Hello guys,
I am having a strange issue where I create a role, instance_profile and an EC2 instance all referencing each other like so: instance -> instance_profile -> role

I have recently upgraded my Terraform code from `0.12.29` all the way up to `1.2.5`. During this upgrade I've upgraded the AWS provider to `4.22.0`.

After the upgrade I started getting the following error during the terraform apply action to create new instances:

```
Error: creating EC2 Instance: InvalidParameterValue: Value (test-my-tenant-server) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name
```

My code originally looked like this:
```hcl
resource "aws_iam_instance_profile" "tenant_server_profile" {
  name = "${var.tenant_name}-tenant-server"
  role = aws_iam_role.tenant_server_role.name
}

resource "aws_iam_role" "tenant_server_role" {
  name               = "${var.tenant_name}-iam-role"
  assume_role_policy = <<EOF
...<redacted>...
EOF
}

resource "aws_instance" "server_instance" {
  ami                    = data.aws_ami.main_ami.id
  ebs_optimized          = "true"
  instance_type          = var.instance_type
  vpc_security_group_ids = <redacted>
  subnet_id              = <redacted>
  count                  = <redacted>
  iam_instance_profile   = aws_iam_instance_profile.tenant_server_profile.name
}
```
I looked at the provider docs; it seems that 1 version above the one I had before, the `name` attribute was removed and we got left with the `id` attribute on the `aws_instance_profile` resource. So I changed my code to look like so:
```hcl
resource "aws_instance" "server_instance" {
  ami                    = data.aws_ami.main_ami.id
  ebs_optimized          = "true"
  instance_type          = var.instance_type
  vpc_security_group_ids = <redacted>
  subnet_id              = <redacted>
  count                  = <redacted>
  iam_instance_profile   = aws_iam_instance_profile.tenant_server_profile.id
}
```
But I still get these errors. Interestingly enough, the errors are presented on the first run, but if I try to run the tf apply again it works!

Also, this doesn't happen all the time but sporadically, sometimes. (This code is part of a module used multiple times in multiple regions and accounts, and it happens in multiple regions and environments.)

I looked into the API reference of the EC2 RunInstance API and I see that they state that you should pass the ARN to the call, but the provider reference of the aws_instance resource states to pass it the simple name.

I've tried to change my code to pass the ARN but it fails again on an invalid value, at least consistently, so I know the ARN is not the answer here.

Any advice will be much appreciated here,
thanks
regards