diff --git a/aws/stack/app/elasticache.tf b/aws/stack/app/elasticache.tf
index ef9431cc..5d5b545d 100644
--- a/aws/stack/app/elasticache.tf
+++ b/aws/stack/app/elasticache.tf
@@ -29,4 +29,5 @@ module "elasticache" {
 cluster_mode = var.elasticache_cluster_mode
 maxmemory_policy = var.elasticache_maxmemory_policy == null ? (var.elasticache_cluster_mode ? "volatile-lru" : "noeviction") : var.elasticache_maxmemory_policy
 transit_encryption_enabled = var.elasticache_transit_encryption_enabled
+ transit_encryption_mode = var.elasticache_transit_encryption_mode
 }
diff --git a/aws/stack/app/variables.tf b/aws/stack/app/variables.tf
index c62fe82c..18f3c53e 100644
--- a/aws/stack/app/variables.tf
+++ b/aws/stack/app/variables.tf
@@ -397,6 +397,17 @@ variable "rds_ca_cert_identifier" {
 # =============== ECS ================ #
 variable "health_check_path" { default = "/livez" }
+variable "elasticache_transit_encryption_mode" {
+ type = string
+ default = "required"
+ description = "when migrating from no encryption to encryption, this must be set to 'preferred', then apply changes, then set to 'required'"
+
+ validation {
+ condition = contains(["required", "preferred"], var.elasticache_transit_encryption_mode)
+ error_message = "elasticache_transit_encryption_mode must be either 'required' or 'preferred'"
+ }
+}
+
 variable "enable_container_insights" {
 type = bool
 default = null
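Review bot: The added `transit_encryption_mode` argument in `module "elasticache"` is passed unconditionally, even when `var.elasticache_transit_encryption_enabled` is false, while the new variable defaults to "required". The module's handling is not visible in this diff, so this may be harmless. If the value is forwarded as-is, a stack with transit encryption off could fail at plan or apply, or an operator could read "required" as meaning TLS is enforced when it is not. Consider `transit_encryption_mode = var.elasticache_transit_encryption_enabled ? var.elasticache_transit_encryption_mode : null`, provided the module accepts null. The `module "elasticache"` block starts outside the hunk.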
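Review bot: The description on `elasticache_transit_encryption_mode` gives the migration steps but does not say that 'preferred' leaves the cache accepting unencrypted client connections, so a stack left at 'preferred' after migration has no enforced TLS. I would extend it, e.g. `description = "Use 'preferred' only while migrating an unencrypted cache (clients may still connect without TLS); apply, move clients to TLS, then set back to 'required'."`. The variable is also added under the `# ECS` header between `health_check_path` and `enable_container_insights`; it would be easier to find next to the other `elasticache_*` variables, which are presumably grouped elsewhere in the file. The `error_message` starts lowercase and has no closing period, which older Terraform releases reject as not being a full sentence, so it is worth checking against the pinned Terraform version.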