Skip to content

feat: transit_encryption_mode #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Sep 10, 2025
Merged

feat: transit_encryption_mode #47

merged 4 commits into from
Sep 10, 2025

Conversation

milldr
Copy link
Contributor

@milldr milldr commented Sep 9, 2025
edited by coderabbitai bot
Loading

what

  • Add output for transit encryption mode in Redis cluster
  • Fix TFLint warnings

why

  • When "Encryption in transit" is enabled for Redis, the transit_encryption_mode must also be set.

references

.

Summary by CodeRabbit

  • New Features

    • Surfaces TLS in‑transit encryption mode for Redis clusters via a new top‑level variable and outputs.

  • Refactor

    • Simplified internal token handling for Redis clusters.
    • Added explicit typing for a module variable to improve validation.
    • Removed an unnecessary provider requirement from the Redis module.
    • Bumped Redis module version to a newer release.

  • Chores

    • Updated repository ignore rules to exclude account-map directories.

@milldr milldr added the minor New features that do not break anything label Sep 9, 2025
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Sep 9, 2025
edited
Loading

Walkthrough

Adds gitignore rule for account-map/. Introduces transit_encryption_mode variable at root and passes it into the Redis module, exposes matching outputs at module and root, changes auth_token retrieval to use one(...), sets kms_alias_name_ssm type, and removes the aws provider from the Redis module's required_providers.

Changes

Cohort / File(s) Summary of Changes
Repository ignore rules
\.gitignore		 Add rule to ignore any account-map/ directory.
Redis cluster module: variables
src/modules/redis_cluster/variables.tf		 Add transit_encryption_mode string field to cluster_attributes object; add type = string to kms_alias_name_ssm variable.
Redis cluster module: module call & logic
src/modules/redis_cluster/main.tf		 Pass transit_encryption_mode = var.cluster_attributes.transit_encryption_mode into module "redis"; change auth_token expression to local.auth_token_enabled ? one(random_password.auth_token[*].result) : null; bump module version from 1.9.2 to 1.10.0.
Redis cluster module: outputs
src/modules/redis_cluster/outputs.tf		 Add output transit_encryption_mode = module.redis.transit_encryption_mode (described as TLS in-transit encryption mode).
Redis cluster module: versions
src/modules/redis_cluster/versions.tf		 Remove aws provider declaration from terraform.required_providers (keep random).
Root module: inputs
src/variables.tf, src/main.tf		 Add root-level variable variable "transit_encryption_mode" { type = string; default = null; ... }; include transit_encryption_mode = var.transit_encryption_mode in local.cluster_attributes.
Root module: outputs
src/outputs.tf		 Add root output transit_encryption_mode using local.enabled ? try(module.redis_clusters[keys(var.redis_clusters)[0]].transit_encryption_mode, null) : null.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Root as Root Module
  participant RedisMod as Redis Cluster Module
  Note over Root: Root stores var.transit_encryption_mode and local.enabled

  User->>Root: request output transit_encryption_mode
  alt local.enabled == true
    Root->>RedisMod: read transit_encryption_mode from first redis cluster (try(...))
    RedisMod-->>Root: returns transit_encryption_mode (or null)
    Root-->>User: returns value
  else local.enabled == false
    Root-->>User: null
  end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks (3 passed)

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The current title directly references the primary change of exposing the transit_encryption_mode feature and is concise without extraneous details, so it accurately summarizes the pull request’s main objective.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

Poem

I hop through HCL with eager feet,
Added modes so TLS is neat.
One token plucked, outputs in view,
Ignored a map — no files to chew.
A rabbit nods: infra true 🐇✨

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feature/expose-transit-encryption-mode

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@mergify mergify bot requested review from a team September 9, 2025 19:28
coderabbitai[bot]
coderabbitai bot reviewed Sep 9, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/modules/redis_cluster/main.tf (1)

11-47: Wire through transit_encryption_mode to actually support the PR rationale.

Right now we only expose the mode as an output; there’s no way to set it. Please plumb an input into the child module so users can set preferred/required when transit encryption is enabled. AWS added this in provider v5.47.0 and requires a two-step migration (preferred then required). (github.com, docs.aws.amazon.com)

Add this line inside module "redis":

# inside module "redis"
transit_encryption_mode = var.cluster_attributes.transit_encryption_mode

And add the attribute to cluster_attributes (see variables.tf comment).

src/modules/redis_cluster/variables.tf (1)

53-74: Add optional transit_encryption_mode to cluster_attributes with value validation.

