AWS Redshift Terraform module

Terraform module which creates Redshift resources on AWS.

Usage

module "redshift" {
  source  = "terraform-aws-modules/redshift/aws"

  cluster_identifier    = "example"
  allow_version_upgrade = true
  node_type             = "ra3.xlplus"
  number_of_nodes       = 3

  database_name          = "mydb"
  master_username        = "mydbuser"
  create_random_password = false
  master_password        = "MySecretPassw0rd1!" # Do better!

  encrypted   = true
  kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  enhanced_vpc_routing   = true
  vpc_security_group_ids = ["sg-12345678"]
  subnet_ids             = ["subnet-123456", "subnet-654321"]

  availability_zone_relocation_enabled = true

  snapshot_copy = {
    destination_region = "us-east-1"
    grant_name         = "example-grant"
  }

  logging = {
    enable        = true
    bucket_name   = "my-s3-log-bucket"
    s3_key_prefix = "example/"
  }

  # Parameter group
  parameter_group_name        = "example-custom"
  parameter_group_description = "Custom parameter group for example cluster"
  parameter_group_parameters = {
    wlm_json_configuration = {
      name = "wlm_json_configuration"
      value = jsonencode([
        {
          query_concurrency = 15
        }
      ])
    }
    require_ssl = {
      name  = "require_ssl"
      value = true
    }
    use_fips_ssl = {
      name  = "use_fips_ssl"
      value = false
    }
    enable_user_activity_logging = {
      name  = "enable_user_activity_logging"
      value = true
    }
    max_concurrency_scaling_clusters = {
      name  = "max_concurrency_scaling_clusters"
      value = 3
    }
    enable_case_sensitive_identifier = {
      name  = "enable_case_sensitive_identifier"
      value = true
    }
  }
  parameter_group_tags = {
    Additional = "CustomParameterGroup"
  }

  # Subnet group
  subnet_group_name        = "example-custom"
  subnet_group_description = "Custom subnet group for example cluster"
  subnet_group_tags = {
    Additional = "CustomSubnetGroup"
  }

  # Snapshot schedule
  create_snapshot_schedule        = true
  snapshot_schedule_identifier    = "example"
  use_snapshot_identifier_prefix  = true
  snapshot_schedule_description   = "Example snapshot schedule"
  snapshot_schedule_definitions   = ["rate(12 hours)"]
  snapshot_schedule_force_destroy = true

  # Scheduled actions
  create_scheduled_action_iam_role = true
  scheduled_actions = {
    pause = {
      name          = "example-pause"
      description   = "Pause cluster every night"
      schedule      = "cron(0 22 * * ? *)"
      pause_cluster = true
    }
    resize = {
      name        = "example-resize"
      description = "Resize cluster (demo only)"
      schedule    = "cron(00 13 * * ? *)"
      resize_cluster = {
        node_type       = "ds2.xlarge"
        number_of_nodes = 5
      }
    }
    resume = {
      name           = "example-resume"
      description    = "Resume cluster every morning"
      schedule       = "cron(0 12 * * ? *)"
      resume_cluster = true
    }
  }

  # Endpoint access
  create_endpoint_access          = true
  endpoint_name                   = "example-example"
  endpoint_subnet_group_name      = "example-subnet-group"
  endpoint_vpc_security_group_ids = ["sg-12345678"]

  # Usage limits
  usage_limits = {
    concurrency_scaling = {
      feature_type  = "concurrency-scaling"
      limit_type    = "time"
      amount        = 60
      breach_action = "emit-metric"
    }
    spectrum = {
      feature_type  = "spectrum"
      limit_type    = "data-scanned"
      amount        = 2
      breach_action = "disable"
      tags = {
        Additional = "CustomUsageLimits"
      }
    }
  }

  # Authentication profile
  authentication_profiles = {
    example = {
      name = "example"
      content = {
        AllowDBUserOverride = "1"
        Client_ID           = "ExampleClientID"
        App_ID              = "example"
      }
    }
    bar = {
      content = {
        AllowDBUserOverride = "1"
        Client_ID           = "ExampleClientID"
        App_ID              = "bar"
      }
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
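
The usage above passes `master_password` as a literal, which also ends up in the Terraform state. The variant below is an added example, not part of the module's own README: it uses only inputs and outputs listed in the Inputs and Outputs tables to hand the admin credential to Secrets Manager, keep the cluster private, and retain a final snapshot. The ARN, IDs, bucket name and the 30-day rotation interval are placeholder values.

```hcl
module "redshift" {
  source = "terraform-aws-modules/redshift/aws"

  cluster_identifier = "example"
  node_type          = "ra3.xlplus"
  number_of_nodes    = 3

  database_name   = "mydb"
  master_username = "mydbuser"

  # No password in code, tfvars or state: the admin credential is managed in
  # Secrets Manager. manage_master_password conflicts with master_password,
  # and the random_password resource keeps its result in state, so both are off.
  create_random_password            = false
  manage_master_password            = true
  master_password_secret_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" # placeholder

  # Rotate the managed secret on a fixed interval (30 days is an example value)
  manage_master_password_rotation                   = true
  master_password_rotation_automatically_after_days = 30

  # Encryption at rest with a customer-managed key (placeholder ARN)
  encrypted   = true
  kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  # Keep the cluster off public networks and route traffic through the VPC
  publicly_accessible    = false
  enhanced_vpc_routing   = true
  vpc_security_group_ids = ["sg-12345678"]
  subnet_ids             = ["subnet-123456", "subnet-654321"]

  # The module default is skip_final_snapshot = true; keep a snapshot on destroy.
  # final_snapshot_identifier requires skip_final_snapshot = false.
  skip_final_snapshot       = false
  final_snapshot_identifier = "example-final"

  # Require TLS for client connections and record user activity
  parameter_group_name = "example-hardened"
  parameter_group_parameters = {
    require_ssl = {
      name  = "require_ssl"
      value = true
    }
    enable_user_activity_logging = {
      name  = "enable_user_activity_logging"
      value = true
    }
  }

  # Same logging block as the usage example above
  logging = {
    enable        = true
    bucket_name   = "my-s3-log-bucket"
    s3_key_prefix = "example/"
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

# Consumers read the credential from Secrets Manager by ARN instead of
# receiving a password value through Terraform outputs.
output "redshift_admin_secret_arn" {
  value = module.redshift.master_password_secret_arn
}
```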

Examples

<!-- BEGIN_TF_DOCS -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.3 |
| <a name="requirement_aws"></a> aws | >= 5.45 |
| <a name="requirement_random"></a> random | >= 3.0 |

Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> aws | >= 5.45 |
| <a name="provider_random"></a> random | >= 3.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_iam_role.scheduled_action | resource |
| aws_iam_role_policy.scheduled_action | resource |
| aws_redshift_authentication_profile.this | resource |
| aws_redshift_cluster.this | resource |
| aws_redshift_cluster_iam_roles.this | resource |
| aws_redshift_endpoint_access.this | resource |
| aws_redshift_logging.this | resource |
| aws_redshift_parameter_group.this | resource |
| aws_redshift_scheduled_action.this | resource |
| aws_redshift_snapshot_copy.this | resource |
| aws_redshift_snapshot_schedule.this | resource |
| aws_redshift_snapshot_schedule_association.this | resource |
| aws_redshift_subnet_group.this | resource |
| aws_redshift_usage_limit.this | resource |
| aws_secretsmanager_secret_rotation.this | resource |
| random_password.master_password | resource |
| aws_iam_policy_document.scheduled_action | data source |
| aws_iam_policy_document.scheduled_action_assume | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| <a name="input_allow_version_upgrade"></a> allow_version_upgrade | If true, major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster. Default is true | bool | null | no |
| <a name="input_apply_immediately"></a> apply_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false | bool | null | no |
| <a name="input_aqua_configuration_status"></a> aqua_configuration_status | The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) after the cluster is restored. Possible values are enabled, disabled, and auto. Requires Cluster reboot | string | null | no |
| <a name="input_authentication_profiles"></a> authentication_profiles | Map of authentication profiles to create | any | {} | no |
| <a name="input_automated_snapshot_retention_period"></a> automated_snapshot_retention_period | The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with create-cluster-snapshot. Default is 1 | number | null | no |
| <a name="input_availability_zone"></a> availability_zone | The EC2 Availability Zone (AZ) in which you want Amazon Redshift to provision the cluster. Can only be changed if availability_zone_relocation_enabled is true | string | null | no |
| <a name="input_availability_zone_relocation_enabled"></a> availability_zone_relocation_enabled | If true, the cluster can be relocated to another availability zone, either automatically by AWS or when requested. Default is false. Available for use on clusters from the RA3 instance family | bool | null | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string | null | no |
| <a name="input_cloudwatch_log_group_retention_in_days"></a> cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs for the redshift cluster | number | 0 | no |
| <a name="input_cloudwatch_log_group_skip_destroy"></a> cloudwatch_log_group_skip_destroy | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | bool | null | no |
| <a name="input_cloudwatch_log_group_tags"></a> cloudwatch_log_group_tags | Additional tags to add to cloudwatch log groups created | map(string) | {} | no |
| <a name="input_cluster_identifier"></a> cluster_identifier | The Cluster Identifier. Must be a lower case string | string | "" | no |
| <a name="input_cluster_timeouts"></a> cluster_timeouts | Create, update, and delete timeout configurations for the cluster | map(string) | {} | no |
| <a name="input_cluster_version"></a> cluster_version | The version of the Amazon Redshift engine software that you want to deploy on the cluster. The version selected runs on all the nodes in the cluster | string | null | no |
| <a name="input_create"></a> create | Determines whether to create Redshift cluster and resources (affects all resources) | bool | true | no |
| <a name="input_create_cloudwatch_log_group"></a> create_cloudwatch_log_group | Determines whether a CloudWatch log group is created for each var.logging.log_exports | bool | false | no |
| <a name="input_create_endpoint_access"></a> create_endpoint_access | Determines whether to create an endpoint access (managed VPC endpoint) | bool | false | no |
| <a name="input_create_parameter_group"></a> create_parameter_group | Determines whether to create a parameter group or use existing | bool | true | no |
| <a name="input_create_random_password"></a> create_random_password | Determines whether to create random password for cluster master_password | bool | true | no |
| <a name="input_create_scheduled_action_iam_role"></a> create_scheduled_action_iam_role | Determines whether a scheduled action IAM role is created | bool | false | no |
| <a name="input_create_snapshot_schedule"></a> create_snapshot_schedule | Determines whether to create a snapshot schedule | bool | false | no |
| <a name="input_create_subnet_group"></a> create_subnet_group | Determines whether to create a subnet group or use existing | bool | true | no |
| <a name="input_database_name"></a> database_name | The name of the first database to be created when the cluster is created. If you do not provide a name, Amazon Redshift will create a default database called dev | string | null | no |
| <a name="input_default_iam_role_arn"></a> default_iam_role_arn | The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created | string | null | no |
| <a name="input_elastic_ip"></a> elastic_ip | The Elastic IP (EIP) address for the cluster | string | null | no |
| <a name="input_encrypted"></a> encrypted | If true, the data in the cluster is encrypted at rest | bool | true | no |
| <a name="input_endpoint_name"></a> endpoint_name | The Redshift-managed VPC endpoint name | string | "" | no |
| <a name="input_endpoint_resource_owner"></a> endpoint_resource_owner | The Amazon Web Services account ID of the owner of the cluster. This is only required if the cluster is in another Amazon Web Services account | string | null | no |
| <a name="input_endpoint_subnet_group_name"></a> endpoint_subnet_group_name | The subnet group from which Amazon Redshift chooses the subnet to deploy the endpoint | string | "" | no |
| <a name="input_endpoint_vpc_security_group_ids"></a> endpoint_vpc_security_group_ids | The security group IDs to use for the endpoint access (managed VPC endpoint) | list(string) | [] | no |
| <a name="input_enhanced_vpc_routing"></a> enhanced_vpc_routing | If true, enhanced VPC routing is enabled | bool | null | no |
| <a name="input_final_snapshot_identifier"></a> final_snapshot_identifier | The identifier of the final snapshot that is to be created immediately before deleting the cluster. If this parameter is provided, skip_final_snapshot must be false | string | null | no |
| <a name="input_iam_role_arns"></a> iam_role_arns | A list of IAM Role ARNs to associate with the cluster. A Maximum of 10 can be associated to the cluster at any time | list(string) | [] | no |
| <a name="input_iam_role_description"></a> iam_role_description | Description of the scheduled action IAM role | string | null | no |
| <a name="input_iam_role_name"></a> iam_role_name | Name to use on scheduled action IAM role created | string | null | no |
| <a name="input_iam_role_path"></a> iam_role_path | Scheduled action IAM role path | string | null | no |
| <a name="input_iam_role_permissions_boundary"></a> iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the scheduled action IAM role | string | null | no |
| <a name="input_iam_role_tags"></a> iam_role_tags | A map of additional tags to add to the scheduled action IAM role created | map(string) | {} | no |
| <a name="input_iam_role_use_name_prefix"></a> iam_role_use_name_prefix | Determines whether the scheduled action IAM role name (iam_role_name) is used as a prefix | string | true | no |
| <a name="input_kms_key_arn"></a> kms_key_arn | The ARN for the KMS encryption key. When specifying kms_key_arn, encrypted needs to be set to true | string | null | no |
| <a name="input_logging"></a> logging | Logging configuration for the cluster | any | {} | no |
| <a name="input_maintenance_track_name"></a> maintenance_track_name | The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. Default value is current | string | null | no |
| <a name="input_manage_master_password"></a> manage_master_password | Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with master_password. One of master_password or manage_master_password is required unless snapshot_identifier is provided | bool | false | no |
| <a name="input_manage_master_password_rotation"></a> manage_master_password_rotation | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. | bool | false | no |
| <a name="input_manual_snapshot_retention_period"></a> manual_snapshot_retention_period | The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots. Valid values are between -1 and 3653. Default value is -1 | number | null | no |
| <a name="input_master_password"></a> master_password | Password for the master DB user. (Required unless a snapshot_identifier is provided). Must contain at least 8 chars, one uppercase letter, one lowercase letter, and one number | string | null | no |
| <a name="input_master_password_rotate_immediately"></a> master_password_rotate_immediately | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | bool | null | no |
| <a name="input_master_password_rotation_automatically_after_days"></a> master_password_rotation_automatically_after_days | Specifies the number of days between automatic scheduled rotations of the secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified. | number | null | no |
| <a name="input_master_password_rotation_duration"></a> master_password_rotation_duration | The length of the rotation window in hours. For example, 3h for a three hour window. | string | null | no |
| <a name="input_master_password_rotation_schedule_expression"></a> master_password_rotation_schedule_expression | A cron() or rate() expression that defines the schedule for rotating your secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified. | string | null | no |
| <a name="input_master_password_secret_kms_key_id"></a> master_password_secret_kms_key_id | ID of the KMS key used to encrypt the cluster admin credentials secret | string | null | no |
| <a name="input_master_username"></a> master_username | Username for the master DB user (Required unless a snapshot_identifier is provided). Defaults to awsuser | string | "awsuser" | no |
| <a name="input_multi_az"></a> multi_az | Specifies if the Redshift cluster is multi-AZ | bool | null | no |
| <a name="input_node_type"></a> node_type | The node type to be provisioned for the cluster | string | "" | no |
| <a name="input_number_of_nodes"></a> number_of_nodes | Number of nodes in the cluster. Defaults to 1. Note: values greater than 1 will trigger cluster_type to switch to multi-node | number | 1 | no |
| <a name="input_owner_account"></a> owner_account | The AWS customer account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot | string | null | no |
| <a name="input_parameter_group_description"></a> parameter_group_description | The description of the Redshift parameter group. Defaults to Managed by Terraform | string | null | no |
| <a name="input_parameter_group_family"></a> parameter_group_family | The family of the Redshift parameter group | string | "redshift-1.0" | no |
| <a name="input_parameter_group_name"></a> parameter_group_name | The name of the Redshift parameter group, existing or to be created | string | null | no |
| <a name="input_parameter_group_parameters"></a> parameter_group_parameters | value | map(any) | {} | no |
| <a name="input_parameter_group_tags"></a> parameter_group_tags | Additional tags to add to the parameter group | map(string) | {} | no |
| <a name="input_port"></a> port | The port number on which the cluster accepts incoming connections. Default port is 5439 | number | null | no |
| <a name="input_preferred_maintenance_window"></a> preferred_maintenance_window | The weekly time range (in UTC) during which automated cluster maintenance can occur. Format: ddd:hh24:mi-ddd:hh24:mi | string | "sat:10:00-sat:10:30" | no |
| <a name="input_publicly_accessible"></a> publicly_accessible | If true, the cluster can be accessed from a public network | bool | false | no |
| <a name="input_random_password_length"></a> random_password_length | Length of random password to create. Defaults to 16 | number | 16 | no |
| <a name="input_scheduled_actions"></a> scheduled_actions | Map of maps containing scheduled action definitions | any | {} | no |
| <a name="input_skip_final_snapshot"></a> skip_final_snapshot | Determines whether a final snapshot of the cluster is created before Redshift deletes the cluster. If true, a final cluster snapshot is not created. If false, a final cluster snapshot is created before the cluster is deleted | bool | true | no |
| <a name="input_snapshot_cluster_identifier"></a> snapshot_cluster_identifier | The name of the cluster the source snapshot was created from | string | null | no |
| <a name="input_snapshot_copy"></a> snapshot_copy | Configuration of automatic copy of snapshots from one region to another | any | {} | no |
| <a name="input_snapshot_identifier"></a> snapshot_identifier | The name of the snapshot from which to create the new cluster | string | null | no |
| <a name="input_snapshot_schedule_definitions"></a> snapshot_schedule_definitions | The definition of the snapshot schedule. The definition is made up of schedule expressions, for example cron(30 12 *) or rate(12 hours) | list(string) | [] | no |
| <a name="input_snapshot_schedule_description"></a> snapshot_schedule_description | The description of the snapshot schedule | string | null | no |
| <a name="input_snapshot_schedule_force_destroy"></a> snapshot_schedule_force_destroy | Whether to destroy all associated clusters with this snapshot schedule on deletion. Must be enabled and applied before attempting deletion | bool | null | no |
| <a name="input_snapshot_schedule_identifier"></a> snapshot_schedule_identifier | The snapshot schedule identifier | string | null | no |
| <a name="input_subnet_group_description"></a> subnet_group_description | The description of the Redshift Subnet group. Defaults to Managed by Terraform | string | null | no |
| <a name="input_subnet_group_name"></a> subnet_group_name | The name of the Redshift subnet group, existing or to be created | string | null | no |
| <a name="input_subnet_group_tags"></a> subnet_group_tags | Additional tags to add to the subnet group | map(string) | {} | no |
| <a name="input_subnet_ids"></a> subnet_ids | An array of VPC subnet IDs to use in the subnet group | list(string) | [] | no |
| <a name="input_tags"></a> tags | A map of tags to add to all resources | map(string) | {} | no |
| <a name="input_usage_limits"></a> usage_limits | Map of usage limit definitions to create | any | {} | no |
| <a name="input_use_snapshot_identifier_prefix"></a> use_snapshot_identifier_prefix | Determines whether the identifier (snapshot_schedule_identifier) is used as a prefix | bool | true | no |
| <a name="input_vpc_security_group_ids"></a> vpc_security_group_ids | A list of Virtual Private Cloud (VPC) security groups to be associated with the cluster | list(string) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_authentication_profiles"></a> authentication_profiles | Map of authentication profiles created and their associated attributes |
| <a name="output_cluster_arn"></a> cluster_arn | The Redshift cluster ARN |
| <a name="output_cluster_automated_snapshot_retention_period"></a> cluster_automated_snapshot_retention_period | The backup retention period |
| <a name="output_cluster_availability_zone"></a> cluster_availability_zone | The availability zone of the Cluster |
| <a name="output_cluster_database_name"></a> cluster_database_name | The name of the default database in the Cluster |
| <a name="output_cluster_dns_name"></a> cluster_dns_name | The DNS name of the cluster |
| <a name="output_cluster_encrypted"></a> cluster_encrypted | Whether the data in the cluster is encrypted |
| <a name="output_cluster_endpoint"></a> cluster_endpoint | The connection endpoint |
| <a name="output_cluster_hostname"></a> cluster_hostname | The hostname of the Redshift cluster |
| <a name="output_cluster_id"></a> cluster_id | The Redshift cluster ID |
| <a name="output_cluster_identifier"></a> cluster_identifier | The Redshift cluster identifier |
| <a name="output_cluster_namespace_arn"></a> cluster_namespace_arn | The namespace Amazon Resource Name (ARN) of the cluster |
| <a name="output_cluster_node_type"></a> cluster_node_type | The type of nodes in the cluster |
| <a name="output_cluster_nodes"></a> cluster_nodes | The nodes in the cluster. Each node is a map of the following attributes: node_role, private_ip_address, and public_ip_address |
| <a name="output_cluster_parameter_group_name"></a> cluster_parameter_group_name | The name of the parameter group to be associated with this cluster |
| <a name="output_cluster_port"></a> cluster_port | The port the cluster responds on |
| <a name="output_cluster_preferred_maintenance_window"></a> cluster_preferred_maintenance_window | The backup window |
| <a name="output_cluster_public_key"></a> cluster_public_key | The public key for the cluster |
| <a name="output_cluster_revision_number"></a> cluster_revision_number | The specific revision number of the database in the cluster |
| <a name="output_cluster_secretsmanager_secret_rotation_enabled"></a> cluster_secretsmanager_secret_rotation_enabled | Specifies whether automatic rotation is enabled for the secret |
| <a name="output_cluster_subnet_group_name"></a> cluster_subnet_group_name | The name of a cluster subnet group to be associated with this cluster |
| <a name="output_cluster_type"></a> cluster_type | The Redshift cluster type |
| <a name="output_cluster_version"></a> cluster_version | The version of Redshift engine software |
| <a name="output_cluster_vpc_security_group_ids"></a> cluster_vpc_security_group_ids | The VPC security group ids associated with the cluster |
| <a name="output_endpoint_access_address"></a> endpoint_access_address | The DNS address of the endpoint |
| <a name="output_endpoint_access_id"></a> endpoint_access_id | The Redshift-managed VPC endpoint name |
| <a name="output_endpoint_access_port"></a> endpoint_access_port | The port number on which the cluster accepts incoming connections |
| <a name="output_endpoint_access_vpc_endpoint"></a> endpoint_access_vpc_endpoint | The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below |
| <a name="output_master_password_secret_arn"></a> master_password_secret_arn | ARN of managed master password secret |
| <a name="output_parameter_group_arn"></a> parameter_group_arn | Amazon Resource Name (ARN) of the parameter group created |
| <a name="output_parameter_group_id"></a> parameter_group_id | The name of the Redshift parameter group created |
| <a name="output_scheduled_action_iam_role_arn"></a> scheduled_action_iam_role_arn | Scheduled actions IAM role ARN |
| <a name="output_scheduled_action_iam_role_name"></a> scheduled_action_iam_role_name | Scheduled actions IAM role name |
| <a name="output_scheduled_action_iam_role_unique_id"></a> scheduled_action_iam_role_unique_id | Stable and unique string identifying the scheduled action IAM role |
| <a name="output_scheduled_actions"></a> scheduled_actions | A map of maps containing scheduled action details |
| <a name="output_snapshot_schedule_arn"></a> snapshot_schedule_arn | Amazon Resource Name (ARN) of the Redshift Snapshot Schedule |
| <a name="output_subnet_group_arn"></a> subnet_group_arn | Amazon Resource Name (ARN) of the Redshift subnet group created |
| <a name="output_subnet_group_id"></a> subnet_group_id | The ID of Redshift Subnet group created |
| <a name="output_usage_limits"></a> usage_limits | Map of usage limits created and their associated attributes |
<!-- END_TF_DOCS -->

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.