Add enhanced monitoring

README.md

@@ -38,6 +38,10 @@ module "db" {
 
   maintenance_window = "Mon:00:00-Mon:03:00"
   backup_window      = "03:00-06:00"
+
+  # Enhanced Monitoring - see example for details on how to create the role
+  monitoring_interval = "30"
+  monitoring_role_arn = "arn:aws:iam::123456789012:role/rds-monitoring-role"
 
   tags = {
     Owner       = "user"

examples/complete/main.tf

@@ -31,27 +31,23 @@ module "db" {
   instance_class    = "db.t2.large"
   allocated_storage = 5
   storage_encrypted = false
-  # kms_key_id        = "arm:aws:kms:<region>:<accound id>:key/<kms key id>"
-
-  name     = "demodb"
-  username = "user"
-  password = "YourPwdShouldBeLongAndSecure!"
-  port     = "3306"
 
-  vpc_security_group_ids = ["${data.aws_security_group.default.id}"]
+  # kms_key_id        = "arm:aws:kms:<region>:<accound id>:key/<kms key id>"
 
+  name                    = "demodb"
+  username                = "user"
+  password                = "YourPwdShouldBeLongAndSecure!"
+  port                    = "3306"
+  vpc_security_group_ids  = ["${data.aws_security_group.default.id}"]
   maintenance_window      = "Mon:00:00-Mon:03:00"
   backup_window           = "03:00-06:00"
-  backup_retention_period = 0                     // disable backups to create DB faster
-
+  backup_retention_period = 0                                         // disable backups to create DB faster
   tags = {
     Owner       = "user"
     Environment = "dev"
   }
-
   # DB subnet group
   subnet_ids = ["${data.aws_subnet_ids.all.ids}"]
-
   # DB parameter group
   family = "mysql5.7"
 }

examples/enhanced_monitoring/README.md

@@ -0,0 +1,21 @@
+Enhanced Monitoring example
+===========================
+
+Configuration in this directory creates the additional resources required to use Enhanced Monitoring.
+
+See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html for details
+
+Data sources are used to discover existing VPC resources (VPC, subnet and security group).
+
+Usage
+=====
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.

examples/enhanced_monitoring/main.tf

@@ -0,0 +1,83 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+##############################################################
+# Data sources to get VPC, subnets and security group details
+##############################################################
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnet_ids" "all" {
+  vpc_id = "${data.aws_vpc.default.id}"
+}
+
+data "aws_security_group" "default" {
+  vpc_id = "${data.aws_vpc.default.id}"
+  name   = "default"
+}
+
+##################################################
+# Create an IAM role to allow enhanced monitoring
+##################################################
+resource "aws_iam_role" "rds_enhanced_monitoring" {
+  name               = "rds-enhanced_monitoring-role"
+  assume_role_policy = "${data.aws_iam_policy_document.rds_enhanced_monitoring.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
+  role       = "${aws_iam_role.rds_enhanced_monitoring.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
+
+data "aws_iam_policy_document" "rds_enhanced_monitoring" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["monitoring.rds.amazonaws.com"]
+    }
+  }
+}
+
+#####
+# DB
+#####
+module "db" {
+  source = "../../"
+
+  identifier = "demodb"
+
+  engine            = "mysql"
+  engine_version    = "5.7.11"
+  instance_class    = "db.t2.large"
+  allocated_storage = 5
+  storage_encrypted = false
+
+  # kms_key_id        = "arm:aws:kms:<region>:<accound id>:key/<kms key id>"
+
+  name                    = "demodb"
+  username                = "user"
+  password                = "YourPwdShouldBeLongAndSecure!"
+  port                    = "3306"
+  vpc_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  maintenance_window      = "Mon:00:00-Mon:03:00"
+  backup_window           = "03:00-06:00"
+  backup_retention_period = 0                                         // disable backups to create DB faster
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
+  # DB subnet group
+  subnet_ids = ["${data.aws_subnet_ids.all.ids}"]
+  # DB parameter group
+  family              = "mysql5.7"
+  monitoring_interval = "30"
+  monitoring_role_arn = "${aws_iam_role.rds_enhanced_monitoring.arn}"
+}

main.tf

@@ -65,5 +65,8 @@ module "db_instance" {
   backup_retention_period = "${var.backup_retention_period}"
   backup_window           = "${var.backup_window}"
 
+  monitoring_interval = "${var.monitoring_interval}"
+  monitoring_role_arn = "${var.monitoring_role_arn}"
+
   tags = "${var.tags}"
 }

modules/db_instance/main.tf

@@ -25,6 +25,7 @@ resource "aws_db_instance" "this" {
   iops                = "${var.iops}"
   publicly_accessible = "${var.publicly_accessible}"
   monitoring_interval = "${var.monitoring_interval}"
+  monitoring_role_arn = "${var.monitoring_role_arn}"
 
   allow_major_version_upgrade = "${var.allow_major_version_upgrade}"
   auto_minor_version_upgrade  = "${var.auto_minor_version_upgrade}"

modules/db_instance/variables.tf

@@ -18,7 +18,7 @@ variable "storage_encrypted" {
 
 variable "kms_key_id" {
   description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used"
-  default = ""
+  default     = ""
 }
 
 variable "engine" {
@@ -84,6 +84,11 @@ variable "monitoring_interval" {
   default     = 0
 }
 
+variable "monitoring_role_arn" {
+  description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero."
+  default     = ""
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   default     = false

variables.tf

@@ -18,7 +18,7 @@ variable "storage_encrypted" {
 
 variable "kms_key_id" {
   description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used"
-  default = ""
+  default     = ""
 }
 
 variable "engine" {
@@ -79,6 +79,16 @@ variable "publicly_accessible" {
   default     = false
 }
 
+variable "monitoring_interval" {
+  description = "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60."
+  default     = 0
+}
+
+variable "monitoring_role_arn" {
+  description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero."
+  default     = ""
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   default     = false