resource/aws_iam_instance_profile: Remove deprecated roles argument

Reference: hashicorp/terraform#13130 Reference: #13398 Output from acceptance testing: ``` --- PASS: TestAccAWSIAMInstanceProfile_withoutRole (6.44s) --- PASS: TestAccAWSIAMInstanceProfile_basic (6.92s) --- PASS: TestAccAWSIAMInstanceProfile_namePrefix (6.94s) --- PASS: TestAccAWSAutoScalingGroup_LaunchTemplate_IAMInstanceProfile (53.25s) --- PASS: TestAccAWSAppautoScalingTarget_emrCluster (790.81s) --- PASS: TestAccAWSBeanstalkEnv_tier (518.46s) --- PASS: TestAccAWSIAMRole_testNameChange (12.80s) --- PASS: TestAccAWSInstance_instanceProfileChange (204.32s) --- PASS: TestAccAWSInstance_withIamInstanceProfile (115.26s) --- PASS: TestAccAWSLaunchConfiguration_withIAMProfile (21.61s) ```
hashicorp · Jul 22, 2020 · 7f7e7f2 · 7f7e7f2
1 parent fc7daba
commit 7f7e7f2
Show file tree

Hide file tree

Showing 11 changed files with 52 additions and 127 deletions.
diff --git a/aws/resource_aws_appautoscaling_target_test.go b/aws/resource_aws_appautoscaling_target_test.go
@@ -566,8 +566,8 @@ EOT
 }
 
 resource "aws_iam_instance_profile" "emr_profile" {
-  name  = "emr_profile_%d"
-  roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
+  name = "emr_profile_%d"
+  role = aws_iam_role.iam_emr_profile_role.name
 }
 
 resource "aws_iam_role_policy_attachment" "profile-attach" {

diff --git a/aws/resource_aws_autoscaling_group_test.go b/aws/resource_aws_autoscaling_group_test.go
@@ -3677,8 +3677,8 @@ resource "aws_iam_role" "test" {
 }
 
 resource "aws_iam_instance_profile" "test" {
-  name  = %q
-  roles = ["${aws_iam_role.test.name}"]
+  name = %q
+  role = aws_iam_role.test.name
 }
 
 resource "aws_launch_template" "test" {

diff --git a/aws/resource_aws_elastic_beanstalk_environment_test.go b/aws/resource_aws_elastic_beanstalk_environment_test.go
@@ -927,8 +927,8 @@ resource "aws_elastic_beanstalk_environment" "test" {
 func testAccBeanstalkWorkerEnvConfig(rName string) string {
 	return testAccBeanstalkEnvConfigBase(rName) + fmt.Sprintf(`
 resource "aws_iam_instance_profile" "test" {
-  name  = %[1]q
-  roles = [aws_iam_role.test.name]
+  name = %[1]q
+  role = aws_iam_role.test.name
 }
 
 resource "aws_iam_role" "test" {

diff --git a/aws/resource_aws_iam_instance_profile.go b/aws/resource_aws_iam_instance_profile.go
@@ -70,21 +70,9 @@ func resourceAwsIamInstanceProfile() *schema.Resource {
 				ForceNew: true,
 			},
 
-			"roles": {
-				Type:          schema.TypeSet,
-				Optional:      true,
-				Computed:      true,
-				ConflictsWith: []string{"role"},
-				Elem:          &schema.Schema{Type: schema.TypeString},
-				Set:           schema.HashString,
-				Deprecated:    "Use `role` instead. Only a single role can be passed to an IAM Instance Profile",
-			},
-
 			"role": {
-				Type:          schema.TypeString,
-				Optional:      true,
-				Computed:      true,
-				ConflictsWith: []string{"roles"},
+				Type:     schema.TypeString,
+				Optional: true,
 			},
 		},
 	}
@@ -173,50 +161,14 @@ func instanceProfileRemoveRole(iamconn *iam.IAM, profileName, roleName string) e
 	return err
 }
 
