我正在尝试通过 Cloudformation 模板启动 RDS 堆栈。我想在我的数据库实例上启用增强监控。为此,必须在资源上指定 MonitoringRoleArn 属性。
据我了解,此 ARN 应指向已获得 AmazonRDSEnhancedMonitoringRole 策略的 IAM 服务角色,如下所述:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html
理想情况下,我还希望通过 Cloudformation 创建该角色。然而,就我的一生而言,我无法在 Cloudformation 模板中找到如何执行此操作的示例。事实证明,Cloudformer 工具并没有分析 IAM 资源。
有人做过吗?可以分享一个例子吗?
【问题讨论】:
标签: amazon-web-services amazon-rds amazon-cloudformation
在 YAML 中:
Role:
Type: 'AWS::IAM::Role'
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
AssumeRolePolicyDocument:
Version: '2008-10-17'
Statement:
- Effect: Allow
Principal:
Service: 'monitoring.rds.amazonaws.com'
Action: 'sts:AssumeRole'
然后您需要在 RDS 实例的 MonitoringRoleArn 属性中引用该角色,如下所示:
!GetAtt ["Role", "Arn"]
如果您需要 JSON 格式的示例,请告诉我。
【讨论】:
monitoring.rds.amazonaws.com 每 docs.aws.amazon.com/IAM/latest/UserGuide/… 添加第二个允许语句,以避免错误 IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING
monitoring.rds.amazonaws.com
Service: 'monitoring.rds.amazonaws.com'
就像 avisheks 提到的那样,发生了变化。
hellomichibye 中的示例不再有效。这是我在 YAML 中的代码(带有可配置参数):
Parameters:
EnableEnhancedMonitoring:
Description: 'Provide metrics in real time for the operating system (OS) that your DB instance runs on.'
Type: String
AllowedValues: [true, false]
Default: false
Conditions:
HasEnhancedMonitoring: !Equals [ !Ref EnableEnhancedMonitoring, 'true' ]
Resources:
EnhancedMonitoringRole:
Condition: HasEnhancedMonitoring
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: ''
Effect: Allow
Principal:
Service: monitoring.rds.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
Path: "/"
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
...
MonitoringInterval: !If [HasEnhancedMonitoring, 60, 0]
MonitoringRoleArn: !If [HasEnhancedMonitoring, !GetAtt ['EnhancedMonitoringRole', 'Arn'], !Ref 'AWS::NoValue']
...
【讨论】:
代码变化不大:
"EMRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
],
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "monitoring.rds.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"RoleName": "rds-monitoring-role"
}
}
更改:“服务”:“monitoring.rds.amazonaws.com”
叫它"MonitoringRoleArn": {"Fn::GetAtt" : [ "EMRole", "Arn" ] },
【讨论】:
谢谢大家,以上答案很有帮助,因此,我能够在 Terraform 中完成。认为下面的代码可能对某人有所帮助。
resource "aws_iam_role" "rds-enhanced-monitoring-role" {
name = "rds-enhanced-monitoring-role"
assume_role_policy = "${file("enhanced-rds-monitoring-policy.json")}"
description = "RDS enhanced monitoring role"
tags = {
Name = "rds-enhanced-monitoring-role"
}
}
resource "aws_iam_role_policy_attachment" "rds-enhanced-monitoring-role-policy-attachment" {
policy_arn = "${data.aws_iam_policy.iam-rds-enhanced-monitoring-access-policy.arn}"
role = "${aws_iam_role.rds-enhanced-monitoring-role.name}"
}
data "aws_iam_policy" "iam-rds-enhanced-monitoring-access-policy" {
arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}
enhanced-rds-monitoring-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "monitoring.rds.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
【讨论】: