# README
Amazon DocumentDB Construct Library
Starting a Clustered Database
To set up a clustered DocumentDB database, define a DatabaseCluster. You must
always launch a database in a VPC. Use the vpcSubnets attribute to control whether
your instances will be launched privately or publicly:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
// NOTE: 'admin' is reserved by DocumentDB
ExcludeCharacters: jsii.String("\"@/:"),
// optional, defaults to the set "\"@/" and is also used for eventually created rotations
SecretName: jsii.String("/myapp/mydocdb/masteruser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
CopyTagsToSnapshot: jsii.Boolean(true),
})
By default, the master password will be generated and stored in AWS Secrets Manager with auto-generated description.
Your cluster will be empty by default.
Connecting
To control who can access the cluster, use the .connections attribute. DocumentDB databases have a default port, so
you don't need to specify the port:
var cluster databaseCluster
cluster.Connections.AllowDefaultPortFromAnyIpv4(jsii.String("Open to the world"))
The endpoints to access your database cluster will be available as the .clusterEndpoint and .clusterReadEndpoint
attributes:
var cluster databaseCluster
writeAddress := cluster.ClusterEndpoint.SocketAddress
If you have existing security groups you would like to add to the cluster, use the addSecurityGroups method. Security
groups added in this way will not be managed by the Connections object of the cluster.
var vpc vpc
var cluster databaseCluster
securityGroup := ec2.NewSecurityGroup(this, jsii.String("SecurityGroup"), &SecurityGroupProps{
Vpc: Vpc,
})
cluster.AddSecurityGroups(securityGroup)
Deletion protection
Deletion protection can be enabled on an Amazon DocumentDB cluster to prevent accidental deletion of the cluster:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
DeletionProtection: jsii.Boolean(true),
})
Rotating credentials
When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:
var cluster databaseCluster
cluster.AddRotationSingleUser()
cluster := docdb.NewDatabaseCluster(stack, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("docdb"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_R5, ec2.InstanceSize_LARGE),
Vpc: Vpc,
RemovalPolicy: cdk.RemovalPolicy_DESTROY,
})
cluster.AddRotationSingleUser()
The multi user rotation scheme is also available:
import secretsmanager "github.com/aws/aws-cdk-go/awscdk"
var myImportedSecret secret
var cluster databaseCluster
cluster.AddRotationMultiUser(jsii.String("MyUser"), &RotationMultiUserOptions{
Secret: myImportedSecret,
})
It's also possible to create user credentials together with the cluster and add rotation:
var cluster databaseCluster
myUserSecret := docdb.NewDatabaseSecret(this, jsii.String("MyUserSecret"), &DatabaseSecretProps{
Username: jsii.String("myuser"),
MasterSecret: cluster.Secret,
})
myUserSecretAttached := myUserSecret.attach(cluster) // Adds DB connections information in the secret
cluster.AddRotationMultiUser(jsii.String("MyUser"), &RotationMultiUserOptions{
// Add rotation using the multi user scheme
Secret: myUserSecretAttached,
})
Note: This user must be created manually in the database using the master credentials. The rotation will start as soon as this user exists.
See also aws-cdk-lib/aws-secretsmanager for credentials rotation of existing clusters.
Audit and profiler Logs
Sending audit or profiler needs to be configured in two places:
- Check / create the needed options in your ParameterGroup for audit and profiler logs.
- Enable the corresponding option(s) when creating the
DatabaseCluster:
import iam "github.com/aws/aws-cdk-go/awscdk"
import logs "github.com/aws/aws-cdk-go/awscdk"
var myLogsPublishingRole role
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
ExportProfilerLogsToCloudWatch: jsii.Boolean(true),
// Enable sending profiler logs
ExportAuditLogsToCloudWatch: jsii.Boolean(true),
// Enable sending audit logs
CloudWatchLogsRetention: logs.RetentionDays_THREE_MONTHS,
// Optional - default is to never expire logs
CloudWatchLogsRetentionRole: myLogsPublishingRole,
})
Enable Performance Insights
By enabling this feature it will be cascaded and enabled in all instances inside the cluster:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
EnablePerformanceInsights: jsii.Boolean(true),
})
## Removal Policy
This resource supports the snapshot removal policy.
