hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

IAM Role ARN value is invalid or does not include the required permissions for AWS Role Integration #20945

Open rbizzell40 opened 3 years ago

rbizzell40 commented 3 years ago

Community Note: Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request. If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Terraform Version

Terraform 0.14.0, AWS Provider 3.38.0

...

Terraform Configuration Files

Postgres.tf
resource "aws_rds_cluster_instance" "aurora_postgresql_instance" {
  count              = local.number_of_private_subnets
  identifier         = "${var.prefix}-${count.index}"
  cluster_identifier = aws_rds_cluster.aurora_postgresql_cluster.id
  instance_class     = var.rds_instance_type.stg
  engine             = aws_rds_cluster.aurora_postgresql_cluster.engine
  engine_version     = local.engine_version
  depends_on         = [aws_rds_cluster.aurora_postgresql_cluster]
  tags = {
    "Name" = "${var.prefix}-${count.index}"
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_rds_cluster" "aurora_postgresql_cluster" {
  cluster_identifier = var.prefix
  # used to access database name
  engine                      = "aurora-postgresql"
  engine_version              = local.engine_version
  database_name               = var.database_name
  db_subnet_group_name        = data.terraform_remote_state.vpc.outputs.ap2_db_subnet_group
  iam_database_authentication_enabled = true
  iam_roles                   = [aws_iam_role.role.arn]  # list of role ARNs the cluster may assume
  allow_major_version_upgrade = true
  master_password             = var.master_password
  master_username             = var.master_username
  kms_key_id                  = aws_kms_key.ap2_key.arn
  storage_encrypted           = true
  backup_retention_period     = 7
  skip_final_snapshot         = true
  availability_zones          = data.aws_availability_zones.available.names
  vpc_security_group_ids      = [aws_security_group.rds_postgres.id]
  tags = {
    Name = "postgres"
  }

  lifecycle {
    create_before_destroy = true
  }
}

IAM.tf
data "aws_iam_policy_document" "test-rds-s3" {
  statement {
    effect = "Allow"
    actions = [
      "s3:ListBucket"
    ]

    resources = [
      "arn:aws:s3:::${var.bucket_name}"
    ]
  }

  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject"
    ]

    # s3:GetObject is an object-level action, so the resource must be the
    # object ARN (bucket/*), not the bucket ARN used for s3:ListBucket above.
    resources = [
      "arn:aws:s3:::${var.bucket_name}/*"
    ]
  }
}

resource "aws_iam_policy" "test-rds-s3-import-policy" {
  name        = "rdss3"
  description = "s3 import policy access"
  policy      = data.aws_iam_policy_document.test-rds-s3.json
}

data "aws_iam_policy_document" "test-rds-role-policy" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole",
    ]
    principals {
      identifiers = ["rds.amazonaws.com"]
      type = "Service"
    }
  }
}

resource "aws_iam_role" "role" {
  name               = "s3role"
  assume_role_policy = data.aws_iam_policy_document.test-rds-role-policy.json

  tags = {
    Name = "s3role"
  }
}

resource "aws_iam_role_policy_attachment" "test-rds-s3-attach-role" {
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.test-rds-s3-import-policy.arn
}

...

Debug Output

Expected Behavior

Actual Behavior

Terraform CLI 0.14.0, Terraform AWS Provider Version 3.38.0

Affected Resources

AWS RDS Aurora Cluster Database and AWS RDS Aurora Cluster Instances

Steps to Reproduce

justinretzolk commented 3 years ago

Hey @rbizzell40 👋 Thank you for submitting this issue. So that we have all of the necessary information in order to best look into this, would you mind updating the issue with the rest of the template?

rbizzell40 commented 3 years ago

I updated the information with everything from the template. I created a gist with the link to the debug output; please let me know if I am missing anything.

On Fri, Sep 17, 2021 at 1:21 PM Justin Retzolk @.***> wrote:

Hey @rbizzell40 https://github.com/rbizzell40 👋 Thank you for submitting this issue. So that we have all of the necessary information in order to best look into this, would you mind updating the issue with the rest of the template https://github.com/hashicorp/terraform-provider-aws/blob/main/.github/ISSUE_TEMPLATE/Bug_Report.md ?


justinretzolk commented 3 years ago

@rbizzell40 thanks for updating the issue! Unfortunately it looks like the gist link may not have made it into the debug section - would you mind adding that, as well as the "Community Note" section (in case anyone else runs into this and needs the information on how to add their voice to the issue)?

rbizzell40 commented 3 years ago

Ok, let me do that, thanks.

On Fri, Sep 17, 2021, 1:40 PM Justin Retzolk @.***> wrote:

@rbizzell40 https://github.com/rbizzell40 thanks for updating the issue! Unfortunately it looks like the gist link may not have made it into the debug section - would you mind adding that, as well as the "Community Note" section (in case anyone else runs into this and needs the information on how to add their voice to the issue)?


justinretzolk commented 3 years ago

Hey @rbizzell40 - thank you for getting that information over to us. In taking a quick glance over the gist, it appears you may have some credentials in there. I'm not able to redact that from my end, so would recommend you take a quick look and rotate any credentials as necessary.

rbizzell40 commented 3 years ago

Ok, I will do that.

On Fri, Sep 17, 2021, 2:42 PM Justin Retzolk @.***> wrote:

Hey @rbizzell40 https://github.com/rbizzell40 - thank you for getting that information over to us. In taking a quick glance over the gist, it appears you may have some credentials in there. I'm not able to redact that from my end, so would recommend you take a quick look and rotate any credentials as necessary.


rbizzell40 commented 3 years ago

Any update?

eternaltyro commented 1 year ago

~This affects me as well.~ AWS provider version 5.1.0

Edit: False alarm! See below.

eternaltyro commented 1 year ago

I must retract my previous comment. The issue was that I was trying to assign a monitoring role (that was supposed to be associated with the cluster instance) to the RDS Cluster, which only takes a service-linked role.
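The split described in the comment above, as an added example that is not part of the issue or of the provider's own code: the S3 import role goes in the cluster's iam_roles and is trusted by rds.amazonaws.com, while the Enhanced Monitoring role goes in the instance's monitoring_role_arn and is trusted by monitoring.rds.amazonaws.com. Role names, the instance class, the master credential variables and the aws:SourceAccount condition are assumptions; the managed policy ARN is AWS's AmazonRDSEnhancedMonitoringRole.

```hcl
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "s3_import_trust" { # S3 import: rds.amazonaws.com
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["rds.amazonaws.com"]
    }
    condition { # confused-deputy guard: only RDS in this account may assume it
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
resource "aws_iam_role" "s3_import" {
  name               = "rds-s3-import"
  assume_role_policy = data.aws_iam_policy_document.s3_import_trust.json
}
data "aws_iam_policy_document" "monitoring_trust" { # Enhanced Monitoring principal
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "monitoring" {
  name               = "rds-enhanced-monitoring"
  assume_role_policy = data.aws_iam_policy_document.monitoring_trust.json
}
resource "aws_iam_role_policy_attachment" "monitoring" {
  role       = aws_iam_role.monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}
resource "aws_rds_cluster" "example" {
  engine          = "aurora-postgresql"
  master_username = var.master_username
  master_password = var.master_password
  iam_roles       = [aws_iam_role.s3_import.arn] # cluster-level feature role
}
resource "aws_rds_cluster_instance" "example" {
  cluster_identifier  = aws_rds_cluster.example.id
  instance_class      = "db.r5.large"
  engine              = aws_rds_cluster.example.engine
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.monitoring.arn # instance-level, not iam_roles
}
```

iam_roles and monitoring_role_arn are separate attributes on separate resources, so a role trusted by the wrong service principal is rejected by RDS with the error quoted in the issue title.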