CloudFormation template for AmazonRDSEnhancedMonitoringRole

Date: 2016-10-27 21:54:03

Tags: amazon-web-services amazon-rds amazon-cloudformation

I am trying to launch an RDS stack from a CloudFormation template. I want to enable Enhanced Monitoring on my DB instance. To do that, the MonitoringRoleArn property has to be specified on the resource.

As I understand it, this ARN should point to an IAM service role that has been granted the AmazonRDSEnhancedMonitoringRole policy, as described here:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html

I would also like to create that role via CloudFormation. However, for the life of me I cannot find an example of how to do this in a CloudFormation template. It turns out that the CloudFormer tool does not analyze IAM resources.

Has anyone done this? Could you share an example?

4 answers:

Answer 0 (score: 6)

In YAML:

Role:
  Type: 'AWS::IAM::Role'
  Properties:
    ManagedPolicyArns:
    - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
    AssumeRolePolicyDocument:
      Version: '2008-10-17'
      Statement:
      - Effect: Allow
        Principal:
          Service: 'rds.amazonaws.com'
        Action: 'sts:AssumeRole'

You then need to reference the role in the MonitoringRoleArn property of the RDS instance, like this:

!GetAtt ["Role", "Arn"]

Let me know if you need the example in JSON.

Answer 1 (score: 1)

The code has barely changed:

    "EMRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
            ],
            "AssumeRolePolicyDocument": {
                "Version": "2008-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "monitoring.rds.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "RoleName": "rds-monitoring-role"
        }
    }

Change: "Service": "monitoring.rds.amazonaws.com"

Referenced as: "MonitoringRoleArn": {"Fn::GetAtt" : [ "EMRole", "Arn" ] },

Answer 2 (score: 0)

As avisheks mentioned, things have changed. The example from hellomichibye no longer works. Here is my code in YAML (with a configurable parameter):

Parameters:
  EnableEnhancedMonitoring:
    Description: 'Provide metrics in real time for the operating system (OS) that your DB instance runs on.'
    Type: String
    AllowedValues: [true, false]
    Default: false

Conditions:
  HasEnhancedMonitoring: !Equals [ !Ref EnableEnhancedMonitoring, 'true' ]

Resources:
  EnhancedMonitoringRole:
    Condition: HasEnhancedMonitoring
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: monitoring.rds.amazonaws.com
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
      Path: "/"

  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      ...
      MonitoringInterval: !If [HasEnhancedMonitoring, 60, 0]
      MonitoringRoleArn: !If [HasEnhancedMonitoring, !GetAtt ['EnhancedMonitoringRole', 'Arn'], !Ref 'AWS::NoValue']
      ...
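Answers 1 and 2 both hinge on one detail: the role's trust policy must name the monitoring.rds.amazonaws.com service principal, not the older rds.amazonaws.com from answer 0. The following is an added example, not code from any of the answers: a small Python check that walks a CloudFormation template already parsed into a dict (for a JSON template, `json.load`), finds every AWS::IAM::Role, and reports roles that lack the managed policy, still trust the legacy principal, or trust a wildcard principal. The sample template, `_sample_role` and `SAMPLE_TEMPLATE` are constructed here for illustration.

```python
# Service principal RDS Enhanced Monitoring uses now (answers 1 and 2 above).
EXPECTED_PRINCIPAL = "monitoring.rds.amazonaws.com"
# Principal from answer 0; the thread reports it no longer works.
LEGACY_PRINCIPAL = "rds.amazonaws.com"
MONITORING_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"

def _as_list(value):
    """IAM accepts either a string or a list for Action, Service and ManagedPolicyArns."""
    return [value] if isinstance(value, str) else list(value or [])

def check_monitoring_role(resource):
    """Return findings (strings) for one AWS::IAM::Role resource dict; empty list means OK."""
    findings = []
    props = resource.get("Properties", {})
    if MONITORING_POLICY not in _as_list(props.get("ManagedPolicyArns")):
        findings.append("AmazonRDSEnhancedMonitoringRole managed policy is not attached")
    trusted = False
    for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" or {"AWS": "*"} would let any AWS principal assume the role.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal to assume the role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if LEGACY_PRINCIPAL in services:
            findings.append(f"legacy principal {LEGACY_PRINCIPAL}; use {EXPECTED_PRINCIPAL}")
        trusted = trusted or EXPECTED_PRINCIPAL in services
    if not trusted:
        findings.append(f"no Allow sts:AssumeRole statement for {EXPECTED_PRINCIPAL}")
    return findings

def check_template(template):
    """Check every AWS::IAM::Role in a parsed template; returns {logical_id: findings}."""
    return {name: check_monitoring_role(res)
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Role"}

def _sample_role(service):
    # Constructed minimal role resource trusting the given service (hypothetical helper).
    return {"Type": "AWS::IAM::Role", "Properties": {
        "ManagedPolicyArns": [MONITORING_POLICY],
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}}}

# Constructed sample: EMRole mirrors answer 1, OldRole mirrors answer 0's trust policy.
SAMPLE_TEMPLATE = {"Resources": {"EMRole": _sample_role(EXPECTED_PRINCIPAL),
                                 "OldRole": _sample_role(LEGACY_PRINCIPAL)}}

if __name__ == "__main__":
    for role, findings in check_template(SAMPLE_TEMPLATE).items():
        print(role, "OK" if not findings else "; ".join(findings))
```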

Answer 3 (score: 0)

Thanks, the answers above were helpful, and with them I was able to do this in Terraform. Posting the code below in case it helps someone.

resource "aws_iam_role" "rds-enhanced-monitoring-role" {
  name               = "rds-enhanced-monitoring-role"
  assume_role_policy = "${file("enhanced-rds-monitoring-policy.json")}"
  description        = "RDS enhanced monitoring role"
  tags = {
    Name = "rds-enhanced-monitoring-role"
  }
}

resource "aws_iam_role_policy_attachment" "rds-enhanced-monitoring-role-policy-attachment" {
  policy_arn = "${data.aws_iam_policy.iam-rds-enhanced-monitoring-access-policy.arn}"
  role       = "${aws_iam_role.rds-enhanced-monitoring-role.name}"
}

data "aws_iam_policy" "iam-rds-enhanced-monitoring-access-policy" {
  arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

enhanced-rds-monitoring-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "monitoring.rds.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}