hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

EntityAlreadyExists: Instance Profile already exists #8041

Closed kenorb closed 7 months ago

kenorb commented 5 years ago

Terraform Version

Terraform version: 0.11.13  
Go runtime version: go1.11.5

Terraform Configuration Files

This is only part of my configuration:

resource "aws_iam_instance_profile" "instance" {
  provider = "aws.auto-scale-group"
  name     = "${var.application}-${var.environment}-${var.purpose}-instance-profile"
  role     = "${aws_iam_role.instance.name}"

  lifecycle {
    create_before_destroy = true # or false
  }
}

Error Output

  + module.project-ecs-cluster.aws_iam_instance_profile.instance
      id:                                        <computed>
      arn:                                       <computed>
      create_date:                               <computed>
      name:                                      "myproject-ecs-cluster-instance-profile"
      path:                                      "/"
      role:                                      "myproject-ecs-cluster-role"
      roles.#:                                   <computed>
      unique_id:                                 <computed>

  + module.project-ecs-cluster.aws_launch_configuration.instance
      id:                                        <computed>
      associate_public_ip_address:               "false"
      ebs_block_device.#:                        <computed>
      ebs_optimized:                             <computed>
      enable_monitoring:                         "true"
      iam_instance_profile:                      "myproject-ecs-cluster-instance-profile"
      image_id:                                  "ami-00921cd1ce43d567a"
      instance_type:                             "t3.medium"
      key_name:                                  "ec2-user-docker-cluster-host"
      name:                                      <computed>
      name_prefix:                               "myproject-ecs-cluster-lc-"
      root_block_device.#:                       "1"
      root_block_device.0.delete_on_termination: "true"
      root_block_device.0.iops:                  <computed>
      root_block_device.0.volume_size:           "8"
      root_block_device.0.volume_type:           <computed>
      security_groups.#:                         "1"
      security_groups.2794183374:                "sg-0d13250a2c3caeaf5"
      user_data:                                 "f128dd1a4d74456830249c3f2a22de9ed7ebdb8b"
Plan: 8 to add, 1 to change, 0 to destroy.

...

1 error(s) occurred:

* module.project-ecs-cluster.aws_iam_instance_profile.instance: 1 error(s) occurred:

2019-03-21T16:36:41.155Z [DEBUG] plugin.terraform-provider-aws_v1.60.0_x4: 2019/03/21 16:36:41 [ERR] plugin: plugin server: accept unix /tmp/plugin186793848: use of closed network connection
* aws_iam_instance_profile.instance: Error creating IAM instance profile myproject-ecs-cluster-instance-profile: EntityAlreadyExists: Instance Profile myproject-ecs-cluster-instance-profile already exists.
    status code: 409, request id: 7db379b7-4bf7-11e9-b286-e78361536fef

Even though myproject-ecs-cluster-instance-profile doesn't exist (verified by aws iam list-instance-profiles) before and after the run.

Expected Behavior

It should work without the error.

Actual Behavior

It errors on EntityAlreadyExists even though the myproject-ecs-cluster-instance-profile instance profile doesn't exist.

Steps to Reproduce

  1. terraform plan
  2. terraform apply

Check the logs in the attachment.


kenorb commented 5 years ago

OK, the profile existed, but in another role.

I've followed the following steps:

  1. Check the failing request in CloudTrail and note the userIdentity/sessionContext/sessionIssuer/arn.
  2. Switch to that role via: aws sts assume-role --role-arn arn:aws:iam::12345:role/DevOps --role-session-name cli.
  3. Confirm the role by aws sts get-caller-identity.
  4. If the role is not switched, export the profile name, e.g. export AWS_PROFILE=DevOps, where your ~/.aws/credentials can look like:
$ cat ~/.aws/credentials
[default]
aws_access_key_id = KEYID
aws_secret_access_key = SECRETKEY

[DevOps]
role_arn = arn:aws:iam::12345:role/DevOps
source_profile = default
region = eu-west-1
  5. Confirm the role again by aws sts get-caller-identity.
  6. List instance profiles by: aws iam list-instance-profiles.
  7. Filter out by: aws iam list-instance-profiles | grep your-profile-name
  8. Delete it: aws iam delete-instance-profile --instance-profile-name your-profile-name.

Then after removal, I've run plan and apply, but the problem repeats.


I've tried to import the role; it imports, but then it has a problem reading it.

module.project-ecs-cluster.aws_iam_instance_profile.instance AIPAI55FATXTPKUXN5XIS
Project environment project
module.project-ecs-cluster.aws_iam_instance_profile.instance: Importing from ID "AIPAI55FATXTPKUXN5XIS"...
module.project-ecs-cluster.aws_iam_instance_profile.instance: Import complete!
  Imported aws_iam_instance_profile (ID: AIPAI55FATXTPKUXN5XIS)
module.project-ecs-cluster.aws_iam_instance_profile.instance: Refreshing state... (ID: AIPAI55FATXTPKUXN5XIS)

Error: module.project-ecs-cluster.aws_iam_instance_profile.instance (import id: AIPAI55FATXTPKUXN5XIS): 1 error(s) occurred:

* import module.project-ecs-cluster.aws_iam_instance_profile.instance result: AIPAI55FATXTPKUXN5XIS: import module.project-ecs-cluster.aws_iam_instance_profile.instance (id: AIPAI55FATXTPKUXN5XIS): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.

Releasing state lock. This may take a few moments...

Debug file: tf-import-instance-profile.log

2019/03/21 21:29:34 [DEBUG] [aws-sdk-go] DEBUG: Response iam/GetInstanceProfile Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 299
Content-Type: text/xml
Date: Thu, 21 Mar 2019 21:29:34 GMT
X-Amzn-Requestid: 6bcfb6f4-4c20-11e9-a9dc-034f8fd4cf2c

kenorb commented 5 years ago

Another example demonstrating this bug:

Point 1: I can't destroy the instance profile, because it doesn't exist:

$ terraform destroy module.project-ecs-cluster.aws_iam_instance_profile.instance 
Project environment project/env
data.aws_iam_policy_document.instance: Refreshing state...
aws_iam_role.instance: Refreshing state... (ID: myproject-ecs-cluster-role)

Destroy complete! Resources: 0 destroyed.
Releasing state lock. This may take a few moments...

Point 2: I can't apply either, as it claims the profile already exists:

$ terraform apply -target module.project-ecs-cluster.aws_iam_instance_profile.instance 
Project environment project/env
Releasing state lock. This may take a few moments...
module.project-ecs-cluster.aws_iam_instance_profile.instance: Creating...
  arn:         "" => "<computed>"
  create_date: "" => "<computed>"
  name:        "" => "myproject-ecs-cluster-instance-profile"
  path:        "" => "/"
  role:        "" => "myproject-ecs-cluster-role"
  roles.#:     "" => "<computed>"
  unique_id:   "" => "<computed>"
Releasing state lock. This may take a few moments...

Error: Error applying plan:

1 error(s) occurred:

* module.project-ecs-cluster.aws_iam_instance_profile.instance: 1 error(s) occurred:

* aws_iam_instance_profile.instance: Error creating IAM instance profile myproject-ecs-cluster-instance-profile: EntityAlreadyExists: Instance Profile myproject-ecs-cluster-instance-profile already exists.
  status code: 409, request id: 689321f1-4c23-11e9-b894-73b7f6be78e7

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

shederman commented 5 years ago

Any ideas? This is now blocking us too.

bbuivn commented 5 years ago

Exact same issue here.

HieronyM commented 5 years ago

I found a good workaround for this problem https://artem.services/?p=1105&lang=en

artis3n commented 4 years ago

Yeah I'm seeing this as well. Is the only workaround really a manual deletion of the terraform-created instance profile?

edit: terraform destroy seems to take care of it if you want to go nuclear

bbuivn commented 4 years ago

> Yeah I'm seeing this as well. Is the only workaround really a manual deletion of the terraform-created instance profile?
>
> edit: terraform destroy seems to take care of it if you want to go nuclear

Yup, ended up deleting manually the instance profile in some cases, can't really destroy all the manifest all the time :(

jonathanleek commented 4 years ago

I'm seeing the same issue, manually deleting the profile in console then terraform apply does not resolve for me.

jonathanleek commented 4 years ago

Discovered that an interrupted terraform destroy had left the offending resource orphaned outside the state file. Killing it from the AWS console was insufficient, but killing it via the command line restored the expected behavior.

Disgruntled commented 4 years ago

Encountered this today with:

$ terraform --version
Terraform v0.12.21

Interestingly I did NOT encounter this problem on terraform cloud free tier I stood up as a greenfield test - may be fixed in a subsequent release?

The only information I could glean from TFC:

Terraform v0.12.25
Initializing plugins and modules...
2020/05/20 01:05:54 [DEBUG] Using modified User-Agent: Terraform/0.12.25 TFC/d33daf519f

vickyshah129 commented 4 years ago

After spending a day, I solved it as below: run the command aws iam list-instance-profiles, then use the command below to delete the profiles you get from the above command: aws iam delete-instance-profile --instance-profile-name {InstanceProfileName-from-above-command}

cognitiaclaeves commented 4 years ago

When trouble-shooting, I found that it could have been handy to use taint:

TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform taint aws_iam_role.ecs_instance_role
TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform apply -target aws_iam_role.ecs_instance_role

.. but in this case, it wasn't enough.

This is how I was able to move forward:

TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform destroy -target aws_iam_role.ecs_instance_role
TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform apply -target aws_iam_role.ecs_instance_role

I noticed that when I ran this, other resources were destroyed:

aws_iam_role_policy_attachment.ec2-policy-role-attachment: Destroying... [id=compeat-ecs-instances-role-20200808181214960100000002]
aws_iam_role_policy_attachment.ecs-policy-role-attachment: Destroying... [id=compeat-ecs-instances-role-20200808181214979000000003]
aws_launch_template.adv2_latest_launch_template: Destroying... [id=lt-0515d8b83a6f7645f]
aws_iam_role_policy_attachment.ec2-policy-role-attachment: Destruction complete after 0s
aws_iam_role_policy_attachment.ecs-policy-role-attachment: Destruction complete after 0s
aws_launch_template.adv2_latest_launch_template: Destruction complete after 0s
aws_iam_role.ecs_instance_role: Destroying... [id=compeat-ecs-instances-role]
aws_iam_role.ecs_instance_role: Destruction complete after 1s

In my case, I did not see the offending role when I listed the profiles.

ricardobranco777 commented 2 years ago

This issue is very annoying. Still present with Terraform 1.1.7.

Rishikeshpal commented 1 year ago

Has there been any progress on the issue? I have been struggling with the same. I tried manually deleting the profile but there is no such profile.

tmpm697 commented 1 year ago

Same with AWS provider 5.0.1; you have to manually delete the instance profile to fix this.

ChenTsungYu commented 11 months ago

Same with terraform version: 1.5.4 and aws provider 5.19.0

YakDriver commented 7 months ago

As maintainers of the Terraform AWS Provider, we’ve reached a decision to close this longstanding issue. We want to assure you that this decision was made after careful consideration, and we’re committed to transparency in our actions.

A few items to note:

  1. An instance profile name must be unique across roles regardless of path. Even though a role can be added to an instance profile, the instance profile cannot be unique only to that role but must be unique to the AWS account. This is simply a feature of how AWS works. I will add additional documentation to clarify this.
  2. See the configuration below that I used to try to reproduce the problem.
resource "aws_launch_configuration" "test" {
  name                 = "tf-acc-test-8675309"
  iam_instance_profile = aws_iam_instance_profile.test.name
  image_id             = data.aws_ami.amzn2-ami-minimal-hvm-ebs-x86_64.id
  instance_type        = "t2.micro"
}

resource "aws_iam_instance_profile" "test" {
  name = "tf-acc-test-8675309"
  role = aws_iam_role.test.name

  tags = {
    Name = "tf-acc-test-8675309"
  }
}

data "aws_ami" "amzn2-ami-minimal-hvm-ebs-x86_64" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn2-ami-minimal-hvm-*"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}

resource "aws_iam_role" "test" {
  name = "tf-acc-test-8675309-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com"
        ]
      },
      "Action": [
        "sts:AssumeRole"
      ]
    }
  ]
}
EOF
}

At this time, I cannot reproduce the issue which may or may not mean it has been fixed in the interim. We lack clarity on how many users are still affected and the precise nature of the remaining issues. Given these uncertainties and our limited resources, it’s difficult for us to effectively address the problem in its current state.

However, we value community feedback immensely. If you’re still encountering issues (such as @tmpm697 and @ChenTsungYu), we encourage you to open a new, focused issue outlining the specific problems you’re facing. We especially need a minimal reproduction configuration. We understand the frustration of having to restart the discussion, but the long history of this particular issue necessitates a fresh approach. A new, well-defined problem statement will greatly increase the likelihood of prompt attention from maintainers or fellow community members.

Ultimately, our goal is to ensure that the Terraform AWS Provider remains a dependable tool for realizing your infrastructure goals. Regrettably, this prolonged issue no longer contributes to that objective. By closing it, we aim to clear the path for more effective problem-solving and a smoother experience for all users. We appreciate your understanding and continued support as we work towards a better future for your provider.
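
Added example (not code from the issue or the provider) that turns kenorb's manual list/grep/delete steps and the maintainer's note on name uniqueness into a check: it searches a `aws iam list-instance-profiles` listing for the name Terraform is about to create, matching across paths and case-insensitively (IAM instance-profile names are unique per account and are not distinguished by case), reports which account and roles the clashing profile belongs to, and prints a reconciliation command. The listing below is a constructed sample and the script name is hypothetical; the import command uses the profile name because that is the provider's import ID for aws_iam_instance_profile, which is why importing the AIPA... unique id above failed.

```python
import json
import sys

# Constructed sample in the shape of `aws iam list-instance-profiles` output.
# Account id, ids and names are made up; the clash hides under another path and
# differs in case, which an exact `grep myproject-...` would miss.
SAMPLE_LISTING = {"InstanceProfiles": [
    {"Path": "/ops/",
     "InstanceProfileName": "MyProject-ECS-Cluster-Instance-Profile",
     "InstanceProfileId": "AIPAEXAMPLE000000001",
     "Arn": "arn:aws:iam::123456789012:instance-profile/ops/MyProject-ECS-Cluster-Instance-Profile",
     "Roles": [{"RoleName": "legacy-ecs-role"}]},
    {"Path": "/",
     "InstanceProfileName": "unrelated-profile",
     "InstanceProfileId": "AIPAEXAMPLE000000002",
     "Arn": "arn:aws:iam::123456789012:instance-profile/unrelated-profile",
     "Roles": []},
]}

def find_clashes(listing, wanted_name):
    """Profiles whose name clashes with wanted_name: any path, case-insensitive."""
    want = wanted_name.lower()
    return [p for p in listing.get("InstanceProfiles", [])
            if p["InstanceProfileName"].lower() == want]

def account_of(arn):
    """Account id field of an ARN; compare it with `aws sts get-caller-identity`
    to spot a profile living in the account/role session Terraform is not using."""
    return arn.split(":")[4]

def remediation(profile, tf_address):
    """Command to reconcile a clashing profile with Terraform state: a profile still
    attached to a role is adopted by import (import ID = name); an orphan is deleted."""
    name = profile["InstanceProfileName"]
    roles = [r["RoleName"] for r in profile.get("Roles", [])]
    if roles:
        return "terraform import %s %s  # roles: %s" % (tf_address, name, ", ".join(roles))
    return "aws iam delete-instance-profile --instance-profile-name %s" % name

if __name__ == "__main__":
    # usage: python3 check_profile.py NAME [listing.json]; without a file the sample is used
    wanted = sys.argv[1] if len(sys.argv) > 1 else "myproject-ecs-cluster-instance-profile"
    listing = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_LISTING
    clashes = find_clashes(listing, wanted)
    print("%d clash(es) for %r" % (len(clashes), wanted))
    for p in clashes:
        print("  %s path=%s account=%s id=%s" % (p["InstanceProfileName"], p["Path"],
                                                 account_of(p["Arn"]), p["InstanceProfileId"]))
        print("  " + remediation(p, "module.project-ecs-cluster.aws_iam_instance_profile.instance"))
```

Pipe a real listing in with `aws iam list-instance-profiles > listing.json` under each role session you use, so a profile created under a different assumed role shows up as well.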

github-actions[bot] commented 7 months ago

Warning: This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 7 months ago

This functionality has been released in v5.43.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 6 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.