aws_apprunner_service instance_configuration.instance_role_arn is required #20145

Closed
evantbyrne opened this issue Jul 12, 2021 · 4 comments · Fixed by #21842
Labels
documentation Introduces or discusses updates to documentation. service/apprunner Issues and PRs that pertain to the apprunner service.

@evantbyrne
Contributor

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.2
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.49.0

Affected Resource(s)

  • aws_apprunner_service

Terraform Configuration Files

resource "aws_apprunner_auto_scaling_configuration_version" "scratch" {
  auto_scaling_configuration_name = "scratch"
  min_size = 1
  max_size = 1
}

resource "aws_apprunner_service" "scratch" {
  auto_scaling_configuration_arn = aws_apprunner_auto_scaling_configuration_version.scratch.arn

  instance_configuration {
    cpu = 1024
    memory = 2048
  }

  service_name = "scratch"

  source_configuration {
    authentication_configuration {
      access_role_arn = "arn:aws:iam::[REDACTED]:role/service-role/AppRunnerECRAccessRole"
    }
    auto_deployments_enabled = false
    image_repository {
      image_configuration {
        port = "8080"
        start_command = "[REDACTED]"
      }
      image_identifier = "[REDACTED].dkr.ecr.us-east-1.amazonaws.com/[REDACTED]:latest"
      image_repository_type = "ECR"
    }
  }
}

Debug Output

Creating terraform_terraform_run ... done
╷
│ Error: Missing required argument
│
│   on main.tf line 16, in resource "aws_apprunner_service" "scratch":
│   16:   instance_configuration {
│
│ The argument "instance_role_arn" is required, but no definition was found.
╵
ERROR: 1

Expected Behavior

Expected to create App Runner service, because the InstanceConfiguration documentation indicates that InstanceRoleArn is optional.

As an aside question: If I were to create a role for this, what would that look like? I'm having difficulty finding documentation on what a minimal role for this looks like.

Actual Behavior

App Runner service is not created, because instance_configuration.instance_role_arn is marked as required. Additionally, if I remove instance_configuration entirely then Terraform succeeds in creating the service.

Steps to Reproduce

  1. terraform apply

Thanks,
–Evan

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/apprunner Issues and PRs that pertain to the apprunner service. labels Jul 12, 2021
@anGie44 anGie44 added documentation Introduces or discusses updates to documentation. and removed needs-triage Waiting for first response or review from a maintainer. labels Jul 12, 2021
@gdavison
Contributor

AWS has some documentation on the instance role at https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles. The permissions needed will basically depend on what your application does.
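
A sketch of the minimal instance role asked about in the issue. This is an added example, not part of the thread or of the provider's documentation; the role and policy names and the SSM parameter path are hypothetical, and the single `ssm:GetParameter` permission stands in for whatever AWS calls the application actually makes.

```hcl
# Added example (not from the issue). Names and the parameter path are hypothetical.

# Trust policy: only App Runner's running instances may assume this role.
# Note the principal differs from the ECR access role used under
# source_configuration, which is assumed by build.apprunner.amazonaws.com.
data "aws_iam_policy_document" "instance_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "scratch-instance"
  assume_role_policy = data.aws_iam_policy_document.instance_assume.json
}

data "aws_caller_identity" "current" {}

# Grant only what the application code calls at runtime.
# Assumption: the app reads one SSM parameter and nothing else.
data "aws_iam_policy_document" "instance_permissions" {
  statement {
    actions   = ["ssm:GetParameter"]
    resources = [
      "arn:aws:ssm:us-east-1:${data.aws_caller_identity.current.account_id}:parameter/scratch/config",
    ]
  }
}

resource "aws_iam_role_policy" "instance" {
  name   = "scratch-instance-permissions"
  role   = aws_iam_role.instance.id
  policy = data.aws_iam_policy_document.instance_permissions.json
}

# Wiring into the aws_apprunner_service resource from the issue:
#   instance_configuration {
#     cpu               = 1024
#     memory            = 2048
#     instance_role_arn = aws_iam_role.instance.arn
#   }
```

On provider versions where `instance_role_arn` is still required, a narrowly scoped role like this satisfies the schema without handing the container broader permissions than it uses.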

@ludofischer

> AWS has some documentation on the instance role at https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles. The permissions needed will basically depend on what your application does.

From reading that documentation, it does seem to me that the instance role is optional. Under the Instance Role heading it says

> The instance role is an optional role that App Runner uses to provide permissions to AWS service actions

@github-actions

github-actions bot commented Dec 1, 2021

This functionality has been released in v3.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2022