umotif-public/terraform-aws-elasticache-redis

Enabling `transit_encryption_enabled` on a redis 7 based cluster requires resource replacement

Closed this issue · 1 comments

What is the current behavior?
I have a Redis 7 based cluster without `transit_encryption_enabled`; if I enable it, then tf wants to replace the resource:

```
  # module.tf-aws.module.redis.aws_elasticache_replication_group.redis must be replaced
-/+ resource "aws_elasticache_replication_group" "redis" {
# SNIP
      ~ transit_encryption_enabled     = false -> true # forces replacement
      - user_group_ids                 = [] -> null
        # (20 unchanged attributes hidden)
```

According to the AWS docs, enabling transit encryption for Redis 7 is supported without recreating the cluster:

> Modifying the in-transit encryption setting, for an existing cluster, is supported on replication groups running Redis version 7 and later.

The ability to change the in-transit encryption is also available in the AWS console.

What is the expected behavior?
Changing the `transit_encryption_enabled` value should not require resource recreation when `engine_version>=7.0`.

Software versions?

```
  source  = "umotif-public/elasticache-redis/aws"
  version = "v3.2.0"
+ provider registry.terraform.io/hashicorp/aws v4.51.0
```

Ah - I just checked and that param is just passed in as part of the main aws_elasticache_replication_group resource, so this is a problem with the aws provider. I'll raise it upstream :)
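
A CI guard for the situation reported above, as an added example that is not part of the original issue or the module's code: it reads a plan exported with `terraform show -json` and lists ElastiCache replication groups that would be destroyed and recreated because `transit_encryption_enabled` changed. The sample plan is constructed; only the first resource address comes from the issue, and the function name is hypothetical.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document.
# The first entry mirrors the plan in the issue; the other two are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.tf-aws.module.redis.aws_elasticache_replication_group.redis",
   "type": "aws_elasticache_replication_group",
   "change": {"actions": ["delete", "create"],
              "before": {"engine_version": "7.0", "transit_encryption_enabled": false},
              "after": {"engine_version": "7.0", "transit_encryption_enabled": true},
              "replace_paths": [["transit_encryption_enabled"]]}},
  {"address": "aws_elasticache_replication_group.sessions",
   "type": "aws_elasticache_replication_group",
   "change": {"actions": ["update"],
              "before": {"transit_encryption_enabled": true},
              "after": {"transit_encryption_enabled": true}}},
  {"address": "aws_elasticache_replication_group.cache",
   "type": "aws_elasticache_replication_group",
   "change": {"actions": ["create", "delete"],
              "before": {"transit_encryption_enabled": true},
              "after": {"transit_encryption_enabled": true},
              "replace_paths": [["at_rest_encryption_enabled"]]}}
]}
""")

RTYPE = "aws_elasticache_replication_group"
ATTR = "transit_encryption_enabled"

def tls_forced_replacements(plan):
    """Return (address, before, after) for replication groups the plan would
    destroy and recreate because transit_encryption_enabled changed."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        if rc.get("type") != RTYPE or not {"delete", "create"} <= actions:
            continue  # other resource type, or not a replacement
        # replace_paths lists the attribute paths that force the replacement
        if any(p and p[0] == ATTR for p in change.get("replace_paths") or []):
            hits.append((rc["address"],
                         (change.get("before") or {}).get(ATTR),
                         (change.get("after") or {}).get(ATTR)))
    return hits

if __name__ == "__main__":
    for address, before, after in tls_forced_replacements(SAMPLE_PLAN):
        print(f"BLOCK {address}: {ATTR} {before} -> {after} forces replacement")
```

Failing the pipeline on a non-empty result keeps an attempt to turn on in-transit encryption from silently destroying the cache while the provider still marks the attribute as forcing replacement.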