diff --git a/README.md b/README.md
index 48a6b15..a74fd8d 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,7 @@ module "cache_redis" {
 | subnet\_group\_name | The name of the cache subnet group to be used for the replication group | `string` | n/a | yes |
 | subnet\_ids | List of Subnet IDs for the RDS Subnet Group | `list(any)` | `[]` | no |
 | transit\_encryption\_enabled | n/a | `bool` | `false` | no |
+| user\_group\_ids | (Optional) User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid. NOTE: This argument is a set because the AWS specification allows for multiple IDs. However, in practice, AWS only allows a maximum size of one. | `set(string)` | `null` | no |
 | vpc\_id | n/a | `string` | n/a | yes |
 
 ## Outputs
diff --git a/_variables.tf b/_variables.tf
index 8ec932f..86a1da4 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -114,4 +114,10 @@ variable "subnet_ids" {
 
 variable "vpc_id" {
   type = string
+}
+
+variable "user_group_ids" {
+  description = "(Optional) User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid. NOTE: This argument is a set because the AWS specification allows for multiple IDs. However, in practice, AWS only allows a maximum size of one."
+  type        = set(string)
+  default     = null
 }
\ No newline at end of file
diff --git a/redis.tf b/redis.tf
index aa5d0c5..2b6793d 100644
--- a/redis.tf
+++ b/redis.tf
@@ -11,21 +11,21 @@ resource "aws_elasticache_replication_group" "redis" {
   at_rest_encryption_enabled    = var.at_rest_encryption_enabled
   transit_encryption_enabled    = var.transit_encryption_enabled
   multi_az_enabled              = var.multi_az_enabled
-  # auth_token                    = var.transit_encryption_enabled ? var.auth_token != null ? var.auth_token : random_string.redis_password[0].result : null
-  auth_token               = var.transit_encryption_enabled ? random_string.redis_password[0].result : null
-  engine                   = var.engine
-  engine_version           = var.engine_version
-  kms_key_id               = var.kms_key_id
-  maintenance_window       = var.maintenance_window
-  node_type                = var.node_type
-  notification_topic_arn   = var.notification_topic_arn
-  number_cache_clusters    = var.number_cache_clusters
-  port                     = var.port
-  security_group_ids       = [aws_security_group.redis.id]
-  snapshot_retention_limit = var.snapshot_retention_limit
-  snapshot_window          = var.snapshot_window
-  subnet_group_name        = try(aws_elasticache_subnet_group.redis[0].name, var.subnet_group_name)
-  parameter_group_name     = var.parameter_group_name
+  auth_token                    = var.transit_encryption_enabled ? random_string.redis_password[0].result : null
+  engine                        = var.engine
+  engine_version                = var.engine_version
+  kms_key_id                    = var.kms_key_id
+  maintenance_window            = var.maintenance_window
+  node_type                     = var.node_type
+  notification_topic_arn        = var.notification_topic_arn
+  number_cache_clusters         = var.number_cache_clusters
+  port                          = var.port
+  security_group_ids            = [aws_security_group.redis.id]
+  snapshot_retention_limit      = var.snapshot_retention_limit
+  snapshot_window               = var.snapshot_window
+  subnet_group_name             = try(aws_elasticache_subnet_group.redis[0].name, var.subnet_group_name)
+  parameter_group_name          = var.parameter_group_name
+  user_group_ids                = var.user_group_ids
 
   tags = {
     "Name"    = var.name