Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

resource/aws_iam_instance_profile: Remove deprecated roles argument #14303

Merged
merged 1 commit into from
Jul 24, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions aws/resource_aws_appautoscaling_target_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -566,8 +566,8 @@ EOT
}
resource "aws_iam_instance_profile" "emr_profile" {
name = "emr_profile_%d"
roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
name = "emr_profile_%d"
role = aws_iam_role.iam_emr_profile_role.name
}
resource "aws_iam_role_policy_attachment" "profile-attach" {
Expand Down
4 changes: 2 additions & 2 deletions aws/resource_aws_autoscaling_group_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3677,8 +3677,8 @@ resource "aws_iam_role" "test" {
}
resource "aws_iam_instance_profile" "test" {
name = %q
roles = ["${aws_iam_role.test.name}"]
name = %q
role = aws_iam_role.test.name
}
resource "aws_launch_template" "test" {
Expand Down
4 changes: 2 additions & 2 deletions aws/resource_aws_elastic_beanstalk_environment_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -927,8 +927,8 @@ resource "aws_elastic_beanstalk_environment" "test" {
func testAccBeanstalkWorkerEnvConfig(rName string) string {
return testAccBeanstalkEnvConfigBase(rName) + fmt.Sprintf(`
resource "aws_iam_instance_profile" "test" {
name = %[1]q
roles = [aws_iam_role.test.name]
name = %[1]q
role = aws_iam_role.test.name
}
resource "aws_iam_role" "test" {
Expand Down
67 changes: 5 additions & 62 deletions aws/resource_aws_iam_instance_profile.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,21 +70,9 @@ func resourceAwsIamInstanceProfile() *schema.Resource {
ForceNew: true,
},

"roles": {
Type: schema.TypeSet,
Optional: true,
Computed: true,
ConflictsWith: []string{"role"},
Elem: &schema.Schema{Type: schema.TypeString},
Set: schema.HashString,
Deprecated: "Use `role` instead. Only a single role can be passed to an IAM Instance Profile",
},

"role": {
Type: schema.TypeString,
Optional: true,
Computed: true,
ConflictsWith: []string{"roles"},
Type: schema.TypeString,
Optional: true,
},
},
}
Expand Down Expand Up @@ -173,50 +161,14 @@ func instanceProfileRemoveRole(iamconn *iam.IAM, profileName, roleName string) e
return err
}

func instanceProfileSetRoles(d *schema.ResourceData, iamconn *iam.IAM) error {
oldInterface, newInterface := d.GetChange("roles")
oldRoles := oldInterface.(*schema.Set)
newRoles := newInterface.(*schema.Set)

currentRoles := schema.CopySet(oldRoles)

for _, role := range oldRoles.Difference(newRoles).List() {
err := instanceProfileRemoveRole(iamconn, d.Id(), role.(string))
if err != nil {
return fmt.Errorf("Error removing role %s from IAM instance profile %s: %s", role, d.Id(), err)
}
currentRoles.Remove(role)
d.Set("roles", currentRoles)
}

for _, role := range newRoles.Difference(oldRoles).List() {
err := instanceProfileAddRole(iamconn, d.Id(), role.(string))
if err != nil {
return fmt.Errorf("Error adding role %s to IAM instance profile %s: %s", role, d.Id(), err)
}
currentRoles.Add(role)
d.Set("roles", currentRoles)
}

return nil
}

func instanceProfileRemoveAllRoles(d *schema.ResourceData, iamconn *iam.IAM) error {
role, hasRole := d.GetOk("role")
roles, hasRoles := d.GetOk("roles")
if hasRole && !hasRoles { // "roles" will always be a superset of "role", if set
if role, ok := d.GetOk("role"); ok {
err := instanceProfileRemoveRole(iamconn, d.Id(), role.(string))
if err != nil {
return fmt.Errorf("Error removing role %s from IAM instance profile %s: %s", role, d.Id(), err)
}
} else {
for _, role := range roles.(*schema.Set).List() {
err := instanceProfileRemoveRole(iamconn, d.Id(), role.(string))
if err != nil {
return fmt.Errorf("Error removing role %s from IAM instance profile %s: %s", role, d.Id(), err)
}
}
}

