Merge pull request #7 from geekcell/optional-kms

feat: refactor encryption and param groups

Author: Ic3w0lf

README.md

@@ -58,23 +58,35 @@ difference it can make in your AWS setup!
 |------|-------------|------|---------|:--------:|
 | <a name="input_apply_immediately"></a> [apply\_immediately](#input\_apply\_immediately) | Specifies whether any modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no |
 | <a name="input_at_rest_encryption_enabled"></a> [at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Whether to enable encryption at rest. | `bool` | `true` | no |
+| <a name="input_auth_token_length"></a> [auth\_token\_length](#input\_auth\_token\_length) | The length of the generated auth token. | `number` | `24` | no |
+| <a name="input_auth_token_special_characters"></a> [auth\_token\_special\_characters](#input\_auth\_token\_special\_characters) | Whether to include special characters in the generated auth token. | `bool` | `false` | no |
 | <a name="input_auto_minor_version_upgrade"></a> [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. | `string` | `false` | no |
 | <a name="input_data_tearing_enabled"></a> [data\_tearing\_enabled](#input\_data\_tearing\_enabled) | Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description of the all resources. | `string` | `"Managed by Terraform"` | no |
-| <a name="input_destination_type"></a> [destination\_type](#input\_destination\_type) | For CloudWatch Logs use `cloudwatch-logs` or for Kinesis Data Firehose use `kinesis-firehose`. | `string` | `"cloudwatch-logs"` | no |
-| <a name="input_elasticache_event_recipients"></a> [elasticache\_event\_recipients](#input\_elasticache\_event\_recipients) | Recipients of the elasticache events. | `list(string)` | `[]` | no |
+| <a name="input_enable_customer_managed_kms"></a> [enable\_customer\_managed\_kms](#input\_enable\_customer\_managed\_kms) | If enabled, will create a customer managed KMS key for at-rest encryption. | `bool` | `false` | no |
+| <a name="input_enable_sns_sse_encryption"></a> [enable\_sns\_sse\_encryption](#input\_enable\_sns\_sse\_encryption) | Enable SSE Encryption for SNS Topic. | `bool` | `true` | no |
 | <a name="input_engine"></a> [engine](#input\_engine) | Name of the cache engine to be used for the clusters in this replication group. | `string` | `"redis"` | no |
 | <a name="input_engine_version"></a> [engine\_version](#input\_engine\_version) | The version number of the cache engine to be used for the cache clusters in this replication group. | `string` | `"7.0"` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the AWS KMS to encrypt data at rest. Uses the AWS service managed encryption if not specified. | `string` | `null` | no |
+| <a name="input_log_destination_type"></a> [log\_destination\_type](#input\_log\_destination\_type) | For CloudWatch Logs use `cloudwatch-logs` or for Kinesis Data Firehose use `kinesis-firehose`. Only 'cloudwatch-logs' supported at the moment. | `string` | `"cloudwatch-logs"` | no |
+| <a name="input_log_enable_customer_managed_kms"></a> [log\_enable\_customer\_managed\_kms](#input\_log\_enable\_customer\_managed\_kms) | Whether to enable customer managed KMS key for CloudWatch Logs encryption. | `bool` | `false` | no |
 | <a name="input_log_format"></a> [log\_format](#input\_log\_format) | Valid values are `json` or `text`. | `string` | `"text"` | no |
+| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The number of days log events are kept in CloudWatch Logs. | `number` | `30` | no |
+| <a name="input_log_skip_destroy"></a> [log\_skip\_destroy](#input\_log\_skip\_destroy) | Whether to skip the deletion of the log groups when deleting the log group resources. | `bool` | `false` | no |
 | <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Type of logs, slow-log and engine-log | `list(string)` | <pre>[<br>  "slow-log",<br>  "engine-log"<br>]</pre> | no |
 | <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | Specifies the weekly time range for when maintenance on the cache cluster is performed. | `string` | `"Mon:00:00-Mon:03:00"` | no |
 | <a name="input_node_type"></a> [node\_type](#input\_node\_type) | The cluster identifier. If omitted, Terraform will assign a random, unique identifier. | `string` | n/a | yes |
 | <a name="input_num_cache_clusters"></a> [num\_cache\_clusters](#input\_num\_cache\_clusters) | Number of cache clusters (primary and replicas) this replication group will have. If Multi-AZ is enabled, the value of this parameter must be at least 2 | `number` | n/a | yes |
+| <a name="input_parameter_group_family"></a> [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the ElastiCache parameter group. Defaults to engine and engine\_version. | `string` | `null` | no |
+| <a name="input_parameter_group_name"></a> [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the ElastiCache parameter group. Defaults to the cluster name. | `string` | `null` | no |
+| <a name="input_parameters"></a> [parameters](#input\_parameters) | Set custom parameters via a parameter group. | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | `[]` | no |
 | <a name="input_port"></a> [port](#input\_port) | Port number on which each of the cache nodes will accept connections. | `number` | `6379` | no |
 | <a name="input_replication_group_id"></a> [replication\_group\_id](#input\_replication\_group\_id) | ID of the replication group to which this cluster should belong. | `string` | n/a | yes |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | A list of security group IDs to associate with this replication group. | `list(string)` | n/a | yes |
 | <a name="input_snapshot_retention_limit"></a> [snapshot\_retention\_limit](#input\_snapshot\_retention\_limit) | Number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. | `number` | `7` | no |
 | <a name="input_snapshot_window"></a> [snapshot\_window](#input\_snapshot\_window) | Daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. | `string` | `"03:30-05:30"` | no |
+| <a name="input_sns_event_recipients"></a> [sns\_event\_recipients](#input\_sns\_event\_recipients) | Recipients of the ElastiCache SNS event topic. Should be a list of E-Mails. | `list(string)` | `[]` | no |
+| <a name="input_sns_kms_master_key_id"></a> [sns\_kms\_master\_key\_id](#input\_sns\_kms\_master\_key\_id) | The ID of an AWS KMS key for the SNS topic. | `string` | `"alias/aws/sns"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to all resources. | `map(string)` | `{}` | no |
 | <a name="input_transit_encryption_enabled"></a> [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Whether to enable encryption in transit. | `bool` | `true` | no |
 | <a name="input_vpc_subnet_group_name"></a> [vpc\_subnet\_group\_name](#input\_vpc\_subnet\_group\_name) | Subnet group name for the Elasticache cluster. | `string` | n/a | yes |
@@ -83,6 +95,7 @@ difference it can make in your AWS setup!
 
