AWS Redshift Terraform module
January 8, 2026 ยท View on GitHub
Terraform module which creates Redshift resources on AWS.
Usage
module "redshift" {
source = "terraform-aws-modules/redshift/aws"
cluster_identifier = "example"
allow_version_upgrade = true
node_type = "ra3.xlplus"
number_of_nodes = 3
database_name = "mydb"
master_username = "mydbuser"
manage_master_password = true
manage_master_password_rotation = true
master_password_rotation_schedule_expression = "rate(90 days)"
encrypted = true
kms_key_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
vpc_id = "vpc-1234556abcdef"
enhanced_vpc_routing = true
availability_zone_relocation_enabled = true
snapshot_copy = {
destination_region = "us-east-1"
grant_name = "example-grant"
}
logging = {
bucket_name = "my-s3-log-bucket"
s3_key_prefix = "example/"
}
# Parameter group
parameter_group_name = "example-custom"
parameter_group_description = "Custom parameter group for example cluster"
parameter_group_parameters = {
wlm_json_configuration = {
name = "wlm_json_configuration"
value = jsonencode([
{
query_concurrency = 15
}
])
}
require_ssl = {
name = "require_ssl"
value = true
}
use_fips_ssl = {
name = "use_fips_ssl"
value = false
}
enable_user_activity_logging = {
name = "enable_user_activity_logging"
value = true
}
max_concurrency_scaling_clusters = {
name = "max_concurrency_scaling_clusters"
value = 3
}
enable_case_sensitive_identifier = {
name = "enable_case_sensitive_identifier"
value = true
}
}
parameter_group_tags = {
Additional = "CustomParameterGroup"
}
# Subnet group
subnet_group_name = "example-custom"
subnet_group_description = "Custom subnet group for example cluster"
subnet_ids = ["subnet-123456", "subnet-654321"]
subnet_group_tags = {
Additional = "CustomSubnetGroup"
}
# Snapshot schedule
snapshot_schedule = {
identifier = "example"
use_prefix = true
description = "Example snapshot schedule"
definitions = ["rate(12 hours)"]
force_destroy = true
}
# Scheduled actions
create_scheduled_action_iam_role = true
scheduled_actions = {
pause = {
name = "example-pause"
description = "Pause cluster every night"
schedule = "cron(0 22 * * ? *)"
target_action = {
pause_cluster = true
}
}
resize = {
name = "example-resize"
description = "Resize cluster (demo only)"
schedule = "cron(00 13 * * ? *)"
target_action = {
resize_cluster = {
node_type = "ds2.xlarge"
number_of_nodes = 5
}
}
}
resume = {
name = "example-resume"
description = "Resume cluster every morning"
schedule = "cron(0 12 * * ? *)"
target_action = {
resume_cluster = true
}
}
}
# Endpoint access
endpoint_access = {
example = {
name = "example-example"
subnet_group_name = "example-subnet-group"
vpc_security_group_ids = ["sg-12345678"]
}
}
# Usage limits
usage_limits = {
currency_scaling = {
feature_type = "concurrency-scaling"
limit_type = "time"
amount = 60
breach_action = "emit-metric"
}
spectrum = {
feature_type = "spectrum"
limit_type = "data-scanned"
amount = 2
breach_action = "disable"
tags = {
Additional = "CustomUsageLimits"
}
}
}
# Authentication profile
authentication_profiles = {
example = {
name = "example"
content = {
AllowDBUserOverride = "1"
Client_ID = "ExampleClientID"
App_ID = "example"
}
}
bar = {
content = {
AllowDBUserOverride = "1"
Client_ID = "ExampleClientID"
App_ID = "bar"
}
}
}
tags = {
Environment = "dev"
Terraform = "true"
}
}
Examples
- Complete Redshift example creates VPC with Redshift subnet, VPC security group and Redshift cluster itself.
