Terraform-provider-aws: Support for RDS AddRoleToDBCluster with FeatureName

Created on 30 Jul 2019 · 12 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The resource aws_rds_cluster exists and supports optional IAM role attachments to the cluster via the argument iam_roles.

The implementation leverages AddRoleToDBCluster to accomplish this task.

_FeatureName_ is not listed as a required argument. For Amazon Aurora PostgreSQL, attaching an IAM role without a feature name results in "The feature-name parameter must be provided with the current operation for the Aurora (PostgreSQL) engine."

Currently there is no mechanism for attaching feature-name on the existing _aws_rds_cluster_ resource. There is an aws_db_instance_role_association resource which accepts feature_name for attaching a role to an instance.

This request is to add a resource for associating a role to an RDS cluster.

New or Affected Resource(s)

  • aws_rds_cluster_role_association

Potential Terraform Configuration

resource "aws_rds_cluster_role_association" "example" {
  cluster_identifier = "${aws_rds_cluster.example.id}"
  feature_name       = "s3Import"
  role_arn           = "${aws_iam_role.example.arn}"
}

References


https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBCluster.html

https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-aurora-with-postgresql-compatibility-supports-data-import-from-amazon-s3/

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBEngineVersion.html
SupportedFeatureNames:

  • s3Import

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Migrating.html#USER_PostgreSQL.S3Import

Labels: new-resource, service/rds
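As an added example, not code from the issue author or from the provider, here is what a complete configuration built on the proposed resource could look like, with the IAM side done at least privilege. The resource name and its arguments (cluster_identifier, feature_name, role_arn) are the schema proposed in this issue, not a shipped one; the bucket name, prefix, role and resource names, and the aws:SourceAccount trust condition are assumptions, and the syntax is Terraform 0.12+.

```hcl
# Added example (not from the issue or the provider). Demonstrates a
# least-privilege IAM role for Aurora PostgreSQL s3Import, attached with the
# association resource this issue proposes. Names and the bucket are placeholders.

variable "master_password" {
  type        = string
  description = "Master password for the example cluster (placeholder input)"
}

data "aws_caller_identity" "current" {}

# Trust policy: only the RDS service may assume the role, and only on behalf of
# this account. The aws:SourceAccount condition is an added hardening step that
# keeps a cluster in another account from using this role (confused deputy).
data "aws_iam_policy_document" "rds_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["rds.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "s3_import" {
  name               = "aurora-s3-import"
  assume_role_policy = data.aws_iam_policy_document.rds_assume.json
}

# Permissions: read-only, scoped to one bucket and one prefix. Import needs to
# list the bucket and read the objects under the import prefix; nothing else
# (no write actions, no other buckets).
data "aws_iam_policy_document" "s3_read" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-import-bucket"]
  }

  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-import-bucket/imports/*"]
  }
}

resource "aws_iam_role_policy" "s3_import" {
  name   = "aurora-s3-import-read"
  role   = aws_iam_role.s3_import.id
  policy = data.aws_iam_policy_document.s3_read.json
}

resource "aws_rds_cluster" "example" {
  cluster_identifier  = "aurora-pg-example"
  engine              = "aurora-postgresql"
  master_username     = "postgres"
  master_password     = var.master_password
  skip_final_snapshot = true

  # iam_roles is deliberately left unset: the provider calls AddRoleToDBCluster
  # without a feature name, which Aurora PostgreSQL rejects (the error quoted
  # in this issue).
}

# Proposed resource from this issue: carries the feature name that the
# iam_roles argument on aws_rds_cluster cannot express.
resource "aws_rds_cluster_role_association" "s3_import" {
  cluster_identifier = aws_rds_cluster.example.id
  feature_name       = "s3Import"
  role_arn           = aws_iam_role.s3_import.arn
}
```

The role is split from the cluster on purpose: a per-feature role with a read-only, prefix-scoped policy means that enabling S3 import does not hand the database engine broader S3 access than the import needs, and the trust condition makes the role unusable from any other account's cluster.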

All 12 comments

I'd like to take this

If you create the cluster in Terraform using the aws_rds_cluster resource, then as a workaround you can manually add the role association via the console. Just remember to add:
lifecycle { ignore_changes = [iam_roles] }
to the aws_rds_cluster resource, otherwise, it complains that the associated role cannot be found in a manner similar to this:

Error: DBClusterRoleNotFound: Role ARN arn:aws:iam::********:role/rds-s3-import cannot be found for DB Cluster: ********. Verify your role ARN and try again. You might need to include the feature-name parameter. status code: 404, request id: 0aa8c5e2-a405-4161-a5e3-fce271cdbb52.

@richardj-bsquare For us, adding via the AWS Console is enough; TF correctly picks up the association and no changes are shown in the plan, even without the ignore. What AWS provider version do you use?

No idea on the precise version, since I have a '~>' version specification on a rolling CI/CD deployment, so it would be whatever version was released prior to the post date above.

Unfortunately, @richardj-bsquare's workaround is not working for me. After adding the role with the s3Import feature in the console, the resource becomes tainted and gets re-created.

Anyone know of any other workarounds?

Terraform v0.12.26
+ provider.aws v2.44.0

Update: appears to work if I manually un-taint it

terraform untaint aws_rds_cluster.main

When you say it worked, do you mean you used lifecycle { ignore_changes = [iam_roles] } and terraform untaint aws_rds_cluster.main?

yes @antoxavier
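The stopgap discussed in the comments above, written out as an added example (not code from any commenter or from the provider), with the role attached through the AWS CLI instead of the console so the feature name is supplied explicitly. It assumes Terraform 0.12+, the AWS CLI on PATH with credentials for the same account, a null provider available, and that the role ARN is supplied as the variable s3_import_role_arn; cluster and variable names are placeholders.

```hcl
# Added example (not from the issue thread or the provider): keep the cluster
# in Terraform, make the s3Import association out of band with the CLI, and
# stop Terraform from reconciling a role list it did not configure.

variable "s3_import_role_arn" {
  type        = string
  description = "ARN of the IAM role Aurora assumes for s3Import (assumed input)"
}

variable "master_password" {
  type        = string
  description = "Master password for the example cluster (placeholder input)"
}

resource "aws_rds_cluster" "main" {
  cluster_identifier  = "aurora-pg-example"
  engine              = "aurora-postgresql"
  master_username     = "postgres"
  master_password     = var.master_password
  skip_final_snapshot = true

  # The association is created outside this resource, so tell Terraform to
  # leave the role list alone. Without this the provider tries to reconcile
  # iam_roles itself and the thread reports DBClusterRoleNotFound.
  lifecycle {
    ignore_changes = [iam_roles]
  }
}

# Attach the role with the feature name the provider cannot send. local-exec
# runs only when the null_resource is created (or its triggers change), and
# destroying it does not detach the role: the association intentionally lives
# outside Terraform state until a proper association resource exists.
resource "null_resource" "s3_import_role" {
  triggers = {
    cluster = aws_rds_cluster.main.id
    role    = var.s3_import_role_arn
  }

  provisioner "local-exec" {
    command = <<EOT
aws rds add-role-to-db-cluster \
  --db-cluster-identifier ${aws_rds_cluster.main.id} \
  --role-arn ${var.s3_import_role_arn} \
  --feature-name s3Import
EOT
  }
}
```

Because the association is invisible to Terraform under ignore_changes, a removed or rotated role will not show up in a plan; check the cluster's AssociatedRoles in DescribeDBClusters (or the console) as part of any review of the cluster's IAM access, and drop the null_resource once the cluster-level association resource requested in this issue is available.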

@jritsema I see this new code that has been added for aws_db_cluster_role_association. This will help a lot of us, but my question is: should I upgrade to a newer version of Terraform to consume this change?

https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_db_instance_role_association.go

If I am correct, we are using 0.11.

No need to upgrade Terraform itself; just run terraform init -upgrade=true to upgrade the AWS provider.

@jritsema thank you

The update still only adds instance-level association as opposed to role-level association. That's not necessarily conducive to using a count on the aws_rds_cluster_instance resource. Ideally the aws_rds_cluster resource should enhance the iam_roles field to also take a feature name per role. Then the AddRoleToDBCluster API call that happens within that resource should pass that along.
