hashicorp · raviharshicorp · Sep 30, 2025 · Nov 4, 2025 · Nov 6, 2025 · Nov 6, 2025
@@ -3,23 +3,31 @@
 
 locals {
   redis = {
-    TFE_REDIS_HOST                               = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
-    TFE_REDIS_USER                               = var.redis_user
-    TFE_REDIS_PASSWORD                           = var.redis_password
-    TFE_REDIS_USE_TLS                            = var.redis_use_tls
-    TFE_REDIS_USE_AUTH                           = var.redis_use_auth
-    TFE_REDIS_SENTINEL_ENABLED                   = var.redis_use_sentinel
-    TFE_REDIS_SENTINEL_HOSTS                     = join(",", var.redis_sentinel_hosts)
-    TFE_REDIS_SENTINEL_LEADER_NAME               = var.redis_sentinel_leader_name
-    TFE_REDIS_SENTINEL_PASSWORD                  = var.redis_sentinel_password
-    TFE_REDIS_SENTINEL_USERNAME                  = var.redis_sentinel_user
-    TFE_REDIS_CA_CERT_PATH                       = var.redis_ca_cert_path
-    TFE_REDIS_CLIENT_CERT_PATH                   = var.redis_client_cert_path
-    TFE_REDIS_CLIENT_KEY_PATH                    = var.redis_client_key_path
-    TFE_REDIS_USE_MTLS                           = var.redis_use_mtls ? "true" : var.enable_sentinel_mtls ? "true" : "false"
-    TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI         = var.redis_passwordless_azure_use_msi
-    TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI = var.redis_passwordless_azure_use_msi
-    TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID       = var.redis_passwordless_azure_client_id
+    TFE_REDIS_HOST                                          = var.redis_use_tls != null ? var.redis_use_tls ? "${var.redis_host}:6380" : var.redis_host : null
+    TFE_REDIS_USER                                          = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+    TFE_REDIS_PASSWORD                                      = var.redis_passwordless_aws_use_instance_profile ? null : var.redis_password
+    TFE_REDIS_USE_TLS                                       = var.redis_use_tls
+    TFE_REDIS_USE_AUTH                                      = var.redis_use_auth
+    TFE_REDIS_SENTINEL_ENABLED                              = var.redis_use_sentinel
+    TFE_REDIS_SENTINEL_HOSTS                                = join(",", var.redis_sentinel_hosts)
+    TFE_REDIS_SENTINEL_LEADER_NAME                          = var.redis_sentinel_leader_name
+    TFE_REDIS_SENTINEL_PASSWORD                             = var.redis_sentinel_password
+    TFE_REDIS_SENTINEL_USERNAME                             = var.redis_sentinel_user
+    TFE_REDIS_CA_CERT_PATH                                  = var.redis_ca_cert_path
+    TFE_REDIS_CLIENT_CERT_PATH                              = var.redis_client_cert_path
+    TFE_REDIS_CLIENT_KEY_PATH                               = var.redis_client_key_path
+    TFE_REDIS_USE_MTLS                                      = var.redis_use_mtls ? "true" : var.enable_sentinel_mtls ? "true" : "false"
+    TFE_REDIS_PASSWORDLESS_AZURE_USE_MSI                    = var.redis_passwordless_azure_use_msi
+    TFE_REDIS_SIDEKIQ_PASSWORDLESS_AZURE_USE_MSI            = var.redis_passwordless_azure_use_msi
+    TFE_REDIS_PASSWORDLESS_AZURE_CLIENT_ID                  = var.redis_passwordless_azure_client_id
+    TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE         = var.redis_passwordless_aws_use_instance_profile
+    TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE = var.redis_passwordless_aws_use_instance_profile
+    TFE_REDIS_PASSWORDLESS_AWS_REGION                       = var.redis_passwordless_aws_region
+    TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_REGION               = var.redis_passwordless_aws_region
+    TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME                    = var.redis_passwordless_aws_host_name
+    TFE_REDIS_SIDEKIQ_PASSWORDLESS_AWS_HOST_NAME            = var.redis_passwordless_aws_host_name
+    TFE_REDIS_SIDEKIQ_USER                                  = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
-    TFE_REDIS_SIDEKIQ_USER                                  = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+    TFE_REDIS_SIDEKIQ_USER                                  = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+    # TFE_REDIS_SIDEKIQ_USE_TLS is set to var.redis_use_tls to ensure Sidekiq uses TLS if required.
+    # This variable was added to fix missing Sidekiq TLS configuration; it is unrelated to AWS IAM authentication.
-    TFE_REDIS_SIDEKIQ_USER                                  = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+    TFE_REDIS_SIDEKIQ_USER                                  = var.redis_passwordless_aws_use_instance_profile ? var.redis_passwordless_aws_iam_user : var.redis_user
+    # TFE_REDIS_SIDEKIQ_USE_TLS is set to var.redis_use_tls to ensure Sidekiq uses TLS if required.
+    # This variable was added to fix missing Sidekiq TLS configuration; it is unrelated to AWS IAM authentication.
+    TFE_REDIS_SIDEKIQ_USE_TLS                               = var.redis_use_tls
   }
   redis_configuration = local.active_active ? local.redis : {}
 }
@@ -369,6 +369,30 @@ variable "redis_passwordless_azure_client_id" {
   description = "Azure Managed Service Identity (MSI) Client ID to be used for redis authentication. If not set, System Assigned Managed Identity will be used."
 }
 
+variable "redis_passwordless_aws_use_instance_profile" {
+  type        = bool
+  description = "Boolean to use AWS instance profile for Redis IAM authentication."
+  default     = false
+}
+
+variable "redis_passwordless_aws_region" {
+  type        = string
+  description = "AWS Region of the AWS ElastiCache resource for Redis passwordless authentication."
+  default     = null
+}
+
+variable "redis_passwordless_aws_host_name" {
+  type        = string
+  description = "The name of the Redis instance on AWS for passwordless authentication."
+  default     = null
+}
+
+variable "redis_passwordless_aws_iam_user" {
+  type        = string
+  description = "The IAM username for Redis IAM authentication."
+  default     = null
+}
+
 variable "run_pipeline_image" {
   type        = string
   description = "Container image used to execute Terraform runs. Leave blank to use the default image that comes with Terraform Enterprise. Defaults to \"\" if no value is given."