hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Instances fail to create with iamInstanceProfile.name is invalid when Placement Group is specified #4769

Open jw-maynard opened 6 years ago

jw-maynard commented 6 years ago

Terraform Version

Terraform v0.11.7

Affected Resource(s)

Terraform Configuration Files

provider "aws" {
  profile    = "us-east-2"
  region     = "us-east-2"
}

data "aws_subnet_ids" "subnet_ids"{
  vpc_id = "vpc-883b6fe0"
  tags = {
    environment = "devopssandbox"
    cassandra   = true
  }
}

data "aws_subnet" "subnets" {
  count = "${length(data.aws_subnet_ids.subnet_ids.ids)}"
  id = "${data.aws_subnet_ids.subnet_ids.ids[count.index]}"
}

data "aws_ami" "ami" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-2017.12.0.20180509-x86_64-gp2"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_instance_profile" "profile" {
  name = "${aws_iam_role.role.name}"
  role = "${aws_iam_role.role.name}"
}

resource "aws_iam_role" "role" {
  name               = "test_ec2_role"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
}

resource "aws_iam_role_policy_attachment" "attachment" {
  role       = "${aws_iam_role.role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_placement_group" "test" {
  count    = 1
  name     = "test_pg"
  strategy = "cluster"
}

resource "aws_instance" "test" {
  count                       = 3
  ami                         = "${data.aws_ami.ami.id}"
  placement_group             = "${aws_placement_group.test.id}"
  associate_public_ip_address = true
  iam_instance_profile        = "${aws_iam_instance_profile.profile.name}"
  instance_type               = "m5.large"
  key_name                    = "devopssandbox_us-east-2"
  subnet_id                   = "${data.aws_subnet.subnets.*.id[count.index % length(data.aws_subnet.subnets.*.id)]}"
  vpc_security_group_ids      = ["${list(aws_security_group.sg.id, aws_security_group.sg_intra.id)}"]
  root_block_device {
    volume_size = 8
    volume_type = "gp2"
    iops        = 0
  }
}

resource "aws_ebs_volume" "test_data_volume" {
  count             = 3
  availability_zone = "${aws_instance.test.*.availability_zone[count.index%length(data.aws_subnet.subnets.*.availability_zone)]}"
  size              = 8
  type              = "gp2"
  iops              = 0
}

resource "aws_volume_attachment" "test_data_att" {
  count        = 3
  device_name  = "/dev/sdf"
  volume_id    = "${aws_ebs_volume.test_data_volume.*.id[count.index]}"
  instance_id  = "${aws_instance.test.*.id[count.index]}"
  force_detach = true
}

resource "aws_security_group" "sg" {
  name   = "test-sg"
  vpc_id = "vpc-883b6fe0"
  ingress {
    from_port       = 9042
    to_port         = 9042
    protocol        = "tcp"
    cidr_blocks     = ["10.1.1.1/32"]
    self            = true
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_security_group" "sg_intra" {
  name   = "test-sg-intra"
  vpc_id = "vpc-883b6fe0"
  ingress {
    from_port   = 7000
    to_port     = 7001
    protocol    = "tcp"
    self        = true
  }
  ingress {
    from_port   = 7199
    to_port     = 7199
    protocol    = "tcp"
    self        = true
  }
  lifecycle {
    create_before_destroy = true
  }
}

Debug Output

https://gist.github.com/jw-maynard/1cd12403b132d65cdaaad0286d06670e

Expected Behavior

Terraform should wait for the IAM Instance Profile to be created and then attach it to all instances.

Actual Behavior

Terraform manages to bring up some of the instances but seems to always fail on one. Increasing the instance count seems to increase the number of instances that fail in this way. Error message:

Error: Error applying plan:

1 error(s) occurred:

* aws_instance.test[1]: 1 error(s) occurred:

* aws_instance.test.1: Error launching source instance: InvalidParameterValue: Value (test_ec2_role) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
        status code: 400, request id: a20b0544-685b-48e3-a8bf-f7455ba198d9

Steps to Reproduce

  1. terraform apply

Important Factoids

Interestingly, I've tested the same config but simply changed the aws_instance resources so they do not use a Placement Group, and this problem does not seem to occur.

References

P05TPWND commented 4 years ago

This even occurs when the role is already present, is properly configured and can be added to any EC2 (via console for example), even with the latest aws_provider 2.57.0.

mpearson117 commented 3 years ago

I have been using 1.60.0 for a long time due to stability issues, and all is working fine with EC2 creations. Now I am testing 2.70 and this issue is still there for some reason and builds break.

scott-kausler commented 3 years ago

I also encountered this error when creating an autoscaling group with aws_provider 3.40.0. The autoscaling group was created successfully after retrying.

Error: Error creating AutoScaling Group: ValidationError: You must use a valid fully-formed launch template. Value (scaling-group-profile) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
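A bounded retry keyed to the error text quoted in this thread, as an added example (not code from the provider or from any commenter). It retries only when the message matches the `iamInstanceProfile.name is invalid` pattern and returns every other error at once; `RejectedProfile`, `RetryOnProfileError` and `fakeLaunch` are hypothetical names, and the launch call is a constructed stand-in for the real API request.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Message text shared by both errors quoted in this thread (EC2 and Auto Scaling).
var profileErr = regexp.MustCompile(`Value \(([^)]+)\) for parameter iamInstanceProfile\.name is invalid`)

// sampleErr is constructed from the error text in the issue report.
const sampleErr = "InvalidParameterValue: Value (test_ec2_role) for parameter " +
	"iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name"

// RejectedProfile returns the profile name the API rejected, or "" for any other error.
func RejectedProfile(msg string) string {
	if m := profileErr.FindStringSubmatch(msg); m != nil {
		return m[1]
	}
	return ""
}

// RetryOnProfileError calls launch up to maxAttempts times with doubling backoff,
// retrying only the profile-name error; it returns the attempts used and the last error.
func RetryOnProfileError(maxAttempts int, base time.Duration, launch func() error) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = launch(); err == nil || RejectedProfile(err.Error()) == "" {
			return attempt, err
		}
		if attempt < maxAttempts {
			time.Sleep(base << uint(attempt-1))
		}
	}
	return maxAttempts, fmt.Errorf("instance profile still rejected after %d attempts: %w", maxAttempts, err)
}

// fakeLaunch (hypothetical) stands in for the API call: fails n times, then succeeds.
func fakeLaunch(n int) func() error {
	return func() error {
		if n--; n >= 0 {
			return errors.New(sampleErr)
		}
		return nil
	}
}

func main() {
	fmt.Println(RetryOnProfileError(5, 10*time.Millisecond, fakeLaunch(2)))
}
```

Capping the attempts keeps a genuinely wrong profile name from being retried indefinitely, and the final error still carries the original API message for triage.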

canadiancreed commented 2 years ago

Also experiencing the same issue, with the value not matching the submitted name. This occurs when creating an autoscaling group from the terraform/autoscaling/aws module. Latest version of terraform and aws provider being used. Verified that the name being shown isn't being used anywhere in code.