aws-cloudformation-elasticache

# AWS CloudFormation ElastiCache

## Overview

Use this skill to model ElastiCache infrastructure with CloudFormation without turning `SKILL.md` into a full service manual.

Focus on the delivery decisions that matter most:
- choosing the right cache topology
- placing the cache safely inside a VPC
- configuring availability, encryption, and exports for downstream stacks

Use the bundled `references/` documents for larger production templates and service-specific detail.

## When to Use

Use this skill when:
- creating a Redis or Memcached cache tier with CloudFormation
- deciding between `AWS::ElastiCache::CacheCluster` and `AWS::ElastiCache::ReplicationGroup`
- configuring subnet groups, parameter groups, and security groups for application access
- adding snapshots, maintenance windows, encryption, and Multi-AZ behavior
- exporting cache endpoints to application or platform stacks
- reviewing cache changes for replacement risk, downtime, or operational cost

Typical trigger phrases include `cloudformation elasticache`, `redis replication group`, `memcached cluster`, `cache subnet group`, and `export redis endpoint`.

## Instructions

### 1. Choose the cache topology first

Use:
- `ReplicationGroup` for production Redis-style deployments that need failover, replicas, or sharding
- `CacheCluster` for Memcached or simple single-node cache scenarios

Do not start with resource YAML before deciding whether the application needs durability, read replicas, cluster mode, or just an ephemeral cache.

### 2. Model the network boundary explicitly

Create and wire:
- a subnet group with private application subnets
- a security group that allows access only from the application tier
- parameter groups only when default engine settings are insufficient

Keep the cache private unless there is a very unusual and well-reviewed reason not to.

### 3. Configure durability and security based on environment

For production-style Redis deployments, decide on:
- automatic failover and Multi-AZ
- at-rest and in-transit encryption
- snapshot retention and maintenance windows
- authentication or auth token strategy where supported

For lower environments, document when a cheaper single-node configuration is acceptable.

### 4. Add reusable parameters and outputs

Parameterize only the settings that truly vary between environments, such as node type, subnet IDs, or snapshot retention.

Export outputs that other stacks need, typically:
- primary or configuration endpoint
- reader endpoint when applicable
- security group or subnet group identifiers only if downstream stacks genuinely depend on them

### 5. Validate the stack change before rollout

Before deployment:
- run template validation
- inspect whether changes replace the cluster or replication group
- review security group exposure and encryption settings
- confirm maintenance, backup, and scaling choices match the application's recovery expectations

## Examples

### Example 1: Redis replication group with private networking

```yaml
Parameters:
  CacheNodeType:
    Type: String
    Default: cache.t4g.small

Resources:
  CacheSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: Private subnets for the cache tier
      SubnetIds: !Ref PrivateSubnetIds

  CacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application access to Redis
      VpcId: !Ref VpcId

  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Application Redis cluster
      Engine: redis
      CacheNodeType: !Ref CacheNodeType
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 1
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
      TransitEncryptionEnabled: true
      AtRestEncryptionEnabled: true
```

### Example 2: Export an endpoint for another stack

```yaml
Outputs:
  RedisPrimaryEndpoint:
    Description: Primary endpoint used by the application stack
    Value: !GetAtt RedisReplicationGroup.PrimaryEndPoint.Address
    Export:
      Name: !Sub "${AWS::StackName}-RedisPrimaryEndpoint"
```

Keep outputs small and stable so consumer stacks do not break unnecessarily.

## Best Practices

- Prefer replication groups over single-node Redis for production systems.
- Put caches in private subnets and restrict ingress to known application security groups.
- Turn on encryption and snapshots unless there is a documented reason not to.
- Review replacement risk before changing engine version, cluster mode, or subnet design.
- Use parameters for environment-specific sizing, not for every possible knob.
- Keep deep template variants in `references/examples.md` instead of expanding the root skill endlessly.

## Constraints and Warnings

- Some ElastiCache changes cause replacement or data loss if applied carelessly.
- NAT, subnet, and routing mistakes can make the cache unreachable even when the stack succeeds.
- Multi-AZ, replicas, and larger node types can change cost significantly.
- Cache endpoints, encryption support, and auth features vary by engine and version.
- Snapshot and maintenance windows must align with the application's recovery and deployment practices.

## References

- `references/examples.md`
- `references/reference.md`

## Related Skills

- `aws-cloudformation-vpc`
- `aws-cloudformation-security`
- `aws-cloudformation-ecs`
- `aws-cloudformation-lambda`