redis."
+variable "redis_client_key_secret_id" {
   type = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
 }
-variable "redis_client_cert" {
-  description = "The full chain certificate to be used for TLS encryption in Redis."
+variable "redis_client_certificate_secret_id" {
   type = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
 }
-variable "redis_client_key" {
-  description = "The private key to be used for TLS encryption in Redis."
+variable "redis_ca_certificate_secret_id" {
   type = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
 }
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
index 4916eb3e..c2b57c88 100644
--- a/modules/service_accounts/variables.tf
+++ b/modules/service_accounts/variables.tf
@@ -63,7 +63,7 @@ variable "vm_key_secret_id" {
   EOD
 }
-variable redis_client_key_secret_id {
+variable "redis_client_key_secret_id" {
   type = string
   default = null
   description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
diff --git a/variables.tf b/variables.tf
index bafe05fa..ac8d0123 100644
--- a/variables.tf
+++ b/variables.tf
@@ -122,55 +122,22 @@ variable "enable_redis_mtls" {
   default = false
 }
-variable "redis_client_cert_path" {
+variable "redis_client_key_secret_id" {
   type = string
+  description = "The secrets manager secret ID of the Base64 & PEM encoded private key for redis."
   default = false
-  description = "Redis client cert file"
-}
-
-variable "redis_client_key_path" {
-  type = string
-  default = false
-  description = "Redis client key file"
-}
-
-variable "redis_client_ca_path" {
-  type = string
-  default = false
-  description = "Redis client CA file"
-}
-
-variable "redis_client_cert" {
-  type = string
-  default = false
-  description = "Redis client cert file"
-}
-
-variable "redis_client_key" {
-  type = string
-  default = false
-  description = "Redis client key file"
-}
-
-variable "redis_client_ca" {
-  type = string
-  default = false
-  description = "Redis client CA file"
-}
-
-variable redis_client_key_secret_id {
-  type = string
-  description = "The secrets manager secret ID of the Base64 & PEM encoded private key for tfe."
 }
 variable "redis_client_certificate_secret_id" {
   type = string
-  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+  default = false
 }
 variable "redis_ca_certificate_secret_id" {
   type = string
-  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for tfe."
+  description = "The secrets manager secret ID of the Base64 & PEM encoded certificate for redis."
+  default = false
 }
 variable "redis_cache_size" {
From 9fb7df3b526cc3fc8319b115a7b4c4a5e33c05e9 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Fri, 6 Jun 2025 15:54:18 -0400
Subject: [PATCH 25/27] not required when mtls is enabled
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 26f11693..0bb213de 100644
--- a/main.tf
+++ b/main.tf
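Review bot: `default = false` on the three `type = string` secret-ID variables (inherited as a context line for `redis_client_key_secret_id`, added for the other two) means these values are never `null`: Terraform converts the bool to the string `"false"`, so the `secret if secret != null` filter in modules/service_accounts/locals.tf keeps it in the IAM secret list and the `var.x == null ? null : var.x` guards in main.tf pass `"false"` on to tfe_init as a secret ID whenever mTLS is not in use. Use `default = null` for all three, which is what the same variables already declare in modules/service_accounts/variables.tf. Whether IAM rejects `"false"` as a non-ARN resource or the policy simply carries a bogus entry is inferred from the visible hunks, not from a plan.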
@@ -74,7 +74,7 @@ module "networking" {
 # -----------------------------------------------------------------------------
 module "redis" {
   source = "./modules/redis"
-  count = local.enable_redis_module && var.enable_redis_sentinel == false ? 1 : 0
+  count = local.enable_redis_module && var.enable_redis_sentinel == false || var.enable_redis_mtls == false ? 1 : 0
   active_active = var.operational_mode == "active-active"
   friendly_name_prefix = var.friendly_name_prefix
From b90f8189acd0253d7827789142f085737a5a4139 Mon Sep 17 00:00:00 2001
From: sandrampeter
Date: Fri, 6 Jun 2025 16:54:58 -0400
Subject: [PATCH 26/27] disable elasticache
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 0bb213de..ebd801de 100644
--- a/main.tf
+++ b/main.tf
@@ -74,7 +74,7 @@ module "networking" {
 # -----------------------------------------------------------------------------
 module "redis" {
   source = "./modules/redis"
-  count = local.enable_redis_module && var.enable_redis_sentinel == false || var.enable_redis_mtls == false ? 1 : 0
+  count = local.enable_redis_module && var.enable_redis_sentinel == false || local.enable_redis_module && var.enable_redis_mtls == false ? 1 : 0
   active_active = var.operational_mode == "active-active"
   friendly_name_prefix = var.friendly_name_prefix
From d42a85a5932de390264dc379c457daa07b22c9aa Mon Sep 17 00:00:00 2001
From: Sandra Maria Peter <83961684+sandrampeter@users.noreply.github.com>
Date: Mon, 9 Jun 2025 16:36:26 -0400
Subject: [PATCH 27/27] Update branch to main
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index ebd801de..727f3a72 100644
--- a/main.tf
+++ b/main.tf
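Review bot: the `count` expression in the second hunk (PATCH 26) parses as `local.enable_redis_module && (var.enable_redis_sentinel == false || var.enable_redis_mtls == false)` because `&&` binds tighter than `||`, so the ElastiCache module is still created when Sentinel is enabled and mTLS is not (the default), which the condition before PATCH 25 explicitly excluded; the first hunk's version is worse, since its second disjunct has no `enable_redis_module` gate at all. The intent stated in the subject lines is to skip ElastiCache when either alternative backend is enabled, which is `count = local.enable_redis_module && !var.enable_redis_sentinel && !var.enable_redis_mtls ? 1 : 0`. A one-line comment above `count` naming the three mutually exclusive backends would make the next edit to this expression safer.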
@@ -201,7 +201,7 @@ module "aurora_database" {
 # Docker Compose File Config for TFE on instance(s) using Flexible Deployment Options
 # ------------------------------------------------------------------------------------
 module "runtime_container_engine_config" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=redis-standalone"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/runtime_container_engine_config?ref=main"
   count = var.is_replicated_deployment ? 0 : 1
   tfe_license = var.hc_license
@@ -280,7 +280,7 @@ module "runtime_container_engine_config" {
 # AWS cloud init used to install and configure TFE on instance(s) using Flexible Deployment Options
 # --------------------------------------------------------------------------------------------------
 module "tfe_init_fdo" {
-  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=redis-standalone"
+  source = "git::https://github.com/hashicorp/terraform-random-tfe-utility//modules/tfe_init?ref=main"
   count = var.is_replicated_deployment ? 0 : 1
   cloud = "aws"
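Review bot: `?ref=main` on both remote module sources points at a moving branch, so every `terraform init` can pull different cloud-init and container-configuration code for the TFE hosts without any change in this repository, and there is no record of which upstream revision a given deployment actually ran. Pin both sources to a release tag or commit SHA, `?ref=<tag-or-commit>` (placeholder), and bump it deliberately; the `tfe_init` module in the second hunk is the one that renders user data for the instances, so this is the more sensitive of the two. A comment above each `source` line noting where the pinned version is tracked would help the next reviewer.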