terraform-aws-modules / terraform-aws-autoscaling

Terraform module to create AWS Auto Scaling resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/autoscaling/aws

Instance profile doesn't attach to the instance #254

Closed globart closed 6 months ago

globart commented 6 months ago

I have the necessary parameters set to create instance role and instance profile:

# Fixed (non-prefixed) names for the role and profile the module is asked to create
iam_role_name               = "ssm"
iam_role_use_name_prefix    = false
create_iam_instance_profile = true
iam_instance_profile_name   = "ssm"
# AWS-managed policy that grants the SSM agent its API permissions
iam_role_policies = {
  AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

and these resources are created successfully, but the instance profile isn't automatically attached to the instances in the ASG.

globart commented 6 months ago

@antonbabenko @bryantbiggs could you advise what can be done?

bryantbiggs commented 6 months ago

please provide a reproduction - the examples we provide are showing instance profiles being attached correctly

globart commented 6 months ago

@bryantbiggs here is a complete reproduction:

# Pin the AWS provider to one exact release so the reproduction is deterministic
terraform {
  required_providers {
    aws = {
      version = "5.31.0"
      source  = "hashicorp/aws"
    }
  }
}

# Single-region deployment; credentials come from the ambient AWS environment
provider "aws" {
  region = "eu-west-1"
}

# Shared inputs for the reproduction.
locals {
  # Tags applied to every resource below
  tags = {
    ManagedBy = "Terraform"
  }

  # Network layout: first two AZs of the region (assumes the region offers at least two)
  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 2)

  # Instance settings; the AMI id is region-specific and only valid for eu-west-1
  ami_id        = "ami-06f69317847054bb5"
  instance_type = "t3a.nano"
  keypair_name  = "devops"
}

data "aws_availability_zones" "available" {}

# VPC with one private and one public /24 per AZ; instances land in the private subnets
# and reach AWS APIs (including SSM) through a single shared NAT gateway.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.4.0"

  name = "alb-vpc"
  cidr = local.vpc_cidr
  azs  = local.azs

  # /24 blocks: private = 10.0.0.0/24, 10.0.1.0/24; public = 10.0.4.0/24, 10.0.5.0/24
  private_subnets = [for i, az in local.azs : cidrsubnet(local.vpc_cidr, 8, i)]
  public_subnets  = [for i, az in local.azs : cidrsubnet(local.vpc_cidr, 8, i + 4)]

  enable_nat_gateway = true
  single_nat_gateway = true

  tags = local.tags
}

# Instance security group; no rules are declared inline, they are managed
# separately by the "ec2-sg-rules" module.
resource "aws_security_group" "ec2" {
  vpc_id = module.vpc.vpc_id
  name   = "ec2-sg"
  tags   = local.tags
}

# Rules for the existing instance SG: outbound HTTPS only (enough for the SSM
# agent to reach its endpoints via the NAT gateway); no ingress is declared.
module "ec2-sg-rules" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "5.1.0"

  security_group_id = aws_security_group.ec2.id
  create_sg         = false

  egress_rules       = ["https-443-tcp"]
  egress_cidr_blocks = ["0.0.0.0/0"]
}

# Launch template handed to the ASG module below with create_launch_template = false.
# NOTE(review): there is no iam_instance_profile block here, so the role/profile the
# module creates (create_iam_instance_profile = true) is never attached to launched
# instances — this is the cause of the reported symptom. The profile has to be
# referenced from this template, or the module has to create the template itself.
# NOTE(review): no metadata_options are set either; if the AMI supports it, requiring
# IMDSv2 (metadata_options { http_tokens = "required" }) is the usual hardening here — confirm.
resource "aws_launch_template" "my_app" {
  name          = "my-app"
  image_id      = local.ami_id
  instance_type = local.instance_type
  # SSH key pair; if access is meant to go through SSM Session Manager this is optional
  key_name               = local.keypair_name
  # SG for which only an outbound 443 rule is declared (see module "ec2-sg-rules")
  vpc_security_group_ids = [aws_security_group.ec2.id]
  tags                   = local.tags
}

