Refactor Redis configuration and update CloudWatch metrics

- Introduced a new local variable for the Redis replication group ID to enhance maintainability.
- Updated CloudWatch dashboard metrics to reference the new Redis cluster ID variable.
- Removed unused random password resource and Secrets Manager secret for Redis authentication.
- Replaced the ElastiCache replication group resource with a cluster resource for simplified configuration.
- Added a CloudFormation stack to manage Redis replication group and its authentication token securely.

These changes streamline the Redis setup and improve the security of authentication management.

Author: Thomas-Boyle

infrastructure/account/cloudwatch_dashboards.tf

@@ -57,6 +57,8 @@ locals {
   # ECS (cluster names match instance short_prefix: imms-<sub_env>-ecs-cluster)
   ecs_clusters = [for sub_env in local.sub_environments_map[var.environment] : "imms-${sub_env}-ecs-cluster"]
 
+  redis_cache_cluster_id = "immunisation-redis-replication-group-001"
+
   # Alarms
   alarms = [
     "_create_imms-lambda-error",
@@ -745,7 +747,7 @@ resource "aws_cloudwatch_dashboard" "imms-metrics-dashboard" {
           "view" : "timeSeries",
           "stacked" : false,
           "metrics" : [
-            ["AWS/ElastiCache", "CacheHits", "CacheClusterId", "immunisation-redis-cluster", "CacheNodeId", "0001"]
+            ["AWS/ElastiCache", "CacheHits", "CacheClusterId", local.redis_cache_cluster_id, "CacheNodeId", "0001"]
           ],
           "region" : var.aws_region,
           "title" : "ElastiCache - CacheHits",
@@ -760,7 +762,7 @@ resource "aws_cloudwatch_dashboard" "imms-metrics-dashboard" {
         "height" : 6,
         "properties" : {
           "metrics" : [
-            ["AWS/ElastiCache", "CPUUtilization", "CacheClusterId", "immunisation-redis-cluster", "CacheNodeId", "0001"]
+            ["AWS/ElastiCache", "CPUUtilization", "CacheClusterId", local.redis_cache_cluster_id, "CacheNodeId", "0001"]
           ],
           "view" : "timeSeries",
           "stacked" : false,

infrastructure/account/main.tf

@@ -4,10 +4,6 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 6"
     }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3"
-    }
   }
   backend "s3" {
     region       = "eu-west-2"

infrastructure/account/redis_cache.tf

@@ -1,39 +1,59 @@
-resource "random_password" "redis_auth_token" {
-  length           = 32
-  special          = true
-  override_special = "!&#$^<>-"
-}
-
-resource "aws_secretsmanager_secret" "redis_auth_token" {
-  name        = "imms/redis/auth-token"
-  description = "Auth token for the immunisation Redis cache"
-}
-
-resource "aws_secretsmanager_secret_version" "redis_auth_token" {
-  secret_id     = aws_secretsmanager_secret.redis_auth_token.id
-  secret_string = random_password.redis_auth_token.result
+# Subnet Group for Redis
+resource "aws_elasticache_subnet_group" "redis_subnet_group" {
+  name       = "immunisation-redis-subnet-group"
+  subnet_ids = values(aws_subnet.private)[*].id
 }
 
-resource "aws_elasticache_replication_group" "redis_cluster" {
-  replication_group_id = "immunisation-redis-cluster"
-  description          = "Redis cache for immunisation configuration data"
+resource "aws_elasticache_cluster" "redis_cluster" {
+  cluster_id           = "immunisation-redis-cluster"
   engine               = "redis"
   engine_version       = "7.0"
   node_type            = "cache.t2.micro"
-  num_cache_clusters   = 1
+  num_cache_nodes      = 1
   parameter_group_name = "default.redis7"
   port                 = 6379
   security_group_ids   = [aws_security_group.lambda_redis_sg.id]
   subnet_group_name    = aws_elasticache_subnet_group.redis_subnet_group.name
-
-  at_rest_encryption_enabled = true
-  transit_encryption_enabled = true
-  auth_token                 = random_password.redis_auth_token.result
-  auth_token_update_strategy = "SET"
 }
 
