AWS Amazon DocumentDB Cluster
This page shows how to write Terraform and CloudFormation for Amazon DocumentDB Cluster and write them securely.
The Cluster in Amazon DocumentDB can be configured in Terraform with the resource name aws_docdb. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Security Best Practices for aws_docdb
There is 1 setting in aws_docdb that should be taken care of for security reasons. The following section gives an overview and example code.
Ensure AWS DocumentDB logging is enabled
Enable AWS DocumentDB logging so that database activity can be audited and compliance requirements can be met.
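The following Terraform configuration is an added example written for this page; it is not code from the original page or from the Terraform registry. It shows the full resource type aws_docdb_cluster with the logging export enabled, together with the other security-relevant arguments listed below (encryption at rest with a customer-managed key, deletion protection, backups and a final snapshot). All names, the engine version, the subnet and security group variables, and the password variable are assumptions chosen for the example.

```hcl
# Added example, not taken from the original page or the Terraform registry docs.
# Assumed names: the cluster, parameter group and subnet group identifiers, and the
# variables holding the password, subnet IDs and security group IDs are placeholders.

variable "docdb_master_password" {
  type      = string
  sensitive = true # hidden in plan/apply output; still written to state in plain text
}

variable "private_subnet_ids" {
  type = list(string)
}

variable "docdb_security_group_ids" {
  type = list(string)
}

resource "aws_kms_key" "docdb" {
  description         = "Customer-managed key for DocumentDB storage encryption"
  enable_key_rotation = true
}

resource "aws_docdb_subnet_group" "example" {
  name       = "example-docdb-subnets"
  subnet_ids = var.private_subnet_ids
}

# Exporting the audit and profiler log types only delivers data if the matching
# cluster parameters are enabled, so they are set in a dedicated parameter group.
resource "aws_docdb_cluster_parameter_group" "example" {
  name   = "example-docdb-params"
  family = "docdb5.0"

  parameter {
    name  = "audit_logs"
    value = "enabled"
  }

  parameter {
    name  = "profiler"
    value = "enabled"
  }

  parameter {
    name  = "tls"
    value = "enabled"
  }
}

resource "aws_docdb_cluster" "example" {
  cluster_identifier = "example-docdb"
  engine             = "docdb"
  engine_version     = "5.0.0"

  master_username = "docdbadmin"
  master_password = var.docdb_master_password

  # The best-practice item on this page: export logs to CloudWatch.
  enabled_cloudwatch_logs_exports = ["audit", "profiler"]
  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.example.name

  # Encryption at rest; kms_key_id requires storage_encrypted = true.
  storage_encrypted = true
  kms_key_id        = aws_kms_key.docdb.arn

  # Backups and deletion safeguards.
  backup_retention_period   = 7
  preferred_backup_window   = "04:00-05:00"
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "example-docdb-final"

  # Network placement.
  db_subnet_group_name   = aws_docdb_subnet_group.example.name
  vpc_security_group_ids = var.docdb_security_group_ids
  port                   = 27017

  # Apply changes in the maintenance window rather than immediately,
  # avoiding the reboot-induced downtime described for apply_immediately.
  apply_immediately = false

  tags = {
    Environment = "example"
  }
}
```

Marking the password variable as sensitive keeps it out of console output, but as the page notes, every argument including master_password is still written to the raw state file, so the state backend itself must be access-controlled and encrypted.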
For more detailed documentation about each argument, refer to the AWS official documentation.
The following arguments are supported:
apply_immediately - (Optional) Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is
availability_zones - (Optional) A list of EC2 Availability Zones that instances in the DB cluster can be created in.
backup_retention_period - (Optional) The number of days to retain backups for. Default
cluster_identifier_prefix - (Optional, Forces new resource) Creates a unique cluster identifier beginning with the specified prefix. Conflicts with cluster_identifier.
cluster_identifier - (Optional, Forces new resource) The cluster identifier. If omitted, Terraform will assign a random, unique identifier.
db_subnet_group_name - (Optional) A DB subnet group to associate with this DB instance.
db_cluster_parameter_group_name - (Optional) A cluster parameter group to associate with the cluster.
deletion_protection - (Optional) A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled.
enabled_cloudwatch_logs_exports - (Optional) List of log types to export to CloudWatch. If omitted, no logs will be exported. The following log types are supported:
engine_version - (Optional) The database engine version. Updating this argument results in an outage.
engine - (Optional) The name of the database engine to be used for this DB cluster. Defaults to docdb. Valid Values:
final_snapshot_identifier - (Optional) The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made.
kms_key_id - (Optional) The ARN for the KMS encryption key. When specifying kms_key_id, storage_encrypted needs to be set to true.
master_password - (Required unless a snapshot_identifier is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the DocDB Naming Constraints.
master_username - (Required unless a snapshot_identifier is provided) Username for the master DB user.
port - (Optional) The port on which the DB accepts connections.
preferred_backup_window - (Optional) The daily time range during which automated backups are created if automated backups are enabled using the backup_retention_period parameter. Time in UTC. Default: a 30-minute window selected at random from an 8-hour block of time per region. E.g., 04:00-09:00
preferred_maintenance_window - (Optional) The weekly time range during which system maintenance can occur, in UTC, e.g., wed:04:00-wed:04:30
skip_final_snapshot - (Optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is
snapshot_identifier - (Optional) Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot.
storage_encrypted - (Optional) Specifies whether the DB cluster is encrypted. The default is
tags - (Optional) A map of tags to assign to the DB cluster. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.
vpc_security_group_ids - (Optional) List of VPC security groups to associate with the cluster.
In addition to all arguments above, the following attributes are exported:
arn - Amazon Resource Name (ARN) of the cluster
cluster_members - List of DocDB instances that are a part of this cluster
cluster_resource_id - The DocDB Cluster Resource ID
endpoint - The DNS address of the DocDB instance
hosted_zone_id - The Route53 Hosted Zone ID of the endpoint
id - The DocDB Cluster Identifier
reader_endpoint - A read-only endpoint for the DocDB cluster, automatically load-balanced across replicas
tags_all - A map of tags assigned to the resource, including those inherited from the provider
Explanation in Terraform Registry
Manages a DocDB Cluster. Changes to a DocDB Cluster can occur when you manually change a parameter, such as port, and are reflected in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because a modification has not yet taken place. You can use the apply_immediately flag to instruct the service to apply the change immediately (see documentation below). apply_immediately can result in a brief downtime as the server reboots. Note: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state.
The DBCluster in DocDB can be configured in CloudFormation with the resource name AWS::DocDB::DBCluster. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
StorageEncrypted (optional) - Boolean
EngineVersion (optional) - String
KmsKeyId (optional) - String
AvailabilityZones (optional) - List
SnapshotIdentifier (optional) - String
Port (optional) - Integer
DBClusterIdentifier (optional) - String
PreferredMaintenanceWindow (optional) - String
DBSubnetGroupName (optional) - String
DeletionProtection (optional) - Boolean
PreferredBackupWindow (optional) - String
MasterUserPassword (required) - String
VpcSecurityGroupIds (optional) - List
MasterUsername (required) - String
DBClusterParameterGroupName (optional) - String
BackupRetentionPeriod (optional) - Integer
Tags (optional) - List of Tag
EnableCloudwatchLogsExports (optional) - List
Explanation in CloudFormation Registry
The AWS::DocDB::DBCluster Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster. Amazon DocumentDB is a fully managed, MongoDB-compatible document database engine. For more information, see DBCluster in the Amazon DocumentDB Developer Guide.