aws_iam_instance_profile resource can't be deleted without refresh #1777
Comments
Hi @mmdriley
generally speaking I would expect Do you mind explaining why do you do that?
@radeksimko I can speak to that some from my own experience, though I can't speak for @mmdriley, of course. :-) Terraform with (This is also the only Terraform AWS resource that I have found where it's impossible to delete it while setting
Thanks @handlerbot. Our use case is similar -- we have a process that owns and serializes all changes to our environment, so it seemed sane to disable
I understand the need to use it occasionally, but I'd discourage anyone from disabling refresh for routine operations. Working with an up-to-date state is quite essential for Terraform. Most, if not all I hope the reasoning makes sense. That said #2983 is fairly innocent and will be partially removed (or reworked) in the next major version (2.0.0) of the provider along with the removal of the deprecated field (
This has been released in terraform-provider-aws version 1.7.1. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
If an `aws_iam_instance_profile` resource is created with `role` set (vs. `roles`, which is deprecated) then the resulting resource is written to the state file with only `role` populated.

An IAM instance profile cannot be deleted as long as there is a role attached.

If an attempt is made to delete the instance profile resource without an intervening refresh, the provider will read the (empty) `roles` property, detach no roles, then try to delete the resource. The delete will fail.

Most users won't see this because `apply` and `plan` refresh first, and the code for Get always sets `roles`.

I think the solution here is for `instanceProfileRemoveAllRoles` to consider the value of `role` as well as `roles`, without going so far as to try to detach the same role twice.
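The fix proposed in the issue above, sketched as an added example that is not the provider's code: merge `role` and `roles` from state before detaching, and skip duplicates. The names `fakeIAM`, `rolesToDetach` and `deleteWithoutRefresh`, the role name `app-role`, and the in-memory stand-in for the IAM API are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeIAM is a constructed in-memory stand-in for the IAM API: it refuses to
// delete an instance profile while any role is still attached.
type fakeIAM struct {
	attached    map[string]bool
	detachCalls int
}

func (f *fakeIAM) detach(role string) {
	f.detachCalls++
	delete(f.attached, role)
}

func (f *fakeIAM) deleteProfile() error {
	if len(f.attached) > 0 {
		return errors.New("constructed error: role still attached")
	}
	return nil
}

// rolesToDetach merges the singular `role` value and the deprecated `roles`
// set as read from state, dropping empty values and duplicates so that no
// role is detached twice.
func rolesToDetach(role string, roles []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range append([]string{role}, roles...) {
		if r != "" && !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// deleteWithoutRefresh models a delete that relies only on what is in state.
func deleteWithoutRefresh(api *fakeIAM, role string, roles []string) error {
	for _, r := range rolesToDetach(role, roles) {
		api.detach(r)
	}
	return api.deleteProfile()
}

func main() {
	api := &fakeIAM{attached: map[string]bool{"app-role": true}}
	// State holds only `role`, as described in the issue; `roles` is empty.
	fmt.Println(deleteWithoutRefresh(api, "app-role", nil))
}
```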