I am trying to set up Elasticache/Redis with auth ...
# aws
I am trying to set up Elasticache/Redis with auth and encryption. Is that possible? I am using TypeScript. I can't see any options for those in the type definition (or the online docs!)
yes it’s possible, they’re part of the parameter group https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/parametergroup/
Thanks for the reply. It's not obvious what the keys I need for parametergroup are.
@gray-translator-86978 which language are you using?
I am using TypeScript.
they’re all in the replication group settings
OK, thanks. I will take a look. I'm not using replication groups fwiw.
It's not immediately clear to me how replication relates to client auth and encryption.
this is an aws thing, it’s only available on replication groups (ie multi node clusters) https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html
I don't think that's true as I have the most vanilla Redis cluster (1 node, no replication) with auth and encryption.
how did you enable it?
Sorry - my bad
I am trying to ENABLE auth and encryption via pulumi.
(Sorry for the confusion)
Pulumi is just calling the AWS APIs. The SDK we generate comes from the AWS API. As far as I’m aware, the only way to enable encryption and auth for a redis elasticache is using a replication group. The fact that there’s a replication group doesn’t necessarily mean it’s not a one node cluster. I verified this by creating a redis cluster manually in the console (see screenshot) then looked at the configuration via the AWS CLI:
```
aws elasticache describe-cache-clusters --cache-cluster-id lbriggs-single-001
{
    "CacheClusters": [
        {
            "CacheClusterId": "lbriggs-single-001",
            "ClientDownloadLandingPage": "https://console.aws.amazon.com/elasticache/home#client-download:",
            "CacheNodeType": "cache.t3.micro",
            "Engine": "redis",
            "EngineVersion": "6.2.6",
            "CacheClusterStatus": "creating",
            "NumCacheNodes": 1,
            "PreferredAvailabilityZone": "us-west-2a",
            "PreferredMaintenanceWindow": "thu:12:30-thu:13:30",
            "PendingModifiedValues": {},
            "CacheSecurityGroups": [],
            "CacheParameterGroup": {
                "CacheParameterGroupName": "default.redis6.x",
                "ParameterApplyStatus": "in-sync",
                "CacheNodeIdsToReboot": []
            },
            "CacheSubnetGroupName": "cachesubnets-69a1cf9",
            "AutoMinorVersionUpgrade": true,
            "ReplicationGroupId": "lbriggs-single",
            "SnapshotRetentionLimit": 1,
            "SnapshotWindow": "07:00-08:00",
            "AuthTokenEnabled": true,
            "AuthTokenLastModifiedDate": "2022-07-18T15:37:48.651000+00:00",
            "TransitEncryptionEnabled": true,
            "AtRestEncryptionEnabled": true,
            "ARN": "arn:aws:elasticache:us-west-2:616138583583:cluster:lbriggs-single-001",
            "ReplicationGroupLogDeliveryEnabled": false,
            "LogDeliveryConfigurations": []
        }
    ]
}
```
You can see behind the scenes it’s still created a replication group (see second screenshot) - so you just need to define your settings there
Thanks a lot. I will take a look
Though I am NOT using a replication group when I set up a vanilla redis cluster via the console
can you screenshot your redis cluster in the console? like the settings I posted above? or output the result of
aws elasticache describe-cache-clusters
That was set up via Pulumi I lied, manually
okay, you see
in the third column?
see how it says “replicationgroup”
you might not have defined a replicationgroup, so one was created for you.
so when you keep saying “I’m not creating a replication group” that isn’t actually true, you are using a replication group. You just didn’t define one in the console, the AWS console hides it all from you. So if you want to set up a redis cluster with auth and encryption enabled, you need to define your own replication group
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import { ClusterArgs } from "@pulumi/aws/elasticache";

const config = new pulumi.Config();

const nodeType = "cache.t3.small";

// The config key was missing from the original post; the string below is a placeholder.
const securityGroupIds = config.require(
  "<security-group-ids-config-key>"
) as unknown as string[];
const subnetGroupName = config.require("subnetGroupName");

// Standalone Cluster resource: no auth token or encryption settings are set here.
const params: ClusterArgs = {
  engine: "redis",
  numCacheNodes: 1,
  parameterGroupName: "default.redis6.x",
};

new aws.elasticache.Cluster("example", params);
```
When I set up the cluster manually, I can set AUTH + encryption directly, no explicit replication
okay, I’m really not sure how better to explain this. is the screenshot I just posted showing you that there is a replication group not clear? You’re right there’s not explicit replication, but there IS a replication group
Thank you for your help - all working now