This message was deleted.

Also if I run up again on the second option (associating the role to the instance) I get this:

* error associating RDS DB Instance (xxx) IAM Role (arn:aws:iam::xxx:role/xxx): InvalidDBInstanceState: The xxx DB instance is associated with a database cluster. Manage the arn:aws:iam::xxx:role/xxx IAM role from the cluster instead of from the DB instance.

To debug anything like this, I prefer to start in the AWS console. Since you've created the role and the DB cluster, I would use the console to try to associate them and see what error it pops up.

Thanks, so yeah, if I create the roles in pulumi and the cluster (without association). It runs fine. I can then go into the AWS console and manually add the role with the “s3import” feature.

In the AWS console does the Role's Trust Relationships tab list

<http://rds.amazonaws.com|rds.amazonaws.com>

? Or maybe this isn't a good error message indicating what is actually wrong since you can manually assign the role. This

<https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBInstance.html>

says

InvalidDBInstanceState

The DB instance isn't in a valid state.

HTTP Status Code: 400

@salmon-ghost-86211 it’s the

You might need to include the feature-name parameter.

part of the error and the fact that when adding it to the cluster (not instance) in the console it asks for a feature name that confuses me. There is no way to associate a role to an RDS cluster with a feature name. There is a way to include a feature name when associating a role to a DBInstance, but that fails (I was using the cluster name in the error I posted) because there is an error that says role can not be associated to DB Instance that belongs to a cluster.

No, sorry, I don't know about features or how they relate to the various resources. Might have to call in some big guns. @billowy-army-68599?

can you share your current code?

sure. this is a function that passes in an array of roles to associate to the cluster:

function build (environment: string, config: Config, roles: aws.iam.Role[]): {cluster: aws.rds.Cluster, instances: aws.rds.ClusterInstance[]} {
  // API RDS AURORA POSTGRESQL DATABASE
  const database: string = config.require('database')
  const password = config.requireSecret('password')
  const username: string = config.require('apiUsername')
  const name = `database-${environment}`
  const databaseName = `database_${environment}`

  const cluster = new aws.rds.Cluster(name, {
    availabilityZones: AVAILABILITY_ZONES,
    backupRetentionPeriod: BACKUP_RETENTION,
    clusterIdentifier: name,
    skipFinalSnapshot: true,
    databaseName,
    engine: ENGINE,
    masterPassword: password,
    masterUsername: username,
    iamRoles: roles.map(r => r.arn),
    preferredBackupWindow: BACKUP_WINDOW,
    tags: {
      Environment: environment,
      Name: name
    }
  })

this code results in the following error:

* InvalidParameterValue: The feature-name parameter must be provided with the current operation for the Aurora (PostgreSQL) engine.
        status code: 400, request id: c1ac5864-f2b9-48c3-a8c7-e2152f34f0c5

in the console there is a

feature

value used to associate roles.

@white-secretary-18260 i think you might need to use this resource: https://www.pulumi.com/docs/reference/pkg/aws/rds/roleassociation/ looks like a missing feature in the resource

That is for a postgres instance (tried that see earlier in thread), I am using postgres aurora cluster. the CLI equivalent is https://docs.aws.amazon.com/cli/latest/reference/rds/add-role-to-db-cluster.html. on postgres the feature is required.

i'll try repro this this afternoon, but i think it might be an upstream bug

thanks

Sorry I haven’t been able to get to this as of yet