You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When creating an RDS instance and specifying a "Name" tag, enabling Enhanced Monitoring causes the monitoring role in IAM to inherit the same "Name" tag. This behavior may lead to unexpected naming conflicts or inconsistencies, especially if the "Name" tag is intended to uniquely identify the RDS instance rather than associated resources like the monitoring role.
Versions
Module version [Required]:
All from 2.0.0 until latest
Terraform version:
Any / produced by Terraform v1.9.8
terraform {
required_providers {
aws={
source ="hashicorp/aws"
version =">= 5.73.0, < 6.0.0"
}
}
}
provider"aws" {
region="us-east-1"
}
module"rds" {
source="terraform-aws-modules/rds/aws"engine="postgres"engine_version="16.5"family="postgres16"instance_class="db.t2.micro"allocated_storage=20storage_type="gp2"identifier="rds-instance"username="admin"password="..."port=5432skip_final_snapshot=truetags={
Name ="rds-instance"
}
monitoring_interval=30monitoring_role_name="rds-monitoring-role"monitoring_role_description="Role for RDS monitoring"create_monitoring_role=true
}
Do terraform plan
Observe the plan part related to module.rds.module.db_instance.aws_iam_role.enhanced_monitoring[0]
Expected behavior
# module.rds.module.db_instance.aws_iam_role.enhanced_monitoring[0] will be created+resource"aws_iam_role""enhanced_monitoring" {
...+tags={
+"Name" = "rds-monitoring-role"
}
+tags_all={
+"Name" = "rds-monitoring-role"
}
...
}
Actual behavior
the plan shows Name tag inherited from RDS tags
# module.rds.module.db_instance.aws_iam_role.enhanced_monitoring[0] will be created+resource"aws_iam_role""enhanced_monitoring" {
...+tags={
+"Name" = "rds-instance"
}
+tags_all={
+"Name" = "rds-instance"
}
...
}
Terminal Output Screenshot(s)
Terminal Output
module.rds.module.db_instance.data.aws_iam_policy_document.enhanced_monitoring: Reading...
module.rds.module.db_instance.data.aws_partition.current: Reading...
module.rds.module.db_instance.data.aws_partition.current: Read complete after 0s [id=aws]
module.rds.module.db_instance.data.aws_iam_policy_document.enhanced_monitoring: Read complete after 0s [id=76086537]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:+ create
Terraform will perform the following actions:# module.rds.module.db_instance.aws_db_instance.this[0] will be created+resource"aws_db_instance""this" {
+address=(known after apply)
+allocated_storage=20+allow_major_version_upgrade=false+apply_immediately=false+arn=(known after apply)
+auto_minor_version_upgrade=true+availability_zone=(known after apply)
+backup_retention_period=(known after apply)
+backup_target=(known after apply)
+backup_window=(known after apply)
+ca_cert_identifier=(known after apply)
+character_set_name=(known after apply)
+copy_tags_to_snapshot=false+db_name=(known after apply)
+db_subnet_group_name=(known after apply)
+dedicated_log_volume=false+delete_automated_backups=true+deletion_protection=false+domain_fqdn=(known after apply)
+endpoint=(known after apply)
+engine="postgres"+engine_lifecycle_support=(known after apply)
+engine_version="16.5"+engine_version_actual=(known after apply)
+hosted_zone_id=(known after apply)
+iam_database_authentication_enabled=false+id=(known after apply)
+identifier="rds-instance"+identifier_prefix=(known after apply)
+instance_class="db.t2.micro"+iops=(known after apply)
+kms_key_id=(known after apply)
+latest_restorable_time=(known after apply)
+license_model=(known after apply)
+listener_endpoint=(known after apply)
+maintenance_window=(known after apply)
+manage_master_user_password=true+master_user_secret=(known after apply)
+master_user_secret_kms_key_id=(known after apply)
+max_allocated_storage=0+monitoring_interval=30+monitoring_role_arn=(known after apply)
+multi_az=false+nchar_character_set_name=(known after apply)
+network_type=(known after apply)
+option_group_name=(known after apply)
+parameter_group_name=(known after apply)
+performance_insights_enabled=false+performance_insights_kms_key_id=(known after apply)
+performance_insights_retention_period=(known after apply)
+port=5432+publicly_accessible=false+replica_mode=(known after apply)
+replicas=(known after apply)
+resource_id=(known after apply)
+skip_final_snapshot=true+snapshot_identifier=(known after apply)
+status=(known after apply)
+storage_encrypted=true+storage_throughput=(known after apply)
+storage_type="gp2"+tags={
+"Name" = "rds-instance"
}
+tags_all={
+"Name" = "rds-instance"
}
+timezone=(known after apply)
+username="admin"+vpc_security_group_ids=(known after apply)
+timeouts {}
}
# module.rds.module.db_instance.aws_iam_role.enhanced_monitoring[0] will be created+resource"aws_iam_role""enhanced_monitoring" {
+arn=(known after apply)
+assume_role_policy=jsonencode(
{
+ Statement = [
+ {
+ Action ="sts:AssumeRole"+ Effect ="Allow"+ Principal = {
+ Service ="monitoring.rds.amazonaws.com"
}
},
]
+ Version ="2012-10-17"
}
)
+create_date=(known after apply)
+description="Role for RDS monitoring"+force_detach_policies=false+id=(known after apply)
+managed_policy_arns=(known after apply)
+max_session_duration=3600+name="rds-monitoring-role"+name_prefix=(known after apply)
+path="/"+tags={
+"Name" = "rds-instance"
}
+tags_all={
+"Name" = "rds-instance"
}
+unique_id=(known after apply)
+ inline_policy (known after apply)
}
# module.rds.module.db_instance.aws_iam_role_policy_attachment.enhanced_monitoring[0] will be created+resource"aws_iam_role_policy_attachment""enhanced_monitoring" {
+id=(known after apply)
+policy_arn="arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"+role="rds-monitoring-role"
}
# module.rds.module.db_parameter_group.aws_db_parameter_group.this[0] will be created+resource"aws_db_parameter_group""this" {
+arn=(known after apply)
+description="rds-instance parameter group"+family="postgres16"+id=(known after apply)
+name=(known after apply)
+name_prefix="rds-instance-"+skip_destroy=false+tags={
+"Name" = "rds-instance"
}
+tags_all={
+"Name" = "rds-instance"
}
}
Plan:4 to add, 0 to change, 0 to destroy.
Additional context
Within latest version, code of master/modules/db_instance/main.tf at line 195 causes the issue:
Description
When creating an RDS instance and specifying a "Name" tag, enabling Enhanced Monitoring causes the monitoring role in IAM to inherit the same "Name" tag. This behavior may lead to unexpected naming conflicts or inconsistencies, especially if the "Name" tag is intended to uniquely identify the RDS instance rather than associated resources like the monitoring role.
Versions
Module version [Required]:
All from 2.0.0 until latest
Terraform version:
Any / produced by Terraform v1.9.8
Provider version(s):
registry.terraform.io/hashicorp/aws 5.62.0
registry.terraform.io/hashicorp/random 3.1.0
Reproduction Code [Required]
terraform planmodule.rds.module.db_instance.aws_iam_role.enhanced_monitoring[0]Expected behavior
Actual behavior
the plan shows Name tag inherited from RDS tags
Terminal Output Screenshot(s)
Terminal Output
Additional context
Within latest version, code of master/modules/db_instance/main.tf at line 195 causes the issue:
var.tagsshould be the first element in merge, to getNamecorrectly overriding RDSNametag when present.The text was updated successfully, but these errors were encountered: