Awesome
AWS Redshift Terraform module
Terraform module which creates Redshift resources on AWS.
Usage
module "redshift" {
source = "terraform-aws-modules/redshift/aws"
cluster_identifier = "example"
allow_version_upgrade = true
node_type = "ra3.xlplus"
number_of_nodes = 3
database_name = "mydb"
master_username = "mydbuser"
create_random_password = false
master_password = "MySecretPassw0rd1!" # Do better!
encrypted = true
kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
enhanced_vpc_routing = true
vpc_security_group_ids = ["sg-12345678"]
subnet_ids = ["subnet-123456", "subnet-654321"]
availability_zone_relocation_enabled = true
snapshot_copy = {
destination_region = "us-east-1"
grant_name = "example-grant"
}
logging = {
enable = true
bucket_name = "my-s3-log-bucket"
s3_key_prefix = "example/"
}
# Parameter group
parameter_group_name = "example-custom"
parameter_group_description = "Custom parameter group for example cluster"
parameter_group_parameters = {
wlm_json_configuration = {
name = "wlm_json_configuration"
value = jsonencode([
{
query_concurrency = 15
}
])
}
require_ssl = {
name = "require_ssl"
value = true
}
use_fips_ssl = {
name = "use_fips_ssl"
value = false
}
enable_user_activity_logging = {
name = "enable_user_activity_logging"
value = true
}
max_concurrency_scaling_clusters = {
name = "max_concurrency_scaling_clusters"
value = 3
}
enable_case_sensitive_identifier = {
name = "enable_case_sensitive_identifier"
value = true
}
}
parameter_group_tags = {
Additional = "CustomParameterGroup"
}
# Subnet group
subnet_group_name = "example-custom"
subnet_group_description = "Custom subnet group for example cluster"
subnet_group_tags = {
Additional = "CustomSubnetGroup"
}
# Snapshot schedule
create_snapshot_schedule = true
snapshot_schedule_identifier = local.name
use_snapshot_identifier_prefix = true
snapshot_schedule_description = "Example snapshot schedule"
snapshot_schedule_definitions = ["rate(12 hours)"]
snapshot_schedule_force_destroy = true
# Scheduled actions
create_scheduled_action_iam_role = true
scheduled_actions = {
pause = {
name = "example-pause"
description = "Pause cluster every night"
schedule = "cron(0 22 * * ? *)"
pause_cluster = true
}
resize = {
name = "example-resize"
description = "Resize cluster (demo only)"
schedule = "cron(00 13 * * ? *)"
resize_cluster = {
node_type = "ds2.xlarge"
number_of_nodes = 5
}
}
resume = {
name = "example-resume"
description = "Resume cluster every morning"
schedule = "cron(0 12 * * ? *)"
resume_cluster = true
}
}
# Endpoint access
create_endpoint_access = true
endpoint_name = "example-example"
endpoint_subnet_group_name = "example-subnet-group"
endpoint_vpc_security_group_ids = ["sg-12345678"]
# Usage limits
usage_limits = {
currency_scaling = {
feature_type = "concurrency-scaling"
limit_type = "time"
amount = 60
breach_action = "emit-metric"
}
spectrum = {
feature_type = "spectrum"
limit_type = "data-scanned"
amount = 2
breach_action = "disable"
tags = {
Additional = "CustomUsageLimits"
}
}
}
# Authentication profile
authentication_profiles = {
example = {
name = "example"
content = {
AllowDBUserOverride = "1"
Client_ID = "ExampleClientID"
App_ID = "example"
}
}
bar = {
content = {
AllowDBUserOverride = "1"
Client_ID = "ExampleClientID"
App_ID = "bar"
}
}
}
tags = {
Environment = "dev"
Terraform = "true"
}
}
Examples
- Complete Redshift example creates VPC with Redshift subnet, VPC security group and Redshift cluster itself.
