Feat/valkey elasticache (#76)

* feat: introducing valkey elasticache

* feat: add argument to control auth_token update strategy

* add new outputs for valkey, update existing output names and their descriptions

* tf-check: fix unsupported attribute redis_endpoint

* update tf-check github-actions for valkey example

Author: h1manshu98

.github/workflows/tf-checks.yml

@@ -17,3 +17,7 @@ jobs:
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
       working_directory: './examples/redis-cluster/'
+  valkey:
+    uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
+    with:
+      working_directory: './examples/valkey/'

examples/redis-cluster/outputs.tf

@@ -9,7 +9,7 @@ output "tags" {
 }
 
 output "redis_endpoint" {
-  value       = module.redis-cluster[*].redis_endpoint
+  value       = module.redis-cluster[*].elasticache_endpoint
   description = "Redis endpoint address."
 }
 

examples/redis/outputs.tf

@@ -9,7 +9,7 @@ output "tags" {
 }
 
 output "redis_endpoint" {
-  value       = module.redis.redis_endpoint
+  value       = module.redis.elasticache_endpoint
   description = "Redis endpoint address."
 }
 

examples/valkey/example.tf

@@ -0,0 +1,106 @@
+####----------------------------------------------------------------------------------
+## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+####----------------------------------------------------------------------------------
+provider "aws" {
+  region = local.region
+}
+locals {
+  name        = "valkey"
+  environment = "test"
+  region      = "us-east-1"
+}
+####----------------------------------------------------------------------------------
+## A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center.
+####----------------------------------------------------------------------------------
+module "vpc" {
+  source  = "clouddrove/vpc/aws"
+  version = "2.0.0"
+
+  name        = "${local.name}-vpc"
+  environment = local.environment
+  cidr_block  = "10.0.0.0/16"
+}
+
+####----------------------------------------------------------------------------------
+## A subnet is a range of IP addresses in your VPC.
+####----------------------------------------------------------------------------------
+module "subnets" {
+  source  = "clouddrove/subnet/aws"
+  version = "2.0.0"
+
+  name               = "${local.name}-subnets"
+  environment        = local.environment
+  availability_zones = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  vpc_id             = module.vpc.vpc_id
+  type               = "public"
+  igw_id             = module.vpc.igw_id
+  cidr_block         = module.vpc.vpc_cidr_block
+  ipv6_cidr_block    = module.vpc.ipv6_cidr_block
+}
+
+##----------------------------------------------------------------------------------
+## VALKEY MODULE CALL
+##----------------------------------------------------------------------------------
+module "secrets_manager" {
+  source  = "clouddrove/secrets-manager/aws"
+  version = "2.0.0"
+
+  name        = local.name
+  environment = local.environment
+
+  unmanaged = true
+  secrets = [
+    {
+      name                    = "aws/elasticache/auth-tokens"
+      description             = "Elasticache AUTH Token"
+      recovery_window_in_days = 7
+      secret_string           = "{ \"auth_token\": \"UseSomethingSecure*1234\"}" # -- The Secret can be changed with any DUMMY_VALUE after `terraform apply`. Terraform will not show any changes for `secret_string` in future plans.
+    }
+  ]
+}
+
+data "aws_secretsmanager_secret" "auth_token" {
+  depends_on = [module.secrets_manager]
+  name       = "aws/elasticache/auth-tokens"
+}
+
+data "aws_secretsmanager_secret_version" "auth_token" {
+  secret_id = data.aws_secretsmanager_secret.auth_token.id
+}
+
+##----------------------------------------------------------------------------------
+## VALKEY MODULE CALL
+##----------------------------------------------------------------------------------
+module "valkey" {
+  source = "./../../"
+
+  name        = local.name
+  environment = local.environment
+
+  vpc_id                   = module.vpc.vpc_id
+  allowed_ip               = [module.vpc.vpc_cidr_block]
+  allowed_ports            = [6379]
+  subnet_ids               = concat(module.subnets.private_subnet_id, module.subnets.public_subnet_id)
+  subnet_group_description = "${local.environment}-${local.name} subnet group."
+  availability_zones       = ["${local.region}a", "${local.region}c"]
+
+  cluster_replication_enabled = true
+  replication_group = {
+    engine                        = "valkey"
+    engine_version                = "8.1"
+    parameter_group_name          = "default.valkey8"
+    port                          = 6379
+    num_cache_clusters            = 2
+    apply_immediately             = true
+    node_type                     = "cache.t3.micro"
+    replication_group_description = "${local.environment}-${local.name} replication group."
+    maintenance_window            = "sat:03:30-sat:04:30"
+  }
+  az_mode                    = "single-az"
+  kms_key_id                 = null  # -- AWS Owned KMS Key
+  auto_generate_auth_token   = false # -- To Provide your own auth_token
+  auth_token                 = jsondecode(data.aws_secretsmanager_secret_version.auth_token.secret_string)["auth_token"]
+  auth_token_update_strategy = "SET"
+  sg_ids                     = [module.vpc.vpc_default_security_group_id]
+
+}