return nil
}

Expand All @@ -241,10 +193,6 @@ func resourceAwsIamInstanceProfileUpdate(d *schema.ResourceData, meta interface{
}
}

if d.HasChange("roles") {
return instanceProfileSetRoles(d, iamconn)
}

return nil
}

Expand Down Expand Up @@ -306,10 +254,5 @@ func instanceProfileReadResult(d *schema.ResourceData, result *iam.InstanceProfi
d.Set("role", result.Roles[0].RoleName) //there will only be 1 role returned
}

roles := &schema.Set{F: schema.HashString}
for _, role := range result.Roles {
roles.Add(*role.RoleName)
}
err := d.Set("roles", roles)
return err
return nil
}
46 changes: 3 additions & 43 deletions aws/resource_aws_iam_instance_profile_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,32 +37,6 @@ func TestAccAWSIAMInstanceProfile_basic(t *testing.T) {
})
}

func TestAccAWSIAMInstanceProfile_withRoleNotRoles(t *testing.T) {
var conf iam.GetInstanceProfileOutput
resourceName := "aws_iam_instance_profile.test"

rName := acctest.RandString(5)
resource.ParallelTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckAWSInstanceProfileDestroy,
Steps: []resource.TestStep{
{
Config: testAccAWSInstanceProfileWithRoleSpecified(rName),
Check: resource.ComposeTestCheckFunc(
testAccCheckAWSInstanceProfileExists(resourceName, &conf),
),
},
{
ResourceName: resourceName,
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"name_prefix"},
},
},
})
}

func TestAccAWSIAMInstanceProfile_withoutRole(t *testing.T) {
var conf iam.GetInstanceProfileOutput
resourceName := "aws_iam_instance_profile.test"
Expand Down Expand Up @@ -195,8 +169,8 @@ resource "aws_iam_role" "test" {
}
resource "aws_iam_instance_profile" "test" {
name = "test"
roles = ["${aws_iam_role.test.name}"]
name = "test-%[1]s"
role = aws_iam_role.test.name
}
`, rName)
}
Expand All @@ -218,21 +192,7 @@ resource "aws_iam_role" "test" {
resource "aws_iam_instance_profile" "test" {
name_prefix = "test-"
roles = ["${aws_iam_role.test.name}"]
}
`, rName)
}

func testAccAWSInstanceProfileWithRoleSpecified(rName string) string {
return fmt.Sprintf(`
resource "aws_iam_role" "test" {
name = "test-%s"
assume_role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
resource "aws_iam_instance_profile" "test" {
name_prefix = "test-"
role = "${aws_iam_role.test.name}"
role = aws_iam_role.test.name
}
`, rName)
}
12 changes: 6 additions & 6 deletions aws/resource_aws_iam_role_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -745,9 +745,9 @@ EOF
}
resource "aws_iam_instance_profile" "role_update_test" {
name = "role_update_test_%s"
path = "/test/"
roles = ["${aws_iam_role.test.name}"]
name = "role_update_test_%s"
path = "/test/"
role = aws_iam_role.test.name
}
`, rName, rName, rName)
}
Expand Down Expand Up @@ -799,9 +799,9 @@ EOF
}
resource "aws_iam_instance_profile" "role_update_test" {
name = "role_update_test_%s"
path = "/test/"
roles = ["${aws_iam_role.test.name}"]
name = "role_update_test_%s"
path = "/test/"
role = aws_iam_role.test.name
}
`, rName, rName, rName)
}
Expand Down
4 changes: 2 additions & 2 deletions aws/resource_aws_instance_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4134,8 +4134,8 @@ resource "aws_iam_role" "test" {
}
resource "aws_iam_instance_profile" "test" {
name = %[1]q
roles = ["${aws_iam_role.test.name}"]
name = %[1]q
role = aws_iam_role.test.name
}
resource "aws_instance" "test" {
Expand Down
4 changes: 2 additions & 2 deletions aws/resource_aws_launch_configuration_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -888,8 +888,8 @@ EOF
}
resource "aws_iam_instance_profile" "profile" {
name = "tf-acc-test-%[1]d"
roles = ["${aws_iam_role.role.name}"]
name = "tf-acc-test-%[1]d"
role = aws_iam_role.role.name
}
resource "aws_launch_configuration" "test" {
Expand Down
27 changes: 27 additions & 0 deletions website/docs/guides/version-3-upgrade.html.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ Upgrade topics:
- [Resource: aws_elastic_transcoder_preset](#resource-aws_elastic_transcoder_preset)
- [Resource: aws_emr_cluster](#resource-aws_emr_cluster)
- [Resource: aws_iam_access_key](#resource-aws_iam_access_key)
- [Resource: aws_iam_instance_profile](#resource-aws_iam_instance_profile)
- [Resource: aws_instance](#resource-aws_instance)
- [Resource: aws_lambda_alias](#resource-aws_lambda_alias)
- [Resource: aws_launch_template](#resource-aws_launch_template)
Expand Down Expand Up @@ -769,6 +770,32 @@ resource "aws_emr_cluster" "example" {

