Automatically create enhanced monitoring role (#21)

README.md

@@ -42,8 +42,10 @@ module "db" {
   backup_window      = "03:00-06:00"
 
   # Enhanced Monitoring - see example for details on how to create the role
+  # by yourself, in case you don't want to create it automatically
   monitoring_interval = "30"
-  monitoring_role_arn = "arn:aws:iam::123456789012:role/rds-monitoring-role"
+  monitoring_role_name = "MyRDSMonitoringRole"
+  create_monitoring_role = true
 
   tags = {
     Owner       = "user"

main.tf

@@ -72,8 +72,10 @@ module "db_instance" {
   backup_retention_period = "${var.backup_retention_period}"
   backup_window           = "${var.backup_window}"
 
-  monitoring_interval = "${var.monitoring_interval}"
-  monitoring_role_arn = "${var.monitoring_role_arn}"
+  monitoring_interval    = "${var.monitoring_interval}"
+  monitoring_role_arn    = "${var.monitoring_role_arn}"
+  monitoring_role_name   = "${var.monitoring_role_name}"
+  create_monitoring_role = "${var.create_monitoring_role}"
 
   tags = "${var.tags}"
 }

modules/db_instance/main.tf

 ##############
 # DB instance
 ##############
+
+resource "aws_iam_role" "enhanced_monitoring" {
+  count = "${var.create_monitoring_role ? 1 : 0}"
+
+  name               = "${var.monitoring_role_name}"
+  assume_role_policy = "${file("${path.module}/policy/enhancedmonitoring.json")}"
+}
+
+resource "aws_iam_policy_attachment" "enhanced_monitoring" {
+  count = "${var.create_monitoring_role ? 1 : 0}"
+
+  name       = "${var.monitoring_role_name}"
+  roles      = ["${aws_iam_role.enhanced_monitoring.name}"]
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
+
 resource "aws_db_instance" "this" {
   identifier = "${var.identifier}"
 
@@ -31,7 +47,7 @@ resource "aws_db_instance" "this" {
   iops                = "${var.iops}"
   publicly_accessible = "${var.publicly_accessible}"
   monitoring_interval = "${var.monitoring_interval}"
-  monitoring_role_arn = "${var.monitoring_role_arn}"
+  monitoring_role_arn = "${coalesce(var.monitoring_role_arn, join("", aws_iam_role.enhanced_monitoring.*.arn))}"
 
   allow_major_version_upgrade = "${var.allow_major_version_upgrade}"
   auto_minor_version_upgrade  = "${var.auto_minor_version_upgrade}"

modules/db_instance/policy/enhancedmonitoring.json

+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "monitoring.rds.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

modules/db_instance/variables.tf

@@ -114,6 +114,16 @@ variable "monitoring_role_arn" {
   default     = ""
 }
 
+variable "monitoring_role_name" {
+  description = "Name of the IAM role which will be created when create_monitoring_role is enabled."
+  default     = "rds-monitoring-role"
+}
+
+variable "create_monitoring_role" {
+  description = "Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs."
+  default     = false
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   default     = false

variables.tf

@@ -114,6 +114,16 @@ variable "monitoring_role_arn" {
   default     = ""
 }
 
+variable "monitoring_role_name" {
+  description = "Name of the IAM role which will be created when create_monitoring_role is enabled."
+  default     = "rds-monitoring-role"
+}
+
+variable "create_monitoring_role" {
+  description = "Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs."
+  default     = false
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   default     = false