Parameterizing the values of Encryption at rest and transit (#6)
Co-authored-by: Navfarm <navfarm.sph.com.sg>
Co-authored-by: Paul Yeoh <pyeoh@sph.com.sg>
navfarm and paul-ylz authored Dec 26, 2024
1 parent ea1db15 commit 801b721
Showing 3 changed files with 18 additions and 4 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -42,6 +42,7 @@ No modules.
| <a name="input_alarm_ecpu_threshold_percent"></a> [alarm\_ecpu\_threshold\_percent](#input\_alarm\_ecpu\_threshold\_percent) | ECPU threshold alarm level for elasticache serverless | `number` | `75` | no |
| <a name="input_alarm_memory_threshold_bytes"></a> [alarm\_memory\_threshold\_bytes](#input\_alarm\_memory\_threshold\_bytes) | Alarm memory threshold bytes | `number` | `10000000` | no |
| <a name="input_apply_immediately"></a> [apply\_immediately](#input\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window | `bool` | `true` | no |
| <a name="input_at_rest_encryption_enabled"></a> [at\_rest\_encryption\_enabled](#input\_at\_rest\_encryption\_enabled) | Specifies whether the encryption at rest is enabled | `bool` | `true` | no |
| <a name="input_auth_token"></a> [auth\_token](#input\_auth\_token) | Password used to access a password protected server. Can be specified only if `transit_encryption_enabled = true` | `string` | `null` | no |
| <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | Cluster ID | `string` | `null` | no |
| <a name="input_cluster_mode_enabled"></a> [cluster\_mode\_enabled](#input\_cluster\_mode\_enabled) | Set to false to diable cluster module | `bool` | `false` | no |
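Review bot: the new `at_rest_encryption_enabled` row documents the type as `bool`, but variables.tf in this same commit declares the variable as `type = string`; make the two agree (declare the variable `type = bool` and regenerate the README) so the docs do not promise a type the module does not enforce. It would also help to say here, as the `auth_token` row already does for transit, that `kms_key_id` is only honoured when this flag is `true`, since main.tf now nulls it out otherwise.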
Expand Down Expand Up @@ -74,6 +75,7 @@ No modules.
| <a name="input_subnet_group_name"></a> [subnet\_group\_name](#input\_subnet\_group\_name) | Subnet group name for the ElastiCache instance | `string` | `""` | no |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | AWS subnet ids | `list(string)` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (\_e.g.\_ map("BusinessUnit","ABC") | `map(string)` | `{}` | no |
| <a name="input_transit_encryption_enabled"></a> [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Specifies whether the encryption at transit is enabled | `bool` | `true` | no |
| <a name="input_use_serverless"></a> [use\_serverless](#input\_use\_serverless) | Use serverless ElastiCache service | `bool` | `false` | no |

## Outputs
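Review bot: "encryption at transit" in the new `transit_encryption_enabled` row should read "encryption in transit", and the type column again says `bool` while variables.tf declares `type = string`. The description should also state the consequence visible in main.tf: when this is set to `false`, any `auth_token` the caller supplies is dropped, so the cache ends up unauthenticated as well as unencrypted.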
8 changes: 4 additions & 4 deletions main.tf
Expand Up @@ -57,16 +57,16 @@ resource "aws_elasticache_replication_group" "this" {
security_group_ids = var.security_groups

multi_az_enabled = var.replication_enabled ? true : false
at_rest_encryption_enabled = true
transit_encryption_enabled = true
at_rest_encryption_enabled = var.at_rest_encryption_enabled
transit_encryption_enabled = var.transit_encryption_enabled
automatic_failover_enabled = var.replication_enabled ? true : false

notification_topic_arn = var.notification_topic_arn

apply_immediately = var.apply_immediately

auth_token = var.auth_token
kms_key_id = var.kms_key_id
auth_token = var.transit_encryption_enabled ? var.auth_token : null
kms_key_id = var.at_rest_encryption_enabled ? var.kms_key_id : null

num_node_groups = var.cluster_mode_enabled ? var.num_node_groups : null
replicas_per_node_group = var.cluster_mode_enabled ? var.replicas_per_node_group : null
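Review bot: `auth_token = var.transit_encryption_enabled ? var.auth_token : null` silently discards a caller-supplied token when transit encryption is off, and `kms_key_id = var.at_rest_encryption_enabled ? var.kms_key_id : null` silently discards a customer-managed key when encryption at rest is off; in both cases the caller asked for a control and gets a cluster without it and without an error. Prefer failing the plan instead, for example a `lifecycle { precondition { ... } }` on this resource asserting `var.transit_encryption_enabled || var.auth_token == null` and `var.at_rest_encryption_enabled || var.kms_key_id == null`, and keep the ternaries at most as a belt-and-braces guard. The conditions also rely on Terraform coercing the `string`-typed variables to bool; declaring them `type = bool` removes that dependence.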
12 changes: 12 additions & 0 deletions variables.tf
Expand Up @@ -178,12 +178,24 @@ variable "snapshot_retention_limit" {
default = 5
}

variable "transit_encryption_enabled" {
description = "Whether to enable encryption in transit"
type = string
default = true
}

variable "auth_token" {
description = "Password used to access a password protected server. Can be specified only if `transit_encryption_enabled = true`"
type = string
default = null
}

variable "at_rest_encryption_enabled" {
description = "Whether to enable encryption at rest"
type = string
default = true
}

variable "kms_key_id" {
description = "The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. Can be specified only if `at_rest_encryption_enabled = true`"
type = string
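Review bot: both new variables are declared `type = string` with a bare `true` default, while the README rows in this commit and the boolean arguments they feed in main.tf expect a bool; declare them `type = bool` so that `terraform plan` rejects a value such as `"yes"` up front instead of coercing or failing late. The `auth_token` description says it can be specified only when `transit_encryption_enabled = true`, but nothing in this file enforces it; since `auth_token` is a password, it should also carry `sensitive = true` so it is redacted from plan output.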
