Top / Amazon Web Service / AWS ElastiCache / Replication Group

AWS ElastiCache Replication Group

This page shows how to write Terraform and CloudFormation for ElastiCache Replication Group and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_elasticache_replication_group (Terraform)

The Replication Group in ElastiCache can be configured in Terraform with the resource name aws_elasticache_replication_group. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

test_elasticsearch_replication_group.tf#L2
resource "aws_elasticache_replication_group" "missing_property" {
}

resource "aws_elasticache_replication_group" "sensitive_proprty_value" {
  transit_encryption_enabled = false  # Noncompliant {{Make sure allowing clear-text traffic is safe here.}}
}
elasticache_replication_group_test.tf#L12
resource "aws_elasticache_replication_group" "cluster" {
  replication_group_description = "This Replication Group"
  replication_group_id          = "tf-rep-group-1"
  automatic_failover_enabled    = true
  node_type                     = "cache.m4.large"
elasticache.tf#L7
resource "aws_elasticache_replication_group" "ec-single" {
  replication_group_id          = "ec-single"
  replication_group_description = "Cluster single node"
  node_type                     = "cache.t3.micro"
  number_cache_clusters         = 1
  port                          = 6379
elasticache_replication_group_test.tf#L12
resource "aws_elasticache_replication_group" "cluster" {
  replication_group_description = "This Replication Group"
  replication_group_id          = "tf-rep-group-1"
  automatic_failover_enabled    = true
  node_type                     = "cache.m4.large"
encryption_in_transit.tf#L2
resource "aws_elasticache_replication_group" "transit_encryption_enabled_is_set_to_true" {
  replication_group_id          = "foo"
  replication_group_description = "test description"
  node_type                     = "cache.m4.large"
  number_cache_clusters         = 2
  transit_encryption_enabled    = true

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_elasticache_replication_group

There are 2 settings in aws_elasticache_replication_group that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure to enable in-transit encryption of ElastiCache

It's better to enable in-transit encryption of ElastiCahe. If the ElastiCache replication group uses unencrypted traffic, it is vulnerable to meet-in-the-middle (MITM) attacks.

risk-label

Enable at rest encryption of ElastiCache

It is better to enable at rest encryption of ElastiCache. Encryption reduces the risk of data leakage.

Review your AWS ElastiCache settings

You can check if the aws_elasticache_replication_group setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Provides an ElastiCache Replication Group resource. For working with a Memcached cluster or a single-node Redis instance (Cluster Mode Disabled), see the aws_elasticache_cluster resource.

Note: When you change an attribute, such as engine_version, by default the ElastiCache API applies it in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because the actual modification has not yet taken place. You can use the apply_immediately flag to instruct the service to apply the change immediately. Using apply_immediately can result in a brief downtime as servers reboots. See the AWS Documentation on Modifying an ElastiCache Cache Cluster for more information. Note: Any attribute changes that re-create the resource will be applied immediately, regardless of the value of apply_immediately. Note: Be aware of the terminology collision around "cluster" for aws_elasticache_replication_group. For example, it is possible to create a "Cluster Mode Disabled [Redis] Cluster". With "Cluster Mode Enabled", the data will be stored in shards (called "node groups"). See Redis Cluster Configuration for a diagram of the differences. To enable cluster mode, use a parameter group that has cluster mode enabled. The default parameter groups provided by AWS end with ".cluster.on", for example default.redis6.x.cluster.on.

>> from Terraform Registry

Tips: Best Practices for The Other AWS ElastiCache Resources

In addition to the aws_elasticache_cluster, AWS ElastiCache has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_elasticache_cluster

Ensure to enable backup retention of Elasitcache

It's better to take snapshots of Redis clusters to improve data availability.

Review your AWS ElastiCache settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::ElastiCache::ReplicationGroup (CloudFormation)

The ReplicationGroup in ElastiCache can be configured in CloudFormation with the resource name AWS::ElastiCache::ReplicationGroup. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

The AWS::ElastiCache::ReplicationGroup resource creates an Amazon ElastiCache Redis replication group. A Redis (cluster mode disabled) replication group is a collection of cache clusters, where one of the clusters is a primary read-write cluster and the others are read-only replicas. A Redis (cluster mode enabled) cluster is comprised of from 1 to 90 shards (API/CLI: node groups). Each shard has a primary node and up to 5 read-only replica nodes. The configuration can range from 90 shards and 0 replicas to 15 shards and 5 replicas, which is the maximum number or replicas allowed. The node or shard limit can be increased to a maximum of 500 per cluster if the Redis engine version is 5.

6 or higher. For example, you can choose to configure a 500 node cluster that ranges between 83 shards (one primary and 5 replicas per shard) and 500 shards (single primary and no replicas). Make sure there are enough available IP addresses to accommodate the increase. Common pitfalls include the subnets in the subnet group have too small a CIDR range or the subnets are shared and heavily used by other clusters. For more information, see Creating a Subnet Group. For versions below 5.

6, the limit is 250 per cluster.

To request a limit increase, see Amazon Service Limits and choose the limit type Nodes per cluster per instance type.

>> from AWS CloudFormation Documentation

The Other Related AWS ElastiCache Resources

Frequently asked questions

What is AWS ElastiCache Replication Group?

AWS ElastiCache Replication Group is a resource for ElastiCache of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS ElastiCache Replication Group?

For Terraform, the SonarSource/sonar-iac, gilyas/infracost and guilhermeghm/terraform_scripts source code examples are useful. See the Terraform Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents