kms CreateKey: retry if arn in policy not yet seen (#11509)

if KMS service doesn't think a resource exists which is listed in
a Key policy, then CreateKey fails. so retry until it's seen
by KMS service.
This commit is contained in:
snakeb1t 2017-01-30 06:23:43 -05:00 committed by Paul Stack
parent 9183be4c83
commit 747ca75bfe
1 changed files with 13 additions and 1 deletions

View File

@ -99,7 +99,19 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
req.Policy = aws.String(v.(string))
}
resp, err := conn.CreateKey(&req)
var resp *kms.CreateKeyOutput
// AWS requires any principal in the policy to exist before the key is created.
// The KMS service's awareness of principals is limited by "eventual consistency".
// They acknowledge this here:
// http://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html
err := resource.Retry(30*time.Second, func() *resource.RetryError {
var err error
resp, err = conn.CreateKey(&req)
if isAWSErr(err, "MalformedPolicyDocumentException", "") {
return resource.RetryableError(err)
}
return resource.NonRetryableError(err)
})
if err != nil {
return err
}