From 4f8adaadc1f65d7aabf2d9011e266536e8d17a46 Mon Sep 17 00:00:00 2001 From: Sam Simpson Date: Tue, 25 Feb 2025 11:33:03 +0000 Subject: [PATCH 1/2] Rework elasticache module to create a shared instance --- .../deployments/elasticache/elasticache.tf | 55 +++++++++++-------- .../deployments/elasticache/variables.tf | 18 +++++- 2 files changed, 48 insertions(+), 25 deletions(-) diff --git a/terraform/deployments/elasticache/elasticache.tf b/terraform/deployments/elasticache/elasticache.tf index 553a8e7ad..1cb29d971 100644 --- a/terraform/deployments/elasticache/elasticache.tf +++ b/terraform/deployments/elasticache/elasticache.tf @@ -5,15 +5,13 @@ locals { } resource "aws_security_group" "cache" { - for_each = var.instances - name = "elasticache-${each.key}" + name = "elasticache-shared" vpc_id = data.tfe_outputs.vpc.nonsensitive_values.id - description = "EKS to ElastiCache instance ${each.key} (govuk-infrastructure/terraform/deployments/elasticache)" + description = "EKS to shared ElastiCache instance (govuk-infrastructure/terraform/deployments/elasticache)" } resource "aws_vpc_security_group_ingress_rule" "cache" { - for_each = var.instances - security_group_id = aws_security_group.cache[each.key].id + security_group_id = aws_security_group.cache.id from_port = 6379 to_port = 6379 
@@ -21,23 +19,36 @@ resource "aws_vpc_security_group_ingress_rule" "cache" { referenced_security_group_id = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.node_security_group_id } -resource "aws_elasticache_serverless_cache" "cache" { - for_each = var.instances - name = each.key - engine = "valkey" - major_engine_version = try(each.value.major_engine_version, local.default_engine_version) - security_group_ids = [aws_security_group.cache[each.key].id] - subnet_ids = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.private_subnets - - cache_usage_limits { - data_storage { - maximum = try(each.value.max_storage_gb, local.default_max_storage_gb) - unit = "GB" - } - ecpu_per_second { - maximum = try(each.value.max_ecpus_per_second, local.default_max_ecpus_per_second) - } +resource "aws_elasticache_subnet_group" "cache" { + name = "elasticache-shared" + subnet_ids = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.private_subnets +} + +resource "aws_elasticache_parameter_group" "cache" { + name = "elasticache-shared" + family = "valkey8" + + parameter { + name = "databases" + value = 10000 } + + parameter { + name = "maxmemory-policy" + value = "noeviction" + } +} + +resource "aws_elasticache_replication_group" "cache" { + replication_group_id = "govuk-shared" + description = "Shared Valkey" + num_cache_clusters = 1 + node_type = var.node_type + engine = "valkey" + engine_version = var.engine_version + parameter_group_name = aws_elasticache_parameter_group.cache.name + subnet_group_name = aws_elasticache_subnet_group.cache.name + security_group_ids = [aws_security_group.cache.id] } resource "aws_secretsmanager_secret" "urls" { 
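Review bot: The new `aws_elasticache_replication_group.cache` does not set `transit_encryption_enabled`, and the `aws_secretsmanager_secret_version.urls` hunk that follows changes the published URLs from `rediss://` to `redis://`. Every app would therefore reach the shared cache in plaintext, where the serverless cache it replaces was addressed over TLS. Nothing visible in the resource sets `auth_token` or `user_group_ids` either, so access control appears to rest on the security group alone; please confirm that is intended now that all apps share one instance. I would add `transit_encryption_enabled = true` and an explicit `at_rest_encryption_enabled = true` to the replication group, and keep the `rediss://` scheme in `secret_string`.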
@@ -46,5 +57,5 @@ resource "aws_secretsmanager_secret" "urls" { resource "aws_secretsmanager_secret_version" "urls" { secret_id = "govuk/elasticache/urls" - secret_string = jsonencode({ for name, cache in aws_elasticache_serverless_cache.cache : name => "rediss://${cache.endpoint[0].address}:${cache.endpoint[0].port}" }) + secret_string = jsonencode({ for app, dbId in var.databases : app => "redis://${aws_elasticache_replication_group.cache.primary_endpoint_address}:6379/${dbId}" }) } diff --git a/terraform/deployments/elasticache/variables.tf b/terraform/deployments/elasticache/variables.tf index 644150689..e610c15de 100644 --- a/terraform/deployments/elasticache/variables.tf +++ b/terraform/deployments/elasticache/variables.tf @@ -3,7 +3,19 @@ variable "govuk_environment" { description = "GOV.UK environment name" } -variable "instances" { - type = map(any) - description = "Map of instance name -> settings" +variable "databases" { + type = map(number) + description = "Map of app names to database IDs" +} + +variable "engine_version" { + type = string + default = "8.0" + description = "ValKey version" +} + +variable "node_type" { + type = string + default = "cache.m7g.xlarge" + description = "ElastiCache node type" } From 84c6c0a1789a8e6dc56c5d3af048e833f0d0fcf4 Mon Sep 17 00:00:00 2001 From: Sam Simpson Date: Tue, 25 Feb 2025 15:47:10 +0000 Subject: [PATCH 2/2] Set DB IDs for all apps that need redis in integration --- .../deployments/elasticache/variables.tf | 2 +- .../variables-integration.tf | 43 +++++++++++++++---- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/terraform/deployments/elasticache/variables.tf b/terraform/deployments/elasticache/variables.tf index e610c15de..ad946c701 100644 --- a/terraform/deployments/elasticache/variables.tf +++ b/terraform/deployments/elasticache/variables.tf 
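Review bot: The `databases` variable added in the variables.tf hunk is typed `map(number)` with no validation, so duplicate, negative or fractional IDs would pass planning. Two apps given the same ID would silently share one keyspace. An ID outside the parameter group's `databases = 10000` range would presumably only fail when the app connects. A `validation` block on the variable would catch both at plan time, with a condition such as `length(distinct(values(var.databases))) == length(var.databases)` plus a check that every value is a whole number between 0 and 9999.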
@@ -11,7 +11,7 @@ variable "databases" { variable "engine_version" { type = string default = "8.0" - description = "ValKey version" + description = "Valkey version" } variable "node_type" { diff --git a/terraform/deployments/tfc-configuration/variables-integration.tf b/terraform/deployments/tfc-configuration/variables-integration.tf index 0ed43d617..904c4521f 100644 --- a/terraform/deployments/tfc-configuration/variables-integration.tf +++ b/terraform/deployments/tfc-configuration/variables-integration.tf @@ -629,15 +629,40 @@ module "variable-set-elasticache-integration" { name = "elasticache-integration" tfvars = { - instances = { - /* - "example" = { - max_storage_gb = 30 - max_ecpus_per_second = 7000 - major_engine_version = "7" - } - */ - "publishing-api" = {} + + # a map of app names to database IDs + databases = { + "account-api" = 0 + "asset-manager" = 1 + "collections-publisher" = 2 + "contacts-admin" = 3 + "content-data-admin" = 4 + "content-data-api" = 5 + "content-publisher" = 6 + "content-tagger" = 7 + "draft-email-alert-frontend" = 8 + "email-alert-api" = 9 + "email-alert-frontend" = 10 + "email-alert-service" = 11 + "link-checker-api" = 12 + "local-links-manager" = 13 + "locations-api" = 14 + "manuals-publisher" = 15 + "places-manager" = 16 + "publisher-on-pg" = 17 + "publisher" = 18 + "publishing-api" = 19 + "search-admin" = 20 + "search-api" = 21 + "search-api-v2" = 22 + "short-url-manager" = 23 + "signon" = 24 + "specialist-publisher" = 25 + "support-api" = 26 + "support" = 27 + "transition" = 28 + "travel-advice-publisher" = 29 + "whitehall-admin" = 30 } } }
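Review bot: The IDs in the `databases` map in variables-integration.tf are assigned in alphabetical order, which invites renumbering when an app is added later, and a renumbered app would be pointed at another app's keys. I would extend the comment above the map to something like `# IDs are permanent once assigned: append new apps with the next free ID, never renumber`. It is also worth noting there that a database index only separates keyspaces and is not an access boundary. As far as these two commits show, no per-app credentials are configured, so `signon` and the other apps in this map can each select any of the others' databases.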