islamelkadi/terraform-aws-dynamodb
GitHub: islamelkadi/terraform-aws-dynamodb
Production-grade AWS DynamoDB Terraform module with built-in multi-framework security compliance support and environment-aware security controls.
# Terraform AWS DynamoDB Module
CI workflows: [terraform-security](https://github.com/islamelkadi/terraform-aws-dynamodb/actions/workflows/terraform-security.yaml) | [terraform-lint](https://github.com/islamelkadi/terraform-aws-dynamodb/actions/workflows/terraform-lint.yaml) | [terraform-docs](https://github.com/islamelkadi/terraform-aws-dynamodb/actions/workflows/terraform-docs.yaml)
A reusable Terraform module for creating AWS DynamoDB tables that comply with AWS Security Hub standards (FSBP, CIS, NIST 800-53, NIST 800-171, PCI DSS), with flexible security control overrides and comprehensive configuration options.
## Table of Contents
- [Prerequisites](#prerequisites)
- [Security](#security)
- [Features](#features)
- [Usage](#usage)
- [Requirements](#requirements)
- [MCP Servers](#mcp-servers)
## Prerequisites
This module is designed for macOS. The following must already be installed on your machine:
- Python 3 and pip
- [Kiro](https://kiro.dev) and the Kiro CLI
- [Homebrew](https://brew.sh)
To install the remaining development tools, run:
```
make bootstrap
```
This installs or upgrades: tfenv, Terraform (via tfenv), tflint, terraform-docs, checkov and pre-commit.
## Security
### Security Controls
This module implements AWS Security Hub compliance with an extensible override system. When `security_controls` is supplied from the metadata module, the security controls are enforced by default.
### Available Security Control Overrides
| Override flag | Description | Typical justification |
|--------------|-------------|---------------------|
| `disable_kms_requirement` | Allows AWS-managed encryption instead of a customer-managed key | "Development table, no sensitive data" |
| `disable_pitr_requirement` | Disables point-in-time recovery | "Temporary data, disposable table" |
| `disable_deletion_protection` | Allows the table to be deleted | "Development table, needs easy teardown" |
### Security Best Practices
**Production tables:**
- Encrypt with a KMS customer-managed key
- Enable point-in-time recovery (PITR) to protect data
- Enable deletion protection to prevent accidental deletion
- Use on-demand billing, or provisioned mode with auto scaling configured
- Enable DynamoDB Streams for change data capture
- Set CloudWatch alarms for throttling and errors
**Development tables:**
- KMS encryption is still recommended (the cost is minimal)
- PITR is optional, to save cost
- Deletion protection may be disabled with a documented justification
### Environment-Based Security Controls
Security controls are applied automatically per environment through the security profiles of the [terraform-aws-metadata](https://github.com/islamelkadi/terraform-aws-metadata?tab=readme-ov-file#security-profiles) module:
| Control | Dev | Staging | Prod |
|---------|-----|---------|------|
| KMS customer-managed key | Optional | Required | Required |
| Point-in-time recovery | Optional | Required | Required |
| Deletion protection | Disabled | Enabled | Enabled |
| DynamoDB Streams | Optional | Recommended | Recommended |
For full details on the security profiles and how the controls vary by environment, see the [Security Profiles](https://github.com/islamelkadi/terraform-aws-metadata?tab=readme-ov-file#security-profiles) documentation.
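The override table and the per-environment table above describe a policy: a profile decides which controls a table must have, an override flag relaxes one of them, and any override needs a justification. The script below is an added example, not code from this module or the metadata module; it applies that policy to the JSON that `terraform show -json` emits for a plan, so a CI job can reject a plan whose `aws_dynamodb_table` resources fall short of the profile before anything is applied. The `PROFILES` mapping is an assumption about how the metadata module's profiles resolve (it mirrors the table above), the sample plan is constructed, and the KMS key ARN in it is a placeholder.

```python
"""Plan-time compliance check for DynamoDB tables.

Added example, not code from terraform-aws-dynamodb: it models the
environment profiles and override flags described in this README and
applies them to the JSON produced by `terraform show -json plan.out`.
"""
import json
import sys

# Which controls each environment profile requires. Mirrors the README's
# environment table; an assumption about how the metadata module's profiles
# resolve, not that module's actual output.
PROFILES = {
    "dev":     {"kms": False, "pitr": False, "deletion_protection": False},
    "staging": {"kms": True,  "pitr": True,  "deletion_protection": True},
    "prod":    {"kms": True,  "pitr": True,  "deletion_protection": True},
}

# Override flag -> the control it relaxes (same flags as the README table).
OVERRIDE_FLAGS = {
    "disable_kms_requirement": "kms",
    "disable_pitr_requirement": "pitr",
    "disable_deletion_protection": "deletion_protection",
}


def iter_resources(module):
    """Walk root_module and its nested child_modules in a plan JSON document."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def first_block(values, name):
    """Nested blocks are lists in plan JSON; return the first one or an empty dict."""
    blocks = values.get(name) or []
    return blocks[0] if blocks else {}


def required_controls(environment, overrides=None):
    """Controls still enforced after overrides, the flags used, and whether a
    justification is missing for them."""
    overrides = overrides or {}
    required = dict(PROFILES[environment])
    used = [flag for flag in OVERRIDE_FLAGS if overrides.get(flag)]
    for flag in used:
        required[OVERRIDE_FLAGS[flag]] = False
    missing_justification = bool(used) and not overrides.get("justification", "").strip()
    return required, used, missing_justification


def check_table(values, environment, overrides=None):
    """Return a list of findings for one aws_dynamodb_table's planned values."""
    required, used, no_reason = required_controls(environment, overrides)
    findings = []
    if no_reason:
        findings.append("overrides used without justification: " + ", ".join(used))
    sse = first_block(values, "server_side_encryption")
    if required["kms"] and not (sse.get("enabled") and sse.get("kms_key_arn")):
        findings.append("KMS customer-managed key encryption required")
    pitr = first_block(values, "point_in_time_recovery")
    if required["pitr"] and not pitr.get("enabled"):
        findings.append("point-in-time recovery required")
    if required["deletion_protection"] and not values.get("deletion_protection_enabled"):
        findings.append("deletion protection required")
    return findings


def check_plan(plan, environment, overrides=None):
    """Map each planned aws_dynamodb_table address to its findings."""
    return {
        r["address"]: check_table(r["values"], environment, overrides)
        for r in iter_resources(plan["planned_values"]["root_module"])
        if r["type"] == "aws_dynamodb_table"
    }


# Constructed sample shaped like `terraform show -json` output: one compliant
# table and one planned without PITR or deletion protection.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [
    {"address": "module.events_table", "resources": [{
        "address": "module.events_table.aws_dynamodb_table.this",
        "type": "aws_dynamodb_table",
        "values": {
            "server_side_encryption": [{"enabled": True, "kms_key_arn": KEY_ARN}],
            "point_in_time_recovery": [{"enabled": True}],
            "deletion_protection_enabled": True}}]},
    {"address": "module.scratch_table", "resources": [{
        "address": "module.scratch_table.aws_dynamodb_table.this",
        "type": "aws_dynamodb_table",
        "values": {
            "server_side_encryption": [{"enabled": True, "kms_key_arn": KEY_ARN}],
            "point_in_time_recovery": [{"enabled": False}],
            "deletion_protection_enabled": False}}]},
]}}}

if __name__ == "__main__":
    # Usage: python check_plan.py [plan.json] [dev|staging|prod]
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    env = sys.argv[2] if len(sys.argv) > 2 else "prod"
    for address, findings in check_plan(plan, env).items():
        print(address, "OK" if not findings else findings)
```

Run against a real plan with `terraform plan -out=plan.out && terraform show -json plan.out > plan.json`, then pass the environment name. The check deliberately reads the planned resource attributes rather than the module inputs, so it catches a table that bypasses the module entirely, and it treats an override without a justification as a finding of its own, as the module's `security_control_overrides` input expects one.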
### Security Scan Suppressions
This module suppresses certain Checkov security checks that either do not apply to example/demo code or represent optional features. The following checks are suppressed in `.checkov.yaml`:
**Module source versioning (CKV_TF_1, CKV_TF_2)**
- Suppressed because we use semantic version tags (`?ref=v1.0.0`) rather than commit hashes, for better maintainability and readability
- Semantic versioning is a valid and widely accepted versioning strategy for stable releases
**KMS IAM policies (CKV_AWS_111, CKV_AWS_356, CKV_AWS_109)**
- Suppressed in the example code, where the KMS module uses permissive IAM policies for demonstration purposes
- Production deployments should tailor the KMS policy to their specific security requirements and apply the principle of least privilege
## Features
- DynamoDB table with on-demand billing mode
- KMS encryption with a customer-managed key
- Point-in-time recovery (PITR) for data protection
- Deletion protection option
- DynamoDB Streams support
- TTL (time to live) configuration
- Global and local secondary indexes
- Security control integration with an extensible override system
- Terraform validation checks for compliance
## Usage Examples
### Basic Example
```
module "dynamodb_table" {
  source = "github.com/islamelkadi/terraform-aws-dynamodb"

  namespace   = "example"
  environment = "prod"
  name        = "events"
  region      = "us-east-1"

  # Table schema
  hash_key  = "event_id"
  range_key = "timestamp"

  attributes = [
    {
      name = "event_id"
      type = "S"
    },
    {
      name = "timestamp"
      type = "N"
    }
  ]

  # Encryption
  kms_key_arn = module.kms.key_arn

  tags = {
    Project = "CorporateActions"
  }
}
```
### Production Table with Security Controls
```
module "dynamodb_table" {
  source = "github.com/islamelkadi/terraform-aws-dynamodb"

  security_controls = module.metadata.security_controls

  namespace   = "example"
  environment = "prod"
  name        = "corporate-actions-events"
  region      = "us-east-1"

  # Table schema
  hash_key  = "event_id"
  range_key = "timestamp"

  attributes = [
    {
      name = "event_id"
      type = "S"
    },
    {
      name = "timestamp"
      type = "N"
    },
    {
      name = "cusip"
      type = "S"
    }
  ]

  # Global secondary index
  global_secondary_indexes = [
    {
      name            = "cusip-timestamp-index"
      hash_key        = "cusip"
      range_key       = "timestamp"
      projection_type = "ALL"
    }
  ]

  # KMS encryption (required by security controls)
  kms_key_arn = module.kms.key_arn

  # Point-in-time recovery (required by security controls)
  enable_point_in_time_recovery = true

  # Deletion protection (required by security controls)
  deletion_protection_enabled = true

  # DynamoDB Streams for change data capture
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  # TTL for automatic data expiration
  ttl_enabled        = true
  ttl_attribute_name = "expires_at"

  tags = {
    Project    = "CorporateActions"
    Compliance = "PCI-DSS"
    DataClass  = "Confidential"
  }
}
```
### Development Table with Overrides
```
module "dynamodb_table" {
  source = "github.com/islamelkadi/terraform-aws-dynamodb"

  security_controls = module.metadata.security_controls

  # Override security controls for development
  security_control_overrides = {
    disable_pitr_requirement    = true
    disable_deletion_protection = true
    justification               = "Development table for testing. Data is disposable and recreated from seed scripts. PITR adds unnecessary cost. Deletion protection disabled for easy environment teardown."
  }

  namespace   = "example"
  environment = "dev"
  name        = "test-events"
  region      = "us-east-1"

  hash_key = "id"

  attributes = [
    {
      name = "id"
      type = "S"
    }
  ]

  # Still use KMS encryption
  kms_key_arn = module.kms.key_arn

  # Overrides allow these to be disabled
  enable_point_in_time_recovery = false
  deletion_protection_enabled   = false

  tags = {
    Project     = "CorporateActions"
    Environment = "Development"
  }
}
```
### Table with Streams for Event Processing
```
module "events_table" {
  source = "github.com/islamelkadi/terraform-aws-dynamodb"

  security_controls = module.metadata.security_controls

  namespace   = "example"
  environment = "prod"
  name        = "events"
  region      = "us-east-1"

  hash_key  = "event_id"
  range_key = "timestamp"

  attributes = [
    {
      name = "event_id"
      type = "S"
    },
    {
      name = "timestamp"
      type = "N"
    }
  ]

  kms_key_arn                   = module.kms.key_arn
  enable_point_in_time_recovery = true
  deletion_protection_enabled   = true

  # Enable streams for Lambda processing
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"

  tags = {
    Project = "CorporateActions"
    Purpose = "EventSourcing"
  }
}

# Lambda function that processes the DynamoDB stream.
# This block needs a Lambda module: the DynamoDB module above does not accept
# runtime, handler, filename or managed_policy_arns (see its Inputs table), so
# pointing it at the DynamoDB source fails with "unsupported argument". The
# Lambda module source is not given in this README; the value below is a
# placeholder to replace with your own.
module "stream_processor" {
  source = "<LAMBDA_MODULE_SOURCE>" # placeholder

  namespace   = "example"
  environment = "prod"
  name        = "events-stream-processor"
  region      = "us-east-1"

  runtime  = "python3.13"
  handler  = "index.handler"
  filename = "processor.zip"

  # Grant Lambda permission to read from the stream
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole"
  ]
}

# Event source mapping
resource "aws_lambda_event_source_mapping" "dynamodb_stream" {
  event_source_arn                   = module.events_table.stream_arn
  function_name                      = module.stream_processor.function_name
  starting_position                  = "LATEST"
  batch_size                         = 100
  maximum_batching_window_in_seconds = 5
}
```
## MCP Servers
This module includes two [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) servers for Kiro, configured in `.kiro/settings/mcp.json`:
| Server | Package | Description |
|--------|---------|-------------|
| `aws-docs` | `awslabs.aws-documentation-mcp-server@latest` | Provides access to AWS documentation for contextual lookup of service features, API references and best practices. |
| `terraform` | `awslabs.terraform-mcp-server@latest` | Runs Terraform operations (init, validate, plan, fmt, tflint) directly from the IDE, with auto-approved commands for common workflows. |
Both servers run via `uvx` and need no installation beyond the [bootstrap](#prerequisites) step.
## Usage
```
# DynamoDB module example
# Demonstrates creating a table with GSIs, TTL and streams
module "dynamodb_table" {
  source = "github.com/islamelkadi/terraform-aws-dynamodb"

  namespace   = var.namespace
  environment = var.environment
  name        = var.name
  region      = var.region

  # Composite key
  hash_key  = var.hash_key
  range_key = var.range_key

  # Attributes
  attributes = var.attributes

  # Global Secondary Indexes
  global_secondary_indexes = var.global_secondary_indexes

  # TTL configuration
  ttl_enabled        = var.ttl_enabled
  ttl_attribute_name = var.ttl_attribute_name

  # Streams configuration
  stream_enabled   = var.stream_enabled
  stream_view_type = var.stream_view_type

  # Recovery and protection
  enable_point_in_time_recovery = var.enable_point_in_time_recovery
  deletion_protection_enabled   = var.deletion_protection_enabled

  # Encryption
  kms_key_arn = var.kms_key_arn

  tags = var.tags
}
```
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.14.3 |
| [aws](#requirement\_aws) | >= 6.34 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 6.34 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [metadata](#module\_metadata) | github.com/islamelkadi/terraform-aws-metadata | v1.1.0 |
## Resources
| Name | Type |
|------|------|
| [aws_dynamodb_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [attributes](#input\_attributes) | List of attribute definitions. Each attribute must include 'name' and 'type' (S, N or B) | `list(object({ name = string, type = string }))` | n/a | yes |
| [deletion\_protection\_enabled](#input\_deletion\_protection\_enabled) | Enable deletion protection for the table | `bool` | `false` | no |
| [delimiter](#input\_delimiter) | Delimiter used between name components | `string` | `"-"` | no |
| [enable\_point\_in\_time\_recovery](#input\_enable\_point\_in\_time\_recovery) | Enable point-in-time recovery for the table | `bool` | `true` | no |
| [environment](#input\_environment) | Environment name (dev, staging, prod) | `string` | n/a | yes |
| [global\_secondary\_indexes](#input\_global\_secondary\_indexes) | List of global secondary index configurations | `list(object({ name = string, hash_key = string, range_key = optional(string), projection_type = optional(string), non_key_attributes = optional(list(string)) }))` | `[]` | no |
| [hash\_key](#input\_hash\_key) | Attribute used as the hash (partition) key | `string` | n/a | yes |
| [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key used for table encryption | `string` | n/a | yes |
| [local\_secondary\_indexes](#input\_local\_secondary\_indexes) | List of local secondary index configurations | `list(object({ name = string, range_key = string, projection_type = optional(string), non_key_attributes = optional(list(string)) }))` | `[]` | no |
| [name](#input\_name) | Name of the DynamoDB table | `string` | n/a | yes |
| [namespace](#input\_namespace) | Namespace (organisation/team name) | `string` | n/a | yes |
| [naming\_attributes](#input\_naming\_attributes) | Additional attributes used for naming | `list(string)` | `[]` | no |
| [range\_key](#input\_range\_key) | Attribute used as the range (sort) key. Optional | `string` | `null` | no |
| [region](#input\_region) | AWS region in which the resources will be created | `string` | n/a | yes |
| [security\_control\_overrides](#input\_security\_control\_overrides) | Override specific security controls with a documented justification | `object({ disable_kms_requirement = optional(bool, false), disable_pitr_requirement = optional(bool, false), disable_deletion_protection = optional(bool, false), justification = optional(string, "") })` | `{ "disable_deletion_protection": false, "disable_kms_requirement": false, "disable_pitr_requirement": false, "justification": "" }` | no |
| [security\_controls](#input\_security\_controls) | Security control configuration from the metadata module | <pre>object({<br>  encryption = object({<br>    require_kms_customer_managed  = bool<br>    require_encryption_at_rest    = bool<br>    require_encryption_in_transit = bool<br>    enable_kms_key_rotation       = bool<br>  })<br>  logging = object({<br>    require_cloudwatch_logs = bool<br>    min_log_retention_days  = number<br>    require_access_logging  = bool<br>    require_flow_logs       = bool<br>  })<br>  monitoring = object({<br>    enable_xray_tracing         = bool<br>    enable_enhanced_monitoring  = bool<br>    enable_performance_insights = bool<br>    require_cloudtrail          = bool<br>  })<br>  network = object({<br>    require_private_subnets = bool<br>    require_vpc_endpoints   = bool<br>    block_public_ingress    = bool<br>    require_imdsv2          = bool<br>  })<br>  compliance = object({<br>    enable_point_in_time_recovery = bool<br>    require_reserved_concurrency  = bool<br>    enable_deletion_protection    = bool<br>  })<br>  data_protection = object({<br>    require_versioning         = bool<br>    require_mfa_delete         = bool<br>    require_automated_backups  = bool<br>    block_public_access        = bool<br>    require_lifecycle_policies = bool<br>  })<br>})</pre> | `null` | no |
| [stream\_enabled](#input\_stream\_enabled) | Enable DynamoDB Streams | `bool` | `false` | no |
| [stream\_view\_type](#input\_stream\_view\_type) | Stream view type (KEYS\_ONLY, NEW\_IMAGE, OLD\_IMAGE, NEW\_AND\_OLD\_IMAGES) | `` | `"NEW_AND_OLD_IMAGES"` | no |
| [tags](#input\_tags) | Additional tags to apply to the resources | `map(string)` | `{}` | no |
| [ttl\_attribute\_name](#input\_ttl\_attribute\_name) | Name of the table attribute used for TTL. Set to null to disable TTL | `string` | `"ttl"` | no |
| [ttl\_enabled](#input\_ttl\_enabled) | Enable TTL for the table | `bool` | `true` | no |
## Outputs
| Name | Description |
|------|-------------|
| [hash\_key](#output\_hash\_key) | Hash key attribute name |
| [range\_key](#output\_range\_key) | Range key attribute name |
| [stream\_arn](#output\_stream\_arn) | ARN of the DynamoDB table stream |
| [stream\_label](#output\_stream\_label) | Label of the DynamoDB table stream |
| [table\_arn](#output\_table\_arn) | ARN of the DynamoDB table |
| [table\_id](#output\_table\_id) | ID of the DynamoDB table (same as the table name) |
| [table\_name](#output\_table\_name) | Name of the DynamoDB table |
| [tags](#output\_tags) | Tags applied to the DynamoDB table |
## Examples
For a complete working example including GSIs, TTL and streams, see [example/](example/).