-func instanceProfileSetRoles(d *schema.ResourceData, iamconn *iam.IAM) error {
-	oldInterface, newInterface := d.GetChange("roles")
-	oldRoles := oldInterface.(*schema.Set)
-	newRoles := newInterface.(*schema.Set)
-
-	currentRoles := schema.CopySet(oldRoles)
-
-	for _, role := range oldRoles.Difference(newRoles).List() {
-		err := instanceProfileRemoveRole(iamconn, d.Id(), role.(string))
-		if err != nil {
-			return fmt.Errorf("Error removing role %s from IAM instance profile %s: %s", role, d.Id(), err)
-		}
-		currentRoles.Remove(role)
-		d.Set("roles", currentRoles)
-	}
-
-	for _, role := range newRoles.Difference(oldRoles).List() {
-		err := instanceProfileAddRole(iamconn, d.Id(), role.(string))
-		if err != nil {
-			return fmt.Errorf("Error adding role %s to IAM instance profile %s: %s", role, d.Id(), err)
-		}
-		currentRoles.Add(role)
-		d.Set("roles", currentRoles)
-	}
-
-	return nil
-}
-
 func instanceProfileRemoveAllRoles(d *schema.ResourceData, iamconn *iam.IAM) error {
-	role, hasRole := d.GetOk("role")
-	roles, hasRoles := d.GetOk("roles")
-	if hasRole && !hasRoles { // "roles" will always be a superset of "role", if set
+	if role, ok := d.GetOk("role"); ok {
 		err := instanceProfileRemoveRole(iamconn, d.Id(), role.(string))
 		if err != nil {
 			return fmt.Errorf("Error removing role %s from IAM instance profile %s: %s", role, d.Id(), err)
 		}
-	} else {
-		for _, role := range roles.(*schema.Set).List() {
-			err := instanceProfileRemoveRole(iamconn, d.Id(), role.(string))
-			if err != nil {
-				return fmt.Errorf("Error removing role %s from IAM instance profile %s: %s", role, d.Id(), err)
-			}
-		}
 	}
+
 	return nil
 }
 
@@ -241,10 +193,6 @@ func resourceAwsIamInstanceProfileUpdate(d *schema.ResourceData, meta interface{
 		}
 	}
 
-	if d.HasChange("roles") {
-		return instanceProfileSetRoles(d, iamconn)
-	}
-
 	return nil
 }
 
@@ -306,10 +254,5 @@ func instanceProfileReadResult(d *schema.ResourceData, result *iam.InstanceProfi
 		d.Set("role", result.Roles[0].RoleName) //there will only be 1 role returned
 	}
 
-	roles := &schema.Set{F: schema.HashString}
-	for _, role := range result.Roles {
-		roles.Add(*role.RoleName)
-	}
-	err := d.Set("roles", roles)
-	return err
+	return nil
 }
diff --git a/aws/resource_aws_iam_instance_profile_test.go b/aws/resource_aws_iam_instance_profile_test.go
@@ -37,32 +37,6 @@ func TestAccAWSIAMInstanceProfile_basic(t *testing.T) {
 	})
 }
 
-func TestAccAWSIAMInstanceProfile_withRoleNotRoles(t *testing.T) {
-	var conf iam.GetInstanceProfileOutput
-	resourceName := "aws_iam_instance_profile.test"
-
-	rName := acctest.RandString(5)
-	resource.ParallelTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testAccCheckAWSInstanceProfileDestroy,
-		Steps: []resource.TestStep{
-			{
-				Config: testAccAWSInstanceProfileWithRoleSpecified(rName),
-				Check: resource.ComposeTestCheckFunc(
-					testAccCheckAWSInstanceProfileExists(resourceName, &conf),
-				),
-			},
-			{
-				ResourceName:            resourceName,
-				ImportState:             true,
-				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"name_prefix"},
-			},
-		},
-	})
-}
-
 func TestAccAWSIAMInstanceProfile_withoutRole(t *testing.T) {
 	var conf iam.GetInstanceProfileOutput
 	resourceName := "aws_iam_instance_profile.test"
@@ -195,8 +169,8 @@ resource "aws_iam_role" "test" {
 }
 
 resource "aws_iam_instance_profile" "test" {
-  name  = "test"
-  roles = ["${aws_iam_role.test.name}"]
+  name = "test-%[1]s"
+  role = aws_iam_role.test.name
 }
 `, rName)
 }
@@ -218,21 +192,7 @@ resource "aws_iam_role" "test" {
 
 resource "aws_iam_instance_profile" "test" {
   name_prefix = "test-"
-  roles       = ["${aws_iam_role.test.name}"]
-}
-`, rName)
-}
-
-func testAccAWSInstanceProfileWithRoleSpecified(rName string) string {
-	return fmt.Sprintf(`
-resource "aws_iam_role" "test" {
-  name               = "test-%s"
-  assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
-}
-
-resource "aws_iam_instance_profile" "test" {
-  name_prefix = "test-"
-  role        = "${aws_iam_role.test.name}"
+  role        = aws_iam_role.test.name
 }
 `, rName)
 }
diff --git a/aws/resource_aws_iam_role_test.go b/aws/resource_aws_iam_role_test.go
@@ -745,9 +745,9 @@ EOF
 }
 