# Dedicated service-linked role for Auto Scaling (suffix "ssm" makes it distinct
# from the account default).
resource "aws_iam_service_linked_role" "autoscaling" {
  aws_service_name = "autoscaling.amazonaws.com"
  custom_suffix    = "ssm"
  description      = "A service linked role for autoscaling"
  tags             = local.tags

  # Runs a local shell command after creation; presumably a pause for IAM
  # propagation before the ASG references the role — a timing workaround only.
  provisioner "local-exec" {
    command = "sleep 10"
  }
}

# Auto Scaling group built on the externally managed launch template.
# The module creates the IAM role and instance profile requested here, but with
# create_launch_template = false it cannot wire the profile into the template —
# that has to happen on aws_launch_template.my_app.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "7.3.1"

  # Group identity and placement
  name                    = "asg"
  use_name_prefix         = false
  service_linked_role_arn = aws_iam_service_linked_role.autoscaling.arn
  vpc_zone_identifier     = module.vpc.private_subnets
  min_size                = 1
  max_size                = 3

  # Existing launch template. "$Latest" means new instances pick up whatever
  # template version exists at launch time, so an out-of-band template edit
  # reaches instances without a Terraform plan; "$Default" keeps rollouts explicit.
  create_launch_template  = false
  launch_template_id      = aws_launch_template.my_app.id
  launch_template_version = "$Latest"

  # IAM role + instance profile for the instances (SSM core permissions only)
  create_iam_instance_profile = true
  iam_role_name               = "ssm-role"
  iam_role_path               = "/ec2/"
  iam_role_description        = "SSM role example"
  iam_role_tags               = local.tags
  iam_role_policies = {
    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  }

  # Encrypted root volume (default EBS key; no kms_key_id given).
  # 1 GiB is only viable if the AMI's root snapshot is that small — TODO confirm.
  block_device_mappings = [
    {
      device_name = "/dev/xvda"
      no_device   = 0
      ebs = {
        volume_type           = "gp3"
        volume_size           = 1
        encrypted             = true
        delete_on_termination = true
      }
    }
  ]

  # Target-tracking on average CPU
  scaling_policies = {
    avg-cpu-policy-greater-than-80 = {
      estimated_instance_warmup = 300
      policy_type               = "TargetTrackingScaling"
      target_tracking_configuration = {
        target_value = 80.0
        predefined_metric_specification = {
          predefined_metric_type = "ASGAverageCPUUtilization"
        }
      }
    }
  }

  tags = local.tags
}
bryantbiggs commented 6 months ago

You're not passing the instance profile into *your* launch template: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#iam_instance_profile

globart commented 6 months ago

Thanks, I was able to fix role attachment with this config:

# Pin the AWS provider to one exact release so the configuration is reproducible
terraform {
  required_providers {
    aws = {
      version = "5.31.0"
      source  = "hashicorp/aws"
    }
  }
}

# Single-region deployment; credentials come from the ambient AWS environment
provider "aws" {
  region = "eu-west-1"
}

# Shared inputs for the working configuration.
locals {
  # Tags applied to every resource below
  tags = {
    ManagedBy = "Terraform"
  }

  # Network layout: first two AZs of the region (assumes the region offers at least two)
  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 2)

