AWS DynamoDB Module

PSA-compliant DynamoDB module with mandatory PITR, deletion protection, and KMS encryption.
Explore the docs »

View Demo · Report Bug · Request Feature

Documentation

Full auto-generated documentation of inputs, outputs, and resources: TERRAFORM-DOCS.md

Table of Contents

1. About The Project
2. Getting Started
3. Usage
4. Security Features
5. PSA Compliance Features
6. Outputs
7. Troubleshooting
8. License

About The Project

This module creates PSA-compliant DynamoDB tables with a focus on data durability and access control. It defaults to the most secure configurations, such as Point-In-Time Recovery (PITR) and deletion protection.

Features

• Serverless Scaling: Defaulted to PAY_PER_REQUEST billing mode for cost efficiency.
• Data Protection: Mandatory PITR and Deletion Protection enabled by default.
• KMS Encryption: Support for customer-managed KMS keys for encryption at rest.
• Global & Local Indexes: Simplified configuration for GSI and LSI resources.
• Resource Policies: Native support for DynamoDB resource-based access control.
• TTL Support: Built-in Time-to-Live configuration for automatic data expiration.

(back to top)

Usage

Basic Usage

module "dynamodb" {
  source = "./terraform-aws-dynamodb"

  project_name = "myapp"
  environment  = "prod"
  
  hash_key  = "UserId"
  range_key = "OrderDate"
  
  attributes = [
    { name = "UserId", type = "S" },
    { name = "OrderDate", type = "N" }
  ]
}

(back to top)

Security Features

• Point-In-Time Recovery: Enables 35 days of continuous backups for disaster recovery.
• Deletion Protection: Prevents the table from being deleted via console or API without explicit reconfiguration.
• Encryption at Rest: Mandatory server-side encryption using AWS managed keys or customer CMKs.
• Resource Policies: Allows defining granular access control directly on the table resource.

(back to top)

PSA Compliance Features

This module implements the following PSA compliance features (referencing 05-Strukturierte_PSA_Anforderungen_DB_Hadoop_LLM.pdf):

Security Controls

• Req 3.50-01 (Encryption): KMS encryption mandatory for data at rest.
• Req 3.01-02 (Data Integrity): PITR enabled by default.
• Req 3.69 (Access Control): Support for resource_policy to enforce least privilege.
• Deletion Protection: Enforced to prevent accidental data loss.

(back to top)

Troubleshooting

Resource Policy Errors

• Ensure the JSON policy is valid and references the correct principals.
• Remember that resource-based policies for DynamoDB are a relatively new feature; ensure your AWS provider version is up to date.

Throughput Issues

• If using PROVISIONED mode, monitor CloudWatch metrics for ReadThrottleEvents and WriteThrottleEvents.
• Consider switching to PAY_PER_REQUEST for unpredictable workloads.

(back to top)

Requirements

Name	Version
terraform	>=1.3

Providers

Name	Version
aws	n/a

Modules

No modules.

Resources

Name	Type
aws_dynamodb_resource_policy.this	resource
aws_dynamodb_table.this	resource

Inputs

Name	Description	Type	Default	Required
attributes	List of nested attribute definitions. Only required for hash_key and range_key attributes	list(object({ name = string type = string }))	n/a	yes
billing_mode	Controls how you are charged for read and write throughput and how you manage capacity (PROVISIONED or PAY_PER_REQUEST)	string	"PAY_PER_REQUEST"	no
deletion_protection_enabled	Whether to enable deletion protection for the table	bool	true	no
environment	Environment (e.g., prod, dev, test)	string	n/a	yes
global_secondary_indexes	Describe a GSI for the table	list(object({ name = string hash_key = string range_key = optional(string) projection_type = string non_key_attributes = optional(list(string)) read_capacity = optional(number) write_capacity = optional(number) }))	[]	no
hash_key	The attribute to use as the hash (partition) key	string	n/a	yes
kms_key_arn	The ARN of the KMS key to use for server-side encryption	string	""	no
local_secondary_indexes	Describe an LSI for the table	list(object({ name = string range_key = string projection_type = string non_key_attributes = optional(list(string)) }))	[]	no
name_prefix	Prefix for resource names (if not provided, will use project-environment pattern)	string	""	no
point_in_time_recovery_enabled	Whether to enable point-in-time recovery	bool	true	no
project_name	Name of the project	string	n/a	yes
range_key	The attribute to use as the range (sort) key	string	null	no
resource_policy	The JSON-formatted resource-based policy to apply to the DynamoDB table	string	""	no
stream_enabled	Indicates whether Streams are to be enabled	bool	false	no
stream_view_type	When an item in the table is modified, StreamViewType determines what information is written to the table's stream	string	""	no
table_name	Name of the DynamoDB table (if empty, will use project-environment pattern)	string	""	no
tags	Additional tags for all resources	map(string)	{}	no
ttl_attribute_name	The name of the table attribute to store the TTL timestamp in	string	""	no
ttl_enabled	Indicates whether TTL is enabled	bool	false	no

Outputs

Name	Description
gsi_names	Names of the configured global secondary indexes
lsi_names	Names of the configured local secondary indexes
stream_arn	The ARN of the DynamoDB stream
stream_label	The label of the DynamoDB stream
table_arn	The ARN of the DynamoDB table
table_class	The storage class of the DynamoDB table
table_id	The ID of the DynamoDB table
table_name	The name of the DynamoDB table
table_stream_arn	The ARN of the Table Stream
table_stream_label	A timestamp, in ISO 8601 format, for the stream when it was enabled