
AWS DynamoDB Module

PSA-compliant DynamoDB module with mandatory PITR, deletion protection, and KMS encryption.

Documentation

Full auto-generated documentation of inputs, outputs, and resources: TERRAFORM-DOCS.md

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. Security Features
  5. PSA Compliance Features
  6. Outputs
  7. Troubleshooting
  8. License

About The Project

This module creates PSA-compliant DynamoDB tables with a focus on data durability and access control. It defaults to the most secure configurations, such as Point-In-Time Recovery (PITR) and deletion protection.

Features

  • Serverless Scaling: Defaulted to PAY_PER_REQUEST billing mode for cost efficiency.
  • Data Protection: Mandatory PITR and Deletion Protection enabled by default.
  • KMS Encryption: Support for customer-managed KMS keys for encryption at rest.
  • Global & Local Indexes: Simplified configuration for GSI and LSI resources.
  • Resource Policies: Native support for DynamoDB resource-based access control.
  • TTL Support: Built-in Time-to-Live configuration for automatic data expiration.


Usage

Basic Usage

```hcl
module "dynamodb" {
  source = "./terraform-aws-dynamodb"

  # Used to build the default table name (project-environment) unless table_name is set.
  project_name = "myapp"
  environment  = "prod"

  # Partition and sort key; both must also be declared in attributes.
  hash_key  = "UserId"
  range_key = "OrderDate"

  attributes = [
    { name = "UserId", type = "S" },
    { name = "OrderDate", type = "N" }
  ]
}
```


Security Features

  • Point-In-Time Recovery: Enables 35 days of continuous backups for disaster recovery.
  • Deletion Protection: Prevents the table from being deleted via console or API without explicit reconfiguration.
  • Encryption at Rest: Mandatory server-side encryption using AWS managed keys or customer CMKs.
  • Resource Policies: Allows defining granular access control directly on the table resource.
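The following is an added example (not from the module's README) that ties the Usage section to the security features above: it passes a customer-managed KMS key, a least-privilege resource policy, and states the PITR and deletion-protection defaults explicitly. The table name, application role name and KMS key ARN are placeholders, and the policy's table ARN is derived from the chosen table name because the policy document is rendered before the table exists.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  account    = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name
  table_name = "myapp-prod-orders"
  # ARN derived from the chosen name: the policy is rendered before the table exists.
  table_arn = "arn:aws:dynamodb:${local.region}:${local.account}:table/${local.table_name}"
  app_role  = "arn:aws:iam::${local.account}:role/myapp-prod-app" # placeholder role name
}

# Least-privilege resource policy: only the application role, only item-level actions,
# only on this table (and any index added to it later), and only over TLS.
data "aws_iam_policy_document" "orders" {
  statement {
    effect    = "Allow"
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:Query"]
    resources = [local.table_arn, "${local.table_arn}/index/*"]
    principals {
      type        = "AWS"
      identifiers = [local.app_role]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

module "dynamodb" {
  source       = "./terraform-aws-dynamodb"
  project_name = "myapp"
  environment  = "prod"
  table_name   = local.table_name
  hash_key     = "UserId"
  range_key    = "OrderDate"
  attributes = [
    { name = "UserId", type = "S" },
    { name = "OrderDate", type = "N" },
  ]

  # Customer-managed key (placeholder ARN) instead of the AWS-owned default key.
  kms_key_arn     = "arn:aws:kms:${local.region}:${local.account}:key/REPLACE-WITH-KEY-ID"
  resource_policy = data.aws_iam_policy_document.orders.json

  # Already the module defaults, but stated explicitly so that turning them off shows up in review.
  point_in_time_recovery_enabled = true
  deletion_protection_enabled    = true
}
```

The IAM role named in the policy must also be allowed to use the KMS key (kms:Decrypt and kms:GenerateDataKey on that key), otherwise reads and writes fail even though the table policy permits them.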


PSA Compliance Features

This module implements the following PSA compliance features (referencing 05-Strukturierte_PSA_Anforderungen_DB_Hadoop_LLM.pdf):

Security Controls

  • Req 3.50-01 (Encryption): KMS encryption mandatory for data at rest.
  • Req 3.01-02 (Data Integrity): PITR enabled by default.
  • Req 3.69 (Access Control): Support for resource_policy to enforce least privilege.
  • Deletion Protection: Enforced to prevent accidental data loss.


Troubleshooting

Resource Policy Errors

  • Ensure the JSON policy is valid and references the correct principals.
  • Remember that resource-based policies for DynamoDB are a relatively new feature; ensure your AWS provider version is up to date.

Throughput Issues

  • If using PROVISIONED mode, monitor CloudWatch metrics for ReadThrottleEvents and WriteThrottleEvents.
  • Consider switching to PAY_PER_REQUEST for unpredictable workloads.
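An added example (not from the README) of the monitoring suggested above: one CloudWatch alarm per throttle metric, scoped to the table created by the module instance named `dynamodb` in the Usage section and using its `table_name` output. The SNS topic ARN is a placeholder.

```hcl
locals {
  throttle_metrics = toset(["ReadThrottleEvents", "WriteThrottleEvents"])
  alerts_topic_arn = "arn:aws:sns:REGION:ACCOUNT:ops-alerts" # placeholder
}

# One alarm per metric: throttled requests in 3 of the last 5 one-minute periods notify the topic.
resource "aws_cloudwatch_metric_alarm" "throttles" {
  for_each = local.throttle_metrics

  alarm_name          = "${module.dynamodb.table_name}-${lower(each.key)}"
  alarm_description   = "${each.key} > 0 on ${module.dynamodb.table_name}: raise capacity or switch to PAY_PER_REQUEST"
  namespace           = "AWS/DynamoDB"
  metric_name         = each.key
  dimensions          = { TableName = module.dynamodb.table_name }
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 5
  datapoints_to_alarm = 3
  comparison_operator = "GreaterThanThreshold"
  threshold           = 0
  treat_missing_data  = "notBreaching" # periods without a datapoint are treated as healthy
  alarm_actions       = [local.alerts_topic_arn]
  ok_actions          = [local.alerts_topic_arn]
}
```

Throttling on a global secondary index is reported under the same metric names with an additional GlobalSecondaryIndexName dimension, so tables with GSIs need a second alarm set keyed on that dimension.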


Requirements

| Name | Version |
|------|---------|
| terraform | >=1.3 |

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_dynamodb_resource_policy.this | resource |
| aws_dynamodb_table.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| attributes | List of nested attribute definitions. Only required for hash_key and range_key attributes | `list(object({ name = string, type = string }))` | n/a | yes |
| billing_mode | Controls how you are charged for read and write throughput and how you manage capacity (PROVISIONED or PAY_PER_REQUEST) | `string` | `"PAY_PER_REQUEST"` | no |
| deletion_protection_enabled | Whether to enable deletion protection for the table | `bool` | `true` | no |
| environment | Environment (e.g., prod, dev, test) | `string` | n/a | yes |
| global_secondary_indexes | Describe a GSI for the table | `list(object({ name = string, hash_key = string, range_key = optional(string), projection_type = string, non_key_attributes = optional(list(string)), read_capacity = optional(number), write_capacity = optional(number) }))` | `[]` | no |
| hash_key | The attribute to use as the hash (partition) key | `string` | n/a | yes |
| kms_key_arn | The ARN of the KMS key to use for server-side encryption | `string` | `""` | no |
| local_secondary_indexes | Describe an LSI for the table | `list(object({ name = string, range_key = string, projection_type = string, non_key_attributes = optional(list(string)) }))` | `[]` | no |
| name_prefix | Prefix for resource names (if not provided, will use project-environment pattern) | `string` | `""` | no |
| point_in_time_recovery_enabled | Whether to enable point-in-time recovery | `bool` | `true` | no |
| project_name | Name of the project | `string` | n/a | yes |
| range_key | The attribute to use as the range (sort) key | `string` | `null` | no |
| resource_policy | The JSON-formatted resource-based policy to apply to the DynamoDB table | `string` | `""` | no |
| stream_enabled | Indicates whether Streams are to be enabled | `bool` | `false` | no |
| stream_view_type | When an item in the table is modified, StreamViewType determines what information is written to the table's stream | `string` | `""` | no |
| table_name | Name of the DynamoDB table (if empty, will use project-environment pattern) | `string` | `""` | no |
| tags | Additional tags for all resources | `map(string)` | `{}` | no |
| ttl_attribute_name | The name of the table attribute to store the TTL timestamp in | `string` | `""` | no |
| ttl_enabled | Indicates whether TTL is enabled | `bool` | `false` | no |

Outputs

| Name | Description |
|------|-------------|
| gsi_names | Names of the configured global secondary indexes |
| lsi_names | Names of the configured local secondary indexes |
| stream_arn | The ARN of the DynamoDB stream |
| stream_label | The label of the DynamoDB stream |
| table_arn | The ARN of the DynamoDB table |
| table_class | The storage class of the DynamoDB table |
| table_id | The ID of the DynamoDB table |
| table_name | The name of the DynamoDB table |
| table_stream_arn | The ARN of the Table Stream |
| table_stream_label | A timestamp, in ISO 8601 format, for the stream when it was enabled |