Ignore InvalidAction errors when tagging IAM Instance Profiles

cloudmock/aws/mockiam/iaminstanceprofile.go

@@ -92,6 +92,34 @@ func (m *MockIAM) CreateInstanceProfileRequest(*iam.CreateInstanceProfileInput)
 	panic("Not implemented")
 }
 
+func (m *MockIAM) TagInstanceProfile(request *iam.TagInstanceProfileInput) (*iam.TagInstanceProfileOutput, error) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	klog.Infof("CreateInstanceProfile: %v", request)
+
+	ip := m.InstanceProfiles[aws.StringValue(request.InstanceProfileName)]
+	if ip == nil {
+		return nil, fmt.Errorf("InstanceProfile not found")
+	}
+
+	for _, tag := range request.Tags {
+		key := *tag.Key
+		overwritten := false
+		for _, existingTag := range ip.Tags {
+			if *existingTag.Key == key {
+				existingTag.Value = tag.Value
+				overwritten = true
+				break
+			}
+		}
+		if !overwritten {
+			ip.Tags = append(ip.Tags, tag)
+		}
+	}
+	return &iam.TagInstanceProfileOutput{}, nil
+}
+
 func (m *MockIAM) AddRoleToInstanceProfile(request *iam.AddRoleToInstanceProfileInput) (*iam.AddRoleToInstanceProfileOutput, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

upup/pkg/fi/cloudup/awstasks/iaminstanceprofile.go

@@ -118,7 +118,6 @@ func (_ *IAMInstanceProfile) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAM
 
 		request := &iam.CreateInstanceProfileInput{
 			InstanceProfileName: e.Name,
-			Tags:                mapToIAMTags(e.Tags),
 		}
 
 		response, err := t.Cloud.IAM().CreateInstanceProfile(request)
@@ -126,6 +125,19 @@ func (_ *IAMInstanceProfile) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAM
 			return fmt.Errorf("error creating IAMInstanceProfile: %v", err)
 		}
 
+		tagRequest := &iam.TagInstanceProfileInput{
+			InstanceProfileName: e.Name,
+			Tags:                mapToIAMTags(e.Tags),
+		}
+		_, err = t.Cloud.IAM().TagInstanceProfile(tagRequest)
+		if err != nil {
+			if awsup.AWSErrorCode(err) == awsup.AWSErrCodeInvalidAction {
+				klog.Warningf("Ignoring unsupported IAMInstanceProfile tagging %v", *a.Name)
+			} else {
+				return fmt.Errorf("error tagging IAMInstanceProfile: %v", err)
+			}
+		}
+
 		e.ID = response.InstanceProfile.InstanceProfileId
 		e.Name = response.InstanceProfile.InstanceProfileName
 	} else {
@@ -151,14 +163,17 @@ func (_ *IAMInstanceProfile) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *IAM
 				}
 				_, err := t.Cloud.IAM().TagInstanceProfile(tagRequest)
 				if err != nil {
-					return fmt.Errorf("error tagging IAMInstanceProfile: %v", err)
+					if awsup.AWSErrorCode(err) == awsup.AWSErrCodeInvalidAction {
+						klog.Warningf("Ignoring unsupported IAMInstanceProfile tagging %v", *a.Name)
+					} else {
+						return fmt.Errorf("error tagging IAMInstanceProfile: %v", err)
+					}
 				}
 			}
 		}
 	}
 
-	// TODO: Should we use path as our tag?
+	return nil
-	return nil // No tags in IAM
 }
 
 func (_ *IAMInstanceProfile) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *IAMInstanceProfile) error {

upup/pkg/fi/cloudup/awsup/aws_cloud.go

@@ -115,6 +115,9 @@ const (
 	WellKnownAccountUbuntu       = "099720109477"
 )
 
+// AWSErrCodeInvalidAction is returned in AWS partitions that don't support certain actions
+const AWSErrCodeInvalidAction = "InvalidAction"
+
 type AWSCloud interface {
 	fi.Cloud
 	CloudFormation() *cloudformation.CloudFormation