Managed DocumentDB (MongoDB-compatible) in AWS

This module creates and manages DocumentDB (MongoDB-compatible) in AWS. Key features:

flexible configuration
management of parameter and security groups
management of maintenance and backup windows
optional encryption at rest (data storage) of DocumentDB cluster with a managed KMS key

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_aws_documentdb_mongo" {
  source  = "solutions.corewide.com/aws/tf-aws-documentdb-mongo/aws"
  version = "~> 1.1.0"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 1.1 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "1.1.0"

€600

Dependencies included: €100

tf-aws-kms-key	€50
tf-aws-security-group	€50

BUY

License

v1.1.0 released 3 weeks, 3 days ago

New version approx. every 7 weeks

Upgrade Notes

Changelog

This module creates and manages DocumentDB (MongoDB-compatible) in AWS. Key features:

flexible configuration
management of parameter and security groups
management of maintenance and backup windows
optional encryption at rest (data storage) of DocumentDB cluster with a managed KMS key

From `v1.x` to `v2.x`

The module from v2.0 has several management changes that requires attention:

KMS encryption mode has been changed from disabled to module-managed
stopped utilizing Terraform aws_subnet data source in favor of vpc_id variable to omit recreations of resources on data source fetch

Update the declaration of the module according to the requirements and examples to match the designed configuration:

 hclmodule "db" {
  ...
  vpc_id = "vpc-01b7fd645a40acf4b"

  # This section is optional, and must be added only to continue running a non-encrypted DocumentDB cluster
  kms_encryption = {
    mode = "disabled"
  }
  ...
}

Then re-init the module:

 bashterraform init

Now the configuration can be applied.

Deploy DocumentDB cluster with multiple nodes, custom machine size, parameters, security groups, database credentials and engine version in specific subnets:

 hclmodule "db" {
  source  = "solutions.corewide.com/aws/tf-aws-documentdb-mongo/aws"
  version = "~> 1.1"

  name_prefix        = "foo"
  username           = "mongo"
  password           = "sensitive_password"
  engine_version     = "4.0.0"
  machine_size       = "db.t4g.medium"
  node_count         = 2
  backup_window_hour = 3

  subnet_ids = [
    "subnet-0f12bcde3456fg78h",
    "subnet-9i01234j567klm890",
  ]

  allowed_security_group_ids = [
    "sg-01234a5b678901234",
  ]

  db_parameters = [
    {
      name  = "tls"
      value = "enabled"
    },
    {
      name  = "ttl_monitor"
      value = "enabled"
    },
  ]

  tags = {
    foo = "bar"
  }
}

Create DocumentDB cluster with the encryption enabled with a module-managed KMS key:

 hclmodule "db" {
  source  = "solutions.corewide.com/aws/tf-aws-documentdb-mongo/aws"
  version = "~> 1.1"

  name_prefix = "foo"
  subnet_ids  = ["subnet-0f12bcde3456fg78h"]

  kms_encryption = {
    mode = "module-managed"
  }
}

Create DocumentDB cluster with the encryption enabled with a supplied KMS key created externally:

 hclmodule "db" {
  source  = "solutions.corewide.com/aws/tf-aws-documentdb-mongo/aws"
  version = "~> 1.1"

  name_prefix = "foo"
  subnet_ids  = ["subnet-0f12bcde3456fg78h"]

  kms_encryption = {
    mode    = "custom"
    key_arn = "arn:aws:kms:eu-west-1:1234567890:key/123qwer-45ty-678qwe-9012-3456tyqwe"
  }
}

Minimal setup with required parameters only:

 hclmodule "db" {
  source  = "solutions.corewide.com/aws/tf-aws-documentdb-mongo/aws"
  version = "~> 1.1"

  name_prefix = "foo"
  subnet_ids  = ["subnet-0f12bcde3456fg78h"]
}

Variable	Description	Type	Default	Required	Sensitive
`name_prefix`	Name prefix for the created resources	`string`		yes	no
`password`	Password for the master DB user (randomly generated if not specified)	`string`		yes	no
`subnet_ids`	List of VPC subnet IDs for DocumentDB subnet group creation	`list(string)`		yes	no
`allowed_security_group_ids`	List of security group IDs to allow connections to the cluster (re-ordering IDs in the list can cause re-creation of corresponding Security Group Rule)	`list(string)`	`[]`	no	no
`apply_during_maintenance_window`	Apply changes to the cluster during maintenance window	`bool`	`true`	no	no
`backup_retention_period`	Days to retain backups for	`number`	`2`	no	no
`backup_window_hour`	One hour time range in which daily automatic backups are created	`number`	`5`	no	no
`db_parameters`	List of database parameters objects	`list(object)`	`[]`	no	no
`db_parameters[*].apply_method`	Method in which parameter should be applied. Possible values are: `immediate` and `pending-reboot`	`string`	`pending-reboot`	no	no
`db_parameters[*].name`	Name of the DocumentDB parameter	`string`		yes	no
`db_parameters[*].value`	Value for DocumentDB parameter	`string`		yes	no
`deletion_protection_enabled`	Whether the DB cluster has deletion protection enabled	`bool`	`false`	no	no
`engine_version`	Database engine version. Possible values are: `3.6.0`, `4.0.0` and `5.0.0`	`string`	`5.0.0`	no	no
`kms_encryption`	KMS Encryption parameters	`object`	`{}`	no	no
`kms_encryption.key_arn`	ARN of the KMS key (required if `mode` is `custom`)	`string`		no	no
`kms_encryption.mode`	Encryption mode. Possible values are: `disabled` - DocumentDB cluster is not encrypted; `custom` - DocumentDB cluster is encrypted with a supplied custom KMS key; `module-managed` - DocumentDB cluster is encrypted with an automatically created KMS key	`string`	`disabled`	no	no
`machine_size`	Instance class to use for the cluster nodes	`string`	`db.t3.medium`	no	no
`maintenance_window`	Maintenance window configuration	`object`	`{}`	no	no
`maintenance_window.day`	The day of the week (`Mon`, `Tue`, `Wed`, etc.) the maintenance window occurs	`string`	`Mon`	no	no
`maintenance_window.hour`	The hour when the maintenance updates are applied, in UTC 24-hour format. Examples: `02`, `03`, `23`	`number`	`6`	no	no
`major_upgrade_allowed`	Whether engine major version upgrades are allowed	`bool`	`false`	no	no
`node_count`	Number of nodes in a DocumentDB cluster	`number`	`1`	no	no
`storage_type`	Storage type to associate with the DB cluster. Possible values are: `standard` and `iopt1`	`string`	`standard`	no	no
`tags`	Tags that must be assigned to resources	`map(string)`	`{}`	no	no
`username`	Username for the master DB user	`string`	`docdb`	no	no

Output	Description	Type	Sensitive
`connection_parameters`	Database connection parameters (`db_host`, `db_port`, `db_user`, `db_password`, `db_connection_url`)	`map`	yes
`database_cluster`	DocumentDB cluster resource attributes	`resource`	yes
`security_group`	Security group of the DocumentDB cluster	`resource`	no

Dependency	Version	Kind
`terraform`	`>= 1.3`	CLI
`hashicorp/aws`	`~> 5.0`	provider
`hashicorp/random`	`~> 3.3`	provider
`tf-aws-kms-key`	`~> 1.0`	module
`tf-aws-security-group`	`~> 2.0`	module