terraform-provider-aws: EntityAlreadyExists: Instance Profile already exists

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform version: 0.11.13  
Go runtime version: go1.11.5

Affected Resource(s)

  • aws_v1.60.0_x4

Terraform Configuration Files

This is only part of my configuration:

resource "aws_iam_instance_profile" "instance" {
  provider = "aws.auto-scale-group"
  name     = "${var.application}-${var.environment}-${var.purpose}-instance-profile"
  role     = "${aws_iam_role.instance.name}"

  lifecycle {
    create_before_destroy = true # or false
  }
}

Error Output

  + module.project-ecs-cluster.aws_iam_instance_profile.instance
      id:                                        <computed>
      arn:                                       <computed>
      create_date:                               <computed>
      name:                                      "myproject-ecs-cluster-instance-profile"
      path:                                      "/"
      role:                                      "myproject-ecs-cluster-role"
      roles.#:                                   <computed>
      unique_id:                                 <computed>

  + module.project-ecs-cluster.aws_launch_configuration.instance
      id:                                        <computed>
      associate_public_ip_address:               "false"
      ebs_block_device.#:                        <computed>
      ebs_optimized:                             <computed>
      enable_monitoring:                         "true"
      iam_instance_profile:                      "myproject-ecs-cluster-instance-profile"
      image_id:                                  "ami-00921cd1ce43d567a"
      instance_type:                             "t3.medium"
      key_name:                                  "ec2-user-docker-cluster-host"
      name:                                      <computed>
      name_prefix:                               "myproject-ecs-cluster-lc-"
      root_block_device.#:                       "1"
      root_block_device.0.delete_on_termination: "true"
      root_block_device.0.iops:                  <computed>
      root_block_device.0.volume_size:           "8"
      root_block_device.0.volume_type:           <computed>
      security_groups.#:                         "1"
      security_groups.2794183374:                "sg-0d13250a2c3caeaf5"
      user_data:                                 "f128dd1a4d74456830249c3f2a22de9ed7ebdb8b"
Plan: 8 to add, 1 to change, 0 to destroy.

...

1 error(s) occurred:

* module.project-ecs-cluster.aws_iam_instance_profile.instance: 1 error(s) occurred:

2019-03-21T16:36:41.155Z [DEBUG] plugin.terraform-provider-aws_v1.60.0_x4: 2019/03/21 16:36:41 [ERR] plugin: plugin server: accept unix /tmp/plugin186793848: use of closed network connection
* aws_iam_instance_profile.instance: Error creating IAM instance profile myproject-ecs-cluster-instance-profile: EntityAlreadyExists: Instance Profile myproject-ecs-cluster-instance-profile already exists.
	status code: 409, request id: 7db379b7-4bf7-11e9-b286-e78361536fef

Despite myproject-ecs-cluster-instance-profile doesn’t exist (verified by aws iam list-instance-profiles), before and after the run.

Expected Behavior

It should work without the error.

Actual Behavior

It errors on EntityAlreadyExists despite myproject-ecs-cluster-instance-profile instance doesn’t exist.

Steps to Reproduce

  1. terraform plan
  2. terraform apply

Check the logs in the attachment.

References

Logs

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Reactions: 44
  • Comments: 16 (1 by maintainers)

Most upvoted comments

After spending a day. i solved it as below: run command aws iam list-instance-profiles then, use below command to delete profiles which you get from above command: aws iam delete-instance-profile --instance-profile-name {InstanceProfileName-from-above-command}

+25
vickyshah129 on Jun 9, 2020

I found a good workaround for this problem https://artem.services/?p=1105&lang=en

+14
HieronyM on Oct 7, 2019

Exact same issue here.

+6
bbuivn on Sep 19, 2019

Ok, the profile existed, but in another role.

I’ve followed the following steps:

  1. Check the failing request in CloudTrail and note the userIdentity/sessionIssuer/sessionIssuer/arn.
  2. Switch to that role via: aws sts assume-role --role-arn arn:aws:iam::12345:role/DevOps --role-session-name cli.
  3. Confirm the role by aws sts get-caller-identity.
  4. If role not switched, export profile name, e.g. export AWS_PROFILE=DevOps, where your ~/.aws/credentials can look like:
$ cat ~/.aws/credentials 
[default]
aws_access_key_id = KEYID
aws_secret_access_key = SECRETKEY

[DevOps]
role_arn = arn:aws:iam::12345:role/DevOps
source_profile = default
region = eu-west-1
  1. Confirm the role again by aws sts get-caller-identity.
  2. List instance profiles by: aws iam list-instance-profiles.
  3. Filter out by: aws iam list-instance-profiles | grep your-profile-name
  4. Delete it: aws iam delete-instance-profile --instance-profile-name your-profile-name.

