AWS DynamoDB Global Table

This page shows how to write Terraform and CloudFormation for DynamoDB Global Table and write them securely.

aws_dynamodb_global_table (Terraform)

The Global Table in DynamoDB can be configured in Terraform with the resource name aws_dynamodb_global_table. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

dynamodb.tf#L1
resource "aws_dynamodb_global_table" "harryStamper" {
  # The regional tables must exist before the global table is layered on top of them
  depends_on = [aws_dynamodb_table.harryStamper-eu-west-1, aws_dynamodb_table.harryStamper-eu-central-1]
  provider   = aws.eu-west-1
  name       = "harryStamper"

  # One replica per region that holds a regional table of the same name
  replica { region_name = "eu-west-1" }
  replica { region_name = "eu-central-1" }
}

main.tf#L43
resource "aws_dynamodb_global_table" "myTable" {
  depends_on = [aws_dynamodb_table.us-east-1, aws_dynamodb_table.us-west-2]
  name       = "myTable"
  provider   = aws.us-east-1

  # One replica per region named in depends_on
  replica { region_name = "us-east-1" }
  replica { region_name = "us-west-2" }
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages DynamoDB Global Tables V1 (version 2017.11.29). These are layered on top of existing DynamoDB Tables.

NOTE: To instead manage DynamoDB Global Tables V2 (version 2019.11.21), use the replica configuration block of the aws_dynamodb_table resource. Note: There are many restrictions you must satisfy before you can create DynamoDB Global Tables in multiple regions. See the AWS DynamoDB Global Table Requirements for more information.

Tips: Best Practices for The Other AWS DynamoDB Resources

In addition to aws_dynamodb_table, AWS DynamoDB has other resources that should be configured with security in mind. Please check the examples of those resources and the precautions below.

aws_dynamodb_table

Ensure that point-in-time recovery is enabled for the DynamoDB table

It is better to enable point-in-time recovery for the DynamoDB table. It lets you restore data that was modified or deleted, whether maliciously or accidentally.
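As an added example (not code from the page's GitHub sources), here are the two regional tables that a V1 global table is layered on, each with point-in-time recovery enabled, followed by the global table that joins them; the provider aliases aws.eu_west_1 and aws.eu_central_1, the table name orders and the key order_id are assumptions:

```hcl
# Added example, not from the page's GitHub sources. Assumes provider aliases
# aws.eu_west_1 and aws.eu_central_1 are declared elsewhere in the module.
# Regional tables behind a V1 global table must share name and key schema and
# have streams enabled with NEW_AND_OLD_IMAGES.
resource "aws_dynamodb_table" "eu_west_1" {
  provider         = aws.eu_west_1
  name             = "orders"
  billing_mode     = "PAY_PER_REQUEST"
  hash_key         = "order_id"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  attribute {
    name = "order_id"
    type = "S"
  }

  # Point-in-time recovery lets you restore the table to any second in the
  # retention window, undoing malicious or accidental writes and deletes.
  point_in_time_recovery {
    enabled = true
  }
}

resource "aws_dynamodb_table" "eu_central_1" {
  provider         = aws.eu_central_1
  name             = "orders"
  billing_mode     = "PAY_PER_REQUEST"
  hash_key         = "order_id"
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  attribute {
    name = "order_id"
    type = "S"
  }

  # Each replica needs its own backup setting; the global table does not
  # propagate it.
  point_in_time_recovery {
    enabled = true
  }
}

resource "aws_dynamodb_global_table" "orders" {
  provider   = aws.eu_west_1
  name       = "orders"
  depends_on = [aws_dynamodb_table.eu_west_1, aws_dynamodb_table.eu_central_1]
  replica { region_name = "eu-west-1" }
  replica { region_name = "eu-central-1" }
}
```

Enabling recovery on only one region's table leaves the other replica unprotected, so review each regional aws_dynamodb_table rather than the aws_dynamodb_global_table resource alone.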

Review your AWS DynamoDB settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud can check that your .tf files cover them.

AWS::DynamoDB::GlobalTable (CloudFormation)

The GlobalTable in DynamoDB can be configured in CloudFormation with the resource name AWS::DynamoDB::GlobalTable. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found on GitHub.

Parameters

Explanation in CloudFormation Registry

The AWS::DynamoDB::GlobalTable resource enables you to create and manage a Version 2019.11.21 global table. This resource cannot be used to create or manage a Version 2017.11.29 global table.

Important: You cannot convert a resource of type AWS::DynamoDB::Table into a resource of type AWS::DynamoDB::GlobalTable by changing its type in your template. Doing so might result in the deletion of your DynamoDB table.

You should be aware of the following behaviors when working with DynamoDB global tables.

  • The IAM Principal executing the stack operation must have the permissions listed below in all regions where you plan to have a global table replica. The IAM Principal's permissions should not have restrictions based on IP source address. Some global tables operations (for example, adding a replica) are asynchronous, and require that the IAM Principal is valid until they complete. You should not delete the Principal (user or IAM role) until CloudFormation has finished updating your stack.
    • dynamodb:CreateTable, dynamodb:UpdateTable, dynamodb:DeleteTable, dynamodb:DescribeContinuousBackups, dynamodb:DescribeContributorInsights, dynamodb:DescribeTable, dynamodb:DescribeTableReplicaAutoScaling, dynamodb:DescribeTimeToLive, dynamodb:ListTables, dynamodb:UpdateTimeToLive, dynamodb:UpdateContributorInsights, dynamodb:UpdateContinuousBackups, dynamodb:ListTagsOfResource, dynamodb:TagResource, dynamodb:UntagResource, dynamodb:BatchWriteItem, dynamodb:CreateTableReplica, dynamodb:DeleteItem, dynamodb:DeleteTableReplica, dynamodb:DisableKinesisStreamingDestination, dynamodb:EnableKinesisStreamingDestination, dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan, dynamodb:UpdateItem, dynamodb:UpdateTableReplicaAutoScaling
    • iam:CreateServiceLinkedRole
    • kms:CreateGrant, kms:DescribeKey
    • application-autoscaling:DeleteScalingPolicy, application-autoscaling:DeleteScheduledAction, application-autoscaling:DeregisterScalableTarget, application-autoscaling:DescribeScalingPolicies, application-autoscaling:DescribeScalableTargets, application-autoscaling:PutScalingPolicy, application-autoscaling:PutScheduledAction, application-autoscaling:RegisterScalableTarget
  • When using provisioned billing mode, CloudFormation will create an auto scaling policy on each of your replicas to control their write capacities. You must configure this policy using the WriteProvisionedThroughputSettings property. CloudFormation will ensure that all replicas have the same write capacity auto scaling property. You cannot directly specify a value for write capacity for a global table.
  • If your table uses provisioned capacity, you must configure auto scaling directly in the AWS::DynamoDB::GlobalTable resource. You should not configure additional auto scaling policies on any of the table replicas or global secondary indexes, either via API or via AWS::ApplicationAutoScaling::ScalableTarget or AWS::ApplicationAutoScaling::ScalingPolicy. Doing so might result in unexpected behavior and is unsupported.
  • In AWS CloudFormation, each global table is controlled by a single stack, in a single region, regardless of the number of replicas. When you deploy your template, CloudFormation will create/update all replicas as part of a single stack operation. You should not deploy the same AWS::DynamoDB::GlobalTable resource in multiple regions. Doing so will result in errors, and is unsupported. If you deploy your application template in multiple regions, you can use conditions to only create the resource in a single region. Alternatively, you can choose to define your AWS::DynamoDB::GlobalTable resources in a stack separate from your application stack, and make sure it is only deployed to a single region.

Frequently asked questions

What is AWS DynamoDB Global Table?

AWS DynamoDB Global Table is a resource for DynamoDB of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS DynamoDB Global Table?

For Terraform, the leslieonline1/harry-stamper and arthurngatat/Tia-first-copy source code examples are useful. See the Terraform Example section for further details.