feat(elasticache): open one port, switch to valkey (#116)

# Goals

Noticing high connect times for redis in traces -- probably just first
query but still
https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/wwe-troubleshooting.html
recommends having both ports open in case a client tries to connect to
both

Also, we need to switch to valkey before we turn it on cause it's almost
1/3 cheaper per unit.

# Implementation

- open both ports
- upgrade AWS provider to get valkey support
- move to valkey
- set a dummy password on the disabled default user --
no-password-required apparently not supported for valkey
- fix some downstream effects of create_before_destroy being applied at
top of stack (shouldn't be as create_before_destroy will not work for
many resources)

Makefile

@@ -75,6 +75,11 @@ deploy/app/.terraform:
 
 init: deploy/app/.terraform .tfworkspace
 
+.PHONY: upgrade
+
+upgrade:
+	tofu -chdir=deploy/app init -upgrade
+
 .PHONY: validate
 
 validate: deploy/app/.terraform .tfworkspace

deploy/app/elasticcache.tf

@@ -9,7 +9,7 @@ resource "aws_kms_key" "cache_key" {
 resource "aws_elasticache_serverless_cache" "cache" {
   for_each = local.caches
 
-  engine = "redis"
+  engine = "valkey"
   name = "${terraform.workspace}-${var.app}-${each.key}-cache"
   cache_usage_limits {
     data_storage {
@@ -33,8 +33,8 @@ resource "aws_elasticache_serverless_cache" "cache" {
 }
 
 resource "aws_elasticache_user_group" "cache_user_group" {
-  engine = "REDIS"
-  user_group_id = "${terraform.workspace}-${var.app}-redis"
+  engine = "valkey"
+  user_group_id = "${terraform.workspace}-${var.app}-valkey"
 
   user_ids = [
     aws_elasticache_user.cache_default_user.id, 
@@ -51,12 +51,13 @@ resource "aws_elasticache_user" "cache_default_user" {
   user_name     = "default"
   access_string = "off ~keys* -@all +get"
   authentication_mode {
-    type = "no-password-required"
+    type = "password"
+    passwords = ["does not matter its disabled"]
   }
   lifecycle {
     ignore_changes = [authentication_mode]
   }
-  engine = "REDIS"
+  engine = "valkey"
 }
 
 resource "aws_elasticache_user" "cache_iam_user" {
@@ -66,7 +67,7 @@ resource "aws_elasticache_user" "cache_iam_user" {
   authentication_mode {
     type = "iam"
   }
-  engine = "REDIS"
+  engine = "valkey"
 }
 
 resource "aws_security_group" "cache_security_group" {
@@ -78,7 +79,7 @@ resource "aws_security_group" "cache_security_group" {
     cidr_blocks = [aws_vpc.vpc.cidr_block]
     description = "Redis"
     from_port = 6379
-    to_port = 6379
+    to_port = 6380
     protocol = "tcp"
   }
 }

deploy/app/gateway.tf

@@ -87,9 +87,6 @@ resource "aws_apigatewayv2_deployment" "deployment" {
 
   api_id = aws_apigatewayv2_api.api.id
   description = "${terraform.workspace} ${var.app} API Deployment"
-  lifecycle {
-    create_before_destroy = true
-  }
 }
 
 data "terraform_remote_state" "shared" {
@@ -136,10 +133,6 @@ resource "aws_apigatewayv2_stage" "stage" {
   api_id = aws_apigatewayv2_api.api.id
   name   = "$default"
   deployment_id = aws_apigatewayv2_deployment.deployment.id
-
-  lifecycle {
-    create_before_destroy = true
-  }
 }
 
 resource "aws_apigatewayv2_api_mapping" "api_mapping" {

deploy/app/lambda.tf

@@ -399,7 +399,7 @@ resource "aws_security_group" "lambda_security_group" {
 
   egress {
     from_port = 6379
-    to_port   = 6379
+    to_port   = 6380
     protocol  = "tcp"
     description = "Allow elasticache access"
     security_groups = [

deploy/app/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.73.0"
+      version = ">= 5.86.0"
     }
     archive = {
       source = "hashicorp/archive"

deploy/shared/main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.73.0"
+      version = ">= 5.86.0"
     }
   }
   backend "s3" {