terraform-aws-imagebuilder-pipeline icon indicating copy to clipboard operation
terraform-aws-imagebuilder-pipeline copied to clipboard

Published 20 hours ago verified publisher icon rhythmictech

[BUG] The value supplied for parameter 'instanceProfileName' is not valid

Open Frituurpanda opened this issue 3 years ago • 8 comments

Describe the bug The latest module (v0.5.2) throws the following error:

"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist.

The might be a race condition here as I can see the resource on a destroy:

  # aws_iam_instance_profile.this will be destroyed
  - resource "aws_iam_instance_profile" "this" {
      - arn         = "arn:aws:iam::123443211234:instance-profile/test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - create_date = "2021-09-14T08:34:52Z" -> null
      - id          = "test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - name        = "test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - name_prefix = "test-pipe-imagebuilder-instance-profile-" -> null
      - path        = "/" -> null
      - role        = "test-pijp-tg-imagebuilder-role-20210914083448508400000001" -> null
      - tags        = {} -> null
      - tags_all    = {} -> null
      - unique_id   = "AIPA3JAHVOPNQES7DJZNN" -> null
    }

There is probably something that I'm missing here. I can see the resource and as the name is a simple string, you'd suspect it to be valid.

To Reproduce terraform apply

Full Stacktrace

│ Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [distConfig, infraConfig]. Rollback requested by user." "Resource creation cancelled" "Resource handler returned message: \"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist. Please specify a different instance profile and try again. (Service: Imagebuilder, Status Code: 400, Request ID: 50600df7-a4fd-4eec-8b01-916d0405b38b, Extended Request ID: null)\" (RequestToken: c97e2aa0-68ca-0cb5-cc52-6bb03c098380, HandlerErrorCode: GeneralServiceException)"]

Frituurpanda avatar Sep 14 '21 09:09 Frituurpanda

have you double-checked that the instance profile is there? terraform is pretty convinced that

The provided instance profile does not exist.

sblack4 avatar Sep 14 '21 12:09 sblack4

So this module currently creates:

Plan: 5 to add, 0 to change, 0 to destroy.

and we can observe:

  # aws_iam_instance_profile.this will be created
  + resource "aws_iam_instance_profile" "this" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "test-pijp-imagebuilder-instance-profile-"
      + path        = "/"
      + role        = (known after apply)
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

After applying it we can see it failing with the error message above but after running a destroy we can observe that the resource was created:

Plan: 0 to add, 0 to change, 5 to destroy.

  # aws_iam_instance_profile.this will be destroyed
  - resource "aws_iam_instance_profile" "this" {
      - arn         = "***" -> null
      - create_date = "2021-09-14T14:00:10Z" -> null
      - id          = "test-pijp-imagebuilder-instance-profile-20210914140010269300000002" -> null
      - name        = "test-pijp-imagebuilder-instance-profile-20210914140010269300000002" -> null
      - name_prefix = "test-pijp-imagebuilder-instance-profile-" -> null
      - path        = "/" -> null
      - role        = "test-pijp-imagebuilder-role-20210914140008181200000001" -> null
      - tags        = {} -> null
      - tags_all    = {} -> null
      - unique_id   = "AIPA5JAMNOVNVTPKXPF5O" -> null
    }

Frituurpanda avatar Sep 14 '21 14:09 Frituurpanda

Having the same issue. The resource is being created

  # aws_iam_instance_profile.this will be created
  + resource "aws_iam_instance_profile" "this" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "Tf-pipeline-imagebuilder-instance-profile-"
      + path        = "/"
      + role        = (known after apply)
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

and I can even see it after deployment running aws iam list-instance-profiles


    "Path": "/",
    "InstanceProfileName": "Tf-pipeline-imagebuilder-instance-profile-20210917132513598500000002",
    "InstanceProfileId": "AIPAQ6JXJPQVQI3IXZED6",
    "Arn": "arn:aws:iam::0XXXXXXXXXXX:instance-profile/Tf-pipeline-imagebuilder-instance-profile-20210917132513598500000002",
    "CreateDate": "2021-09-17T13:25:13+00:00",
    "Roles": [
        {
            "Path": "/",
            "RoleName": "Tf-pipeline-imagebuilder-role-20210917132512716700000001",
            "RoleId": "AROAQ6JXJPQVWYXSL2RDB",
            "Arn": "arn:aws:iam::0XXXXXXXXXXX:role/Tf-pipeline-imagebuilder-role-20210917132512716700000001",
            "CreateDate": "2021-09-17T13:25:12+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }
        }
    ]
}

Do we have a fix on it? Will greatly appreciate any help as we have been stuck for a week?

kddiji avatar Sep 17 '21 14:09 kddiji

@sblack4 I would appreciate if you can assist on this as we have been stuck for weeks. thanks

kddiji avatar Sep 20 '21 11:09 kddiji

This sounds like a race condition. I'm not the only one who has found that IAM can take a few minutes to update

Have you tried just waiting a few minutes and doing another apply?

sblack4 avatar Sep 20 '21 21:09 sblack4

We've tested this too, even up to an hour we can still observe the same stacktrace being thrown.

Frituurpanda avatar Sep 21 '21 07:09 Frituurpanda

This is where the instance profile gets passed to cloudformation but the "i" in InstanceProfile is capitalized. I thought this was the line throwing the error, when it tried to create the InfrastructureConfiguration but I'm not so sure now. Does the error message give more information?

sblack4 avatar Sep 21 '21 15:09 sblack4

The full error after applying:

aws_cloudformation_stack.this: Still creating... [1m20s elapsed]
aws_cloudformation_stack.this: Still creating... [1m30s elapsed]
╷
│ Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [distConfig, infraConfig]. Rollback requested by user." "Resource creation cancelled" "Resource handler returned message: \"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist. Please specify a different instance profile and try again. (Service: Imagebuilder, Status Code: 400, Request ID: xxx, Extended Request ID: null)\" (RequestToken: xxx, HandlerErrorCode: GeneralServiceException)"]
│
│   with aws_cloudformation_stack.this,
│   on main.tf line 125, in resource "aws_cloudformation_stack" "this":
│  125: resource "aws_cloudformation_stack" "this" {
│

Currently does not throw a lot more information. Is there anything else you want me to test?

Frituurpanda avatar Oct 11 '21 10:10 Frituurpanda