CloudWiki
DynamoDB

Amazon Web Services
Database
Amazon DynamoDB is a fully managed NoSQL database service that supports key–value and document data structures. DynamoDB is known for high performance and scale, and offers built-in security, continuous backups, automated multi-Region replication, in-memory caching and more.
Terraform Name: aws_dynamodb_table

DynamoDB attributes:

Required arguments:

  • attribute - (Required) Set of nested attribute definitions. Only required for hash_key and range_key attributes. See below.
  • hash_key - (Required, Forces new resource) Attribute to use as the hash (partition) key. Must also be defined as an attribute. See below.
  • name - (Required) Name of the table; must be unique within a region.

Optional arguments:

  • billing_mode - (Optional) Controls how you are charged for read and write throughput and how you manage capacity. The valid values are PROVISIONED and PAY_PER_REQUEST. Defaults to PROVISIONED.
  • global_secondary_index - (Optional) Describe a GSI for the table; subject to the normal limits on the number of GSIs, projected attributes, etc. See below.
  • local_secondary_index - (Optional, Forces new resource) Describe an LSI on the table; these can only be allocated at creation so you cannot change this definition after you have created the resource. See below.
  • point_in_time_recovery - (Optional) Enable point-in-time recovery options. See below.
  • range_key - (Optional, Forces new resource) Attribute to use as the range (sort) key. Must also be defined as an attribute, see below.
  • read_capacity - (Optional) Number of read units for this table. If the billing_mode is PROVISIONED, this field is required.
  • replica - (Optional) Configuration block(s) with DynamoDB Global Tables V2 (version 2019.11.21) replication configurations. See below.
  • restore_date_time - (Optional) Time of the point-in-time recovery point to restore.
  • restore_source_name - (Optional) Name of the table to restore. Must match the name of an existing table.
  • restore_to_latest_time - (Optional) If set, restores table to the most recent point-in-time recovery point.
  • server_side_encryption - (Optional) Encryption at rest options. AWS DynamoDB tables are automatically encrypted at rest with an AWS-owned Customer Master Key if this argument isn't specified. See below.
  • stream_enabled - (Optional) Whether Streams are enabled.
  • stream_view_type - (Optional) When an item in the table is modified, StreamViewType determines what information is written to the table's stream. Valid values are KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES.
  • table_class - (Optional) Storage class of the table. Valid values are STANDARD and STANDARD_INFREQUENT_ACCESS.
  • tags - (Optional) A map of tags to populate on the created table. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • ttl - (Optional) Configuration block for TTL. See below.
  • write_capacity - (Optional) Number of write units for this table. If the billing_mode is PROVISIONED, this field is required.

attribute

  • name - (Required) Name of the attribute
  • type - (Required) Attribute type. Valid values are S (string), N (number), B (binary).

global_secondary_index

  • hash_key - (Required) Name of the hash key in the index; must be defined as an attribute in the resource.
  • name - (Required) Name of the index.
  • non_key_attributes - (Optional) Only required with INCLUDE as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table.
  • projection_type - (Required) One of ALL, INCLUDE or KEYS_ONLY where ALL projects every attribute into the index, KEYS_ONLY projects just the hash and range key into the index, and INCLUDE projects only the keys specified in the non_key_attributes parameter.
  • range_key - (Optional) Name of the range key in the index; must be defined as an attribute in the resource.
  • read_capacity - (Optional) Number of read units for this index. Must be set if billing_mode is set to PROVISIONED.
  • write_capacity - (Optional) Number of write units for this index. Must be set if billing_mode is set to PROVISIONED.

local_secondary_index

  • name - (Required) Name of the index
  • non_key_attributes - (Optional) Only required with INCLUDE as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table.
  • projection_type - (Required) One of ALL, INCLUDE or KEYS_ONLY where ALL projects every attribute into the index, KEYS_ONLY projects just the hash and range key into the index, and INCLUDE projects only the keys specified in the non_key_attributes parameter.
  • range_key - (Required) Name of the range key.

point_in_time_recovery

  • enabled - (Required) Whether to enable point-in-time recovery. It can take 10 minutes to enable for new tables. If the point_in_time_recovery block is not provided, this defaults to false.

replica

  • kms_key_arn - (Optional) ARN of the CMK that should be used for the AWS KMS encryption.
  • point_in_time_recovery - (Optional) Whether to enable Point In Time Recovery for the replica. Default is false.
  • propagate_tags - (Optional) Whether to propagate the global table's tags to a replica. Default is false. Changes to tags only move in one direction: from global (source) to replica. In other words, tag drift on a replica will not trigger an update. Tag or replica changes on the global table, whether from drift or configuration changes, are propagated to replicas. Changing from true to false on a subsequent apply means replica tags are left as they were, unmanaged, not deleted.
  • region_name - (Required) Region name of the replica.

server_side_encryption

  • enabled - (Required) Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK). If enabled is false then server-side encryption is set to AWS owned CMK (shown as DEFAULT in the AWS console). If enabled is true and no kms_key_arn is specified then server-side encryption is set to AWS managed CMK (shown as KMS in the AWS console). The AWS KMS documentation explains the difference between AWS owned and AWS managed CMKs.
  • kms_key_arn - (Optional) ARN of the CMK that should be used for the AWS KMS encryption. This attribute should only be specified if the key is different from the default DynamoDB CMK, alias/aws/dynamodb.

ttl

  • enabled - (Required) Whether TTL is enabled.
  • attribute_name - (Required) Name of the table attribute to store the TTL timestamp in.

Create DynamoDB via Terraform:
The following HCL creates a DynamoDB table; it models the table and GSI shown in the AWS SDK example documentation.
Syntax:

resource "aws_dynamodb_table" "basic-dynamodb-table" {
 name           = "GameScores"
 billing_mode   = "PROVISIONED"
 read_capacity  = 20
 write_capacity = 20
 hash_key       = "UserId"
 range_key      = "GameTitle"

 attribute {
   name = "UserId"
   type = "S"
 }

 attribute {
   name = "GameTitle"
   type = "S"
 }

 attribute {
   name = "TopScore"
   type = "N"
 }

 ttl {
   attribute_name = "TimeToExist"
   enabled        = false
 }

 global_secondary_index {
   name               = "GameTitleIndex"
   hash_key           = "GameTitle"
   range_key          = "TopScore"
   write_capacity     = 10
   read_capacity      = 10
   projection_type    = "INCLUDE"
   non_key_attributes = ["UserId"]
 }

 tags = {
   Name        = "dynamodb-table-1"
   Environment = "production"
 }
}
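A hardened variant of the table above, added here as an example (it is not the page's or the Terraform provider's own code); the resource names aws_kms_key.dynamodb and aws_dynamodb_table.game_scores are assumed. It turns on the server_side_encryption, point_in_time_recovery and stream arguments from the reference list, using a customer-managed KMS key rather than the AWS-owned default.

```hcl
# Added example (not code from the CloudWiki page or the Terraform provider docs).
# Assumed names: aws_kms_key.dynamodb and aws_dynamodb_table.game_scores.

# Customer-managed key: key policy, rotation and CloudTrail usage logs stay under your control.
resource "aws_kms_key" "dynamodb" {
  description             = "CMK for the GameScores table"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_dynamodb_table" "game_scores" {
  name         = "GameScores"
  billing_mode = "PAY_PER_REQUEST" # on-demand, so no read_capacity/write_capacity needed
  hash_key     = "UserId"
  range_key    = "GameTitle"

  attribute {
    name = "UserId"
    type = "S"
  }

  attribute {
    name = "GameTitle"
    type = "S"
  }

  # Encryption at rest with the CMK above instead of the AWS-owned default key.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamodb.arn
  }

  # Continuous backups (restore to any second within the last 35 days).
  point_in_time_recovery {
    enabled = true
  }

  # Change stream carrying before and after images, for audit and detection pipelines.
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  tags = {
    Name        = "dynamodb-table-1"
    Environment = "production"
  }
}
```

After `terraform apply`, `aws dynamodb describe-table` should report SSEDescription with SSEType KMS and the key ARN, and `describe-continuous-backups` should show PointInTimeRecoveryStatus ENABLED.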

Create DynamoDB via CLI:
Parameters:

create-table
--attribute-definitions <value>
--table-name <value>
--key-schema <value>
[--local-secondary-indexes <value>]
[--global-secondary-indexes <value>]
[--billing-mode <value>]
[--provisioned-throughput <value>]
[--stream-specification <value>]
[--sse-specification <value>]
[--tags <value>]
[--table-class <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws dynamodb create-table \
   --table-name MusicCollection \
   --attribute-definitions AttributeName=Artist,AttributeType=S AttributeName=SongTitle,AttributeType=S \
   --key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
   --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
   --tags Key=Owner,Value=blueTeam

Costs
The cost of using DynamoDB depends on several factors: the read and write capacity you provision or consume, the amount of storage used, and the amount of data transferred. For read and write capacity, you are charged based on the number of read and write requests you make per second and the amount of data returned. For storage, you are charged by the amount of data stored in your DynamoDB tables. For data transfer, you are charged by the amount of data transferred in and out of your tables. All three prices vary by region.
Direct Cost

  • ReplWriteRequestUnits
  • <Region>-WriteRequestUnits
  • <Region>-ReadRequestUnits
  • WriteCapacityUnit-Hrs
  • ReadCapacityUnit-Hrs
  • CW:ContributorRulesManaged
  • CW:ContributorEventsManaged
Best Practices for DynamoDB

Categorized by Availability, Security & Compliance and Cost

  • Low - Access allowed from VPN
  • Low - Auto Scaling Group not in use
  • Medium - Connections towards DynamoDB should be via VPC endpoints
  • Medium - Container in CrashLoopBackOff state
  • Low - EC2 with GPU capabilities
  • Medium - EC2 with high privileged policies
  • Medium - ECS cluster delete alarm
  • Critical - ECS task with Admin access (*:*)
  • Medium - ECS task with high privileged policies
  • Critical - EKS cluster delete alarm
  • Medium - ElastiCache cluster delete alarm
  • Medium - Ensure Container liveness probe is configured
  • Medium - Ensure ECS task definition has memory limit
  • Critical - Ensure EMR cluster master nodes are not publicly accessible