Requirements
| Name | Version |
|---|---|
| <a name="requirement_terraform"></a> terraform | >= 1.3 |
| <a name="requirement_aws"></a> aws | >= 5.45 |
| <a name="requirement_random"></a> random | >= 3.0 |
Providers
| Name | Version |
|---|---|
| <a name="provider_aws"></a> aws | >= 5.45 |
| <a name="provider_random"></a> random | >= 3.0 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_iam_role.scheduled_action | resource |
| aws_iam_role_policy.scheduled_action | resource |
| aws_redshift_authentication_profile.this | resource |
| aws_redshift_cluster.this | resource |
| aws_redshift_cluster_iam_roles.this | resource |
| aws_redshift_endpoint_access.this | resource |
| aws_redshift_logging.this | resource |
| aws_redshift_parameter_group.this | resource |
| aws_redshift_scheduled_action.this | resource |
| aws_redshift_snapshot_copy.this | resource |
| aws_redshift_snapshot_schedule.this | resource |
| aws_redshift_snapshot_schedule_association.this | resource |
| aws_redshift_subnet_group.this | resource |
| aws_redshift_usage_limit.this | resource |
| aws_secretsmanager_secret_rotation.this | resource |
| random_password.master_password | resource |
| aws_iam_policy_document.scheduled_action | data source |
| aws_iam_policy_document.scheduled_action_assume | data source |
| aws_partition.current | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_allow_version_upgrade"></a> allow_version_upgrade | If true, major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster. Default is true | bool | null | no |
| <a name="input_apply_immediately"></a> apply_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false | bool | null | no |
| <a name="input_aqua_configuration_status"></a> aqua_configuration_status | The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) after the cluster is restored. Possible values are enabled, disabled, and auto. Requires Cluster reboot | string | null | no |
| <a name="input_authentication_profiles"></a> authentication_profiles | Map of authentication profiles to create | any | {} | no |
| <a name="input_automated_snapshot_retention_period"></a> automated_snapshot_retention_period | The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with create-cluster-snapshot. Default is 1 | number | null | no |
| <a name="input_availability_zone"></a> availability_zone | The EC2 Availability Zone (AZ) in which you want Amazon Redshift to provision the cluster. Can only be changed if availability_zone_relocation_enabled is true | string | null | no |
| <a name="input_availability_zone_relocation_enabled"></a> availability_zone_relocation_enabled | If true, the cluster can be relocated to another availability zone, either automatically by AWS or when requested. Default is false. Available for use on clusters from the RA3 instance family | bool | null | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string | null | no |
| <a name="input_cloudwatch_log_group_retention_in_days"></a> cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs for the redshift cluster | number | 0 | no |
| <a name="input_cloudwatch_log_group_skip_destroy"></a> cloudwatch_log_group_skip_destroy | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | bool | null | no |
| <a name="input_cloudwatch_log_group_tags"></a> cloudwatch_log_group_tags | Additional tags to add to cloudwatch log groups created | map(string) | {} | no |
| <a name="input_cluster_identifier"></a> cluster_identifier | The Cluster Identifier. Must be a lower case string | string | "" | no |
| <a name="input_cluster_timeouts"></a> cluster_timeouts | Create, update, and delete timeout configurations for the cluster | map(string) | {} | no |
| <a name="input_cluster_version"></a> cluster_version | The version of the Amazon Redshift engine software that you want to deploy on the cluster. The version selected runs on all the nodes in the cluster | string | null | no |
| <a name="input_create"></a> create | Determines whether to create Redshift cluster and resources (affects all resources) | bool | true | no |
| <a name="input_create_cloudwatch_log_group"></a> create_cloudwatch_log_group | Determines whether a CloudWatch log group is created for each var.logging.log_exports | bool | false | no |
| <a name="input_create_endpoint_access"></a> create_endpoint_access | Determines whether to create an endpoint access (managed VPC endpoint) | bool | false | no |
| <a name="input_create_parameter_group"></a> create_parameter_group | Determines whether to create a parameter group or use existing | bool | true | no |
| <a name="input_create_random_password"></a> create_random_password | Determines whether to create random password for cluster master_password | bool | true | no |
| <a name="input_create_scheduled_action_iam_role"></a> create_scheduled_action_iam_role | Determines whether a scheduled action IAM role is created | bool | false | no |
| <a name="input_create_snapshot_schedule"></a> create_snapshot_schedule | Determines whether to create a snapshot schedule | bool | false | no |
