aws-elasticache: In-transit encryption is not supported for Redis?

[adworacz]

Describe the bug

When attempting to create a Redis elasticache cluster that enables in-transit encryption, we receive the following error:

Encryption feature is not supported for engine REDIS. (Service: AmazonElastiCache; Status Code: 400; Error Code: InvalidParameterCombination; Request ID: 34376205-8f3f-43e6-8fff-c7ca185ad835; Proxy: null

This doesn't make any sense though, as the public documentation clearly states that encryption is supported:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-transitencryptionenabled

This parameter is valid only if the Engine parameter is redis,

In addition, we are using VPC, per the documentation.

Here's our code that should enable easy reproduction:

    const redisSubnetGroup = new CfnSubnetGroup(this, 'APICacheSubnetGroup', {
      description: 'Subnet group for API cache',
      subnetIds: props.vpc.privateSubnets.map((subnet) => subnet.subnetId),
    })

    const redisSecurityGroup = new SecurityGroup(this, 'APICacheSecurityGroup', {
      vpc: props.vpc,
      description: 'Security group for API cache',
    })

    const redis = new CfnCacheCluster(this, 'APICache', {
      numCacheNodes: 1,
      engine: 'redis',
      // https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html
      // https://aws.amazon.com/elasticache/pricing/
      cacheNodeType: 'cache.m7g.large',
      cacheSubnetGroupName: redisSubnetGroup.ref,
      vpcSecurityGroupIds: [redisSecurityGroup.securityGroupId],
      transitEncryptionEnabled: true,
    })

Expected Behavior

I am able to create a Redis Elasticache instance with transit encryption enabled.

Current Behavior

An error occurs (see description)

Reproduction Steps

Use the CDK code in the description to deploy a Redis cluster.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.92.0 (build bf62e55)

Framework Version

No response

Node.js Version

18

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response

[adworacz]

The workaround seems to be using a CfnReplicationGroup instead.

Something like:

    const redis = new CfnReplicationGroup(this, 'APICacheV2', {
      engine: 'redis',
      replicationGroupDescription: 'Cache for the API',
      cacheNodeType: 'cache.t4g.micro',
      cacheSubnetGroupName: redisSubnetGroup.ref,
      securityGroupIds: [redisSecurityGroup.securityGroupId],

      transitEncryptionEnabled: true,

      // As minimal of a cache cluster as I can make.
      clusterMode: 'Disabled',
      numCacheClusters: 1,
      automaticFailoverEnabled: false,
    })

[indrora]

Yup, this looks like an oversight somewhere.

This parameter is valid only if the Engine parameter is redis, the EngineVersion parameter is 3.2.6 or 4.x onward, and the cluster is being created in an Amazon VPC.

There's a few other checks that have to be made as well here.

[adworacz]

Agreed. I also realized that I included the link to the ReplicationGroup documentation instead of the CacheCluster documentation in my OP. I've fixed this.

Here's the current documentation for CacheCluster + in-transit encryption: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-transitencryptionenabled

It doesn't mention any stipulations at all, which is rather surprising given the stipulations that exist on ReplicationGroup.

[manojkarrolla]

I think I have a similar issue when trying to create ElastiCache with TerraForm
It seems like it is working fine with same configuration via console but doesn't work through cli

Error: creating ElastiCache Cache Cluster (lab-redis): InvalidParameterCombination: Encryption feature is not supported for engine REDIS.
│       status code: 400, request id: 1a3d764c-90a2-4a25-9a1d-cf90883fd006

[adworacz]

Yeah, I'm starting to wonder if this isn't a CDK issue at all, and is in fact an underlying "service doesn't meet documentation" issue.

[uncaught]

CloudFormation template has this, too, so not an SDK problem.

The "encryption at rest" feature is also missing entirely.

[tomaszczechowski]

looks like the issue is still opened, I just ran into the same using Terraform

[arminanton]

For the encryption in transit, using the properties from here works fine, and for the encryption at rest, you can use auto-generated KMS managed by AWS doing atRestEncryptionEnabled set to true, or you can specify a KMS using its arn at kmsKeyId along that other property.

Example:

  // this = your stack if within its declaration, otherwise change it to its instantiated obj

  // Redis Security Group
  const redisSecurityGroup = new ec2.SecurityGroup(this, `${serviceName}-redis-sg`, {
    securityGroupName: `${serviceName}-redis-security-group`,
    description: `Security group for ${serviceName} Redis cluster`,
    allowAllOutbound: true,
    vpc: this.vpc, // your vpc object or variable
  });
  this.exportValue(redisSecurityGroup.securityGroupId, { name: `${serviceName}-redis-security-group-id` });

  // Elasticache Subnet Group
  const redisSubnetGroup = new elasticache.CfnSubnetGroup(this, `${serviceName}-redis-subnet`, {
    cacheSubnetGroupName: `${serviceName}-redis-subnet-group`,
    description: `Subnet group for ${serviceName} Redis cluster`,
    subnetIds: this.vpc.privateSubnets.map(subnet => subnet.subnetId),
  });

  // Redis Replication Group - Elasticache
  const redisCluster = new elasticache.CfnReplicationGroup(this, `${serviceName}-redis-cluster`, {
    replicationGroupId: `${serviceName}`,
    replicationGroupDescription: `Redis cluster for ${serviceName} application`,
    cacheNodeType: redisInstance, // 'cache.r7g.2xlarge'
    engine: 'redis',
    engineVersion: engineVersion, // '7.1'
    cacheParameterGroupName: paramGroup, // 'default.redis7.cluster.on' (you may use existing ones or create new ones)
    numNodeGroups: numShards, // 1
    replicasPerNodeGroup: nodesPerShard, // 2 (this will create 1 shard with 3 nodes, being 1 as replica, auto managed as it is clusted mode on)
    automaticFailoverEnabled: true,
    securityGroupIds: [redisSecurityGroup.securityGroupId],
    cacheSubnetGroupName: redisSubnetGroup.cacheSubnetGroupName,
    port: 6379,
    multiAzEnabled: true,
    autoMinorVersionUpgrade: true,
    atRestEncryptionEnabled: true,
    transitEncryptionEnabled: true, // comment out to disable encryption in transit
    transitEncryptionMode: 'required', // options of 'preferred' or 'required'
    // kmsKeyId, // provide the KMS key id here, e.g.  "arn:aws:kms:${region}:${accountId}:key/${hashId}"
    clusterMode: 'enabled',
    preferredMaintenanceWindow: 'tue:07:00-tue:08:00', // same as (00:00am PST = 03:00 EST)
  });
  redisCluster.cfnOptions.updatePolicy = {
    useOnlineResharding: true
  }
  // Set DeletionPolicy to Retain
  redisCluster.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);

  // Create Redis only after the Redis Security Group is created
  redisCluster.node.addDependency(redisSubnetGroup);