CloudFormation template for AmazonRDSEnhancedMonitoringRole

I am attempting to spin up an RDS stack via a CloudFormation template. I would like to enable Enhanced Monitoring on my DB instances. In order to do that, the MonitoringRoleArn property must be specified on the resource.

As I understand it, this ARN should point to an IAM Service Role that has been given the AmazonRDSEnhancedMonitoringRole policy, as described here:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html

I would ideally like to also create that role via CloudFormation. For the life of me, however, I cannot find an example of how to do this in a CloudFormation template. And it turns out that the CloudFormer tool does not analyze IAM resources.

Has anyone done this? Can you share an example?

alan asked Oct 27 '16 21:10


2 Answers

in YAML:

Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      # AWS-managed policy carrying the permissions Enhanced Monitoring needs
      ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
      # Trust policy: only the RDS monitoring service may assume this role
      AssumeRolePolicyDocument:
        Version: '2008-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: 'monitoring.rds.amazonaws.com'
          Action: 'sts:AssumeRole'

You then need to reference the role in your RDS instance's MonitoringRoleArn property like this:

!GetAtt ["Role", "Arn"]

If you need the example in JSON let me know.

hellomichibye answered Nov 07 '22 23:11


Like avisheks mentioned, there was a change.
The example from hellomichibye doesn't work anymore. This is my code in YAML (with a configurable parameter):

Parameters:
  EnableEnhancedMonitoring:
    Description: 'Provide metrics in real time for the operating system (OS) that your DB instance runs on.'
    Type: String
    # Quoted so the values stay strings and match the !Equals comparison below
    AllowedValues: ['true', 'false']
    Default: 'false'

Conditions:
  HasEnhancedMonitoring: !Equals [ !Ref EnableEnhancedMonitoring, 'true' ]

Resources:
  # Only created when monitoring is switched on; otherwise no role exists
  EnhancedMonitoringRole:
    Condition: HasEnhancedMonitoring
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the RDS monitoring service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: monitoring.rds.amazonaws.com
          Action: sts:AssumeRole
      # AWS-managed policy carrying the permissions Enhanced Monitoring needs
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole
      Path: "/"

  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      ...
      # Interval in seconds; 0 disables Enhanced Monitoring
      MonitoringInterval: !If [HasEnhancedMonitoring, 60, 0]
      # Omit the property entirely (AWS::NoValue) when the role is not created
      MonitoringRoleArn: !If [HasEnhancedMonitoring, !GetAtt ['EnhancedMonitoringRole', 'Arn'], !Ref 'AWS::NoValue']
      ...
mengmann answered Nov 07 '22 23:11
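The first answer offers a JSON version of the role on request, and both answers rely on the same shape: a trust policy that admits only monitoring.rds.amazonaws.com via sts:AssumeRole, exactly one AWS-managed policy, and MonitoringInterval set together with MonitoringRoleArn. As an added example (not code from either answer or from AWS), the Python below builds that JSON form and runs a small checker over a template to enforce those properties, flagging wildcard or account principals, extra trusted services, extra managed or inline policies, and a role without an interval. The names `role_template`, `check_trust_policy` and `check_monitoring_role` are my own, the sample templates are constructed, and a MonitoringRoleArn wrapped in Fn::If (the second answer's pattern) is skipped by the resolver rather than inspected.

```python
import json

RDS_MONITORING_PRINCIPAL = "monitoring.rds.amazonaws.com"
ENHANCED_MONITORING_POLICY = (
    "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
)


def role_template(principal=RDS_MONITORING_PRINCIPAL, policies=(ENHANCED_MONITORING_POLICY,)):
    """Constructed sample: JSON form of the role and DBInstance from the answers.
    The arguments exist only so a deliberately bad variant can be built."""
    trust = {"Service": principal} if principal != "*" else "*"
    return {"Resources": {
        "EnhancedMonitoringRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Path": "/",
                "ManagedPolicyArns": list(policies),
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Principal": trust,
                                   "Action": "sts:AssumeRole"}],
                },
            },
        },
        "DBInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {  # other DBInstance properties omitted
                "MonitoringInterval": 60,
                "MonitoringRoleArn": {"Fn::GetAtt": ["EnhancedMonitoringRole", "Arn"]},
            },
        },
    }}


def _as_list(value):
    """IAM accepts a scalar or a list in most statement fields; normalise."""
    return value if isinstance(value, list) else [value]


def _role_from_arn(arn_value):
    """Logical ID of the role when MonitoringRoleArn is Fn::GetAtt [Role, Arn].
    Hard-coded ARNs and conditional values (Fn::If) return None and are skipped."""
    if isinstance(arn_value, dict) and "Fn::GetAtt" in arn_value:
        target = arn_value["Fn::GetAtt"]
        if isinstance(target, str):  # short form "Role.Arn"
            target = target.split(".", 1)
        if len(target) == 2 and target[1] == "Arn":
            return target[0]
    return None


def check_trust_policy(doc):
    """Findings for an AssumeRolePolicyDocument that should trust only RDS."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # "*", an AWS account or a federated identity lets a party other than
        # the RDS monitoring service assume the role.
        if not isinstance(principal, dict):
            findings.append("trust policy allows a non-service principal")
            continue
        for key in sorted(set(principal) - {"Service"}):
            findings.append(f"trust policy uses principal type {key}")
        for svc in _as_list(principal.get("Service", [])):
            if svc != RDS_MONITORING_PRINCIPAL:
                findings.append(f"unexpected trusted service {svc}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"trust policy grants {action}")
    return findings


def check_monitoring_role(template):
    """Return findings for every DBInstance whose monitoring role is defined
    in the same template; an empty list means the template passes."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        interval, role_arn = props.get("MonitoringInterval", 0), props.get("MonitoringRoleArn")
        # RDS needs both properties together; one without the other fails at stack creation
        if interval and role_arn is None:
            findings.append(f"{name}: MonitoringInterval set without MonitoringRoleArn")
        if role_arn is not None and not interval:
            findings.append(f"{name}: MonitoringRoleArn set with MonitoringInterval 0")
        role_id = _role_from_arn(role_arn)
        if role_id is None:
            continue
        role = resources.get(role_id, {})
        if role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{name}: {role_id} is not an AWS::IAM::Role in this template")
            continue
        rprops = role.get("Properties", {})
        findings += [f"{role_id}: {m}" for m in check_trust_policy(rprops.get("AssumeRolePolicyDocument", {}))]
        managed = rprops.get("ManagedPolicyArns", [])
        if ENHANCED_MONITORING_POLICY not in managed:
            findings.append(f"{role_id}: missing {ENHANCED_MONITORING_POLICY}")
        # The role exists only to publish OS metrics; any other policy is excess privilege
        findings += [f"{role_id}: extra managed policy {arn}" for arn in managed if arn != ENHANCED_MONITORING_POLICY]
        if rprops.get("Policies"):
            findings.append(f"{role_id}: inline policies present; the monitoring role needs none")
    return findings


if __name__ == "__main__":
    print(json.dumps(role_template()["Resources"]["EnhancedMonitoringRole"], indent=2))
    print("findings:", check_monitoring_role(role_template()))
```

Run it to print the JSON role and an empty findings list; feed it a template exported with `aws cloudformation get-template` (JSON output) to check an existing stack before deploying it, keeping in mind that it only inspects roles referenced by an unconditional Fn::GetAtt.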