RDS Enhanced Monitoring MonitoringRoleARN value is required #5455

Closed
deanmraz opened this issue Mar 4, 2016 · 10 comments

deanmraz commented Mar 4, 2016

I am getting a weird issue when trying to enable RDS enhanced monitoring.

  • aws_db_instance.mysql: Error modifying DB Instance : InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0.

I do have the variable set and I've copied the implementation used in the test case here: stack72@e87d3bb

I wonder if it has something to do with expecting capital ARN in MonitoringRoleARN, but when I try various variables it fails as invalid.

My implementation:

  monitoring_role_arn = "${aws_iam_role.enhanced_policy_role.arn}"
  monitoring_interval = "${var.enhanced_monitoring_interval}"

Also, confirmed that the role and policy get created with the right access. I manually turned on the enhanced monitoring and it worked using the role created by Terraform.

@stack72 do you have any ideas?

deanmraz commented Mar 4, 2016

Still playing around with this... Removing the role and the policy and trying again, I get this error first:

  • aws_db_instance.mysql: Error modifying DB Instance : InvalidParameterValue: IAM role ARN value is invalid or does not include the required permissions for: ENHANCED_MONITORING

then trying again I get the

  MonitoringRoleARN value is required

I also have the depends_on defined on the aws_db_instance resource:

  depends_on = ["aws_iam_policy_attachment.policy-attach"]

deanmraz commented Mar 4, 2016

Ensuring the role is created before the policy attachment fixed this issue for me

resource "aws_iam_policy_attachment" "policy-attach" {
  depends_on = ["aws_iam_role.enhanced_policy_role"]
  # ... remaining arguments not shown in the original post
}

deanmraz closed this as completed Mar 4, 2016

deanmraz commented Mar 4, 2016

That wasn't it. Looks like there's an issue with attaching the policy to multiple roles across regions. The last one run gets the attached profile while the rest are blank. Instead of using the attach policy resource, I created a custom policy with the enhanced policy.

resource "aws_iam_role_policy" "policy" {
  depends_on = ["aws_iam_role.enhanced_policy_role"]
  name = "enhanced-monitoring-attachment-${var.mysql_base_name}-${var.mysql_name}"
  role = "${aws_iam_role.enhanced_policy_role.name}"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogGroups",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:RDS*"
            ]
        },
        {
            "Sid": "EnableCreationAndManagementOfRDSCloudwatchLogStreams",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:RDS*:log-stream:*"
            ]
        }
    ]
}
EOF
}
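
An added example, not part of the original thread or the provider's own code: the AWS provider documents `aws_iam_policy_attachment` as an exclusive attachment (one resource must declare every role attached to a given policy), which matches the "last one wins" behaviour described above. The sketch below uses the per-role `aws_iam_role_policy_attachment` with the AWS managed policy instead, in Terraform 0.14+ syntax; all resource names and instance settings are hypothetical.

```hcl
# Added example; names and sizes are placeholders, not values from the thread.
variable "db_password" {
  type      = string
  sensitive = true
}

# Trust policy: only the RDS Enhanced Monitoring service may assume the role.
data "aws_iam_policy_document" "rds_monitoring_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "rds_monitoring" {
  name               = "rds-enhanced-monitoring-example"
  assume_role_policy = data.aws_iam_policy_document.rds_monitoring_assume.json
}

# Non-exclusive attachment: manages only this role's link to the managed
# policy, so other roles attached to the same policy are left untouched.
resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

resource "aws_db_instance" "mysql" {
  identifier          = "example-mysql"
  engine              = "mysql"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "admin"
  password            = var.db_password
  skip_final_snapshot = true

  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  # The role ARN is known before the policy is attached, so wait for the
  # attachment explicitly before RDS validates the role's permissions.
  depends_on = [aws_iam_role_policy_attachment.rds_monitoring]
}
```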

stack72 commented Mar 4, 2016

@deanmraz this was a really good find. Is this now resolved?

deanmraz commented Mar 7, 2016

@stack72 yup, confirmed it's working!

stack72 commented Mar 7, 2016

Nice, thanks for this @deanmraz

s-nakka commented May 22, 2018

I don't see it working. I have a preconfigured role that I would like to attach which is out of Terraform and I am passing it as a variable to the aws_db_instance resource. It's still failing with the same error

InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0

Using TF Version 0.11.3

mars64 commented Jun 6, 2018

I believe I can confirm @SandyFox's findings on TF 0.11.7. TF'ed a dedicated role for this function which attaches to the AmazonRDSEnhancedMonitoringRole managed policy. Our RDS is invoked from a module using the aws_db_instance resource. Variables have been defined, plan succeeds but only seems to indicate changes to the monitoring_interval.

Terraform will perform the following actions:

  ~ module.rds.aws_db_instance.<instance name>
      monitoring_interval: "0" => "1"

Plan: 0 to add, 1 to change, 0 to destroy.

applying results in:

Error modifying DB Instance <instance> InvalidParameterCombination: A MonitoringRoleARN value is required if you specify a MonitoringInterval value other than 0.

bflad commented Jun 6, 2018

For continued tracking of this issue, it's probably best to continue the discussion in the open AWS provider issue here: hashicorp/terraform-provider-aws#315

I believe I tried reproducing it a while ago and wasn't successful, but maybe the more recent folks here can provide samples of their configurations before and after so we can get this fixed up once and for all (or at least document why this behavior occurs).
