feat: add argument to control auth_token update strategy

hahirwar-cd · hahirwar-cd · commit 66a75fa4d3da · 2025-08-12T04:12:58.000+05:30
diff --git a/examples/valkey/example.tf b/examples/valkey/example.tf
@@ -38,6 +38,36 @@ module "subnets" {
   ipv6_cidr_block    = module.vpc.ipv6_cidr_block
 }
 
+##----------------------------------------------------------------------------------
+## VALKEY MODULE CALL
+##----------------------------------------------------------------------------------
+module "secrets_manager" {
+  source  = "clouddrove/secrets-manager/aws"
+  version = "2.0.0"
+
+  name        = local.name
+  environment = local.environment
+
+  unmanaged = true
+  secrets = [
+    {
+      name                    = "aws/elasticache/auth-tokens"
+      description             = "Elasticache AUTH Token"
+      recovery_window_in_days = 7
+      secret_string           = "{ \"auth_token\": \"UseSomethingSecure*1234\"}"
+    }
+  ]
+}
+
+data "aws_secretsmanager_secret" "auth_token" {
+  depends_on = [module.secrets_manager]
+  name       = "aws/elasticache/auth-tokens"
+}
+
+data "aws_secretsmanager_secret_version" "auth_token" {
+  secret_id = data.aws_secretsmanager_secret.auth_token.id
+}
+
 ##----------------------------------------------------------------------------------
 ## VALKEY MODULE CALL
 ##----------------------------------------------------------------------------------
@@ -47,29 +77,29 @@ module "valkey" {
   name        = local.name
   environment = local.environment
 
-  vpc_id        = module.vpc.vpc_id
-  allowed_ip    = [module.vpc.vpc_cidr_block]
-  allowed_ports = [6379]
+  vpc_id                   = module.vpc.vpc_id
+  allowed_ip               = [module.vpc.vpc_cidr_block]
+  allowed_ports            = [6379]
+  subnet_ids               = concat(module.subnets.private_subnet_id, module.subnets.public_subnet_id)
+  subnet_group_description = "${local.environment}-${local.name} subnet group."
+  availability_zones       = ["${local.region}a", "${local.region}c"]
 
-  # -- valkey configuration
   cluster_replication_enabled = true
   replication_group = {
     engine                        = "valkey"
     engine_version                = "8.1"
     parameter_group_name          = "default.valkey8"
     port                          = 6379
     num_cache_clusters            = 2
-    node_type                     = "cache.t3.medium"
+    apply_immediately             = true
+    node_type                     = "cache.t3.micro"
     replication_group_description = "${local.environment}-${local.name} replication group."
-    maintenance_window            = "tue:07:00-tue:08:00"
+    maintenance_window            = "sat:03:30-sat:04:30"
   }
+  az_mode                    = "single-az"
+  kms_key_id                 = null # -- AWS Owned KMS Key
+  auth_token                 = jsondecode(data.aws_secretsmanager_secret_version.auth_token.secret_string)["auth_token"]
+  auth_token_update_strategy = "SET"
+  sg_ids                     = [module.vpc.vpc_default_security_group_id]
 
-  az_mode         = "single-az"
-  num_cache_nodes = 2
-  kms_key_id      = null
-  auth_token      = "UseSomethingSecure*1234"
-  # ---- valkey end -----------------
-  subnet_ids               = concat(module.subnets.private_subnet_id, module.subnets.public_subnet_id)
-  subnet_group_description = "${local.environment}-${local.name} subnet group."
-  availability_zones       = ["${local.region}a", "${local.region}c"]
-}
+}
diff --git a/main.tf b/main.tf
@@ -178,11 +178,12 @@ resource "aws_elasticache_replication_group" "cluster" {
   multi_az_enabled           = lookup(var.replication_group, "multi_az_enabled", false)
   network_type               = var.network_type
 
-  auth_token         = var.auth_token_enable ? (var.auth_token == null ? random_password.auth_token[0].result : var.auth_token) : ""
-  kms_key_id         = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
-  tags               = module.labels.tags
-  num_cache_clusters = lookup(var.replication_group, "num_cache_clusters", 1)
-  user_group_ids     = var.user_group_ids
+  auth_token                 = var.auth_token_enable ? (var.auth_token == null ? random_password.auth_token[0].result : var.auth_token) : ""
+  auth_token_update_strategy = var.auth_token_enable ? var.auth_token_update_strategy : null
+  kms_key_id                 = var.kms_key_id == "" ? join("", aws_kms_key.default[*].arn) : var.kms_key_id
+  tags                       = module.labels.tags
+  num_cache_clusters         = lookup(var.replication_group, "num_cache_clusters", 1)
+  user_group_ids             = var.user_group_ids
 
   dynamic "log_delivery_configuration" {
     for_each = var.log_delivery_configuration
diff --git a/variables.tf b/variables.tf
@@ -99,6 +99,12 @@ variable "auth_token" {
   description = "The password used to access a password protected server. Can be specified only if transit_encryption_enabled = true. Find auto generated auth_token in terraform.tfstate or in AWS SSM Parameter Store."
 }
 
+variable "auth_token_update_strategy" {
+  type        = string
+  default     = null
+  description = "(Optional) Strategy to use when updating the auth_token. Valid values are SET, ROTATE, and DELETE. Required if auth_token is set. Defaults to ROTATE"
+}
+
 variable "cluster_replication_enabled" {
   type        = bool
   default     = false