Needed to actually configure the mode (preferred/required) when in-transit encryption is enabled. (github.com)

Add the attribute to the object type (keeping it optional to avoid breaking callers):

variable "cluster_attributes" {
  type = object({
    availability_zones              = list(string)
    vpc_id                          = string
    additional_security_group_rules = list(any)
    allowed_security_groups         = list(string)
    allow_all_egress                = bool
    subnets                         = list(string)
    family                          = string
    port                            = number
    zone_id                         = string
    multi_az_enabled                = bool
    at_rest_encryption_enabled      = bool
    transit_encryption_enabled      = bool
    apply_immediately               = bool
    automatic_failover_enabled      = bool
    auto_minor_version_upgrade      = bool
    auth_token_enabled              = bool
    snapshot_retention_limit        = number
    transit_encryption_mode         = optional(string) # "preferred" | "required"
  })
  description = "Cluster attributes"

  validation {
    condition     = try(var.cluster_attributes.transit_encryption_mode == null || contains(["preferred","required"], lower(var.cluster_attributes.transit_encryption_mode)), true)
    error_message = "transit_encryption_mode must be null, \"preferred\", or \"required\"."
  }
}
🧹 Nitpick comments (2)
.gitignore (1)

79-79: Scope the ignore rule to repo root (if intended).

If you only mean to ignore the top-level directory, prefix with a slash; otherwise this also ignores any nested account-map/ dirs.

-account-map/
+/account-map/
src/outputs.tf (1)

11-14: Expose modes for all clusters (optional).

Current pattern returns only the first cluster’s mode. Consider returning a map keyed by cluster for multi-cluster users. (Keep existing output for backward compatibility if needed.)

# Alternative/additional output
output "transit_encryption_modes" {
  description = "TLS in-transit encryption mode per Redis cluster"
  value       = local.enabled ? { for name, mod in module.redis_clusters : name => try(mod.transit_encryption_mode, null) } : {}
}

Also ensure the child module actually exports transit_encryption_mode as an output to prevent plan errors. (github.com)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a65d3c and fc1b162.

📒 Files selected for processing (6)
  • .gitignore (1 hunks)
  • src/modules/redis_cluster/main.tf (1 hunks)
  • src/modules/redis_cluster/outputs.tf (1 hunks)
  • src/modules/redis_cluster/variables.tf (1 hunks)
  • src/modules/redis_cluster/versions.tf (0 hunks)
  • src/outputs.tf (1 hunks)
💤 Files with no reviewable changes (1)
  • src/modules/redis_cluster/versions.tf
🧰 Additional context used
📓 Path-based instructions (2)
src/@(main|variables|outputs|providers|versions|context).tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component as the source of truth under src/ with files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

  • src/outputs.tf
**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for Terraform files
In Terraform, use lower_snake_case for variables and locals; keep resource/data source names descriptive and aligned with Cloud Posse null-label patterns
Do not commit formatting violations; run terraform fmt -recursive
Adhere to TFLint rules defined in .tflint.hcl

Files:

  • src/outputs.tf
  • src/modules/redis_cluster/variables.tf
  • src/modules/redis_cluster/outputs.tf
  • src/modules/redis_cluster/main.tf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
🔇 Additional comments (4)
src/modules/redis_cluster/main.tf (2)

8-8: Direct indexing over splat/join is correct.

This resolves the TFLint warning and avoids unnecessary allocations. LGTM.

41-44: Compatibility note: provider and engine constraints.

Ensure the component enforces aws provider >= 5.47.0 and document that transit_encryption_mode only applies to Redis OSS 7+ for modify operations. Otherwise applies may fail on older engines. (github.com, docs.aws.amazon.com)

src/modules/redis_cluster/variables.tf (1)

91-91: Typing looks good.

Explicit string type for kms_alias_name_ssm is fine; SSM supports alias names for KMS key_id.

src/modules/redis_cluster/outputs.tf (1)

31-34: Verify upstream output exists in v1.9.2.

