Terraform实例monitoring_role_arn不工作

Question

我正在尝试使用Terraform创建一个AWS实例。我正在尝试使用PostgreSQL 12作为DB。除了监视部分之外，一切看起来都很好，因为我无法在脚本中指定'monitoring_role_arn‘。

下面是我创建PostgreSQL DB实例的Terraform脚本：

rds.tf

# AWS PSQL RDS Instance 
resource "aws_db_instance" "test-DB" {

  depends_on = [aws_security_group.test-PSQL-DB-SG, aws_iam_role.test-IAM-Role-RDS]

  // General Configurations
  name                 = "testdb"
  identifier = "am-poc-spoke1-db"
  engine               = "postgres"
  engine_version       = "12.5"
  instance_class       = "db.t2.micro" 
  parameter_group_name = "default.postgres12"
  port = "5432"

  // Authentication
  username             = "postgres"
  password             = "postgres"

  // Storage Configurations
  storage_type = "gp2"
  allocated_storage    = 20
  max_allocated_storage = 100

  // Networking and Security 
  vpc_security_group_ids = [aws_security_group.test-PSQL-DB-SG.id]
  availability_zone = "ap-southeast-1a"
  publicly_accessible = false

  // Backup Configuration
  backup_retention_period = 7
  backup_window = "16:00-16:30"
  copy_tags_to_snapshot = true

  // Monitoring and Performance Insight
  performance_insights_enabled = true
  performance_insights_retention_period = 7

  monitoring_interval = "60"
  monitoring_role_arn = aws_iam_role.test-IAM-Role-RDS.arn
  enabled_cloudwatch_logs_exports = ["postgresql"]

  // Other Configurations
  auto_minor_version_upgrade = false
  deletion_protection = false
  skip_final_snapshot = true

  tags = {
    Name = "test-DB"
  }
}

因为'monitoring_role_arn‘需要一个带有'AmazonRDSEnhancedMonitoringRole’策略的AWS角色，所以我也为此创建了一个脚本。

iam-role.tf

# IAM Role for RDS Enhanced Monitoring
resource "aws_iam_role" "test-IAM-Role-RDS" {

  name = "test-IAM-Role-RDS"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })

  tags = {
    Name = "test-IAM-Role-RDS"
  }
}

然后将策略添加到IAM角色中。

iam-role-policy.tf

# IAM Role Policy for RDS Enhanced Monitoring
resource "aws_iam_role_policy" "test-Enhanced-Monitoring-Policy" {

  depends_on = [aws_iam_role.test-IAM-Role-RDS]

  name = "test-Enhanced-Monitoring-Policy"
  role = aws_iam_role.test-IAM-Role-RDS.id

  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:RDS*"
            ]
        },
        {
            "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:RDS*:log-stream:*"
            ]
        }
    ]
  })
}

运行'terraform plan'时，不显示错误。但是，一旦我运行'terraform apply'，我将得到以下错误。

错误:创建DB实例的错误: InvalidParameterValue: IAM角色ARN值无效或不包括以下命令的必需权限: ENHANCED_MONITORING│状态代码: 400，请求id: 59e6127d-f393d-885 a-868e38415fc1，{

现在有谁能解决这个问题吗？

Answer 1

而不是使用AmazonRDSEnhancedMonitoringRole.的托管策略，而不是使用内联策略。也就是说，我们已经将AWS管理策略直接添加到IAM角色中。

此外，我还在IAM角色中将服务从ec2.amazonaws.com更改为monitoring.rds.amazonaws.com。这个错误实际上是被触发的，因为我们没有这个改变。认为它也可以与内联策略一起工作，但是我们可以避免使用AWS管理策略来增加代码行，而不是创建新的内联策略。

全面变动：

iam.tf

# IAM Role for RDS Enhanced Monitoring
resource "aws_iam_role" "test-IAM-Role-RDS" {

  name = "test-IAM-Role-RDS"
  assume_role_policy = jsonencode({
         Version = "2012-10-17"
          Statement = [
            {
              Action = "sts:AssumeRole"
              Effect = "Allow"
              Sid    = ""
              Principal = {
                Service = "monitoring.rds.amazonaws.com"
             }
            },
          ]
        })

  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"]

  tags = {
    Name = "test-IAM-Role-RDS"
  }
}