databricks / terraform-provider-databricks

Databricks Terraform Provider
https://registry.terraform.io/providers/databricks/databricks/latest

[ISSUE] Issue with `databricks_instance_profile` resource (cannot be updated in place) #4210

Open LittleWat opened 1 week ago

LittleWat commented 1 week ago

Configuration

locals {
  role_name = "${var.workspace_name}-${var.environment}_${var.role_subname}-instance-role"
  role_arn  = "arn:aws:iam::${var.aws_account_id}:role/${local.role_name}"
}

# Create Role
resource "aws_iam_role" "this" {
  name               = local.role_name
  description        = "Role that has access to the AWS resources for databricks ec2 instances in ${var.workspace_name} workspace"
  assume_role_policy = data.aws_iam_policy_document.assume_role_for_ec2.json
}

data "aws_iam_policy_document" "assume_role_for_ec2" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}

# attach kafka access policy if it exists
resource "aws_iam_role_policy_attachment" "kafka_access_policy" {
  count      = contains(keys(var.kafka_access_control_role_arn_to_policy_arn), local.role_arn) ? 1 : 0
  policy_arn = var.kafka_access_control_role_arn_to_policy_arn[aws_iam_role.this.arn]
  role       = aws_iam_role.this.name
  depends_on = [aws_iam_role.this]
}

# Create instance profile
resource "aws_iam_instance_profile" "this" {
  name = local.role_name
  role = aws_iam_role.this.name
}

# Attach PassRole to the cross account role
data "aws_iam_policy_document" "pass_role" {
  statement {
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.this.arn]
  }
}
resource "aws_iam_policy" "pass_role" {
  name   = "pass-role-for-${local.role_name}"
  path   = "/"
  policy = data.aws_iam_policy_document.pass_role.json
}

resource "aws_iam_role_policy_attachment" "cross_account_to_workspace_level_instance_profile_pass_role_policy" {
  policy_arn = aws_iam_policy.pass_role.arn
  role       = var.cross_account_role_name
}

# Enable instance_profile for the target workspace admins
resource "databricks_instance_profile" "this" {
  provider             = databricks.workspace
  instance_profile_arn = aws_iam_instance_profile.this.arn
  iam_role_arn         = aws_iam_role.this.arn

  # to address https://github.com/databricks/terraform-provider-databricks/issues/1226 ("databricks_instance_profile Fails with AWS")
  skip_validation = true
}

I have updated var.role_subname from test to default, but I cannot update databricks_instance_profile.

Expected Behavior

It can update databricks_instance_profile as planned:

Actual Behavior

╷
│ Error: cannot update instance profile: Instance profile InstanceProfileARN(arn:aws:iam::[AWS_ACCOUNT_ID]:instance-profile/[workspace]-[env]_default-instance-role) does not exist for 787476556362075
│ 
│   with databricks_instance_profile.this,
│   on main.tf line 62, in resource "databricks_instance_profile" "this":
│   62: resource "databricks_instance_profile" "this" {
│ 
╵

10:24:46.158 ERROR  1 error occurred:
        * [./.terragrunt-cache/beqrFmvSH1IvJI0u_1uHjo0IzY0/2mVsl9dBhCfAXYk1zWsz2C82RD0/terraform/dbx_instance_profile] exit status 1

I have to destroy all the resources in this module and recreate all of them to fix this.

Steps to Reproduce

Just update the var.role_subname from test to default.

Terraform and provider versions

Is it a regression?

Debug Output

Important Factoids

Would you like to implement a fix?
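
One way to avoid the failed in-place update while the provider behaviour is being looked at, as an added example that is not part of the original issue and not the provider's own code: tell Terraform to replace the `databricks_instance_profile` registration whenever the underlying AWS instance profile is replaced, which is what a rename of `local.role_name` already forces. This reproduces the reporter's destroy-and-recreate fix for just the two affected resources. It assumes Terraform 1.2 or later (`replace_triggered_by`) and reuses the resource names and the `databricks.workspace` provider alias from the configuration above.

```hcl
# Added example (not from the issue or the provider). Assumes Terraform >= 1.2
# and the resource names from the reporter's configuration:
# local.role_name, aws_iam_role.this, provider alias databricks.workspace.

resource "aws_iam_instance_profile" "this" {
  # Changing the name forces a new instance profile (new ARN) on the AWS side.
  name = local.role_name
  role = aws_iam_role.this.name
}

resource "databricks_instance_profile" "this" {
  provider             = databricks.workspace
  instance_profile_arn = aws_iam_instance_profile.this.arn
  iam_role_arn         = aws_iam_role.this.arn
  skip_validation      = true

  lifecycle {
    # When aws_iam_instance_profile.this is replaced (for example because
    # var.role_subname changed), replace this workspace registration as well
    # instead of attempting an update against an ARN the workspace has never
    # seen. An attribute-only change that does not replace the AWS resource
    # still goes through the provider's normal update path.
    replace_triggered_by = [aws_iam_instance_profile.this]
  }
}
```

With this in place, `terraform plan` shows `databricks_instance_profile.this` as "must be replaced" (replacement triggered by `aws_iam_instance_profile.this`) rather than as an in-place update. The old registration is removed and the new ARN registered, so any cluster or cluster policy still pinned to the old instance-profile ARN has to be updated in the same change; the `iam:PassRole` policy above already follows `aws_iam_role.this.arn` and needs no extra handling.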

alexott commented 1 week ago

Collect debug logs. From the error message it looks like some substitutions weren't done correctly.