iam_instance_profile, role assignment should not be an array #11575
Comments
Hi @misham, thanks for the issue! Unfortunately, how the Closing, as not an issue, but happy to discuss further! Thanks!
@grubernaut any pointers for how to do so? I just spent a week going back and forth with them on this to finally get a reply of "it's hard coded we can't change anything"
@misham I've submitted a limit increase via the Amazon Support panel, pending their response that should theoretically be the correct path for increasing that resource limit. I'll keep you posted, however.
Thank you! If there's any info you need from my end or details on my interactions with them, let me know.
@grubernaut were you able to get AWS support to increase your limit?
@misham despite my best efforts I was unable to get a decent response or increase from AWS support. 😞 I'll re-open this and ping some folks internally for a discussion on this. Thank you for your patience with this while we get this sorted.
I believe this is a case where the API mismatches with the underlying implementation. The API Terraform is calling also accepts an array, but rejects a request with more than one item in it. We generally try to follow the structure of underlying APIs because that way we are less likely to get caught out by assumptions changing in future. However in this case it probably wouldn't hurt to support an additional non-list attribute and deprecate the list; we can always flop back the other way (or accept both forms) if a future AWS API change creates a legitimate reason to pass a list.
@grubernaut thank you. @apparentlymart I like the idea of both forms and updating the docs. Worst case, a clear explanation in the docs would be 80% (I think)
Hey all – At the least, we should update the documentation and add a The discrepancy Martin points out is super weird, that the API expects an array but rejects if it has more than one element. Where are we seeing that, exactly? In the API docs I only see AddRole to InstanceProfile. The code we have loops the array and calls this endpoint for each item. What's the error shown? Right now, I'm in favor of providing a
You're on the right side. 👍 The API doc for
Trying to add a second IAM role to an instance profile (aws-cli/1.11.38):
Ahh yes, thanks to @Dominik-K's reference I see that I wasn't remembering this quite right in my earlier comment... it's not that the underlying API accepts an array, but rather that it has this "Add Role" operation that fails if you try to call it a second time without removing the first. Sorry I misled a bit there. I was a bit rusty on this from when I ran into this problem maybe a year ago. 😀
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
After confirming from AWS support, there is a hard limit of 1 for number of roles that can be tied to an instance profile.
See more on defaults: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
The documentation shows it as an array https://www.terraform.io/docs/providers/aws/r/iam_instance_profile.html
The `role` attribute should just be an item to reduce confusion.