kms CreateKey: retry if arn in policy not yet seen (#11509)
If the KMS service does not yet see a resource that is listed in a key policy, CreateKey fails, so retry until the KMS service sees it.
parent
9183be4c83
commit
747ca75bfe
|
@ -99,7 +99,19 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error {
|
|||
req.Policy = aws.String(v.(string))
|
||||
}
|
||||
|
||||
resp, err := conn.CreateKey(&req)
|
||||
var resp *kms.CreateKeyOutput
|
||||
// AWS requires any principal in the policy to exist before the key is created.
|
||||
// The KMS service's awareness of principals is limited by "eventual consistency".
|
||||
// They acknowledge this here:
|
||||
// http://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html
|
||||
err := resource.Retry(30*time.Second, func() *resource.RetryError {
|
||||
var err error
|
||||
resp, err = conn.CreateKey(&req)
|
||||
if isAWSErr(err, "MalformedPolicyDocumentException", "") {
|
||||
return resource.RetryableError(err)
|
||||
}
|
||||
return resource.NonRetryableError(err)
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
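Review bot: The retry predicate `isAWSErr(err, "MalformedPolicyDocumentException", "")` matches on the error code alone, so a policy that is permanently invalid (bad JSON, a principal that will never exist) is also retried until the 30-second timeout before the user sees the failure. If KMS returns a distinguishable message for the not-yet-propagated principal case, pass that text as the third argument instead of `""`; otherwise state that the broad match is deliberate, e.g. `// Same code as permanent policy errors; those surface only after the timeout.` The success path also depends on `resource.NonRetryableError(nil)` being treated as success by the helper, which is not visible here, so an explicit `if err == nil { return nil }` before that return would remove the dependency. resourceAwsKmsKeyCreate starts and ends outside the hunk.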