dynamodb

package
v0.40.0-rc.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 26, 2026 License: MIT Imports: 10 Imported by: 0

README

DynamoDB Backend

The DynamoDB backend enables confd to retrieve configuration data from Amazon DynamoDB.

Configuration

The DynamoDB backend uses the AWS SDK for Go v2 credential chain, which checks credentials in the following order:

  1. Environment variables
  2. Shared credentials file (~/.aws/credentials)
  3. IAM role for EC2/ECS/EKS
Environment Variables
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_REGION=us-east-1
IAM Role for EC2/ECS/EKS

When running on AWS compute (EC2, ECS, EKS), confd can use the instance/task role automatically. No credential configuration is needed.

Required IAM Permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:DescribeTable"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/confd-config"
    }
  ]
}

Table Schema

The DynamoDB table must have the following schema:

Attribute Type Key
key String (S) Partition Key (HASH)
value String (S) -

Create the table:

aws dynamodb create-table \
  --region us-east-1 \
  --table-name confd-config \
  --attribute-definitions AttributeName=key,AttributeType=S \
  --key-schema AttributeName=key,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST

Options

Flag Description Default
--table DynamoDB table name Required
Environment Variables
Variable Description
AWS_ACCESS_KEY_ID AWS access key
AWS_SECRET_ACCESS_KEY AWS secret key
AWS_REGION AWS region
AWS_PROFILE Named profile from credentials file
DYNAMODB_LOCAL Enable local endpoint (for testing)
DYNAMODB_ENDPOINT_URL Custom DynamoDB endpoint URL

Basic Example

Add items to DynamoDB:

aws dynamodb put-item --table-name confd-config \
  --item '{"key": {"S": "/myapp/database/url"}, "value": {"S": "db.example.com"}}'

aws dynamodb put-item --table-name confd-config \
  --item '{"key": {"S": "/myapp/database/user"}, "value": {"S": "admin"}}'

aws dynamodb put-item --table-name confd-config \
  --item '{"key": {"S": "/myapp/database/password"}, "value": {"S": "secret123"}}'

Create template resource (/etc/confd/conf.d/myapp.toml):

[template]
src = "myapp.conf.tmpl"
dest = "/etc/myapp/config.conf"
keys = [
  "/myapp/database",
]

Create template (/etc/confd/templates/myapp.conf.tmpl):

[database]
url = {{getv "/myapp/database/url"}}
user = {{getv "/myapp/database/user"}}
password = {{getv "/myapp/database/password"}}

Run confd:

confd dynamodb --table confd-config --onetime

Advanced Example

Using Prefix-Based Retrieval

confd can retrieve all keys with a common prefix:

# Store hierarchical config
aws dynamodb put-item --table-name confd-config \
  --item '{"key": {"S": "/production/api/host"}, "value": {"S": "api.example.com"}}'
aws dynamodb put-item --table-name confd-config \
  --item '{"key": {"S": "/production/api/port"}, "value": {"S": "443"}}'
aws dynamodb put-item --table-name confd-config \
  --item '{"key": {"S": "/production/db/host"}, "value": {"S": "db.example.com"}}'

Template resource:

[template]
src = "app.conf.tmpl"
dest = "/etc/app/config.conf"
keys = [
  "/production",
]
Local Development with DynamoDB Local
# Start DynamoDB Local
docker run -p 8000:8000 amazon/dynamodb-local

# Create table
aws dynamodb create-table \
  --endpoint-url http://localhost:8000 \
  --table-name confd-config \
  --attribute-definitions AttributeName=key,AttributeType=S \
  --key-schema AttributeName=key,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST

# Run confd with local endpoint
export DYNAMODB_LOCAL=true
export DYNAMODB_ENDPOINT_URL=http://localhost:8000
export AWS_ACCESS_KEY_ID=dummy
export AWS_SECRET_ACCESS_KEY=dummy
export AWS_REGION=us-east-1

confd dynamodb --table confd-config --onetime
Kubernetes Deployment
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  serviceAccountName: confd-sa  # With IRSA configured
  containers:
  - name: myapp
    command:
    - confd
    - dynamodb
    - --table=confd-config
    - --interval=300

Watch Mode Support

Watch mode is not supported for the DynamoDB backend. Use interval mode (--interval) for periodic polling.

confd dynamodb --table confd-config --interval 60

Per-Resource Backend Configuration

Instead of using the global backend, individual template resources can specify their own DynamoDB backend configuration. This allows mixing backends within a single confd instance.

Add a [backend] section to your template resource file:

[template]
src = "myapp.conf.tmpl"
dest = "/etc/myapp/config.conf"
keys = [
  "/myapp/database",
]

[backend]
backend = "dynamodb"
table = "my-config-table"

Available backend options:

  • backend - Must be "dynamodb"
  • table - DynamoDB table name

Note: AWS credentials are still read from the environment or IAM role.

Data Retrieval Behavior

  1. Exact key lookup: First attempts to get the item by exact key match
  2. Prefix scan: If not found, scans for items with keys starting with the specified prefix
  3. Value type: Only string (S) type values are supported; other types are skipped with a warning

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

Client is a wrapper around the DynamoDB client and also holds the table to lookup key value pairs from

func NewDynamoDBClient 

func NewDynamoDBClient(table string) (*Client, error)

NewDynamoDBClient returns an *dynamodb.Client with a connection to the region configured via the AWS_REGION environment variable. It returns an error if the connection cannot be made or the table does not exist.

func (*Client) Close 

func (c *Client) Close() error

Close is a no-op for this backend.

func (*Client) GetValues 

func (c *Client) GetValues(ctx context.Context, keys []string) (map[string]string, error)

GetValues retrieves the values for the given keys from DynamoDB

func (*Client) HealthCheck 

func (c *Client) HealthCheck(ctx context.Context) error

HealthCheck verifies the backend connection is healthy. It checks that the DynamoDB table exists and is accessible.

func (*Client) HealthCheckDetailed 

func (c *Client) HealthCheckDetailed(ctx context.Context) (*types.HealthResult, error)

HealthCheckDetailed provides detailed health information for the DynamoDB backend.

func (*Client) WatchPrefix 

func (c *Client) WatchPrefix(ctx context.Context, prefix string, keys []string, waitIndex uint64, stopChan chan bool) (uint64, error)

WatchPrefix is not implemented

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.