Merge pull request #57 from clouddrove/feature/random_pass

Feature/random pass

Author: themaniskshah

_example/memcached/main.tf renamed to _example/memcached/example.tf

@@ -37,21 +37,21 @@ module "subnets" {
   ipv6_cidr_block    = module.vpc.ipv6_cidr_block
 }
 
-####----------------------------------------------------------------------------------
-## Amazon ElastiCache [REDIS-CLUSTER] is a fully managed in-memory data store and cache service by Amazon Web Services.
-## The service improves the performance of web applications by retrieving information from managed in-memory caches,
-## instead of relying entirely on slower disk-based databases.
-####----------------------------------------------------------------------------------
+###----------------------------------------------------------------------------------
+# Amazon ElastiCache [REDIS-CLUSTER] is a fully managed in-memory data store and cache service by Amazon Web Services.
+# The service improves the performance of web applications by retrieving information from managed in-memory caches,
+# instead of relying entirely on slower disk-based databases.
+###----------------------------------------------------------------------------------
 module "redis-cluster" {
   source = "./../../"
 
   name        = "redis-cluster"
   environment = "test"
   label_order = ["environment", "name"]
 
-  ####----------------------------------------------------------------------------------
-  ## Below A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
-  ####----------------------------------------------------------------------------------
+  ###----------------------------------------------------------------------------------
+  # Below A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
+  ###----------------------------------------------------------------------------------
   vpc_id        = module.vpc.vpc_id
   allowed_ip    = [module.vpc.vpc_cidr_block]
   allowed_ports = [6379]
@@ -71,9 +71,10 @@ module "redis-cluster" {
     Application = "CloudDrove"
   }
 
-  ####----------------------------------------------------------------------------------
-  ## will create ROUTE-53 for redis which will add the dns of the cluster.
-  ####----------------------------------------------------------------------------------
+
+  ###----------------------------------------------------------------------------------
+  # will create ROUTE-53 for redis which will add the dns of the cluster.
+  ###----------------------------------------------------------------------------------
   route53_record_enabled         = false
   ssm_parameter_endpoint_enabled = false
   dns_record_name                = "prod"

_example/redis-cluster/main.tf renamed to _example/redis-cluster/example.tf

@@ -22,3 +22,8 @@ output "redis_ssm_arn" {
   value       = module.redis-cluster.redis_ssm_name
   description = "A map of the names and ARNs created"
 }
+
+output "auth_token" {
+  value     = module.redis-cluster.auth_token
+  sensitive = true
+}

_example/redis-cluster/outputs.tf

@@ -137,6 +137,16 @@ resource "aws_elasticache_subnet_group" "default" {
   tags = module.labels.tags
 }
 
+##----------------------------------------------------------------------------------
+## Below resource will create random passoword for the auth_token
+##----------------------------------------------------------------------------------
+
+resource "random_password" "auth_token" {
+  count   = var.auth_token_enable && var.auth_token == null ? 1 : 0
+  length  = var.length
+  special = var.special
+}
+
 ##----------------------------------------------------------------------------------
 ## Below resource will create replication-group resource for redis-cluster and memcached.
 ##----------------------------------------------------------------------------------
@@ -165,7 +175,7 @@ resource "aws_elasticache_replication_group" "cluster" {
   at_rest_encryption_enabled = var.at_rest_encryption_enabled
   transit_encryption_enabled = var.transit_encryption_enabled
   multi_az_enabled           = var.multi_az_enabled
-  auth_token                 = var.auth_token
+  auth_token                 = var.auth_token_enable ? (var.auth_token == null ? random_password.auth_token[0].result : var.auth_token) : null
   kms_key_id                 = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
   tags                       = module.labels.tags
   num_cache_clusters         = var.num_cache_clusters
@@ -223,15 +233,15 @@ resource "aws_route53_record" "elasticache" {
 }
 
 ##----------------------------------------------------------------------------------
-## Below resource will create ssm-parameter resource for redisand memcached with auth-token.
+## Below resource will create ssm-parameter resource for redis and memcached with auth-token.
 ##----------------------------------------------------------------------------------
 resource "aws_ssm_parameter" "secret" {
-  count = var.auth_token != null ? 1 : 0
+  count = var.auth_token_enable ? 1 : 0
 
   name        = format("/%s/%s/auth-token", var.environment, var.name)
   description = var.ssm_parameter_description
   type        = var.ssm_parameter_type
-  value       = var.auth_token
+  value       = var.auth_token == null ? random_password.auth_token[0].result : var.auth_token
   key_id      = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
 }
 

_example/redis/main.tf renamed to _example/redis/example.tf

@@ -59,3 +59,9 @@ output "Memcached_ssm_name" {
   value       = join("", aws_ssm_parameter.memcached_secret-endpoint[*].name)
   description = "A list of all of the parameter values"
 }
+
+output "auth_token" {
+  value       = random_password.auth_token[0].result
+  sensitive   = true
+  description = "Auth token generated value"
+}

main.tf

@@ -175,6 +175,12 @@ variable "transit_encryption_enabled" {
   description = "Whether to enable encryption in transit."
 }
 
+variable "auth_token_enable" {
+  type        = bool
+  default     = true
+  description = "Flag to specify whether to create auth token (password) protected cluster. Can be specified only if transit_encryption_enabled = true."
+}
+
 variable "auth_token" {
   type        = string
   default     = null
@@ -324,12 +330,6 @@ variable "enable_security_group" {
   description = "Enable default Security Group with only Egress traffic allowed."
 }
 
-variable "existing_sg_id" {
-  type        = string
-  default     = null
-  description = "Provide existing security group id for updating existing rule"
-}
-
 variable "egress_rule" {
   type        = bool
   default     = true
@@ -432,3 +432,16 @@ variable "ssm_parameter_type" {
   default     = "SecureString"
   description = "Type of the parameter."
 }
+
+###------------------------------- random_password----------------------------
+
+variable "length" {
+  type    = number
+  default = 25
+}
+
+variable "special" {
+  type    = bool
+  default = false
+
+}