To specify it use the removalPolicy property:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
RemovalPolicy: awscdk.RemovalPolicy_SNAPSHOT,
})
Note: A RemovalPolicy.DESTROY removal policy will be applied to the
cluster's instances and security group by default as they don't support the snapshot
removal policy.
Visit DeletionPolicy for more details.
To specify a custom removal policy for the cluster's instances, use the
instanceRemovalPolicy property:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
RemovalPolicy: awscdk.RemovalPolicy_SNAPSHOT,
InstanceRemovalPolicy: awscdk.RemovalPolicy_RETAIN,
})
To specify a custom removal policy for the cluster's security group, use the
securityGroupRemovalPolicy property:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
RemovalPolicy: awscdk.RemovalPolicy_SNAPSHOT,
SecurityGroupRemovalPolicy: awscdk.RemovalPolicy_RETAIN,
})
CA certificate
Use the caCertificate property to specify the CA certificate to use for all instances inside the cluster:
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
VpcSubnets: &SubnetSelection{
SubnetType: ec2.SubnetType_PUBLIC,
},
Vpc: Vpc,
CaCertificate: docdb.CaCertificate_RDS_CA_RSA4096_G1(),
})
Storage Type
You can specify storage type for the cluster.
var vpc vpc
cluster := docdb.NewDatabaseCluster(this, jsii.String("Database"), &DatabaseClusterProps{
MasterUser: &Login{
Username: jsii.String("myuser"),
},
InstanceType: ec2.InstanceType_Of(ec2.InstanceClass_MEMORY5, ec2.InstanceSize_LARGE),
Vpc: Vpc,
StorageType: docdb.StorageType_IOPT1,
})
Note: StorageType.IOPT1 is supported starting with engine version 5.0.0.
# Functions
Custom CA certificate.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
No description provided by the author
Returns `true` if a construct is a stack element (i.e.
Check whether the given object is a CfnResource.
Checks if `x` is a construct.
Imports a parameter group.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
No description provided by the author
No description provided by the author
Import an existing DatabaseCluster from properties.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
Import an existing database instance.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
Import an existing secret into the Stack.
Imports a secret by complete ARN.
Imports a secret by secret name.
Imports a secret by partial ARN.
Checks if `x` is a construct.
Returns true if the construct was created by CDK, and false otherwise.
Check whether the given construct is a Resource.
Return whether the given object is a Secret.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
Constructs an Endpoint instance.
Constructs an Endpoint instance.
# Structs
Backup configuration for DocumentDB databases.
Properties for defining a `CfnDBClusterParameterGroup`.
Properties for defining a `CfnDBCluster`.
Properties for defining a `CfnDBInstance`.
Properties for defining a `CfnDBSubnetGroup`.
Properties for defining a `CfnEventSubscription`.
Properties for a cluster parameter group.
Properties that describe an existing cluster instance.
Properties for a new database cluster.
Properties that describe an existing instance.
Construction properties for a DatabaseInstanceNew.
Construction properties for a DatabaseSecret.
Login credentials for a database cluster.
Options to add the multi user rotation.
# Interfaces
The CA certificate used for a DB instance.
The `AWS::DocDB::DBCluster` Amazon DocumentDB (with MongoDB compatibility) resource describes a DBCluster.
The `AWS::DocDB::DBClusterParameterGroup` Amazon DocumentDB (with MongoDB compatibility) resource describes a DBClusterParameterGroup.
The `AWS::DocDB::DBInstance` Amazon DocumentDB (with MongoDB compatibility) resource describes a DBInstance.
The `AWS::DocDB::DBSubnetGroup` Amazon DocumentDB (with MongoDB compatibility) resource describes a DBSubnetGroup.
Creates an Amazon DocumentDB event notification subscription.
A cluster parameter group.
Create a clustered database with a given number of instances.
A database instance.
A database secret.
Connection endpoint of a database cluster or instance.
A parameter group.
Create a clustered database with a given number of instances.
A database instance.
# Type aliases
The storage type of the DocDB cluster.