rhythmictech / terraform-aws-imagebuilder-pipeline Goto Github PK

Describe the bug
The latest module (v0.5.2) throws the following error:

"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist.

The might be a race condition here as I can see the resource on a destroy:

  # aws_iam_instance_profile.this will be destroyed
  - resource "aws_iam_instance_profile" "this" {
      - arn         = "arn:aws:iam::123443211234:instance-profile/test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - create_date = "2021-09-14T08:34:52Z" -> null
      - id          = "test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - name        = "test-pipe-imagebuilder-instance-profile-20210914083450236900000002" -> null
      - name_prefix = "test-pipe-imagebuilder-instance-profile-" -> null
      - path        = "/" -> null
      - role        = "test-pijp-tg-imagebuilder-role-20210914083448508400000001" -> null
      - tags        = {} -> null
      - tags_all    = {} -> null
      - unique_id   = "AIPA3JAHVOPNQES7DJZNN" -> null
    }

There is probably something that I'm missing here. I can see the resource and as the name is a simple string, you'd suspect it to be valid.

To Reproduce
terraform apply

Full Stacktrace

│ Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [distConfig, infraConfig]. Rollback requested by user." "Resource creation cancelled" "Resource handler returned message: \"The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist. Please specify a different instance profile and try again. (Service: Imagebuilder, Status Code: 400, Request ID: 50600df7-a4fd-4eec-8b01-916d0405b38b, Extended Request ID: null)\" (RequestToken: c97e2aa0-68ca-0cb5-cc52-6bb03c098380, HandlerErrorCode: GeneralServiceException)"]

Is your feature request related to a problem? Please describe.
If you don't specify a log_prefix for the S3 logging bucket, each time the pipeline runs AWS generates a new prefix based on the pipeline name and SSM Execution hash, and the end result is that your logs go into unpredictably names prefixes that aren't easy to sort by date, and are maybe impossible to identify unless you get an error message from the pipeline explaining where the logs were sent.

Describe the solution you'd like
I don't know, maybe just override an empty log_prefix with the pipeline name? Anything is better than the default behavior I think.

Describe alternatives you've considered
I mean, we're technically taking away functionality by forcing a prefix, in case there's anyone out there who wants to do things the bad way? We could leave it as is and rely on making logs more easy to access another way (cloudwatch? I don't know)

Additional context
you told me to make this issue in slack! so i did.

I configured TF modules for (components and recipe) and pointed this module to the recipe module and it worked perfectly. Thanks for this project it's awesome. The question I have. Is it possible to automate the steps between component → recipe → imagebuilder-pipeline so I can just run it once instead of running the imagebuilder-pipeline module?

Describe the bug
I got the following error from the embedded cloudformation stack: "The value supplied for parameter 'instanceProfileName' is not valid. The provided instance profile does not exist. Please specify a different instance profile and try again".

The stack name is the same as the name I assigned to the module. I checked the role created from Terraform and found the role is there. Then I used the aws cli command to check if the instance profile has been created. From the output I can see the instance profile has been created. Please see below for verification:

I see the principle for this role is ""Service": "ec2.amazonaws.com"", it looks like the cloudformation service is not listed in the principle, this may cause the cloudformation cannot find this role or instance profile. (correct me if i am wrong)

{
           "Path": "/",
           "InstanceProfileName": "jason-pipeline-imagebuilder-instance-profile-20220922071727921200000002",
           "InstanceProfileId": "AIPAWF2ABWU5GN24MBMYM",
           "Arn": "arn:aws:iam::xxxxxxxxxxx:instance-profile/jason-pipeline-imagebuilder-instance-profile-20220922071727921200000002",
           "CreateDate": "2022-09-22T07:17:27+00:00",
           "Roles": [
               {
                   "Path": "/",
                   "RoleName": "jason-pipeline-imagebuilder-role-20220922071727266500000001",
                   "RoleId": "AROAWF2ABWU5FOMOKJO32",
                   "Arn": "arn:aws:iam::xxxxxxxx:role/jason-pipeline-imagebuilder-role-20220922071727266500000001",
                   "CreateDate": "2022-09-22T07:17:27+00:00",
                   "AssumeRolePolicyDocument": {
                       "Version": "2012-10-17",
                       "Statement": [
                           {
                               "Sid": "",
                               "Effect": "Allow",


                               "Principal": {
                                   "Service": "ec2.amazonaws.com"
                               },


                               "Action": "sts:AssumeRole"
                           }
                       ]
                   }
               }
           ]
       },

To Reproduce
Steps to reproduce the behavior:
Easy to reproduce by using the code below:

module "imagebuilder-pipeline" {
  source  = "rhythmictech/imagebuilder-pipeline/aws"
  version = "0.5.2"

  # insert the 2 required variables here
  description = "Jason Testing pipeline"
  name        = "jason-pipeline"
 # tags        = local.tags
   tags = {
    created_on = "09212022"
  }
  recipe_arn  = module.test_recipe.recipe_arn
  public      = false

}

Expected behavior
all the stack finishes successfully and the image build pipeline created successfully.

Screenshots
see attachment

Desktop (please complete the following information):
using Terraform newest version

Describe the bug
Trying to apply a log_bucket var to the configuration. Turns out, this variable is required. I set this up, but alas:

Error: Invalid count argument

  on .terraform/modules/al2_base_image_pipeline/main.tf line 22, in data "aws_iam_policy_document" "log_write":
  22:   count = var.log_bucket != null ? 1 : 0

The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.

To Reproduce
Steps to reproduce the behavior:

1. Create a logging bucket with the configuration
2. Supply the logging bucket name to var.log_bucket
3. Terraform plan produces the above error.

Expected behavior
It should apply the logging bucket to the configuration.

Desktop (please complete the following information):

• OS: macOS 13.2/Terraform 1.3.7
• Browser Arc
• Version 2.0.1