terraform-provider-aws: plan fails with "Password data is blank for instance ID" if password_data is blank

I’ve encountered a situation where I seem to be “stuck” and can’t do any terraform plans due to the ec2/GetPasswordData failing. I initially had get_password_data of a Windows EC2 Instance set to true. The current AMI does not support getting the password, but even if I change get_password_data to false, terraform plan will fail with the following error:

aws_instance.windows_instance: aws_instance.windows_instance: Password data is blank for instance ID: i-027d0bca13295f548

Is there any way to move forward from this situation? I can’t seem to destroy the instances either, due to terraform plan failing.

Terraform Version

Terraform version: v0.11.7

Affected Resource(s)

  • aws_instance

Terraform Configuration Files

resource "aws_instance" "windows_instance" {
  ami = "${data.aws_ami.windows_full.id}" // original
  # ami = "ami-99328be6" // change to this before second apply
  instance_type = "t2.nano"
  key_name = "${var.key_pair_name}"
  tags = {
    "Name" = "windows-test"
  }
  vpc_security_group_ids = ["${aws_security_group.windows_security.id}"]
  subnet_id = "${var.public_subnet_id}"
  get_password_data = true
}

See full setup

Debug Output

https://gist.github.com/droberts84/acbc94ab8cfd925dd468a9c29215b216#file-tf_logs-txt

Expected Behavior

terraform plan or terraform apply is successful with a blank password_data attribute

Alternatively it would be acceptable if the error went away by specifying get_password_data = false

Actual Behavior

terraform plan or terraform apply fail with error:

aws_instance.windows_instance: aws_instance.windows_instance: Password data is blank for instance ID: i-027d0bca13295f548

Steps to Reproduce

  1. terraform apply
  2. Create an AMI of the machine
  3. Change aws_instance.windows_instance.ami to newly created AMI
  4. terraform apply.
  5. Apply is carried out, but terraform ends with error
  6. terraform plan seems to fail no matter what you do after this

About this issue

  • State: open
  • Created 6 years ago
  • Reactions: 11
  • Comments: 19

Most upvoted comments

I found that this works: Edit the terraform.tfstate file to change the “get_password_data” attribute to “false” on that instance. Then run the terraform plan again. It should proceed without error.

Running into the same issue.

For me, the AMI used was a public image and I had used key pairs for the Windows server instance, but the section to decrypt passwords using a key on the AWS console was giving an error. So I searched online and added get_password_data = true to my terraform configuration. Since then I started getting the issue Password data is blank, and the terraform command got stuck no matter what I did. https://github.com/hashicorp/terraform-provider-aws/issues/4417#issuecomment-732274973 helped me as well. But the issue was that the key pair I used had the encryption type ED25519. I changed it to RSA and redeployed the instances with this new key pair. This worked for me, and now I can get my Windows password from the AWS console by decrypting with the key pair used.

I have a similar issue and I am receiving this error at the end of the creation phase with terraform: Password data is blank for instance ID.

Worth mentioning that I had an output key-value for receiving the password at the end.

Getting the same issue here: terraform state became poisoned, unable to plan, apply, destroy, locking state… Using remote state, the only solution was:

terraform state pull > backup.tfstate

Edit as mentioned by @laustintime

"get_password_data": false,

terraform state push -lock=false backup.tfstate

My goal was to destroy resources after the first creation failure, so I can focus on the reason why it fails in the first place, so by now, I synced the tf files with the edited plan and:

terraform destroy -lock=false

Using the following versions:


Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.16.0
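
The state edit described in the comments above (setting get_password_data to false in a pulled copy of the state), scripted so it is not done by hand; this is an added example, not code from the thread or from the provider. It assumes the usual state layouts: version 3 (Terraform 0.11, attributes stored as strings) and version 4 (0.12 and later); the function names and the sample state are made up for illustration.

```python
import copy
import json
import sys


def instance_attrs(state):
    """Yield (address, attributes) for every managed aws_instance in the state."""
    if state.get("version") == 4:  # Terraform 0.12+: resources[].instances[]
        for res in state.get("resources", []):
            if res.get("mode") == "managed" and res.get("type") == "aws_instance":
                addr = ".".join(filter(None, [res.get("module"), res["type"], res["name"]]))
                for inst in res.get("instances", []):
                    yield addr, inst.get("attributes", {})
    else:  # Terraform 0.11 and earlier: modules[].resources{}.primary
        for mod in state.get("modules", []):
            for addr, res in mod.get("resources", {}).items():
                if res.get("type") == "aws_instance":
                    yield addr, res.get("primary", {}).get("attributes", {})


def disable_password_data(state, only=None):
    """Return (edited copy, changed addresses); the input state is not modified."""
    edited = copy.deepcopy(state)
    changed = []
    for addr, attrs in instance_attrs(edited):
        if only and addr != only:
            continue
        current = attrs.get("get_password_data")
        if current in (True, "true"):
            # v3 stores every attribute as a string, v4 keeps the JSON boolean
            attrs["get_password_data"] = "false" if isinstance(current, str) else False
            changed.append(addr)
    if changed:
        # bump the serial so the edited copy is newer than the one it was pulled from
        edited["serial"] = edited.get("serial", 0) + 1
    return edited, changed


if __name__ == "__main__":
    # With no argument, run on a constructed v3 sample (all values are made up).
    sample = {"version": 3, "serial": 7, "modules": [{"path": ["root"], "resources": {
        "aws_instance.windows_instance": {"type": "aws_instance", "primary": {
            "attributes": {"get_password_data": "true", "password_data": ""}}}}}]}
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sample = json.load(fh)
    edited, changed = disable_password_data(sample)
    json.dump(edited, sys.stdout, indent=2)
    print("\nchanged:", changed, file=sys.stderr)
```

Run it on the file written by terraform state pull, keep the unedited pull as a backup, and push the edited output with the terraform state push command from the comment above.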

Having the same issue

It doesn’t seem to be a terraform bug, as any instance created manually out of the same AMI also had this problem. I eventually solved this issue with a new AMI image that has the following fix.

Wanted to list my fix here in case it helps anyone. Though @Ilhicas's solution works around the terraform bug, the root cause of AWS never reporting a password for the Windows EC2 instance after it was spun up was that I was adding a couple of large files to the AMI during the packer build process. After I removed that part of the provisioning and built a new AMI, the password was properly being reported.

That's not really a solution if you need the Windows password, though.