Terraform reports an error when trying to add IAM role to aws_rds_cluster resource

Hi

I am trying to create an Aurora Postgres cluster using Terraform. As part of the deployment I am enabling Kerberos authentication, and I am using a variable to control whether Kerberos authentication should be enabled for the cluster. The IAM role required to enable Kerberos authentication is also created as part of the same deployment. Terraform generates an error when the IAM role needs to be associated with the cluster; the error indicates that the IAM role does not exist. However, if I rerun the same plan, Terraform is able to associate the role with the cluster and enable Kerberos authentication successfully. It almost seems as if there is a delay between when the role is created and when it needs to be associated with the cluster. Does anyone know of a workaround to prevent the error?

Cluster template:

resource "aws_rds_cluster" "default" {
  allow_major_version_upgrade         = var.allow_major_version_upgrade
  apply_immediately                   = var.apply_immediately
  backup_retention_period             = var.backup_retention_period
  cluster_identifier                  = var.cluster_identifier
  copy_tags_to_snapshot               = var.copy_tags_to_snapshot
  database_name                       = var.database_name
  db_cluster_parameter_group_name     = aws_rds_cluster_parameter_group.default.name
  db_subnet_group_name                = var.create_db_subnet_group ? aws_db_subnet_group.default[0].name : var.db_subnet_group_name
  deletion_protection                 = var.deletion_protection
  domain                              = var.enable_kerberos_authentication ? var.domain : null
  domain_iam_role_name                = var.enable_kerberos_authentication ? data.aws_iam_role.rds_directoryservice_kerberos_access[0].id : null #aws_iam_role.rds_directoryservice_kerberos_access[0].name : null
  enabled_cloudwatch_logs_exports     = ["postgresql"]
  engine                              = var.engine
  engine_mode                         = var.engine_mode
  engine_version                      = var.engine_version
  final_snapshot_identifier           = var.cluster_identifier
  iam_database_authentication_enabled = var.iam_database_authentication_enabled
  iam_roles                           = var.iam_roles
  kms_key_id                          = var.kms_key
  master_username                     = var.snapshot_identifier != "" ? null : random_string.master_username.result
  manage_master_user_password         = var.snapshot_identifier == "" ? true : null
  master_user_secret_kms_key_id       = var.snapshot_identifier == "" ? var.kms_key : null
  master_password                     = null
  preferred_backup_window             = var.preferred_backup_window
  preferred_maintenance_window        = var.preferred_maintenance_window
  skip_final_snapshot                 = var.skip_final_snapshot
  snapshot_identifier                 = var.snapshot_identifier
  storage_encrypted                   = true
  storage_type                        = var.storage_type
  vpc_security_group_ids              = length(var.vpc_security_group_ids) == 0 ? [aws_security_group.default[0].id] : var.vpc_security_group_ids

  serverlessv2_scaling_configuration {
    max_capacity = var.max_capacity
    min_capacity = 0.5
  }
}

IAM role:

data "aws_iam_policy_document" "rds_directoryservice_kerberos_access_assume" {
  count = var.enable_kerberos_authentication ? 1 : 0
  statement {
    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type        = "Service"
      identifiers = ["directoryservice.rds.amazonaws.com","rds.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "rds_directoryservice_kerberos_access_policy_document" {
  count = var.enable_kerberos_authentication ? 1 : 0
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      "ds:DescribeDirectories",
      "ds:AuthorizeApplication",
      "ds:UnauthorizeApplication",
      "ds:GetAuthorizedApplicationDetails"
    ]
    resources = [ "*" ]
  }
}

resource "aws_iam_policy" "rds_directoryservice_kerberos_access_policy" {
  count = var.enable_kerberos_authentication ? 1 : 0
  policy = data.aws_iam_policy_document.rds_directoryservice_kerberos_access_policy_document[0].json
  name   = "${var.cluster_identifier}-directoryservice-kerberos-access-policy"
}

resource "aws_iam_role" "rds_directoryservice_kerberos_access" {
  count = var.enable_kerberos_authentication ? 1 : 0
  name                  = "${var.cluster_identifier}-directoryservice-kerberos-access-role"
  description           = "Role used for Kerberos authentication by Aurora cluster"
  force_detach_policies = true
  assume_role_policy    = data.aws_iam_policy_document.rds_directoryservice_kerberos_access_assume[0].json
  permissions_boundary  = var.permissions_boundary_arn

  tags = var.tags
}

resource "aws_iam_role_policy_attachment" "rds_directoryservice_kerberos_access" {
  count = var.enable_kerberos_authentication ? 1 : 0
  role       = aws_iam_role.rds_directoryservice_kerberos_access[0].id
  policy_arn = aws_iam_policy.rds_directoryservice_kerberos_access_policy[0].arn
}
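The behaviour described in the post (first apply fails, second apply succeeds) is what you get when Terraform has no dependency edge from the cluster to the role and its policy attachment, combined with IAM's eventual consistency: a role that was just created can take a few seconds to become visible to RDS. The cluster above looks the role up through a `data "aws_iam_role"` block (not shown in the post), and a data source does not make Terraform wait for the resource that creates the role. The configuration below is an added example, not the poster's code or anything from the AWS provider docs; it references the managed `aws_iam_role` directly, adds an explicit `depends_on`, and uses a `time_sleep` from the hashicorp/time provider to absorb the propagation delay. It assumes the same variables and the policy/assume-role documents from the post, and the `20s` wait is an assumed value to tune per account. The remaining cluster arguments are unchanged from the post and are elided here.

```hcl
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" } # added: provides the time_sleep resource
  }
}

# Role and attachment as in the post, trimmed to the parts that matter for ordering.
resource "aws_iam_role" "rds_directoryservice_kerberos_access" {
  count                = var.enable_kerberos_authentication ? 1 : 0
  name                 = "${var.cluster_identifier}-directoryservice-kerberos-access-role"
  description          = "Role used for Kerberos authentication by Aurora cluster"
  assume_role_policy   = data.aws_iam_policy_document.rds_directoryservice_kerberos_access_assume[0].json
  permissions_boundary = var.permissions_boundary_arn
  tags                 = var.tags
}

resource "aws_iam_role_policy_attachment" "rds_directoryservice_kerberos_access" {
  count      = var.enable_kerberos_authentication ? 1 : 0
  role       = aws_iam_role.rds_directoryservice_kerberos_access[0].name
  policy_arn = aws_iam_policy.rds_directoryservice_kerberos_access_policy[0].arn
}

# IAM is eventually consistent: RDS may not see a brand-new role immediately.
# Wait only after the role AND its policy attachment exist; the trigger ties the
# sleep to the role ARN so a replaced role waits again on the next apply.
resource "time_sleep" "iam_propagation" {
  count           = var.enable_kerberos_authentication ? 1 : 0
  create_duration = "20s" # assumed value; adjust for your account

  triggers = {
    role_arn = aws_iam_role.rds_directoryservice_kerberos_access[0].arn
  }

  depends_on = [aws_iam_role_policy_attachment.rds_directoryservice_kerberos_access]
}

resource "aws_rds_cluster" "default" {
  cluster_identifier = var.cluster_identifier
  engine             = var.engine
  # ... other cluster arguments exactly as in the post ...

  domain = var.enable_kerberos_authentication ? var.domain : null

  # Reference the managed role, not a data "aws_iam_role" lookup: a data source
  # gives Terraform no create-before edge to the resource that creates the role.
  domain_iam_role_name = var.enable_kerberos_authentication ? aws_iam_role.rds_directoryservice_kerberos_access[0].name : null

  # Explicit ordering: sleep -> attachment -> role + policy, so the cluster is
  # created only after the whole chain exists and has had time to propagate.
  depends_on = [time_sleep.iam_propagation]
}
```

With this wiring a single `terraform apply` creates the role, attaches the policy, waits, and only then creates the cluster; the `depends_on` on the cluster is what removes the "role does not exist" race, and the `time_sleep` covers the IAM propagation window that the retry on the second apply was masking.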
