From f6137eaccdca5ebfd550ae3f293da29995d440c8 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Wed, 11 Sep 2024 16:25:53 -0500
Subject: [PATCH] add enhanced monitoring #18
---
 rds.tf | 5 +----
 rds_iam_role.tf | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 rds_iam_role.tf
diff --git a/rds.tf b/rds.tf
index fb1846f..c443bd3 100644
--- a/rds.tf
+++ b/rds.tf
@@ -20,10 +20,6 @@ resource "aws_db_parameter_group" "postgres" {
 name = "rds.force_ssl"
 value = "1"
 }
- parameter {
- name = "ssl"
- value = "1"
- }
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
@@ -47,6 +43,7 @@ resource "aws_db_instance" "postgresql" {
 enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"] #checkov: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
 monitoring_interval = 10
+ monitoring_role_arn = aws_iam_role.rds_monitoring_role.arn #checkov: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
 deletion_protection = true #checkov: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
diff --git a/rds_iam_role.tf b/rds_iam_role.tf
new file mode 100644
index 0000000..d14776f
--- /dev/null
+++ b/rds_iam_role.tf
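Review bot: The deletion of the `ssl` parameter block in the `aws_db_parameter_group` hunk is unrelated to the commit subject ("add enhanced monitoring") and leaves no record of why `rds.force_ssl` alone is now considered sufficient to keep TLS mandatory. A one-line comment on the surviving parameter would prevent a later reader from reinstating or removing the wrong one, e.g. `# rds.force_ssl = 1 rejects non-TLS client connections; the separate "ssl" parameter is intentionally not managed here`. The enclosing `aws_db_parameter_group` resource starts before this hunk.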
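Review bot: The new `monitoring_role_arn` line creates a dependency on the role itself but not on the `aws_iam_role_policy_attachment` that grants it the AmazonRDSEnhancedMonitoringRole permissions, so on a fresh apply the DB instance can be created before the policy is attached; RDS validates the monitoring role at creation time and can reject a role that lacks those permissions. Make the ordering explicit on the `aws_db_instance` resource with `depends_on = [aws_iam_role_policy_attachment.managed_rds_monitoring_policy_attachement]`. The `aws_db_instance` block starts and ends outside this hunk.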
@@ -0,0 +1,22 @@
+##https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "rds_monitoring_role" {
+ name = "${var.name}-rds-monitoring-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "monitoring.rds.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "managed_rds_monitoring_policy_attachement" {
+ role = aws_iam_role.rds_monitoring_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
\ No newline at end of file
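Review bot: The trust policy on `rds_monitoring_role` lets `monitoring.rds.amazonaws.com` assume the role without any account scoping, which is the confused-deputy shape AWS advises against for service roles; add a `Condition` on `aws:SourceAccount` (and optionally `aws:SourceArn`) to the statement, as in the excerpt below, which assumes an `aws_caller_identity` data source named `current` exists or is added alongside it. The resource label `managed_rds_monitoring_policy_attachement` is misspelled (`attachment`), and renaming it now, before other files reference it, is cheap. The new file also lacks a trailing newline, which git flags in every later diff.

```hcl
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Effect = "Allow",
        Principal = {
          Service = "monitoring.rds.amazonaws.com"
        },
        # Restrict the service principal to acting on behalf of this account
        # so the role cannot be assumed via RDS resources in another account.
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
  # … unchanged: name, policy attachment resource …
```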