Terraform module to provision a DocumentDB cluster on AWS
Amazon has announced the IO-optimized storage type for DocumentDB. Support for it was added in HashiCorp AWS provider version 5.29.0.
Keep standard as the default but also add the ability to create IO-optimized DocumentDB clusters.
https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-documentdb-i-o-optimized/
https://registry.terraform.io/providers/hashicorp/aws/5.29.0/docs/resources/docdb_cluster#storage_type
Hey folks
First of all, thanks for the work.
Here the goal is to allow the user of the module to attach security groups which are managed outside of the module.
This is pretty useful when you have a design where security groups are centrally managed and so outside the scope of the module.
Note: If you have any questions, don't hesitate to ping me.
Cheers
In this PR, we can use the Cloud Posse SSM parameter store module to store the DocumentDB master_password information.
The objective behind this PR is to ensure the secure distribution of the docdb cluster's master password within the AWS infrastructure. We can centrally manage and protect sensitive information, increasing operational efficiency.
No issue relates to the current improvement.
I have run these required commands.
make init
make readme
Kindly review this PR for documentdb module improvements. Thank you, Cloud Posse Team!
We need to have the possibility to select the certificate we need to use, or directly the default Amazon one.
Because: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
Please read the link -> https://docs.aws.amazon.com/es_es/documentdb/latest/developerguide/ca_cert_rotation.html
module "disabled_docdb" {
  source     = "../../work/terraform-aws-documentdb-cluster"
  enabled    = false
  vpc_id     = ""
  subnet_ids = []
}
Added egress_source_port, egress_dest_port, egress_protocol, and allowed_egress_cidr_blocks for the "aws_security_group_rule" "egress" resource. By default, an egress rule to 0.0.0.0/0 will be created. If the user is expected to restrict outbound traffic, they can specify the required values instead of 0.0.0.0/0. By providing the option to customize the egress rule, we are giving users control over their security posture (compliance). For example, our docdb may only connect with internal applications inside the AWS EKS cluster, or users may integrate their cloud resources with a third party such as Prisma Cloud, or maybe use tfsec as their security scanner, which prompts users to kindly avoid 0.0.0.0/0 for security best practices. Thank you
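As an added illustration (not code from this PR or from the module's own documentation), the module invoked with its default wide-open egress beside the same call restricted to an internal range; the four egress variable names come from this PR, while their types (list of CIDR strings, numeric ports, protocol string), the VPC and subnet IDs and the 10.0.0.0/16 range are assumptions.

```hcl
# Before: no egress inputs set, so the module keeps its default and the
# "egress" aws_security_group_rule allows all outbound traffic to 0.0.0.0/0,
# which scanners such as tfsec flag.
module "docdb_default_egress" {
  source     = "../../work/terraform-aws-documentdb-cluster"
  vpc_id     = "vpc-0123456789abcdef0"     # placeholder value
  subnet_ids = ["subnet-0aaaaaaaaaaaaaaa0"] # placeholder value
}

# After: outbound traffic from the cluster's security group is limited to the
# internal application range on the DocumentDB port (27017). Security groups
# are stateful, so replies to inbound client connections are still allowed.
module "docdb_restricted_egress" {
  source     = "../../work/terraform-aws-documentdb-cluster"
  vpc_id     = "vpc-0123456789abcdef0"     # placeholder value
  subnet_ids = ["subnet-0aaaaaaaaaaaaaaa0"] # placeholder value

  allowed_egress_cidr_blocks = ["10.0.0.0/16"] # assumed internal CIDR, not 0.0.0.0/0
  egress_protocol            = "tcp"
  egress_source_port         = 27017
  egress_dest_port           = 27017
}
```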
Support AWS Provider V5
Linter fixes
Maintenance
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0
allow_ingress_from_self, which configures the security group to allow traffic within itself on the DB port
https://github.com/cloudposse/terraform-aws-rds-cluster/pull/145
aws_secretsmanager_secret_version as part of the terraform configuration that creates the cluster.
Rebuild github dir from the template
Sync github workflows with the template
Propagated preferred_maintenance_window to the docdb cluster instance resources (aws_docdb_cluster_instance.default) such that the cluster and its instances have the same value given by the user