【Question Title】: Cloudformation template for AmazonRDSEnhancedMonitoringRole
【Posted】: 2017-03-10 17:44:58
【Question Description】:

I am trying to launch an RDS stack via a Cloudformation template. I want to enable Enhanced Monitoring on my DB instance. To do that, the MonitoringRoleArn property must be specified on the resource.

As I understand it, this ARN should point to an IAM service role that has been granted the AmazonRDSEnhancedMonitoringRole policy, as described here:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html

Ideally I would also like to create that role via Cloudformation. However, for the life of me, I cannot find an example of how to do this in a Cloudformation template. It turns out the Cloudformer tool does not analyze IAM resources.

Has anyone done this? Could you share an example?

【Question Discussion】:

    Tags: amazon-web-services amazon-rds amazon-cloudformation


【Solution 1】:

In YAML:

    Role:
      Type: 'AWS::IAM::Role'
      Properties:
        ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
        AssumeRolePolicyDocument:
          Version: '2008-10-17'
          Statement:
          - Effect: Allow
            Principal:
              Service: 'monitoring.rds.amazonaws.com'
            Action: 'sts:AssumeRole'
    

Then you need to reference the role in the MonitoringRoleArn property of the RDS instance, like this:

    !GetAtt ["Role", "Arn"]


Let me know if you need an example in JSON.

【Discussion】:

• I had to add a second Allow statement for monitoring.rds.amazonaws.com (docs.aws.amazon.com/IAM/latest/UserGuide/…) to avoid the error "IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING"
• Possibly because you have enhanced monitoring enabled?
• The trusted entity must be monitoring.rds.amazonaws.com
• Can confirm, please update to Service: 'monitoring.rds.amazonaws.com'
• I updated the answer accordingly with monitoring.rds.amazonaws.com

【Solution 2】:

As avisheks mentioned, things have changed.
The example from hellomichibye no longer works. Here is my code in YAML (with a configurable parameter):

    Parameters:
      EnableEnhancedMonitoring:
        Description: 'Provide metrics in real time for the operating system (OS) that your DB instance runs on.'
        Type: String
        AllowedValues: [true, false]
        Default: false
    
    Conditions:
      HasEnhancedMonitoring: !Equals [ !Ref EnableEnhancedMonitoring, 'true' ]
    
    Resources:
      EnhancedMonitoringRole:
        Condition: HasEnhancedMonitoring
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Sid: ''
              Effect: Allow
              Principal:
                Service: monitoring.rds.amazonaws.com
              Action: sts:AssumeRole
          ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
          Path: "/"
    
      DBInstance:
        Type: AWS::RDS::DBInstance
        Properties:
          ...
          MonitoringInterval: !If [HasEnhancedMonitoring, 60, 0]
          MonitoringRoleArn: !If [HasEnhancedMonitoring, !GetAtt ['EnhancedMonitoringRole', 'Arn'], !Ref 'AWS::NoValue']
          ...
    

【Discussion】:

【Solution 3】:

Slight change to the code:

    "EMRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
            ],
            "AssumeRolePolicyDocument": {
                "Version": "2008-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "monitoring.rds.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "RoleName": "rds-monitoring-role"
        }
    }
      

Change: "Service": "monitoring.rds.amazonaws.com"

Reference it with "MonitoringRoleArn": {"Fn::GetAtt" : [ "EMRole", "Arn" ] },

【Discussion】:

【Solution 4】:

Thanks everyone, the answers above were helpful, and with them I was able to do it in Terraform. Thought the code below might help someone.

    resource "aws_iam_role" "rds-enhanced-monitoring-role" {
      name                = "rds-enhanced-monitoring-role"
      assume_role_policy  = "${file("enhanced-rds-monitoring-policy.json")}"
      description         = "RDS enhanced monitoring role"
      tags = {
          Name            = "rds-enhanced-monitoring-role"
      }
    }

    resource "aws_iam_role_policy_attachment" "rds-enhanced-monitoring-role-policy-attachment" {
      policy_arn          = "${data.aws_iam_policy.iam-rds-enhanced-monitoring-access-policy.arn}"
      role                = "${aws_iam_role.rds-enhanced-monitoring-role.name}"
    }

    data "aws_iam_policy" "iam-rds-enhanced-monitoring-access-policy" {
      arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
    }


enhanced-rds-monitoring-policy.json

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "monitoring.rds.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }


【Discussion】:
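The answers above all converge on two requirements: the role must trust exactly the monitoring.rds.amazonaws.com service principal, and it must carry the AmazonRDSEnhancedMonitoringRole managed policy. The following is an added example, not code from the question or from any of the answers, of a small pre-deploy check that reads a CloudFormation template in its JSON form (solution 3's shape) and reports a role that is missing either piece, or that trusts more than the RDS monitoring service. The sample templates inside it are constructed; the function names check_monitoring_role and check_template are this example's own.

```python
"""Static check of a CloudFormation IAM role for RDS Enhanced Monitoring.

Added example (not code from the question or any answer). It encodes the
two requirements the answers converge on: the role must trust the
monitoring.rds.amazonaws.com service principal, and it must carry the
AmazonRDSEnhancedMonitoringRole managed policy. It also flags trust
policies that are broader than that. The sample templates are constructed.
"""
import copy

REQUIRED_SERVICE = "monitoring.rds.amazonaws.com"
REQUIRED_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
)


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_monitoring_role(role):
    """Return a list of findings for one AWS::IAM::Role resource.

    An empty list means the role satisfies the Enhanced Monitoring
    requirements and trusts nothing beyond the RDS monitoring service.
    """
    findings = []
    if role.get("Type") != "AWS::IAM::Role":
        findings.append("resource is not an AWS::IAM::Role")
    props = role.get("Properties", {})

    if REQUIRED_POLICY_ARN not in _as_list(props.get("ManagedPolicyArns")):
        findings.append("AmazonRDSEnhancedMonitoringRole managed policy is not attached")

    trust_doc = props.get("AssumeRolePolicyDocument", {})
    trusted = False
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy lets any principal assume the role")
            continue
        # Account or user principals do not belong on a service role.
        if _as_list(principal.get("AWS")):
            findings.append("trust policy grants AWS account/user principals, not only the RDS monitoring service")
        services = _as_list(principal.get("Service"))
        if REQUIRED_SERVICE in services:
            trusted = True
        for svc in services:
            if svc != REQUIRED_SERVICE:
                findings.append(f"unexpected service principal trusted: {svc}")
    if not trusted:
        findings.append(f"no Allow sts:AssumeRole statement for {REQUIRED_SERVICE}")
    return findings


def check_template(template):
    """Run check_monitoring_role over every IAM role in a template dict."""
    return {
        name: check_monitoring_role(res)
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
    }


# Constructed sample: the same shape as the JSON role in solution 3.
GOOD_TEMPLATE = {
    "Resources": {
        "EMRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [REQUIRED_POLICY_ARN],
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": REQUIRED_SERVICE},
                        "Action": "sts:AssumeRole",
                    }],
                },
            },
        }
    }
}

# Constructed sample of a misconfigured role: the managed policy is missing
# and the trust policy lets any AWS principal assume the role.
BAD_ROLE = copy.deepcopy(GOOD_TEMPLATE["Resources"]["EMRole"])
BAD_ROLE["Properties"]["ManagedPolicyArns"] = []
BAD_ROLE["Properties"]["AssumeRolePolicyDocument"]["Statement"][0]["Principal"] = {"AWS": "*"}

if __name__ == "__main__":
    for name, found in check_template(GOOD_TEMPLATE).items():
        print(name, "OK" if not found else found)
    for line in check_monitoring_role(BAD_ROLE):
        print("BAD_ROLE:", line)
```

Feed it the output of `aws cloudformation get-template` (or json.load of the template file) before deploying; the check is deliberately stricter than what the RDS API enforces, because the error quoted in the comments under solution 1 only tells you the role is unusable, not that it is over-trusted.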
