Redshift Cluster (encrypted, private)

aws-redshift — Amazon Redshift Cluster

A production-ready Amazon Redshift cluster, single-node by default, with secure defaults baked in. Encryption is always on, the cluster is never publicly accessible, a dedicated parameter group enforces require_ssl, and the cluster gets a locked-down security group (no inbound rules unless you list allowed_cidrs). By default the admin password is generated and stored in Secrets Manager — it is never written to Terraform state.

Self-contained for quick trials: leave subnet_ids empty and the module discovers the subnets of the account's default VPC and derives the matching VPC for the security group.

Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

What it provisions

• aws_redshift_cluster — the cluster (encrypted, not publicly accessible).
• aws_redshift_subnet_group — where the cluster's ENIs live.
• aws_redshift_parameter_group — dedicated group with require_ssl = true.
• aws_security_group + standalone ingress/egress rules — client access on the cluster port from allowed_cidrs (none by default); all egress for COPY/UNLOAD and enhanced VPC routing.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).