CiscoDevNet / cloud-cml

Run Cisco Modeling Labs on cloud infrastructure
https://www.cisco.com/go/cml
Apache License 2.0

Error: creating EC2 Instance: InvalidParameterValue: Value (s3-access-for-ec2) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name #4

Closed audacious-lab closed 1 year ago

audacious-lab commented 1 year ago

config.yaml

aws:
  region: us-east-1
  bucket: my-s3-aws-bucket
  flavor: m5zn.metal
  profile: s3-access-for-ec2
  key_name: cml-aws-key-pair
  disk_size: 64

hostname: cml-controller

app:
  user: admin
...

Modify permissions in allow-role-assignment

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::**Account_ID**::role/s3-access-for-ec2"
        }
    ]
}

terraform apply -auto-approve

module.deploy.random_id.id: Refreshing state... [id=pSs0tg]
module.deploy.data.aws_ami.ubuntu: Reading...
module.deploy.aws_security_group.sg-tf: Refreshing state... [id=sg-089a9b1a7a5755311]
module.deploy.data.aws_ami.ubuntu: Read complete after 0s [id=ami-05bfc1ab11bfbf484]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.deploy.aws_instance.cml will be created
  + resource "aws_instance" "cml" {
      + ami                                  = "ami-05bfc...."
      + arn                                  = (known after apply)
      + associate_public_ip_address          = (known after apply)
      + availability_zone                    = (known after apply)
      + cpu_core_count                       = (known after apply)
      + cpu_threads_per_core                 = (known after apply)
      + disable_api_stop                     = (known after apply)
      + disable_api_termination              = (known after apply)
      + ebs_optimized                        = (known after apply)
      + get_password_data                    = false
      + host_id                              = (known after apply)
      + host_resource_group_arn              = (known after apply)
      + iam_instance_profile                 = "s3-access-for-ec2"
      + id                                   = (known after apply)
      + instance_initiated_shutdown_behavior = (known after apply)
      + instance_lifecycle                   = (known after apply)
      + instance_state                       = (known after apply)
      + instance_type                        = "m5zn.metal"
      + ipv6_address_count                   = (known after apply)
      + ipv6_addresses                       = (known after apply)
      + key_name                             = "cml-aws-key-pair"
      + monitoring                           = (known after apply)
      + outpost_arn                          = (known after apply)
      + password_data                        = (known after apply)
      + placement_group                      = (known after apply)
      + placement_partition_number           = (known after apply)
      + primary_network_interface_id         = (known after apply)
      + private_dns                          = (known after apply)
      + private_ip                           = (known after apply)
      + public_dns                           = (known after apply)
      + public_ip                            = (known after apply)
      + secondary_private_ips                = (known after apply)
      + security_groups                      = (known after apply)
      + source_dest_check                    = true
      + spot_instance_request_id             = (known after apply)
      + subnet_id                            = (known after apply)
      + tags_all                             = (known after apply)
      + tenancy                              = (known after apply)
      + user_data                            = "2fb8......"
      + user_data_base64                     = (known after apply)
      + user_data_replace_on_change          = false
      + vpc_security_group_ids               = [
          + "sg-089a....",
        ]

      + root_block_device {
          + delete_on_termination = true
          + device_name           = (known after apply)
          + encrypted             = (known after apply)
          + iops                  = (known after apply)
          + kms_key_id            = (known after apply)
          + throughput            = (known after apply)
          + volume_id             = (known after apply)
          + volume_size           = 64
          + volume_type           = (known after apply)
        }
    }

  # module.ready.data.cml2_system.state will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "cml2_system" "state" {
      + id            = (known after apply)
      + ignore_errors = true
      + timeout       = "10m"
      + version       = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + cml2info = {
      + address = (known after apply)
      + del     = (known after apply)
      + url     = (known after apply)
      + version = (known after apply)
    }
module.deploy.aws_instance.cml: Creating...
module.deploy.aws_instance.cml: Still creating... [10s elapsed]
module.deploy.aws_instance.cml: Still creating... [20s elapsed]
module.deploy.aws_instance.cml: Still creating... [30s elapsed]
module.deploy.aws_instance.cml: Still creating... [40s elapsed]
module.deploy.aws_instance.cml: Still creating... [50s elapsed]
module.deploy.aws_instance.cml: Still creating... [1m0s elapsed]
module.deploy.aws_instance.cml: Still creating... [1m10s elapsed]
module.deploy.aws_instance.cml: Still creating... [1m20s elapsed]
module.deploy.aws_instance.cml: Still creating... [1m30s elapsed]
module.deploy.aws_instance.cml: Still creating... [1m40s elapsed]
module.deploy.aws_instance.cml: Still creating... [1m50s elapsed]
module.deploy.aws_instance.cml: Still creating... [2m0s elapsed]

│ Error: creating EC2 Instance: InvalidParameterValue: Value (s3-access-for-ec2) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
│   status code: 400, request id: cab00439-5237-4e54-a6ac-44ee5f249f8e
│
│   with module.deploy.aws_instance.cml,
│   on module-cml2-deploy-aws/main.tf line 125, in resource "aws_instance" "cml":
│  125: resource "aws_instance" "cml" {

rschmied commented 1 year ago

Thanks for raising this, @audacious-lab . Can you confirm that you replaced Account_ID in the policy JSON with your valid account ID?

rschmied commented 1 year ago

To answer my own question: most likely yes (as you redacted other parts and it's also different from the README). Could this https://github.com/hashicorp/terraform-provider-aws/issues/27516 be related? Did you try a different region / flavor or zone?

audacious-lab commented 1 year ago

Yes, correct Account_ID was replaced intentionally.

I don't have a lot of AWS experience, so it wasn't very clear from the documentation how to create an IAM instance profile and how to assign the role to it. That did the trick, I hope that helps anyone else.

AWS CloudShell

aws iam create-instance-profile --instance-profile-name s3-access-for-ec2
aws iam add-role-to-instance-profile --instance-profile-name s3-access-for-ec2 --role-name s3-access-for-ec2
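
A pre-flight check that catches this mismatch before `terraform apply` spends two minutes waiting on the 400. This is an added example, not code from the cloud-cml project or from the thread; it uses the same two AWS CLI calls as above plus `get-instance-profile` and `get-role`, assumes the IAM role already exists, and takes the profile and role names (here both `s3-access-for-ec2`) as parameters. During testing a shell function named `aws` can stand in for the CLI.

```shell
#!/bin/sh
# Pre-flight check for the cloud-cml AWS deploy (added example, not project code):
# the name in config.yaml (aws.profile) must exist as an IAM *instance profile*
# with the IAM role attached, otherwise EC2 rejects iamInstanceProfile.name with
# the 400 seen in this issue. Assumes the role already exists and that `aws` on
# PATH is the AWS CLI (or a stand-in shell function with the same arguments).
set -u

profile_exists() {
  aws iam get-instance-profile --instance-profile-name "$1" >/dev/null 2>&1
}

# Role names attached to the profile, one per line (text output is tab-separated).
profile_roles() {
  aws iam get-instance-profile --instance-profile-name "$1" \
    --query 'InstanceProfile.Roles[].RoleName' --output text 2>/dev/null |
    tr '\t' '\n'
}

role_attached() {
  profile_roles "$1" | grep -qx "$2"
}

# ensure_instance_profile PROFILE ROLE
# Creates the profile and attaches the role only when missing, so it is safe to
# re-run. Returns 0 when the profile ends up with the role attached, 1 otherwise.
ensure_instance_profile() {
  profile=$1
  role=$2
  if ! aws iam get-role --role-name "$role" >/dev/null 2>&1; then
    echo "IAM role $role does not exist; create it before the instance profile" >&2
    return 1
  fi
  if ! profile_exists "$profile"; then
    aws iam create-instance-profile --instance-profile-name "$profile" >/dev/null
  fi
  if ! role_attached "$profile" "$role"; then
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$profile" --role-name "$role"
  fi
  role_attached "$profile" "$role"
}

# Usage: sh ensure-profile.sh s3-access-for-ec2 s3-access-for-ec2
if [ $# -ge 2 ]; then
  ensure_instance_profile "$1" "$2"
fi
```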

rschmied commented 1 year ago

So, with the above AWS CLI changes it works now? At least you don't get the 400 error anymore and the provisioning continues? If so, then either close this issue or let me know so that I can close it.

audacious-lab commented 1 year ago

Hi @rschmied, thank you for your prompt responses.

Yes, the AWS instance has been created.

module.deploy.aws_instance.cml: Creating...
module.deploy.aws_instance.cml: Still creating... [10s elapsed]
module.deploy.aws_instance.cml: Creation complete after 13s [id=i-021c1660e9bbc33c0]

I've opened a separate issue for the next step - module.ready.data.cml2_system.state