aws_iam_instance_profile incorrectly requires a role to be specified #10522

Closed
daveadams opened this issue Oct 16, 2019 · 3 comments · Fixed by #10525

@daveadams
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.10
+ provider.aws v2.28.1

Affected Resource(s)

  • aws_iam_instance_profile

Terraform Configuration Files

resource "aws_iam_instance_profile" "test" {
  name = "test"
}

Expected Behavior

Terraform should create an instance-profile named "test" with no role attached.

Actual Behavior


Error: Either `role` or `roles` (deprecated) must be specified when creating an IAM Instance Profile

  on main.tf line 1, in resource "aws_iam_instance_profile" "test":
   1: resource "aws_iam_instance_profile" "test" {

Steps to Reproduce

  1. terraform apply
  2. View and approve the presented plan by typing yes
  3. Receive error message

Important Factoids

The aws_iam_instance_profile documentation does say that "Either role or roles (deprecated) must be specified." But specifying role = "" gets the same error, and specifying roles = [] gets a deprecation warning during the planning stage of terraform apply, followed by the same error after approving the plan.

But it's entirely possible to create and use an instance profile with no role via the IAM and EC2 APIs:

{
    "InstanceProfile": {
        "Path": "/",
        "InstanceProfileName": "testing",
        "InstanceProfileId": "AIPAABCD1234ABCD1234ABCD",
        "Arn": "arn:aws:iam::000011112222:instance-profile/testing",
        "CreateDate": "2019-10-16T16:22:05Z",
        "Roles": []
    }
}

This role-free instance-profile can be attached to an instance and used as metadata--to authenticate to Vault, for example.

Without this capability, I'm forced to create and attach a do-nothing role to my instance-profile instead.

@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Oct 16, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 16, 2019
@aeschright aeschright removed the needs-triage Waiting for first response or review from a maintainer. label Nov 19, 2019
@aeschright aeschright added this to the v2.39.0 milestone Nov 19, 2019
aeschright pushed a commit that referenced this issue Nov 19, 2019
Fixes #10522

The IAM API does not require a role be attached to instance profiles,
and there are use cases (eg Vault EC2 authentication) where a bare
instance profile may be all that is required.

This PR:

* Removes the requirement for `role` or `roles` attributes to exist and
  to be set to some value before creating an `aws_iam_instance_profile`
  resource.

* Adjusts the acceptance tests to explicitly test and allow an instance
  profile with no specified role to be created.

* Removes the notice that either `role` or `roles` is required from the
  website documentation for the `aws_iam_instance_profile` resource.
@ghost

ghost commented Nov 21, 2019

This has been released in version 2.39.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
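
The workaround described in the issue next to the role-free profile that provider 2.39.0 accepts, as an added example that is not part of this thread or of the provider's code. All resource names are hypothetical, and the EC2 trust policy on the placeholder role is an assumption about what a "do-nothing" role looks like.

```hcl
# Added example (Terraform 0.12 syntax). Names are hypothetical.
# Use option A or option B, not both.

# --- Option A: provider versions before 2.39.0 ---------------------------
# The provider rejects a profile without `role`, so a placeholder role is
# attached. It has a trust policy for EC2 and no permission policies.
resource "aws_iam_role" "placeholder" {
  name = "vault-auth-placeholder"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "with_placeholder" {
  name = "vault-auth-with-role"
  role = aws_iam_role.placeholder.name
}

# --- Option B: provider 2.39.0 and later ---------------------------------
# Pin the provider so an older release cannot reintroduce the error
# quoted in the issue. Region is taken from the environment here.
provider "aws" {
  version = ">= 2.39.0"
}

# No `role` argument: the IAM API returns this profile with "Roles": [],
# matching the JSON shown in the issue. The profile ARN is still visible
# to the instance and can serve as identity metadata.
resource "aws_iam_instance_profile" "bare" {
  name = "vault-auth"
}
```

With option A the instance can still obtain temporary credentials for a role that has no permission policies attached; with option B the profile has no role to issue credentials for.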

@daveadams
Contributor Author

Fantastic! Thanks, @aeschright !!

@ghost

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020