The first time you create an ApsaraDB RDS for PostgreSQL instance, you must create the AliyunServiceRoleForRdsPgsqlOnEcs service-linked role for ApsaraDB RDS for PostgreSQL. The role allows your RDS instance to mount Elastic Network Interfaces (ENIs) and establish network connections. This topic describes how to create, delete, and query service-linked roles by using Terraform.

Prerequisites

Create a service-linked role

  1. In the terraform.tf file in the Terraform working directory, configure the following information to create the AliyunServiceRoleForRdsPgsqlOnEcs service-linked role:
    resource "alicloud_rds_service_linked_role" "default" {
      service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
    }
    Note: For more information about service-linked role authorization, see Service-linked roles.
  2. Run the terraform apply command.
    If the following information appears, confirm the information and enter yes to create the service-linked role:
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      + create
    
    Terraform will perform the following actions:
    
      # alicloud_rds_service_linked_role.default will be created
      + resource "alicloud_rds_service_linked_role" "default" {
          + arn          = (known after apply)
          + id           = (known after apply)
          + role_id      = (known after apply)
          + role_name    = (known after apply)
          + service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
        }
    
    Plan: 1 to add, 0 to change, 0 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    If the following logs appear, the operation is successful:

    alicloud_rds_service_linked_role.default: Creating...
    alicloud_rds_service_linked_role.default: Creation complete after 3s [id=AliyunServiceRoleForRdsPgsqlOnEcs]
    
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
  3. Run the terraform show command to view the result.
    # alicloud_rds_service_linked_role.default:
    resource "alicloud_rds_service_linked_role" "default" {
        arn          = "acs:ram::140****:role/aliyunserviceroleforrdspgsqlonecs"
        id           = "AliyunServiceRoleForRdsPgsqlOnEcs"
        role_id      = "399****"
        role_name    = "AliyunServiceRoleForRdsPgsqlOnEcs"
        service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
    }

Delete a service-linked role

  1. In the terraform.tf file, delete the resource "alicloud_rds_service_linked_role" "default"{} configuration item. In this example, delete the following information:
    resource "alicloud_rds_service_linked_role" "default" {
      service_name = "AliyunServiceRoleForRdsPgsqlOnEcs"
    }
  2. Run the terraform apply command.

    After the following information appears, confirm the information and enter yes to delete the service-linked role:

    alicloud_rds_service_linked_role.default: Refreshing state... [id=AliyunServiceRoleForRdsPgsqlOnEcs]
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      - destroy
    
    Terraform will perform the following actions:
    
      # alicloud_rds_service_linked_role.default will be destroyed
      # (because alicloud_rds_service_linked_role.default is not in configuration)
      - resource "alicloud_rds_service_linked_role" "default" {
          - arn          = "acs:ram::140***:role/aliyunserviceroleforrdspgsqlonecs" -> null
          - id           = "AliyunServiceRoleForRdsPgsqlOnEcs" -> null
          - role_id      = "399****" -> null
          - role_name    = "AliyunServiceRoleForRdsPgsqlOnEcs" -> null
          - service_name = "AliyunServiceRoleForRdsPgsqlOnEcs" -> null
        }
    
    Plan: 0 to add, 0 to change, 1 to destroy.
    
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
    
      Enter a value:

    If the following logs appear, the operation is successful:

    alicloud_rds_service_linked_role.default: Destroying... [id=AliyunServiceRoleForRdsPgsqlOnEcs]
    alicloud_rds_service_linked_role.default: Destruction complete after 0s
    
    Apply complete! Resources: 0 added, 0 changed, 1 destroyed.
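
The destroy plan above is triggered only by the resource block being absent from terraform.tf, so an accidental removal produces the same plan. The following is an added example, not part of the original topic or of the provider: a pre-apply check that reads the JSON form of a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`) and reports any service-linked role the plan would destroy. The function name, the type-suffix match and the sample plan are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output for the
# destroy plan shown above, plus one unrelated change. Not real account data.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "alicloud_rds_service_linked_role.default",
            "type": "alicloud_rds_service_linked_role",
            "change": {
                "actions": ["delete"],
                "before": {"service_name": "AliyunServiceRoleForRdsPgsqlOnEcs"},
                "after": None,
            },
        },
        {
            "address": "alicloud_vpc.example",  # hypothetical unrelated resource
            "type": "alicloud_vpc",
            "change": {"actions": ["update"], "before": {}, "after": {}},
        },
    ],
})


def slr_deletions(plan_json, type_suffix="_service_linked_role"):
    """Return (address, service_name) for each service-linked role the plan destroys.

    A replacement is reported too, because its action list contains "delete".
    """
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if not rc.get("type", "").endswith(type_suffix):
            continue
        if "delete" not in change.get("actions", []):
            continue
        before = change.get("before") or {}
        hits.append((rc.get("address"), before.get("service_name")))
    return hits


if __name__ == "__main__":
    found = slr_deletions(SAMPLE_PLAN)
    for address, service in found:
        print(f"BLOCK: plan destroys {address} (service_name={service})")
    raise SystemExit(1 if found else 0)
```

Run as a script, it exits with status 1 when a deletion is found, so a pipeline can stop before terraform apply.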

Query the created service-linked roles

  1. In the terraform.tf file, add the following content:
    data "alicloud_resource_manager_roles" "slr" {
    }
  2. Run the terraform apply command to query the service-linked roles that are created.

    If the following logs appear, the operation is successful:

    data.alicloud_resource_manager_roles.slr: Reading...
    data.alicloud_resource_manager_roles.slr: Read complete after 2s [id=163141****]
    
    No changes. Your infrastructure matches the configuration.
    
    Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are
    needed.
    
    Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
  3. Run the terraform show command to view the result.
    # data.alicloud_resource_manager_roles.slr:
    data "alicloud_resource_manager_roles" "slr" {
        enable_details = false
        id             = "163141****"
        ids            = [
            "AliyunActionTrailDefaultRole",
            "AliyunAdamAccessingDatabaseRole",
            "AliyunAnalyticDBAccessingDTSRole",
            ...
        ]
        names          = [
            "AliyunActionTrailDefaultRole",
            "AliyunAdamAccessingDatabaseRole",
            "AliyunAnalyticDBAccessingDTSRole",
            ...
        ]
        roles          = [
            {
                arn                         = "acs:ram::140****:role/aliyunactiontraildefaultrole"
                assume_role_policy_document = ""
                description                 = "By default, ActionTrail assumes this role to access your cloud resources."
                id                          = "AliyunActionTrailDefaultRole"
                max_session_duration        = 3600
                role_id                     = "394****"
                role_name                   = "AliyunActionTrailDefaultRole"
                update_date                 = "2019-05-07T02:29:41Z"
            },
            {
                arn                         = "acs:ram::140****:role/aliyunadamaccessingdatabaserole"
                assume_role_policy_document = ""
                description                 = "ADAM assumes this role to access your cloud resources."
                id                          = "AliyunAdamAccessingDatabaseRole"
                max_session_duration        = 3600
                role_id                     = "351****"
                role_name                   = "AliyunAdamAccessingDatabaseRole"
                update_date                 = "2020-04-26T07:42:32Z"
            },
            {
                arn                         = "acs:ram::140****:role/aliyunanalyticdbaccessingdtsrole"
                assume_role_policy_document = ""
                description                 = "The Open Analytics will use this role to access DTS."
                id                          = "AliyunAnalyticDBAccessingDTSRole"
                max_session_duration        = 3600
                role_id                     = "312****"
                role_name                   = "AliyunAnalyticDBAccessingDTSRole"
                update_date                 = "2020-03-10T01:49:16Z"
            },
            ...
        ]
    }