 | Name | Description |
 |------|-------------|
+| <a name="output_auth_token"></a> [auth\_token](#output\_auth\_token) | The generate auth token used to access the Redis cluster. |
 | <a name="output_primary_endpoint_address"></a> [primary\_endpoint\_address](#output\_primary\_endpoint\_address) | Address of the endpoint for the primary node in the replication group, if the cluster mode is disabled. |
 | <a name="output_reader_endpoint_address"></a> [reader\_endpoint\_address](#output\_reader\_endpoint\_address) | Address of the endpoint for the reader node in the replication group, if the cluster mode is disabled. |
 
@@ -96,7 +109,7 @@ difference it can make in your AWS setup!
 ## Resources
 
 - resource.aws_elasticache_replication_group.redis (main.tf#20)
-- resource.random_password.main_password (main.tf#118)
+- resource.random_password.main_password (main.tf#85)
 
 # Examples
 ### Basic Example

main.tf

@@ -18,7 +18,6 @@
  * difference it can make in your AWS setup!
  */
 resource "aws_elasticache_replication_group" "redis" {
-
   # Naming
   replication_group_id = var.replication_group_id
   description          = var.description
@@ -33,7 +32,7 @@ resource "aws_elasticache_replication_group" "redis" {
   num_cache_clusters   = var.num_cache_clusters
 
   # Parameters
-  parameter_group_name = module.elasticache_parameter_group.name
+  parameter_group_name = length(var.parameters) > 0 ? module.elasticache_parameter_group[0].name : null
 
   # Auto failover
   automatic_failover_enabled = var.num_cache_clusters >= 2 ? true : false
@@ -42,8 +41,9 @@ resource "aws_elasticache_replication_group" "redis" {
   multi_az_enabled = var.num_cache_clusters >= 2 ? true : false
 
