EC2: Validate instance profile before creating Instances (#6905)

2023-10-12 21:25:56 +00:00 · 2023-10-12 21:25:56 +00:00 · de714eb4cc
commit de714eb4cc
parent 760e28bb7f
2 changed files with 35 additions and 4 deletions
--- a/moto/ec2/responses/instances.py
+++ b/moto/ec2/responses/instances.py
@ -5,6 +5,7 @@ from moto.ec2.exceptions import (
    InvalidParameterCombination,
    InvalidRequest,
 )
+from moto.ec2.utils import filter_iam_instance_profiles

 from copy import deepcopy

@ -98,20 +99,31 @@ class InstanceResponse(EC2BaseResponse):
        if mappings:
            kwargs["block_device_mappings"] = mappings

+        iam_instance_profile_name = kwargs.get("iam_instance_profile_name")
+        iam_instance_profile_arn = kwargs.get("iam_instance_profile_arn")
+        if iam_instance_profile_arn or iam_instance_profile_name:
+            # Validate the profile exists, before we error_on_dryrun and add_instances
+            filter_iam_instance_profiles(
+                self.current_account,
+                iam_instance_profile_arn=iam_instance_profile_arn,
+                iam_instance_profile_name=iam_instance_profile_name,
+            )
+
        self.error_on_dryrun()

        new_reservation = self.ec2_backend.add_instances(
            image_id, min_count, user_data, security_group_names, **kwargs
        )
-        if kwargs.get("iam_instance_profile_name"):
+        if iam_instance_profile_name:
            self.ec2_backend.associate_iam_instance_profile(
                instance_id=new_reservation.instances[0].id,
-                iam_instance_profile_name=kwargs.get("iam_instance_profile_name"),
+                iam_instance_profile_name=iam_instance_profile_name,
            )
-        if kwargs.get("iam_instance_profile_arn"):
+
+        if iam_instance_profile_arn:
            self.ec2_backend.associate_iam_instance_profile(
                instance_id=new_reservation.instances[0].id,
-                iam_instance_profile_arn=kwargs.get("iam_instance_profile_arn"),
+                iam_instance_profile_arn=iam_instance_profile_arn,
            )

        template = self.response_template(EC2_RUN_INSTANCES)
--- a/tests/test_ec2/test_instances.py
+++ b/tests/test_ec2/test_instances.py
@ -2616,6 +2616,25 @@ def test_instance_iam_instance_profile():
    assert "Id" in instance.iam_instance_profile
    assert profile["InstanceProfile"]["Arn"] == instance.iam_instance_profile["Arn"]

+    tag_key = str(uuid4())[0:6]
+    with pytest.raises(ClientError) as exc:
+        ec2_resource.create_instances(
+            ImageId=EXAMPLE_AMI_ID,
+            MinCount=1,
+            MaxCount=1,
+            IamInstanceProfile={"Arn": "unknown:instance:profile"},
+            TagSpecifications=[
+                {"ResourceType": "instance", "Tags": [{"Key": tag_key, "Value": "val"}]}
+            ],
+        )
+    err = exc.value.response["Error"]
+    assert err["Code"] == "NoSuchEntity"
+    assert err["Message"] == "Instance profile unknown:instance:profile not found"
+
+    ec2_client = boto3.client("ec2", "us-west-1")
+    filters = [{"Name": "tag-key", "Values": [tag_key]}]
+    assert retrieve_all_instances(ec2_client, filters) == []
+

 def retrieve_all_reservations(client, filters=[]):  # pylint: disable=W0102
    resp = client.describe_instances(Filters=filters)