Introduction
Previously, Terraform Enterprise relied on a static Redis password for authentication. This model presents several operational and security challenges:
- Manual Rotation: Requires downtime and reconfiguration effort.
- Credential Sprawl: The password must be shared across systems, which violates the principles of least privilege and credential minimization.
- Insecure Transport: The password travels in plaintext if TLS is not enforced on port 6379.
By using AWS IAM-based authentication for ElastiCache for Redis, you can eliminate the need to store or distribute static credentials. Instead, Terraform Enterprise receives temporary IAM tokens at connection time, removing password handling entirely. This approach aligns with modern zero-trust and secrets-free architectures, significantly reducing administrative and security burdens.
Prerequisites
- A Terraform Enterprise instance deployed in AWS.
- An AWS ElastiCache for Redis instance with in-transit and at-rest encryption enabled.
- AWS CLI access with permissions to manage ElastiCache and IAM resources.
Procedure
Follow these steps to configure passwordless Redis authentication for your Terraform Enterprise instance.
Step 1: Configure AWS ElastiCache for IAM Authentication
First, create an IAM-enabled user in ElastiCache, add it to a user group, and associate the group with your Redis replication group.
- Create an IAM-enabled Redis user. This user does not have a password and authenticates using IAM.

  $ aws elasticache create-user \
      --user-name iam-redis \
      --user-id iam-redis \
      --authentication-mode Type=iam \
      --engine redis \
      --access-string "on ~* +@all"

- Create a user group and add the new IAM user to it.

  $ aws elasticache create-user-group \
      --user-group-id tfe-redis-ug \
      --engine redis \
      --user-ids default iam-redis

- Attach the user group to your Redis replication group.

  $ aws elasticache modify-replication-group \
      --replication-group-id instance-name \
      --user-group-ids-to-add tfe-redis-ug \
      --apply-immediately
Step 2: Create an IAM Policy for Terraform Enterprise
Create an IAM policy that grants the Terraform Enterprise instance permission to connect to the ElastiCache replication group and user. Attach this policy to the IAM role used by your Terraform Enterprise instance (e.g., an EC2 instance profile or an EKS node group role).
This policy allows the elasticache:Connect action for the specified replication group and user ARNs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticache:Connect",
      "Resource": [
        "arn:aws:elasticache:ap-south-1:186XXXXXXXXX:replicationgroup:redis-tfe",
        "arn:aws:elasticache:ap-south-1:186XXXXXXXXX:user:iam-redis"
      ]
    }
  ]
}
Step 3: Configure Terraform Enterprise
Update your Terraform Enterprise configuration to use the new passwordless IAM authentication method. This involves removing the old password-based variables and adding the new passwordless configuration.
Before: Password-based Configuration
TFE_REDIS_HOST: "redis_hostname:6379"
TFE_REDIS_USER: "redis"
TFE_REDIS_PASSWORD: "plaintext-password"
TFE_REDIS_USE_AUTH: "true"
After: Passwordless IAM-based Configuration
No Redis password is stored, injected, or rotated in this configuration. Note that TLS must be enabled to support IAM token authentication.
TFE_REDIS_HOST: "redis_hostname:6379"
TFE_REDIS_USER: "iam-redis"
TFE_REDIS_USE_TLS: "true"

## Passwordless IAM configuration
TFE_REDIS_PASSWORDLESS_AWS_USE_INSTANCE_PROFILE: "true"
TFE_REDIS_PASSWORDLESS_AWS_REGION: "us-west-1"
TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME: "instance-name"
TFE_REDIS_PASSWORDLESS_AWS_SERVICE_NAME: "elasticache"

## Passwordless Auth for Sidekiq
TFE_REDIS_SIDEKIQ_HOST: "redis_hostname"
TFE_REDIS_SIDEKIQ_USE_AUTH: "true"
TFE_REDIS_SIDEKIQ_USE_TLS: "true"
After applying these changes, Terraform Enterprise will connect to Redis using ephemeral IAM authentication tokens instead of a static password.
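To make the "ephemeral IAM authentication token" concrete, the following Python is an added illustration (not code from this article or from Terraform Enterprise): it builds a token in the format AWS documents for ElastiCache IAM users, a SigV4-presigned GET for Action=connect against the replication group ID (the value TFE_REDIS_PASSWORDLESS_AWS_HOST_NAME carries), valid for at most 15 minutes, which the client presents as the AUTH password over TLS. The access key, secret, session token and timestamp are constructed placeholders; the replication group and user IDs are the ones used in the steps above.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

SAMPLE_ACCESS_KEY = "AKIAEXAMPLECONSTRUCTED"          # constructed, not a real key
SAMPLE_SECRET_KEY = "constructed-secret-key-not-real"  # constructed, not a real secret
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed for reproducibility


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def elasticache_iam_token(replication_group_id, user_id, region, access_key,
                          secret_key, now=None, session_token="", expires=900):
    """Presign GET https://<replication-group-id>/?Action=connect&User=<user-id> with
    SigV4 (service "elasticache") and drop the scheme: the short-lived AUTH password."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/elasticache/aws4_request"
    params = {
        "Action": "connect",
        "User": user_id,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),        # AWS caps ElastiCache tokens at 900 s
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                          # present for instance-profile/STS creds
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, RFC 3986 percent-encoding ("/" becomes %2F).
    query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}="
                     f"{urllib.parse.quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    # Only the Host header is signed, and the host is the replication group ID,
    # not the Redis DNS endpoint; the body is empty, so its hash is SHA-256 of "".
    canonical_request = "\n".join(["GET", "/", query, f"host:{replication_group_id}\n",
                                   "host", hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(f"AWS4{secret_key}".encode(), amz_date[:8])
    for part in (region, "elasticache", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{replication_group_id}/?{query}&X-Amz-Signature={signature}"


def example_token(user_id="iam-redis", session_token=""):
    # Token for the article's sample IDs using the constructed credentials and time above.
    return elasticache_iam_token("instance-name", user_id, "us-west-1", SAMPLE_ACCESS_KEY,
                                 SAMPLE_SECRET_KEY, SAMPLE_TIME, session_token)
```

Because both the replication group (as signed host) and the user (as the User parameter) are bound into the signature, the elasticache:Connect policy in Step 2 must name both ARNs, and because the token is a bearer credential for its lifetime, TLS is required on the Redis connection.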
Additional Information
- ElastiCache IAM Authentication Overview
- ElastiCache Identity-Based Policies (elasticache:Connect)
- Terraform Enterprise Configuration Reference (Environment Variables)