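AWSTemplateFormatVersion: '2010-09-09'
# The SAM transform is declared although no AWS::Serverless::* resources are
# defined below; it is harmless and is kept so existing deploy tooling
# (sam deploy / sam package) keeps working unchanged.
Transform: AWS::Serverless-2016-10-31
Description: >
  tfe-redis
  TFE Redis cache cluster

Parameters:
  # Naming inputs: together they form the SSM parameter path prefix
  # /${Domain}/${System}/${Component}/${CodeBranch}/ used by the Resources below.
  Domain:
    Type: String
    Description: 'Name of Domain'
  System:
    Type: String
    Description: 'Name of System'
  Component:
    Type: String
    Description: 'Name of Component'
  CodeBranch:
    Type: String
    Description: 'Name of GitHub Branch'

  # Network placement is resolved from SSM at deploy time rather than passed
  # as raw IDs, so the stack cannot be pointed at an arbitrary VPC by a caller.
  VpcId:
    Type: AWS::SSM::Parameter::Value<String>
    Description: Account VPC ID
  VpcSubnets:
    Type: AWS::SSM::Parameter::Value<CommaDelimitedList>
    Description: Account subnets

  Engine:
    Type: String
    Description: Database engine
    AllowedValues:
      - redis
      - valkey
  NodeType:
    Type: String
    Description: ElastiCache node type
    # NOTE: Just suggestions. Tune to own needs
    # Single-quoted so the backslashes reach CloudFormation literally as `\.`.
    AllowedPattern: '^cache\.(t3|t4g|m5|m6|r5|r6g|r6gd)\.(micro|small|medium|large|xlarge)$'
  NumCacheClusters:
    Type: Number
    Description: Number of cache clusters (replicas)
    MinValue: 2  # Redis with AutomaticFailoverEnabled requires at least 2 nodes
    MaxValue: 6
  EngineVersion:
    Type: String
    Description: Engine version
  Port:
    Type: Number
    Description: Port number
    Default: 6379

  # Encryption toggles are strings because CloudFormation parameters have no
  # Boolean type; AllowedValues restricts them to the two values the
  # ReplicationGroup accepts. Both default to enabled.
  EncryptionInTransit:
    Type: String
    Description: Enable encryption in transit
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
  EncryptionAtRest:
    Type: String
    Description: Enable encryption at rest
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'

Resources:
  # Log group
  # Engine and slow logs are delivered here by LogDeliveryConfigurations on the
  # ReplicationGroup. Short retention and Delete policies: these are operational
  # logs for a cache, not an audit trail.
  EngineCloudwatchLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      LogGroupName: !Sub '/${AWS::StackName}/engine-log'
      RetentionInDays: 5
  SlowCloudwatchLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      LogGroupName: !Sub '/${AWS::StackName}/slow-log'
      RetentionInDays: 5

  # Redis Security Group
  # Deliberately has no ingress rules: nothing can reach the cache until a
  # consuming stack adds an ingress rule referencing the group ID published in
  # SSM (SecurityGroupIdSsmParam). No SecurityGroupEgress is given, so
  # CloudFormation's default allow-all egress rule applies; tighten it if the
  # account policy requires restricted egress.
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub 'Security group for ${Component} cache cluster'
      VpcId: !Ref VpcId

  # ElastiCache Subnet Group
  SubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: !Sub 'Subnet group for ${Component} cache cluster'
      SubnetIds: !Ref VpcSubnets

  # ElastiCache Replication Group
  # Access control note: no AuthToken and no UserGroupIds are configured, so
  # TransitEncryptionEnabled only encrypts the channel and does not
  # authenticate clients. The security group is the sole access control.
  # If authentication is required, add an AuthToken (NoEcho parameter sourced
  # from a secret store) or RBAC user groups; AuthToken requires
  # TransitEncryptionEnabled to be true.
  # Delete policies plus SnapshotRetentionLimit 0 mean stack deletion or
  # replacement discards all cached data with no backup - intended for a cache.
  ReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      ReplicationGroupDescription: !Sub 'Cache replication group for ${Component}'
      Engine: !Ref Engine
      EngineVersion: !Ref EngineVersion
      Port: !Ref Port
      CacheNodeType: !Ref NodeType
      NumCacheClusters: !Ref NumCacheClusters
      # MultiAZ requires automatic failover, and both require >= 2 nodes
      # (enforced by the NumCacheClusters MinValue above).
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref SubnetGroup
      SecurityGroupIds:
        - !Ref SecurityGroup
      # AtRestEncryptionEnabled cannot be modified in place; changing the
      # EncryptionAtRest parameter on an existing stack replaces the cluster
      # (and, with the policies above, drops its contents).
      AtRestEncryptionEnabled: !Ref EncryptionAtRest
      TransitEncryptionEnabled: !Ref EncryptionInTransit
      LogDeliveryConfigurations:
        - LogType: engine-log
          DestinationType: cloudwatch-logs
          LogFormat: json
          DestinationDetails:
            CloudWatchLogsDetails:
              LogGroup: !Ref EngineCloudwatchLogGroup
        - LogType: slow-log
          DestinationType: cloudwatch-logs
          LogFormat: json
          DestinationDetails:
            CloudWatchLogsDetails:
              LogGroup: !Ref SlowCloudwatchLogGroup
      SnapshotRetentionLimit: 0  # NOTE: No need for snapshots
      PreferredMaintenanceWindow: 'sun:05:00-sun:07:00'
      AutoMinorVersionUpgrade: true

  # SSM Parameters for service consumption
  # Plain String parameters: endpoint addresses, the port and the security
  # group ID are not secrets. Consumers resolve them by the fixed path below.
  PrimaryEndpointSsmParam:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Description: Cache primary endpoint address
      Name: !Sub '/${Domain}/${System}/${Component}/${CodeBranch}/CachePrimaryEndpoint'
      Value: !GetAtt ReplicationGroup.PrimaryEndPoint.Address
  ReaderEndpointSsmParam:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Description: Cache reader endpoint address
      Name: !Sub '/${Domain}/${System}/${Component}/${CodeBranch}/CacheReaderEndpoint'
      Value: !GetAtt ReplicationGroup.ReaderEndPoint.Address
  PortSsmParam:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Description: Cache port
      Name: !Sub '/${Domain}/${System}/${Component}/${CodeBranch}/CachePort'
      # Ref on a Number parameter yields its string form, which is what an SSM
      # String parameter requires.
      Value: !Ref Port
  SecurityGroupIdSsmParam:
    Type: AWS::SSM::Parameter
    Properties:
      Type: String
      Description: Cache security group ID
      Name: !Sub '/${Domain}/${System}/${Component}/${CodeBranch}/CacheSecurityGroupId'
      Value: !Ref SecurityGroup

Outputs:
  ReplicationGroupId:
    Description: ID of the ElastiCache Replication Group
    Value: !Ref ReplicationGroup
  PrimaryEndpointAddress:
    Description: Primary endpoint address
    Value: !GetAtt ReplicationGroup.PrimaryEndPoint.Address
  ReaderEndpointAddress:
    Description: Reader endpoint address
    Value: !GetAtt ReplicationGroup.ReaderEndPoint.Address
  Port:
    Description: Port
    Value: !Ref Port
  SecurityGroupId:
    Description: Security group ID for the cluster
    Value: !Ref SecurityGroup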