
Support for RDS AddRoleToDBCluster with FeatureName #9552

Closed
dmlogs opened this issue Jul 30, 2019 · 13 comments · Fixed by #12370
Labels
enhancement Requests to existing resources that expand the functionality or scope. new-resource Introduces a new resource. service/rds Issues and PRs that pertain to the rds service.

Comments

@dmlogs

dmlogs commented Jul 30, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Resource object exists aws_rds_cluster which supports optional IAM Role attachments to the cluster via the argument iam_roles.

The implementation leverages AddRoleToDBCluster to accomplish this task.

FeatureName is not listed as a required argument. For Amazon Aurora PostgreSQL, attaching an IAM Role without a feature name results in "The feature-name parameter must be provided with the current operation for the Aurora (PostgreSQL) engine."

Currently there is not a mechanism for attaching feature-name on the existing aws_rds_cluster resource. There is an aws_db_instance_role_association resource which accepts feature_name for attaching a role to an instance.

This request is to add a resource for associating a role to an RDS cluster.

New or Affected Resource(s)

  • aws_rds_cluster_role_association

Potential Terraform Configuration

resource "aws_rds_cluster_role_association" "example" {
  cluster_identifier = "${aws_rds_cluster.example.id}"
  feature_name       = "s3Import"
  role_arn           = "${aws_iam_role.example.arn}"
}

References

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBCluster.html

https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-aurora-with-postgresql-compatibility-supports-data-import-from-amazon-s3/

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBEngineVersion.html
SupportedFeatureNames:

  • s3Import

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Migrating.html#USER_PostgreSQL.S3Import
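As an added example (not from the issue or the provider's own code), here is how the requested resource fits together with a least-privilege import role, in Terraform 0.12 syntax and with the argument names the resource later shipped with (db_cluster_identifier, feature_name, role_arn); the bucket name, cluster identifier and password variable are placeholders.

```hcl
variable "db_password" {}

# Only the RDS service may assume the import role.
resource "aws_iam_role" "s3_import" {
  name = "rds-s3-import"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "rds.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: read-only access to the single import bucket (placeholder name).
resource "aws_iam_role_policy" "s3_import" {
  role = aws_iam_role.s3_import.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::EXAMPLE-IMPORT-BUCKET",
        "arn:aws:s3:::EXAMPLE-IMPORT-BUCKET/*",
      ]
    }]
  })
}

resource "aws_rds_cluster" "example" {
  cluster_identifier = "example-aurora-pg"
  engine             = "aurora-postgresql"
  master_username    = "postgres"
  master_password    = var.db_password

  # The association resource owns the role list, so the cluster must not
  # reconcile iam_roles itself (same ignore_changes as the thread's workaround).
  lifecycle {
    ignore_changes = [iam_roles]
  }
}

# Attaches the role with the feature name that Aurora PostgreSQL requires.
resource "aws_rds_cluster_role_association" "s3_import" {
  db_cluster_identifier = aws_rds_cluster.example.id
  feature_name          = "s3Import"
  role_arn              = aws_iam_role.s3_import.arn
}
```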

@dmlogs dmlogs added the enhancement Requests to existing resources that expand the functionality or scope. label Jul 30, 2019
@ghost ghost added the service/rds Issues and PRs that pertain to the rds service. label Jul 30, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 30, 2019
@bflad bflad added new-resource Introduces a new resource. and removed enhancement Requests to existing resources that expand the functionality or scope. needs-triage Waiting for first response or review from a maintainer. labels Jul 30, 2019
@andyyaldoo
Contributor

I'd like to take this

@richardj-bsquare

If you create the cluster in Terraform using the aws_rds_cluster resource, then as a workaround you can manually add the role association via the console. Just remember to add:
lifecycle { ignore_changes = [iam_roles] }
to the aws_rds_cluster resource; otherwise, it complains that the associated role cannot be found, in a manner similar to this:

Error: DBClusterRoleNotFound: Role ARN arn:aws:iam::********:role/rds-s3-import cannot be found for DB Cluster: ********. Verify your role ARN and try again. You might need to include the feature-name parameter. status code: 404, request id: 0aa8c5e2-a405-4161-a5e3-fce271cdbb52.

@jurajseffer
Contributor

@richardj-bsquare For us adding via AWS Console is enough, TF correctly picks up the association and no changes are shown in the plan even without the ignore. What AWS provider version do you use?

@richardj-bsquare

No idea on the precise version, since I have a '~>' version specification on a rolling CI/CD deployment, so it would be whatever version was released prior to the post date above.

@jritsema

jritsema commented Jun 12, 2020

> If you create the cluster in Terraform using the aws_rds_cluster resource then as a workaround you can manually add the role association via the console, Just remember to add:
> lifecycle { ignore_changes = [iam_roles] }
> to the aws_rds_cluster resource, otherwise, it complains that the associated role cannot be found in a manner similar to this:
>
> Error: DBClusterRoleNotFound: Role ARN arn:aws:iam::********:role/rds-s3-import cannot be found for DB Cluster: ********. Verify your role ARN and try again. You might need to include the feature-name parameter. status code: 404, request id: 0aa8c5e2-a405-4161-a5e3-fce271cdbb52.

Unfortunately, @richardj-bsquare's workaround is not working for me. After adding the role with the s3Import feature in the console, the resource becomes tainted and gets re-created.

Anyone know of any other workarounds?

Terraform v0.12.26
+ provider.aws v2.44.0

@jritsema

Update: appears to work if I manually un-taint it

terraform untaint aws_rds_cluster.main

@antoxavier

when you say it worked, do you mean you used lifecycle { ignore_changes = [iam_roles] } and terraform untaint aws_rds_cluster.main?

@jritsema

yes @antoxavier

@antoxavier

antoxavier commented Jul 2, 2020

@jritsema I see this new code that has been added for aws_db_cluster_role_association. This will help a lot of us, but my question is: should I upgrade to a newer version of terraform to consume this change?

https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_db_instance_role_association.go

If I am correct we are using 0.11

@jritsema

jritsema commented Jul 2, 2020

no need to upgrade terraform itself...just terraform init -upgrade=true to upgrade the aws provider

@antoxavier

@jritsema thank you

@kassemsandarusi

The update still only adds instance-level association as opposed to role-level association. That's not necessarily conducive to using a count on the aws_rds_cluster_instance resource. Ideally the aws_rds_cluster resource should enhance the iam_roles field to also take a feature name per role. Then the AddRoleToDbCluster API call that happens within that resource should pass that along.

@github-actions

github-actions bot commented Aug 6, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 6, 2021