This forwards module.redis.transit_encryption_mode; confirm the Cloud Posse module exposes an output with that exact name in v1.9.2, or this will fail at plan time. The module added the input in v1.4.0; output availability isn’t clearly documented. (github.com)

If not present upstream, fallback to outputting the configured value:

-output "transit_encryption_mode" {
-  value       = module.redis.transit_encryption_mode
-  description = "TLS in-transit encryption mode for Redis cluster"
-}
+output "transit_encryption_mode" {
+  value       = var.cluster_attributes.transit_encryption_mode
+  description = "TLS in-transit encryption mode for Redis cluster"
+}

@milldr
Copy link
Contributor Author

milldr commented Sep 9, 2025

/terratest

RoseSecurity
RoseSecurity reviewed Sep 9, 2025
View reviewed changes
@mergify mergify bot requested a review from a team September 9, 2025 20:08
@mergify mergify bot added the needs-test Needs testing label Sep 9, 2025
@milldr
Copy link
Contributor Author

milldr commented Sep 9, 2025

/terratest

coderabbitai[bot]
coderabbitai bot reviewed Sep 9, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
src/modules/redis_cluster/outputs.tf (1)

31-34: Good addition; consider guarding with try() for robustness and consistency.

If cluster_attributes.transit_encryption_mode is not always set, accessing it will fail when local.enabled is true. Using try() mirrors the pattern used at the root output and avoids hard failures while still yielding null when absent.

Apply this diff:

 output "transit_encryption_mode" {
-  value       = local.enabled ? var.cluster_attributes.transit_encryption_mode : null
+  value       = local.enabled ? try(var.cluster_attributes.transit_encryption_mode, null) : null
   description = "TLS in-transit encryption mode for Redis cluster"
 }
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc1b162 and 4955b0d.

📒 Files selected for processing (2)
  • src/modules/redis_cluster/main.tf (1 hunks)
  • src/modules/redis_cluster/outputs.tf (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/modules/redis_cluster/main.tf
🧰 Additional context used
📓 Path-based instructions (1)
**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for Terraform files
In Terraform, use lower_snake_case for variables and locals; keep resource/data source names descriptive and aligned with Cloud Posse null-label patterns
Do not commit formatting violations; run terraform fmt -recursive
Adhere to TFLint rules defined in .tflint.hcl

Files:

  • src/modules/redis_cluster/outputs.tf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary

@milldr milldr changed the title feat: transit_encryption_mode output feat: transit_encryption_mode Sep 10, 2025
@milldr
Copy link
Contributor Author

milldr commented Sep 10, 2025

/terratest

coderabbitai[bot]
coderabbitai bot reviewed Sep 10, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (4)
src/variables.tf (1)

53-57: Validate allowed values and couple to transit_encryption_enabled

Prevent config drift and invalid plans by validating the mode and only allowing it when TLS is enabled.

Apply:

 variable "transit_encryption_mode" {
   type        = string
   default     = null
   description = "Transit encryption mode. Valid values are 'preferred' and 'required'"
+  validation {
+    condition     = var.transit_encryption_mode == null || contains(["preferred", "required"], lower(var.transit_encryption_mode))
+    error_message = "transit_encryption_mode must be null, 'preferred', or 'required'."
+  }
+  validation {
+    condition     = var.transit_encryption_enabled || var.transit_encryption_mode == null
+    error_message = "Set transit_encryption_mode only when transit_encryption_enabled = true."
+  }
 }
src/modules/redis_cluster/variables.tf (1)

67-67: Make attribute optional to accept null cleanly

This avoids type noise when the root passes null and keeps the schema future-proof.

-    transit_encryption_mode         = string
+    transit_encryption_mode         = optional(string)

If the repo pins Terraform < 0.15, optional() may not be available. Confirm TF version before applying.

src/main.tf (1)

49-51: Prefer explicit default to avoid provider/API default drift

Set “preferred” when TLS is enabled and mode unset; otherwise pass null. This matches AWS defaults while being explicit.

-    transit_encryption_enabled       = var.transit_encryption_enabled
-    transit_encryption_mode          = var.transit_encryption_mode
+    transit_encryption_enabled       = var.transit_encryption_enabled
+    transit_encryption_mode          = var.transit_encryption_enabled ? coalesce(var.transit_encryption_mode, "preferred") : null
src/modules/redis_cluster/outputs.tf (1)

31-34: Align output gating with existing outputs

Other outputs aren’t gated by local.enabled; keep consistent unless there’s a specific reason.

-output "transit_encryption_mode" {
-  value       = local.enabled ? module.redis.transit_encryption_mode : null
-  description = "TLS in-transit encryption mode for Redis cluster"
-}
+output "transit_encryption_mode" {
+  value       = module.redis.transit_encryption_mode
+  description = "TLS in-transit encryption mode for Redis cluster"
+}

If module.redis is conditionally created elsewhere, keep the guard; otherwise, consider removing it here or adding guards to all outputs for consistency.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4955b0d and 7a32f10.

