How do I configure RBAC for ElastiCache?


I have an ElastiCache resource which I have set up using the Terraform resource aws_elasticache_cluster. I would also like to configure authentication so that clients will need to provide a username and password to connect. There are no such properties in the aws_elasticache_cluster resource and I'm not sure how to set this up directly in the console either. I would be grateful for some pointers to the right documentation.

Thanks in advance

asked a year ago, 609 views
1 Answer

Documentation on applying RBAC to Amazon ElastiCache for Redis: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html#rbac-using

Terraform resource documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_user_group_association

High-level Terraform example (untested):

# Every user group must contain a user whose user_name is "default". Its
# permissions apply to any client that authenticates as "default".
resource "aws_elasticache_user" "default" {
  user_id       = "defaultUserID"
  user_name     = "default"
  # Redis ACL rules are applied left to right: everything is removed (-@all),
  # read plus hash/bitmap/geo commands are added back, and the write commands
  # inside those categories are removed again.
  access_string = "on ~app::* -@all +@read +@hash +@bitmap +@geo -setbit -bitfield -hset -hsetnx -hmset -hincrby -hincrbyfloat -hdel -bitop -geoadd -georadius -georadiusbymember"
  engine        = "REDIS"
  # Placeholder only: passwords must be 16-128 characters and should be
  # injected from a secret store (e.g. a sensitive variable), not committed.
  passwords     = ["password123456789"]
}

resource "aws_elasticache_user_group" "example" {
  engine        = "REDIS"
  user_group_id = "userGroupId"
  user_ids      = [aws_elasticache_user.default.user_id]

  # Additional members are managed by aws_elasticache_user_group_association
  # below, so ignore drift in user_ids here.
  lifecycle {
    ignore_changes = [user_ids]
  }
}

resource "aws_elasticache_user" "example" {
  user_id       = "exampleUserID"
  user_name     = "exampleuser"
  access_string = "on ~app::* -@all +@read +@hash +@bitmap +@geo -setbit -bitfield -hset -hsetnx -hmset -hincrby -hincrbyfloat -hdel -bitop -geoadd -georadius -georadiusbymember"
  engine        = "REDIS"
  passwords     = ["password123456789"] # placeholder, see above
}

resource "aws_elasticache_user_group_association" "example" {
  user_group_id = aws_elasticache_user_group.example.user_group_id
  user_id       = aws_elasticache_user.example.user_id
}

resource "aws_elasticache_replication_group" "example" {
  automatic_failover_enabled  = true
  preferred_cache_cluster_azs = ["us-west-2a", "us-west-2b"]
  replication_group_id        = "tf-rep-group-1"
  description                 = "example description"
  node_type                   = "cache.m4.large"
  num_cache_clusters          = 2
  port                        = 6379

  # RBAC (user groups) requires Redis 6.0 or later, so a Redis 3.2
  # parameter group such as default.redis3.2 cannot be used.
  engine               = "redis"
  engine_version       = "7.1"
  parameter_group_name = "default.redis7"

  # In-transit encryption is required when user_group_ids is set; clients
  # then connect over TLS and AUTH with username + password.
  transit_encryption_enabled = true
  at_rest_encryption_enabled = true

  # Attach the user group by its user_group_id (the resource's id is the same value).
  user_group_ids = [aws_elasticache_user_group.example.user_group_id]

  # Extra replicas are created by the aws_elasticache_cluster resource below,
  # so ignore drift in the count here.
  lifecycle {
    ignore_changes = [num_cache_clusters]
  }
}

# Optional extra replica attached to the replication group above.
resource "aws_elasticache_cluster" "replica" {
  count = 1

  cluster_id           = "tf-rep-group-1-${count.index}"
  replication_group_id = aws_elasticache_replication_group.example.id
}

AWS
answered 10 months ago
