rhythmictech / terraform-aws-imagebuilder-pipeline

Terraform module to create an EC2 Image Builder Pipeline
https://registry.terraform.io/modules/rhythmictech/imagebuilder-pipeline/aws
MIT License

[BUG] The value supplied for parameter 'instanceProfileName' is not valid #14

Open Frituurpanda opened 2 years ago

Frituurpanda commented 2 years ago

Describe the bug

The latest module (v0.5.2) throws the following error:

"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist."

There might be a race condition here as I can see the resource on a destroy:

  # aws_iam_instance_profile.this will be destroyed
  - resource "aws_iam_instance_profile" "this" {
      - arn         = "arn:aws:iam::123443211234:instance-profile/test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - create_date = "2021-09-14T08:34:52Z" -> null
      - id          = "test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - name        = "test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - name_prefix = "test-pipe-imagebuilder-instance-profile-" -> null
      - path        = "/" -> null
      - role        = "test-pijp-tg-imagebuilder-role-20210914083448508400000001" -> null
      - tags        = {} -> null
      - tags_all    = {} -> null
      - unique_id   = "AIPA3JAHVOPNQES7DJZNN" -> null
    }

There is probably something that I'm missing here. I can see the resource and as the name is a simple string, you'd suspect it to be valid.

To Reproduce

terraform apply

Full Stacktrace

│ Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [distConfig, infraConfig]. Rollback requested by user." "Resource creation cancelled" "Resource handler returned message: \"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist. Please specify a different instance profile and try again. (Service: Imagebuilder, Status Code: 400, Request ID: 50600df7-a4fd-4eec-8b01-916d0405b38b, Extended Request ID: null)\" (RequestToken: c97e2aa0-68ca-0cb5-cc52-6bb03c098380, HandlerErrorCode: GeneralServiceException)"]

sblack4 commented 2 years ago

Have you double-checked that the instance profile is there? Terraform is pretty convinced that

The provided instance profile does not exist.

Frituurpanda commented 2 years ago

So this module currently creates:

Plan: 5 to add, 0 to change, 0 to destroy.

and we can observe:

  # aws_iam_instance_profile.this will be created
  + resource "aws_iam_instance_profile" "this" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "test-pijp-imagebuilder-instance-profile-"
      + path        = "/"
      + role        = (known after apply)
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

After applying it we can see it failing with the error message above but after running a destroy we can observe that the resource was created:

Plan: 0 to add, 0 to change, 5 to destroy.

  # aws_iam_instance_profile.this will be destroyed
  - resource "aws_iam_instance_profile" "this" {
      - arn         = "***" -> null
      - create_date = "2021-09-14T14:00:10Z" -> null
      - id          = "test-pijp-imagebuilder-instance-profile-20210914140010269300000002" -> null
      - name        = "test-pijp-imagebuilder-instance-profile-20210914140010269300000002" -> null
      - name_prefix = "test-pijp-imagebuilder-instance-profile-" -> null
      - path        = "/" -> null
      - role        = "test-pijp-imagebuilder-role-20210914140008181200000001" -> null
      - tags        = {} -> null
      - tags_all    = {} -> null
      - unique_id   = "AIPA5JAMNOVNVTPKXPF5O" -> null
    }

kddiji commented 2 years ago

Having the same issue. The resource is being created

  # aws_iam_instance_profile.this will be created
  + resource "aws_iam_instance_profile" "this" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = (known after apply)
      + name_prefix = "Tf-pipeline-imagebuilder-instance-profile-"
      + path        = "/"
      + role        = (known after apply)
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

and I can even see it after deployment running aws iam list-instance-profiles


{
    "Path": "/",
    "InstanceProfileName": "Tf-pipeline-imagebuilder-instance-profile-20210917132513598500000002",
    "InstanceProfileId": "AIPAQ6JXJPQVQI3IXZED6",
    "Arn": "arn:aws:iam::0XXXXXXXXXXX:instance-profile/Tf-pipeline-imagebuilder-instance-profile-20210917132513598500000002",
    "CreateDate": "2021-09-17T13:25:13+00:00",
    "Roles": [
        {
            "Path": "/",
            "RoleName": "Tf-pipeline-imagebuilder-role-20210917132512716700000001",
            "RoleId": "AROAQ6JXJPQVWYXSL2RDB",
            "Arn": "arn:aws:iam::0XXXXXXXXXXX:role/Tf-pipeline-imagebuilder-role-20210917132512716700000001",
            "CreateDate": "2021-09-17T13:25:12+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "",
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }
        }
    ]
}

Do we have a fix for it? We would greatly appreciate any help, as we have been stuck for a week.

kddiji commented 2 years ago

@sblack4 I would appreciate it if you could assist with this, as we have been stuck for weeks. Thanks.

sblack4 commented 2 years ago

This sounds like a race condition. I'm not the only one who has found that IAM can take a few minutes to update.

Have you tried just waiting a few minutes and doing another apply?

Frituurpanda commented 2 years ago

We've tested this too; even after up to an hour we can still observe the same stack trace being thrown.

sblack4 commented 2 years ago

This is where the instance profile gets passed to CloudFormation, but the "i" in InstanceProfile is capitalized. I thought this was the line throwing the error, when it tried to create the InfrastructureConfiguration, but I'm not so sure now. Does the error message give more information?

Frituurpanda commented 2 years ago

The full error after applying:

aws_cloudformation_stack.this: Still creating... [1m20s elapsed]
aws_cloudformation_stack.this: Still creating... [1m30s elapsed]
╷
│ Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [distConfig, infraConfig]. Rollback requested by user." "Resource creation cancelled" "Resource handler returned message: \"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist. Please specify a different instance profile and try again. (Service: Imagebuilder, Status Code: 400, Request ID: xxx, Extended Request ID: null)\" (RequestToken: xxx, HandlerErrorCode: GeneralServiceException)"]
│
│   with aws_cloudformation_stack.this,
│   on main.tf line 125, in resource "aws_cloudformation_stack" "this":
│  125: resource "aws_cloudformation_stack" "this" {
│

It currently does not throw a lot more information. Is there anything else you want me to test?
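
A triage helper for the error text and the `aws iam list-instance-profiles` output quoted in this thread, as an added example that is not part of the original issue or the module's code. The sample error and listing are constructed, the function names are hypothetical, and the ARN check assumes `instanceProfileName` expects a bare profile name.

```python
import json
import re

# Constructed sample: the error shape quoted in this thread, with placeholder IDs.
ERROR = r'''failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE):
["The following resource(s) failed to create: [distConfig, infraConfig]." "Resource handler
returned message: \"The value supplied for parameter 'instanceProfileName' is not valid.
(Service: Imagebuilder, Status Code: 400, Request ID: xxx)\""]'''

# Constructed sample of `aws iam list-instance-profiles` output (names are placeholders).
LISTING = json.loads('''{"InstanceProfiles": [{
  "InstanceProfileName": "example-imagebuilder-instance-profile-0001",
  "Roles": [{"AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}]}]}''')

def parse_stack_error(text):
    """Extract failed logical resources, rejected parameter, service and status code."""
    failed = re.search(r"failed to create: \[([^\]]*)\]", text)
    param = re.search(r"parameter '([^']+)' is not valid", text)
    svc = re.search(r"Service: (\w+), Status Code: (\d+)", text)
    return {
        "failed": [r.strip() for r in failed.group(1).split(",")] if failed else [],
        "parameter": param.group(1) if param else None,
        "service": svc.group(1) if svc else None,
        "status": int(svc.group(2)) if svc else None,
    }

def trusts_ec2(role):  # True if the trust policy lets ec2.amazonaws.com assume the role
    for stmt in role.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        principal = stmt.get("Principal")
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        svc = [svc] if isinstance(svc, str) else svc
        if stmt.get("Effect") == "Allow" and "ec2.amazonaws.com" in svc:
            return True
    return False

def check_profile(supplied, listing):  # compare the supplied value with what IAM lists
    findings = []
    if supplied.startswith("arn:"):  # assumption: a bare profile name is expected
        findings.append("value is an ARN, not a bare name")
    by_name = {p["InstanceProfileName"]: p for p in listing.get("InstanceProfiles", [])}
    profile = by_name.get(supplied)
    if profile is None:
        near = [n for n in by_name if n.lower() == supplied.strip().lower()]
        findings.append(f"near match: {near[0]}" if near else "not in listing")
    elif not profile.get("Roles"):
        findings.append("profile has no role attached")
    elif not any(trusts_ec2(r) for r in profile["Roles"]):
        findings.append("attached role does not trust ec2.amazonaws.com")
    return findings
```

An empty list from `check_profile` means the supplied value matches a listed profile exactly and that profile has a role EC2 can assume, so the mismatch has to be sought elsewhere.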