ASG create fail: ValidationError: valid fully-formed launch template Invalid IAM Instance Profile ARN

[riddhi89]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Error:

Error: updating Auto Scaling Group (xyz): ValidationError: You must use a valid fully-formed launch template. Value (arn:aws:iam::012345678901:instance-profile/node-xyz) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN

Terraform CLI and Terraform AWS Provider Version

Terraform version: 0.12.23 Terraform AWS Provider Version: v2.70.0

Affected Resource(s)

aws_iam_instance_profile aws_launch_template aws_autoscaling_group

Repeat of an earlier reported issue

Similar Terraform configuration, behavior and error as reported in https://github.com/hashicorp/terraform-provider-aws/issues/5217

The issue was fixed in 1.34.0 (https://github.com/hashicorp/terraform-provider-aws/pull/5633)

Could we consider bumping the propagation timeout to mitigate this further? https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/autoscaling/consts.go#L10

[justinretzolk]

Hey @riddhi89 👋 Thank you for taking the time to raise this! I noticed you mentioned you're using AWS Provider version 2.70.0. In that version of the provider, the timeout was still 1 * time.Minute, however, in subsequent versions, it uses 2 * time.Minute, as seen in the link you provided to the propagationTimeout constant. This change happened in AWS Provider version 3.35.0 with https://github.com/hashicorp/terraform-provider-aws/pull/17811. Can you upgrade to a later version that has this change and see if that improves the behavior?

[stevehipwell]

This is still an issue (or has regressed) in v4.56.0.

I'm seeing the error below when changing the instance profile for an ASG via a launch template.

│ Error: updating Auto Scaling Group (system-v1-uda-20230302115118570900000047): ValidationError: You must use a valid fully-formed launch template. Value (arn:aws:iam::0000000000000:instance-profile/node-20230303153940014700000002) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN │ status code: 400, request id: 2d722a90-33dc-40e7-b7ef-ad9996399e30 │ │ with module.eks.module.node_groups.module.self_managed_system_node_groups["system-v1-uda"].aws_autoscaling_group.default, │ on .terraform/modules/eks/modules/node-groups/modules/self-managed-node-group/main.tf line 34, in resource "aws_autoscaling_group" "default": │ 34: resource "aws_autoscaling_group" "default" {

[arianvp]

This is still an issue in 5.1.0:

updating Auto Scaling Group (hub-asg-example): ValidationError: You must use a valid fully-formed launch template. Value (arn:aws:iam::0000000000:instance-profile/instance_hub-asg-example) for parameter iamInstanceProfile.arn is invalid. Invalid IAM Instance Profile ARN

[arianvp]

Reproducer that doesn't work:

data "aws_iam_policy_document" "assume" {
    statement {
        actions = [ "sts:AssumeRole" ]
        principals {
            type = "Service"
            identifiers = [ "ec2.amazonaws.com" ]
        }
    }
}

resource "aws_iam_role" "this" {
    name = "my-role"
    assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_instance_profile" "this" {
    name = "my-instance-profile"
    role = aws_iam_role.this.name
}

resource "aws_launch_template" "this" {
    name = "my-launch-template"
    image_id = "ami-0ff8a91507f77f867"
    instance_type = "t2.micro"
    iam_instance_profile { name = aws_iam_instance_profile.this.name }
}

resource "aws_autoscaling_group" "this" {
    name = "my-autoscaling-group"
    min_size = 1
    max_size = 1
    desired_capacity = 1
    launch_template { id = aws_launch_template.this.id }
    vpc_zone_identifier = [ "subnet-12345678" ]
}

The equivalent Amazon CDK works fine and is able to create the auto scaling group fine and attach the instance profile:

    const vpc = new ec2.Vpc(this, "Vpc")
    new autoscaling.AutoScalingGroup(this, "AutoScalingGroup", {
      vpc,
      launchTemplate: new ec2.LaunchTemplate(this, "LaunchTemplate", {
        machineImage: new ec2.AmazonLinuxImage(),
        instanceType: new ec2.InstanceType("t2.micro"),
        instanceProfile: new iam.InstanceProfile(this, "InstanceProfile"),
      }),
    })

[stevehipwell]

@justinretzolk 👀

[hbjydev]

@justinretzolk Bump on this please, this is preventing us from fixing issues currently

[github-actions[bot]]

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions[bot]]

This functionality has been released in v5.76.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!