Azure NoOps Redis Cache Overlay Module

This Overlay terraform module can create a Redis Cache and manage related parameters (Threat protection, Redis Cache FW Rules, Private Endpoints, etc.) to be used in a SCCA compliant Network.

SCCA Compliance

This module can be SCCA compliant and can be used in a SCCA compliant Network. Enable private endpoints and SCCA compliant network rules to make it SCCA compliant.

For more information, please read the SCCA documentation.

Contributing

If you want to contribute to this repository, feel free to to contribute to our Terraform module.

More details are available in the CONTRIBUTING.md file.

Resources Used

• Redis Cache
• Private Endpoints
• Private DNS zone for privatelink A records
• Azure Reource Locks

Overlay Module Usage

# Azurerm Provider configuration
provider "azurerm" {
  features {}
}

resource "random_id" "prefix" {
  byte_length = 8
}

#---------------------------------------------------------
# Azure Region Lookup
#----------------------------------------------------------
module "mod_azure_region_lookup" {
  source  = "azurenoops/overlays-azregions-lookup/azurerm"
  version = "~> 1.0.0"

  azure_region = "eastus"
}

#---------------------------------------------------------
# Resource Group Creation
#----------------------------------------------------------
module "mod_redis_rg" {
  source  = "azurenoops/overlays-resource-group/azurerm"
  version = "~> 1.0.1"

  location                = module.mod_azure_region_lookup.location_cli
  use_location_short_name = true # Use the short location name in the resource group name
  org_name                = "anoa"
  environment             = "dev"
  workload_name           = "dev-cache-test"
  custom_rg_name          = null

  // Tags
  add_tags = merge({}, {
    DeployedBy = format("AzureNoOpsTF [%s]", terraform.workspace)
  }) # Tags to be applied to all resources
}

resource "azurerm_virtual_network" "test" {
  address_space       = ["10.52.0.0/16"]
  location            = module.mod_redis_rg.resource_group_location
  name                = "${random_id.prefix.hex}-vnet"
  resource_group_name = module.mod_redis_rg.resource_group_name
}

resource "azurerm_subnet" "test" {
  address_prefixes                          = ["10.52.0.0/24"]
  name                                      = "${random_id.prefix.hex}-snet"
  resource_group_name                       = module.mod_redis_rg.resource_group_name
  virtual_network_name                      = azurerm_virtual_network.test.name
  private_endpoint_network_policies_enabled = true
}

module "mod_redis" {
  depends_on = [
    module.mod_redis_rg
  ]
  source  = "azurenoops/overlays-redis/azurerm"
  version = "~> 1.0.0"

  # By default, this module will create a resource group and 
  # provide a name for an existing resource group. If you wish 
  # to use an existing resource group, change the option 
  # to "create_redis_resource_group = false." The location of the group 
  # will remain the same if you use the current resource.
  create_redis_resource_group = false
  custom_resource_group_name  = module.mod_redis_rg.resource_group_name
  location                    = module.mod_redis_rg.resource_group_location
  environment                 = "public"
  deploy_environment          = "dev"
  org_name                    = "anoa"
  workload_name               = "dev-cache-test"

  # Configuration to provision a Standard Redis Cache
  # Specify `shared_count` to create on the Redis Cluster
  cluster_shard_count = 3

  # MEMORY MANAGEMENT
  # Azure Cache for Redis instances are configured with the following default Redis configuration values:
  redis_configuration = {
    maxmemory_reserved = 2
    maxmemory_delta    = 2
    maxmemory_policy   = "allkeys-lru"
  }

  # Nodes are patched one at a time to prevent data loss. Basic caches will have data loss.
  # Clustered caches are patched one shard at a time. 
  # The Patch Window lasts for 5 hours from the `start_hour_utc`
  patch_schedules = [
    {
      day_of_week    = "Saturday"
      start_hour_utc = 10
    }
  ]

  # Creating Private Endpoint requires, VNet name to create a Private Endpoint
  # By default this will create a `privatelink.redis.cache.windows.net` DNS zone. if created in commercial cloud
  # To use existing subnet, specify `existing_subnet_id` with valid subnet id. 
  # To use existing private DNS zone specify `existing_private_dns_zone` with valid zone name
  # Private endpoints doesn't work If not using `existing_subnet_id` to create redis inside a specified VNet.
  enable_private_endpoint = true
  existing_subnet_id      = azurerm_subnet.test.id
  virtual_network_name    = azurerm_virtual_network.test.name
  #  existing_private_dns_zone     = "demo.example.com"

  # Tags for Azure Resources
  add_tags = merge({}, {
    DeployedBy = format("AzureNoOpsTF [%s]", terraform.workspace)
  }) # Tags to be applied to all resources
}

Requirements

Name	Version
terraform	>= 1.3
azurenoopsutils	~> 1.0.4
azurerm	~> 3.22

Providers

Name	Version
azurenoopsutils	~> 1.0.4
azurerm	~> 3.22

Modules

Name	Source	Version
mod_azure_region_lookup	azurenoops/overlays-azregions-lookup/azurerm	~> 1.0.0

