Add terraform modules for ElastiCache Redis RBAC (#4)

Author: posquit0

examples/elasticache-redis-with-users/main.tf

@@ -0,0 +1,97 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+
+###################################################
+# ElastiCache Redis Cluster
+###################################################
+
+module "cluster" {
+  source = "../../modules/elasticache-redis-cluster"
+  # source  = "tedilabs/db/aws//modules/elasticache-redis-cluster"
+  # version = "~> 0.2.0"
+
+  name        = "example-redis-single"
+  description = "Managed by Terraform."
+
+  redis_version      = "6.2"
+  node_instance_type = "cache.t4g.micro"
+  node_size          = 1
+
+  user_groups = [module.user_group.id]
+
+  encryption_in_transit = {
+    enabled = true
+  }
+
+  tags = {
+    "project" = "terraform-aws-db-examples"
+  }
+}
+
+
+###################################################
+# Redis User Groups on ElastiCache
+###################################################
+
+module "user_group" {
+  source = "../../modules/elasticache-redis-user-group"
+  # source  = "tedilabs/db/aws//modules/elasticache-redis-user-group"
+  # version = "~> 0.2.0"
+
+  name         = "example"
+  default_user = module.user["example-default"].id
+  users        = [module.user["example-admin"].id]
+
+  tags = {
+    "project" = "terraform-aws-db-examples"
+  }
+}
+
+
+###################################################
+# Redis Users on ElastiCache
+###################################################
+
+locals {
+  users = [
+    {
+      id   = "example-default"
+      name = "default"
+
+      access_string     = "on ~* -@all +@read"
+      password_required = false
+    },
+    {
+      id   = "example-admin"
+      name = "admin"
+
+      access_string     = "on ~* +@all"
+      password_required = true
+      passwords         = ["MyPassWord!Q@W#E", "MyPassW0rd!@QW#$ER"]
+    },
+  ]
+}
+
+module "user" {
+  source = "../../modules/elasticache-redis-user"
+  # source  = "tedilabs/db/aws//modules/elasticache-redis-user"
+  # version = "~> 0.2.0"
+
+  for_each = {
+    for user in try(local.users, []) :
+    user.id => user
+  }
+
+  id   = each.key
+  name = each.value.name
+
+  access_string     = try(each.value.access_string, null)
+  password_required = try(each.value.password_required, true)
+  passwords         = try(each.value.passwords, [])
+
+  tags = {
+    "project" = "terraform-aws-db-examples"
+  }
+}

examples/elasticache-redis-with-users/outputs.tf

@@ -0,0 +1,11 @@
+output "cluster" {
+  value = module.cluster
+}
+
+output "user_group" {
+  value = module.user_group
+}
+
+output "users" {
+  value = module.user
+}

examples/elasticache-redis-with-users/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}

modules/elasticache-redis-user-group/README.md

@@ -0,0 +1,57 @@
+# elasticache-redis-user-group
+
+This module creates following resources.
+
+- `aws_elasticache_user_group`
+- `aws_elasticache_user_group_association` (optional)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.30 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.34.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_elasticache_user_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_user_group) | resource |
+| [aws_elasticache_user_group_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_user_group_association) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_default_user"></a> [default\_user](#input\_default\_user) | (Optional) The ID of default user. The user group needs to contain a user with the user name default. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the ElastiCache user group. It can have up to 40 characters, and must begin with a letter. It should not end with a hyphen or contain two consecutive hyphens. Valid characters: A-Z, a-z, 0-9, and - (hyphen). | `string` | n/a | yes |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
+| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_users"></a> [users](#input\_users) | (Optional) The list of user IDs that belong to the user group. | `set(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the ElastiCache user group. |
+| <a name="output_default_user"></a> [default\_user](#output\_default\_user) | The ID of default user. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the ElastiCache user group. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the ElastiCache user group. |
+| <a name="output_users"></a> [users](#output\_users) | The list of user IDs that belong to the user group. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/elasticache-redis-user-group/main.tf

@@ -0,0 +1,37 @@
+locals {
+  metadata = {
+    package = "terraform-aws-db"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+
+###################################################
+# User Group of ElastiCache for Redis
+###################################################
+
+resource "aws_elasticache_user_group" "this" {
+  engine        = "REDIS"
+  user_group_id = var.name
+  user_ids      = [var.default_user]
+
+  lifecycle {
+    ignore_changes = [user_ids]
+  }
+}
+
+resource "aws_elasticache_user_group_association" "this" {
+  for_each = var.users
+
+  user_group_id = aws_elasticache_user_group.this.user_group_id
+  user_id       = each.value
+}

modules/elasticache-redis-user-group/outputs.tf

@@ -0,0 +1,24 @@
+output "id" {
+  description = "The ID of the ElastiCache user group."
+  value       = aws_elasticache_user_group.this.id
+}
+
+output "arn" {
+  description = "The ARN of the ElastiCache user group."
+  value       = aws_elasticache_user_group.this.arn
+}
+
+output "name" {
+  description = "The name of the ElastiCache user group."
+  value       = aws_elasticache_user_group.this.user_group_id
+}
+
+output "default_user" {
+  description = "The ID of default user."
+  value       = var.default_user
+}
+
+output "users" {
+  description = "The list of user IDs that belong to the user group."
+  value       = values(aws_elasticache_user_group_association.this).*.user_id
+}

modules/elasticache-redis-user-group/resource-group.tf

@@ -0,0 +1,31 @@
+locals {
+  resource_group_name = (var.resource_group_name != ""
+    ? var.resource_group_name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+}
+
+
+module "resource_group" {
+  source  = "tedilabs/misc/aws//modules/resource-group"
+  version = "~> 0.10.0"
+
+  count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+
+  name        = local.resource_group_name
+  description = var.resource_group_description
+
+  query = {
+    resource_tags = local.module_tags
+  }
+
+  module_tags_enabled = false
+  tags = merge(
+    local.module_tags,
+    var.tags,
+  )
+}

modules/elasticache-redis-user-group/variables.tf

@@ -0,0 +1,58 @@
+variable "name" {
+  description = "(Required) The name of the ElastiCache user group. It can have up to 40 characters, and must begin with a letter. It should not end with a hyphen or contain two consecutive hyphens. Valid characters: A-Z, a-z, 0-9, and - (hyphen)."
+  type        = string
+  nullable    = false
+}
+
+variable "default_user" {
+  description = "(Optional) The ID of default user. The user group needs to contain a user with the user name default."
+  type        = string
+  nullable    = false
+}
+
+variable "users" {
+  description = "(Optional) The list of user IDs that belong to the user group."
+  type        = set(string)
+  default     = []
+  nullable    = false
+}
+
+variable "tags" {
+  description = "(Optional) A map of tags to add to all resources."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "module_tags_enabled" {
+  description = "(Optional) Whether to create AWS Resource Tags for the module informations."
+  type        = bool
+  default     = true
+  nullable    = false
+}
+
+
+###################################################
+# Resource Group
+###################################################
+
+variable "resource_group_enabled" {
+  description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
+  type        = bool
+  default     = true
+  nullable    = false
+}
+
+variable "resource_group_name" {
+  description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
+  type        = string
+  default     = ""
+  nullable    = false
+}
+
+variable "resource_group_description" {
+  description = "(Optional) The description of Resource Group."
+  type        = string
+  default     = "Managed by Terraform."
+  nullable    = false
+}

modules/elasticache-redis-user-group/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.30"
+    }
+  }
+}