amazon-web-services, amazon-rds, aws-cloudformation

CloudFormation template for AmazonRDSEnhancedMonitoringRole


I am attempting to spin up an RDS stack via a CloudFormation template. I would like to enable Enhanced Monitoring on my DB instances. In order to do that, the MonitoringRoleArn property must be specified on the resource.

As I understand it, this ARN should point to an IAM Service Role that has been given the AmazonRDSEnhancedMonitoringRole policy, as described here:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html

I would ideally like to also create that role via CloudFormation. For the life of me, however, I cannot find an example of how to do this in a CloudFormation template. And it turns out that the CloudFormer tool does not analyze IAM resources.

Has anyone done this? Can you share an example?


Solution

  • in YAML:

    Role:
      Type: 'AWS::IAM::Role'
      Properties:
        ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
        AssumeRolePolicyDocument:
          Version: '2008-10-17'
          Statement:
          - Effect: Allow
            Principal:
              Service: 'monitoring.rds.amazonaws.com'
            Action: 'sts:AssumeRole'
    

    You then need to reference the role in your RDS instance's MonitoringRoleArn property like this:

    !GetAtt ["Role", "Arn"]
    

    If you need the example in JSON let me know.
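
For reference, a complete template that wires the role into a DB instance. This is an added example, not part of the original answer. The `Database` resource, its engine, instance class, storage size and master username are placeholder assumptions. Enhanced Monitoring only takes effect when `MonitoringInterval` is set to a non-zero value alongside `MonitoringRoleArn`.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - RDS instance with Enhanced Monitoring (illustrative values)

Resources:
  # Service role that RDS Enhanced Monitoring assumes to publish OS metrics.
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Trust only the Enhanced Monitoring service principal, nothing broader.
          - Effect: Allow
            Principal:
              Service: 'monitoring.rds.amazonaws.com'
            Action: 'sts:AssumeRole'

  # Hypothetical instance: engine, class, storage and username are placeholders.
  Database:
    Type: 'AWS::RDS::DBInstance'
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.medium
      AllocatedStorage: '20'
      StorageEncrypted: true
      PubliclyAccessible: false
      MasterUsername: dbadmin
      # RDS generates the master password and keeps it in Secrets Manager,
      # so no credential is written into the template or its parameters.
      ManageMasterUserPassword: true
      # Both properties are required together: a non-zero interval
      # (1, 5, 10, 15, 30 or 60 seconds) and the ARN of the role above.
      MonitoringInterval: 60
      MonitoringRoleArn: !GetAtt Role.Arn

Outputs:
  MonitoringRoleArn:
    Description: ARN of the Enhanced Monitoring service role
    Value: !GetAtt Role.Arn
```

Because the template creates an IAM role, the stack has to be deployed with the `CAPABILITY_IAM` capability acknowledged.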