Description
Terraform and AWS Provider Version
Terraform v1.4.2
AWS Provider ~> 5.47
Affected Resource(s) or Data Source(s)
- elasticache_replication_group
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#user_group_ids-1
Expected Behavior
Currently, there is no rule that enforces the ordering of user group association and TLS enablement on a replication group. When transit_encryption_enabled = true is set for an ElastiCache cluster that was created with TLS disabled, and user_group_ids are supplied at the same time, the expected behavior is that TLS is enabled on the cluster before the user groups are associated with it.
Actual Behavior
For a single-region ElastiCache cluster created with TLS = false, when trying to enable TLS and pass user_group_ids to the resource at the same time, the apply fails with "User group based access control requires encryption-in-transit to be enabled on the replication group", because the provider tries to enable TLS and associate the user group with the cluster in the same modification.
Relevant Error/Panic Output
User group based access control requires encryption-in-transit to be enabled on the replication group.
Sample Terraform Configuration
```hcl
module "elasticache_redis" {
  source                               = "git::https://github.com/wbd-streaming/terraform-bolt-aws-elasticache-redis?ref=3.0.11"
  vpc_id                               = data.aws_vpc.vpc.id
  availability_zones                   = var.availability_zones
  security_group_ids                   = [data.aws_security_group.sg_group.id]
  cluster_size                         = local.local_config_map.cluster_size
  instance_type                        = local.local_config_map.instance_type
  apply_immediately                    = var.apply_immediately
  automatic_failover_enabled           = var.automatic_failover_enabled
  engine_version                       = local.local_config_map.engine_version
  family                               = local.local_config_map.family
  at_rest_encryption_enabled           = var.at_rest_encryption_enabled
  transit_encryption_enabled           = var.transit_encryption_enabled
  cloudwatch_metric_alarms_enabled     = var.cloudwatch_metric_alarms_enabled
  elasticache_subnet_group_name        = local.local_subnet_group_name
  maintenance_window                   = var.maintenance_window == null ? element(random_shuffle.maint_window.result, 0) : var.maintenance_window
  port                                 = var.port
  notification_topic_arn               = var.notification_topic_arn
  multi_az_enabled                     = var.multi_az_enabled
  auth_token                           = var.auth_token
  kms_key_id                           = data.aws_kms_key.kms_key.arn
  snapshot_arns                        = var.snapshot_arns
  snapshot_name                        = var.snapshot_name
  snapshot_window                      = var.snapshot_window
  snapshot_retention_limit             = var.snapshot_retention_limit
  final_snapshot_identifier            = var.final_snapshot_identifier
  cluster_mode_enabled                 = var.cluster_mode_enabled
  cluster_mode_replicas_per_node_group = local.local_config_map.replicas_per_node_group
  cluster_mode_num_node_groups         = local.local_config_map.num_node_groups
  tags                                 = local.common_tags
  parameter                            = var.parameter
  omd_environment                      = var.omd_environment
  log_delivery_configuration           = local.log_delivery_configuration
  cluster_version                      = var.cluster_version
  cluster_name                         = local.cluster_name
  parameter_group_description          = local.parameter_group_description
  replication_group_description        = local.replication_group_description
  namespace                            = local.namespace
  pg_attributes                        = local.pg_attributes
  auto_minor_version_upgrade           = var.auto_minor_version_upgrade
  user_group_ids                       = var.user_group_ids
  data_tiering_enabled                 = local.data_tiering_enabled
  # serverless variables
  serverless_enabled                   = var.serverless_enabled
  subnets                              = data.aws_elasticache_subnet_group.subnet_group.subnet_ids
  serverless_major_engine_version      = var.serverless_major_engine_version
  serverless_cache_usage_limits        = var.serverless_cache_usage_limits
  serverless_user_group_id             = var.serverless_user_group_id
  serverless_snapshot_time             = var.serverless_snapshot_time
  engine                               = var.engine
  parameter_group_name                 = local.parameter_group_name
  create_parameter_group               = local.create_parameter_group
}
```
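The ordering described under Expected Behavior can be enforced by hand today with a phased apply on the raw resource; the configuration below is an added example and is not part of this issue, the wrapper module, or the provider's own code. It assumes a hypothetical replication group `example-redis` running an engine version that supports in-place migration to TLS, a pre-existing user group `example-user-group`, and the provider's documented `transit_encryption_mode` argument, which must be `preferred` when TLS is first turned on for an existing group.

```hcl
# Phased migration of an existing, TLS-disabled replication group to
# TLS + user-group (RBAC) access. Apply once per phase, waiting for each
# modification to finish before moving on:
#   terraform apply -var migration_phase=1   # enable TLS (preferred)
#   terraform apply -var migration_phase=2   # attach user group
#   terraform apply -var migration_phase=3   # enforce TLS only
# Names and sizes below are placeholders, not values from the issue.
variable "migration_phase" {
  description = "1 = enable TLS, 2 = also attach user groups, 3 = require TLS"
  type        = number
  default     = 1

  validation {
    condition     = contains([1, 2, 3], var.migration_phase)
    error_message = "migration_phase must be 1, 2 or 3."
  }
}

resource "aws_elasticache_replication_group" "example" {
  replication_group_id = "example-redis"
  description          = "existing group being migrated to TLS and RBAC"
  engine               = "redis"
  engine_version       = "7.1"
  node_type            = "cache.t4g.small"
  num_cache_clusters   = 2
  apply_immediately    = true

  at_rest_encryption_enabled = true
  transit_encryption_enabled = true

  # Phase 1 and 2: "preferred" keeps existing plaintext clients working while
  # TLS is switched on in place. Phase 3 closes the plaintext path once every
  # client has been moved to TLS.
  transit_encryption_mode = var.migration_phase >= 3 ? "required" : "preferred"

  # Phase 1 deliberately sends no user group, so the API sees only the
  # encryption change. From phase 2 on, TLS is already enabled and the
  # user-group association is accepted. auth_token is intentionally unset:
  # it cannot be combined with user-group based access control.
  user_group_ids = var.migration_phase >= 2 ? ["example-user-group"] : null
}
```

Until the provider sequences these changes itself, keeping the TLS change and the user_group_ids change in separate applies avoids the "requires encryption-in-transit" error reported above.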
Steps to Reproduce
Terraform apply
Debug Logging
GenAI / LLM Assisted Development
n/a
Important Facts and References
No response
Would you like to implement a fix?
No