Valkey Serverless Cache (Redis Compatible)
This module is an opinionated implementation of AWS elasticache, it opts for serveless and valkey.
Valkey is a Redis-compatible.
User & Password Creation
Exactly one of existing_password_parameter_name or create_password_parameter must be chosen. A built-in validation rule enforces this.
High-level flow
┌───────────────────────┐
│ Input variables │
└──────────┬────────────┘
│
┌─────────────────▼─────────────────┐
│ Choose password source │
│ • existing_password_parameter_name│
│ • create_password_parameter │
└──────────┬────────────────────────┘
│
┌───────▼────────┐ ┌────────────────┐
│ Read SSM param │ │ Generate new │
│ (existing) │ │ password & SSM │
└───────┬────────┘ │ parameter │
│ └───────┬────────┘
│ │
└────────────┬────────────────┘
│
┌──────────▼─────────┐
│ Provision Valkey │
│ user with password │
└────────────────────┘
Behavior details
- Re-use an existing password
- If is supplied, the module fetches that SecureString directly from AWS Systems Manager Parameter Store.
- Create a new password automatically
- Set
create_password_parameter = true(and leave unset). - A 36-character random password is generated (only alphanumeric characters to stay Redis-compatible).
- The password is stored as a new SecureString in Parameter Store.
- Valkey user
- One Valkey user is created per cache instance.
- "default" is the default username.
Route 53 Record (Optional)
| Variable | Type | Default | Description |
|---|---|---|---|
create_record |
bool | false |
Set to true to create a DNS record. |
internal_zone_name |
string | null |
Name of a private Route 53 hosted zone (e.g. corp.local). |
| Behaviour: | |||
1. When create_record = true, the module looks up the private hosted zone whose name matches . internal_zone_name |
|||
| 2. It then creates a CNAME record named | |||
| which points to the cache’s primary endpoint. | |||
| 1. TTL is set to 30 seconds for quick fail-over in the unlikely event that AWS changes the cache endpoint. |
If create_record = false the DNS portion is skipped entirely.
Default Capacity Limits
Both limits are meant to give “sane defaults” that keep costs predictable in most dev or small-prod scenarios, while still allowing bursts.
| Limit | Variable | Default | Unit |
|---|---|---|---|
| Maximum cache size | max_cache_size_in_gb |
10 | GB |
| Maximum ECPU per second | max_ecpu_per_second |
10 000 | ECPU |
| You can raise or lower these numbers to match your workload without replacing the cache; the service will enforce the new ceilings at runtime. |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application_security_group_ids | The application security group IDs | list(string) |
n/a | yes |
| create | Whether to create the Valkey cache | bool |
true |
no |
| create_password_parameter | Whether to create a new password parameter in Parameter Store | bool |
false |
no |
| create_record | Whether to create a Route 53 record for the Valkey cache | bool |
false |
no |
| existing_password_parameter_name | The name of the parameter in Parameter Store that contains the password for the Valkey cache | string |
null |
no |
| internal_zone_name | Name of the internal Route 53 zone to create the internal CNAME record in | string |
null |
no |
| kms_key_id | Optional KMS key ID for encryption | string |
null |
no |
| max_cache_size_in_gb | The maximum cache size in GB | number |
10 |
no |
| max_ecpu_per_second | The maximum ECPU per second | number |
10000 |
no |
| name_prefix | The name prefix for the resources | string |
n/a | yes |
| password_parameter_path | The path for the new password parameter in Parameter Store | string |
"/valkey/cache/password" |
no |
| subnet_ids | The database subnet IDs | list(string) |
n/a | yes |
| vpc_id | The database VPC ID | string |
n/a | yes |
Outputs
| Name | Description |
|---|---|
| endpoint | The endpoint of the Valkey cache |
| internal_endpoint | The alias hostname for the Valkey cache |
| password_parameter | The name of the password parameter in Parameter Store |
| port | The port of the Valkey cache |
| security_group_id | The security group ID for the Valkey cache |
| user_id | The user ID for the Valkey cache |