In many regions today and in all regions after October 1, 2020, the [SES API will only accept version 4 signatures](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html). If referencing the `ses_smtp_password` attribute, switch your Terraform configuration to the `ses_smtp_password_v4` attribute instead. Please note that this signature is based on the region of the Terraform AWS Provider. If you need the SES v4 password in multiple regions, it may require using [multiple provider instances](/docs/configuration/providers.html#alias-multiple-provider-instances).

## Resource: aws_iam_instance_profile

### roles Argument Removal

Switch your Terraform configuration to the `role` argument instead.

For example, given this previous configuration:

```hcl
resource "aws_iam_instance_profile" "example" {
# ... other configuration ...

roles = [aws_iam_role.example.id]
}
```

An updated configuration:

```hcl
resource "aws_iam_instance_profile" "example" {
# ... other configuration ...

role = aws_iam_role.example.id
}
```

## Resource: aws_instance

### ebs_block_device.iops and root_block_device.iops Argument Apply-Time Validations
Expand Down
4 changes: 2 additions & 2 deletions website/docs/r/emr_cluster.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -642,8 +642,8 @@ EOF
}
resource "aws_iam_instance_profile" "emr_profile" {
name = "emr_profile"
roles = ["${aws_iam_role.iam_emr_profile_role.name}"]
name = "emr_profile"
role = aws_iam_role.iam_emr_profile_role.name
}
resource "aws_iam_role_policy" "iam_emr_profile_policy" {
Expand Down
4 changes: 0 additions & 4 deletions website/docs/r/iam_instance_profile.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -47,9 +47,6 @@ The following arguments are supported:
* `name` - (Optional, Forces new resource) The profile's name. If omitted, Terraform will assign a random, unique name.
* `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
* `path` - (Optional, default "/") Path in which to create the profile.
* `roles` - (**Deprecated**)
A list of role names to include in the profile. The current default is 1. If you see an error message similar to `Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1`, then you must contact AWS support and ask for a limit increase.
WARNING: This is deprecated since [version 0.9.3 (April 12, 2017)](https://github.com/hashicorp/terraform/blob/master/CHANGELOG.md#093-april-12-2017), as >= 2 roles are not possible. See [issue #11575](https://github.com/hashicorp/terraform/issues/11575).
* `role` - (Optional) The role name to include in the profile.

## Attribute Reference
Expand All @@ -60,7 +57,6 @@ A list of role names to include in the profile. The current default is 1. If y
* `name` - The instance profile's name.
* `path` - The path of the instance profile in IAM.
* `role` - The role assigned to the instance profile.
* `roles` - The list of roles assigned to the instance profile. (**Deprecated**)
* `unique_id` - The [unique ID][1] assigned by AWS.

[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html#GUIDs
Expand Down