Terraform-provider-aws: EntityAlreadyExists: Instance Profile already exists

Created on 21 Mar 2019 · 12Comments · Source: hashicorp/terraform-provider-aws

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform version: 0.11.13  
Go runtime version: go1.11.5

Affected Resource(s)

aws_v1.60.0_x4

Terraform Configuration Files

This is only part of my configuration:

resource "aws_iam_instance_profile" "instance" {
  provider = "aws.auto-scale-group"
  name     = "${var.application}-${var.environment}-${var.purpose}-instance-profile"
  role     = "${aws_iam_role.instance.name}"

  lifecycle {
    create_before_destroy = true # or false
  }
}

Error Output

  + module.project-ecs-cluster.aws_iam_instance_profile.instance
      id:                                        <computed>
      arn:                                       <computed>
      create_date:                               <computed>
      name:                                      "myproject-ecs-cluster-instance-profile"
      path:                                      "/"
      role:                                      "myproject-ecs-cluster-role"
      roles.#:                                   <computed>
      unique_id:                                 <computed>

  + module.project-ecs-cluster.aws_launch_configuration.instance
      id:                                        <computed>
      associate_public_ip_address:               "false"
      ebs_block_device.#:                        <computed>
      ebs_optimized:                             <computed>
      enable_monitoring:                         "true"
      iam_instance_profile:                      "myproject-ecs-cluster-instance-profile"
      image_id:                                  "ami-00921cd1ce43d567a"
      instance_type:                             "t3.medium"
      key_name:                                  "ec2-user-docker-cluster-host"
      name:                                      <computed>
      name_prefix:                               "myproject-ecs-cluster-lc-"
      root_block_device.#:                       "1"
      root_block_device.0.delete_on_termination: "true"
      root_block_device.0.iops:                  <computed>
      root_block_device.0.volume_size:           "8"
      root_block_device.0.volume_type:           <computed>
      security_groups.#:                         "1"
      security_groups.2794183374:                "sg-0d13250a2c3caeaf5"
      user_data:                                 "f128dd1a4d74456830249c3f2a22de9ed7ebdb8b"
Plan: 8 to add, 1 to change, 0 to destroy.

...

1 error(s) occurred:

* module.project-ecs-cluster.aws_iam_instance_profile.instance: 1 error(s) occurred:

2019-03-21T16:36:41.155Z [DEBUG] plugin.terraform-provider-aws_v1.60.0_x4: 2019/03/21 16:36:41 [ERR] plugin: plugin server: accept unix /tmp/plugin186793848: use of closed network connection
* aws_iam_instance_profile.instance: Error creating IAM instance profile myproject-ecs-cluster-instance-profile: EntityAlreadyExists: Instance Profile myproject-ecs-cluster-instance-profile already exists.
    status code: 409, request id: 7db379b7-4bf7-11e9-b286-e78361536fef

Despite myproject-ecs-cluster-instance-profile doesn't exist (verified by aws iam list-instance-profiles), before and after the run.

Expected Behavior

It should work without the error.

Actual Behavior

It errors on EntityAlreadyExists despite myproject-ecs-cluster-instance-profile instance doesn't exist.

Steps to Reproduce

terraform plan
terraform apply

Check the logs in the attachment.

References

Logs

bug serviciam

Source

kenorb

👍32

Most helpful comment

Exact same issue here.

bbuivn on 19 Sep 2019

👍4

All 12 comments

Ok, the profile existed, but in another role.

I've followed the following steps:

Check the failing request in _CloudTrail_ and note the userIdentity/sessionIssuer/sessionIssuer/arn.
Switch to that role via: aws sts assume-role --role-arn arn:aws:iam::12345:role/DevOps --role-session-name cli.
Confirm the role by aws sts get-caller-identity.
If role not switched, export profile name, e.g. export AWS_PROFILE=DevOps, where your ~/.aws/credentials can look like:

$ cat ~/.aws/credentials 
[default]
aws_access_key_id = KEYID
aws_secret_access_key = SECRETKEY

[DevOps]
role_arn = arn:aws:iam::12345:role/DevOps
source_profile = default
region = eu-west-1

Confirm the role again by aws sts get-caller-identity.
List instance profiles by: aws iam list-instance-profiles.
Filter out by: aws iam list-instance-profiles | grep your-profile-name
Delete it: aws iam delete-instance-profile --instance-profile-name your-profile-name.

Then after removal, I've run plan and apply, but the problem repeats.

I've tried to import role, it imports, but then it has problem reading it.

module.project-ecs-cluster.aws_iam_instance_profile.instance AIPAI55FATXTPKUXN5XIS
Project environment project
module.project-ecs-cluster.aws_iam_instance_profile.instance: Importing from ID "AIPAI55FATXTPKUXN5XIS"...
module.project-ecs-cluster.aws_iam_instance_profile.instance: Import complete!
  Imported aws_iam_instance_profile (ID: AIPAI55FATXTPKUXN5XIS)
module.project-ecs-cluster.aws_iam_instance_profile.instance: Refreshing state... (ID: AIPAI55FATXTPKUXN5XIS)

Error: module.project-ecs-cluster.aws_iam_instance_profile.instance (import id: AIPAI55FATXTPKUXN5XIS): 1 error(s) occurred:

* import module.project-ecs-cluster.aws_iam_instance_profile.instance result: AIPAI55FATXTPKUXN5XIS: import module.project-ecs-cluster.aws_iam_instance_profile.instance (id: AIPAI55FATXTPKUXN5XIS): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.


