I am trying to set up Elasticache/Redis with auth ...
# aws
g
I am trying to set up Elasticache/Redis with auth and encryption. Is that possible? I am using TypeScript and I can't see any options for those in the type definition (or the online docs!)
b
yes it’s possible, they’re part of the parameter group https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/parametergroup/
g
Thanks for the reply. It's not obvious what keys I need for parametergroup.
b
@gray-translator-86978 which language are you using?
g
I am using TypeScript.
they’re all in the replication group settings
g
OK, thanks. I will take a look. I'm not using replication groups fwiw.
It's not immediately clear to me how replication relates to client auth and encryption.
b
this is an aws thing, it’s only available on replication groups (ie multi node clusters) https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html
g
I don't think that's true as I have the most vanilla Redis cluster (1 node, no replication) with auth and encryption.
b
how did you enable it?
g
Sorry - my bad
b
?
g
I am trying to ENABLE auth and encryption via pulumi.
(Sorry for the confusion)
b
Pulumi is just calling the AWS APIs. The SDK we generate comes from the AWS API. As far as I’m aware, the only way to enable encryption and auth for a redis elasticache is using a replication group. The fact that there’s a replication group doesn’t necessarily mean it’s not a one node cluster. I verified this by creating a redis cluster manually in the console (see screenshot) then looked at the configuration via the AWS CLI:
```
aws elasticache describe-cache-clusters --cache-cluster-id lbriggs-single-001
{
    "CacheClusters": [
        {
            "CacheClusterId": "lbriggs-single-001",
            "ClientDownloadLandingPage": "https://console.aws.amazon.com/elasticache/home#client-download:",
            "CacheNodeType": "cache.t3.micro",
            "Engine": "redis",
            "EngineVersion": "6.2.6",
            "CacheClusterStatus": "creating",
            "NumCacheNodes": 1,
            "PreferredAvailabilityZone": "us-west-2a",
            "PreferredMaintenanceWindow": "thu:12:30-thu:13:30",
            "PendingModifiedValues": {},
            "CacheSecurityGroups": [],
            "CacheParameterGroup": {
                "CacheParameterGroupName": "default.redis6.x",
                "ParameterApplyStatus": "in-sync",
                "CacheNodeIdsToReboot": []
            },
            "CacheSubnetGroupName": "cachesubnets-69a1cf9",
            "AutoMinorVersionUpgrade": true,
            "ReplicationGroupId": "lbriggs-single",
            "SnapshotRetentionLimit": 1,
            "SnapshotWindow": "07:00-08:00",
            "AuthTokenEnabled": true,
            "AuthTokenLastModifiedDate": "2022-07-18T15:37:48.651000+00:00",
            "TransitEncryptionEnabled": true,
            "AtRestEncryptionEnabled": true,
            "ARN": "arn:aws:elasticache:us-west-2:616138583583:cluster:lbriggs-single-001",
            "ReplicationGroupLogDeliveryEnabled": false,
            "LogDeliveryConfigurations": []
        }
    ]
}
```
You can see behind the scenes it’s still created a replication group (see second screenshot) - so you just need to define your settings there
g
Thanks a lot. I will take a look
Though I am NOT using a replication group when I set up a vanilla redis cluster via the console
b
can you screenshot your redis cluster in the console? like the settings I posted above? or output the result of `aws elasticache describe-cache-clusters`
g
That was set up via Pulumi. I lied, manually
b
okay, you see `ARN` in the third column?
see how it says “replicationgroup”
you might not have defined a replicationgroup, so one was created for you.
so when you keep saying “I’m not creating a replication group” that isn’t actually true, you are using a replication group. You just didn’t define one in the console, the AWS console hides it all from you. So if you want to set up a redis cluster with auth and encryption enabled, you need to define your own replication group
g
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import { ClusterArgs } from "@pulumi/aws/elasticache";

const config = new pulumi.Config();

const nodeType = "cache.t3.small";

// requireObject parses the JSON-encoded config value into an array;
// require() returns a plain string, so casting it to string[] is wrong.
const securityGroupIds = config.requireObject<string[]>("securityGroupIds");
const subnetGroupName = config.require("subnetGroupName");

// Single-node Redis cluster as posted: no auth or encryption settings are set here.
const params: ClusterArgs = {
  engine: "redis",
  nodeType,
  numCacheNodes: 1,
  parameterGroupName: "default.redis6.x",
  securityGroupIds,
  subnetGroupName,
};

new aws.elasticache.Cluster("example", params);
```
When I set up the cluster manually, I can set AUTH + encryption directly, no explicit replication
b
okay, I’m really not sure how better to explain this. is the screenshot I just posted showing you that there is a replication group not clear? You’re right there’s not explicit replication, but there IS a replication group
g
Thank you for your help - all working now