Allow enabling of transit encryption for Redis >= 7.0.5 without recre…

…ating instance. This requires that `transit_encryption_mode` is specified. Fixes #29403.

internal/service/elasticache/replication_group.go

@@ -126,6 +126,7 @@ func ResourceReplicationGroup() *schema.Resource {
 					"node_type",
 					"security_group_names",
 					"transit_encryption_enabled",
+					"transit_encryption_mode",
 					"at_rest_encryption_enabled",
 					"snapshot_arns",
 					"snapshot_name",
@@ -305,9 +306,13 @@ func ResourceReplicationGroup() *schema.Resource {
 			"transit_encryption_enabled": {
 				Type:     schema.TypeBool,
 				Optional: true,
-				ForceNew: true,
 				Computed: true,
 			},
+			"transit_encryption_mode": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice([]string{"preferred", "required"}, false),
+			},
 			"user_group_ids": {
 				Type:          schema.TypeSet,
 				Optional:      true,
@@ -348,6 +353,9 @@ func ResourceReplicationGroup() *schema.Resource {
 					diff.HasChange("num_node_groups") ||
 					diff.HasChange("replicas_per_node_group")
 			}),
+			customdiff.ForceNewIf("transit_encryption_enabled", func(_ context.Context, d *schema.ResourceDiff, meta interface{}) bool {
+				return verify.SemVerLessThan(d.Get("engine_version_actual").(string), "7.0.5")
+			}),
 			verify.SetTagsDiff,
 		),
 	}
@@ -463,6 +471,10 @@ func resourceReplicationGroupCreate(ctx context.Context, d *schema.ResourceData,
 		input.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption_enabled").(bool))
 	}
 
+	if v, ok := d.GetOk("transit_encryption_mode"); ok {
+		input.TransitEncryptionMode = aws.String(v.(string))
+	}
+
 	if _, ok := d.GetOk("at_rest_encryption_enabled"); ok {
 		input.AtRestEncryptionEnabled = aws.Bool(d.Get("at_rest_encryption_enabled").(bool))
 	}
@@ -653,6 +665,7 @@ func resourceReplicationGroupRead(ctx context.Context, d *schema.ResourceData, m
 
 		d.Set("at_rest_encryption_enabled", c.AtRestEncryptionEnabled)
 		d.Set("transit_encryption_enabled", c.TransitEncryptionEnabled)
+		d.Set("transit_encryption_mode", c.TransitEncryptionMode)
 
 		if c.AuthTokenEnabled != nil && !aws.BoolValue(c.AuthTokenEnabled) {
 			d.Set("auth_token", nil)
@@ -808,6 +821,16 @@ func resourceReplicationGroupUpdate(ctx context.Context, d *schema.ResourceData,
 			}
 		}
 
+		if d.HasChange("transit_encryption_enabled") {
+			input.TransitEncryptionEnabled = aws.Bool(d.Get("transit_encryption_enabled").(bool))
+			requestUpdate = true
+		}
+
+		if d.HasChange("transit_encryption_mode") {
+			input.TransitEncryptionMode = aws.String(d.Get("transit_encryption_mode").(string))
+			requestUpdate = true
+		}
+
 		if requestUpdate {
 			_, err := conn.ModifyReplicationGroupWithContext(ctx, input)
 			if err != nil {

website/docs/r/elasticache_replication_group.html.markdown

@@ -212,6 +212,7 @@ The following arguments are optional:
 * `subnet_group_name` - (Optional) Name of the cache subnet group to be used for the replication group.
 * `tags` - (Optional) Map of tags to assign to the resource. Adding tags to this resource will add or overwrite any existing tags on the clusters in the replication group and not to the group itself. If configured with a provider [`default_tags` configuration block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block) present, tags with matching keys will overwrite those defined at the provider-level.
 * `transit_encryption_enabled` - (Optional) Whether to enable encryption in transit.
+* `transit_encryption_mode` - (Optional) Valid values are `preferred` or `required`. When enabling encryption on an existing replication group, you must first set this to `preferred` before you can set it to `required`. Required when `transit_encryption_enabled` is `true`.
 * `user_group_ids` - (Optional) User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid. **NOTE:** This argument _is_ a set because the AWS specification allows for multiple IDs. However, in practice, AWS only allows a maximum size of one.
 
 ### Log Delivery Configuration