   # Encryption
-  at_rest_encryption_enabled = var.at_rest_encryption_enabled
   transit_encryption_enabled = var.transit_encryption_enabled
+  at_rest_encryption_enabled = var.at_rest_encryption_enabled
+  kms_key_id                 = var.enable_customer_managed_kms ? module.kms[0].key_arn : var.kms_key_id
 
   # Network
   port               = var.port
@@ -63,42 +63,60 @@ resource "aws_elasticache_replication_group" "redis" {
   # Token
   auth_token = random_password.main_password.result
 
-  # KMS
-  kms_key_id = module.kms.key_arn
-
   # SNS Notification
   notification_topic_arn = module.sns.arn
 
+  # Log Delivery
   dynamic "log_delivery_configuration" {
     for_each = var.log_type
+
     content {
       destination      = module.cloudwatch_log_group[log_delivery_configuration.value].name
-      destination_type = var.destination_type
-      log_format       = var.log_format
-      log_type         = log_delivery_configuration.value
+      destination_type = var.log_destination_type
+
+      log_format = var.log_format
+      log_type   = log_delivery_configuration.value
     }
   }
 
   tags = var.tags
 }
 
+resource "random_password" "main_password" {
+  length  = var.auth_token_length
+  special = var.auth_token_special_characters
+}
+
 module "elasticache_parameter_group" {
+  count = length(var.parameters) > 0 ? 1 : 0
+
   source = "./modules/elasticache_parameter_group/"
 
-  name = var.replication_group_id
+  name       = coalesce(var.parameter_group_name, var.replication_group_id)
+  family     = coalesce(var.parameter_group_family, "${var.engine}${var.engine_version}")
+  parameters = var.parameters
+
+  tags = var.tags
 }
 
 module "cloudwatch_log_group" {
-  for_each = toset(var.log_type)
+  for_each = var.log_destination_type == "cloudwatch-logs" ? toset(var.log_type) : []
 
   source  = "geekcell/cloudwatch-log-group/aws"
-  version = ">= 1.0.0, < 2.0.0"
+  version = ">= 2.0.0, < 3.0.0"
 
   name = "/elasticache-${var.engine}/cluster/${var.replication_group_id}/log/${each.key}"
+
+  retention_in_days           = var.log_retention_in_days
+  skip_destroy                = var.log_skip_destroy
+  enable_customer_managed_kms = var.log_enable_customer_managed_kms
+
   tags = var.tags
 }
 
 module "kms" {
+  count = var.enable_customer_managed_kms ? 1 : 0
+
   source  = "geekcell/kms/aws"
   version = ">= 1.0.0, < 2.0.0"
 
@@ -110,12 +128,11 @@ module "sns" {
   source  = "geekcell/sns-email-notification/aws"
   version = ">= 1.0.0, < 2.0.0"
 
-  name            = var.replication_group_id
-  email_addresses = var.elasticache_event_recipients
-  tags            = var.tags
-}
+  name            = "${var.replication_group_id}-elasticache"
+  email_addresses = var.sns_event_recipients
 
-resource "random_password" "main_password" {
-  length  = 24
-  special = false
+  enable_sns_sse_encryption = var.enable_sns_sse_encryption
+  sns_kms_master_key_id     = var.sns_kms_master_key_id
+
+  tags = var.tags
 }

modules/elasticache_parameter_group/main.tf

@@ -10,4 +10,6 @@ resource "aws_elasticache_parameter_group" "main" {
       value = parameter.value.value
     }
   }
+
+  tags = var.tags
 }

modules/elasticache_parameter_group/variables.tf

@@ -10,15 +10,16 @@ variable "name" {
 }
 
 variable "parameters" {
-  default = [
-    {
-      name  = "maxmemory-policy"
-      value = "volatile-lru"
-    }
-  ]
+  default     = []
   description = "The name and Values of the Elasticache parameters."
   type = list(object({
     name  = string
     value = string
   }))
 }
+
+variable "tags" {
+  default     = {}
+  description = "A mapping of tags to assign to all resources."
+  type        = map(string)
+}

outputs.tf

@@ -7,3 +7,9 @@ output "reader_endpoint_address" {
   value       = aws_elasticache_replication_group.redis.reader_endpoint_address
   description = "Address of the endpoint for the reader node in the replication group, if the cluster mode is disabled."
 }
+
+output "auth_token" {
+  value       = random_password.main_password.result
+  description = "The generate auth token used to access the Redis cluster."
+  sensitive   = true
+}

variables.tf

@@ -18,6 +18,18 @@ variable "at_rest_encryption_enabled" {
   type        = bool
 }
 
