Amazon DocumentDB (with MongoDB Compatibility)

Terraform module to provision an instance based cluster, Amazon DocumentDB (with MongoDB Compatibility).

An instance based cluster can scale the databases to millions of reads per second and up to 128 TiB of storage capacity.

Table of Contents:

• Amazon DocumentDB (with MongoDB Compatibility)
  • Important Notes
    • Cluster Access
    • Amazon DocumentDB Quotas and Limits
  • Usage
  • Requirements
  • Providers
  • Modules
  • Resources
  • Inputs
  • Outputs

Important Notes

• The cluster admin user name (cluster_master_username input variable) must be from 1 to 63 letters or numbers. The first character must be a letter and cannot be a reserved word.

• The cluster master password (cluster_master_password input variable) be at least eight characters long and cannot contain a / (slash), " (double quote) or @ (at symbol). If not value is set for the password, a random password will be generated. Optionally you can store the provided/generated password in AWS SSM Parameter Store (save_cluster_master_password_ssm_params=true) and/or AWS Secrets (save_cluster_master_password_aws_secrets); the password will be available at /documentdb/<CLUSTER_NAME>/CLUSTER_MASTER_PASSWORD key.

• All resources with tags support, will be tagged with the following tags as default:

  • Terraform: indicates the resources is managed by Terraform. Value true.
  • TerraformWorkspace: indicates the current Terraform's workspace. If no worksapce is used, the value is default.
  • Environment: indicates the name of the environment to which the resource belongs. The value is taken from the environment input variable.

  Additional tags can be defined by setting the tags input variable, e.g.:

  tags = {
    Project = "MyProject"
    TerraformModule = "documentdb_cluster"
  }

Cluster Access

This module attach a Security Group to the DocumentDB only allowing traffic within the Security Group itself. To allow others Security Group to access to the cluster, set the cluster_allowed_security_groups_id input parameter.

Amazon DocumentDB Quotas and Limits

For the resource quotas, limits, and naming constraints for Amazon DocumentDB (with MongoDB compatibility) see Amazon DocumentDB Quotas and Limits.

Usage

module "documentdb_cluster" {
  source = "../"

  environment                              = "testing"
  cluster_name                             = "mydocumentdb1245"
  cluster_size                             = 3
  cluster_engine_version                   = "5.0.0"
  cluster_instance_class                   = "db.t4g.medium"
  cluster_vpc_id                           = "vpc-xxx"
  cluster_subnets_id                       = ["subnet-abc", "subnet-cdf", "subnet-ghi"]
  cluster_master_username                  = "docadmin"
  deletion_protection                      = true
  save_cluster_master_password_ssm_params  = true

  tags = {
    Project         = "MyProject"
    TerraformModule = "documentdb_cluster"
  }
}

Requirements

Name	Version
terraform	>=1.5
aws	>=5.42.0
random	>=3.6.0

Providers

Name	Version
aws	5.42.0
random	3.6.0

Modules

No modules.

Resources

Name	Type
aws_docdb_cluster.this	resource
aws_docdb_cluster_instance.this	resource
aws_docdb_cluster_parameter_group.custom	resource
aws_docdb_subnet_group.default	resource
aws_secretsmanager_secret.cluster_master_password	resource
aws_secretsmanager_secret_version.cluster_master_password	resource
aws_security_group.docdb	resource
aws_security_group_rule.docdb_egress	resource
aws_security_group_rule.docdb_ingress	resource
aws_security_group_rule.docdb_self_ingress	resource
aws_ssm_parameter.cluster_master_password	resource
random_password.password	resource

