ElastiCache Redis Auth Token

Automatically rotates the auth token for a replication group or cluster.

The database details and initial token will be written to an AWS Secrets Manager secret. Once created, the secret will automatically rotate itself using a Lambda function.

This uses the ROTATE strategy when updating the token, meaning that the previous token will remain valid until rotated again. This prevents downtime when the token is changed.
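The ROTATE behaviour described above, as an added example that is not this module's rotation Lambda code. The call shape is boto3's `modify_replication_group`; `FakeElastiCache`, `new_auth_token`, `rotate_auth_token`, `demo` and the group ID are hypothetical names constructed here so the sketch runs offline.

```python
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits

def new_auth_token(length=64):
    """Random alphanumeric token (ElastiCache accepts 16-128 characters)."""
    if not 16 <= length <= 128:
        raise ValueError("auth token length must be 16-128 characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))

def rotate_auth_token(client, replication_group_id, token):
    """Add `token` using the ROTATE strategy; the previous token stays valid."""
    return client.modify_replication_group(
        ReplicationGroupId=replication_group_id,
        AuthToken=token,
        AuthTokenUpdateStrategy="ROTATE",
        ApplyImmediately=True,
    )

class FakeElastiCache:
    """Constructed in-memory stand-in for boto3.client("elasticache")."""
    def __init__(self, initial_token):
        self.valid_tokens = [initial_token]

    def modify_replication_group(self, ReplicationGroupId, AuthToken,
                                 AuthTokenUpdateStrategy, ApplyImmediately):
        if AuthTokenUpdateStrategy != "ROTATE":
            raise NotImplementedError("only ROTATE is modelled here")
        # ROTATE keeps the most recent token and adds the new one, so the
        # token before that one stops working at this point.
        self.valid_tokens = [self.valid_tokens[-1], AuthToken]
        return {"ReplicationGroup": {"ReplicationGroupId": ReplicationGroupId}}

def demo():
    """Rotate twice and return the valid-token set after each rotation."""
    initial = new_auth_token()
    client = FakeElastiCache(initial)
    first, second = new_auth_token(), new_auth_token()
    rotate_auth_token(client, "example-group", first)  # constructed group ID
    after_first = list(client.valid_tokens)
    rotate_auth_token(client, "example-group", second)
    return initial, first, second, after_first, list(client.valid_tokens)

if __name__ == "__main__":
    initial, first, second, after_first, after_second = demo()
    print("initial token valid after 1st rotation:", initial in after_first)
    print("initial token valid after 2nd rotation:", initial in after_second)
```

Clients that cached the old token keep working for one full rotation interval, so they need to re-read the secret at least once per interval.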

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.2 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| rotation | github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function | v0.8.0 |
| secret | github.com/thoughtbot/terraform-aws-secrets//secret | v0.8.0 |
| security_group | ../../security-group | n/a |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.describe_database | resource |
| aws_iam_role_policy_attachment.access_admin_login | resource |
| aws_elasticache_replication_group.this | data source |
| aws_iam_policy_document.describe_database | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| admin_principals | Principals allowed to perform admin actions (default: current account) | list(string) | null | no |
| initial_auth_token | Initial auth token passed when the group was created | string | n/a | yes |
| read_principals | Principals allowed to read the secret (default: current account) | list(string) | null | no |
| replica_regions | List of regions to replicate the secret to | list(object({ region = string, kms_key_id = optional(string) })) | [] | no |
| replication_group_id | ID of the group for which the auth token will be managed | string | n/a | yes |
| secret_name | Override the name for this secret | string | null | no |
| security_group_ids | Security groups to attach to the rotation function | list(string) | [] | no |
| subnet_ids | Subnets in which the rotation function should run | list(string) | n/a | yes |
| tags | Tags to be applied to created resources | map(string) | {} | no |
| trust_tags | Tags required on principals accessing the secret | map(string) | {} | no |
| vpc_id | VPC in which the rotation function should run | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| environment_variables | Environment variables set by this rotation function |
| kms_key_arn | ID of the KMS key used to encrypt the secret |
| policy_json | Required IAM policies |
| rotation_role_arn | ARN of the IAM role allowed to rotate this secret |
| rotation_role_name | Name of the IAM role allowed to rotate this secret |
| secret_arn | ARN of the secrets manager secret containing credentials |
| secret_name | Name of the secrets manager secret containing credentials |