I created an AWS RDS resource with the help of the Terraform public module. The main.tf file contains the following:

    module "demo_rds_sg" {
      source = "git::https://github.com/terraform-aws-modules/terraform-aws-security-group.git?ref=v4.9.0"
      name   = "demo-rds-sg"
      vpc_id = var.vpc_id

      egress_with_cidr_blocks = [
        {
          from_port   = 0
          to_port     = 0
          protocol    = "-1"
          cidr_blocks = "0.0.0.0/0"
        }
      ]

      ingress_with_cidr_blocks = [
        {
          .........
        }
      ]
    }

    module "demo_rds" {
      depends_on = [module.demo_rds_sg]
      source     = "git::https://github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.0.1"

      identifier           = "${local.prefix}-demo"
      monitoring_interval  = 60
      monitoring_role_name = "${local.prefix}-demo-monitoring-role"
      ........
    }
When I try to remove the egress rule (0.0.0.0/0) from the main.tf file, I can see the role "enhanced_monitoring" update listed in the terraform plan. The plan is given below. It is a bit weird, as I am not making any changes to the role or policy in the TF code. If I add the rule back and run terraform plan again, it won't list any changes (expected).
      ~ resource "aws_iam_role" "enhanced_monitoring" {
          ~ assume_role_policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action    = "sts:AssumeRole"
                          - Effect    = "Allow"
                          - Principal = {
                              - Service = "monitoring.rds.amazonaws.com"
                            }
                          - Sid       = ""
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> (known after apply)
            id                 = "demo-monitoring-role"
            name               = "demo-monitoring-role"
            tags               = {
                "Name" = "demo-monitoring-role"
            }
            # (8 unchanged attributes hidden)
            # (1 unchanged block hidden)
        }

      # module.demo_rds.module.db_instance.aws_iam_role_policy_attachment.enhanced_monitoring[0] must be replaced
    -/+ resource "aws_iam_role_policy_attachment" "enhanced_monitoring" {
          ~ id         = "demo-monitoring-role-20221219095538103100000006" -> (known after apply)
          ~ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole" -> (known after apply) # forces replacement
            # (1 unchanged attribute hidden)
        }
The AWS provider version which I am using is "5.33.0". Any help will be much appreciated. Thanks
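One thing that produces exactly this kind of plan is a module-level `depends_on`: whenever the dependency (here the security group module) has pending changes, Terraform defers every data source inside the dependent module to apply time, including the policy document that renders the monitoring role's `assume_role_policy`, so the role shows `(known after apply)` and the attachment is forced to be replaced even though nothing in its configuration changed. The block below is an added example, not the poster's code, showing the two modules ordered by an output reference instead of `depends_on`; `var.app_subnet_cidrs`, port 5432 and the use of the `vpc_security_group_ids` input and `security_group_id` output are assumptions about the surrounding configuration.

```hcl
# Added example: order the modules through a reference, not depends_on.
# Assumes the same module versions as the question and that the RDS module
# accepts vpc_security_group_ids and the SG module exports security_group_id.

module "demo_rds_sg" {
  source = "git::https://github.com/terraform-aws-modules/terraform-aws-security-group.git?ref=v4.9.0"
  name   = "demo-rds-sg"
  vpc_id = var.vpc_id

  # No egress_with_cidr_blocks entry, so the 0.0.0.0/0 egress rule is gone.
  # Ingress limited to the application subnets (assumed variable) and the
  # database port (5432 assumed; the module takes cidr_blocks as one string).
  ingress_with_cidr_blocks = [
    {
      from_port   = 5432
      to_port     = 5432
      protocol    = "tcp"
      cidr_blocks = join(",", var.app_subnet_cidrs)
    }
  ]
}

module "demo_rds" {
  source = "git::https://github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.0.1"

  # No depends_on: the reference to module.demo_rds_sg.security_group_id
  # already makes Terraform create the security group first, and unlike a
  # module-level depends_on it does not push the module's data sources
  # (and with them the assume_role_policy) to "known after apply".
  identifier             = "${local.prefix}-demo"
  vpc_security_group_ids = [module.demo_rds_sg.security_group_id]
  monitoring_interval    = 60
  monitoring_role_name   = "${local.prefix}-demo-monitoring-role"
  # ... engine, instance and credential settings as in the original module block
}
```

A quick check after making this change is to edit a security group rule and run `terraform plan` again: the `enhanced_monitoring` role and its policy attachment should no longer appear in the plan.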