Tags: amazon-web-services, terraform-provider-aws, aws-security-group

how to apply security groups to aws_elasticache_replication_group


My Terraform script is as follows; everything is in a VPC:

resource "aws_security_group" "cacheSecurityGroup" {
  name   = "${var.devname}-${var.namespace}-${var.stage}-RedisCache-SecurityGroup"
  vpc_id = var.vpc.vpc_id
  tags   = var.default_tags
  ingress {
    protocol         = "tcp"
    from_port        = 6379
    to_port          = 6379
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  egress {
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_elasticache_parameter_group" "usagemonitorCacheParameterGroup" {
  name    = "${var.devname}${var.namespace}${var.stage}-usagemonitor-cache-parameterGroup"
  family  = "redis6.x"
}

resource "aws_elasticache_subnet_group" "redis_subnet_group" {
  name       = "${var.devname}${var.namespace}${var.stage}-usagemonitor-cache-subnetGroup"
  subnet_ids = var.vpc.database_subnets
}

resource "aws_elasticache_replication_group" "replication_group_usagemonitor" {
  replication_group_id          = "${var.devname}${var.namespace}${var.stage}-usagemonitor-cache"
  replication_group_description = "Replication group for Usagemonitor"
  node_type                     = "cache.t2.micro"
  number_cache_clusters         = 2
  parameter_group_name          = aws_elasticache_parameter_group.usagemonitorCacheParameterGroup.name
  subnet_group_name             = aws_elasticache_subnet_group.redis_subnet_group.name
  #security_group_names          = [aws_elasticache_security_group.bar.name]
  automatic_failover_enabled    = true
  at_rest_encryption_enabled    = true
  port                          = 6379
}

If I uncomment the line

#security_group_names          = [aws_elasticache_security_group.bar.name]

I get the following error:

Error: Error creating Elasticache Replication Group: InvalidParameterCombination: Use of cache security groups is not permitted along with cache subnet group and/or security group Ids.
    status code: 400, request id: 4e70e86d-b868-45b3-a1d2-88ab652dc85e

I read that we don't have to use aws_elasticache_security_group if all resources are inside a VPC. What is the correct way to assign security groups to aws_elasticache_replication_group? Using subnets? How?


Solution

  • I do something like this; I believe this is the best way to assign the required configuration:

    resource "aws_security_group" "redis" {
      name_prefix = "${var.name_prefix}-redis-"
      vpc_id      = var.vpc_id
    
      lifecycle {
        create_before_destroy = true
      }
    }
    
    resource "aws_elasticache_replication_group" "redis" {
      ...
      engine             = "redis"
      subnet_group_name  = aws_elasticache_subnet_group.redis.name
      security_group_ids = concat(var.security_group_ids, [aws_security_group.redis.id])
    }
    

    Your subnet group basically includes all private or public subnets from your VPC where the elasticache replication group is going to be created.

    In general, use security group ids instead of names.

    I have written a Terraform module that definitely works; if you are interested, it is available with examples at https://github.com/umotif-public/terraform-aws-elasticache-redis.
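An added example, not code from the question, the answer or the linked module, showing the complete VPC-only wiring the answer describes: a subnet group, a security group whose ingress is bounded to the application tier's own security group instead of 0.0.0.0/0, and a replication group that references both through security_group_ids (never security_group_names, which is what triggered the InvalidParameterCombination error). The variables var.name, var.vpc_id, var.private_subnet_ids and var.app_security_group_id are assumptions; attribute names follow those already used in the question.

```hcl
# Added example; var.name, var.vpc_id, var.private_subnet_ids and
# var.app_security_group_id are assumed inputs, not from the question.

resource "aws_security_group" "redis" {
  name_prefix = "${var.name}-redis-"
  description = "Redis access for ${var.name}"
  vpc_id      = var.vpc_id

  # Only the application tier may reach Redis: source is a security
  # group, not a CIDR, so the rule follows the instances rather than IPs.
  ingress {
    description     = "Redis from application tier"
    protocol        = "tcp"
    from_port       = 6379
    to_port         = 6379
    security_groups = [var.app_security_group_id]
  }

  # Outbound left open, as in the question; the ingress rule above is
  # what bounds who can connect to the cache.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_elasticache_subnet_group" "redis" {
  name       = "${var.name}-redis-subnets"
  subnet_ids = var.private_subnet_ids
}

resource "aws_elasticache_replication_group" "redis" {
  replication_group_id          = "${var.name}-redis"
  replication_group_description = "Redis for ${var.name}"
  engine                        = "redis"
  node_type                     = "cache.t2.micro"
  number_cache_clusters         = 2
  port                          = 6379
  automatic_failover_enabled    = true
  at_rest_encryption_enabled    = true
  transit_encryption_enabled    = true

  # Inside a VPC: subnet group plus VPC security group IDs.
  # security_group_names (cache security groups) must stay unset.
  subnet_group_name  = aws_elasticache_subnet_group.redis.name
  security_group_ids = [aws_security_group.redis.id]
}
```

Run `terraform plan` after wiring the variables; the plan should show no cache security group resources, only the VPC security group attached via security_group_ids.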