Support Attaching and Detaching IAM Roles to RDS Database Instances (e.g. Oracle S3 Integration)

[bflad]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon recently announced an integration between Amazon RDS for Oracle instances and Amazon S3: https://aws.amazon.com/about-aws/whats-new/2019/02/Amazon-RDS-for-Oracle-Now-Supports-Amazon-S3-Integration/

With Amazon S3 Integration, you can perform data ingress with Oracle Data Pump to migrate workloads into your RDS Oracle DB Instance. After exporting your data from your source instance, you upload your Data Pump files to your Amazon S3 bucket. You can then copy the files from your S3 bucket to the RDS Oracle host and finally use the DBMS_DATAPUMP package to import your data into the target RDS Oracle DB Instance.

With Amazon S3 Integration, you can also perform data egress out of your RDS Oracle DB instance. First, back up the data locally on the RDS Oracle host. This local backup can either be an Oracle RMAN backup or Oracle Data Pump export of the database. Once these files are created locally, you can copy the files to the S3 bucket. Optionally, you can move these backups from Amazon S3 to Amazon S3 Glacier for long term storage that complements your automated backup strategy. By using this method, you can satisfy regulatory requirements for storing database backups in an off-site location and, at the same time, cost effectively support your long-term retention policies.

Details for configuring this integration can be found at: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html

While we should already have the necessary support required for Option Groups, the DB Instance requires new management of IAM Role attachments. This is similar to DB Cluster attachments for IAM Roles, however DB Instance attachments also require a feature name.

New or Affected Resource(s)

• aws_db_instance or potentially a new aws_db_instance_role_attachment resource

Potential Terraform Configuration

# If implemented within the resource
resource "aws_db_instance" "example" {
  role {
    feature_name = "..."
    role_arn = "${aws_iam_role.example.arn}"
  }
}

# If implemented as a separate resource
resource "aws_db_instance_role_attachment" "example" {
  db_instance_identifier = "${aws_db_instance.example.id}"
  feature_name = "..."
  role_arn = "${aws_iam_role.example.arn}"
}

References

• https://aws.amazon.com/about-aws/whats-new/2019/02/Amazon-RDS-for-Oracle-Now-Supports-Amazon-S3-Integration/
• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/oracle-s3-integration.html
• Similar, but requires additional configuration as compared to: Feature Request: Specify IAM role(s) for RDS Cluster #382
• https://docs.aws.amazon.com/sdk-for-go/api/service/rds/#RDS.AddRoleToDBInstance
• https://docs.aws.amazon.com/sdk-for-go/api/service/rds/#RDS.RemoveRoleFromDBInstance

[bflad]

Pull request submitted: #8466

[bflad]

This should support the new Importing Amazon S3 Data into an RDS PostgreSQL DB Instance feature as well with something like:

resource "aws_db_instance_role_association" "test" {
  db_instance_identifier = "${aws_db_instance.test.id}"
  feature_name           = "s3Import"
  role_arn               = "${aws_iam_role.test.id}"
}

[nywilken]

The new aws_db_instance_role_association resource has been merged and will be released with version 2.9.0 of the Terraform AWS provider.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!