Don't require a role for aws_iam_instance_profile #10525

Merged
merged 1 commit into from
Nov 19, 2019

daveadams
Contributor

The IAM API does not require a role be attached to instance profiles,
and there are use cases (eg Vault EC2 authentication) where a bare
instance profile may be all that is required.

This PR:

  • Removes the requirement for role or roles attributes to exist and
    to be set to some value before creating an aws_iam_instance_profile
    resource.

  • Adjusts the acceptance tests to explicitly test and allow an instance
    profile with no specified role to be created.

  • Removes the notice that either role or roles is required from the
    website documentation for the aws_iam_instance_profile resource.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #10522

Release note for CHANGELOG:

Removes requirement to specify a role when creating an instance profile to match the API.

Output from acceptance testing:

```
$ make testacc TESTARGS='-run=TestAccAWSIAMInstanceProfile_withoutRole'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -count 1 -parallel 20 -run=TestAccAWSIAMInstanceProfile_withoutRole -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestAccAWSIAMInstanceProfile_withoutRole
=== PAUSE TestAccAWSIAMInstanceProfile_withoutRole
=== CONT  TestAccAWSIAMInstanceProfile_withoutRole
--- PASS: TestAccAWSIAMInstanceProfile_withoutRole (18.86s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	18.894s
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap	0.056s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags	0.004s [no tests to run]
```

fixes #10522

The IAM API does not require a role be attached to instance profiles,
and there are use cases (eg Vault EC2 authentication) where a bare
instance profile may be all that is required.

This PR:

* Removes the requirement for `role` or `roles` attributes to exist and
  to be set to some value before creating an `aws_iam_instance_profile`
  resource.

* Adjusts the acceptance tests to explicitly test and allow an instance
  profile with no specified role to be created.

* Removes the notice that either `role` or `roles` is required from the
  website documentation for the `aws_iam_instance_profile` resource.
@daveadams daveadams requested a review from a team October 16, 2019 19:34
@ghost ghost added size/XS Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. service/iam Issues and PRs that pertain to the iam service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Oct 16, 2019
@aeschright aeschright self-assigned this Oct 24, 2019
@aeschright
Contributor

Hi @daveadams! I'm reading through the docs and trying to understand the use case better. It seems like the AWS expectation is that the roles attribute can be initially empty, with the role added and assigned later. Is that also how it appears to you? I'm wondering if allowing this to be empty is going to cause other unexpected behaviors.

@daveadams
Contributor Author

Hey Audrey, yes, the AWS documentation does assume you will add a role to the instance profiles. But I haven't run into any issues with EC2 when it's left out. If there's no role attached, then there are no IAM credentials available from the instance via the EC2 metadata service, but in my case, I'm only interested in having an instance-profile so that I can authenticate to Vault.
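
The use case described in the comment above, as an added Terraform example that is not part of the PR or the provider's own code: a role-less instance profile used purely as an identity that a Vault `ec2`-type role is bound to. The resource names, the `ami_id` variable, the `client-read` policy name and the default `aws` auth mount are assumptions; the `>= 2.39.0` constraint is the provider release this change shipped in.

```hcl
# Added example: every name and value below is illustrative, not from the PR.
terraform {
  required_providers {
    aws   = { source = "hashicorp/aws", version = ">= 2.39.0" }
    vault = { source = "hashicorp/vault" }
  }
}

variable "ami_id" {
  type        = string
  description = "AMI for the client instance (placeholder, supply your own)"
}

# Bare instance profile: no `role` argument. Per the discussion above, an
# instance launched with it gets no IAM credentials from the metadata service.
resource "aws_iam_instance_profile" "vault_client" {
  name = "vault-client-identity"
}

resource "aws_instance" "client" {
  ami                  = var.ami_id
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.vault_client.name
}

# Vault side: enable the AWS auth method and bind an ec2-type role to the
# profile ARN, so only instances carrying this profile can log in to the role.
resource "vault_auth_backend" "aws" {
  type = "aws"
}

resource "vault_aws_auth_backend_role" "client" {
  backend                         = vault_auth_backend.aws.path
  role                            = "client"
  auth_type                       = "ec2"
  bound_iam_instance_profile_arns = [aws_iam_instance_profile.vault_client.arn]
  token_policies                  = ["client-read"]
}
```

Here the profile grants nothing in AWS; the access the instance ends up with is whatever the Vault policies attached to the role allow, so those policies are where least privilege has to be reviewed.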

@aeschright aeschright added this to the v2.39.0 milestone Nov 19, 2019
Contributor

@aeschright aeschright left a comment

Ok, let's do it!

--- PASS: TestAccAWSIAMInstanceProfile_withoutRole (14.74s)

@aeschright aeschright merged commit c078445 into hashicorp:master Nov 19, 2019
aeschright added a commit that referenced this pull request Nov 19, 2019
@ghost

ghost commented Nov 21, 2019

This has been released in version 2.39.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020
@daveadams daveadams deleted the b-instance-profile-without-role branch January 22, 2021 20:45
Successfully merging this pull request may close these issues.

aws_iam_instance_profile incorrectly requires a role to be specified