RedisLabs
diff --git a/‎.github/workflows/terraform_provider_pr.yml‎
Lines changed: 11 additions & 0 deletions b/‎.github/workflows/terraform_provider_pr.yml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎docs/data-sources/rediscloud_active_active_subscription_database.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/data-sources/rediscloud_active_active_subscription_database.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/data-sources/rediscloud_database.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/data-sources/rediscloud_database.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/resources/rediscloud_active_active_subscription.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/resources/rediscloud_active_active_subscription.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/resources/rediscloud_active_active_subscription_database.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/resources/rediscloud_active_active_subscription_database.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/resources/rediscloud_subscription.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/resources/rediscloud_subscription.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/resources/rediscloud_subscription_database.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/resources/rediscloud_subscription_database.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
@@ -182,6 +182,17 @@ jobs:
       - run: EXECUTE_TESTS=true make testacc TESTARGS='-run="TestAccResourceRedisCloudPrivateLink_CRUDI"'
 
 
+  go_test_block_public_endpoints:
+    name: go test smoke public endpoints
+    needs: [ go_build ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+      - run: EXECUTE_TESTS=true make testacc TESTARGS='-run="TestAcc(RedisCloudProDatabaseBlockPublicEndpoints|ActiveActiveSubscriptionDatabaseBlockPublicEndpoints)"'
+
   go_unit_test:
     name: go unit test
     needs: [go_build]
 
@@ -3,6 +3,15 @@
 All notable changes to this project will be documented in this file.
 See updating [Changelog example here](https://keepachangelog.com/en/1.0.0/)
 
+# 2.6.0 (17th October 2025)
+
+## Added:
+- Support for disabling public endpoints on databases. When public endpoints are disabled, database connections are restricted to private networks only (via VPC peering, PrivateLink, or Private Service Connect).
+- `source_ips` attribute added to `rediscloud_database` data source.
+- `global_source_ips` attribute added to `rediscloud_active_active_subscription_database` data source.
+
+## Fixed:
+- The default value for `enable_default_user` on each region for active-active subscriptions made the global default effectively redundant. The default has been removed meaning that the global default should work correctly now.
 
 # 2.5.0 (13th October 2025)
 
 
@@ -49,6 +49,7 @@ data "rediscloud_active_active_subscription_database" "example" {
 * `external_endpoint_for_oss_cluster_api` - Use the external endpoint for open-source (OSS) Cluster API.
 * `enable_tls` - Enable TLS for database.
 * `tls_certificate` - TLS certificate used for authentication.
+* `global_source_ips` - Set of CIDR addresses to allow access to the database.
 * `data_eviction` - The data items eviction policy.
 * `global_modules` - A list of modules to be enabled on all deployments of this database.
 * `public_endpoint` - Public endpoint to access the database.
 
@@ -63,6 +63,7 @@ data "rediscloud_database" "example" {
 * `private_endpoint` - Private endpoint to access the database
 * `enable_tls` - Enable TLS for database, default is `false`
 * `enable_default_user` - When `true` enables connecting to the database with the default user. Default `true`.
+* `source_ips` - Set of CIDR addresses to allow access to the database.
 * `latest_backup_status` - A latest_backup_status object, documented below.
 * `latest_import_status` - A latest_import_status object, documented below.
 * `tags` - A string/string map of all Tags associated with this database.
 
@@ -59,6 +59,7 @@ The following arguments are supported:
 * `name` - (Required) A meaningful name to identify the subscription
 * `payment_method` - (Optional) The payment method for the requested subscription, (either `credit-card` or `marketplace`).  Must not be set for direct contracts. If `credit-card` is specified, `payment_method_id` must be defined. Default: 'credit-card'. **(Changes to) this attribute are ignored after creation.**
 * `payment_method_id` - (Optional) A valid payment method pre-defined in the current account. This value is __Optional__ for AWS/GCP Marketplace accounts, but __Required__ for all other account types
+* `public_endpoint_access` - (Optional) Allow public access to databases within this subscription. When set to `false`, database access is restricted to private IP ranges only. Default: `true`.
 * `cloud_provider` - (Optional) The cloud provider to use with the subscription, (either `AWS` or `GCP`). Default: ‘AWS’. **Modifying this attribute will force creation of a new resource.**
 * `redis_version` - (Optional) The Redis version of the databases in the subscription. If omitted, the Redis version will be the default. **Deprecated: This attribute is deprecated on the subscription level. Please specify `redis_version` on databases directly instead.**
 * `creation_plan` - (Required) A creation plan object, documented below. Ignored after creation.
 
