Missing Instance profile ARN(s) when creating role

Jef Statham

Oct 30, 2015, 11:05:57 AM
to Terraform
Trying to create a role for an ECS instance, but I cannot attach the roles to the instance because the roles are missing Instance profile ARN(s).

This is my terraform for creating the roles and launch config.

resource "aws_iam_role" "proxy" {
    name = "ecs-instance-role"
    assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "proxy" {
    name = "proxy"
    roles = ["${aws_iam_role.proxy.name}"]
    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

resource "aws_launch_configuration" "proxy" {
  name = "${aws_ecs_cluster.proxy.name}-lc"
  image_id = "${var.amazon_ecs_ami_id}"
  instance_type = "t2.small"
  iam_instance_profile = "${aws_iam_role.proxy.id}"
  key_name = "${var.target_env}"
  security_groups = ["${aws_security_group.proxy.id}"]
  depends_on = ["aws_iam_policy_attachment.proxy"]
  user_data = "#!/bin/bash\necho ECS_CLUSTER=${aws_ecs_cluster.proxy.name} > /etc/ecs/ecs.config"
}

Error applying plan:

1 error(s) occurred:

* aws_launch_configuration.es_proxy: Error creating launch configuration: ValidationError: Invalid IamInstanceProfile: ecs-instance-role
        status code: 400, request id: fcf58413-7f14-11e5-9973-cbbc2a46d390


Looking at the difference between creating an EC2 role in the console and creating it with the Terraform script, there is no Instance profile ARN(s), which means I cannot attach it to a launch config (it doesn't even show the role in the drop-down list).




Jef Statham

Oct 30, 2015, 11:42:31 AM
to Terraform
Found the missing piece: need to add the instance profile ARN separately.

resource "aws_iam_instance_profile" "proxy" {
    name = "proxy"
    roles = ["${aws_iam_role.proxy.name}"]
}

Camilo Santana

Jun 6, 2017, 3:49:11 PM
to Terraform
I ran into the same problem. This helped. Thank you.

Here's my snippet, if it helps anyone else.

/*
create BaseIAMRole for instances deployed by spinnaker
*/
resource "aws_iam_role" "BaseIAMRole" {
  name               = "BaseIAMRole"
  path               = "/devops/deployment/spinnaker/"
  description        = "instances deployed with Spinnaker will assume this role"
  assume_role_policy = "${data.aws_iam_policy_document.policy_instance_assumerole.json}"
}

data "aws_iam_policy_document" "policy_instance_assumerole" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_instance_profile" "BaseIAMRole" {
  name = "BaseIAMRole"
  role = "${aws_iam_role.BaseIAMRole.name}"
}
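
An added example, not part of the original posts or of Terraform itself: a small static check over Terraform source that flags the wiring problem from this thread, where `iam_instance_profile` points at an `aws_iam_role` instead of an `aws_iam_instance_profile`, or at a profile that is never declared. The sample configuration and the function names are constructed for illustration, and the matching is regex-based rather than a full HCL parser.

```python
import re
# Constructed Terraform source: the thread's failing wiring plus two variants.
SAMPLE_TF = '''
resource "aws_iam_role" "proxy" {
  name = "ecs-instance-role"
}
resource "aws_iam_instance_profile" "proxy" {
  name  = "proxy"
  roles = ["${aws_iam_role.proxy.name}"]
}
resource "aws_launch_configuration" "broken" {
  iam_instance_profile = "${aws_iam_role.proxy.id}"
}
resource "aws_launch_configuration" "fixed" {
  iam_instance_profile = "${aws_iam_instance_profile.proxy.name}"
}
resource "aws_launch_configuration" "dangling" {
  iam_instance_profile = "${aws_iam_instance_profile.missing.name}"
}
'''

RESOURCE = re.compile(r'resource\s+"(\w+)"\s+"([\w-]+)"\s*\{')
PROFILE_ATTR = re.compile(r'^\s*iam_instance_profile\s*=\s*(.+)$', re.M)
REF = re.compile(r'\b(aws_\w+)\.([\w-]+)\.\w+')

def split_resources(tf):
    """Return (type, name, body) per resource; a body runs to the next resource header."""
    heads = list(RESOURCE.finditer(tf))
    ends = [h.start() for h in heads[1:]] + [len(tf)]
    return [(h.group(1), h.group(2), tf[h.end():e]) for h, e in zip(heads, ends)]

def check_instance_profiles(tf):
    """Flag iam_instance_profile values that do not resolve to a declared instance profile."""
    blocks = split_resources(tf)
    declared = {name for rtype, name, _ in blocks if rtype == "aws_iam_instance_profile"}
    findings = []
    for rtype, name, body in blocks:
        for attr in PROFILE_ATTR.finditer(body):
            ref = REF.search(attr.group(1))
            if ref is None:
                continue  # literal or variable: not resolvable from source alone
            if ref.group(1) != "aws_iam_instance_profile":
                findings.append((f"{rtype}.{name}", f"points at {ref.group(1)}, not an instance profile"))
            elif ref.group(2) not in declared:
                findings.append((f"{rtype}.{name}", f"instance profile {ref.group(2)!r} is not declared"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{r}: {p}" for r, p in check_instance_profiles(SAMPLE_TF)))
```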
 