fix(aws): use memcached for sessions

Switch to using memcached backend for session manager in AWS deployment.

- Rename "rds" stack to "support" to reflect the more general nature of
  the stack. Up to this point, it has solely been used for the RDS
  instances (and the sentinel which is needed for initializing the RDS
  instance). However the intent is to use it for anything that needs to
  exist prior to deploying services (e.g. because services'
  configuration needs to reflect it).
- Add an ElastiCache instance to the support stack. This is the AWS'
  caching services (kinda like what RDS is to MySQL/Postgres, this is to
  reddis/memcached).
- Change services configuration to use the ElastiCache instance for
  session management.

This fixes a problem when there is more than one verification instance
active behind the load balancer. It is possible (and, in fact, likely)
that the session creation request and the subsequent attestation request
go to different instances. When using local session cache, the second
instance won't have the session created on the first, resulting in an
error.

Signed-off-by: Sergei Trofimov <[email protected]>

Author: setrofim

deployments/aws/bin/veraison

@@ -844,6 +844,7 @@ class CreateSupportStackCommand(BaseCommand):
 
         vpc_cidr = command_get_config(self, 'vpc-cidr')
         admin_cidr = command_get_config(self, 'admin-cidr')
+        region = command_get_config(self, 'region')
         key_name = command_get(self, 'key.name', 'a key pair been created')
         vpc_id = command_get(self, 'vpc.vpc-id', 'VPC stack been created')
         dns_name = command_get_config(self, 'dns-name')
@@ -876,6 +877,7 @@ class CreateSupportStackCommand(BaseCommand):
             {'ParameterKey': 'HostedZoneId', 'ParameterValue': hz_id},
             {'ParameterKey': 'SentinelImage', 'ParameterValue': sentinel_image},
             {'ParameterKey': 'AdminCidr', 'ParameterValue': admin_cidr},
+            {'ParameterKey': 'Region', 'ParameterValue': region},
         ]
 
         command_create_stack(cmd, args.deployment_name, 'support',
@@ -1076,6 +1078,8 @@ class CreateServicesImageCommand(BaseCommand):
         os.environ['KEYCLOAK_PORT'] = str(ports['keycloak'])
         os.environ['CW_LOG_RETENTION_DAYS'] = str(retention_days)
         os.environ['MAX_STORE_CONNECTIONS'] = str(total_max_conn // (3 * scaling['max-size'])) # pyright: ignore
+        os.environ['ELASTICACHE_ADDRESS'] = support['elasti-cache-config-address']
+        os.environ['ELASTICACHE_PORT'] = support['elasti-cache-config-port']
 
         config_path = command_instantiate_template(
                 self, args.deployment_name, args.services_config_template,

deployments/aws/templates/services-config.yaml.template

@@ -49,4 +49,9 @@ auth:
    backend: keycloak
    host: keycloak.${VERAISON_AWS_DNS_NAME}
    port: ${KEYCLOAK_PORT}
+sessionmanager:
+  backend: memcached
+  memcached:
+    servers:
+      - ${ELASTICACHE_ADDRESS}:${ELASTICACHE_PORT}
 # vim: set ft=yaml:

deployments/aws/templates/stack-support.yaml

@@ -67,6 +67,18 @@ Parameters:
   AdminCidr:
     Type: String
     Description: CIDR to used to configure remote access
+  Region:
+    Type: String
+    Description: |
+      AWS Region into which Veraison will be deployed
+  CacheNodeType:
+    Type: String
+    Default: cache.t2.micro
+  NumCacheNodes:
+    Type: Number
+    Default: 2
+    Description: |
+      Number of nodes that will be created in the cache cluster.
 
 Resources:
   RdsSubnetGroup:
@@ -148,11 +160,65 @@ Resources:
     Properties:
       HostedZoneId: !Ref HostedZoneId
       Name: !Join [ ".", [ !Ref SentinelSubdomainName , !Ref ParentDomain ] ]
-      ResourceRecords: 
+      ResourceRecords:
         - !GetAtt SentinelInstance.PublicDnsName
       TTL: 900
       Type: CNAME
-        
+
+  ElastiCacheIAMRole:
+    Type: AWS::IAM::ServiceLinkedRole
+    Properties:
+      AWSServiceName: elasticache.amazonaws.com
+      Description: Service-linked role for ElastiCache to access the deployment
+
+  ElastiCacheSubnetGroup:
+    Type: 'AWS::ElastiCache::SubnetGroup'
+    DependsOn: ElastiCacheIAMRole
+    Properties:
+      CacheSubnetGroupName: VeraisonCacheSubnetGroup
+      Description: ElastiCache cluster will be created across these subnets
+      SubnetIds: !Split [",", !Ref RdsSubnets]
+      Tags:
+        - Key: veraison-deployment
+          Value: !Ref DeploymentName
+
+  ElastiCacheSecurityGroup:
+    Type: 'AWS::EC2::SecurityGroup'
+    Properties:
+      GroupDescription: ElastiCache Security Group
+      VpcId: !Ref VpcId
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 11211
+          ToPort: 11211
+          CidrIp: !Ref SubnetCidr
+      Tags:
+        - Key: veraison-deployment
+          Value: !Ref DeploymentName
+
+  ElastiCacheCluster:
+    Type: 'AWS::ElastiCache::CacheCluster'
+    DependsOn: ElastiCacheSubnetGroup
+    Properties:
+      AZMode: cross-az
+      CacheSubnetGroupName: VeraisonCacheSubnetGroup
+      PreferredAvailabilityZones:
+        - !Select
+          - 0
+          - !GetAZs
+            Ref: Region
+        - !Select
+          - 1
+          - !GetAZs
+            Ref: Region
+      Engine: memcached
+      CacheNodeType: !Ref CacheNodeType
+      NumCacheNodes: !Ref NumCacheNodes
+      VpcSecurityGroupIds:
+        - !GetAtt ElastiCacheSecurityGroup.GroupId
+      Tags:
+        - Key: veraison-deployment
+          Value: !Ref DeploymentName
 
 Outputs:
   InstanceId:
@@ -170,3 +236,12 @@ Outputs:
   SentinelDnsName:
     Description: DNS name of the sentinel instance
     Value: !Join [ ".", [ !Ref SentinelSubdomainName , !Ref ParentDomain ] ]
+  ElastiCacheClusterId:
+    Description: ID of the ElastiCache cluster
+    Value: !Ref ElastiCacheCluster
+  ElastiCacheConfigAddress:
+    Description: Address of ElastiCache cluster's configuration endpoint
+    Value: !GetAtt ElastiCacheCluster.ConfigurationEndpoint.Address
+  ElastiCacheConfigPort:
+    Description: Port of ElastiCache cluster's configuration endpoint
+    Value: !GetAtt ElastiCacheCluster.ConfigurationEndpoint.Port