| <a name="input_create_subnet_group"></a> create_subnet_group | Determines whether to create a subnet group or use existing | bool | true | no |
| <a name="input_database_name"></a> database_name | The name of the first database to be created when the cluster is created. If you do not provide a name, Amazon Redshift will create a default database called dev | string | null | no |
| <a name="input_default_iam_role_arn"></a> default_iam_role_arn | The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created | string | null | no |
| <a name="input_elastic_ip"></a> elastic_ip | The Elastic IP (EIP) address for the cluster | string | null | no |
| <a name="input_encrypted"></a> encrypted | If true, the data in the cluster is encrypted at rest | bool | true | no |
| <a name="input_endpoint_name"></a> endpoint_name | The Redshift-managed VPC endpoint name | string | "" | no |
| <a name="input_endpoint_resource_owner"></a> endpoint_resource_owner | The Amazon Web Services account ID of the owner of the cluster. This is only required if the cluster is in another Amazon Web Services account | string | null | no |
| <a name="input_endpoint_subnet_group_name"></a> endpoint_subnet_group_name | The subnet group from which Amazon Redshift chooses the subnet to deploy the endpoint | string | "" | no |
| <a name="input_endpoint_vpc_security_group_ids"></a> endpoint_vpc_security_group_ids | The security group IDs to use for the endpoint access (managed VPC endpoint) | list(string) | [] | no |
| <a name="input_enhanced_vpc_routing"></a> enhanced_vpc_routing | If true, enhanced VPC routing is enabled | bool | null | no |
| <a name="input_final_snapshot_identifier"></a> final_snapshot_identifier | The identifier of the final snapshot that is to be created immediately before deleting the cluster. If this parameter is provided, skip_final_snapshot must be false | string | null | no |
| <a name="input_iam_role_arns"></a> iam_role_arns | A list of IAM Role ARNs to associate with the cluster. A Maximum of 10 can be associated to the cluster at any time | list(string) | [] | no |
| <a name="input_iam_role_description"></a> iam_role_description | Description of the scheduled action IAM role | string | null | no |
| <a name="input_iam_role_name"></a> iam_role_name | Name to use on scheduled action IAM role created | string | null | no |
| <a name="input_iam_role_path"></a> iam_role_path | Scheduled action IAM role path | string | null | no |
| <a name="input_iam_role_permissions_boundary"></a> iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the scheduled action IAM role | string | null | no |
| <a name="input_iam_role_tags"></a> iam_role_tags | A map of additional tags to add to the scheduled action IAM role created | map(string) | {} | no |
| <a name="input_iam_role_use_name_prefix"></a> iam_role_use_name_prefix | Determines whether scheduled action the IAM role name (iam_role_name) is used as a prefix | string | true | no |
| <a name="input_kms_key_arn"></a> kms_key_arn | The ARN for the KMS encryption key. When specifying kms_key_arn, encrypted needs to be set to true | string | null | no |
| <a name="input_logging"></a> logging | Logging configuration for the cluster | any | {} | no |
| <a name="input_maintenance_track_name"></a> maintenance_track_name | The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. Default value is current | string | null | no |
| <a name="input_manage_master_password"></a> manage_master_password | Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with master_password. One of master_password or manage_master_password is required unless snapshot_identifier is provided | bool | false | no |
| <a name="input_manage_master_password_rotation"></a> manage_master_password_rotation | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. | bool | false | no |
| <a name="input_manual_snapshot_retention_period"></a> manual_snapshot_retention_period | The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots. Valid values are between -1 and 3653. Default value is -1 | number | null | no |
| <a name="input_master_password"></a> master_password | Password for the master DB user. (Required unless a snapshot_identifier is provided). Must contain at least 8 chars, one uppercase letter, one lowercase letter, and one number | string | null | no |
| <a name="input_master_password_rotate_immediately"></a> master_password_rotate_immediately | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | bool | null | no |
| <a name="input_master_password_rotation_automatically_after_days"></a> master_password_rotation_automatically_after_days | Specifies the number of days between automatic scheduled rotations of the secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified. | number | null | no |
| <a name="input_master_password_rotation_duration"></a> master_password_rotation_duration | The length of the rotation window in hours. For example, 3h for a three hour window. | string | null | no |