Inputs

Name	Description	Type	Default	Required
apply_immediately	Specifies whether any cluster modifications are applied immediately, or during the next maintenance window.	bool	false	no
ca_cert_identifier	The identifier of the CA certificate for the DocumentDB instance,	string	null	no
cluster_allowed_security_groups_id	A list with the allowed Security Groups ID to access to the DocumentDB Cluster.	list(string)	[]	no
cluster_at_rest_encryption	Whether to enable encryption of data stored on disk.	bool	true	no
cluster_backup_retention_period	The days to retain backups for.	number	35	no
cluster_custom_parameters	A map of string with the custom parameters for this DocumentDB Cluster.	map(string)	{}	no
cluster_db_port	The port on which the DB accepts connections.	number	27017	no
cluster_engine_version	The database engine version. To see the available versions issue: aws docdb describe-db-engine-versions --engine docdb --query 'DBEngineVersions[*].EngineVersion' --output text	string	"5.0.0"	no
cluster_instance_class	The DocumentDB instance class. For a list of the supported instances, see: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs	string	"db.t4g.medium"	no
cluster_master_password	Password for the master DB user. Password must be at least eight characters long and cannot contain a / (slash), " (double quote) or @ (at symbol). Don't set when snapshot_identifier is provided. If no value is set, a random password will be generated.	string	""	no
cluster_master_username	Username for the master DB user. Required unless a snapshot_identifier is provided.	string	"admin"	no
cluster_name	A unique name for this DocumentDB Cluster.	string	n/a	yes
cluster_preferred_backup_window	The daily time range during which automated backups are created if automated backups are enabled. The format is hh24:mi-hh24:mi (24H Clock UTC).	string	"02:00-02:30"	no
cluster_preferred_maintenance_window	Specifies the weekly time range for when maintenance on the DocumentDB Cluster is performed. The format is ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period.	string	"wed:04:00-wed:05:30"	no
cluster_size	Set he number of instances to be deployed in this DocumentDB Cluster. A cluster can have up to sixteen instances (one primary and up to 15 replicas).	number	3	no
cluster_storage_type	The storage type to associate with the DB cluster.	string	"standard"	no
cluster_subnet_group_name	The subnet group name for the DocumentDB Cluster. This input variable is ignored when cluster_subnets_id is set.	string	""	no
cluster_subnets_id	A list with the subnets ID to add to the Cluster Subnet Group. By setting this input variable, the cluster_subnet_group_name will be ignored and a new subnet group with the given subnets will be created and used by the DocumentDB Cluster. Subnet groups must contain at least two subnets in two different Availability Zones in the same region.	list(string)	[]	no
cluster_vpc_id	The VPC ID where the cluster will be provisioned.	string	n/a	yes
deletion_protection	Whether the DocumentDB Cluster has deletion protection enabled.	bool	false	no
enable_performance_insights	Whether to enable Performance Insights for the DocumentDB Instance.	bool	false	no
enabled_cloudwatch_logs_exports	List of log types to export to Amazon CloudWatch. The following log types are supported: audit, profiler. To enable auditing, ensure that both exporting auditing logs to Amazon CloudWatch is enabled and the Cluster Parameter "Auditing" is enabled.	list(string)	[]	no
environment	The environment name, e.g: testing.	string	n/a	yes
save_cluster_master_password_aws_secrets	Whether or no save the cluster master password in AWS Secrets. The password is stored in a secret called /documentdb/<CLUSTER_NAME>/CLUSTER_MASTER_PASSWORD.	bool	false	no
save_cluster_master_password_ssm_params	Whether or no save the cluster master password in AWS SSM Parameter Store. The password is stored as secure string in /documentdb/<CLUSTER_NAME>/CLUSTER_MASTER_PASSWORD.	bool	false	no
skip_final_snapshot	Determines whether a final DB snapshot is created before the DB cluster is deleted.	bool	false	no
snapshot_identifier	Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot. Automated snapshots should not be used for this attribute, unless from a different cluster. Automated snapshots are deleted as part of cluster destruction when the resource is replaced.	string	""	no
tags	Tags added to all supported resources.	map(any)	{}	no

Outputs

Name	Description
arn	Amazon Resource Name (ARN) of the cluster.
cluster_name	Cluster Identifier
endpoint	Endpoint of the DocumentDB cluster.
master_password	Password for the master DB user.
master_username	Username for the master DB user.
reader_endpoint	A read-only endpoint of the DocumentDB cluster, automatically load-balanced across replicas.
security_group_arn	ARN of the DocumentDB cluster Security Group.
security_group_id	ID of the DocumentDB cluster Security Group.
security_group_name	Name of the DocumentDB cluster Security Group.