ASG creation failure due to invalid IAM instance profile error

[riddhi89]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform version: 0.12.23 Terraform AWS Provider Version: v2.70.0

Affected Resource(s)

aws_iam_instance_profile aws_launch_template aws_autoscaling_group

Repeat of an earlier reported issue

Similar Terraform configuration, behavior and error as reported in https://github.com/hashicorp/terraform-provider-aws/issues/5217

The issue was fixed in 1.34.0 (https://github.com/hashicorp/terraform-provider-aws/pull/5633)

Could we consider bumping the propagation timeout to mitigate this further? https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/autoscaling/consts.go#L10

[justinretzolk]

Hey @riddhi89 👋 Thank you for taking the time to raise this! I noticed you mentioned you're using AWS Provider version 2.70.0. In that version of the provider, the timeout was still 1 * time.Minute, however, in subsequent versions, it uses 2 * time.Minute, as seen in the link you provided to the propagationTimeout constant. This change happened in AWS Provider version 3.35.0 with https://github.com/hashicorp/terraform-provider-aws/pull/17811. Can you upgrade to a later version that has this change and see if that improves the behavior?

[stevehipwell]

This is still an issue (or has regressed) in v4.56.0.

I'm seeing the error below when changing the instance profile for an ASG via a launch template.

│ Error: updating Auto Scaling Group (system-v1-uda-20230302115118570900000047): ValidationError: You must use a valid fully-formed launch template. Value (arn:aws:iam::0000000000000:instance-profile/node-20230303153940014700000002) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN │ status code: 400, request id: 2d722a90-33dc-40e7-b7ef-ad9996399e30 │ │ with module.eks.module.node_groups.module.self_managed_system_node_groups["system-v1-uda"].aws_autoscaling_group.default, │ on .terraform/modules/eks/modules/node-groups/modules/self-managed-node-group/main.tf line 34, in resource "aws_autoscaling_group" "default": │ 34: resource "aws_autoscaling_group" "default" {

[arianvp]

This is still an issue in 5.1.0:

updating Auto Scaling Group (hub-asg-example): ValidationError: You must use a valid fully-formed launch template. Value (arn:aws:iam::0000000000:instance-profile/instance_hub-asg-example) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN

[arianvp]

Reproducer that doesn't work:

data "aws_iam_policy_document" "assume" {
    statement {
        actions = [ "sts:AssumeRole" ]
        principals {
            type = "Service"
            identifiers = [ "ec2.amazonaws.com" ]
        }
    }
}

resource "aws_iam_role" "this" {
    name = "my-role"
    assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_instance_profile" "this" {
    name = "my-instance-profile"
    role = aws_iam_role.this.name
}

resource "aws_launch_template" "this" {
    name = "my-launch-template"
    image_id = "ami-0ff8a91507f77f867"
    instance_type = "t2.micro"
    iam_instance_profile { name = aws_iam_instance_profile.this.name }
}

resource "aws_autoscaling_group" "this" {
    name = "my-autoscaling-group"
    min_size = 1
    max_size = 1
    desired_capacity = 1
    launch_template { id = aws_launch_template.this.id }
    vpc_zone_identifier = [ "subnet-12345678" ]
}

The equivalent Amazon CDK works fine and is able to create the auto scaling group fine and attach the instance profile:

    const vpc = new ec2.Vpc(this, "Vpc")
    new autoscaling.AutoScalingGroup(this, "AutoScalingGroup", {
      vpc,
      launchTemplate: new ec2.LaunchTemplate(this, "LaunchTemplate", {
        machineImage: new ec2.AmazonLinuxImage(),
        instanceType: new ec2.InstanceType("t2.micro"),
        instanceProfile: new iam.InstanceProfile(this, "InstanceProfile"),
      }),
    })

[stevehipwell]

@justinretzolk 👀

[hbjydev]

@justinretzolk Bump on this please, this is preventing us from fixing issues currently