Rework elasticache module to create a shared instance

terraform/deployments/elasticache/elasticache.tf

@@ -5,46 +5,52 @@ locals {
 }
 
 resource "aws_security_group" "cache" {
-  for_each    = var.instances
-  name        = "elasticache-${each.key}"
+  name        = "elasticache-shared"
   vpc_id      = data.tfe_outputs.vpc.nonsensitive_values.id
-  description = "EKS to ElastiCache instance ${each.key} (govuk-infrastructure/terraform/deployments/elasticache)"
+  description = "EKS to shared ElastiCache instance (govuk-infrastructure/terraform/deployments/elasticache)"
 }
 
 resource "aws_vpc_security_group_ingress_rule" "cache" {
-  for_each          = var.instances
-  security_group_id = aws_security_group.cache[each.key].id
+  security_group_id = aws_security_group.cache.id
 
   from_port                    = 6379
   to_port                      = 6379
   ip_protocol                  = "tcp"
   referenced_security_group_id = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.node_security_group_id
 }
 
-resource "aws_elasticache_serverless_cache" "cache" {
-  for_each             = var.instances
-  name                 = each.key
-  engine               = "valkey"
-  major_engine_version = try(each.value.major_engine_version, local.default_engine_version)
-  security_group_ids   = [aws_security_group.cache[each.key].id]
-  subnet_ids           = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.private_subnets
-
-  cache_usage_limits {
-    data_storage {
-      maximum = try(each.value.max_storage_gb, local.default_max_storage_gb)
-      unit    = "GB"
-    }
-    ecpu_per_second {
-      maximum = try(each.value.max_ecpus_per_second, local.default_max_ecpus_per_second)
-    }
+resource "aws_elasticache_subnet_group" "cache" {
+  name       = "elasticache-shared"
+  subnet_ids = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.private_subnets
+}
+
+resource "aws_elasticache_parameter_group" "cache" {
+  name   = "elasticache-shared"
+  family = "valkey8"
+
+  parameter {
+    name  = "databases"
+    value = 10000
   }
 }
 
+resource "aws_elasticache_replication_group" "cache" {
+  replication_group_id = "govuk-shared"
+  description          = "Shared Valkey"
+  num_cache_clusters   = 1
+  node_type            = var.node_type
+  engine               = "valkey"
+  engine_version       = var.engine_version
+  parameter_group_name = aws_elasticache_parameter_group.cache.name
+  subnet_group_name    = aws_elasticache_subnet_group.cache.name
+  security_group_ids   = [aws_security_group.cache.id]
+}
+
 resource "aws_secretsmanager_secret" "urls" {
   name = "govuk/elasticache/urls"
 }
 
 resource "aws_secretsmanager_secret_version" "urls" {
   secret_id     = "govuk/elasticache/urls"
-  secret_string = jsonencode({ for name, cache in aws_elasticache_serverless_cache.cache : name => "rediss://${cache.endpoint[0].address}:${cache.endpoint[0].port}" })
+  secret_string = jsonencode({ for app, dbId in var.databases : app => "redis://${aws_elasticache_replication_group.cache.primary_endpoint_address}:6379/${dbId}" })
 }

terraform/deployments/elasticache/variables.tf

@@ -3,7 +3,19 @@ variable "govuk_environment" {
   description = "GOV.UK environment name"
 }
 
-variable "instances" {
-  type        = map(any)
-  description = "Map of instance name -> settings"
+variable "databases" {
+  type        = map(number)
+  description = "Map of app names to database IDs"
+}
+
+variable "engine_version" {
+  type        = string
+  default     = "8.0"
+  description = "ValKey version"
+}
+
+variable "node_type" {
+  type        = string
+  default     = "cache.m7g.xlarge"
+  description = "ElastiCache node type"
 }