Don't require a role for aws_iam_instance_profile

[daveadams]

The IAM API does not require a role be attached to instance profiles,
and there are use cases (eg Vault EC2 authentication) where a bare
instance profile may be all that is required.

This PR:

• Removes the requirement for role or roles attributes to exist and
  to be set to some value before creating an aws_iam_instance_profile
  resource.

• Adjusts the acceptance tests to explicitly test and allow an instance
  profile with no specified role to be created.

• Removes the notice that either role or roles is required from the
  website documentation for the aws_iam_instance_profile resource.

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #10522

Release note for CHANGELOG:

Removes requirement to specify a role when creating an instance profile to match the API.

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSIAMInstanceProfile_withoutRole'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -count 1 -parallel 20 -run=TestAccAWSIAMInstanceProfile_withoutRole -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSIAMInstanceProfile_withoutRole
=== PAUSE TestAccAWSIAMInstanceProfile_withoutRole
=== CONT  TestAccAWSIAMInstanceProfile_withoutRole
--- PASS: TestAccAWSIAMInstanceProfile_withoutRole (18.86s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	18.894s
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap	0.056s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags	0.004s [no tests to run]

[aeschright]

Hi @daveadams! I'm reading through the docs and trying to understand the use case better. It seems like the AWS expectation is that the roles attribute can be initially empty, with the role added and assigned later. Is that also how it appears to you? I'm wondering if allowing this to be empty is going to cause other unexpected behaviors.

[daveadams]

Hey Audrey, yes, the AWS documentation does assume you will add a role to the instance profiles. But I haven't run into any issues with EC2 when it's left out. If there's no role attached, then there are no IAM credentials available from the instance via the EC2 metadata service, but in my case, I'm only interested in having an instance-profile so that I can authenticate to Vault.

[aeschright]

Ok, let's do it!

--- PASS: TestAccAWSIAMInstanceProfile_withoutRole (14.74s)

[ghost]

This has been released in version 2.39.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!