
terraform-aws-modules/terraform-aws-redshift

AWS Redshift Terraform module

Terraform module which creates Redshift resources on AWS.


Usage

module "redshift" {
  source  = "terraform-aws-modules/redshift/aws"

  cluster_identifier    = "example"
  allow_version_upgrade = true
  node_type             = "ra3.xlplus"
  number_of_nodes       = 3

  database_name          = "mydb"
  master_username        = "mydbuser"
  create_random_password = false
  master_password        = "MySecretPassw0rd1!" # Do better!

  encrypted   = true
  kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

  enhanced_vpc_routing   = true
  vpc_security_group_ids = ["sg-12345678"]
  subnet_ids             = ["subnet-123456", "subnet-654321"]

  availability_zone_relocation_enabled = true

  snapshot_copy = {
    destination_region = "us-east-1"
    grant_name         = "example-grant"
  }

  logging = {
    enable        = true
    bucket_name   = "my-s3-log-bucket"
    s3_key_prefix = "example/"
  }

  # Parameter group
  parameter_group_name        = "example-custom"
  parameter_group_description = "Custom parameter group for example cluster"
  parameter_group_parameters = {
    wlm_json_configuration = {
      name = "wlm_json_configuration"
      value = jsonencode([
        {
          query_concurrency = 15
        }
      ])
    }
    require_ssl = {
      name  = "require_ssl"
      value = true
    }
    use_fips_ssl = {
      name  = "use_fips_ssl"
      value = false
    }
    enable_user_activity_logging = {
      name  = "enable_user_activity_logging"
      value = true
    }
    max_concurrency_scaling_clusters = {
      name  = "max_concurrency_scaling_clusters"
      value = 3
    }
    enable_case_sensitive_identifier = {
      name  = "enable_case_sensitive_identifier"
      value = true
    }
  }
  parameter_group_tags = {
    Additional = "CustomParameterGroup"
  }

  # Subnet group
  subnet_group_name        = "example-custom"
  subnet_group_description = "Custom subnet group for example cluster"
  subnet_group_tags = {
    Additional = "CustomSubnetGroup"
  }

  # Snapshot schedule
  create_snapshot_schedule        = true
  snapshot_schedule_identifier    = "example" # any string identifier; a local is not defined in this snippet
  use_snapshot_identifier_prefix  = true
  snapshot_schedule_description   = "Example snapshot schedule"
  snapshot_schedule_definitions   = ["rate(12 hours)"]
  snapshot_schedule_force_destroy = true

  # Scheduled actions
  create_scheduled_action_iam_role = true
  scheduled_actions = {
    pause = {
      name          = "example-pause"
      description   = "Pause cluster every night"
      schedule      = "cron(0 22 * * ? *)"
      pause_cluster = true
    }
    resize = {
      name        = "example-resize"
      description = "Resize cluster (demo only)"
      schedule    = "cron(00 13 * * ? *)"
      resize_cluster = {
        node_type       = "ds2.xlarge"
        number_of_nodes = 5
      }
    }
    resume = {
      name           = "example-resume"
      description    = "Resume cluster every morning"
      schedule       = "cron(0 12 * * ? *)"
      resume_cluster = true
    }
  }

  # Endpoint access
  create_endpoint_access          = true
  endpoint_name                   = "example-example"
  endpoint_subnet_group_name      = "example-subnet-group"
  endpoint_vpc_security_group_ids = ["sg-12345678"]

  # Usage limits
  usage_limits = {
    currency_scaling = {
      feature_type  = "concurrency-scaling"
      limit_type    = "time"
      amount        = 60
      breach_action = "emit-metric"
    }
    spectrum = {
      feature_type  = "spectrum"
      limit_type    = "data-scanned"
      amount        = 2
      breach_action = "disable"
      tags = {
        Additional = "CustomUsageLimits"
      }
    }
  }

  # Authentication profile
  authentication_profiles = {
    example = {
      name = "example"
      content = {
        AllowDBUserOverride = "1"
        Client_ID           = "ExampleClientID"
        App_ID              = "example"
      }
    }
    bar = {
      content = {
        AllowDBUserOverride = "1"
        Client_ID           = "ExampleClientID"
        App_ID              = "bar"
      }
    }
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}
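The usage above hard-codes the admin password in configuration (and therefore in state). As an added example, not taken from the module's own README, the following variant uses the module's manage_master_password inputs so Redshift generates the credential, stores it in Secrets Manager and rotates it, while keeping the cluster private, encrypted with a customer-managed key and TLS-only. Key ARNs, IDs and security group and subnet IDs are placeholders.

```hcl
module "redshift" {
  source = "terraform-aws-modules/redshift/aws"

  cluster_identifier = "example-managed-secret"
  node_type          = "ra3.xlplus"
  number_of_nodes    = 2

  database_name   = "mydb"
  master_username = "mydbuser"

  # Let Redshift generate the admin password and keep it in Secrets Manager:
  # no plaintext password is written to this configuration or to state.
  create_random_password            = false
  manage_master_password            = true
  master_password_secret_kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab" # placeholder key id

  # Rotate the managed secret automatically every 30 days
  manage_master_password_rotation                   = true
  master_password_rotation_automatically_after_days = 30
  master_password_rotate_immediately                = false

  # Data at rest encrypted with a customer-managed key; no public endpoint
  encrypted            = true
  kms_key_arn          = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" # placeholder
  publicly_accessible  = false
  enhanced_vpc_routing = true

  vpc_security_group_ids = ["sg-12345678"]      # placeholder
  subnet_ids             = ["subnet-123456", "subnet-654321"] # placeholders

  # Enforce TLS for client connections and record user activity
  parameter_group_name = "example-managed-secret"
  parameter_group_parameters = {
    require_ssl = {
      name  = "require_ssl"
      value = true
    }
    enable_user_activity_logging = {
      name  = "enable_user_activity_logging"
      value = true
    }
  }

  # Audit logs to S3, as in the usage block above
  logging = {
    enable        = true
    bucket_name   = "my-s3-log-bucket" # placeholder
    s3_key_prefix = "example-managed-secret/"
  }

  tags = {
    Environment = "dev"
    Terraform   = "true"
  }
}

# Consumers read the credential from Secrets Manager at runtime via this ARN;
# the password itself never appears in Terraform configuration or outputs.
output "redshift_admin_secret_arn" {
  value = module.redshift.master_password_secret_arn
}
```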

Examples

Requirements

Name Version
terraform >= 1.3
aws >= 5.45
random >= 3.0

Providers

Name Version
aws >= 5.45
random >= 3.0

Modules

No modules.

Resources

Name Type
aws_cloudwatch_log_group.this resource
aws_iam_role.scheduled_action resource
aws_iam_role_policy.scheduled_action resource
aws_redshift_authentication_profile.this resource
aws_redshift_cluster.this resource
aws_redshift_cluster_iam_roles.this resource
aws_redshift_endpoint_access.this resource
aws_redshift_logging.this resource
aws_redshift_parameter_group.this resource
aws_redshift_scheduled_action.this resource
aws_redshift_snapshot_copy.this resource
aws_redshift_snapshot_schedule.this resource
aws_redshift_snapshot_schedule_association.this resource
aws_redshift_subnet_group.this resource
aws_redshift_usage_limit.this resource
aws_secretsmanager_secret_rotation.this resource
random_password.master_password resource
aws_iam_policy_document.scheduled_action data source
aws_iam_policy_document.scheduled_action_assume data source
aws_partition.current data source

Inputs

Name Description Type Default Required
allow_version_upgrade If true, major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster. Default is true bool null no
apply_immediately Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false bool null no
aqua_configuration_status The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) after the cluster is restored. Possible values are enabled, disabled, and auto. Requires Cluster reboot string null no
authentication_profiles Map of authentication profiles to create any {} no
automated_snapshot_retention_period The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with create-cluster-snapshot. Default is 1 number null no
availability_zone The EC2 Availability Zone (AZ) in which you want Amazon Redshift to provision the cluster. Can only be changed if availability_zone_relocation_enabled is true string null no
availability_zone_relocation_enabled If true, the cluster can be relocated to another availability zone, either automatically by AWS or when requested. Default is false. Available for use on clusters from the RA3 instance family bool null no
cloudwatch_log_group_kms_key_id The ARN of the KMS Key to use when encrypting log data string null no
cloudwatch_log_group_retention_in_days The number of days to retain CloudWatch logs for the redshift cluster number 0 no
cloudwatch_log_group_skip_destroy Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state bool null no
cloudwatch_log_group_tags Additional tags to add to cloudwatch log groups created map(string) {} no
cluster_identifier The Cluster Identifier. Must be a lower case string string "" no
cluster_timeouts Create, update, and delete timeout configurations for the cluster map(string) {} no
cluster_version The version of the Amazon Redshift engine software that you want to deploy on the cluster. The version selected runs on all the nodes in the cluster string null no
create Determines whether to create Redshift cluster and resources (affects all resources) bool true no
create_cloudwatch_log_group Determines whether a CloudWatch log group is created for each var.logging.log_exports bool false no
create_endpoint_access Determines whether to create an endpoint access (managed VPC endpoint) bool false no
create_parameter_group Determines whether to create a parameter group or use existing bool true no
create_random_password Determines whether to create random password for cluster master_password bool true no
create_scheduled_action_iam_role Determines whether a scheduled action IAM role is created bool false no
create_snapshot_schedule Determines whether to create a snapshot schedule bool false no
create_subnet_group Determines whether to create a subnet group or use existing bool true no
database_name The name of the first database to be created when the cluster is created. If you do not provide a name, Amazon Redshift will create a default database called dev string null no
default_iam_role_arn The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created string null no
elastic_ip The Elastic IP (EIP) address for the cluster string null no
encrypted If true, the data in the cluster is encrypted at rest bool true no
endpoint_name The Redshift-managed VPC endpoint name string "" no
endpoint_resource_owner The Amazon Web Services account ID of the owner of the cluster. This is only required if the cluster is in another Amazon Web Services account string null no
endpoint_subnet_group_name The subnet group from which Amazon Redshift chooses the subnet to deploy the endpoint string "" no
endpoint_vpc_security_group_ids The security group IDs to use for the endpoint access (managed VPC endpoint) list(string) [] no
enhanced_vpc_routing If true, enhanced VPC routing is enabled bool null no
final_snapshot_identifier The identifier of the final snapshot that is to be created immediately before deleting the cluster. If this parameter is provided, skip_final_snapshot must be false string null no
iam_role_arns A list of IAM Role ARNs to associate with the cluster. A Maximum of 10 can be associated to the cluster at any time list(string) [] no
iam_role_description Description of the scheduled action IAM role string null no
iam_role_name Name to use on scheduled action IAM role created string null no
iam_role_path Scheduled action IAM role path string null no
iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the scheduled action IAM role string null no
iam_role_tags A map of additional tags to add to the scheduled action IAM role created map(string) {} no
iam_role_use_name_prefix Determines whether the scheduled action IAM role name (iam_role_name) is used as a prefix string true no
kms_key_arn The ARN for the KMS encryption key. When specifying kms_key_arn, encrypted needs to be set to true string null no
logging Logging configuration for the cluster any {} no
maintenance_track_name The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. Default value is current string null no
manage_master_password Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with master_password. One of master_password or manage_master_password is required unless snapshot_identifier is provided bool false no
manage_master_password_rotation Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. bool false no
manual_snapshot_retention_period The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots. Valid values are between -1 and 3653. Default value is -1 number null no
master_password Password for the master DB user. (Required unless a snapshot_identifier is provided). Must contain at least 8 chars, one uppercase letter, one lowercase letter, and one number string null no
master_password_rotate_immediately Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. bool null no
master_password_rotation_automatically_after_days Specifies the number of days between automatic scheduled rotations of the secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified. number null no
master_password_rotation_duration The length of the rotation window in hours. For example, 3h for a three hour window. string null no
master_password_rotation_schedule_expression A cron() or rate() expression that defines the schedule for rotating your secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified. string null no
master_password_secret_kms_key_id ID of the KMS key used to encrypt the cluster admin credentials secret string null no
master_username Username for the master DB user (Required unless a snapshot_identifier is provided). Defaults to awsuser string "awsuser" no
multi_az Specifies if the Redshift cluster is multi-AZ bool null no
node_type The node type to be provisioned for the cluster string "" no
number_of_nodes Number of nodes in the cluster. Defaults to 1. Note: values greater than 1 will trigger cluster_type to switch to multi-node number 1 no
owner_account The AWS customer account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot string null no
parameter_group_description The description of the Redshift parameter group. Defaults to Managed by Terraform string null no
parameter_group_family The family of the Redshift parameter group string "redshift-1.0" no
parameter_group_name The name of the Redshift parameter group, existing or to be created string null no
parameter_group_parameters Map of parameters (name/value pairs) to apply to the parameter group map(any) {} no
parameter_group_tags Additional tags to add to the parameter group map(string) {} no
port The port number on which the cluster accepts incoming connections. Default port is 5439 number null no
preferred_maintenance_window The weekly time range (in UTC) during which automated cluster maintenance can occur. Format: ddd:hh24:mi-ddd:hh24:mi string "sat:10:00-sat:10:30" no
publicly_accessible If true, the cluster can be accessed from a public network bool false no
random_password_length Length of random password to create. Defaults to 16 number 16 no
scheduled_actions Map of maps containing scheduled action definitions any {} no
skip_final_snapshot Determines whether a final snapshot of the cluster is created before Redshift deletes the cluster. If true, a final cluster snapshot is not created. If false, a final cluster snapshot is created before the cluster is deleted bool true no
snapshot_cluster_identifier The name of the cluster the source snapshot was created from string null no
snapshot_copy Configuration of automatic copy of snapshots from one region to another any {} no
snapshot_identifier The name of the snapshot from which to create the new cluster string null no
snapshot_schedule_definitions The definition of the snapshot schedule. The definition is made up of schedule expressions, for example cron(30 12 *) or rate(12 hours) list(string) [] no
snapshot_schedule_description The description of the snapshot schedule string null no
snapshot_schedule_force_destroy Whether to destroy all associated clusters with this snapshot schedule on deletion. Must be enabled and applied before attempting deletion bool null no
snapshot_schedule_identifier The snapshot schedule identifier string null no
subnet_group_description The description of the Redshift Subnet group. Defaults to Managed by Terraform string null no
subnet_group_name The name of the Redshift subnet group, existing or to be created string null no
subnet_group_tags Additional tags to add to the subnet group map(string) {} no
subnet_ids An array of VPC subnet IDs to use in the subnet group list(string) [] no
tags A map of tags to add to all resources map(string) {} no
usage_limits Map of usage limit definitions to create any {} no
use_snapshot_identifier_prefix Determines whether the identifier (snapshot_schedule_identifier) is used as a prefix bool true no
vpc_security_group_ids A list of Virtual Private Cloud (VPC) security groups to be associated with the cluster list(string) [] no

Outputs

Name Description
authentication_profiles Map of authentication profiles created and their associated attributes
cluster_arn The Redshift cluster ARN
cluster_automated_snapshot_retention_period The backup retention period
cluster_availability_zone The availability zone of the Cluster
cluster_database_name The name of the default database in the Cluster
cluster_dns_name The DNS name of the cluster
cluster_encrypted Whether the data in the cluster is encrypted
cluster_endpoint The connection endpoint
cluster_hostname The hostname of the Redshift cluster
cluster_id The Redshift cluster ID
cluster_identifier The Redshift cluster identifier
cluster_namespace_arn The namespace Amazon Resource Name (ARN) of the cluster
cluster_node_type The type of nodes in the cluster
cluster_nodes The nodes in the cluster. Each node is a map of the following attributes: node_role, private_ip_address, and public_ip_address
cluster_parameter_group_name The name of the parameter group to be associated with this cluster
cluster_port The port the cluster responds on
cluster_preferred_maintenance_window The backup window
cluster_public_key The public key for the cluster
cluster_revision_number The specific revision number of the database in the cluster
cluster_secretsmanager_secret_rotation_enabled Specifies whether automatic rotation is enabled for the secret
cluster_subnet_group_name The name of a cluster subnet group to be associated with this cluster
cluster_type The Redshift cluster type
cluster_version The version of Redshift engine software
cluster_vpc_security_group_ids The VPC security group ids associated with the cluster
endpoint_access_address The DNS address of the endpoint
endpoint_access_id The Redshift-managed VPC endpoint name
endpoint_access_port The port number on which the cluster accepts incoming connections
endpoint_access_vpc_endpoint The connection endpoint for connecting to an Amazon Redshift cluster through the proxy. See details below
master_password_secret_arn ARN of managed master password secret
parameter_group_arn Amazon Resource Name (ARN) of the parameter group created
parameter_group_id The name of the Redshift parameter group created
scheduled_action_iam_role_arn Scheduled actions IAM role ARN
scheduled_action_iam_role_name Scheduled actions IAM role name
scheduled_action_iam_role_unique_id Stable and unique string identifying the scheduled action IAM role
scheduled_actions A map of maps containing scheduled action details
snapshot_schedule_arn Amazon Resource Name (ARN) of the Redshift Snapshot Schedule
subnet_group_arn Amazon Resource Name (ARN) of the Redshift subnet group created
subnet_group_id The ID of Redshift Subnet group created
usage_limits Map of usage limits created and their associated attributes

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.