white-secretary-18260
03/22/2021, 1:54 PM
Reposting in channel, since I got no response… I want to create a cluster with a role that gives it access to S3 for import/export. When I include the role in the iamRoles property I get an error saying:
DBClusterRoleNotFound: Role ARN arn:aws:iam::xxx:role/xxx-xxx cannot be found for DB Cluster: xxx. Verify your role ARN and try again. You might need to include the feature-name parameter.
If I use RoleAssociation, which has a feature name, I get an error like:
error associating RDS DB Instance (api-rds-cluster-dev) IAM Role (arn:aws:iam::xxx:role/xxx): DBInstanceNotFound: DBInstance not found: xxx
What’s a good working example of creating an RDS cluster with a role associated to it?
Also if I run up again on the second option (associating the role to the instance) I get this:
* error associating RDS DB Instance (xxx) IAM Role (arn:aws:iam::xxx:role/xxx): InvalidDBInstanceState: The xxx DB instance is associated with a database cluster. Manage the arn:aws:iam::xxx:role/xxx IAM role from the cluster instead of from the DB instance.

little-cartoon-10569
03/22/2021, 8:05 PM
To debug anything like this, I prefer to start in the AWS console. Since you've created the role and the DB cluster, I would use the console to try to associate them and see what error it pops up.
The iamRoles property is the correct way to do it, but maybe the role needs a particular configuration. The assumeRolePolicy property is often to blame when you can't associate a role in the way you want.

white-secretary-18260
03/22/2021, 8:51 PM
Thanks, so yeah, if I create the roles in Pulumi and the cluster (without association), it runs fine. I can then go into the AWS console and manually add the role with the “s3import” feature.
No errors. It works.
But since the new aws.rds.Cluster input options only have a role input that takes an array of ARNs, I can not set the feature for the role.

salmon-ghost-86211
03/22/2021, 10:12 PM
In the AWS console, does the Role's Trust Relationships tab list rds.amazonaws.com? Or maybe this isn't a good error message indicating what is actually wrong, since you can manually assign the role. This https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_AddRoleToDBInstance.html says:
InvalidDBInstanceState
The DB instance isn't in a valid state.
HTTP Status Code: 400

white-secretary-18260
03/22/2021, 10:36 PM
@salmon-ghost-86211 it’s the “You might need to include the feature-name parameter.” part of the error, and the fact that when adding it to the cluster (not instance) in the console it asks for a feature name, that confuses me. There is no way to associate a role to an RDS cluster with a feature name. There is a way to include a feature name when associating a role to a DBInstance, but that fails (I was using the cluster name in the error I posted) because there is an error that says the role can not be associated to a DB Instance that belongs to a cluster.
BTW the stack is down till tomorrow, I will answer your question then, thanks!
@salmon-ghost-86211 from the console:
Trusted entities
The identity provider(s) rds.amazonaws.com
@salmon-ghost-86211 or @little-cartoon-10569 here’s a ping, any follow up?

little-cartoon-10569
03/25/2021, 7:50 PM
No, sorry, I don't know about features or how they relate to the various resources. Might have to call in some big guns. @billowy-army-68599?

billowy-army-68599
03/25/2021, 7:51 PM
Can you share your current code?

white-secretary-18260
03/25/2021, 11:32 PM
Sure. This is a function that passes in an array of roles to associate to the cluster:
import * as aws from '@pulumi/aws'
import { Config } from '@pulumi/pulumi'

// Placeholder values: the original message references these constants
// but does not show their definitions, so these are assumed, not the poster's.
const AVAILABILITY_ZONES = ['us-east-1a', 'us-east-1b', 'us-east-1c']
const BACKUP_RETENTION = 7            // days
const BACKUP_WINDOW = '02:00-03:00'   // UTC
const ENGINE = 'aurora-postgresql'

function build (environment: string, config: Config, roles: aws.iam.Role[]): {cluster: aws.rds.Cluster, instances: aws.rds.ClusterInstance[]} {
  // API RDS AURORA POSTGRESQL DATABASE
  const database: string = config.require('database')
  const password = config.requireSecret('password')
  const username: string = config.require('apiUsername')
  const name = `database-${environment}`
  const databaseName = `database_${environment}`

  const cluster = new aws.rds.Cluster(name, {
    availabilityZones: AVAILABILITY_ZONES,
    backupRetentionPeriod: BACKUP_RETENTION,
    clusterIdentifier: name,
    skipFinalSnapshot: true,
    databaseName,
    engine: ENGINE,
    masterPassword: password,
    masterUsername: username,
    // Role ARNs only; this input has no place for a per-role feature name
    iamRoles: roles.map(r => r.arn),
    preferredBackupWindow: BACKUP_WINDOW,
    tags: {
      Environment: environment,
      Name: name
    }
  })

  // The posted snippet ends here; creation of the ClusterInstances was not included in the message.
  const instances: aws.rds.ClusterInstance[] = []
  return { cluster, instances }
}
This code results in the following error:
* InvalidParameterValue: The feature-name parameter must be provided with the current operation for the Aurora (PostgreSQL) engine.
        status code: 400, request id: c1ac5864-f2b9-48c3-a8c7-e2152f34f0c5
In the console there is a feature value used to associate roles.
@billowy-army-68599 sorry for the delay.
Any love here?

billowy-army-68599
03/29/2021, 7:27 PM
@white-secretary-18260 I think you might need to use this resource: https://www.pulumi.com/docs/reference/pkg/aws/rds/roleassociation/ . Looks like a missing feature in the resource.
So remove iamRoles and use that instead.

white-secretary-18260
03/29/2021, 7:33 PM
That is for a Postgres instance (tried that, see earlier in the thread); I am using a Postgres Aurora cluster. The CLI equivalent is https://docs.aws.amazon.com/cli/latest/reference/rds/add-role-to-db-cluster.html. On Postgres the feature is required.
Here’s the error I get from instance role association:
* error associating RDS DB Instance (xxx) IAM Role (arn:aws:iam::xxx:role/xxx): InvalidDBInstanceState: The xxx DB instance is associated with a database cluster. Manage the arn:aws:iam::xxx:role/xxx IAM role from the cluster instead of from the DB instance.

billowy-army-68599
03/29/2021, 7:34 PM
I'll try to repro this this afternoon, but I think it might be an upstream bug.

white-secretary-18260
03/29/2021, 7:41 PM
Thanks.
Any update?

billowy-army-68599
04/05/2021, 4:35 PM
Sorry, I haven’t been able to get to this as of yet.