  # Instance settings; the AMI id is region-specific and only valid for eu-west-1
  ami_id        = "ami-06f69317847054bb5"
  instance_type = "t3a.nano"
  keypair_name  = "devops"
}

data "aws_availability_zones" "available" {}

# VPC with one private and one public /24 per AZ; instances land in the private subnets
# and reach AWS APIs (including SSM) through a single shared NAT gateway.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.4.0"

  name = "alb-vpc"
  cidr = local.vpc_cidr
  azs  = local.azs

  # /24 blocks: private = 10.0.0.0/24, 10.0.1.0/24; public = 10.0.4.0/24, 10.0.5.0/24
  private_subnets = [for i, az in local.azs : cidrsubnet(local.vpc_cidr, 8, i)]
  public_subnets  = [for i, az in local.azs : cidrsubnet(local.vpc_cidr, 8, i + 4)]

  enable_nat_gateway = true
  single_nat_gateway = true

  tags = local.tags
}

# Instance security group; no rules are declared inline, they are managed
# separately by the "ec2-sg-rules" module.
resource "aws_security_group" "ec2" {
  vpc_id = module.vpc.vpc_id
  name   = "ec2-sg"
  tags   = local.tags
}

# Rules for the existing instance SG: outbound HTTPS only (enough for the SSM
# agent to reach its endpoints via the NAT gateway); no ingress is declared.
module "ec2-sg-rules" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "5.1.0"

  security_group_id = aws_security_group.ec2.id
  create_sg         = false

  egress_rules       = ["https-443-tcp"]
  egress_cidr_blocks = ["0.0.0.0/0"]
}

# Dedicated service-linked role for Auto Scaling (suffix "ssm" makes it distinct
# from the account default).
resource "aws_iam_service_linked_role" "autoscaling" {
  aws_service_name = "autoscaling.amazonaws.com"
  custom_suffix    = "ssm"
  description      = "A service linked role for autoscaling"
  tags             = local.tags

  # Runs a local shell command after creation; presumably a pause for IAM
  # propagation before the ASG references the role — a timing workaround only.
  provisioner "local-exec" {
    command = "sleep 10"
  }
}

# Auto Scaling group where the module also creates the launch template, so the
# IAM instance profile it creates is attached to the template it manages.
module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "7.3.1"

  # Group identity and placement
  name                    = "asg"
  use_name_prefix         = false
  service_linked_role_arn = aws_iam_service_linked_role.autoscaling.arn
  vpc_zone_identifier     = module.vpc.private_subnets
  min_size                = 1
  max_size                = 3

  # Module-managed launch template; each Terraform change becomes the default
  # version, so rollouts stay under plan/apply control.
  launch_template_name            = "my-app"
  launch_template_use_name_prefix = false
  update_default_version          = true
  image_id                        = local.ami_id
  instance_type                   = local.instance_type
  # SSH key pair; optional if access goes through SSM Session Manager
  key_name = local.keypair_name
  # SG for which only an outbound 443 rule is declared (see module "ec2-sg-rules")
  security_groups = [aws_security_group.ec2.id]
  # NOTE(review): no metadata_options are set; requiring IMDSv2 on the template is
  # the usual hardening if the AMI supports it — confirm against the module inputs.

  # IAM role + instance profile for the instances (SSM core permissions only)
  create_iam_instance_profile = true
  iam_role_name               = "ssm-role"
  iam_role_path               = "/ec2/"
  iam_role_description        = "SSM role example"
  iam_role_tags               = local.tags
  iam_role_policies = {
    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  }

  # Encrypted root volume (default EBS key; no kms_key_id given).
  # 1 GiB is only viable if the AMI's root snapshot is that small — TODO confirm.
  block_device_mappings = [
    {
      device_name = "/dev/xvda"
      no_device   = 0
      ebs = {
        volume_type           = "gp3"
        volume_size           = 1
        encrypted             = true
        delete_on_termination = true
      }
    }
  ]

  # Target-tracking on average CPU
  scaling_policies = {
    avg-cpu-policy-greater-than-80 = {
      estimated_instance_warmup = 300
      policy_type               = "TargetTrackingScaling"
      target_tracking_configuration = {
        target_value = 80.0
        predefined_metric_specification = {
          predefined_metric_type = "ASGAverageCPUUtilization"
        }
      }
    }
  }

  tags = local.tags
}
github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.