📒 Files selected for processing (5)
  • src/main.tf (1 hunks)
  • src/modules/redis_cluster/main.tf (2 hunks)
  • src/modules/redis_cluster/outputs.tf (1 hunks)
  • src/modules/redis_cluster/variables.tf (2 hunks)
  • src/variables.tf (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/modules/redis_cluster/main.tf
🧰 Additional context used
📓 Path-based instructions (2)
src/@(main|variables|outputs|providers|versions|context).tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component as the source of truth under src/ with files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

  • src/variables.tf
  • src/main.tf
**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for Terraform files
In Terraform, use lower_snake_case for variables and locals; keep resource/data source names descriptive and aligned with Cloud Posse null-label patterns
Do not commit formatting violations; run terraform fmt -recursive
Adhere to TFLint rules defined in .tflint.hcl

Files:

  • src/variables.tf
  • src/main.tf
  • src/modules/redis_cluster/variables.tf
  • src/modules/redis_cluster/outputs.tf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
🔇 Additional comments (1)
src/modules/redis_cluster/variables.tf (1)

92-95: LGTM: explicit type for kms_alias_name_ssm

Explicit typing improves validation without behavior change.

goruha
goruha requested changes Sep 10, 2025
View reviewed changes
goruha
goruha requested changes Sep 10, 2025
View reviewed changes
@milldr @goruha
Update src/modules/redis_cluster/outputs.tf
4701ff2 
Co-authored-by: Igor Rodionov  <goruha@gmail.com>
@milldr milldr added this pull request to the merge queue Sep 10, 2025
@mergify mergify bot requested a review from a team September 10, 2025 14:27
@milldr
Copy link
Contributor Author

milldr commented Sep 10, 2025

/terratest

coderabbitai[bot]
coderabbitai bot reviewed Sep 10, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

♻️ Duplicate comments (1)
src/modules/redis_cluster/outputs.tf (1)

31-34: LGTM: Output correctly wired to nested module.

Exposes transit_encryption_mode via module.redis.transit_encryption_mode as suggested previously. No issues.

🧹 Nitpick comments (1)
src/modules/redis_cluster/outputs.tf (1)

31-34: Consider consistent naming with existing outputs.

Most outputs in this file use the cluster_ prefix. For consistency, consider renaming to cluster_transit_encryption_mode. If you do, update any downstream references accordingly.

-output "transit_encryption_mode" {
+output "cluster_transit_encryption_mode" {
   value       = module.redis.transit_encryption_mode
   description = "TLS in-transit encryption mode for Redis cluster"
 }

If you prefer the current name for external API stability, keep it as-is and optionally add an alias output to maintain both.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7a32f10 and 4701ff2.

📒 Files selected for processing (1)
  • src/modules/redis_cluster/outputs.tf (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

**/*.tf: Use 2-space indentation for Terraform files
In Terraform, use lower_snake_case for variables and locals; keep resource/data source names descriptive and aligned with Cloud Posse null-label patterns
Do not commit formatting violations; run terraform fmt -recursive
Adhere to TFLint rules defined in .tflint.hcl

Files:

  • src/modules/redis_cluster/outputs.tf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
🔇 Additional comments (2)
src/modules/redis_cluster/outputs.tf (2)

30-30: No action: formatting-only change.

Whitespace aligns with terraform fmt.

31-34: Confirm upstream support for transit_encryption_mode: ensure the external module cloudposse/elasticache-redis/aws v1.10.0 defines an output named transit_encryption_mode; if it doesn’t, add or update that output upstream or adjust your wrapper accordingly.

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Sep 10, 2025
@milldr milldr added this pull request to the merge queue Sep 10, 2025
@milldr milldr removed the needs-test Needs testing label Sep 10, 2025
Merged via the queue into main with commit cde2c4d Sep 10, 2025
20 checks passed
@milldr milldr deleted the feature/expose-transit-encryption-mode branch September 10, 2025 18:09
@github-actions GitHub Actions
Copy link

These changes were released in v1.537.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@goruha goruha goruha approved these changes

@RoseSecurity RoseSecurity RoseSecurity approved these changes

Assignees
No one assigned
Labels
minor New features that do not break anything
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@milldr @goruha @RoseSecurity