From 374c8812f28c7ae28109f5f2eaa67fb00f87c6f0 Mon Sep 17 00:00:00 2001
From: Stefan Sundin
Date: Sun, 2 Apr 2023 17:05:16 -0700
Subject: [PATCH] Allow enabling of transit encryption for Redis >= 7.0.5 without recreating instance.

This requires that `transit_encryption_mode` is specified.

Fixes https://github.com/hashicorp/terraform-provider-aws/issues/29403.
---
 .../service/elasticache/replication_group.go | 25 ++++++++++++++++++-
 ...lasticache_replication_group.html.markdown | 1 +
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/internal/service/elasticache/replication_group.go b/internal/service/elasticache/replication_group.go
index 28e05b3abaa..8f653745471 100644
--- a/internal/service/elasticache/replication_group.go
+++ b/internal/service/elasticache/replication_group.go
@@ -126,6 +126,7 @@ func ResourceReplicationGroup() *schema.Resource {
 "node_type",
 "security_group_names",
 "transit_encryption_enabled",
+ "transit_encryption_mode",
 "at_rest_encryption_enabled",
 "snapshot_arns",
 "snapshot_name",
@@ -305,9 +306,13 @@ func ResourceReplicationGroup() *schema.Resource {
 "transit_encryption_enabled": {
 Type: schema.TypeBool,
 Optional: true,
- ForceNew: true,
 Computed: true,
 },
+ "transit_encryption_mode": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validation.StringInSlice([]string{"preferred", "required"}, false),
+ },
 "user_group_ids": {
 Type: schema.TypeSet,
 Optional: true,
@@ -348,6 +353,9 @@ func ResourceReplicationGroup() *schema.Resource {
 diff.HasChange("num_node_groups") ||
 diff.HasChange("replicas_per_node_group")
 }),
+ customdiff.ForceNewIf("transit_encryption_enabled", func(_ context.Context, d *schema.ResourceDiff, meta interface{}) bool {
+ return verify.SemVerLessThan(d.Get("engine_version_actual").(string), "7.0.5")
+ }),
 verify.SetTagsDiff,
 ),
 }
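Review bot: In the @@ -305 hunk `transit_encryption_mode` is Optional but not Computed, while the Read hunk (@@ -653) unconditionally stores the API value with `d.Set("transit_encryption_mode", c.TransitEncryptionMode)`; if the API reports a mode for a TLS-enabled group whose configuration omits the argument, every plan will show a diff from that value to the empty string, and the Update hunk will then send `aws.String("")` to ModifyReplicationGroup. Adding `Computed: true,` to the attribute keeps such groups stable, and it matches how `transit_encryption_enabled` directly above is declared. The commit message and the documentation hunk both say the mode is required when `transit_encryption_enabled` is true, but nothing in the schema or the CustomizeDiff enforces that, so the misconfiguration only surfaces as an API error at apply time; a CustomizeDiff check that returns an error when encryption is enabled and the planned mode is empty (at least on engines that accept the mode) would catch it at plan time. ResourceReplicationGroup's body continues outside the hunk.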
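Review bot: The `ForceNewIf` in the @@ -348 hunk decides on `engine_version_actual` alone and ignores the direction of the change, so disabling encryption (true → false) on a 7.0.5+ engine is now planned as an in-place ModifyReplicationGroup call; if the API does not accept turning in-transit encryption off in place (worth confirming against the ModifyReplicationGroup documentation), that plan fails at apply where the removed `ForceNew: true` used to replace the group. Forcing replacement whenever the planned value is false, `return verify.SemVerLessThan(d.Get("engine_version_actual").(string), "7.0.5") || !d.Get("transit_encryption_enabled").(bool)`, would preserve the previous behaviour for that direction. `engine_version_actual` is a computed attribute, so during planning `d.Get` presumably yields the currently deployed version (or the zero value when the version itself is changing); a comment such as `// engine_version_actual reflects the deployed version, so upgrading to 7.0.5 and enabling encryption in one apply still forces replacement` would record that limitation for the next reader. ResourceReplicationGroup's body continues outside the hunk.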
@@ -463,6 +471,10 @@ func resourceReplicationGroupCreate(ctx context.Context, d *schema.ResourceData,
 input.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption_enabled").(bool))
 }
 
+ if v, ok := d.GetOk("transit_encryption_mode"); ok {
+ input.TransitEncryptionMode = aws.String(v.(string))
+ }
+
 if _, ok := d.GetOk("at_rest_encryption_enabled"); ok {
 input.AtRestEncryptionEnabled = aws.Bool(d.Get("at_rest_encryption_enabled").(bool))
 }
@@ -653,6 +665,7 @@ func resourceReplicationGroupRead(ctx context.Context, d *schema.ResourceData, m
 
 d.Set("at_rest_encryption_enabled", c.AtRestEncryptionEnabled)
 d.Set("transit_encryption_enabled", c.TransitEncryptionEnabled)
+ d.Set("transit_encryption_mode", c.TransitEncryptionMode)
 
 if c.AuthTokenEnabled != nil && !aws.BoolValue(c.AuthTokenEnabled) {
 d.Set("auth_token", nil)
@@ -808,6 +821,16 @@ func resourceReplicationGroupUpdate(ctx context.Context, d *schema.ResourceData,
 }
 }
 
+ if d.HasChange("transit_encryption_enabled") {
+ input.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption_enabled").(bool))
+ requestUpdate = true
+ }
+
+ if d.HasChange("transit_encryption_mode") {
+ input.TransitEncryptionMode = aws.String(d.Get("transit_encryption_mode").(string))
+ requestUpdate = true
+ }
+
 if requestUpdate {
 _, err := conn.ModifyReplicationGroupWithContext(ctx, input)
 if err != nil {
diff --git a/website/docs/r/elasticache_replication_group.html.markdown b/website/docs/r/elasticache_replication_group.html.markdown
index 9f740118fd1..3792ae8d14a 100644
--- a/website/docs/r/elasticache_replication_group.html.markdown
+++ b/website/docs/r/elasticache_replication_group.html.markdown
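Review bot: The two `HasChange` branches added in the @@ -808 hunk fold `transit_encryption_enabled` and `transit_encryption_mode` into one ModifyReplicationGroup request, but the documentation added by this same commit says an existing group must be set to `preferred` before it can be set to `required`; a configuration that enables encryption and sets `required` in a single apply will therefore be rejected by the API, with an error that does not mention the two-step requirement. A plan-time check in CustomizeDiff (encryption changing false → true while the planned mode is `required`) would surface that clearly before any call is made. The mode branch also forwards whatever `d.Get` returns, so removing the argument from configuration sends `aws.String("")`; `if v, ok := d.GetOk("transit_encryption_mode"); ok && d.HasChange("transit_encryption_mode") {` followed by `input.TransitEncryptionMode = aws.String(v.(string))` avoids that. resourceReplicationGroupUpdate's body continues outside the hunk on both sides, so whether any wait after the modify call covers a mode transition cannot be judged from here.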
@@ -212,6 +212,7 @@ The following arguments are optional:
 * `subnet_group_name` - (Optional) Name of the cache subnet group to be used for the replication group.
 * `tags` - (Optional) Map of tags to assign to the resource. Adding tags to this resource will add or overwrite any existing tags on the clusters in the replication group and not to the group itself. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 * `transit_encryption_enabled` - (Optional) Whether to enable encryption in transit.
+* `transit_encryption_mode` - (Optional) Valid values are `preferred` or `required`. When enabling encryption on an existing replication group, you must first set this to `preferred` before you can set it to `required`. Required when `transit_encryption_enabled` is `true`.
 * `user_group_ids` - (Optional) User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid. **NOTE:** This argument _is_ a set because the AWS specification allows for multiple IDs. However, in practice, AWS only allows a maximum size of one.
 
 ### Log Delivery Configuration