Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid IAM Instance Profile name #15341

Closed
aleybovich opened this issue Jun 20, 2017 · 30 comments
Closed

Invalid IAM Instance Profile name #15341

aleybovich opened this issue Jun 20, 2017 · 30 comments

Comments

@aleybovich
Copy link

I have created an instance role and profile as following:

resource "aws_iam_role" "code-deploy-ec2-instance-profile" {
    name               = "code-deploy-ec2-instance-profile"
    path               = "/"
    assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}
resource "aws_iam_policy" "code-deploy-ec2-permissions" {
    name        = "code-deploy-ec2-permissions"
    path        = "/"
    description = "Policy for EC2 instances where Code Deploy would deploy the code"
    policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::nibr-useast1-as-search-code-deploy-dev/*"
      ]
    }
  ]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "code-deploy-ec2-permissions-policy-attachment" {
    policy_arn = "${aws_iam_policy.code-deploy-ec2-permissions.arn}"
    role      = "${aws_iam_role.code-deploy-ec2-instance-profile.name}"
}
resource "aws_iam_instance_profile" "search-api-instance-profile" {
  name  = "search-api-instance-profile"
  role = "code-deploy-ec2-instance-profile" # The role is created in infrastructure template
}

Now, I add an EC2 instance:

resource "aws_instance" "search-api" {
  ... other params ...
  iam_instance_profile   = "${aws_iam_instance_profile.search-api-instance-profile.name}" 
}

And I get the floowing error:

* aws_instance.search-api.1: InvalidParameterValue: Value (search-api-instance-profile) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
        status code: 400, request id: XXX

Now, if I go check the role code-deploy-ec2-instance-profile in teh console, I see that it's Instrance Profile ARN is empty (but if i create an EC2 role via the AWS console it shows a valid ARN).

Any ideas if it's a bug or am I doing something wrong?

@aleybovich
Copy link
Author

aleybovich commented Jun 20, 2017

By the way, I am able to successfully change an existing EC2 instance's IAM Role to search-api-instance-profile manually via AWS console (as in https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/), so it's a valid instance profile. Must be a bug in terraform

@aleybovich
Copy link
Author

It started working, I must have missed smth originally. Closing as not an issue

@jsravn
Copy link

jsravn commented Jul 4, 2017

This happened to me as well. There seems to be some race condition for newly created profiles. When I wait a short period and rerun the terraform it succeeds.

@jsravn
Copy link

jsravn commented Jul 4, 2017

@aleybovich I think you should reopen this.

@captainpete
Copy link
Contributor

seeing same issue, @jsravn thanks for work-around

@ramkarthik-sys
Copy link

@aleybovich - I'm facing the same issue. You have to reopen the case as suggested by @jsravn

@spanktar
Copy link

spanktar commented Aug 2, 2017

@aleybovich +1 to reopen as I just hit this as well.

@aleybovich
Copy link
Author

I'm no longer able to reproduce after I took down my whole envo and rebuilt. You guys need to reopen with your steps to reproduce

@spanktar
Copy link

This is an intermittent error, where something that relies on IAM later in the cycle (usually immediately) cannot find the IAM resource. This is probably Amazon internal delay in actually making the resource available everywhere although the resource has been successfully created to Terraform. In my case, a simple re-run of Terraform got me past this. I hit it every now and then and now recognize it so I know what to do.

Suggested remedies: resources that require IAM resources specifically check that they are available before creation? Terraform will have marked them as created, but they may not be ready yet, so maybe a double-check is in order? This only seems to happen with Instance Profiles.

@stutefish
Copy link

I get the same behavior - rerun terra and it goes away.

@realflash
Copy link
Contributor

realflash commented Sep 9, 2017

I think this is probably hashicorp/terraform-provider-aws#838

@edmundcraske
Copy link
Contributor

Just seen this as well.

@gvirtuoso
Copy link

I get the same behavior, but with Ansible... so I waited for a couple minutes.. run again... and OK! No more issues!... as @spanktar said... I think that is an AWS internal delay!

@labkey-ians
Copy link

Seeing this too.

@six0h
Copy link

six0h commented Nov 20, 2017

Also ran into this.

@milankubin
Copy link

milankubin commented Nov 30, 2017

seeing this as well..This also seems to happen apparently on change, not just on create!

aws_iam_instance_profile.instance_profile: Destruction complete after 1s
aws_iam_instance_profile.instance_profile: Creating...
  arn:         "" => "<computed>"
  create_date: "" => "<computed>"
  name:        "" => "xxxxx_production_instance_profile"
  path:        "" => "/"
  role:        "" => "xxxxx_production_instance_role"
  roles.#:     "" => "<computed>"
  unique_id:   "" => "<computed>"
aws_iam_instance_profile.instance_profile: Creation complete after 1s (ID: salome_production_instance_profile)
aws_instance.web: Modifying... (ID: i-0xxxxxxxxxxxxxxxx)
  iam_instance_profile:              "test_profile" => "xxxxxx_production_instance_profile"
  vpc_security_group_ids.#:          "0" => "2"
  vpc_security_group_ids.3440854232: "" => "sg-xxxxxxxx"
  vpc_security_group_ids.745367653:  "" => "sg-xxxxxxxx1"

Error: Error applying plan:

1 error(s) occurred:

* aws_instance.web: 1 error(s) occurred:

* aws_instance.web: InvalidParameterValue: Value (xxxxx_salome_production_instance_profile) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
	status code: 400, request id: f67f36f8-a337-421d-bc3d-805e8ccf203a

Second run all ok!

