Org policy restricting DB instance types, creating auto scaling target fails

Question

I have a terraform script that is standing up an RDS instance with auto scaling.  This script works in our production account but does not work in our sandbox account.  The RDS instance launches, but the autoscaling returns this error:

Error: creating Application AutoScaling Target (cluster:___): ValidationException: User is missing the following permissions: rds:CreateDBInstance

Since I am able to create the instance itself, I'm pretty sure that's not the issue.  But, in our sandbox account, we have an org policy that only allows burstable EC2 and DB instance types.  I saw this article that describes that in order to create the policy, a preflight call is made to create the DB instance with an invalid parameter: https://docs.aws.amazon.com/autoscaling/application/userguide/security_iam_permission_validation.html - my guess is that this preflight call is using an instance type that is forbidden by my org policy.

Has anyone encountered this issue, and if so, is there a way to define what instance type the preflight call uses?

Answer

Hello.

I think the following stackoverflow question is close to your situation.  
I saw an answer that said the issue was resolved by contacting AWS Support.  
https://stackoverflow.com/questions/77966844/aws-rds-custom-oracle-instance-creation-fails-due-to-missing-iam-permissions-ho

Therefore, I recommend that you open a case with AWS Support under "Account and billing" and inquire.  
Inquiries under "Account and billing" can be made free of charge.  
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

Answer

Thanks - I will reach out to AWS support and see if they can resolve it.

Org policy restricting DB instance types, creating auto scaling target fails

Relevant content