kms CreateKey: retry if arn in policy not yet seen (#11509)

if KMS service doesn't think a resource exists which is listed in a Key policy, then CreateKey fails. so retry until it's seen by KMS service.
2017-01-30 06:23:43 -05:00 · 2017-01-30 06:23:43 -05:00 · 747ca75bfe
parent 9183be4c83
commit 747ca75bfe
1 changed files with 13 additions and 1 deletions
--- a/builtin/providers/aws/resource_aws_kms_key.go
+++ b/builtin/providers/aws/resource_aws_kms_key.go
@ -99,7 +99,19 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
 		req.Policy = aws.String(v.(string))
 	}

-	resp, err := conn.CreateKey(&req)
+	var resp *kms.CreateKeyOutput
+	// AWS requires any principal in the policy to exist before the key is created.
+	// The KMS service's awareness of principals is limited by "eventual consistency".
+	// They acknowledge this here:
+	// http://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html
+	err := resource.Retry(30*time.Second, func() *resource.RetryError {
+		var err error
+		resp, err = conn.CreateKey(&req)
+		if isAWSErr(err, "MalformedPolicyDocumentException", "") {
+			return resource.RetryableError(err)
+		}
+		return resource.NonRetryableError(err)
+	})
 	if err != nil {
 		return err
 	}