@@ -102,7 +102,7 @@ The following arguments are supported:
 * `global_password` - (Optional) Password to access the database of regions that don't override global settings. If left empty, the password will be generated automatically
 * `global_alert` - (Optional) A block defining Redis database alert of regions that don't override global settings, documented below, can be specified multiple times. (either: 'dataset-size', 'datasets-size', 'throughput-higher-than', 'throughput-lower-than', 'latency', 'syncsource-error', 'syncsource-lag' or 'connections-limit')
 * `global_modules` - (Optional) A list of modules to be enabled on all deployments of this database. Supported modules: `RedisJSON`, `RediSearch`. Ignored after database creation.
-* `global_source_ips` - (Optional) List of source IP addresses or subnet masks of regions that don't override global settings. If specified, Redis clients will be able to connect to this database only from within the specified source IP addresses ranges (example: ['192.168.10.0/32', '192.168.12.0/24'])
+* `global_source_ips` - (Optional) List of source IP addresses or subnet masks that are allowed to connect to the database across all regions that don't override this setting (example: ['192.168.10.0/32', '192.168.12.0/24']). When not specified, the default behavior depends on the subscription's `public_endpoint_access` setting: if `false`, defaults to RFC1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10); if `true`, defaults to 0.0.0.0/0 (unrestricted public access)
 * `global_enable_default_user` - (Optional) When 'true', enables connecting to the database with the 'default' user across all regions. Default: 'true'
 * `global_resp_version` - (Optional) Either 'resp2' or 'resp3'. Resp version for Crdb databases within the AA database. Must be compatible with Redis version.
 * `port` - (Optional) TCP port on which the database is available - must be between 10000 and 19999. **Modifying this attribute will force creation of a new resource.**
@@ -114,7 +114,7 @@ The `override_region` block supports:
 * `name` - (Required) Region name.
 * `override_global_alert` - (Optional) A block defining Redis regional instance of an Active-Active database alert, documented below, can be specified multiple times
 * `override_global_password` - (Optional) If specified, this regional instance of an Active-Active database password will be used to access the database
-* `override_global_source_ips` - (Optional)  List of regional instance of an Active-Active database source IP addresses or subnet masks. If specified, Redis clients will be able to connect to this database only from within the specified source IP addresses ranges (example: ['192.168.10.0/32', '192.168.12.0/24'] )
+* `override_global_source_ips` - (Optional) List of source IP addresses or subnet masks that are allowed to connect to the database in this specific region, overriding the global `global_source_ips` setting (example: ['192.168.10.0/32', '192.168.12.0/24']). If not specified, the global `global_source_ips` setting applies to this region
 * `override_global_data_persistence` - (Optional) Regional instance of an Active-Active database data persistence rate (in persistent storage)
 * `remote_backup` - (Optional) Specifies the backup options for the database in this region, documented below
 * `enable_default_user` - (Optional) Whether the default user should be enabled or not. True by default.
 
@@ -72,6 +72,7 @@ The following arguments are supported:
 * `name` - (Required) A meaningful name to identify the subscription
 * `payment_method` (Optional) The payment method for the requested subscription, (either `credit-card` or `marketplace`). Must not be set for direct contracts. If `credit-card` is specified, `payment_method_id` must be defined. Default: 'credit-card'. **(Changes to) this attribute are ignored after creation.**
 * `payment_method_id` - (Optional) A valid payment method pre-defined in the current account. Only __Required__ when `payment_method` is `credit-card`.
+* `public_endpoint_access` - (Optional) Allow public access to databases within this subscription. When set to `false`, database access is restricted to private IP ranges only. Default: `true`.
 * `memory_storage` - (Optional) Memory storage preference: either ‘ram’ or a combination of ‘ram-and-flash’. Default: ‘ram’. **Modifying this attribute will force creation of a new resource.**
 * `redis_version` - (Optional) The Redis version of the databases in the subscription. If omitted, the Redis version will be the default.  **Deprecated: This attribute is deprecated on the subscriptions level. Please specify `redis_version` on databases directly instead.**
 * `allowlist` - (Optional) An allowlist object, documented below
 
@@ -96,7 +96,7 @@ The following arguments are supported:
 * `replication` - (Optional) Databases replication. Default: ‘true’
 * `average_item_size_in_bytes` - (Optional) Relevant only to ram-and-flash clusters. Estimated average size (measured in bytes)
   of the items stored in the database. Default: 1000
-* `source_ips` - (Optional) List of source IP addresses or subnet masks. If specified, Redis clients will be able to connect to this database only from within the specified source IP addresses ranges (example: [‘192.168.10.0/32’, ‘192.168.12.0/24’])
+* `source_ips` - (Optional) List of source IP addresses or subnet masks that are allowed to connect to the database (example: ['192.168.10.0/32', '192.168.12.0/24']). When not specified, the default behavior depends on the subscription's `public_endpoint_access` setting: if `false`, defaults to RFC1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10); if `true`, defaults to 0.0.0.0/0 (unrestricted public access)
 * `hashing_policy` - (Optional) List of regular expression rules to shard the database by. See
   [the documentation on clustering](https://docs.redislabs.com/latest/rc/concepts/clustering/) for more information on the
   hashing policy. This cannot be set when `support_oss_cluster_api` is set to true.
 
@@ -5,7 +5,7 @@ go 1.24.0
 toolchain go1.24.1
 
 require (
-	github.com/RedisLabs/rediscloud-go-api v0.37.0
+	github.com/RedisLabs/rediscloud-go-api v0.38.0
 	github.com/bflad/tfproviderlint v0.31.0
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1
 
@@ -4,8 +4,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=
 github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
-github.com/RedisLabs/rediscloud-go-api v0.37.0 h1:qnu9mfGqOPZSMi17r3OwATzN72OkMkBPxjyWn619LBY=
-github.com/RedisLabs/rediscloud-go-api v0.37.0/go.mod h1:Hkh3i/EsHnyfgV0ijednbofz/EmZC3sFnSNNruF3G6I=
+github.com/RedisLabs/rediscloud-go-api v0.38.0 h1:lLOS0E8tQhUzuUfb/H+QWtDaZrC9xNnTvAPBygH4WS8=
+github.com/RedisLabs/rediscloud-go-api v0.38.0/go.mod h1:Hkh3i/EsHnyfgV0ijednbofz/EmZC3sFnSNNruF3G6I=
 github.com/agext/levenshtein v1.2.2 h1:0S/Yg6LYmFJ5stwQeRp6EeOcCbj7xiqQSdNelsXvaqE=
 github.com/agext/levenshtein v1.2.2/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec=