hashicorp · sandrampeter · Jun 9, 2025 · May 28, 2025 · May 30, 2025 · Jun 4, 2025
@@ -83,6 +83,11 @@ locals {
             source = "/etc/tfe/ssl"
             target = "/etc/ssl/private/terraform-enterprise"
           },
+          {
+            type   = "bind"
+            source = "/etc/tfe/ssl/redis"
+            target = "/etc/ssl/private/terraform-enterprise/redis"
+          },
           {
             type   = "volume"
             source = "terraform-enterprise-cache"

@@ -13,6 +13,10 @@ locals {
     TFE_REDIS_SENTINEL_LEADER_NAME = var.redis_sentinel_leader_name
     TFE_REDIS_SENTINEL_PASSWORD    = var.redis_sentinel_password
     TFE_REDIS_SENTINEL_USERNAME    = var.redis_sentinel_user
+    TFE_REDIS_CA_CERT_PATH         = var.redis_ca_cert_path
+    TFE_REDIS_CLIENT_CERT_PATH     = var.redis_client_cert_path
+    TFE_REDIS_CLIENT_KEY_PATH      = var.redis_client_key_path
+    TFE_REDIS_USE_MTLS             = var.redis_use_mtls
   }
   redis_configuration = local.active_active ? local.redis : {}
 }
@@ -209,6 +209,25 @@ variable "redis_use_tls" {
   description = "Whether or not to use TLS to access Redis. Defaults to false if no value is given."
 }
 
+variable "redis_ca_cert_path" {
+  type        = string
+  description = "Path to a file containing the CA certificate for Redis TLS connections. Leave blank to not use a CA certificate for Redis TLS connections. Defaults to \"\" if no value is given."
+}
+variable "redis_client_cert_path" {
+  type        = string
+  description = "Path to a file containing the client certificate for Redis TLS connections. Leave blank to not use a client certificate for Redis TLS connections. Defaults to \"\" if no value is given."
+}
+
+variable "redis_client_key_path" {
+  type        = string
+  description = "Path to a file containing the client key for Redis TLS connections. Leave blank to not use a client key for Redis TLS connections. Defaults to \"\" if no value is given."
+}
+
+variable "redis_use_mtls" {
+  type        = bool
+  description = "Whether or not to use mutual TLS to access Redis. Defaults to false if no value is given."
+}
+
 variable "redis_user" {
   type        = string
   description = "Redis server user. Leave blank to not use a user when authenticating. Defaults to \"\" if no value is given."

@@ -22,6 +22,10 @@ locals {
     redis_use_tls = {
       value = var.redis_use_tls != null ? var.redis_use_tls ? "1" : "0" : null
     }
+
+    redis_use_mtls = {
+      value = var.redis_use_mtls != null ? var.redis_use_mtls ? "1" : "0" : null
+    }
   }
 
   redis_configuration = var.production_type == "active-active" ? local.redis_configs : {}

@@ -266,6 +266,30 @@ variable "redis_use_tls" {
   description = "Redis service requires TLS. If true, the external Redis instance will use port 6380, otherwise 6379."
 }
 
+variable "redis_use_mtls" {
+  default     = null
+  type        = bool
+  description = "Redis service requires mutual TLS authentication. If true, the external Redis instance will use TLS certs for authentication."
+}
+
+variable "redis_ca_cert_path" {
+  default     = null
+  type        = string
+  description = "(Required when redis_use_mtls is true) The path to the CA certificate file for the Redis instance."
+}
+
+variable "redis_client_cert_path" {
+  default     = null
+  type        = string
+  description = "(Required when redis_use_mtls is true) The path to the client certificate file for the Redis instance."
+}
+
+variable "redis_client_key_path" {
+  default     = null
+  type        = string
+  description = "(Required when redis_use_mtls is true) The path to the client key file for the Redis instance."
+}
+
 # ------------------------------------------------------
 # Mounted Disk
 # ------------------------------------------------------

@@ -7,6 +7,12 @@ locals {
   tls_bootstrap_cert_pathname = "${local.tls_bootstrap_path}/cert.pem"
   tls_bootstrap_key_pathname  = "${local.tls_bootstrap_path}/key.pem"
   tls_bootstrap_ca_pathname   = "${local.tls_bootstrap_path}/bundle.pem"
+
+  redis_bootstrap_path          = "/etc/tfe/ssl/redis"
+  redis_bootstrap_cert_pathname = "${local.redis_bootstrap_path}/cert.pem"
+  redis_bootstrap_key_pathname  = "${local.redis_bootstrap_path}/key.pem"
+  redis_bootstrap_ca_pathname   = "${local.redis_bootstrap_path}/cacert.pem"
+
   user_data_template = {
     aws = {
       ubuntu = {
@@ -62,10 +68,19 @@ locals {
       tls_bootstrap_ca_pathname   = local.tls_bootstrap_ca_pathname
       docker_compose              = var.docker_compose_yaml
       podman_kube_config          = var.podman_kube_yaml
-
+      
       ca_certificate_secret_id = var.ca_certificate_secret_id
       certificate_secret_id    = var.certificate_secret_id
       key_secret_id            = var.key_secret_id
+
+      enable_redis_mtls              = var.enable_redis_mtls
+      redis_ca_certificate_secret_id = var.redis_ca_certificate_secret_id
+      redis_certificate_secret_id    = var.redis_client_certificate_secret_id
+      redis_client_key_secret_id            = var.redis_client_key_secret_id
+
+      redis_bootstrap_cert_pathname = local.redis_bootstrap_cert_pathname
+      redis_bootstrap_key_pathname  = local.redis_bootstrap_key_pathname
+      redis_bootstrap_ca_pathname   = local.redis_bootstrap_ca_pathname
 
       proxy_ip   = var.proxy_ip
       proxy_port = var.proxy_port

@@ -53,6 +53,15 @@ echo $certificate_data_b64 | base64 --decode > ${tls_bootstrap_cert_pathname}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapCert configuration" | tee -a $log_pathname
 %{ endif ~}
 
+%{ if enable_redis_mtls == true ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure RedisCertBootstrap" | tee -a $log_pathname
+redis_certificate_data_b64=$(get_base64_secrets ${redis_certificate_secret_id})
+mkdir -p $(dirname ${redis_bootstrap_cert_pathname})
+echo $redis_certificate_data_b64 | base64 --decode > ${redis_bootstrap_cert_pathname}
+%{ else ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping RedisCertBootstrap configuration" | tee -a $log_pathname
+%{ endif ~}
+
 %{ if key_secret_id != null ~}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure TlsBootstrapKey" | tee -a $log_pathname
 key_data_b64=$(get_base64_secrets ${key_secret_id})
@@ -62,6 +71,17 @@ chmod 0600 ${tls_bootstrap_key_pathname}
 %{ else ~}
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapKey configuration" | tee -a $log_pathname
 %{ endif ~}
+
+%{ if redis_client_key_secret_id != null ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure RedisKeyBootstrap" | tee -a $log_pathname
+redis_key_data_b64=$(get_base64_secrets ${redis_client_key_secret_id})
+mkdir -p $(dirname ${redis_bootstrap_key_pathname})
+echo $redis_key_data_b64 | base64 --decode > ${redis_bootstrap_key_pathname}
+chmod 0600 ${redis_bootstrap_key_pathname}
+%{ else ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping TlsBootstrapKey configuration" | tee -a $log_pathname
+%{ endif ~}
+
 ca_certificate_directory="/dev/null"
 ca_certificate_directory=/usr/local/share/ca-certificates/extra
 ca_cert_filepath="$ca_certificate_directory/tfe-ca-certificate.crt"
@@ -74,6 +94,15 @@ echo $ca_certificate_data_b64 | base64 --decode > $ca_cert_filepath
 echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping CA certificate configuration" | tee -a $log_pathname
 %{ endif ~}
 
+%{ if redis_ca_certificate_secret_id != null ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Configure Redis CA cert" | tee -a $log_pathname
+redis_ca_certificate_data_b64=$(get_base64_secrets ${redis_ca_certificate_secret_id})
+mkdir -p $(dirname ${redis_bootstrap_ca_pathname})
+echo $redis_ca_certificate_data_b64 | base64 --decode > ${redis_bootstrap_ca_pathname}
+%{ else ~}
+echo "[$(date +"%FT%T")] [Terraform Enterprise] Skipping Redis CA certificate configuration" | tee -a $log_pathname
+%{ endif ~}
+
 if [ -f "$ca_cert_filepath" ]
 then
 	update-ca-certificates

@@ -1,6 +1,12 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+variable "enable_redis_mtls" {
+  default     = false
+  type        = bool
+  description = "Should Redis mTLS be enabled? This requires the redis_ca_certificate_secret_id, redis_client_key_secret_id and redis_client_certificate_secret_id variables to be set."
+}
+
 variable "ca_certificate_secret_id" {
   default     = null
   type        = string
@@ -13,6 +19,18 @@ variable "certificate_secret_id" {
   description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
 }
 
+variable "redis_ca_certificate_secret_id" {
+  default     = null
+  type        = string
+  description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate of a certificate authority (CA) to be trusted by the TFE instance(s)."
+}
+
+variable "redis_client_certificate_secret_id" {
+  default     = null
+  type        = string
+  description = "A secret ID which contains the Base64 encoded version of a PEM encoded public certificate for the TFE instance(s)."
+}
+
 variable "cloud" {
   default     = null
   type        = string
@@ -89,7 +107,6 @@ variable "key_secret_id" {
   description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
 }
 
-
 variable "operational_mode" {
   default     = null
   description = "A special string to control the operational mode of Terraform Enterprise. Valid values are: 'external' for External Services mode; 'disk' for Mounted Disk mode; 'active-active' for Active/Active mode."
@@ -112,6 +129,12 @@ variable "proxy_port" {
   description = "Port that the proxy server will use"
 }
 
+variable "redis_client_key_secret_id" {
+  default     = null
+  type        = string
+  description = "A secret ID which contains the Base64 encoded version of a PEM encoded private key for the TFE instance(s)."
+}
+
 variable "registry" {
   default     = null
   type        = string