feat: Allow configuring transit_encryption_mode

cloudposse · May 23, 2024 · 4b6fc5f · 4b6fc5f
1 parent caabd7e
commit 4b6fc5f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -155,6 +155,7 @@ resource "aws_elasticache_replication_group" "default" {
   engine_version             = var.engine_version
   at_rest_encryption_enabled = var.at_rest_encryption_enabled
   transit_encryption_enabled = var.transit_encryption_enabled
+  transit_encryption_mode    = var.transit_encryption_mode
   kms_key_id                 = var.at_rest_encryption_enabled ? var.kms_key_id : null
   snapshot_name              = var.snapshot_name
   snapshot_arns              = var.snapshot_arns

diff --git a/variables.tf b/variables.tf
@@ -75,6 +75,19 @@ variable "transit_encryption_enabled" {
     EOT
 }
 
+variable "transit_encryption_mode" {
+  type        = string
+  default     = "preferred"
+  description = <<-EOT
+    A setting that enables clients to migrate to in-transit encryption with no downtime. Valid values are `preferred` and `required`. When enabling encryption on an existing replication group, this must first be set to `preferred` before setting it to `required` in a subsequent apply. See the TransitEncryptionMode field in the [CreateReplicationGroup](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateReplicationGroup.html) API documentation for additional details."
+    EOT
+
+  validation {
+    condition     = lower(var.transit_encryption_mode) == "preferred" || lower(var.transit_encryption_mode) == "required"
+    error_message = "The transit_encryption_mode must be either `preferred` (Default) or `required`"
+  }
+}
+
 variable "notification_topic_arn" {
   type        = string
   default     = ""