-# Subnet Group for Redis
-resource "aws_elasticache_subnet_group" "redis_subnet_group" {
-  name       = "immunisation-redis-subnet-group"
-  subnet_ids = values(aws_subnet.private)[*].id
+# CloudFormation dynamic references keep the generated auth token out of Terraform state.
+resource "aws_cloudformation_stack" "redis_replication_group" {
+  name = "immunisation-redis-replication-group"
+
+  template_body = jsonencode({
+    AWSTemplateFormatVersion = "2010-09-09"
+    Description              = "Redis replication group with Secrets Manager generated auth token"
+    Resources = {
+      RedisAuthToken = {
+        Type = "AWS::SecretsManager::Secret"
+        Properties = {
+          Name        = "imms/redis/auth-token"
+          Description = "Auth token for the immunisation Redis cache"
+          GenerateSecretString = {
+            ExcludePunctuation = true
+            PasswordLength     = 32
+          }
+        }
+      }
+      RedisReplicationGroup = {
+        Type      = "AWS::ElastiCache::ReplicationGroup"
+        DependsOn = "RedisAuthToken"
+        Properties = {
+          ReplicationGroupId          = "immunisation-redis-replication-group"
+          ReplicationGroupDescription = "Redis cache for immunisation configuration data"
+          Engine                      = "redis"
+          EngineVersion               = "7.0"
+          CacheNodeType               = "cache.t2.micro"
+          NumCacheClusters            = 1
+          CacheParameterGroupName     = "default.redis7"
+          Port                        = 6379
+          SecurityGroupIds            = [aws_security_group.lambda_redis_sg.id]
+          CacheSubnetGroupName        = aws_elasticache_subnet_group.redis_subnet_group.name
+          AtRestEncryptionEnabled     = true
+          TransitEncryptionEnabled    = true
+          AuthToken                   = "{{resolve:secretsmanager:imms/redis/auth-token:SecretString}}"
+        }
+      }
+    }
+  })
 }

infrastructure/instance/endpoints.tf

@@ -36,6 +36,15 @@ locals {
     local.redis_env_vars
   )
 }
+
+data "aws_iam_policy_document" "redis_auth_token_policy_document" {
+  statement {
+    effect    = "Allow"
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [data.aws_secretsmanager_secret.redis_auth_token.arn]
+  }
+}
+
 data "aws_iam_policy_document" "imms_policy_document" {
   source_policy_documents = [
     templatefile("${local.policy_path}/dynamodb.json", {
@@ -55,6 +64,7 @@ data "aws_iam_policy_document" "imms_policy_document" {
     templatefile("${local.policy_path}/secret_manager.json", {
       "account_id" : data.aws_caller_identity.current.account_id
     }),
+    data.aws_iam_policy_document.redis_auth_token_policy_document.json,
     file("${local.policy_path}/ec2_network_interfaces.json")
   ]
 }

infrastructure/instance/main.tf

@@ -82,7 +82,7 @@ data "aws_kms_key" "existing_dynamo_encryption_key" {
 }
 
 data "aws_elasticache_replication_group" "existing_redis" {
-  replication_group_id = "immunisation-redis-cluster"
+  replication_group_id = "immunisation-redis-replication-group"
 }
 
 data "aws_secretsmanager_secret" "redis_auth_token" {

infrastructure/instance/policies/secret_manager.json

@@ -6,8 +6,7 @@
       "Action": "secretsmanager:GetSecretValue",
       "Resource": [
         "arn:aws:secretsmanager:eu-west-2:${account_id}:secret:imms/outbound/*/*",
-        "arn:aws:secretsmanager:eu-west-2:${account_id}:secret:imms/pds/*/*",
-        "arn:aws:secretsmanager:eu-west-2:${account_id}:secret:imms/redis/auth-token-*"
+        "arn:aws:secretsmanager:eu-west-2:${account_id}:secret:imms/pds/*/*"
       ]
     }
   ]