tessl install github:giuseppe-trisciuoglio/developer-kit --skill aws-cloudformation-elasticache
github.com/giuseppe-trisciuoglio/developer-kit
AWS CloudFormation patterns for Amazon ElastiCache. Use when creating ElastiCache clusters (Redis, Memcached), replication groups, parameter groups, subnet groups, and implementing template structure with Parameters, Outputs, Mappings, Conditions, and cross-stack references for distributed caching infrastructure.
Create production-ready Amazon ElastiCache infrastructure using AWS CloudFormation templates. This skill covers Redis clusters, Memcached clusters, replication groups, parameter groups, subnet groups, security groups, template structure best practices, parameter patterns, and cross-stack references for modular, reusable infrastructure as code.
Use this skill when:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Simple Redis ElastiCache cluster with basic configuration
Parameters:
  CacheNodeType:
    Type: String
    Default: cache.t3.micro
    Description: Cache node instance type
  PrivateSubnet1:
    Type: AWS::EC2::Subnet::Id
    Description: First private subnet for the cache
  PrivateSubnet2:
    Type: AWS::EC2::Subnet::Id
    Description: Second private subnet for the cache
  CacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group that admits only application traffic on the cache port
Resources:
  CacheSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: Subnet group for ElastiCache
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
  CacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      CacheNodeType: !Ref CacheNodeType
      # A Redis Cluster resource is always a single node; for replicas and
      # failover use AWS::ElastiCache::ReplicationGroup (next template)
      NumCacheNodes: 1
      Engine: redis
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      VpcSecurityGroupIds:
        - !Ref CacheSecurityGroup
Outputs:
  RedisEndpoint:
    Description: Redis cluster endpoint address
    Value: !GetAtt CacheCluster.RedisEndpoint.Address
  RedisPort:
    Description: Redis cluster port
    Value: !GetAtt CacheCluster.RedisEndpoint.Port
```

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Redis Replication Group with primary and read replicas
Parameters:
  CacheNodeType:
    Type: String
    Default: cache.t3.micro
    Description: Cache node instance type
  PrivateSubnet1:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2:
    Type: AWS::EC2::Subnet::Id
  CacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  CacheSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: Subnet group for Redis replication
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
  ReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Primary and replicas for HA
      Engine: redis
      CacheNodeType: !Ref CacheNodeType
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 1
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      # ReplicationGroup uses SecurityGroupIds; VpcSecurityGroupIds is the Cluster property
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
Outputs:
  PrimaryEndpoint:
    Description: Primary endpoint for write operations
    Value: !GetAtt ReplicationGroup.PrimaryEndPoint.Address
  ReaderEndpoint:
    Description: Reader endpoint for read operations
    Value: !GetAtt ReplicationGroup.ReaderEndPoint.Address
```

AWS CloudFormation templates are JSON or YAML files with specific sections. Each section serves a purpose in defining your infrastructure.
```yaml
AWSTemplateFormatVersion: 2010-09-09   # Optional; 2010-09-09 is the only valid value
Description: Optional description string
# Section order is conventional; CloudFormation accepts any order
Metadata: {}      # Additional information about the template or its resources
Parameters: {}    # Input values for customization
Rules: {}         # Parameter validation rules
Mappings: {}      # Static lookup tables
Conditions: {}    # Conditional resource creation
# Transform: AWS::Serverless-2016-10-31   # Macro processing (a name or list of names, not a map)
Resources: {}     # AWS resources to create (the only REQUIRED section)
Outputs: {}       # Values returned after stack creation
```

The optional AWSTemplateFormatVersion section identifies the template format version; 2010-09-09 is the only valid value.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: ElastiCache Redis Cluster Template
```

Add a description to document the template's purpose. It is a literal string of at most 1024 bytes and, per the CloudFormation documentation, follows the format version.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template creates an ElastiCache Redis cluster with:
  - Multi-AZ deployment for high availability
  - Automatic failover enabled
  - Encrypted at-rest and in-transit
  - Parameter group for custom configuration
```

Use Metadata for additional information about resources or parameters, including AWS::CloudFormation::Interface for parameter grouping in the console.
```yaml
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Cache Configuration
        Parameters:
          - CacheNodeType
          - NumCacheNodes
          - Engine
      - Label:
          default: Network
        Parameters:
          - CacheSubnetGroupName
          - VpcSecurityGroupIds
    ParameterLabels:
      CacheNodeType:
        default: Cache Node Instance Type
      NumCacheNodes:
        default: Number of Cache Nodes
```

The Resources section is the only required section. It defines the AWS resources to provision.
```yaml
Resources:
  # Cache Subnet Group (required for VPC deployment)
  CacheSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: Subnet group for ElastiCache deployment
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
  # Cache Parameter Group (the Redis 7 family is named redis7, not redis7.x)
  CacheParameterGroup:
    Type: AWS::ElastiCache::ParameterGroup
    Properties:
      Description: Custom parameter group for Redis
      Family: redis7
      Parameters:
        maxmemory-policy: allkeys-lru
        timeout: 300
  # Cache Cluster
  CacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      CacheNodeType: cache.t3.micro
      NumCacheNodes: 1
      Engine: redis
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref CacheParameterGroup
```

Use AWS-specific parameter types (such as AWS::EC2::SecurityGroup::Id or AWS::EC2::Subnet::Id) where one exists: the console offers a picker and CloudFormation validates the value against the account before creating the stack. There are no ElastiCache-specific parameter types, so cache names and node types stay String parameters constrained with AllowedPattern or AllowedValues.
```yaml
Parameters:
  CacheNodeType:
    Type: String
    Description: ElastiCache node instance type
    Default: cache.t3.micro
  CacheSubnetGroup:
    Type: String
    Description: Name of an existing cache subnet group
    AllowedPattern: "[a-zA-Z0-9-]+"
  VpcSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for cache cluster
```

Common ElastiCache node types:
```yaml
Parameters:
  CacheNodeType:
    Type: String
    Default: cache.t3.micro
    AllowedValues:
      - cache.t3.micro
      - cache.t3.small
      - cache.t3.medium
      - cache.t3.large
      - cache.m5.large
      - cache.m5.xlarge
      - cache.m5.2xlarge
      - cache.m5.4xlarge
      - cache.r5.large
      - cache.r5.xlarge
      - cache.r5.2xlarge
      - cache.r5.4xlarge
      - cache.r6g.large
      - cache.r6g.xlarge
      - cache.r6g.2xlarge
```

Add constraints to validate parameter values.
```yaml
Parameters:
  CacheClusterId:
    Type: String
    Description: Cache cluster identifier
    Default: myrediscluster
    AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
    ConstraintDescription: Must begin with a letter; contain only alphanumeric characters
    MinLength: 1
    MaxLength: 50
  NumCacheNodes:
    Type: Number
    Description: Number of cache nodes (Memcached only; Redis Cluster resources take exactly 1)
    Default: 1
    MinValue: 1
    MaxValue: 10
  CachePort:
    Type: Number
    Description: Cache port number
    Default: 6379
    MinValue: 1024
    MaxValue: 65535
```

```yaml
Parameters:
  Engine:
    Type: String
    Description: Cache engine
    Default: redis
    AllowedValues:
      - redis
      - memcached
  EngineVersion:
    Type: String
    Description: Cache engine version (quoted so YAML keeps it a string rather than a float)
    Default: "7.0"
  EngineVersionMajor:
    Type: String
    Description: Cache engine major version
    Default: "7.0"
    AllowedValues:
      - "6.x"
      - "7.0"
```

Reference Systems Manager parameters for dynamic values.
```yaml
# These SSM parameter names are ones you maintain yourself (for example with
# aws ssm put-parameter); AWS does not publish ElastiCache engine versions as
# public parameters. The value is resolved when the stack is created or updated.
Parameters:
  LatestRedisVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Description: Latest approved Redis version, read from SSM
    Default: /elasticache/redis/latest/version
  LatestMemcachedVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Description: Latest approved Memcached version, read from SSM
    Default: /elasticache/memcached/latest/version
```

Use Mappings for static configuration data keyed by region or instance type.
```yaml
Mappings:
  # Capacity figures are illustrative; check the current ElastiCache node-type table
  CacheNodeConfig:
    cache.t3.micro:
      CPU: 2
      MemoryMiB: 555
      NetworkGbits: 5
    cache.t3.medium:
      CPU: 2
      MemoryMiB: 3218
      NetworkGbits: 10
    cache.m5.large:
      CPU: 2
      MemoryMiB: 6910
      NetworkGbits: 10
    cache.r5.large:
      CPU: 2
      MemoryMiB: 13866
      NetworkGbits: 10
  RegionMap:
    us-east-1:
      RedisPort: 6379
      MemcachedPort: 11211
    us-west-2:
      RedisPort: 6379
      MemcachedPort: 11211
    eu-west-1:
      RedisPort: 6379
      MemcachedPort: 11211
Resources:
  CacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      CacheNodeType: !Ref CacheNodeType
      NumCacheNodes: 1
      Engine: redis
      # The property is Port (there is no CachePort property)
      Port: !FindInMap [RegionMap, !Ref AWS::Region, RedisPort]
```

Use Conditions to create or configure resources based on parameters.
```yaml
Parameters:
  EnableMultiAZ:
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
  EnableEncryption:
    Type: String
    Default: "true"
    AllowedValues: ["true", "false"]
  Environment:
    Type: String
    Default: development
    AllowedValues: [development, staging, production]
Conditions:
  IsMultiAZ: !Equals [!Ref EnableMultiAZ, "true"]
  IsEncrypted: !Equals [!Ref EnableEncryption, "true"]
  IsProduction: !Equals [!Ref Environment, production]
Resources:
  # Failover and Multi-AZ are ReplicationGroup properties; AWS::ElastiCache::Cluster
  # has neither, and a Redis Cluster resource cannot have more than one node
  ReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Redis with conditional Multi-AZ and encryption
      Engine: redis
      CacheNodeType: !Ref CacheNodeType
      NumNodeGroups: 1
      # Automatic failover needs at least one replica
      ReplicasPerNodeGroup: !If [IsMultiAZ, 1, 0]
      AutomaticFailoverEnabled: !If [IsMultiAZ, true, false]
      MultiAZEnabled: !If [IsMultiAZ, true, false]
      AtRestEncryptionEnabled: !If [IsEncrypted, true, false]
      TransitEncryptionEnabled: !If [IsEncrypted, true, false]
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
```

```yaml
Conditions:
  IsDev: !Equals [!Ref Environment, development]
  IsStaging: !Equals [!Ref Environment, staging]
  IsProduction: !Equals [!Ref Environment, production]
Resources:
  ReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Environment-sized Redis
      Engine: redis
      # Production gets larger instances
      CacheNodeType: !If [IsProduction, cache.r5.large, cache.t3.micro]
      NumNodeGroups: 1
      # Production gets two replicas with Multi-AZ failover; other environments a single node
      ReplicasPerNodeGroup: !If [IsProduction, 2, 0]
      AutomaticFailoverEnabled: !If [IsProduction, true, false]
      MultiAZEnabled: !If [IsProduction, true, false]
```

Use Transform for macros such as AWS::Serverless (SAM templates).
```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: Serverless application that uses an ElastiCache cluster
Globals:
  Function:
    Timeout: 30
    Runtime: python3.11
Resources:
  CacheFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler
      CodeUri: function/
      # ElastiCache is reached over the VPC network, not through IAM, so the
      # function runs inside the VPC with a security group that the cache
      # security group allows on the cache port. SAM attaches the
      # AWSLambdaVPCAccessExecutionRole managed policy when VpcConfig is set.
      VpcConfig:
        SubnetIds:
          - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
        SecurityGroupIds:
          - !Ref AppSecurityGroup
      Environment:
        Variables:
          CACHE_ENDPOINT: !GetAtt CacheCluster.RedisEndpoint.Address
          CACHE_PORT: !GetAtt CacheCluster.RedisEndpoint.Port
```

```yaml
Outputs:
  CacheClusterId:
    Description: Cache Cluster ID
    Value: !Ref CacheCluster
  CacheClusterEndpoint:
    Description: Cache cluster endpoint address
    Value: !GetAtt CacheCluster.RedisEndpoint.Address
  CacheClusterPort:
    Description: Cache cluster port
    Value: !GetAtt CacheCluster.RedisEndpoint.Port
  CacheClusterArn:
    # AWS::ElastiCache::Cluster exposes no Arn attribute, so build the ARN
    Description: Cache Cluster ARN
    Value: !Sub arn:${AWS::Partition}:elasticache:${AWS::Region}:${AWS::AccountId}:cluster:${CacheCluster}
  CacheNodeType:
    Description: Cache Node Type
    Value: !Ref CacheNodeType
```

Export values so other stacks can import them.
```yaml
Outputs:
  CacheClusterId:
    Description: Cache Cluster ID for other stacks
    Value: !Ref CacheCluster
    Export:
      Name: !Sub ${AWS::StackName}-CacheClusterId
  CacheClusterEndpoint:
    Description: Cache cluster endpoint for application stacks
    Value: !GetAtt CacheCluster.RedisEndpoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-CacheEndpoint
  CacheClusterPort:
    Description: Cache cluster port for application stacks
    Value: !GetAtt CacheCluster.RedisEndpoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-CachePort
  ConnectionString:
    # Fn::Sub cannot reference other outputs; use ${Logical.Attribute} instead.
    # Use the rediss:// scheme when TransitEncryptionEnabled is true.
    Description: Full connection string for applications
    Value: !Sub redis://${CacheCluster.RedisEndpoint.Address}:${CacheCluster.RedisEndpoint.Port}/0
    Export:
      Name: !Sub ${AWS::StackName}-CacheConnectionString
```

```yaml
Parameters:
  CacheClusterId:
    Type: String
    Description: Cache cluster ID from cache stack (no ElastiCache-specific parameter type exists)
  CacheEndpoint:
    Type: String
    Description: Cache cluster endpoint address
Resources:
  ApplicationConfig:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/cache/endpoint
      Value: !Ref CacheEndpoint
      Type: String
```

Create a dedicated cache stack that exports values:
```yaml
# cache-stack.yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Cache infrastructure stack
Parameters:
  EnvironmentName:
    Type: String
    Default: production
  VPCId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnet1:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2:
    Type: AWS::EC2::Subnet::Id
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the application tier allowed to reach the cache
Resources:
  CacheSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: !Sub Subnet group for ${EnvironmentName}
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
  CacheParameterGroup:
    Type: AWS::ElastiCache::ParameterGroup
    Properties:
      Description: Redis parameter group
      Family: redis7
      Parameters:
        maxmemory-policy: allkeys-lru
  CacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cache security group
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        # Only the application security group, never a CIDR, may reach the cache port
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          SourceSecurityGroupId: !Ref AppSecurityGroup
  ReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: !Sub Redis replication for ${EnvironmentName}
      Engine: redis
      CacheNodeType: cache.r5.large
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 1
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref CacheParameterGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
Outputs:
  # Exports are prefixed with the stack name, which is what the application
  # stack below uses to build its import names
  CacheClusterId:
    Value: !Ref ReplicationGroup
    Export:
      Name: !Sub ${AWS::StackName}-CacheClusterId
  CacheEndpoint:
    Value: !GetAtt ReplicationGroup.PrimaryEndPoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-CacheEndpoint
  CachePort:
    Value: !GetAtt ReplicationGroup.PrimaryEndPoint.Port
    Export:
      Name: !Sub ${AWS::StackName}-CachePort
  CacheReaderEndpoint:
    Value: !GetAtt ReplicationGroup.ReaderEndPoint.Address
    Export:
      Name: !Sub ${AWS::StackName}-CacheReaderEndpoint
```

The application stack imports these values:
```yaml
# application-stack.yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Application stack that imports from cache stack
Parameters:
  CacheStackName:
    Type: String
    Description: Name of the cache stack whose exports are imported
    Default: cache-stack
  LambdaRoleArn:
    Type: String
    Description: Execution role ARN (needs AWSLambdaVPCAccessExecutionRole for VPC access)
  PrivateSubnet1:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2:
    Type: AWS::EC2::Subnet::Id
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group the cache stack admits on the cache port
Resources:
  ApplicationConfig:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /app/cache/endpoint
      Type: String
      Value: !ImportValue
        Fn::Sub: ${CacheStackName}-CacheEndpoint
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.11
      Handler: index.handler
      Role: !Ref LambdaRoleArn
      # Placeholder inline code; replace with the real handler package
      Code:
        ZipFile: |
          import os
          def handler(event, context):
              return {"endpoint": os.environ["CACHE_ENDPOINT"], "port": os.environ["CACHE_PORT"]}
      # The function must run inside the VPC to reach the cache
      VpcConfig:
        SubnetIds:
          - !Ref PrivateSubnet1
          - !Ref PrivateSubnet2
        SecurityGroupIds:
          - !Ref AppSecurityGroup
      Environment:
        Variables:
          CACHE_ENDPOINT: !ImportValue
            Fn::Sub: ${CacheStackName}-CacheEndpoint
          CACHE_PORT: !ImportValue
            Fn::Sub: ${CacheStackName}-CachePort
```

A subnet group is required for VPC deployment. It needs at least one subnet; for a Multi-AZ replication group include subnets in at least two Availability Zones so that replicas can be placed apart from the primary.
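Because an Fn::ImportValue that matches no Export only fails at deploy time, it pays to check the naming offline. The following is an added example (not part of the skill): it expands the Export names of a producer stack and the ImportValue names of a consumer stack, both given in CloudFormation's JSON form, and reports imports with no matching export. The stack names, parameter values and the two constructed templates are assumptions; the mismatch it catches is a cache stack that prefixes exports with an environment-name parameter while the consumer prefixes imports with a stack name.

```python
import re
from typing import Any, Dict, List, Tuple

SUB_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve_sub(text: str, stack_name: str, params: Dict[str, str]) -> str:
    """Expand ${AWS::StackName} and ${Param} in a Fn::Sub string.
    Resource attributes (${Logical.Attr}) are unknown before deployment and are kept verbatim."""
    def repl(m):
        name = m.group(1)
        if name == "AWS::StackName":
            return stack_name
        return params.get(name, m.group(0))
    return SUB_VAR.sub(repl, text)


def render_name(node: Any, stack_name: str, params: Dict[str, str]) -> str:
    """Render an Export/ImportValue name: plain string, Ref, Fn::Sub (both forms) or Fn::Join."""
    if isinstance(node, str):
        return node
    if "Ref" in node:
        return resolve_sub("${" + node["Ref"] + "}", stack_name, params)
    if "Fn::Sub" in node:
        sub = node["Fn::Sub"]
        if isinstance(sub, list):  # ["template", {var: value}]
            extra = {k: render_name(v, stack_name, params) for k, v in sub[1].items()}
            return resolve_sub(sub[0], stack_name, {**params, **extra})
        return resolve_sub(sub, stack_name, params)
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(render_name(p, stack_name, params) for p in parts)
    raise ValueError(f"unsupported name expression: {node!r}")


def exports_of(template: Dict[str, Any], stack_name: str, params: Dict[str, str]) -> Dict[str, str]:
    """Export name -> output logical ID."""
    return {render_name(o["Export"]["Name"], stack_name, params): logical
            for logical, o in template.get("Outputs", {}).items() if "Export" in o}


def imports_of(template: Dict[str, Any], stack_name: str, params: Dict[str, str]) -> List[str]:
    """Every Fn::ImportValue name used anywhere under Resources, in document order."""
    found: List[str] = []

    def walk(node):
        if isinstance(node, dict):
            if "Fn::ImportValue" in node:
                found.append(render_name(node["Fn::ImportValue"], stack_name, params))
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(template.get("Resources", {}))
    return found


def unresolved_imports(consumer, consumer_stack, consumer_params,
                       producers: List[Tuple[Dict[str, Any], str, Dict[str, str]]]) -> List[str]:
    """Import names with no matching export across all producer stacks (deduplicated)."""
    available = set()
    for tpl, name, p in producers:
        available.update(exports_of(tpl, name, p))
    missing: List[str] = []
    for imp in imports_of(consumer, consumer_stack, consumer_params):
        if imp not in available and imp not in missing:
            missing.append(imp)
    return missing


# Constructed cache stack whose exports are keyed by an EnvironmentName parameter
CACHE_STACK_BY_ENV = {
    "Parameters": {"EnvironmentName": {"Type": "String", "Default": "production"}},
    "Outputs": {
        "CacheEndpoint": {"Value": {"Fn::GetAtt": ["ReplicationGroup", "PrimaryEndPoint.Address"]},
                          "Export": {"Name": {"Fn::Sub": "${EnvironmentName}-CacheEndpoint"}}},
        "CachePort": {"Value": {"Fn::GetAtt": ["ReplicationGroup", "PrimaryEndPoint.Port"]},
                      "Export": {"Name": {"Fn::Sub": "${EnvironmentName}-CachePort"}}},
    },
}
# The same outputs exported under the stack name instead
CACHE_STACK_BY_NAME = {"Outputs": {k: {**v, "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-" + k}}}
                                   for k, v in CACHE_STACK_BY_ENV["Outputs"].items()}}
# Constructed consumer that builds import names from a CacheStackName parameter
APP_STACK = {
    "Parameters": {"CacheStackName": {"Type": "String", "Default": "cache-stack"}},
    "Resources": {
        "ApplicationConfig": {"Type": "AWS::SSM::Parameter", "Properties": {
            "Name": "/app/cache/endpoint", "Type": "String",
            "Value": {"Fn::ImportValue": {"Fn::Sub": "${CacheStackName}-CacheEndpoint"}}}},
        "LambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {"Environment": {"Variables": {
            "CACHE_ENDPOINT": {"Fn::ImportValue": {"Fn::Sub": "${CacheStackName}-CacheEndpoint"}},
            "CACHE_PORT": {"Fn::ImportValue": {"Fn::Sub": "${CacheStackName}-CachePort"}}}}}},
    },
}


def check(producer=CACHE_STACK_BY_ENV) -> List[str]:
    """Resolve APP_STACK (deployed as app-stack) against the given cache stack deployed as cache-stack."""
    return unresolved_imports(APP_STACK, "app-stack", {"CacheStackName": "cache-stack"},
                              [(producer, "cache-stack", {"EnvironmentName": "production"})])


if __name__ == "__main__":
    print("environment-keyed exports, unresolved:", check())
    print("stack-name-keyed exports, unresolved:", check(CACHE_STACK_BY_NAME))
```

Run it before `aws cloudformation deploy`: the first call reports `cache-stack-CacheEndpoint` and `cache-stack-CachePort` as unresolved because the producer exported `production-CacheEndpoint` and `production-CachePort`; the second call, with exports keyed by `${AWS::StackName}`, reports nothing.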
```yaml
Resources:
  CacheSubnetGroup:
    Type: AWS::ElastiCache::SubnetGroup
    Properties:
      Description: Subnet group for ElastiCache
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
        - !Ref PrivateSubnet3
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-cache-subnet
```

Custom parameter groups for cache configuration.
```yaml
Resources:
  CacheParameterGroup:
    Type: AWS::ElastiCache::ParameterGroup
    Properties:
      Description: Custom parameter group for Redis 7
      Family: redis7
      Parameters:
        # Memory management
        maxmemory-policy: allkeys-lru
        maxmemory-samples: 5
        # Connection settings (seconds; timeout 0 disables idle disconnects)
        timeout: 300
        tcp-keepalive: 300
        # Slow log
        slowlog-log-slower-than: 10000
        slowlog-max-len: 128
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-cache-param
```

```yaml
# Three alternative definitions; a template uses one of them
# For caching with LRU eviction
CacheParameterGroup:
  Type: AWS::ElastiCache::ParameterGroup
  Properties:
    Description: Redis LRU cache config
    Family: redis7
    Parameters:
      maxmemory-policy: allkeys-lru
      maxmemory-samples: 5
# For session storage (evict only keys that carry a TTL)
CacheParameterGroup:
  Type: AWS::ElastiCache::ParameterGroup
  Properties:
    Description: Redis session store config
    Family: redis7
    Parameters:
      maxmemory-policy: volatile-lru
      timeout: 3600
      tcp-keepalive: 60
# For Redis Cluster (cluster mode enabled); quoted so YAML does not turn yes into a boolean
CacheParameterGroup:
  Type: AWS::ElastiCache::ParameterGroup
  Properties:
    Description: Redis Cluster config
    Family: redis7
    Parameters:
      cluster-enabled: "yes"
      timeout: 5000
```

```yaml
Resources:
  MemcachedParameterGroup:
    Type: AWS::ElastiCache::ParameterGroup
    Properties:
      Description: Memcached parameter group
      Family: memcached1.6
      Parameters:
        max_item_size: 10485760
        request_max_size: 2097152
        connection_idle_timeout: 600
```

```yaml
Resources:
  RedisCacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      # The name property is ClusterName (there is no CacheClusterIdentifier)
      ClusterName: redis-standalone
      CacheNodeType: cache.t3.medium
      NumCacheNodes: 1
      Engine: redis
      EngineVersion: "7.0"
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref CacheParameterGroup
      VpcSecurityGroupIds:
        - !Ref CacheSecurityGroup
      AutoMinorVersionUpgrade: true
      # 0 disables automatic backups, so SnapshotWindow has no effect; set it
      # to the number of days to retain daily snapshots. The window is UTC and
      # quoted so YAML keeps it a string.
      SnapshotRetentionLimit: 0
      SnapshotWindow: "05:00-06:00"
```

```yaml
Resources:
  MemcachedCacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      ClusterName: memcached-cluster
      CacheNodeType: cache.m5.large
      NumCacheNodes: 3
      Engine: memcached
      EngineVersion: "1.6"
      # Spread the nodes across Availability Zones
      AZMode: cross-az
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref MemcachedParameterGroup
      VpcSecurityGroupIds:
        - !Ref CacheSecurityGroup
```

```yaml
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      # The name property is ReplicationGroupId (there is no ReplicationGroupIdentifier)
      ReplicationGroupId: redis-replication
      ReplicationGroupDescription: Redis with automatic failover
      Engine: redis
      EngineVersion: "7.0"
      CacheNodeType: cache.r5.large
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 2
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref CacheParameterGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
```

```yaml
Resources:
  RedisClusterReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupId: redis-cluster
      ReplicationGroupDescription: Redis Cluster with data partitioning
      Engine: redis
      EngineVersion: "7.0"
      CacheNodeType: cache.r5.xlarge
      # Three shards, each with one replica; cluster mode needs a parameter
      # group with cluster-enabled set to yes
      NumNodeGroups: 3
      ReplicasPerNodeGroup: 1
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref CacheParameterGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
```

```yaml
Resources:
  CacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for ElastiCache
      VpcId: !Ref VPCId
      GroupName: !Sub ${AWS::StackName}-cache-sg
      SecurityGroupIngress:
        # Admit only the application security group on the cache port; a CIDR
        # rule (and 0.0.0.0/0 in particular) exposes an unauthenticated cache
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          SourceSecurityGroupId: !Ref AppSecurityGroup
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-cache-sg
```

```yaml
Parameters:
  SecondaryReplicationGroupId:
    Type: String
    Description: Name the global datastore gives the replication group it creates in the secondary region
  SecondaryRegion:
    Type: String
    Default: us-west-2
Resources:
  GlobalReplicationGroup:
    Type: AWS::ElastiCache::GlobalReplicationGroup
    Properties:
      GlobalReplicationGroupIdSuffix: global
      GlobalReplicationGroupDescription: Global Redis replication
      # Each member needs a Role; the secondary lives in another region, so it
      # cannot be a !Ref to a resource of this stack
      Members:
        - ReplicationGroupId: !Ref PrimaryReplicationGroup
          ReplicationGroupRegion: !Ref AWS::Region
          Role: PRIMARY
        - ReplicationGroupId: !Ref SecondaryReplicationGroupId
          ReplicationGroupRegion: !Ref SecondaryRegion
          Role: SECONDARY
```

```yaml
Parameters:
  CacheAuthToken:
    Type: String
    NoEcho: true
    Description: Redis AUTH token (16-128 printable ASCII; only ! & # $ ^ < > - as special characters)
    MinLength: 16
    MaxLength: 128
    AllowedPattern: "[A-Za-z0-9!&#$^<>-]+"
Resources:
  # TLS is not a parameter-group setting; parameter groups carry only Redis
  # runtime parameters. Encryption is configured on the cache resource below.
  CacheParameterGroup:
    Type: AWS::ElastiCache::ParameterGroup
    Properties:
      Description: Redis parameter group for the encrypted cache
      Family: redis7
      Parameters:
        maxmemory-policy: allkeys-lru
  CacheSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Encrypted cache security group
      VpcId: !Ref VPCId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 6379
          ToPort: 6379
          SourceSecurityGroupId: !Ref AppSecurityGroup
  # AtRestEncryptionEnabled and AuthToken exist only on ReplicationGroup;
  # AWS::ElastiCache::Cluster rejects them, so an encrypted, authenticated
  # Redis is a replication group even with zero replicas
  CacheReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Redis with encryption and AUTH
      Engine: redis
      CacheNodeType: cache.r5.large
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 0
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      CacheParameterGroupName: !Ref CacheParameterGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
      # Encryption settings; TransitEncryptionEnabled is a prerequisite for AuthToken
      AtRestEncryptionEnabled: true
      TransitEncryptionEnabled: true
      AuthToken: !Ref CacheAuthToken
```

```yaml
Resources:
  # Generate the token inside Secrets Manager instead of passing it as a
  # parameter; the template and the stack parameters never carry the value
  CacheAuthTokenSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub ${AWS::StackName}/elasticache/auth-token
      Description: ElastiCache Redis authentication token
      GenerateSecretString:
        SecretStringTemplate: '{}'
        GenerateStringKey: auth-token
        PasswordLength: 32
        # Redis AUTH tokens allow only ! & # $ ^ < > - as special characters
        ExcludeCharacters: '"%''()*+,./:;=?@[\]_`{|}~'
  CacheReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Redis authenticated from Secrets Manager
      Engine: redis
      CacheNodeType: cache.r5.large
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 0
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
      AtRestEncryptionEnabled: true
      TransitEncryptionEnabled: true
      # Dynamic reference, resolved at deploy time and not stored in the template.
      # Changing the token later requires AuthTokenUpdateStrategy (ROTATE, then SET).
      AuthToken: !Sub '{{resolve:secretsmanager:${CacheAuthTokenSecret}:SecretString:auth-token}}'
```

```yaml
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Multi-AZ Redis with failover
      Engine: redis
      CacheNodeType: cache.r5.large
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 2
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
```

```yaml
Parameters:
  NumCacheNodes:
    Type: Number
    Default: 3
    MinValue: 1
    MaxValue: 20
Resources:
  MemcachedCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      ClusterName: memcached-cluster
      CacheNodeType: cache.m5.xlarge
      NumCacheNodes: !Ref NumCacheNodes
      Engine: memcached
      AZMode: cross-az
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      VpcSecurityGroupIds:
        - !Ref CacheSecurityGroup
```

```yaml
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      ReplicationGroupDescription: Redis with read replicas
      Engine: redis
      CacheNodeType: cache.r5.large
      NumNodeGroups: 1
      ReplicasPerNodeGroup: 3
      AutomaticFailoverEnabled: true
      MultiAZEnabled: true
      CacheSubnetGroupName: !Ref CacheSubnetGroup
      SecurityGroupIds:
        - !Ref CacheSecurityGroup
```

Use AWS-specific parameter types where they exist. CloudFormation validates AWS::EC2::Subnet::Id, AWS::EC2::SecurityGroup::Id and AWS::EC2::VPC::Id against the account at stack creation; there are no ElastiCache-specific types, so node types and subnet group names stay String parameters constrained with AllowedValues or AllowedPattern.
```yaml
Parameters:
  CacheNodeType:
    Type: String
    Description: ElastiCache node type
    AllowedValues: [cache.t3.micro, cache.t3.small, cache.m5.large, cache.r5.large]
  CacheSubnetGroup:
    Type: String
    Description: Cache subnet group name
    AllowedPattern: "[a-zA-Z0-9-]+"
  VpcSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group for cache
```

```yaml
Resources:
  CacheReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      # Encryption at rest (add KmsKeyId to use a customer managed key)
      AtRestEncryptionEnabled: true
      # Encryption in transit (a prerequisite for AuthToken)
      TransitEncryptionEnabled: true
      # Authentication: a NoEcho parameter or a Secrets Manager dynamic reference
      AuthToken: !Ref CacheAuthToken
```

```yaml
Conditions:
  IsProduction: !Equals [!Ref Environment, production]
Resources:
  RedisReplicationGroup:
    Type: AWS::ElastiCache::ReplicationGroup
    Properties:
      AutomaticFailoverEnabled: !If [IsProduction, true, false]
      MultiAZEnabled: !If [IsProduction, true, false]
      ReplicasPerNodeGroup: !If [IsProduction, 2, 1]
```

```yaml
Resources:
  CacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${Environment}-${ApplicationName}-redis
        - Key: Environment
          Value: !Ref Environment
        - Key: Application
          Value: !Ref ApplicationName
        - Key: ManagedBy
          Value: CloudFormation
```

Split rarely changing cache infrastructure from frequently changing application resources (outline only; each resource still needs its Properties):

```yaml
# cache-stack.yaml - rarely changes
AWSTemplateFormatVersion: 2010-09-09
Description: Cache infrastructure (subnet group, parameter group, security group, cache cluster)
Resources:
  # CacheSubnetGroup     -> AWS::ElastiCache::SubnetGroup
  # CacheParameterGroup  -> AWS::ElastiCache::ParameterGroup
  # CacheSecurityGroup   -> AWS::EC2::SecurityGroup
  # CacheCluster         -> AWS::ElastiCache::Cluster
```

```yaml
# application-stack.yaml - changes frequently
AWSTemplateFormatVersion: 2010-09-09
Description: Application resources
Parameters:
  CacheStackName:
    Type: String
Resources:
  # ApplicationConfig    -> AWS::SSM::Parameter (imports the cache stack exports)
```

Use pseudo parameters for region-agnostic templates.
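The encryption, AUTH and security-group settings above are easy to get wrong in ways CloudFormation only reports at deploy time (a property on the wrong resource type) or never reports at all (a literal token, an open ingress rule). The following is an added example, not part of the skill, of a static audit that walks a template in CloudFormation's JSON form and checks those points; it also encodes the Redis AUTH token rules (16 to 128 printable ASCII characters, with only `! & # $ ^ < > -` permitted as special characters) so that a token generated locally or by Secrets Manager can be validated, and derives the matching `ExcludeCharacters` string. The two templates it audits are constructed for the demonstration.

```python
import secrets
import string
from typing import Any, Dict, List

# Redis AUTH token rules enforced by ElastiCache: 16 to 128 printable ASCII
# characters; the only special characters permitted are ! & # $ ^ < > and -
AUTH_ALLOWED = frozenset(string.ascii_letters + string.digits + "!&#$^<>-")
# Everything else in string.punctuation goes into GenerateSecretString.ExcludeCharacters
AUTH_EXCLUDE = "".join(c for c in string.punctuation if c not in AUTH_ALLOWED)


def is_valid_auth_token(token: str) -> bool:
    return 16 <= len(token) <= 128 and all(c in AUTH_ALLOWED for c in token)


def make_auth_token(length: int = 32) -> str:
    """Generate a token locally, for example to seed a NoEcho parameter."""
    alphabet = "".join(sorted(AUTH_ALLOWED))
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Properties that only AWS::ElastiCache::ReplicationGroup accepts
RG_ONLY = {"AtRestEncryptionEnabled", "AuthToken", "AutomaticFailoverEnabled",
           "MultiAZEnabled", "ReplicasPerNodeGroup", "NumNodeGroups"}


def _auth_token_kind(tok: Any, params: Dict[str, Any]) -> str:
    """missing | param (NoEcho) | param-echo | dynamic ({{resolve:...}}) | literal"""
    if tok is None:
        return "missing"
    if isinstance(tok, dict) and "Ref" in tok:
        return "param" if params.get(tok["Ref"], {}).get("NoEcho") is True else "param-echo"
    if isinstance(tok, dict):
        sub = tok.get("Fn::Sub", "")
        tok = sub[0] if isinstance(sub, list) else sub
    return "dynamic" if isinstance(tok, str) and tok.startswith("{{resolve:") else "literal"


def audit(template: Dict[str, Any]) -> List[str]:
    """Return one finding per problem; an empty list means the checks passed."""
    findings: List[str] = []
    params = template.get("Parameters", {})
    for name, res in template.get("Resources", {}).items():
        rtype, p = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::ElastiCache::Cluster":
            bad = sorted(RG_ONLY & p.keys())
            if bad:
                findings.append(f"{name}: {bad} are ReplicationGroup-only properties")
            n = p.get("NumCacheNodes", 1)
            if p.get("Engine") == "redis" and isinstance(n, int) and n != 1:
                findings.append(f"{name}: a Redis Cluster resource must have NumCacheNodes 1")
        elif rtype == "AWS::ElastiCache::ReplicationGroup":
            for flag in ("AtRestEncryptionEnabled", "TransitEncryptionEnabled"):
                if p.get(flag) is not True:
                    findings.append(f"{name}: {flag} is not set to true")
            kind = _auth_token_kind(p.get("AuthToken"), params)
            if kind == "missing" and not p.get("UserGroupIds"):
                findings.append(f"{name}: no AuthToken and no UserGroupIds (unauthenticated Redis)")
            elif kind == "literal":
                findings.append(f"{name}: AuthToken is a literal stored in the template")
            elif kind == "param-echo":
                findings.append(f"{name}: AuthToken parameter {p['AuthToken']['Ref']} lacks NoEcho")
            if p.get("MultiAZEnabled") is True and p.get("AutomaticFailoverEnabled") is not True:
                findings.append(f"{name}: MultiAZEnabled requires AutomaticFailoverEnabled")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in p.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in ("0.0.0.0/0", "::/0"):
                    findings.append(f"{name}: port {rule.get('FromPort')} open to {cidr}; use SourceSecurityGroupId")
    return findings


# Constructed weak template: encryption/AUTH on a Cluster, a replication group
# without at-rest encryption, a token parameter without NoEcho, an open ingress rule
WEAK = {
    "Parameters": {"CacheAuthToken": {"Type": "String"}},
    "Resources": {
        "CacheSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "CidrIp": "0.0.0.0/0"}]}},
        "CacheCluster": {"Type": "AWS::ElastiCache::Cluster", "Properties": {
            "Engine": "redis", "NumCacheNodes": 1, "AtRestEncryptionEnabled": True,
            "AuthToken": {"Ref": "CacheAuthToken"}}},
        "ReplicationGroup": {"Type": "AWS::ElastiCache::ReplicationGroup", "Properties": {
            "Engine": "redis", "TransitEncryptionEnabled": True, "AuthToken": {"Ref": "CacheAuthToken"}}},
    },
}
# Constructed hardened template: token generated in Secrets Manager and pulled by dynamic reference
HARDENED = {
    "Resources": {
        "CacheAuthTokenSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"GenerateSecretString": {
            "SecretStringTemplate": "{}", "GenerateStringKey": "auth-token",
            "PasswordLength": 32, "ExcludeCharacters": AUTH_EXCLUDE}}},
        "CacheSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "SourceSecurityGroupId": {"Ref": "AppSecurityGroup"}}]}},
        "ReplicationGroup": {"Type": "AWS::ElastiCache::ReplicationGroup", "Properties": {
            "Engine": "redis", "AtRestEncryptionEnabled": True, "TransitEncryptionEnabled": True,
            "AutomaticFailoverEnabled": True, "MultiAZEnabled": True,
            "AuthToken": {"Fn::Sub": "{{resolve:secretsmanager:${CacheAuthTokenSecret}:SecretString:auth-token}}"}}},
    },
}

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "weak: clean")
    print(audit(HARDENED) or "hardened: clean")
    print("ExcludeCharacters:", AUTH_EXCLUDE, "| sample token valid:", is_valid_auth_token(make_auth_token()))
```

The audit is deliberately strict about `true`: a flag driven by `Fn::If` is reported so that the reviewer checks the condition that could switch encryption off. `AUTH_EXCLUDE` is the value to paste into `GenerateSecretString.ExcludeCharacters`; it keeps the generated token inside the ElastiCache character set.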
```yaml
Resources:
  CacheCluster:
    Type: AWS::ElastiCache::Cluster
    Properties:
      # Cluster names are 1-50 characters (letters, digits, hyphens); keep the
      # stack name short enough for the combination to fit
      ClusterName: !Sub ${AWS::StackName}-${AWS::Region}
      Tags:
        - Key: Region
          Value: !Ref AWS::Region
        - Key: AccountId
          Value: !Ref AWS::AccountId
```

```bash
# Validate template syntax and intrinsic functions (calls the API, needs credentials)
aws cloudformation validate-template --template-body file://template.yaml
# Use cfn-lint for offline validation of resource properties and values
pip install cfn-lint
cfn-lint template.yaml
# Check against the resource specification of a specific region
cfn-lint template.yaml --region us-east-1
```

Stack policies protect critical resources from unintended updates during stack operations.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "Update:Replace",
        "Update:Delete"
      ],
      "Principal": "*",
      "Resource": "LogicalResourceId/CacheCluster"
    },
    {
      "Effect": "Deny",
      "Action": [
        "Update:Replace",
        "Update:Delete"
      ],
      "Principal": "*",
      "Resource": "LogicalResourceId/ReplicationGroup"
    }
  ]
}
```

Attach the policy at stack creation or with the set-stack-policy API. It only governs updates made through CloudFormation: Update:Modify changes (such as a new NumCacheNodes) still go through, and changes made in the console or by API outside the stack are not prevented, which is what drift detection is for.

Drift detection identifies when the actual infrastructure configuration differs from the CloudFormation template.
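To confirm what a stack policy will and will not block before an update, the decision logic is small enough to reproduce. The following is an added example, not part of the skill: it evaluates the policy above the way CloudFormation does (an explicit Deny overrides Allow, and an action with no matching Allow is denied) for a constructed list of planned update actions. Condition blocks keyed on ResourceType are not modelled.

```python
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List, Tuple

# The stack policy shown above
STACK_POLICY: Dict[str, Any] = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"], "Principal": "*",
         "Resource": "LogicalResourceId/CacheCluster"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"], "Principal": "*",
         "Resource": "LogicalResourceId/ReplicationGroup"},
    ]
}


def _matches(pattern: Any, value: str) -> bool:
    """Action and Resource accept a string or a list of strings, with '*' wildcards."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatchcase(value, p) for p in patterns)


def is_update_allowed(policy: Dict[str, Any], logical_id: str, action: str) -> bool:
    """Deny wins over Allow; with no matching Allow at all the update is denied."""
    resource = f"LogicalResourceId/{logical_id}"
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def review(policy: Dict[str, Any], changes: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Map each planned (logical id, update action) to whether the policy lets it proceed."""
    return {(rid, act): is_update_allowed(policy, rid, act) for rid, act in changes}


# Constructed set of actions an update might need (the actual action for a
# property change is shown by a change set's Replacement column)
PLANNED: List[Tuple[str, str]] = [
    ("CacheCluster", "Update:Modify"),
    ("CacheCluster", "Update:Replace"),
    ("ReplicationGroup", "Update:Delete"),
    ("CacheParameterGroup", "Update:Replace"),
]

if __name__ == "__main__":
    for (rid, act), ok in review(STACK_POLICY, PLANNED).items():
        print(f"{rid:22} {act:16} {'allowed' if ok else 'DENIED'}")
```

The output makes the caveat concrete: the in-place Update:Modify of CacheCluster is allowed while its replacement is denied, and the parameter group, which the policy never mentions, can still be replaced.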
```bash
# Detect drift on the entire stack (asynchronous; returns a detection id)
aws cloudformation detect-stack-drift \
  --stack-name production-elasticache
# Detect drift on specific resources (list arguments are space separated)
aws cloudformation detect-stack-drift \
  --stack-name production-elasticache \
  --logical-resource-ids CacheCluster CacheParameterGroup
# Poll the detection status until it reports DETECTION_COMPLETE
aws cloudformation describe-stack-drift-detection-status \
  --stack-drift-detection-id <detection-id>
# List per-resource drift; this is the call that produces the document below
aws cloudformation describe-stack-resource-drifts \
  --stack-name production-elasticache
```

```json
{
  "StackResourceDrifts": [
    {
      "StackId": "arn:aws:cloudformation:us-east-1:123456789:stack/production-elasticache/...",
      "LogicalResourceId": "CacheCluster",
      "PhysicalResourceId": "production-cache-cluster",
      "ResourceType": "AWS::ElastiCache::Cluster",
      "PropertyDifferences": [
        {
          "PropertyPath": "/NumCacheNodes",
          "ExpectedValue": "3",
          "ActualValue": "2",
          "DifferenceType": "NOT_EQUAL"
        }
      ],
      "StackResourceDriftStatus": "MODIFIED"
    }
  ]
}
```

StackResourceDriftStatus is IN_SYNC, MODIFIED, DELETED or NOT_CHECKED, and PropertyPath is a JSON-pointer style path into the resource's properties. Drift detection compares only the properties CloudFormation manages, so a security group rule added in the console shows up as an ADD difference on SecurityGroupIngress, whereas data written to the cache does not appear at all.
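Reading the drift document by hand does not scale past a few resources, and the differences that matter during an incident (an ingress rule, an encryption flag) are mixed in with capacity changes. The following is an added example, not part of the skill: it parses a describe-stack-resource-drifts document, lists every drifted resource, and pulls out differences on security-relevant properties. The drift document is constructed here with the field names the API returns; the set of watched properties is an assumption to extend for other resource types.

```python
import json
from typing import Any, Dict, List, Tuple

# Property roots whose drift changes the security posture rather than capacity (assumed list)
SECURITY_PROPERTIES: Dict[str, set] = {
    "AWS::ElastiCache::ReplicationGroup": {"AtRestEncryptionEnabled", "TransitEncryptionEnabled",
                                           "AuthToken", "SecurityGroupIds", "UserGroupIds", "KmsKeyId"},
    "AWS::ElastiCache::Cluster": {"VpcSecurityGroupIds", "TransitEncryptionEnabled"},
    "AWS::EC2::SecurityGroup": {"SecurityGroupIngress", "SecurityGroupEgress"},
}

# Constructed describe-stack-resource-drifts output
SAMPLE_DRIFTS = json.dumps({"StackResourceDrifts": [
    {"LogicalResourceId": "CacheCluster", "PhysicalResourceId": "production-cache-cluster",
     "ResourceType": "AWS::ElastiCache::Cluster", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/NumCacheNodes", "ExpectedValue": "3",
                              "ActualValue": "2", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "CacheSecurityGroup", "PhysicalResourceId": "sg-0123456789abcdef0",
     "ResourceType": "AWS::EC2::SecurityGroup", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/1", "DifferenceType": "ADD",
                              "ActualValue": "{\"CidrIp\":\"0.0.0.0/0\",\"FromPort\":6379,\"IpProtocol\":\"tcp\",\"ToPort\":6379}"}]},
    {"LogicalResourceId": "ReplicationGroup", "PhysicalResourceId": "production-redis",
     "ResourceType": "AWS::ElastiCache::ReplicationGroup", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/TransitEncryptionEnabled", "ExpectedValue": "true",
                              "ActualValue": "false", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "CacheParameterGroup", "PhysicalResourceId": "production-params",
     "ResourceType": "AWS::ElastiCache::ParameterGroup", "StackResourceDriftStatus": "IN_SYNC",
     "PropertyDifferences": []},
]})


def triage(drift_json: str) -> Dict[str, List[Any]]:
    """Return {'drifted': [(logical id, status)], 'security': [difference records]}."""
    doc = json.loads(drift_json)
    drifted: List[Tuple[str, str]] = []
    security: List[Dict[str, str]] = []
    for r in doc["StackResourceDrifts"]:
        status = r["StackResourceDriftStatus"]
        if status == "IN_SYNC":
            continue
        drifted.append((r["LogicalResourceId"], status))
        watched = SECURITY_PROPERTIES.get(r["ResourceType"], set())
        for d in r.get("PropertyDifferences", []):
            root = d["PropertyPath"].split("/")[1]  # "/SecurityGroupIngress/1" -> "SecurityGroupIngress"
            if root in watched:
                security.append({"resource": r["LogicalResourceId"], "path": d["PropertyPath"],
                                 "change": d["DifferenceType"],
                                 "expected": d.get("ExpectedValue", ""), "actual": d.get("ActualValue", "")})
    return {"drifted": drifted, "security": security}


if __name__ == "__main__":
    report = triage(SAMPLE_DRIFTS)
    for rid, status in report["drifted"]:
        print(f"{status:9} {rid}")
    for s in report["security"]:
        print(f"SECURITY  {s['resource']} {s['path']} {s['change']}: {s['expected']!r} -> {s['actual']!r}")
```

In the sample the capacity change on CacheCluster is listed but not escalated, while the added 0.0.0.0/0 ingress rule and TLS being switched off on the replication group are surfaced as the two findings to act on first; the same function can be fed the real output of `aws cloudformation describe-stack-resource-drifts`.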