Support for RDS AddRoleToDBCluster with FeatureName

[dmlogs]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Resource object exists aws_rds_cluster which supports optional IAM Role attachments to the cluster via the argument iam_roles.

The implementation leverages AddRoleToDBCLuster to accomplish this task.

FeatureName is not listed as a required argument. For Amazon Aurora PostgreSQL attaching an IAM Role without a feature name results in The feature-name parameter must be provided with the current operation for the Aurora (PostgreSQL) engine.

Currently there is not a mechanism for attaching feature-name on the existing aws_rds_cluster resource. There is an aws_db_instance_role_association resource which accepts feature_name for attaching a role to an instance.

This request is to add a resource for associating a role to an RDS cluster.

New or Affected Resource(s)

• aws_rds_cluster_role_association

Potential Terraform Configuration

resource "aws_rds_cluster_role_association" "example" {
  cluster_identifier = "${aws_rds_cluster.example.id}"
  feature_name           = "s3Import"
  role_arn               = "${aws_iam_role.example.arn}"
}

References

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBCluster.html

https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-aurora-with-postgresql-compatibility-supports-data-import-from-amazon-s3/

https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBEngineVersion.html
SupportedFeatureNames:

• s3Import

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Migrating.html#USER_PostgreSQL.S3Import

[andyyaldoo]

I'd like to take this

[richardj-bsquare]

If you create the cluster in Terraform using the aws_rds_cluster resource then as a workaround you can manually add the role association via the console, Just remember to add:
lifecycle { ignore_changes = [iam_roles] }
to the aws_rds_cluster resource, otherwise, it complains that the associated role cannot be found in a manner similar to this:

Error: DBClusterRoleNotFound: Role ARN arn:aws:iam::********:role/rds-s3-import cannot be found for DB Cluster: ********. Verify your role ARN and try again. You might need to include the feature-name parameter. status code: 404, request id: 0aa8c5e2-a405-4161-a5e3-fce271cdbb52.

[jurajseffer]

@richardj-bsquare For us adding via AWS Console is enough, TF correctly picks up the association and no changes are shown in the plan even without the ignore. What AWS provider version do you use?

[richardj-bsquare]

No idea on the precise version, since I have a '~>' version specification on a rolling CI/CD deployment, so it would be whatever version was released prior to the post date above.

[jritsema]

If you create the cluster in Terraform using the aws_rds_cluster resource then as a workaround you can manually add the role association via the console, Just remember to add:
lifecycle { ignore_changes = [iam_roles] }
to the aws_rds_cluster resource, otherwise, it complains that the associated role cannot be found in a manner similar to this:

Error: DBClusterRoleNotFound: Role ARN arn:aws:iam::********:role/rds-s3-import cannot be found for DB Cluster: ********. Verify your role ARN and try again. You might need to include the feature-name parameter. status code: 404, request id: 0aa8c5e2-a405-4161-a5e3-fce271cdbb52.

Unfortunately, @richardj-bsquare's workaround is not working for me. After adding the role with the s3Import feature in the console, the resource becomes tainted and gets re-created.

Anyone know of any other workarounds?

Terraform v0.12.26
+ provider.aws v2.44.0

[jritsema]

Update: appears to work if I manually un-taint it

terraform untaint aws_rds_cluster.main

[antoxavier]

when you say it worked, do you mean you used lifecycle { ignore_changes = [iam_roles] } and terraform untaint aws_rds_cluster.main?

[jritsema]

yes @antoxavier

[antoxavier]

@jritsema i see this new code that has been added for aws_db_cluster_role_association. This will help lot of us but my question is should i upgrade to a newer version of terraform to consume this change?

https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_db_instance_role_association.go

if i am correct we are using 0.11

[jritsema]

no need to upgrade terraform itself...just terraform init -upgrade=true to upgrade the aws provider

[antoxavier]

@jritsema thank you

[kassemsandarusi]

The update still only adds instance-level association as opposed to role-level association. That's not necessarily conducive to using a count on the aws_rds_cluster_instance resource. Ideally the aws_rds_cluster resource should enhance the iam_roles field to also take a feature name per role. Then the AddRoleToDbCluster API call that happens within that resource should pass that along.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.