@macropin
Copy link

macropin commented Dec 6, 2017

Seeing this as well. Looks like a race.

@spanktar
Copy link

@apparentlymart Petition to re-open?

@kristinepetrosyan
Copy link

Seeing this again with
Terraform v0.11.1

  • provider.aws v1.6.0

@milankubin
Copy link

milankubin commented Dec 20, 2017

@six0h Are you getting the same error with ansible ? (InvalidParameterValue)

Quick google found this thread at AWS.
https://forums.aws.amazon.com/thread.jspa?messageID=593651

According to AWS there is a hardcoded 2min delay for creating instance profiles, yet if you look at my example Terraform is reporting

 aws_iam_instance_profile.instance_profile: Creation complete after 1s 

@LucaFilipozzi
Copy link

Also encountering this bug.

@tsalisbury-zz
Copy link

Me also.

@rodrigodiez
Copy link

Me also

@danilogomesrosa
Copy link

I've been facing it about two hours and it still does not work...

@spanktar
Copy link

spanktar commented Jan 4, 2018

Here's a horrifying hack I used somewhere else to deal with bad timing issues. Maybe this would help in this scenario as well, adjust resource types to suit your needs:

resource "aws_appautoscaling_policy" "ecs_asp_up_eap" {

  name               = "tweedle"
  resource_id        = "service/beetle"
  scalable_dimension = "ecs:service:DesiredCount"
  service_namespace  = "ecs"

  step_scaling_policy_configuration {
    adjustment_type         = "ChangeInCapacity"
    cooldown                = 60
    metric_aggregation_type = "Maximum"

    step_adjustment {
      metric_interval_lower_bound = 0
      scaling_adjustment          = 3
    }
  }

  depends_on = ["null_resource.timer"]
}

resource "null_resource" "timer" {

  provisioner "local-exec" {
    command = "sleep 9"
  }

  triggers {
    trigger = "${aws_appautoscaling_target.ecs_asp_target_eap.resource_id}"
  }
}

@enm10k
Copy link
Contributor

enm10k commented Jan 14, 2018

I have the same issue.
In my case, IAM role created by terraform have no instance profile arn and it was the cause of error.

@Martinsos
Copy link

Martinsos commented Jan 26, 2018

Just to confirm the suspicion, I am not using terraform but am instead using javascript sdk in nodejs to first create the Instance Profile and then to associate it with the instance, and I get the same problem -> if I try to do association with instance immediately after, it will say Instance Profile does not yet exist. However, if I do it somewhat later, it will work.
Is seems like instance profile is visible in IAM, but is not yet visible in EC2.
Conclusion: this is delay on the AWS side as few people suggested.
Unfortunately I have not found a way to query AWS to find out when instance profile is visible through EC2, so I just repeatedly try to do the association until it does not succeed.

@bflad
Copy link
Contributor

bflad commented Jan 27, 2018

Hi folks, as suggested above and noted in the AWS IAM documentation, you are running against the eventual consistency nature of the IAM service.

In v1.7.1 of the AWS provider (specifically PR hashicorp/terraform-provider-aws#3055), we now appropriately retry for up to a minute on this particular condition of associating or re-associating IAM instance profiles with EC2 instances, which should cover the most common scenarios. We will adjust that retry period if necessary based on feedback.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading your AWS provider.

PS: If something is still wrong after that upgrade, I would highly suggest opening a new issue in the provider repository: https://github.com/terraform-providers/terraform-provider-aws

@Arun-Trichy
Copy link

I am facing this issue even in the latest terraform Docker Image, when trying to create instance by attaching it to existing IAM Instance Profile. Even tried hitting thrice, got the same error.

aws_instance.node.1: Error launching source instance: InvalidParameterValue: Value (kubernetes-aik8s-master) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name

When I try listing the IAM role via AWS CLI, it lists it and also visible via console.

@mildwonkey
Copy link
Contributor

Hi all,

New issues with the terraform aws provider should be opened in the aws provider repository.

Because this closed issue is generating notifications for subscribers, I am going to lock it and encourage anyone experiencing issues with the aws provider to open tickets there.

Please continue to open issues here for any other terraform issues you encounter, and thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Sep 5, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests