test if iam profile already was destroyed by terraform #6048

thiagonache

Summary

When Terraform tries to destroy an IAM role, it loops over every attached IAM Instance Profile and tries to delete the attachment.

    // Roles cannot be destroyed when attached to an existing Instance Profile
    resp, err := iamconn.ListInstanceProfilesForRole(&iam.ListInstanceProfilesForRoleInput{
        RoleName: aws.String(d.Id()),
    })
    if err != nil {
        return fmt.Errorf("Error listing Profiles for IAM Role (%s) when trying to delete: %s", d.Id(), err)
    }

    // Loop and remove this Role from any Profiles
    if len(resp.InstanceProfiles) > 0 {
        for _, i := range resp.InstanceProfiles {
            _, err := iamconn.RemoveRoleFromInstanceProfile(&iam.RemoveRoleFromInstanceProfileInput{
                InstanceProfileName: i.InstanceProfileName,
                RoleName:            aws.String(d.Id()),
            })
            if err != nil {
                return fmt.Errorf("Error deleting IAM Role %s: %s", d.Id(), err)
            }
        }
    }

But if you create the IAM Instance Profile with Terraform, it will be deleted beforehand and cause an exception here.

Fix

I check if the IAM Instance Profile still exists before removing the attachment.

    // Loop and remove this Role from any Profiles
    if len(resp.InstanceProfiles) > 0 {
        for _, i := range resp.InstanceProfiles {
            // Test if profile was already deleted by terraform
            _, err := iamconn.GetInstanceProfile(&iam.GetInstanceProfileInput{
                InstanceProfileName: i.InstanceProfileName,
            })
            // err == nil means the profile still exists, so detach the role from it
            if err == nil {
                _, err := iamconn.RemoveRoleFromInstanceProfile(&iam.RemoveRoleFromInstanceProfileInput{
                    InstanceProfileName: i.InstanceProfileName,
                    RoleName:            aws.String(d.Id()),
                })
                if err != nil {
                    return fmt.Errorf("Error deleting IAM Role %s: %s", d.Id(), err)
                }
            }
        }
    }

Note

You can also fix it using depends_on. But I guess it's a bug. Please let me know what you guys think.

Signed-off-by: Thiago Nache <thiagonbcarvalho@gmail.com>
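
An added example, not code from this pull request or from Terraform: another way to tolerate a profile that is already gone is to attempt the removal and skip only a `NoSuchEntity` error, so that other failures still stop the destroy. `codedError`, `roleDetacher`, `fakeIAM` and `detachRole` are hypothetical stand-ins for the SDK's `awserr.Error` and IAM client, and the profile names are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// codedError is a hypothetical stand-in for the SDK's awserr.Error.
type codedError struct{ code, msg string }

func (e *codedError) Error() string { return e.code + ": " + e.msg }
func (e *codedError) Code() string  { return e.code }

// roleDetacher is a hypothetical one-method view of the IAM client.
type roleDetacher interface {
	RemoveRoleFromInstanceProfile(profile, role string) error
}

// fakeIAM is constructed sample data: profile name -> error the call returns.
type fakeIAM map[string]error

func (f fakeIAM) RemoveRoleFromInstanceProfile(profile, role string) error {
	return f[profile]
}

// detachRole removes role from each profile and returns how many it detached.
// NoSuchEntity means the profile is already gone, so it is skipped; any other
// error (AccessDenied, throttling) aborts so the destroy does not hide it.
func detachRole(c roleDetacher, role string, profiles []string) (int, error) {
	detached := 0
	for _, p := range profiles {
		err := c.RemoveRoleFromInstanceProfile(p, role)
		var coded interface{ Code() string }
		if errors.As(err, &coded) && coded.Code() == "NoSuchEntity" {
			continue
		}
		if err != nil {
			return detached, fmt.Errorf("removing role %s from profile %s: %w", role, p, err)
		}
		detached++
	}
	return detached, nil
}

func main() {
	iam := fakeIAM{"gone": &codedError{"NoSuchEntity", "profile not found"}}
	n, err := detachRole(iam, "app-role", []string{"web", "gone", "db"})
	fmt.Println(n, err)
}
```
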
@thiagonache

Moved to issue #6082 for evaluation

@thiagonache thiagonache closed this Apr 8, 2016

ghost commented Apr 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 26, 2020