Open drobtravels opened 6 years ago
Running into the same issue.
I found that this works: Edit the terraform.tfstate file to change the "get_password_data" attribute to "false" on that instance. Then run the terraform plan again. It should proceed without error.
That's not really a solution if you need the Windows password though.
I have a similar issue and I am receiving this error at the end of the creation phase with Terraform: Password data is blank for instance ID.
Worth mentioning that I had an output key-value for receiving the password at the end.
I found that this works: Edit the terraform.tfstate file to change the "get_password_data" attribute to "false" on that instance. Then run the terraform plan again. It should proceed without error.
Didn't work for me. Still getting the same error.
Did anyone find a solution to this? I only get this error when using a CIS hardened image that I prep with Packer.
Having the same issue
My issue was caused by the local administrator account being renamed, which is a checklist on the CIS benchmark. It is a really dumb security item. As the admin always shows a -500 SID. I added this to the beginning of my startup script.
$500 = Get-LocalUser | Where-Object {$_.SID -Like "*-500"}
echo $500.Name
Rename-LocalUser -Name $500.Name -NewName "Administrator"
The issue @davidlbyrne was experiencing was also experienced by me. The way I fixed this issue was by providing a key pair resource.
Getting the same issue here. Terraform state became poisoned: unable to plan, apply, destroy, locking state. Using remote state, the only solution was:
terraform state pull > backup.tfstate
Edit as mentioned by @laustintime:
"get_password_data": false,
terraform state push -lock=false backup.tfstate
My goal was to destroy resources after the first creation failure, so I can focus on the reason why it fails in the first place, so by now, synced tf files with the edited plan and:
terraform destroy -lock=false
Using the following versions:
Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.16.0
Wanted to list my fix here in case it helps anyone. Though @Ilhicas's solution works around the Terraform bug, the root cause of AWS never reporting a password for the Windows EC2 after it was spun up was that I was adding a couple of large files to the AMI during the Packer build process. After I removed that part of the provisioning and built a new AMI, the password was properly being reported.
I suppose that explains how it works when I'm building a new image but after I get it all set up and use the AMI to deploy fully-formed instances, TF is getting stuck.
It doesn't seem to be a terraform bug, as any instance created manually out of the same AMI also had this problem. I eventually solved this issue with a new AMI image that has the following fix.
For anyone up against this, another thing that worked for me was to manually remove the offending instance from my terraform state with terraform state rm, update the resource config so get_password_data was either not present (false by default) or false, and then import the new resource config with terraform import.
In my case, the offending EC2 was launched from a custom AMI I made to move an instance to a different subnet. Therefore, I already had the password data and didn't need that option.
Has anybody figured out a resolution if you have an image that has CIS Benchmark or other "hardening" in place which renames the built-in Administrator account?
https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973
Worked for me 👍 (Terraform v1.3.7)
Also had to update the serial to the next number to avoid the error
Failed to write state: cannot overwrite existing state with serial 1 with a different state that has the same serial
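The state edit described in the comments above (set "get_password_data" to false, then raise the serial so that terraform state push accepts the file), as an added example that is not code from this thread or from the provider. It assumes state format version 4 as written by Terraform 0.12 and later; the function name and the sample state are hypothetical and constructed for illustration.

```python
import copy
import json
import sys

# Constructed sample in state format version 4 (IDs and lineage are placeholders).
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "0.13.5",
    "serial": 1,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "windows_instance",
         "instances": [{"attributes": {"id": "i-EXAMPLE1", "get_password_data": True}}]},
        {"mode": "managed", "type": "aws_instance", "name": "linux_instance",
         "instances": [{"attributes": {"id": "i-EXAMPLE2", "get_password_data": False}}]},
    ],
}


def disable_password_data(state, only=None):
    """Return (patched_copy, changed_addresses); the input dict is not modified."""
    if state.get("version") != 4:
        raise ValueError("this sketch only understands state format version 4")
    patched = copy.deepcopy(state)
    changed = []
    for res in patched.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "aws_instance":
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        addr = f"{prefix}aws_instance.{res['name']}"
        if only is not None and addr not in only:
            continue  # caller restricted the edit to specific resource addresses
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            if attrs.get("get_password_data") is True:
                attrs["get_password_data"] = False
                changed.append(addr)
    if changed:
        # terraform state push refuses a different state that reuses the old serial.
        patched["serial"] = int(state["serial"]) + 1
    return patched, changed


if __name__ == "__main__":
    # Usage: terraform state pull | python3 fix_state.py > patched.tfstate
    new_state, touched = disable_password_data(json.load(sys.stdin))
    print("patched:", ", ".join(touched) or "nothing", file=sys.stderr)
    json.dump(new_state, sys.stdout, indent=2)
```

Keep the unedited output of terraform state pull as the backup, and set get_password_data to false in the resource configuration as well so the next plan does not turn it back on.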
For me, the AMI used was a public image and I had used key pairs for the Windows server instance, but the section to decrypt passwords using a key on the AWS console was giving an error.
So I searched online and added get_password_data = true in my terraform configuration. And since then I started getting the issue Password data is blank and the terraform command got stuck no matter what I did.
https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973 helped me as well.
But the issue was the key-pair I used had an encryption type ED25519. I changed it to RSA and redeployed the instances with this new key-pair. This worked for me and now I can get my Windows password from the AWS console by decrypting with the key-pair used.
For me, the AMI used was a public image and I had used key pairs for the Windows server instance, but the section to decrypt passwords using a key on the AWS console was giving an error. So I searched online and added get_password_data = true in my terraform configuration. And since then I started getting the issue Password data is blank and the terraform command got stuck no matter what I did. #4417 (comment) helped me as well. But the issue was the key-pair I used had an encryption type ED25519. I changed it to RSA and redeployed the instances with this new key-pair. This worked for me and now I can get my Windows password from the AWS console by decrypting with the key-pair used.
Yep, it worked. Weird, why shouldn't ED25519 work and we must use RSA instead?
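EC2 returns the Windows administrator password encrypted with the key pair's RSA public key, and AWS does not support ED25519 key pairs for Windows instances (ED25519 is a signature scheme with no encryption operation), which is consistent with the fix reported above. A pre-flight check on the public key handed to the key pair resource, as an added example that is not code from this thread; the function names are hypothetical and both sample keys are constructed byte patterns, not usable keys.

```python
import base64
import struct


def _ssh_string(data):
    """Encode one length-prefixed field of the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def _make_line(algo, *fields):
    blob = b"".join(_ssh_string(f) for f in (algo.encode(), *fields))
    return f"{algo} {base64.b64encode(blob).decode()} constructed-sample"


# Constructed samples: correct structure, but the key material is filler bytes.
SAMPLE_RSA = _make_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)
SAMPLE_ED25519 = _make_line("ssh-ed25519", b"\x11" * 32)


def read_fields(blob):
    """Split a decoded public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if len(blob) - off < n:
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def check_windows_key(pubkey_line):
    """Return (ok, detail) for an OpenSSH-format public key line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64> [comment]'")
    fields = read_fields(base64.b64decode(parts[1], validate=True))
    algo = fields[0].decode("ascii") if fields else ""
    if algo != parts[0]:
        raise ValueError("algorithm label does not match the key blob")
    if algo != "ssh-rsa":
        return False, f"{algo}: not an RSA key, password data cannot be encrypted to it"
    if len(fields) != 3:
        raise ValueError("ssh-rsa blob must hold exponent and modulus")
    modulus = int.from_bytes(fields[2], "big")
    return True, f"ssh-rsa, {modulus.bit_length()}-bit modulus"
```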
I tried the suggestions mentioned in https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973 and https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-1605326381, but unfortunately I'm still blocked at the persistent error log Password data is blank for instance ID.
I ended up creating the instances using the console UI and importing them using terraform import. Not sure if this is dependent on the AMI.
I've encountered a situation where I seem to be "stuck" and can't do any terraform plans due to the ec2/GetPasswordData failing. I initially had get_password_data of a Windows EC2 Instance set to true. The current AMI does not support getting the password, but even if I change get_password_data to false, terraform plan will fail with the following error:
aws_instance.windows_instance: aws_instance.windows_instance: Password data is blank for instance ID: i-027d0bca13295f548
Is there any way to move forward from this situation? I can't seem to destroy the instances either, due to terraform plan failing.
Terraform Version
Terraform version: v0.11.7
Affected Resource(s)
Terraform Configuration Files
See full setup
Debug Output
https://gist.github.com/droberts84/acbc94ab8cfd925dd468a9c29215b216#file-tf_logs-txt
Expected Behavior
terraform plan or terraform apply is successful with a blank password_data attribute
Alternatively it would be acceptable if the error went away by specifying get_password_data = false
Actual Behavior
terraform plan or terraform apply fail with error:
Steps to Reproduce
terraform apply
aws_instance.windows_instance.ami to newly created AMI
terraform apply
terraform plan seems to fail no matter what you do after this