examples/valkey/outputs.tf

@@ -0,0 +1,45 @@
+### ---------- aws_elasticache_replication_group --------------------
+output "valkey_elasticache_arn" {
+  description = "ARN of the created ElastiCache Replication Group."
+  value       = module.valkey.elasticache_arn
+}
+
+output "valkey_elasticache_engine_version" {
+  description = "Running version of the cache engine."
+  value       = module.valkey.elasticache_engine_version
+}
+
+output "valkey_elasticache_cluster_enabled" {
+  description = "Indicates if cluster mode is enabled."
+  value       = module.valkey.elasticache_cluster_enabled
+}
+
+output "valkey_elasticache_configuration_endpoint_address" {
+  description = "Address of the replication group configuration endpoint when cluster mode is enabled."
+  value       = module.valkey.elasticache_configuration_endpoint_address
+}
+
+output "valkey_elasticache_id" {
+  description = "ID of the ElastiCache Replication Group."
+  value       = module.valkey.id
+}
+
+output "valkey_elasticache_member_clusters" {
+  description = "Identifiers of all the nodes that are part of this replication group."
+  value       = module.valkey.elasticache_member_clusters
+}
+
+output "valkey_elasticache_primary_endpoint_address" {
+  description = "Address of the endpoint for the primary node in the replication group, if cluster mode is disabled."
+  value       = module.valkey.elasticache_endpoint
+}
+
+output "valkey_elasticache_reader_endpoint_address" {
+  description = "Address of the endpoint for the reader node in the replication group, if cluster mode is disabled."
+  value       = module.valkey.elasticache_reader_endpoint_address
+}
+
+output "valkey_elasticache_tags_all" {
+  description = "Map of tags assigned to the resource, including inherited ones."
+  value       = module.valkey.elasticache_tags_all
+}

examples/valkey/versions.tf

@@ -0,0 +1,11 @@
+# Terraform version
+terraform {
+  required_version = ">= 1.6.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.31.0"
+    }
+  }
+}

main.tf

@@ -142,7 +142,7 @@ resource "aws_elasticache_subnet_group" "default" {
 ##----------------------------------------------------------------------------------
 
 resource "random_password" "auth_token" {
-  count   = var.enable && var.auth_token_enable && var.auth_token == null ? 1 : 0
+  count   = var.enable && var.auth_token_enable && var.auto_generate_auth_token ? 1 : 0
   length  = var.length
   special = var.special
 }
@@ -178,11 +178,12 @@ resource "aws_elasticache_replication_group" "cluster" {
   multi_az_enabled           = lookup(var.replication_group, "multi_az_enabled", false)
   network_type               = var.network_type
 
