-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_launch_configuration does not wait for aws_iam_instance_profile #2349
Comments
Should add that only two items are created on the second apply, the launch configuration and the then dependent autoscaling group. |
Can confirm, I've run into this issue numerous times - just seems to be a timing issue with the IAM profile and re-running terraform a second times allows the ASG to be setup. |
+1 Terraform v. 0.5.3: same issue here. I have to run plan and then apply a second time. |
I should add for other people having this issue that I've worked around this by adding
to the launch configuration resource. |
Adding @jedineeper's solution above did not resolve the issue for me. I still had to wait a few seconds then run apply again. |
depends_on, does not work for me in 0.5.3. Tried that previously to force proper graph mapping, but didn't work. Putting the following local-exec provisioner in aws_iam_instance_profile resource works for me in 0.5.3:
|
In my opinion, the real issue here is that AWS is "eventually consistent". Just because the IAM instance profile is created and an ID is returned is no guarantee that the subsequent call to create the LC which references the IAM profile will be able to access that profile. Terraform needs to be able to detect that issue, wait and then retry. |
Hey folks, In similar scenarios with other resources, we've added logic at the end of So in this case, we could try polling on I'll try to follow up with a PR, but describing the strategy here in case somebody else beats me to it. 😀 |
Normally I would agree with your approach but my understanding is the AWS API can report the profile created, but it's permissions have not been propagated to the EC2 infrastructure yet (~10 seconds). For example, the Response to
From: (http://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html) |
Awesome! Thanks @phinze. You guys are doing an amazing job. I'm really exited to use it. :) |
@zollie Ah gotchya - sounds like you've got good domain knowledge in this area. 👍 I still believe the responsibility should fall on the In general I'm trying to maintain the policy of "don't return from Create until the resource is truly ready to use" so we can avoid leaking resource details across dependencies. And then maybe somebody from the community can make noise upstream to see if AWS will yield a better API for guaranteeing that permissions propagation has occurred. 😀 Let me know if this all makes sense to you. Happy to continue to discuss. |
Ya, I get what your saying. :) But a few things to think about ... How long to sleep before returning from Create? Too short, and the profile may not be ready, too long and the By using the exponential back off of Also, I can only think of two places an instance profile is used, launch configs, and creating a standalone EC2 instance? I get not leaking the abstraction though so ...tough call. |
If it is relevant, I think it might be related to the AWS API, I've seen a similar situation in cloudformation, a two minute (exactly) delay in the creation of IAM roles. |
Yeah I totally agree that a Here are the scenarios I'm worried about:
resource "aws_iam_instance_profile" "foo" { /* ... */ }
resource "null_resource" "kick-off-homegrown-autoscaler" {
provisioner "local-exec" {
command = "./launch-instances-with-profile ${aws_iam_instance_profile.foo.id}"
}
} For all of these reasons I think even though it's the less efficient solution, it's better to have I'm willing to revisit if we find it difficult to land on a stable / reasonable sleep time, but can we pursue that first? Happy to do the leg work to cook up a PR implementing it. (FWIW I also did experimentation on (p.s. Just thought of a crazy idea that might be worth exploring - the iam_instance_profile resource could block until a dummy LaunchConfiguration creates successfully, at which point it immediately removes it and continues.) |
Sure, sleep may just work every time :) Also, to @jedineeper's point, if the AWS API exhibits this behavior in other areas, it would be good to handle it consistently. |
Fixed by #2136. |
@mitchellh This issue is back in v0.6.14. Examples are given in #2136 |
Thanks for the ping @mtougeron - tracking new fix in #5862. 👍 |
I've been fighting with this issue for a month now and the "local-exec" solution, although not beautiful, solved the problem. During this period I used versions |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
I've created a launch configuration and instance profile as below;
When I run an apply, the instance profile is not created in time to create the launch configuration and the apply fails. Running the apply again immediately causes it to succeed.
Sounds like something is missing in a dependency graph?
I've not included all of the template dependencies to keep the issue tidy, but if you need a stronger example then please let me know.
The text was updated successfully, but these errors were encountered: