terraform-aws-documentdb-example

An example Amazon DocumentDB instance, Amazon API Gateway, and AWS Lambda Function

Primary language: HCL

This deploys an example Amazon DocumentDB instance, Amazon API Gateway, and AWS Lambda Function.

This will:

  • Use the Amazon DocumentDB Service.
    • Create a Database instance.
  • Build an example Go AWS Lambda Function as a Container Image.
    • At each request, increment the counters.hits.counter property, and return its modified value.
    • Create the counters database.
    • Create the hits database collection.
    • Get the database credentials from a Secret.
    • Upload it to the Amazon ECR.
  • Create an Amazon API Gateway.
    • Configure it to use the Go AWS Lambda Function.
  • Create a VPC and all the plumbing required for the Go AWS Lambda Function to reach the Amazon DocumentDB Database instance.

Usage (on an Ubuntu Desktop)

Install the dependencies:

Set the AWS Account credentials using SSO:

# set the environment variables to use a specific profile.
# e.g. use the pattern <aws-sso-session-name>-<aws-account-name>-<aws-account-role>-<aws-account-id>
export AWS_PROFILE=example-dev-AdministratorAccess-123456
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
# set the account credentials.
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso
aws configure sso
# dump the configured profile and sso-session.
cat ~/.aws/config
# show the user, user amazon resource name (arn), and the account id, of the
# profile set in the AWS_PROFILE environment variable.
aws sts get-caller-identity

Or, set the AWS Account credentials using an Access Key:

# set the account credentials.
# NB get these from your aws account iam console.
#    see Managing access keys (console) at
#        https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
unset AWS_PROFILE
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identity

Review the inputs.tf file.

Initialize the project:

terraform init -lockfile=readonly

Deploy the example:

terraform apply

Show the terraform state:

terraform state list
terraform show

Access the example service (hosted by the Go AWS Lambda Function Container):

example_url="$(terraform output --raw example_url)"
curl \
  -s \
  -X GET \
  "$example_url" \
  | jq

You should see a response like the following, where the hitsCounter property value is incremented after each request:

{
  "hitsCounter": 1
}

Test recreating the lambda function:

terraform destroy -target=module.example_lambda_function
terraform apply

Destroy the example:

terraform destroy

List this repository's dependencies (and which ones have newer versions):

GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh

Notes

  • There is no way to use an AWS IAM Role to authenticate as a DocumentDB User.
    • This means we cannot use the Lambda Function IAM Role as a password-less authentication mechanism. So, we must manage the DocumentDB User password.
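
Because the password has to be managed, the Lambda Function described above reads it from a Secret at runtime and must build a TLS-only connection string from it without leaking it into logs. The following is an added example (not code from this repository) of that part of the Lambda Function in Go: it assumes a secret JSON payload with username, password, host and port fields (a constructed layout; the repository's actual secret shape is not shown in this README), and the function names ParseDocDBSecret, BuildDocDBURI and RedactURI are hypothetical. The counter increment itself goes through the MongoDB driver and is not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// DocDBSecret is the shape this example assumes for the secret the Lambda
// Function reads (constructed for this example; not the repository's own).
type DocDBSecret struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Host     string `json:"host"`
	Port     int    `json:"port"`
}

// ParseDocDBSecret decodes the secret string and rejects incomplete payloads
// early, so a misconfigured secret fails at startup instead of surfacing as
// an opaque authentication error inside the driver.
func ParseDocDBSecret(raw string) (DocDBSecret, error) {
	var s DocDBSecret
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return DocDBSecret{}, fmt.Errorf("decode secret: %w", err)
	}
	if s.Username == "" || s.Password == "" || s.Host == "" {
		return DocDBSecret{}, fmt.Errorf("secret is missing username, password or host")
	}
	if s.Port == 0 {
		s.Port = 27017 // DocumentDB default port
	}
	return s, nil
}

// BuildDocDBURI turns the secret into a MongoDB connection URI for Amazon
// DocumentDB. url.UserPassword percent-encodes the credentials, so a password
// containing '@' or '/' cannot corrupt the URI. The options require TLS with
// the given CA bundle and disable retryable writes, which DocumentDB does not
// support.
func BuildDocDBURI(s DocDBSecret, caFile string) string {
	u := url.URL{
		Scheme: "mongodb",
		User:   url.UserPassword(s.Username, s.Password),
		Host:   fmt.Sprintf("%s:%d", s.Host, s.Port),
		Path:   "/",
	}
	q := url.Values{}
	q.Set("tls", "true")
	q.Set("tlsCAFile", caFile)
	q.Set("replicaSet", "rs0")
	q.Set("readPreference", "secondaryPreferred")
	q.Set("retryWrites", "false")
	u.RawQuery = q.Encode()
	return u.String()
}

// RedactURI returns a copy of the URI that is safe to log: the password is
// replaced, while host and options are kept for troubleshooting.
func RedactURI(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	if u.User != nil {
		if _, has := u.User.Password(); has {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	return u.String(), nil
}

func main() {
	// Constructed secret payload, standing in for the value fetched from the Secret.
	raw := `{"username":"app","password":"p@ss/word","host":"docdb.example.internal"}`
	s, err := ParseDocDBSecret(raw)
	if err != nil {
		panic(err)
	}
	uri := BuildDocDBURI(s, "global-bundle.pem")
	redacted, _ := RedactURI(uri)
	fmt.Println(redacted) // log only the redacted form; pass uri to the driver
}
```

The password in the constructed secret deliberately contains '@' and '/': unescaped, those characters would make the driver parse the host out of the password, which is the kind of failure that only shows up once a rotated password happens to contain them.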