-  auth_token         = var.auth_token_enable ? (var.auth_token == null ? random_password.auth_token[0].result : var.auth_token) : ""
-  kms_key_id         = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
-  tags               = module.labels.tags
-  num_cache_clusters = lookup(var.replication_group, "num_cache_clusters", 1)
-  user_group_ids     = var.user_group_ids
+  auth_token                 = var.auth_token_enable ? (var.auto_generate_auth_token ? random_password.auth_token[0].result : var.auth_token) : ""
+  auth_token_update_strategy = var.auth_token_enable ? var.auth_token_update_strategy : null
+  kms_key_id                 = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
+  tags                       = module.labels.tags
+  num_cache_clusters         = lookup(var.replication_group, "num_cache_clusters", 1)
+  user_group_ids             = var.user_group_ids
 
   dynamic "log_delivery_configuration" {
     for_each = var.log_delivery_configuration
@@ -241,20 +242,20 @@ resource "aws_route53_record" "elasticache" {
 ## Below resource will create ssm-parameter resource for redis and memcached with auth-token.
 ##----------------------------------------------------------------------------------
 resource "aws_ssm_parameter" "secret" {
-  count = var.enable && var.auth_token_enable ? 1 : 0
+  count = var.enable && var.enable_aws_ssm_parameter && var.auth_token_enable ? 1 : 0
 
   name        = format("/%s/%s/auth-token", var.environment, var.name)
   description = var.ssm_parameter_description
   type        = var.ssm_parameter_type
-  value       = var.auth_token == null ? random_password.auth_token[0].result : var.auth_token
+  value       = var.auto_generate_auth_token ? random_password.auth_token[0].result : var.auth_token
   key_id      = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
 }
 
 ##----------------------------------------------------------------------------------
 ## Below resource will create ssm-parameter resource for redis with endpoint.
 ##----------------------------------------------------------------------------------
 resource "aws_ssm_parameter" "secret-endpoint" {
-  count = var.enable && var.ssm_parameter_endpoint_enabled ? 1 : 0
+  count = var.enable && var.enable_aws_ssm_parameter && var.ssm_parameter_endpoint_enabled ? 1 : 0
 
   name        = format("/%s/%s/endpoint", var.environment, var.name)
   description = var.ssm_parameter_description
@@ -280,7 +281,7 @@ resource "aws_route53_record" "memcached_route_53" {
 ## Below resource will create ssm-parameter resource for memcached with endpoint.
 ##----------------------------------------------------------------------------------
 resource "aws_ssm_parameter" "memcached_secret-endpoint" {
-  count = var.enable && var.memcached_ssm_parameter_endpoint_enabled ? 1 : 0
+  count = var.enable && var.enable_aws_ssm_parameter && var.memcached_ssm_parameter_endpoint_enabled ? 1 : 0
 
   name        = format("/%s/%s/memcached-endpoint", var.environment, var.name)
   description = var.ssm_parameter_description

outputs.tf

@@ -2,7 +2,7 @@
 # Description : Terraform module to create Elasticache Cluster and replica for Redis.
 output "id" {
   value       = var.cluster_enabled ? "" : (var.cluster_replication_enabled ? join("", aws_elasticache_replication_group.cluster[*].id) : join("", aws_elasticache_replication_group.cluster[*].id))
-  description = "Redis cluster id."
+  description = "Elasticache cluster id."
 }
 
 output "port" {
@@ -16,14 +16,14 @@ output "tags" {
   description = "A mapping of tags to assign to the resource."
 }
 
-output "redis_endpoint" {
+output "elasticache_endpoint" {
   value       = var.cluster_replication_enabled ? "" : (var.cluster_replication_enabled ? join("", aws_elasticache_replication_group.cluster[*].primary_endpoint_address) : join("", aws_elasticache_cluster.default[*].configuration_endpoint))
-  description = "Redis endpoint address."
+  description = "Elasticache endpoint address."
 }
 
