hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

plan fails with "Password data is blank for instance ID" if password_data is blank #4417

Open drobtravels opened 6 years ago

drobtravels commented 6 years ago

I've encountered a situation where I seem to be "stuck" and can't do any terraform plans due to the ec2/GetPasswordData failing. I initially had get_password_data of a Windows EC2 Instance set to true. The current AMI does not support getting the password, but even if I change get_password_data to false, terraform plan will fail with the following error:

aws_instance.windows_instance: aws_instance.windows_instance: Password data is blank for instance ID: i-027d0bca13295f548

Is there any way to move forward from this situation? I can't seem to destroy the instances either, due to terraform plan failing.

Terraform Version

Terraform version: v0.11.7

Affected Resource(s)

Terraform Configuration Files

resource "aws_instance" "windows_instance" {
  ami = "${data.aws_ami.windows_full.id}" // original
  # ami = "ami-99328be6" // change to this before second apply
  instance_type = "t2.nano"
  key_name = "${var.key_pair_name}"
  tags = {
    "Name" = "windows-test"
  }
  vpc_security_group_ids = ["${aws_security_group.windows_security.id}"]
  subnet_id = "${var.public_subnet_id}"
  get_password_data = true
}

See full setup

Debug Output

https://gist.github.com/droberts84/acbc94ab8cfd925dd468a9c29215b216#file-tf_logs-txt

Expected Behavior

terraform plan or terraform apply is successful with a blank password_data attribute

Alternatively it would be acceptable if the error went away by specifying get_password_data = false

Actual Behavior

terraform plan or terraform apply fail with error:

aws_instance.windows_instance: aws_instance.windows_instance: Password data is blank for instance ID: i-027d0bca13295f548

Steps to Reproduce

  1. terraform apply
  2. Create an AMI of the machine
  3. Change aws_instance.windows_instance.ami to newly created AMI
  4. terraform apply.
  5. Apply is carried out, but terraform ends with error
  6. terraform plan seems to fail no matter what you do after this

sykesjs commented 6 years ago

Running into the same issue.

laustintime commented 5 years ago

I found that this works: Edit the terraform.tfstate file to change the "get_password_data" attribute to "false" on that instance. Then run the terraform plan again. It should proceed without error.

saargrin commented 5 years ago

That's not really a solution if you need the Windows password, though.

Ali-TW-London commented 4 years ago

I have a similar issue and I am receiving this error at the end of the creation phase with Terraform: Password data is blank for instance ID.

Worth mentioning that I had an output key-value for receiving the password at the end.

mrvladis commented 4 years ago

> I found that this works: Edit the terraform.tfstate file to change the "get_password_data" attribute to "false" on that instance. Then run the terraform plan again. It should proceed without error.

Didn't work for me. Still getting the same error.

mo1090 commented 4 years ago

Did anyone find a solution to this? I only get this error when using a CIS hardened image that I prep with Packer.

davidlbyrne commented 4 years ago

Having the same issue

mo1090 commented 4 years ago

My issue was caused by the local administrator account being renamed, which is a checklist item in the CIS benchmark. It is a really dumb security item, as the admin always shows a -500 SID. I added this to the beginning of my startup script.

# Find the built-in Administrator account by its well-known RID (-500), whatever it was renamed to
$500 = Get-LocalUser | Where-Object { $_.SID -Like "*-500" }
echo $500.Name
# Restore the original name so password generation finds the account
Rename-LocalUser -Name $500.Name -NewName "Administrator"

mardinyadegar commented 4 years ago

The issue @davidlbyrne was experiencing was also experienced by me. The way I fixed this issue was by providing a key pair resource.

Ilhicas commented 3 years ago

Getting the same issue here; the Terraform state became poisoned, unable to plan, apply, destroy, locking state... Using remote state, the only solution was:

terraform state pull > backup.tfstate

Edit to as mentioned by @laustintime

"get_password_data": false,

terraform state push -lock=false backup.tfstate

My goal was to destroy the resources after the first creation failure, so I could focus on the reason why it fails in the first place, so by now I had synced the tf files with the edited plan and:

terraform destroy -lock=false

Using the following versions:

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.16.0
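The pull/edit/push recovery above, and the serial bump that a later comment in this thread found necessary, as one script. This is an added example, not code from the thread or from the provider. It assumes the terraform binary is on PATH and is run from the root module directory with the backend configured, that the state is version 4 (Terraform 0.12+) or version 3 (0.11), and that the stuck resource is addressed by its resource name (windows_instance here); SAMPLE_STATE_V4 is a constructed state for illustration, not a real one.

```python
import copy
import json
import subprocess
import sys

RESOURCE_TYPE = "aws_instance"

# Constructed sample: the shape of a Terraform >= 0.12 (version 4) state
# after the failing apply in this issue. Not a real state file.
SAMPLE_STATE_V4 = {
    "version": 4,
    "terraform_version": "0.13.5",
    "serial": 1,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "aws_instance",
            "name": "windows_instance",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [
                {
                    "schema_version": 1,
                    "attributes": {
                        "id": "i-027d0bca13295f548",
                        "get_password_data": True,
                        "password_data": "",
                    },
                }
            ],
        }
    ],
}


def patch_state(state, resource_name):
    """Return a deep copy of STATE in which every managed aws_instance named
    RESOURCE_NAME has get_password_data disabled and password_data cleared,
    with the serial incremented so the backend accepts the push.

    Handles the version 4 (Terraform >= 0.12) and version 3 (0.11) layouts.
    """
    new = copy.deepcopy(state)
    version = new.get("version")
    patched = 0

    if version == 4:
        for res in new.get("resources", []):
            if (res.get("mode", "managed") == "managed"
                    and res.get("type") == RESOURCE_TYPE
                    and res.get("name") == resource_name):
                for inst in res.get("instances", []):
                    attrs = inst.setdefault("attributes", {})
                    attrs["get_password_data"] = False  # v4 stores typed JSON values
                    attrs["password_data"] = ""
                    patched += 1
    elif version == 3:
        address = f"{RESOURCE_TYPE}.{resource_name}"
        for module in new.get("modules", []):
            res = module.get("resources", {}).get(address)
            if res is not None:
                attrs = res.setdefault("primary", {}).setdefault("attributes", {})
                attrs["get_password_data"] = "false"  # v3 stores flat string attributes
                attrs["password_data"] = ""
                patched += 1
    else:
        raise ValueError(f"unsupported state version: {version!r}")

    if patched == 0:
        raise LookupError(f"{RESOURCE_TYPE}.{resource_name} not found in state")

    # A push whose serial equals the backend's serial but whose content differs
    # is rejected ("cannot overwrite existing state with serial N ..."), so
    # always move the serial forward.
    new["serial"] = int(new.get("serial", 0)) + 1
    return new


def run(argv=None):
    """Pull, patch and push the real state. backup.tfstate is left untouched
    so the edit can be reverted with `terraform state push -force backup.tfstate`."""
    name = argv[0] if argv else "windows_instance"
    raw = subprocess.run(["terraform", "state", "pull"],
                         check=True, capture_output=True, text=True).stdout
    with open("backup.tfstate", "w") as fh:
        fh.write(raw)
    fixed = patch_state(json.loads(raw), name)
    with open("fixed.tfstate", "w") as fh:
        json.dump(fixed, fh, indent=2)
    subprocess.run(["terraform", "state", "push", "-lock=false", "fixed.tfstate"],
                   check=True)


if __name__ == "__main__":
    run(sys.argv[1:])
```

Run it as `python3 fix_state.py windows_instance`, then set `get_password_data = false` (or drop the argument) in the configuration before the next plan or destroy, otherwise the next refresh re-fetches the blank password and fails again. The state-rm-and-import route mentioned further down the thread reaches the same end state without editing JSON by hand, at the cost of re-importing the instance.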

edalford11 commented 3 years ago

Wanted to list my fix here in case it helps anyone. Though @Ilhicas's solution works around the Terraform bug, the root cause of AWS never reporting a password for the Windows EC2 instance after it was spun up was that I was adding a couple of large files to the AMI during the Packer build process. After I removed that part of the provisioning and built a new AMI, the password was properly being reported.

Gary-Armstrong commented 3 years ago

I suppose that explains how it works when I'm building a new image but after I get it all set up and use the AMI to deploy fully-formed instances, TF is getting stuck.

mskutin commented 2 years ago

It doesn't seem to be a terraform bug, as any instance created manually out of the same AMI also had this problem. I eventually solved this issue with a new AMI image that has the following fix.

nadirsidi commented 2 years ago

For anyone up against this, another thing that worked for me was to manually remove the offending instance from my terraform state with terraform state rm, update the resource config so get_password_data was either not present (false by default) or false, and then import the new resource config with terraform import.

In my case, the offending EC2 was launched from a custom AMI I made to move an instance to a different subnet. Therefore, I already had the password data and didn't need that option.

chrissten commented 2 years ago

Has anybody figured out a resolution if you have an image that has CIS Benchmark or other "hardening" in place which renames the built-in Administrator account?

medichecks-subrata commented 1 year ago

https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973

Worked for me 👍 (Terraform v1.3.7). Also had to update the serial to the next number to avoid the error:

Failed to write state: cannot overwrite existing state with serial 1 with a different state that has the same serial

fr-gaurav commented 1 year ago

For me, the AMI used was a public image and I had used key pairs for the Windows server instance, but the section to decrypt passwords using a key in the AWS console was giving an error. So I searched online and added get_password_data = true to my Terraform configuration, and since then I started getting the issue "Password data is blank" and the terraform command got stuck no matter what I did. https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973 helped me as well. But the issue was that the key pair I used had the encryption type ED25519. I changed it to RSA and redeployed the instances with this new key pair. This worked for me and now I can get my Windows password from the AWS console by decrypting with the key pair used.

abdolnabi commented 1 year ago

> For me, the AMI used was a public image and I had used key pairs for the Windows server instance, but the section to decrypt passwords using a key in the AWS console was giving an error. So I searched online and added get_password_data = true to my Terraform configuration, and since then I started getting the issue "Password data is blank" and the terraform command got stuck no matter what I did. #4417 (comment) helped me as well. But the issue was that the key pair I used had the encryption type ED25519. I changed it to RSA and redeployed the instances with this new key pair. This worked for me and now I can get my Windows password from the AWS console by decrypting with the key pair used.

Yep, it worked. Weird, why shouldn't ED25519 work, and why must we use RSA instead?
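Why the key type matters, as an added example that is not part of the thread or of the provider: EC2 encrypts the generated Administrator password with the launch key pair's RSA public key using PKCS#1 v1.5 and returns it base64-encoded, which is exactly what the console, `aws ec2 get-password-data --priv-launch-key` and Terraform's rsadecrypt() function undo. An Ed25519 public key has no encryption operation, so there is nothing EC2 can return and the attribute stays blank, which is the condition that makes the provider raise "Password data is blank". The code assumes the `cryptography` package; the key pairs and the password are generated locally as a stand-in for aws_key_pair material and for EC2's launch-time behaviour, so it makes no AWS calls.

```python
import base64

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa


def decrypt_password_data(password_data_b64, private_key_pem):
    """Return the Administrator password, or "" when the password data is
    blank (the condition that makes the provider raise the error above).

    Mirrors what rsadecrypt() does: base64-decode, then RSA PKCS#1 v1.5.
    """
    blob = base64.b64decode(password_data_b64.strip())
    if not blob:
        return ""
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    if not isinstance(key, rsa.RSAPrivateKey):
        raise TypeError("EC2 password data needs an RSA private key, got "
                        + type(key).__name__)
    return key.decrypt(blob, padding.PKCS1v15()).decode("utf-8")


def simulate_ec2_password_data(password, public_key_pem):
    """Constructed stand-in for what EC2 does at launch: encrypt the generated
    password to the key pair's public key. An Ed25519 public key has no
    encryption operation, so the result is the blank string this issue is about.
    """
    pub = serialization.load_pem_public_key(public_key_pem)
    if not isinstance(pub, rsa.RSAPublicKey):
        return ""
    encrypted = pub.encrypt(password.encode("utf-8"), padding.PKCS1v15())
    return base64.b64encode(encrypted).decode("ascii")


def make_key_pair(kind):
    """Generate a throwaway key pair ("rsa" or "ed25519") and return
    (private_pem, public_pem) bytes, standing in for aws_key_pair material."""
    if kind == "rsa":
        priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    elif kind == "ed25519":
        priv = ed25519.Ed25519PrivateKey.generate()
    else:
        raise ValueError(kind)
    priv_pem = priv.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


if __name__ == "__main__":
    for kind in ("rsa", "ed25519"):
        priv, pub = make_key_pair(kind)
        data = simulate_ec2_password_data("Constructed-Passw0rd!", pub)
        print(kind, "password_data blank:", data == "")
        if data:
            print(kind, "decrypts to:", decrypt_password_data(data, priv))
```

In a Terraform configuration the same decryption is `rsadecrypt(aws_instance.windows_instance.password_data, file("key.pem"))`, which needs the matching RSA private key on the machine running terraform. The provider only stores the still-encrypted blob in the password_data attribute, so the private key never enters state, but the ciphertext does.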

sabaimran commented 1 year ago

I tried the suggestions mentioned in https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973 and https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-1605326381, but unfortunately I'm still blocked at the persistent error log Password data is blank for instance ID.

I ended up creating the instances using the console UI and importing them using terraform import. Not sure if this is dependent on the AMI.