I'm a beginner with Terraform and am trying to create a simple IAM role using Terraform.
terraform init : successful
terraform plan : successful
terraform apply : asks for yes; however, when I apply “yes”, the creation of the IAM user role goes into a loop without completing for hours, and it has never completed.
What could be the reason? I can create EC2 and do other stuff; the only issue is with creating the IAM user role.
Please note, I can manually create an IAM role in AWS using my credentials, but not using Terraform.
Can you share your Terraform configuration and the log (showing the exact resource that’s taking forever to create) so someone can provide more assistance?
I'm able to deploy the same from a laptop exposed to full internet access. My doubt is: how do I check if it's getting stuck somewhere, and maybe the firewall of my office is not allowing it,
because I can deploy other services from the same infra, which has limited internet access, but I am not able to create even a simple IAM role.
Logs below:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
Terraform will perform the following actions:
  # aws_iam_role.example_role will be created
  + resource "aws_iam_role" "example_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "example-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }
Plan: 1 to add, 0 to change, 0 to destroy.
aws_iam_role.example_role: Creating...
aws_iam_role.example_role: Still creating... [10s elapsed]
aws_iam_role.example_role: Still creating... [20s elapsed]
aws_iam_role.example_role: Still creating... [30s elapsed]
aws_iam_role.example_role: Still creating... [40s elapsed]
aws_iam_role.example_role: Still creating... [50s elapsed]
aws_iam_role.example_role: Still creating... [1m0s elapsed]
aws_iam_role.example_role: Still creating... [1m10s elapsed]
aws_iam_role.example_role: Still creating... [1m20s elapsed]
aws_iam_role.example_role: Still creating... [1m30s elapsed]
If you suspect it’s a network connectivity issue, you can always try to call an AWS API directly and see if it returns a response. The provider interacts with AWS using the AWS Go SDK which is ultimately calling the AWS APIs in all cases. Even running AWS CLI would do if you have it installed on the system.
For example, you can probably run curl https://ec2.amazonaws.com/?Action=DescribeVpcs and see if it returns a response even if it’s an error response for missing parameters. More info to call it properly can be found in the API Reference. I think you can also add a region to the URL, e.g. https://ec2.us-east-1.amazonaws.com.
Otherwise you can consider setting the TF_LOG env var to DEBUG or TRACE, and TF_LOG_PATH to a local file for the log file (e.g., ./tf_debug.log). The log might give you a bit more information on where it is hanging. It should have info on the provider settings in case it’s a credentials issue.
Lastly, sometimes if you kill the terraform process, it might still give you an error message indicating what the problem is. I am not sure if network connectivity falls under this category, but something like a bad state of a stateful resource might cause an unnecessarily long wait before it fails.
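The curl check suggested above, scripted as an added example that is not part of the original thread: it probes the EC2 endpoint alongside the IAM and STS global endpoints (iam.amazonaws.com and sts.amazonaws.com), which are separate hosts from the regional EC2 ones, so a restrictive firewall can pass one and drop the other. The endpoint list, the us-east-1 region, the RUN_PROBES switch and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify one curl probe of an AWS API endpoint.
# $1 = curl exit code, $2 = HTTP status reported by curl (000 if none).
classify_probe() {
    case "$1" in
        0)
            case "$2" in
                000) echo "no-http-response" ;;
                *)   echo "reachable" ;;    # even a 4xx error proves the network path works
            esac ;;
        5|6)   echo "dns-failure" ;;        # proxy or host name did not resolve
        7)     echo "connection-refused-or-blocked" ;;
        28)    echo "timeout" ;;            # silently dropped packets end up here
        35|60) echo "tls-failure" ;;        # often a TLS-inspecting proxy or missing CA
        *)     echo "other-curl-error-$1" ;;
    esac
}

# Probe one URL with a hard time limit so a blocked endpoint cannot hang
# the way the stuck "Still creating..." apply does.
probe() {
    rc=0
    http=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1") || rc=$?
    printf '%-58s %s (curl=%s http=%s)\n' \
        "$1" "$(classify_probe "$rc" "$http")" "$rc" "$http"
}

# Assumed endpoint list: the regional EC2 endpoint mentioned in the thread,
# plus the global IAM and STS endpoints used when creating a role.
probe_all() {
    for url in \
        "https://ec2.us-east-1.amazonaws.com/?Action=DescribeVpcs" \
        "https://iam.amazonaws.com/" \
        "https://sts.amazonaws.com/"
    do
        probe "$url"
    done
}

# Run the probes only when asked: RUN_PROBES=1 sh check_aws_endpoints.sh
if [ "${RUN_PROBES:-0}" = "1" ]; then
    probe_all
fi
```

If EC2 shows `reachable` while IAM shows `timeout` or `tls-failure`, the office firewall or proxy is the likely cause; the TF_LOG trace should then stall at the request to the same host.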