Release Tests for AWS Redis passwordless authentication #380
Open: raviharshicorp wants to merge 41 commits into main from pravi/IND-5861
+263 −111
Conversation
- Add redis_enable_iam_auth variable for IAM authentication control
- Create ElastiCache IAM user and user group for passwordless access
- Configure replication group to use IAM authentication when enabled
- Add IAM policy for ElastiCache Connect permissions in service accounts
- Pass IAM authentication parameters to runtime container engine config
- Enable passwordless Redis authentication using AWS IAM roles

This allows TFE to connect to ElastiCache Redis using IAM authentication instead of passwords, improving security and enabling passwordless workflows.

…D-5861 branch for Redis passwordless authentication
vmacdougal-hc previously approved these changes on Oct 30, 2025
- Add redis_passwordless_aws_host_name to runtime configuration
- Extract Redis cluster name from local.redis.hostname for IAM auth
- Support Redis passwordless authentication with host name for ElastiCache

- Create aws_elasticache_user.default_user explicitly for user group requirement
- AWS ElastiCache requires 'default' user to exist in every user group
- Update user_group references to use created default_user instead of string 'default'
- Add proper dependencies for user creation order
- Fix ElastiCache user group creation error for IAM authentication

Resolves: DefaultUserRequired: Redis user group needs to contain a user with the user name default

- Set default user access_string to +@ALL for full Redis command access
- Ensure default user has same level of access as IAM user
- Add clarifying comments about AWS requirement for default user
- This ensures the user group functions properly with both users

- Change authentication mode from 'no-password' to 'no-password-required'
- AWS provider expects 'no-password-required' as valid type
- This resolves the validation error in terraform plan

Error was: expected type to be one of ["password" "no-password-required" "iam"], got no-password

- Remove aws_elasticache_user.default_user resource
- AWS ElastiCache has a built-in 'default' user that already exists
- Reference the built-in default user directly in user_ids: ['default', iam_user_id]
- Remove default_user dependencies since it's not created by Terraform
- This resolves: UserAlreadyExists: User default already exists

The user group now correctly includes both required users:
1. Built-in AWS 'default' user (referenced by string)
2. Our custom IAM user (created by Terraform)

- AWS ElastiCache requires encryption-in-transit for user group based access control
- Update transit_encryption_enabled to enable when IAM auth is used
- Formula: transit_encryption_enabled = var.redis_encryption_in_transit || local.redis_use_iam_auth
- This ensures IAM authentication works while preserving user's encryption choice

Resolves: User group based access control requires encryption-in-transit to be enabled on the replication group

- Add Redis module debug outputs for IAM user creation
- Add main module debug outputs for Redis configuration chain
- Track username propagation from Redis module to TFE container
- Debug Redis environment variables in terraform-random-tfe-utility

- Only set CA certificate paths when mTLS is explicitly enabled
- For Redis IAM authentication, ElastiCache uses AWS managed certificates
- Setting ca_cert_path to null allows TLS without requiring custom CA certs
- Resolves startup check failure: open /etc/ssl/private/terraform-enterprise/redis/cacert.pem: no such file or directory

- Remove postgres-passwordless module reference that was causing test failures
- Redis passwordless test should ONLY configure Redis IAM auth, not PostgreSQL
- Fixed module count logic to not trigger postgres_passwordless module
- Removed postgres_enable_iam_auth variables that were incorrectly added
- This resolves the 'modules/postgres-passwordless: no such file' error

- Update all terraform-random-tfe-utility module references to pravi/IND-5861
- Ensures Redis passwordless variables are available across all modules

- Add redis_passwordless_aws_use_iam variable to variables.tf
- Pass redis_passwordless_aws_use_iam to runtime_container_engine_config module
- Enables AWS IAM authentication for Redis passwordless access via ElastiCache
…m in debug outputs
- Fix undefined variable reference in debug outputs causing Terraform plan failure
- Use correct variable name redis_passwordless_aws_use_iam instead of redis_enable_iam_auth
- Resolves 'Reference to undeclared input variable' error in release test

- Fix corrupted file structure in tests/standalone-vault/main.tf where copyright header was replaced with module code
- Restore proper copyright header: '# Copyright (c) HashiCorp, Inc.' and '# SPDX-License-Identifier: MPL-2.0'
- Update hcp_vault module reference to use pravi/IND-5861 branch instead of main
- Apply terraform fmt to fix alignment and formatting issues in main.tf, modules/redis/main.tf, and outputs.tf
- Resolves 'Argument or block definition required' terraform fmt error

- Change redis_passwordless_aws_use_iam to redis_passwordless_aws_use_instance_profile
- Update all references in main.tf, variables.tf, and outputs.tf
- Variable name now matches TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE

This aligns with the official TFE configuration reference documentation and resolves PR review feedback about incorrect configuration variables.

- Add redis_passwordless_aws_region variable to support TFE_REDIS_PASSWORDLESS_AWS_REGION
- Add redis_passwordless_aws_host_name mapping using existing redis hostname
- Update main.tf to pass AWS region and hostname to runtime configuration
- Fix terraform formatting alignment for CI compliance
- Complete Redis passwordless IAM authentication implementation per TFE docs

- Add redis_enable_iam_auth parameter to Redis module call
- Fix Redis module username output to return IAM username when IAM auth enabled
- This resolves 'redis user must be set when using AWS instance profile' error
- Redis IAM user is already created but wasn't being passed to TFE configuration
Critical fix: The redis_enable_iam_auth parameter was not being passed to the service_accounts module, which prevented the elasticache:Connect IAM policy from being created. This policy is required for TFE instances to connect to Redis using IAM authentication with the created IAM user.
The TFE_REDIS_USE_AUTH environment variable must be true when using either password auth OR IAM auth. Previously it was only set to true for password auth, causing 'WRONGPASS invalid username-password pair' errors for IAM authentication. Now redis_use_auth = password_auth OR iam_auth, which correctly enables authentication for both modes.
…auth

TFE validates that passwordless authentication and AUTH cannot be enabled simultaneously. When using IAM authentication:
- TFE_REDIS_USE_AUTH should be FALSE (not true)
- TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE should be TRUE
- Authentication happens via IAM user and instance profile

This is similar to PostgreSQL passwordless auth where we disable traditional authentication when using IAM.
The ElastiCache user group for IAM authentication should only contain IAM users, not the built-in 'default' user which is for password-based authentication. Having both can cause authentication conflicts. This should resolve the WRONGPASS error for IAM authentication.
Fixes duplicate variable definition in Redis module variables.tf
- redis_encryption_in_transit
- redis_encryption_at_rest
- redis_use_password_auth

These variables are required by the Redis module main.tf configuration.

AWS requires the 'default' user in all ElastiCache user groups. When using IAM authentication:
- User group contains both 'default' and IAM users
- Default user is disabled (no-password, access off)
- IAM user is enabled for authentication
- Clients authenticate using IAM user, not default

This resolves the error: 'Redis user group needs to contain a user with the user name default.'

- Remove custom default_disabled user resource
- Let AWS manage the built-in default user automatically
- Follow official AWS ElastiCache IAM documentation pattern
- Fixes authentication type validation errors
The issue was that when using IAM authentication (redis_passwordless_aws_use_instance_profile=true), we were incorrectly setting TFE_REDIS_USE_AUTH=false. Even with IAM authentication, TFE still needs TFE_REDIS_USE_AUTH=true to enable authentication (it just uses IAM tokens instead of passwords). This fixes the 'WRONGPASS invalid username-password pair' error.
For AWS IAM authentication, TFE_REDIS_USE_AUTH should be false, not true. The documentation confirms this - AWS IAM authentication doesn't use traditional AUTH. Need to investigate the actual issue with ElastiCache user configuration.
- Ensure Redis security group explicitly allows TFE instance security group
- This should fix the security group mismatch causing Redis connection failures
- Forces Terraform to refresh security group rules on next apply

- Add support for existing_vm_security_group_id to eliminate dynamic SG issues
- Reduce default node_count from 2 to 1 to cut EC2 costs in half
- Simplify Redis module to reuse TFE security group instead of creating separate one
- Make VM security group creation conditional when existing SG provided
- Update all security group rules to handle conditional logic properly

This addresses the recurring Redis IAM authentication failures caused by security group ID mismatches between EC2 and Redis resources, while also significantly reducing infrastructure costs for release tests.

- Remove malformed cidr_blocks line that was left after security group cleanup
- Fix Terraform formatting in variables.tf
- Ensure Redis module has valid syntax structure

This fixes the 'Unsupported argument' and 'Argument or block definition required' errors that were causing the release test to fail during terraform validation.

Force fresh commit to ensure CI picks up the syntax fix. The previous syntax error (orphaned cidr_blocks line) has been removed.

- Update aws_security_group_redis output to use var.tfe_instance_sg
- Remove reference to deleted aws_security_group.redis resource
- This fixes 'Reference to undeclared resource' error in terraform plan

ERROR WAS: aws_security_group.redis[0].id referenced but resource was removed
FIX: Use var.tfe_instance_sg (the shared TFE security group) instead

- Add 'default' username to elasticache:Username condition
- Allow both AWS-managed default user and custom IAM user
- Fixes WRONGPASS error when using custom IAM user authentication

- Add iam_user output from Redis module
- Pass redis_passwordless_aws_iam_user parameter to runtime config
- Use custom IAM user instead of 'default' for proper AWS IAM testing
- Add redis_passwordless_aws_iam_user variable to runtime config

This ensures we test the actual custom ElastiCache IAM user per AWS documentation instead of using the 'default' user which bypasses true IAM authentication validation.

Root cause: IAM policy was using Resource='*' with StringEquals condition, but AWS documentation requires explicit resource ARNs for ElastiCache users.

Changes:
- Update IAM policy to use explicit ARNs for replication group and users
- Add required variables for building resource ARNs
- Add data sources for region and account ID
- Pass Redis module outputs to service_accounts module

This follows the AWS documentation pattern: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth-iam.html

Use var.redis_passwordless_aws_use_instance_profile condition instead of local.redis.enabled which doesn't exist

- Remove debug outputs from main outputs.tf
- Remove unnecessary EC2 cost reduction comments
- Remove unused variables from Redis module (network_id, network_private_subnet_cidrs)
- Update Redis module call to remove unused parameters
- Remove debug test script files
- Run terraform fmt for consistent formatting

This cleanup addresses lint warnings and follows Terraform best practices.
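The commit history above settles three points that are easy to get wrong when wiring ElastiCache IAM authentication: the user group must still contain the built-in `default` user, transit encryption must be on whenever user-group access control is used, and `elasticache:Connect` should be granted on explicit replication-group and user ARNs rather than `Resource = "*"` with a condition. The following Terraform is an added example that pulls those three pieces together; it is not code from this PR or from the terraform-random-tfe-utility modules. The variable names `redis_encryption_in_transit` and `redis_passwordless_aws_use_instance_profile` are taken from the commit messages; the resource names, user id, group id, node type and policy name are illustrative assumptions.

```hcl
# Added example, not code from PR #380. Resource names and ids are illustrative.

variable "redis_encryption_in_transit" {
  type    = bool
  default = false
}

variable "redis_passwordless_aws_use_instance_profile" {
  type    = bool
  default = true
}

locals {
  redis_use_iam_auth = var.redis_passwordless_aws_use_instance_profile

  # User-group based access control requires encryption in transit, so the
  # operator's choice is OR-ed with the IAM requirement (formula from the commit log).
  transit_encryption_enabled = var.redis_encryption_in_transit || local.redis_use_iam_auth
}

# IAM-authenticated user: no password is stored on the cache; clients present a
# short-lived SigV4 token at AUTH time instead.
resource "aws_elasticache_user" "iam" {
  count         = local.redis_use_iam_auth ? 1 : 0
  user_id       = "tfe-redis-iam-user" # illustrative id
  user_name     = "tfe-redis-iam-user" # the name the client authenticates as
  engine        = "REDIS"
  access_string = "on ~* +@all"

  authentication_mode {
    type = "iam"
  }
}

# AWS requires the built-in "default" user in every user group. It already exists,
# so it is referenced by id here rather than created as a resource.
resource "aws_elasticache_user_group" "iam" {
  count         = local.redis_use_iam_auth ? 1 : 0
  engine        = "REDIS"
  user_group_id = "tfe-redis-iam-group"
  user_ids      = ["default", aws_elasticache_user.iam[0].user_id]
}

resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "tfe-redis"
  description                = "TFE Redis (illustrative)"
  engine                     = "redis"
  node_type                  = "cache.t4g.small"
  num_cache_clusters         = 1
  transit_encryption_enabled = local.transit_encryption_enabled
  user_group_ids             = local.redis_use_iam_auth ? [aws_elasticache_user_group.iam[0].user_group_id] : null
}

# Least-privilege Connect policy: scoped to the exact replication group and user
# ARNs, which is the pattern the AWS auth-iam documentation prescribes.
data "aws_iam_policy_document" "redis_connect" {
  count = local.redis_use_iam_auth ? 1 : 0

  statement {
    sid     = "ElastiCacheConnect"
    effect  = "Allow"
    actions = ["elasticache:Connect"]
    resources = [
      aws_elasticache_replication_group.redis.arn,
      aws_elasticache_user.iam[0].arn,
    ]
  }
}

# Attach this policy to the instance profile role that TFE runs under.
resource "aws_iam_policy" "redis_connect" {
  count  = local.redis_use_iam_auth ? 1 : 0
  name   = "tfe-redis-connect"
  policy = data.aws_iam_policy_document.redis_connect[0].json
}
```

Two checks worth running after `terraform apply`: `aws elasticache describe-user-groups` should list both `default` and the IAM user in the group, and the replication group must report `TransitEncryptionEnabled: true`, otherwise ElastiCache rejects the user-group attachment with the same error quoted in the commit log. Because the policy names the user ARN, a client that authenticates as any other user name (including `default`) is denied at the IAM layer, which is what makes the test exercise real IAM authentication rather than the built-in user.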
Background
Release Tests for AWS Redis passwordless authentication.
Infra related variables are defined here.
Will update the reference to main before merging this PR.
Related PR: terraform-enterprise https://github.com/hashicorp/terraform-enterprise/pull/3149
How Has This Been Tested
CI/CD: https://github.com/hashicorp/terraform-enterprise/actions/runs/19529721862/job/55909640280
Screenshots