Resources

Name	Type
azurerm_management_lock.redis_level_lock	resource
azurerm_management_lock.storage_account_level_lock	resource
azurerm_private_dns_a_record.a_rec	resource
azurerm_private_dns_a_record.a_rec_redis	resource
azurerm_private_dns_zone.dns_zone	resource
azurerm_private_dns_zone_virtual_network_link.vnet_link	resource
azurerm_private_endpoint.pep	resource
azurerm_redis_cache.redis	resource
azurerm_redis_firewall_rule.redis_fw_rule	resource
azurerm_storage_account.redis_storage	resource
azurenoopsutils_resource_name.data_storage	data source
azurenoopsutils_resource_name.redis	data source
azurenoopsutils_resource_name.redis_fw_rule	data source
azurerm_private_endpoint_connection.pip	data source
azurerm_redis_cache.redis	data source
azurerm_resource_group.rgrp	data source
azurerm_subnet.existing_snet	data source
azurerm_virtual_network.vnet	data source

Inputs

Name	Description	Type	Default	Required
add_tags	Map of custom tags.	map(string)	{}	no
allow_auto_registration	Allow auto registration of the network hosts to private DNS.	bool	false	no
allow_non_ssl_connections	Activate non SSL port (6779) for Redis connection	bool	false	no
authorized_cidrs	Map of authorized cidrs	map(string)	{}	no
capacity	Redis size: (Basic/Standard: 1,2,3,4,5,6) (Premium: 1,2,3,4) https://docs.microsoft.com/fr-fr/azure/redis-cache/cache-how-to-premium-clustering	number	2	no
cluster_shard_count	Number of cluster shards desired	number	3	no
custom_name	Custom name of Redis Server	string	""	no
custom_resource_group_name	The name of the resource group in which the resources will be created. If not provided, a new resource group will be created with the name 'rg-<org_name>--<workload_name>'	string	null	no
data_persistence_enabled	"true" to enable data persistence.	bool	true	no
data_persistence_frequency_in_minutes	Data persistence snapshot frequency in minutes.	number	60	no
data_persistence_max_snapshot_count	Max number of data persistence snapshots.	number	null	no
data_persistence_storage_account_replication	Replication type for the Storage Account used for data persistence.	string	"LRS"	no
data_persistence_storage_account_tier	Replication type for the Storage Account used for data persistence.	string	"Premium"	no
data_persistence_storage_custom_name	Custom name for the Storage Account used for Redis data persistence.	string	""	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
deploy_environment	The environment to deploy. It defaults to dev.	string	"dev"	no
enable_private_endpoint	Manages a Private Endpoint to Azure Container Registry. Default is false.	bool	false	no
enable_resource_locks	(Optional) Enable resource locks	bool	false	no
environment	The Terraform backend environment e.g. public or usgovernment	string	null	no
existing_private_dns_zone	Name of the existing private DNS zone	any	null	no
existing_resource_group_name	Name of the existing resource group	any	null	no
existing_subnet_name	The name of the existing subnet	any	null	no
location	The location/region to keep all your network resources. To get the list of all locations with table format from azure cli, run 'az account list-locations -o table'	string	n/a	yes
lock_level	(Optional) id locks are enabled, Specifies the Level to be used for this Lock.	string	"CanNotDelete"	no
minimum_tls_version	The minimum TLS version	string	"1.2"	no
name_prefix	Optional prefix for the generated name	string	""	no
name_suffix	Optional suffix for the generated name	string	""	no
org_name	A name for the organization. It defaults to anoa.	string	"anoa"	no
patch_schedules	A list of Patch Schedule, Azure Cache for Redis patch schedule is used to install important software updates in specified time window.	list(object({ day_of_week = string start_hour_utc = optional(string) maintenance_window = optional(string) }))	[]	no
private_static_ip_address	The Static IP Address to assign to the Redis Cache when hosted inside the Virtual Network. Changing this forces a new resource to be created.	string	null	no
private_subnet_address_prefix	The name of the subnet for private endpoints	any	null	no
redis_configuration	Additional configuration for the Redis instance. Some of the keys are set automatically. See https://www.terraform.io/docs/providers/azurerm/r/redis_cache.html#redis_configuration for full reference.	object({ aof_backup_enabled = optional(bool) aof_storage_connection_string_0 = optional(string) aof_storage_connection_string_1 = optional(string) enable_authentication = optional(bool) maxmemory_reserved = optional(number) maxmemory_delta = optional(number) maxmemory_policy = optional(string) maxfragmentationmemory_reserved = optional(number) rdb_backup_enabled = optional(bool) rdb_backup_frequency = optional(number) rdb_backup_max_snapshot_count = optional(number) rdb_storage_connection_string = optional(string) notify_keyspace_events = optional(string) })	{}	no
redis_version	Redis version to deploy. Allowed values are 4 or 6	number	6	no
sku_name	Redis Cache Sku name. Can be Basic, Standard or Premium	string	"Premium"	no
tags	A map of tags to add to all resources	map(string)	{}	no
use_naming	Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false.	bool	true	no
virtual_network_name	Name of the virtual network for the private endpoint	any	null	no
workload_name	A name for the workload. It defaults to hub-core.	string	"hub-core"	no
zones	A list of a one or more Availability Zones, where the Redis Cache should be allocated.	list(number)	null	no

Outputs

Name	Description
redis_capacity	Redis capacity
redis_family	Redis family
redis_hostname	Redis instance hostname
redis_id	Redis instance id
redis_name	Redis instance name
redis_port	Redis instance port
redis_primary_access_key	Redis primary access key
redis_private_static_ip_address	Redis private static IP address
redis_secondary_access_key	Redis secondary access key
redis_sku_name	Redis SKU name
redis_ssl_port	Redis instance SSL port