| <a name="input_master_password_rotation_schedule_expression"></a> master_password_rotation_schedule_expression | A cron() or rate() expression that defines the schedule for rotating your secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified. | string | null | no |
| <a name="input_master_password_secret_kms_key_id"></a> master_password_secret_kms_key_id | ID of the KMS key used to encrypt the cluster admin credentials secret | string | null | no |
| <a name="input_master_username"></a> master_username | Username for the master DB user (Required unless a snapshot_identifier is provided). Defaults to awsuser | string | "awsuser" | no |
| <a name="input_multi_az"></a> multi_az | Specifies if the Redshift cluster is multi-AZ | bool | null | no |
| <a name="input_node_type"></a> node_type | The node type to be provisioned for the cluster | string | "" | no |
| <a name="input_number_of_nodes"></a> number_of_nodes | Number of nodes in the cluster. Defaults to 1. Note: values greater than 1 will trigger cluster_type to switch to multi-node | number | 1 | no |
| <a name="input_owner_account"></a> owner_account | The AWS customer account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot | string | null | no |
| <a name="input_parameter_group_description"></a> parameter_group_description | The description of the Redshift parameter group. Defaults to Managed by Terraform | string | null | no |
| <a name="input_parameter_group_family"></a> parameter_group_family | The family of the Redshift parameter group | string | "redshift-1.0" | no |
| <a name="input_parameter_group_name"></a> parameter_group_name | The name of the Redshift parameter group, existing or to be created | string | null | no |
| <a name="input_parameter_group_parameters"></a> parameter_group_parameters | value | map(any) | {} | no |
| <a name="input_parameter_group_tags"></a> parameter_group_tags | Additional tags to add to the parameter group | map(string) | {} | no |
| <a name="input_port"></a> port | The port number on which the cluster accepts incoming connections. Default port is 5439 | number | null | no |
| <a name="input_preferred_maintenance_window"></a> preferred_maintenance_window | The weekly time range (in UTC) during which automated cluster maintenance can occur. Format: ddd:hh24:mi-ddd:hh24:mi | string | "sat:10:00-sat:10:30" | no |
| <a name="input_publicly_accessible"></a> publicly_accessible | If true, the cluster can be accessed from a public network | bool | false | no |
| <a name="input_random_password_length"></a> random_password_length | Length of random password to create. Defaults to 16 | number | 16 | no |
| <a name="input_scheduled_actions"></a> scheduled_actions | Map of maps containing scheduled action definitions | any | {} | no |
| <a name="input_skip_final_snapshot"></a> skip_final_snapshot | Determines whether a final snapshot of the cluster is created before Redshift deletes the cluster. If true, a final cluster snapshot is not created. If false , a final cluster snapshot is created before the cluster is deleted | bool | true | no |
| <a name="input_snapshot_cluster_identifier"></a> snapshot_cluster_identifier | The name of the cluster the source snapshot was created from | string | null | no |
| <a name="input_snapshot_copy"></a> snapshot_copy | Configuration of automatic copy of snapshots from one region to another | any | {} | no |
| <a name="input_snapshot_identifier"></a> snapshot_identifier | The name of the snapshot from which to create the new cluster | string | null | no |
| <a name="input_snapshot_schedule_definitions"></a> snapshot_schedule_definitions | The definition of the snapshot schedule. The definition is made up of schedule expressions, for example cron(30 12 *) or rate(12 hours) | list(string) | [] | no |
| <a name="input_snapshot_schedule_description"></a> snapshot_schedule_description | The description of the snapshot schedule | string | null | no |
| <a name="input_snapshot_schedule_force_destroy"></a> snapshot_schedule_force_destroy | Whether to destroy all associated clusters with this snapshot schedule on deletion. Must be enabled and applied before attempting deletion | bool | null | no |
| <a name="input_snapshot_schedule_identifier"></a> snapshot_schedule_identifier | The snapshot schedule identifier | string | null | no |
| <a name="input_subnet_group_description"></a> subnet_group_description | The description of the Redshift Subnet group. Defaults to Managed by Terraform | string | null | no |
| <a name="input_subnet_group_name"></a> subnet_group_name | The name of the Redshift subnet group, existing or to be created | string | null | no |
| <a name="input_subnet_group_tags"></a> subnet_group_tags | Additional tags to add to the subnet group | map(string) | {} | no |
| <a name="input_subnet_ids"></a> subnet_ids | An array of VPC subnet IDs to use in the subnet group | list(string) | [] | no |
| <a name="input_tags"></a> tags | A map of tags to add to all resources | map(string) | {} | no |
| <a name="input_usage_limits"></a> usage_limits | Map of usage limit definitions to create | any | {} | no |