Then after removal, I’ve run plan and apply, but the problem repeats.

I’ve tried to import role, it imports, but then it has problem reading it.

module.project-ecs-cluster.aws_iam_instance_profile.instance AIPAI55FATXTPKUXN5XIS
Project environment project
module.project-ecs-cluster.aws_iam_instance_profile.instance: Importing from ID "AIPAI55FATXTPKUXN5XIS"...
module.project-ecs-cluster.aws_iam_instance_profile.instance: Import complete!
  Imported aws_iam_instance_profile (ID: AIPAI55FATXTPKUXN5XIS)
module.project-ecs-cluster.aws_iam_instance_profile.instance: Refreshing state... (ID: AIPAI55FATXTPKUXN5XIS)

Error: module.project-ecs-cluster.aws_iam_instance_profile.instance (import id: AIPAI55FATXTPKUXN5XIS): 1 error(s) occurred:

* import module.project-ecs-cluster.aws_iam_instance_profile.instance result: AIPAI55FATXTPKUXN5XIS: import module.project-ecs-cluster.aws_iam_instance_profile.instance (id: AIPAI55FATXTPKUXN5XIS): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.


Releasing state lock. This may take a few moments...

Debug file: tf-import-instance-profile.log

2019/03/21 21:29:34 [DEBUG] [aws-sdk-go] DEBUG: Response iam/GetInstanceProfile Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 299
Content-Type: text/xml
Date: Thu, 21 Mar 2019 21:29:34 GMT
X-Amzn-Requestid: 6bcfb6f4-4c20-11e9-a9dc-034f8fd4cf2c
+6
kenorb on Mar 21, 2019

Has there been any progress on the issue? I have been struggling with the same. I tried manually deleting the profile but there is no such profile.

+2
Rishikeshpal on Feb 15, 2023

This issue is very annoying. Still with terraform 1.1.7

+2
ricardobranco777 on May 3, 2022

Yeah I’m seeing this as well. Is the only workaround really a manual deletion of the terraform-created instance profile?

edit: terraform destroy seems to take care of it if you want to go nuclear

Yup, ended up deleting manually the instance profile in some cases, can’t really destroy all the manifest all the time 😦

+1
bbuivn on Dec 24, 2019

Another example demonstrating this bug:

Point 1: I can’t destroy the instance profile, because it doesn’t exist:

$ terraform destroy module.project-ecs-cluster.aws_iam_instance_profile.instance 
Project environment project/env
data.aws_iam_policy_document.instance: Refreshing state...
aws_iam_role.instance: Refreshing state... (ID: myproject-ecs-cluster-role)

Destroy complete! Resources: 0 destroyed.
Releasing state lock. This may take a few moments...

Point 2: I can’t apply either, as it claims the profile already exist:

$ terraform apply -target module.project-ecs-cluster.aws_iam_instance_profile.instance 
Project environment project/env
Releasing state lock. This may take a few moments...
module.project-ecs-cluster.aws_iam_instance_profile.instance: Creating...
  arn:         "" => "<computed>"
  create_date: "" => "<computed>"
  name:        "" => "myproject-ecs-cluster-instance-profile"
  path:        "" => "/"
  role:        "" => "myproject-ecs-cluster-role"
  roles.#:     "" => "<computed>"
  unique_id:   "" => "<computed>"
Releasing state lock. This may take a few moments...

Error: Error applying plan:

1 error(s) occurred:

* module.project-ecs-cluster.aws_iam_instance_profile.instance: 1 error(s) occurred:

* aws_iam_instance_profile.instance: Error creating IAM instance profile myproject-ecs-cluster-instance-profile: EntityAlreadyExists: Instance Profile myproject-ecs-cluster-instance-profile already exists.
  status code: 409, request id: 689321f1-4c23-11e9-b894-73b7f6be78e7

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
+1
kenorb on Mar 21, 2019
Read more comments on GitHub
← terraform-provider-aws: Encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified
terraform-provider-aws: error associating RAM Resource Share →