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.11 |
| aws | >= 6.27 |
Providers
| Name | Version |
|---|---|
| aws | >= 6.27 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_iam_role.scheduled_action | resource |
| aws_iam_role_policy.scheduled_action | resource |
| aws_redshift_authentication_profile.this | resource |
| aws_redshift_cluster.this | resource |
| aws_redshift_cluster_iam_roles.this | resource |
| aws_redshift_endpoint_access.this | resource |
| aws_redshift_logging.this | resource |
| aws_redshift_parameter_group.this | resource |
| aws_redshift_scheduled_action.this | resource |
| aws_redshift_snapshot_copy.this | resource |
| aws_redshift_snapshot_schedule.this | resource |
| aws_redshift_snapshot_schedule_association.this | resource |
| aws_redshift_subnet_group.this | resource |
| aws_redshift_usage_limit.this | resource |
| aws_secretsmanager_secret_rotation.this | resource |
| aws_security_group.this | resource |
| aws_vpc_security_group_egress_rule.this | resource |
| aws_vpc_security_group_ingress_rule.this | resource |
| aws_iam_policy_document.scheduled_action | data source |
| aws_iam_policy_document.scheduled_action_assume | data source |
| aws_service_principal.scheduler_redshift | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_version_upgrade | If true, major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster. Default is true | bool | null | no |
| apply_immediately | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false | bool | null | no |
| authentication_profiles | Map of authentication profiles to create | map(object({ | {} | no |
| automated_snapshot_retention_period | The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with create-cluster-snapshot. Default is 1 | number | null | no |
| availability_zone | The EC2 Availability Zone (AZ) in which you want Amazon Redshift to provision the cluster. Can only be changed if availability_zone_relocation_enabled is true | string | null | no |
| availability_zone_relocation_enabled | If true, the cluster can be relocated to another availability zone, either automatically by AWS or when requested. Default is false. Available for use on clusters from the RA3 instance family | bool | null | no |
| cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string | null | no |
| cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs for the redshift cluster | number | 0 | no |
| cloudwatch_log_group_skip_destroy | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | bool | null | no |
| cloudwatch_log_group_tags | Additional tags to add to cloudwatch log groups created | map(string) | {} | no |
| cluster_identifier | The Cluster Identifier. Must be a lower case string | string | "" | no |
| cluster_timeouts | Create, update, and delete timeout configurations for the cluster | object({ | null | no |
| cluster_version | The version of the Amazon Redshift engine software that you want to deploy on the cluster. The version selected runs on all the nodes in the cluster | string | null | no |
| create | Determines whether to create Redshift cluster and resources (affects all resources) | bool | true | no |
| create_cloudwatch_log_group | Determines whether a CloudWatch log group is created for each var.logging.log_exports | bool | false | no |
| create_parameter_group | Determines whether to create a parameter group or use existing | bool | true | no |
| create_scheduled_action_iam_role | Determines whether a scheduled action IAM role is created | bool | false | no |
| create_security_group | Determines whether to create security group for Redshift cluster | bool | true | no |
| create_subnet_group | Determines whether to create a subnet group or use existing | bool | true | no |
| database_name | The name of the first database to be created when the cluster is created. If you do not provide a name, Amazon Redshift will create a default database called dev | string | null | no |
| default_iam_role_arn | The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created | string | null | no |
| elastic_ip | The Elastic IP (EIP) address for the cluster | string | null | no |
| encrypted | If true, the data in the cluster is encrypted at rest | bool | null | no |
| endpoint_access | Map of endpoint access (managed VPC endpoint) definitions to create | map(object({ | {} | no |
| enhanced_vpc_routing | If true, enhanced VPC routing is enabled | bool | null | no |
| final_snapshot_identifier | The identifier of the final snapshot that is to be created immediately before deleting the cluster. If this parameter is provided, skip_final_snapshot must be false | string | null | no |
| iam_role_arns | A list of IAM Role ARNs to associate with the cluster. A Maximum of 10 can be associated to the cluster at any time | list(string) | [] | no |
