ElastiCache for Redis / Valkey

aws-elasticache-redis

Amazon ElastiCache for Redis / Valkey, cluster mode disabled (a single primary with optional read replicas). Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. Secure by default and self-contained: encryption at rest and in transit are both on, the cache is never publicly reachable, and the networking pieces (subnet group + security group) are created for you — falling back to the account's default VPC so a minimal cache applies with just a name.

Secure defaults:

• Encryption at rest on (at_rest_encryption_enabled = true); use a customer-managed key via kms_key_id, otherwise the AWS-managed ElastiCache key
• Encryption in transit (TLS) on (transit_encryption_enabled = true); optional auth_token adds Redis AUTH on top (the token is never an output)
• No public exposure — access is via a module-created security group that opens the cache port only to allowed_cidrs / allowed_security_group_ids (no ingress at all by default)
• Automatic minor version upgrades on, to pick up security patches
• Footgun guards (plan-time preconditions): Multi-AZ implies automatic failover, automatic failover implies num_cache_clusters >= 2, auth_token implies TLS, kms_key_id implies at-rest encryption

Cost note: the default cache.t4g.micro single node is the cheapest option (~$0.016/hr). HA (replicas + automatic_failover_enabled + multi_az_enabled) is off by default — opt in for production.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).