Cloudformation template for AmazonRDSEnhancedMonitoringRole

10
votes

I am attempting to spin up an RDS stack via a Cloudformation template. I would like to enable Enhanced Monitoring on my DB instances. In order to do that, the MonitoringRoleArn property must be specified on the resource.

As I understand it, this ARN should point to an IAM Service Role that has been given the AmazonRDSEnhancedMonitoringRole policy, as described here:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html

I would ideally like to also create that role via Cloudformation. For the life of me, however, I can not find an example of how to do this in a Cloudformation template. And it turns out that the Cloudformer tool does not analyze IAM resources.

Has anyone done this? Can you share an example?

4
amazon-web-servicesamazon-rdsamazon-cloudformation

4 Answers

14
votes

in YAML:

Role:
  Type: 'AWS::IAM::Role'
  Properties:
    ManagedPolicyArns:
    - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
    AssumeRolePolicyDocument:
      Version: '2008-10-17'
      Statement:
      - Effect: Allow
        Principal:
          Service: 'monitoring.rds.amazonaws.com'
        Action: 'sts:AssumeRole'

You then need to reference the role in your RDS instance's MonitoringRoleArn property like this:

!GetAtt ["Role", "Arn"]

If you need the example in JSON let me know.

7
votes

Like avisheks mentioned, there was a change.
The example from hellomichibye doesn't work anymore. This is my code in YAML (with configurable parameter):

Parameters:
  EnableEnhancedMonitoring:
    Description: 'Provide metrics in real time for the operating system (OS) that your DB instance runs on.'
    Type: String
    AllowedValues: [true, false]
    Default: false

Conditions:
  HasEnhancedMonitoring: !Equals [ !Ref EnableEnhancedMonitoring, 'true' ]

Resources:
  EnhancedMonitoringRole:
    Condition: HasEnhancedMonitoring
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: monitoring.rds.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
      Path: "/"

  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      ...
      MonitoringInterval: !If [HasEnhancedMonitoring, 60, 0]
      MonitoringRoleArn: !If [HasEnhancedMonitoring, !GetAtt ['EnhancedMonitoringRole', 'Arn'], !Ref 'AWS::NoValue']
      ...
3
votes

There is little change in the code:

    "EMRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
            ],
            "AssumeRolePolicyDocument": {
                "Version": "2008-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "monitoring.rds.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "RoleName": "rds-monitoring-role"
        }
    }

Change: "Service": "monitoring.rds.amazonaws.com"

Call it as "MonitoringRoleArn": {"Fn::GetAtt" : [ "EMRole", "Arn" ] },

1
votes

Thanks all, the above answers are helpful and because of that, I was able to accomplish in Terraform. Thinking the below code can be helpful to someone. 

resource "aws_iam_role" "rds-enhanced-monitoring-role" {
  name                = "rds-enhanced-monitoring-role"
  assume_role_policy  = "${file("enhanced-rds-monitoring-policy.json")}"
  description         = "RDS enhanced monitoring role"
  tags = {
      Name            = "rds-enhanced-monitoring-role"
  }
}

resource "aws_iam_role_policy_attachment" "rds-enhanced-monitoring-role-policy-attachment" {
  policy_arn          = "${data.aws_iam_policy.iam-rds-enhanced-monitoring-access-policy.arn}"
  role                = "${aws_iam_role.rds-enhanced-monitoring-role.name}" 
}

data "aws_iam_policy" "iam-rds-enhanced-monitoring-access-policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

enhanced-rds-monitoring-policy.json

{
"Version": "2012-10-17",
"Statement": [
   {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "monitoring.rds.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    }
]
}