The CDK Construct Library for AWS::DocDB
Project description
Amazon DocumentDB Construct Library
---
Starting a Clustered Database
To set up a clustered DocumentDB database, define a DatabaseCluster. You must
always launch a database in a VPC. Use the vpcSubnets attribute to control whether
your instances will be launched privately or publicly:
# Example automatically generated from non-compiling source. May contain errors.
cluster = DatabaseCluster(self, "Database",
master_user={
"username": "myuser", # NOTE: 'admin' is reserved by DocumentDB
"exclude_characters": "\"@/:", # optional, defaults to the set "\"@/" and is also used for eventually created rotations
"secret_name": "/myapp/mydocdb/masteruser"
},
instance_type=ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
vpc_subnets={
"subnet_type": ec2.SubnetType.PUBLIC
},
vpc=vpc
)
By default, the master password will be generated and stored in AWS Secrets Manager with auto-generated description.
Your cluster will be empty by default.
Connecting
To control who can access the cluster, use the .connections attribute. DocumentDB databases have a default port, so
you don't need to specify the port:
# Example automatically generated from non-compiling source. May contain errors.
cluster.connections.allow_default_port_from_any_ipv4("Open to the world")
The endpoints to access your database cluster will be available as the .clusterEndpoint and .clusterReadEndpoint
attributes:
# Example automatically generated from non-compiling source. May contain errors.
write_address = cluster.cluster_endpoint.socket_address
If you have existing security groups you would like to add to the cluster, use the addSecurityGroups method. Security
groups added in this way will not be managed by the Connections object of the cluster.
# Example automatically generated from non-compiling source. May contain errors.
security_group = ec2.SecurityGroup(stack, "SecurityGroup",
vpc=vpc
)
cluster.add_security_groups(security_group)
Deletion protection
Deletion protection can be enabled on an Amazon DocumentDB cluster to prevent accidental deletion of the cluster:
# Example automatically generated from non-compiling source. May contain errors.
cluster = DatabaseCluster(self, "Database",
master_user={
"username": "myuser"
},
instance_type=ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
vpc_subnets={
"subnet_type": ec2.SubnetType.PUBLIC
},
vpc=vpc,
deletion_protection=True
)
Rotating credentials
When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:
# Example automatically generated from non-compiling source. May contain errors.
cluster.add_rotation_single_user()
cluster = docdb.DatabaseCluster(stack, "Database",
master_user=docdb.Login(
username="docdb"
),
instance_type=ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
vpc=vpc,
removal_policy=cdk.RemovalPolicy.DESTROY
)
cluster.add_rotation_single_user()
The multi user rotation scheme is also available:
# Example automatically generated from non-compiling source. May contain errors.
cluster.add_rotation_multi_user("MyUser",
secret=my_imported_secret
)
It's also possible to create user credentials together with the cluster and add rotation:
# Example automatically generated from non-compiling source. May contain errors.
my_user_secret = docdb.DatabaseSecret(self, "MyUserSecret",
username="myuser",
master_secret=cluster.secret
)
my_user_secret_attached = my_user_secret.attach(cluster) # Adds DB connections information in the secret
cluster.add_rotation_multi_user("MyUser", # Add rotation using the multi user scheme
secret=my_user_secret_attached)
Note: This user must be created manually in the database using the master credentials. The rotation will start as soon as this user exists.
See also @aws-cdk/aws-secretsmanager for credentials rotation of existing clusters.
Audit and profiler Logs
Sending audit or profiler needs to be configured in two places:
- Check / create the needed options in your ParameterGroup for audit and profiler logs.
- Enable the corresponding option(s) when creating the
DatabaseCluster:
# Example automatically generated from non-compiling source. May contain errors.
cluster = DatabaseCluster(self, "Database", ...,
export_profiler_logs_to_cloud_watch=True, # Enable sending profiler logs
export_audit_logs_to_cloud_watch=True, # Enable sending audit logs
cloud_watch_logs_retention=logs.RetentionDays.THREE_MONTHS, # Optional - default is to never expire logs
cloud_watch_logs_retention_role=my_logs_publishing_role
)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws-cdk.aws-docdb-1.138.2.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7872ddbe1cef0ec6d541112790e794a57d71a3dcfe7e155770cfa1956d5de867 |
|
| MD5 | eb9232e6173fd77287fd119ad108c81e |
|
| BLAKE2b-256 | 5da3b24a3b5af7d885db459d84e26d2a932ecc59c741d0cb1c8ff184c7d95a83 |
Hashes for aws_cdk.aws_docdb-1.138.2-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b8ade9d9491c668a9726839661b7581db007c360a081f717dc3da98dbbb55e11 |
|
| MD5 | 1a1dc20fc0d36d006f46fcc364963734 |
|
| BLAKE2b-256 | 905df4ba986bab32ed54e0cb4c5c1ed5a7c0fdf4ad82365f9fa2ecdd720edc41 |