-output "redis_arn" {
+output "elasticache_arn" {
   value       = var.enable && length(aws_elasticache_replication_group.cluster) > 0 ? aws_elasticache_replication_group.cluster[0].arn : length(aws_elasticache_replication_group.cluster) > 0 ? aws_elasticache_replication_group.cluster[0].arn : null
-  description = "Redis arn"
+  description = "Elasticache arn"
 }
 
 output "memcached_endpoint" {
@@ -61,7 +61,55 @@ output "Memcached_ssm_name" {
 }
 
 output "auth_token" {
-  value       = var.enable && var.auth_token_enable ? random_password.auth_token[0].result : null
+  value       = var.enable && var.auth_token_enable && var.auto_generate_auth_token ? random_password.auth_token[0].result : null
   sensitive   = true
   description = "Auth token generated value"
 }
+
+### ---------- aws_elasticache_cluster ------------------------------
+output "elasticache_engine_version_actual" {
+  value       = try(aws_elasticache_cluster.default[0].engine_version_actual, null)
+  description = "Running version of the cache engine"
+}
+
+output "elasticache_cache_nodes" {
+  value       = try(aws_elasticache_cluster.default[0].cache_nodes, [])
+  description = "List of node objects"
+}
+
+output "elasticache_cluster_address" {
+  value       = try(aws_elasticache_cluster.default[0].cluster_address, null)
+  description = "(Memcached only) DNS name of the cache cluster"
+}
+
+### ---------- aws_elasticache_replication_group --------------------
+
+output "elasticache_engine_version" {
+  description = "Running version of the cache engine."
+  value       = try(aws_elasticache_replication_group.cluster[0].engine_version_actual, null)
+}
+
+output "elasticache_cluster_enabled" {
+  description = "Indicates if cluster mode is enabled."
+  value       = try(aws_elasticache_replication_group.cluster[0].cluster_enabled, null)
+}
+
+output "elasticache_configuration_endpoint_address" {
+  description = "Address of the replication group configuration endpoint when cluster mode is enabled."
+  value       = try(aws_elasticache_replication_group.cluster[0].configuration_endpoint_address, null)
+}
+
+output "elasticache_member_clusters" {
+  description = "Identifiers of all the nodes that are part of this replication group."
+  value       = try([for c in aws_elasticache_replication_group.cluster[0].member_clusters : c], null)
+}
+
+output "elasticache_reader_endpoint_address" {
+  description = "Address of the endpoint for the reader node in the replication group, if cluster mode is disabled."
+  value       = try(aws_elasticache_replication_group.cluster[0].reader_endpoint_address, null)
+}
+
+output "elasticache_tags_all" {
+  description = "Map of tags assigned to the resource, including inherited ones."
+  value       = try(aws_elasticache_replication_group.cluster[0].tags_all, null)
+}

variables.tf

@@ -93,12 +93,24 @@ variable "auth_token_enable" {
   description = "Flag to specify whether to create auth token (password) protected cluster. Can be specified only if transit_encryption_enabled = true."
 }
 
+variable "auto_generate_auth_token" {
+  type        = bool
+  default     = true
+  description = "Whether to automatically generate the authentication token using Terraform. If set to false, you must provide your own token via the 'auth_token' variable."
+}
+
 variable "auth_token" {
   type        = string
   default     = null
   description = "The password used to access a password protected server. Can be specified only if transit_encryption_enabled = true. Find auto generated auth_token in terraform.tfstate or in AWS SSM Parameter Store."
 }
 
+variable "auth_token_update_strategy" {
+  type        = string
+  default     = null
+  description = "(Optional) Strategy to use when updating the auth_token. Valid values are SET, ROTATE, and DELETE. Required if auth_token is set. Defaults to ROTATE"
+}
+
 variable "cluster_replication_enabled" {
   type        = bool
   default     = false
@@ -297,6 +309,11 @@ variable "route53" {
 }
 
 ###------------------------------- ssm_parameter----------------------------
+variable "enable_aws_ssm_parameter" {
+  description = "Whether to create the AWS SSM parameter for the auth token"
+  type        = bool
+  default     = false
+}
 
 variable "ssm_parameter_endpoint_enabled" {
   type        = bool