The db_instance_role_association submodule creates an aws_db_instance_role_association resource, linking an IAM role to an RDS DB instance for a named feature (e.g. S3 integration, Lambda access). The root module uses this submodule via for_each over the db_instance_role_associations map variable.

Source

./modules/db_instance_role_association

How the root module uses this submodule

The root module creates one association per entry in the db_instance_role_associations map:
# From the root module (simplified)
module "db_instance_role_association" {
  source   = "./modules/db_instance_role_association"
  for_each = var.db_instance_role_associations

  feature_name           = each.key
  role_arn               = each.value
  db_instance_identifier = module.db_instance.db_instance_identifier
}
To use role associations via the root module, set db_instance_role_associations:
module "db" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 7.0"

  identifier = "mydb"
  # ... other variables

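  # Each key is passed through as feature_name, so it must be a feature name
  # the RDS API recognizes for this engine (see the note under Standalone usage).
  db_instance_role_associations = {
    s3Export = "arn:aws:iam::123456789012:role/rds-s3-export-role"
    Lambda   = "arn:aws:iam::123456789012:role/rds-lambda-role"
  }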
}
The map key becomes the feature_name and the map value becomes the role_arn.

Standalone usage

To use this submodule directly — for example when the DB instance is managed by a separate module:
module "rds_s3_association" {
  source  = "terraform-aws-modules/rds/aws//modules/db_instance_role_association"
  version = "~> 7.0"

  db_instance_identifier = "my-existing-db-instance"
  feature_name           = "s3Import"
  role_arn               = aws_iam_role.rds_s3.arn

  region = "us-east-1"
}
The feature_name must match the RDS feature name exactly as recognized by the AWS API. Common values include s3Import, s3Export, Lambda, and SageMaker.
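
The standalone example above references aws_iam_role.rds_s3 without defining it. The following is an added example, not part of the module or its documentation, of one way to define that role for s3Import: the trust policy lets only the RDS service assume the role, and only on behalf of the named DB instance in the current account, and the permissions are read-only on a single bucket. The bucket name, role name, policy names and the hard-coded region and partition are assumptions.

```hcl
data "aws_caller_identity" "current" {}

locals {
  region        = "us-east-1"               # same region as the association
  db_identifier = "my-existing-db-instance" # same instance as the association
  import_bucket = "example-import-bucket"   # placeholder bucket name
  db_arn        = "arn:aws:rds:${local.region}:${data.aws_caller_identity.current.account_id}:db:${local.db_identifier}"
}

# Trust policy: only the RDS service, acting for this DB instance in this
# account, may assume the role (confused-deputy guard).
data "aws_iam_policy_document" "rds_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["rds.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.db_arn]
    }
  }
}

resource "aws_iam_role" "rds_s3" {
  name               = "rds-s3-import-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.rds_assume.json
}

# Permissions: read-only access to one bucket, nothing account-wide.
data "aws_iam_policy_document" "s3_import" {
  statement {
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.import_bucket}", "arn:aws:s3:::${local.import_bucket}/*"]
  }
}

resource "aws_iam_role_policy" "s3_import" {
  name   = "s3-import-read" # assumed name
  role   = aws_iam_role.rds_s3.id
  policy = data.aws_iam_policy_document.s3_import.json
}
```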

Input variables

create
bool
Determines whether to create the DB instance role association resource. Default: true
feature_name
string
The name of the RDS feature to associate with the IAM role. Common values: s3Import, s3Export, Lambda, SageMaker. Default: null
role_arn
string
The Amazon Resource Name (ARN) of the IAM role to associate with the DB instance. Default: null
db_instance_identifier
string
The identifier of the DB instance to associate with the IAM role. Default: null
region
string
Region where the association will be managed. Defaults to the region set in the provider configuration. Default: null

Outputs

db_instance_role_association_id
string
The association ID, formatted as db_instance_identifier,role_arn. This is the composite identifier used by the AWS provider.
