AWS Amazon DocumentDB Cluster
This page shows how to write Terraform and CloudFormation for Amazon DocumentDB Cluster and write them securely.
aws_docdb (Terraform)
The Cluster in Amazon DocumentDB can be configured in Terraform with the resource name aws_docdb
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Security Best Practices for aws_docdb
There is 1 setting in aws_docdb that should be taken care of for security reasons. The following section explain an overview and example code.
Ensure AWS DocumentDB logging is enabled
It is better to enable AWS DocumentDB logging for auditing and following compliance requirements.
Parameters
For more detailed documentation about each argument, refer to the AWS official documentation.
The following arguments are supported:
apply_immediately
- (Optional) Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default isfalse
.availability_zones
- (Optional) A list of EC2 Availability Zones that instances in the DB cluster can be created in.backup_retention_period
- (Optional) The days to retain backups for. Default1
cluster_identifier_prefix
- (Optional, Forces new resource) Creates a unique cluster identifier beginning with the specified prefix. Conflicts withcluster_identifier
.cluster_identifier
- (Optional, Forces new resources) The cluster identifier. If omitted, Terraform will assign a random, unique identifier.db_subnet_group_name
- (Optional) A DB subnet group to associate with this DB instance.db_cluster_parameter_group_name
- (Optional) A cluster parameter group to associate with the cluster.deletion_protection
- (Optional) A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled.enabled_cloudwatch_logs_exports
- (Optional) List of log types to export to cloudwatch. If omitted, no logs will be exported. The following log types are supported:audit
,profiler
.engine_version
- (Optional) The database engine version. Updating this argument results in an outage.engine
- (Optional) The name of the database engine to be used for this DB cluster. Defaults todocdb
. Valid Values:docdb
final_snapshot_identifier
- (Optional) The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made.kms_key_id
- (Optional) The ARN for the KMS encryption key. When specifyingkms_key_id
,storage_encrypted
needs to be set to true.master_password
- (Required unless asnapshot_identifier
is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the DocDB Naming Constraints.master_username
- (Required unless asnapshot_identifier
is provided) Username for the master DB user.port
- (Optional) The port on which the DB accepts connectionspreferred_backup_window
- (Optional) The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.Time in UTC Default: A 30-minute window selected at random from an 8-hour block of time per regionE.g., 04:00-09:00preferred_maintenance_window
- (Optional) The weekly time range during which system maintenance can occur, in (UTC) e.g., wed:04:00-wed:04:30skip_final_snapshot
- (Optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value fromfinal_snapshot_identifier
. Default isfalse
.snapshot_identifier
- (Optional) Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot.storage_encrypted
- (Optional) Specifies whether the DB cluster is encrypted. The default isfalse
.tags
- (Optional) A map of tags to assign to the DB cluster. If configured with a providerdefault_tags
configuration block present, tags with matching keys will overwrite those defined at the provider-level.vpc_security_group_ids
- (Optional) List of VPC security groups to associate with the Cluster
In addition to all arguments above, the following attributes are exported:
arn
- Amazon Resource Name (ARN) of clustercluster_members
– List of DocDB Instances that are a part of this clustercluster_resource_id
- The DocDB Cluster Resource IDendpoint
- The DNS address of the DocDB instancehosted_zone_id
- The Route53 Hosted Zone ID of the endpointid
- The DocDB Cluster Identifierreader_endpoint
- A read-only endpoint for the DocDB cluster, automatically load-balanced across replicastags_all
- A map of tags assigned to the resource, including those inherited from the providerdefault_tags
configuration block.
Explanation in Terraform Registry
Manages a DocDB Cluster. Changes to a DocDB Cluster can occur when you manually change a parameter, such as
port
, and are reflected in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because a modification has not yet taken place. You can use theapply_immediately
flag to instruct the service to apply the change immediately (see documentation below).Note: using
apply_immediately
can result in a brief downtime as the server reboots. Note: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state.
AWS::DocDB::DBCluster (CloudFormation)
The DBCluster in DocDB can be configured in CloudFormation with the resource name AWS::DocDB::DBCluster
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
-
StorageEncrypted
optional - Boolean -
EngineVersion
optional - String -
KmsKeyId
optional - String -
AvailabilityZones
optional - List -
SnapshotIdentifier
optional - String -
Port
optional - Integer -
DBClusterIdentifier
optional - String -
PreferredMaintenanceWindow
optional - String -
DBSubnetGroupName
optional - String -
DeletionProtection
optional - Boolean -
PreferredBackupWindow
optional - String -
MasterUserPassword
required - String -
VpcSecurityGroupIds
optional - List -
MasterUsername
required - String -
DBClusterParameterGroupName
optional - String -
BackupRetentionPeriod
optional - Integer -
Tags
optional - List of Tag -
EnableCloudwatchLogsExports
optional - List
Explanation in CloudFormation Registry
The
AWS::DocDB::DBCluster
Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine. For more information, see DBCluster in the Amazon DocumentDB Developer Guide.