 resource "aws_iam_instance_profile" "role_update_test" {
-  name  = "role_update_test_%s"
-  path  = "/test/"
-  roles = ["${aws_iam_role.test.name}"]
+  name = "role_update_test_%s"
+  path = "/test/"
+  role = aws_iam_role.test.name
 }
 `, rName, rName, rName)
 }
@@ -799,9 +799,9 @@ EOF
 }
 
 resource "aws_iam_instance_profile" "role_update_test" {
-  name  = "role_update_test_%s"
-  path  = "/test/"
-  roles = ["${aws_iam_role.test.name}"]
+  name = "role_update_test_%s"
+  path = "/test/"
+  role = aws_iam_role.test.name
 }
 `, rName, rName, rName)
 }

diff --git a/aws/resource_aws_instance_test.go b/aws/resource_aws_instance_test.go
@@ -4113,8 +4113,8 @@ resource "aws_iam_role" "test" {
 }
 
 resource "aws_iam_instance_profile" "test" {
-  name  = %[1]q
-  roles = ["${aws_iam_role.test.name}"]
+  name = %[1]q
+  role = aws_iam_role.test.name
 }
 
 resource "aws_instance" "test" {

diff --git a/aws/resource_aws_launch_configuration_test.go b/aws/resource_aws_launch_configuration_test.go
@@ -888,8 +888,8 @@ EOF
 }
 
 resource "aws_iam_instance_profile" "profile" {
-  name  = "tf-acc-test-%[1]d"
-  roles = ["${aws_iam_role.role.name}"]
+  name = "tf-acc-test-%[1]d"
+  role = aws_iam_role.role.name
 }
 
 resource "aws_launch_configuration" "test" {

diff --git a/website/docs/guides/version-3-upgrade.html.md b/website/docs/guides/version-3-upgrade.html.md
@@ -386,6 +386,32 @@ resource "aws_emr_cluster" "example" {
 }
 ```
 
+## Resource: aws_iam_instance_profile
+
+### roles Argument Removal
+
+Switch your Terraform configuration to the `role` argument instead.
+
+For example, given this previous configuration:
+
+```hcl
+resource "aws_iam_instance_profile" "example" {
+  # ... other configuration ...
+
+  roles = [aws_iam_role.example.id]
+}
+```
+
+An updated configuration:
+
+```hcl
+resource "aws_iam_instance_profile" "example" {
+  # ... other configuration ...
+
+  role = aws_iam_role.example.id
+}
+```
+
 ## Resource: aws_lambda_alias
 
 ### Import No Longer Converts Function Name to ARN

diff --git a/website/docs/r/emr_cluster.html.markdown b/website/docs/r/emr_cluster.html.markdown
@@ -642,8 +642,8 @@ EOF
 }
 
 resource "aws_iam_instance_profile" "emr_profile" {
-  name  = "emr_profile"
-  roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
+  name = "emr_profile"
+  role = aws_iam_role.iam_emr_profile_role.name
 }
 
 resource "aws_iam_role_policy" "iam_emr_profile_policy" {

diff --git a/website/docs/r/iam_instance_profile.html.markdown b/website/docs/r/iam_instance_profile.html.markdown
@@ -47,9 +47,6 @@ The following arguments are supported:
 * `name` - (Optional, Forces new resource) The profile's name. If omitted, Terraform will assign a random, unique name.
 * `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
 * `path` - (Optional, default "/") Path in which to create the profile.
-* `roles` - (**Deprecated**)
-A list of role names to include in the profile.  The current default is 1.  If you see an error message similar to `Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1`, then you must contact AWS support and ask for a limit increase.
- WARNING: This is deprecated since [version 0.9.3 (April 12, 2017)](https://github.com/hashicorp/terraform/blob/master/CHANGELOG.md#093-april-12-2017), as >= 2 roles are not possible. See [issue #11575](https://github.com/hashicorp/terraform/issues/11575).
 * `role` - (Optional) The role name to include in the profile.
 
 ## Attribute Reference
@@ -60,7 +57,6 @@ A list of role names to include in the profile.  The current default is 1.  If y
 * `name` - The instance profile's name.
 * `path` - The path of the instance profile in IAM.
 * `role` - The role assigned to the instance profile.
-* `roles` - The list of roles assigned to the instance profile. (**Deprecated**)
 * `unique_id` - The [unique ID][1] assigned by AWS.
 
   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#GUIDs