| iam_role_description | Description of the scheduled action IAM role | string | null | no |
| iam_role_name | Name to use on scheduled action IAM role created | string | null | no |
| iam_role_path | Scheduled action IAM role path | string | null | no |
| iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the scheduled action IAM role | string | null | no |
| iam_role_tags | A map of additional tags to add to the scheduled action IAM role created | map(string) | {} | no |
| iam_role_use_name_prefix | Determines whether scheduled action the IAM role name (iam_role_name) is used as a prefix | string | true | no |
| kms_key_arn | The ARN for the KMS encryption key. When specifying kms_key_arn, encrypted needs to be set to true | string | null | no |
| logging | Logging configuration for the cluster | object({ | null | no |
| maintenance_track_name | The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. Default value is current | string | null | no |
| manage_master_password | Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with master_password_wo. One of master_password_wo or manage_master_password is required unless snapshot_identifier is provided | bool | true | no |
| manage_master_password_rotation | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation | bool | false | no |
| manual_snapshot_retention_period | The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots. Valid values are between -1 and 3653. Default value is -1 | number | null | no |
| master_password_rotate_immediately | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window | bool | null | no |
| master_password_rotation_automatically_after_days | Specifies the number of days between automatic scheduled rotations of the secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified | number | null | no |
| master_password_rotation_duration | The length of the rotation window in hours. For example, 3h for a three hour window | string | null | no |
| master_password_rotation_schedule_expression | A cron() or rate() expression that defines the schedule for rotating your secret. Either master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression must be specified | string | null | no |
| master_password_secret_kms_key_id | ID of the KMS key used to encrypt the cluster admin credentials secret | string | null | no |
| master_password_wo | Password for the master DB user. Must contain at least 8 chars, one uppercase letter, one lowercase letter, and one number | string | null | no |
| master_password_wo_version | Used together with master_password_wo to trigger an update. Increment this value when an update to the master_password_wo is required | string | null | no |
| master_username | Username for the master DB user. Defaults to awsuser | string | "awsuser" | no |
| multi_az | Specifies if the Redshift cluster is multi-AZ | bool | null | no |
| node_type | The node type to be provisioned for the cluster | string | "" | no |
| number_of_nodes | Number of nodes in the cluster. Defaults to 1. Note: values greater than 1 will trigger cluster_type to switch to multi-node | number | 1 | no |
| owner_account | The AWS customer account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot | string | null | no |
| parameter_group_description | The description of the Redshift parameter group. Defaults to Managed by Terraform | string | null | no |
| parameter_group_family | The family of the Redshift parameter group | string | "redshift-2.0" | no |
| parameter_group_name | The name of the Redshift parameter group, existing or to be created | string | null | no |
| parameter_group_parameters | A list of Redshift parameters to apply | list(object({ | null | no |
| parameter_group_tags | Additional tags to add to the parameter group | map(string) | {} | no |
| port | The port number on which the cluster accepts incoming connections. Default port is 5439 | number | 5439 | no |
| preferred_maintenance_window | The weekly time range (in UTC) during which automated cluster maintenance can occur. Format: ddd:hh24:mi-ddd:hh24:mi | string | "sat:10:00-sat:10:30" | no |
| publicly_accessible | If true, the cluster can be accessed from a public network | bool | null | no |
| region | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | string | null | no |
| scheduled_actions | Map of scheduled action definitions to create | map(object({ | {} | no |
| security_group_description | The description of the security group. If value is set to empty string it will contain cluster name in the description | string | null | no |
| security_group_egress_rules | Map of security group egress rules to add to the security group created | map(object({ | {} | no |
| security_group_ingress_rules | Map of security group ingress rules to add to the security group created | map(object({ | {} | no |
| security_group_name | The security group name | string | "" | no |
| security_group_tags | Additional tags for the security group | map(string) | {} | no |
| security_group_use_name_prefix | Determines whether the security group name (security_group_name) is used as a prefix | bool | true | no |
| skip_final_snapshot | Determines whether a final snapshot of the cluster is created before Redshift deletes the cluster. If true, a final cluster snapshot is not created. If false , a final cluster snapshot is created before the cluster is deleted | bool | true | no |
| snapshot_arn | The ARN of the snapshot from which to create the new cluster. Conflicts with snapshot_identifier | string | null | no |
| snapshot_cluster_identifier | The name of the cluster the source snapshot was created from | string | null | no |
| snapshot_copy | Configuration of automatic copy of snapshots from one region to another | object({ | null | no |
| snapshot_identifier | The name of the snapshot from which to create the new cluster. Conflicts with snapshot_arn | string | null | no |
| snapshot_schedule | Configuration for creating a snapshot schedule and associating it with the cluster | object({ | null | no |
| subnet_group_description | The description of the Redshift Subnet group. Defaults to Managed by Terraform | string | null | no |
| subnet_group_name | The name of the Redshift subnet group, existing or to be created | string | null | no |
| subnet_group_tags | Additional tags to add to the subnet group | map(string) | {} | no |
| subnet_ids | An array of VPC subnet IDs to use in the subnet group | list(string) | [] | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| usage_limits | Map of usage limit definitions to create | map(object({ | {} | no |
| vpc_id | ID of the VPC where to create security group | string | "" | no |
| vpc_security_group_ids | A list of Virtual Private Cloud (VPC) security groups to be associated with the cluster | list(string) | [] | no |
Outputs
| Name | Description |
|---|---|
| authentication_profiles | Map of authentication profiles created and their associated attributes |
| cluster_arn | The Redshift cluster ARN |
| cluster_automated_snapshot_retention_period | The backup retention period |
| cluster_availability_zone | The availability zone of the Cluster |
| cluster_database_name | The name of the default database in the Cluster |
| cluster_dns_name | The DNS name of the cluster |
| cluster_encrypted | Whether the data in the cluster is encrypted |
| cluster_endpoint | The connection endpoint |
| cluster_hostname | The hostname of the Redshift cluster |
| cluster_id | The Redshift cluster ID |
| cluster_identifier | The Redshift cluster identifier |
| cluster_master_password | The Redshift cluster master password |
| cluster_master_username | The Redshift cluster master username |
| cluster_namespace_arn | The namespace Amazon Resource Name (ARN) of the cluster |
| cluster_node_type | The type of nodes in the cluster |
| cluster_nodes | The nodes in the cluster. Each node is a map of the following attributes: node_role, private_ip_address, and public_ip_address |
| cluster_parameter_group_name | The name of the parameter group to be associated with this cluster |
| cluster_port | The port the cluster responds on |
| cluster_preferred_maintenance_window | The backup window |
| cluster_public_key | The public key for the cluster |
| cluster_revision_number | The specific revision number of the database in the cluster |
| cluster_secretsmanager_secret_rotation_enabled | Specifies whether automatic rotation is enabled for the secret |
| cluster_subnet_group_name | The name of a cluster subnet group to be associated with this cluster |
| cluster_type | The Redshift cluster type |
| cluster_version | The version of Redshift engine software |
| cluster_vpc_security_group_ids | The VPC security group ids associated with the cluster |
| endpoint_access | A map of access endpoints created and their attributes |
| master_password_secret_arn | ARN of managed master password secret |
| parameter_group_arn | Amazon Resource Name (ARN) of the parameter group created |
| parameter_group_id | The name of the Redshift parameter group created |
| scheduled_action_iam_role_arn | Scheduled actions IAM role ARN |
| scheduled_action_iam_role_name | Scheduled actions IAM role name |
| scheduled_action_iam_role_unique_id | Stable and unique string identifying the scheduled action IAM role |
| scheduled_actions | A map of maps containing scheduled action details |
| snapshot_schedule_arn | Amazon Resource Name (ARN) of the Redshift Snapshot Schedule |
| subnet_group_arn | Amazon Resource Name (ARN) of the Redshift subnet group created |
| subnet_group_id | The ID of Redshift Subnet group created |
| usage_limits | Map of usage limits created and their associated attributes |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.