+variable "kms_key_id" {
+  description = "The ARN of the AWS KMS to encrypt data at rest. Uses the AWS service managed encryption if not specified."
+  default     = null
+  type        = string
+}
+
+variable "enable_customer_managed_kms" {
+  description = "If enabled, will create a customer managed KMS key for at-rest encryption."
+  default     = false
+  type        = bool
+}
+
 variable "auto_minor_version_upgrade" {
   default     = false
   description = "Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window."
@@ -36,12 +48,6 @@ variable "description" {
   type        = string
 }
 
-variable "elasticache_event_recipients" {
-  default     = []
-  description = "Recipients of the elasticache events."
-  type        = list(string)
-}
-
 variable "engine" {
   default     = "redis"
   description = " Name of the cache engine to be used for the clusters in this replication group."
@@ -109,10 +115,45 @@ variable "vpc_subnet_group_name" {
   type        = string
 }
 
-# Cloudwatch log group delivery
-variable "destination_type" {
+# Auth Token
+variable "auth_token_length" {
+  description = "The length of the generated auth token."
+  default     = 24
+  type        = number
+}
+
+variable "auth_token_special_characters" {
+  description = "Whether to include special characters in the generated auth token."
+  default     = false
+  type        = bool
+}
+
+# Parameter Group
+variable "parameter_group_name" {
+  description = "The name of the ElastiCache parameter group. Defaults to the cluster name."
+  default     = null
+  type        = string
+}
+
+variable "parameter_group_family" {
+  description = "The family of the ElastiCache parameter group. Defaults to engine and engine_version."
+  default     = null
+  type        = string
+}
+
+variable "parameters" {
+  description = "Set custom parameters via a parameter group."
+  default     = []
+  type = list(object({
+    name  = string
+    value = string
+  }))
+}
+
+# Logging
+variable "log_destination_type" {
   default     = "cloudwatch-logs"
-  description = "For CloudWatch Logs use `cloudwatch-logs` or for Kinesis Data Firehose use `kinesis-firehose`."
+  description = "For CloudWatch Logs use `cloudwatch-logs` or for Kinesis Data Firehose use `kinesis-firehose`. Only 'cloudwatch-logs' supported at the moment."
   type        = string
 }
 
@@ -126,10 +167,48 @@ variable "log_type" {
   default     = ["slow-log", "engine-log"]
   type        = list(string)
   description = "Type of logs, slow-log and engine-log"
+
   validation {
     condition = alltrue([
       for type in var.log_type : contains(["slow-log", "engine-log"], type)
     ])
-    error_message = "The log_type allowed are only slow-log and engine-log."
+    error_message = "The allowed log types are 'slow-log' and 'engine-log'."
   }
 }
+
+variable "log_retention_in_days" {
+  description = "The number of days log events are kept in CloudWatch Logs."
+  default     = 30
+  type        = number
+}
+
+variable "log_skip_destroy" {
+  description = "Whether to skip the deletion of the log groups when deleting the log group resources."
+  default     = false
+  type        = bool
+}
+
+variable "log_enable_customer_managed_kms" {
+  description = "Whether to enable customer managed KMS key for CloudWatch Logs encryption."
+  default     = false
+  type        = bool
+}
+
+# SNS Topic
+variable "enable_sns_sse_encryption" {
+  description = "Enable SSE Encryption for SNS Topic."
+  default     = true
+  type        = bool
+}
+
+variable "sns_kms_master_key_id" {
+  description = "The ID of an AWS KMS key for the SNS topic."
+  default     = "alias/aws/sns"
+  type        = string
+}
+
+variable "sns_event_recipients" {
+  default     = []
+  description = "Recipients of the ElastiCache SNS event topic. Should be a list of E-Mails."
+  type        = list(string)
+}