Releasing state lock. This may take a few moments...

Debug file: tf-import-instance-profile.log

2019/03/21 21:29:34 [DEBUG] [aws-sdk-go] DEBUG: Response iam/GetInstanceProfile Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 299
Content-Type: text/xml
Date: Thu, 21 Mar 2019 21:29:34 GMT
X-Amzn-Requestid: 6bcfb6f4-4c20-11e9-a9dc-034f8fd4cf2c

kenorb on 21 Mar 2019

👍1

Another example demonstrating this bug:

Point 1: I can't destroy the instance profile, because it doesn't exist:

$ terraform destroy module.project-ecs-cluster.aws_iam_instance_profile.instance 
Project environment project/env
data.aws_iam_policy_document.instance: Refreshing state...
aws_iam_role.instance: Refreshing state... (ID: myproject-ecs-cluster-role)

Destroy complete! Resources: 0 destroyed.
Releasing state lock. This may take a few moments...

Point 2: I can't apply either, as it claims the profile already exist:

$ terraform apply -target module.project-ecs-cluster.aws_iam_instance_profile.instance 
Project environment project/env
Releasing state lock. This may take a few moments...
module.project-ecs-cluster.aws_iam_instance_profile.instance: Creating...
  arn:         "" => "<computed>"
  create_date: "" => "<computed>"
  name:        "" => "myproject-ecs-cluster-instance-profile"
  path:        "" => "/"
  role:        "" => "myproject-ecs-cluster-role"
  roles.#:     "" => "<computed>"
  unique_id:   "" => "<computed>"
Releasing state lock. This may take a few moments...

Error: Error applying plan:

1 error(s) occurred:

* module.project-ecs-cluster.aws_iam_instance_profile.instance: 1 error(s) occurred:

* aws_iam_instance_profile.instance: Error creating IAM instance profile myproject-ecs-cluster-instance-profile: EntityAlreadyExists: Instance Profile myproject-ecs-cluster-instance-profile already exists.
  status code: 409, request id: 689321f1-4c23-11e9-b894-73b7f6be78e7

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

kenorb on 21 Mar 2019

Any ideas? This is now blocking us too.

shederman on 17 Jul 2019

Exact same issue here.

bbuivn on 19 Sep 2019

👍4

I found a good workaround for this problem
https://artem.services/?p=1105&lang=en

HieronyM on 7 Oct 2019

👎8

Yeah I'm seeing this as well. Is the only workaround really a manual deletion of the terraform-created instance profile?

edit: terraform destroy seems to take care of it if you want to go nuclear

artis3n on 17 Dec 2019

Yeah I'm seeing this as well. Is the only workaround really a manual deletion of the terraform-created instance profile?

edit: terraform destroy seems to take care of it if you want to go nuclear

Yup, ended up deleting manually the instance profile in some cases, can't really destroy all the manifest all the time :(

bbuivn on 24 Dec 2019

I'm seeing the same issue, manually deleting the profile in console then terraform apply does not resolve for me.

jonathanleek on 2 Mar 2020

Discovered that an interrupted terraform destroy had left the offending resource orphaned outside the statefile. Killing it from the AWS console was insufficient, but killing it via commandline restored expected behavior

jonathanleek on 5 Mar 2020

Encountered this today with:

terraform --version
Terraform v0.12.21

provider.aws v2.56.0

Interestingly I did NOT encounter this problem on terraform cloud free tier I stood up as a greenfield test - may be fixed in a subsequent release?

The only information I could glean from TFC:

Terraform v0.12.25
Initializing plugins and modules...
2020/05/20 01:05:54 [DEBUG] Using modified User-Agent: Terraform/0.12.25 TFC/d33daf519f

Disgruntled on 20 May 2020

After spending a day. i solved it as below:
run command
aws iam list-instance-profiles
then, use below command to delete profiles which you get from above command:
aws iam delete-instance-profile --instance-profile-name {InstanceProfileName-from-above-command}

vickyshah129 on 9 Jun 2020

👍2

When trouble-shooting, I found that it could have been handy to use taint:

TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform taint aws_iam_role.ecs_instance_role
TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform apply -target aws_iam_role.ecs_instance_role

.. but in this case, it wasn't enough.

This is how I was able to move forward:

TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform destroy -target aws_iam_role.ecs_instance_role
TF_VAR_environment=dr AWS_DEFAULT_REGION=us-east-1 terraform apply -target aws_iam_role.ecs_instance_role

I noticed that when I ran this, other resources were destroyed:

aws_iam_role_policy_attachment.ec2-policy-role-attachment: Destroying... [id=compeat-ecs-instances-role-20200808181214960100000002]
aws_iam_role_policy_attachment.ecs-policy-role-attachment: Destroying... [id=compeat-ecs-instances-role-20200808181214979000000003]
aws_launch_template.adv2_latest_launch_template: Destroying... [id=lt-0515d8b83a6f7645f]
aws_iam_role_policy_attachment.ec2-policy-role-attachment: Destruction complete after 0s
aws_iam_role_policy_attachment.ecs-policy-role-attachment: Destruction complete after 0s
aws_launch_template.adv2_latest_launch_template: Destruction complete after 0s
aws_iam_role.ecs_instance_role: Destroying... [id=compeat-ecs-instances-role]
aws_iam_role.ecs_instance_role: Destruction complete after 1s

In my case, I did not see the offending role when I listed the profiles.