| <a name="input_use_snapshot_identifier_prefix"></a> use_snapshot_identifier_prefix | Determines whether the identifier (snapshot_schedule_identifier) is used as a prefix | bool | true | no |
| <a name="input_vpc_security_group_ids"></a> vpc_security_group_ids | A list of Virtual Private Cloud (VPC) security groups to be associated with the cluster | list(string) | [] | no |
Outputs
| Name | Description |
|---|---|
| <a name="output_authentication_profiles"></a> authentication_profiles | Map of authentication profiles created and their associated attributes |
| <a name="output_cluster_arn"></a> cluster_arn | The Redshift cluster ARN |
| <a name="output_cluster_automated_snapshot_retention_period"></a> cluster_automated_snapshot_retention_period | The backup retention period |
| <a name="output_cluster_availability_zone"></a> cluster_availability_zone | The availability zone of the Cluster |
| <a name="output_cluster_database_name"></a> cluster_database_name | The name of the default database in the Cluster |
| <a name="output_cluster_dns_name"></a> cluster_dns_name | The DNS name of the cluster |
| <a name="output_cluster_encrypted"></a> cluster_encrypted | Whether the data in the cluster is encrypted |
| <a name="output_cluster_endpoint"></a> cluster_endpoint | The connection endpoint |
| <a name="output_cluster_hostname"></a> cluster_hostname | The hostname of the Redshift cluster |
| <a name="output_cluster_id"></a> cluster_id | The Redshift cluster ID |
| <a name="output_cluster_identifier"></a> cluster_identifier | The Redshift cluster identifier |
| <a name="output_cluster_namespace_arn"></a> cluster_namespace_arn | The namespace Amazon Resource Name (ARN) of the cluster |
| <a name="output_cluster_node_type"></a> cluster_node_type | The type of nodes in the cluster |
| <a name="output_cluster_nodes"></a> cluster_nodes | The nodes in the cluster. Each node is a map of the following attributes: node_role, private_ip_address, and public_ip_address |
| <a name="output_cluster_parameter_group_name"></a> cluster_parameter_group_name | The name of the parameter group to be associated with this cluster |
| <a name="output_cluster_port"></a> cluster_port | The port the cluster responds on |
| <a name="output_cluster_preferred_maintenance_window"></a> cluster_preferred_maintenance_window | The backup window |
| <a name="output_cluster_public_key"></a> cluster_public_key | The public key for the cluster |
| <a name="output_cluster_revision_number"></a> cluster_revision_number | The specific revision number of the database in the cluster |
| <a name="output_cluster_secretsmanager_secret_rotation_enabled"></a> cluster_secretsmanager_secret_rotation_enabled | Specifies whether automatic rotation is enabled for the secret |
| <a name="output_cluster_subnet_group_name"></a> cluster_subnet_group_name | The name of a cluster subnet group to be associated with this cluster |
| <a name="output_cluster_type"></a> cluster_type | The Redshift cluster type |
| <a name="output_cluster_version"></a> cluster_version | The version of Redshift engine software |
| <a name="output_cluster_vpc_security_group_ids"></a> cluster_vpc_security_group_ids | The VPC security group ids associated with the cluster |
| <a name="output_endpoint_access_address"></a> endpoint_access_address | The DNS address of the endpoint |
| <a name="output_endpoint_access_id"></a> endpoint_access_id | The Redshift-managed VPC endpoint name |
| <a name="output_endpoint_access_port"></a> endpoint_access_port | The port number on which the cluster accepts incoming connections |
| <a name="output_endpoint_access_vpc_endpoint"></a> endpoint_access_vpc_endpoint | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below |
| <a name="output_master_password_secret_arn"></a> master_password_secret_arn | ARN of managed master password secret |
| <a name="output_parameter_group_arn"></a> parameter_group_arn | Amazon Resource Name (ARN) of the parameter group created |
| <a name="output_parameter_group_id"></a> parameter_group_id | The name of the Redshift parameter group created |
| <a name="output_scheduled_action_iam_role_arn"></a> scheduled_action_iam_role_arn | Scheduled actions IAM role ARN |
| <a name="output_scheduled_action_iam_role_name"></a> scheduled_action_iam_role_name | Scheduled actions IAM role name |
| <a name="output_scheduled_action_iam_role_unique_id"></a> scheduled_action_iam_role_unique_id | Stable and unique string identifying the scheduled action IAM role |
| <a name="output_scheduled_actions"></a> scheduled_actions | A map of maps containing scheduled action details |
| <a name="output_snapshot_schedule_arn"></a> snapshot_schedule_arn | Amazon Resource Name (ARN) of the Redshift Snapshot Schedule |
| <a name="output_subnet_group_arn"></a> subnet_group_arn | Amazon Resource Name (ARN) of the Redshift subnet group created |
| <a name="output_subnet_group_id"></a> subnet_group_id | The ID of Redshift Subnet group created |
| <a name="output_usage_limits"></a> usage_limits | Map of usage limits created and their associated attributes |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.