From fea701e117e52d9b36e11dd13ff65bef31f31cbd Mon Sep 17 00:00:00 2001 From: Will Salt Date: Tue, 8 Apr 2025 12:09:09 +0100 Subject: [PATCH 1/3] fix: enable transit mode encryption var as it is now available in redis --- main.tf | 3 ++- variables.tf | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 98cbbb0..98e7f68 100644 --- a/main.tf +++ b/main.tf @@ -58,7 +58,8 @@ resource "aws_elasticache_cluster" "this" { snapshot_retention_limit = local.in_replication_group ? null : var.snapshot_retention_limit snapshot_window = local.in_replication_group ? null : var.snapshot_window subnet_group_name = local.in_replication_group ? null : local.subnet_group_name - transit_encryption_enabled = var.engine == "memcached" ? var.transit_encryption_enabled : null + # this makes it so that the transit encryption is enabled by default for memcached, which prevents a backwards incompatible change + transit_encryption_enabled = var.engine == "memcached" ? true : var.transit_encryption_enabled tags = local.tags diff --git a/variables.tf b/variables.tf index f4049d6..d4a130a 100644 --- a/variables.tf +++ b/variables.tf @@ -176,9 +176,9 @@ variable "snapshot_window" { } variable "transit_encryption_enabled" { - description = "Enable encryption in-transit. Supported only with Memcached versions `1.6.12` and later, running in a VPC" + description = "Enable encryption in-transit." type = bool - default = true + default = null } variable "transit_encryption_mode" { From 5694400e097fa369ed0085334d03432ccd52ba1a Mon Sep 17 00:00:00 2001 From: Will Salt Date: Tue, 8 Apr 2025 12:15:39 +0100 Subject: [PATCH 2/3] fix: docs, add examples and fix formatting --- README.md | 2 +- examples/redis-replication-group/main.tf | 11 +++++++---- main.tf | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e437ed6..a694d89 100644 --- a/README.md +++ b/README.md 
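Review bot: The new `transit_encryption_enabled` expression hard-codes `true` for every Memcached cluster, so `var.transit_encryption_enabled` is silently ignored for that engine even though the comment calls it a default; a real default keeps the old behaviour while still honouring an explicit `false`: `transit_encryption_enabled = var.engine == "memcached" ? coalesce(var.transit_encryption_enabled, true) : var.transit_encryption_enabled`. For Redis the value now falls through to the variable's new `null` default, which hands the decision to the provider/AWS default (off for Redis, as far as I know), so this resource is no longer encrypted-in-transit by default unless callers opt in — the comment should say so, or the Redis branch should default to `true` as well. The neighbouring arguments are nulled when `local.in_replication_group` is true but this one is not; if a cluster that joins a replication group rejects this argument it should follow the same pattern, which I cannot confirm from here. The resource block continues outside the hunk.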
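Review bot: The rewritten description drops the engine/version caveat at the same time `main.tf` starts sending `true` unconditionally for Memcached, so a Memcached engine below `1.6.12` (or one outside a VPC) will presumably fail at apply with nothing in the docs warning about it; keep the caveat and state what `null` means, e.g. `description = "Enable encryption in-transit. null leaves the provider/AWS default (not enabled for Redis), so set true explicitly. Memcached requires 1.6.12+ and Redis 3.2.6+, both running in a VPC."` — the version floors are from memory, check them against the provider docs. Moving the default from `true` to `null` quietly weakens the module's secure default for Redis clusters; if that is intended it belongs in the description and changelog, otherwise `default = true` with the Memcached/Redis constraints documented would be the safer choice. The variable block is complete within the hunk.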
@@ -463,7 +463,7 @@ No modules. | [subnet\_ids](#input\_subnet\_ids) | List of VPC Subnet IDs for the Elasticache subnet group | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | | [timeouts](#input\_timeouts) | Define maximum timeout for creating, updating, and deleting cluster resource | `map(string)` | `{}` | no | -| [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Enable encryption in-transit. Supported only with Memcached versions `1.6.12` and later, running in a VPC | `bool` | `true` | no | +| [transit\_encryption\_enabled](#input\_transit\_encryption\_enabled) | Enable encryption in-transit. | `bool` | `null` | no | | [transit\_encryption\_mode](#input\_transit\_encryption\_mode) | A setting that enables clients to migrate to in-transit encryption with no downtime. Valid values are preferred and required | `string` | `null` | no | | [user\_group\_ids](#input\_user\_group\_ids) | User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid | `list(string)` | `null` | no | | [vpc\_id](#input\_vpc\_id) | Identifier of the VPC where the security group will be created | `string` | `null` | no | diff --git a/examples/redis-replication-group/main.tf b/examples/redis-replication-group/main.tf index 52ae6ed..8bbeef2 100644 --- a/examples/redis-replication-group/main.tf +++ b/examples/redis-replication-group/main.tf @@ -30,10 +30,9 @@ module "elasticache" { engine_version = "7.1" node_type = "cache.t4g.small" - transit_encryption_enabled = true - auth_token = "PickSomethingMoreSecure123!" - maintenance_window = "sun:05:00-sun:09:00" - apply_immediately = true + auth_token = "PickSomethingMoreSecure123!" + maintenance_window = "sun:05:00-sun:09:00" + apply_immediately = true # Security Group vpc_id = module.vpc.vpc_id 
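Review bot: The re-added `auth_token = "PickSomethingMoreSecure123!"` keeps a literal Redis AUTH token in the example, and copied examples tend to carry such values into real stacks; take it from a sensitive input instead, e.g. `auth_token = var.auth_token` with `variable "auth_token" { type = string sensitive = true }`, so the example demonstrates the safe shape. ElastiCache presumably only accepts `auth_token` when in-transit encryption is enabled, so moving `transit_encryption_enabled` away from this line loses the visual coupling between the two settings — a one-line `# auth_token requires transit_encryption_enabled = true (set below)` would keep it. The module block continues outside the hunk.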
@@ -63,6 +62,10 @@ module "elasticache" { } ] + # enable encryption in-transit + transit_encryption_enabled = true + transit_encryption_mode = "preferred" + tags = local.tags } diff --git a/main.tf b/main.tf index 98e7f68..fc0e4a3 100644 --- a/main.tf +++ b/main.tf @@ -59,7 +59,7 @@ resource "aws_elasticache_cluster" "this" { snapshot_window = local.in_replication_group ? null : var.snapshot_window subnet_group_name = local.in_replication_group ? null : local.subnet_group_name # this makes it so that the transit encryption is enabled by default for memcached, which prevents a backwards incompatible change - transit_encryption_enabled = var.engine == "memcached" ? true : var.transit_encryption_enabled + transit_encryption_enabled = var.engine == "memcached" ? true : var.transit_encryption_enabled tags = local.tags From d98451cafaa9bf95751d3a9a38e24f5313ce9dfc Mon Sep 17 00:00:00 2001 From: Will Salt Date: Tue, 8 Apr 2025 12:56:52 +0100 Subject: [PATCH 3/3] fix: force encryption in example --- examples/redis-replication-group/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/redis-replication-group/main.tf b/examples/redis-replication-group/main.tf index 8bbeef2..5d036ab 100644 --- a/examples/redis-replication-group/main.tf +++ b/examples/redis-replication-group/main.tf @@ -64,7 +64,7 @@ module "elasticache" { # enable encryption in-transit transit_encryption_enabled = true - transit_encryption_mode = "preferred" + transit_encryption_mode = "required" tags = local.tags }
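Review bot: `transit_encryption_mode = "required"` is the right value for a freshly created replication group, but nothing in the example says that applying it to an existing unencrypted group needs the provider's two-step path (as I recall, `preferred` first, then `required` on a later apply), so a reader adapting this will hit an apply error with no hint why; add above the line `# "required" works on create; to enable on an existing group apply "preferred" first, then "required"`. The module block continues outside the hunk.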