provider/aws: Wait for NACL rule to be visible

Fixes #4721. It seems there may be some eventual consistency in the API
for network ACLs. This fix doesn't use resource.WaitForState() as there
the NACL is not something that can be looked up by ID and has a
property which determines if it is present.

Instead we reuse the findNetworkAclRule function which the Read function
exhibiting the problem uses, and retry over a 3 minute period, returning
an error message informing the user that running `terraform apply` again
will likely allow them to continue.

builtin/providers/aws/resource_aws_network_acl_rule.go

@@ -5,10 +5,12 @@ import (
 	"fmt"
 	"log"
 	"strconv"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/hashicorp/terraform/helper/hashcode"
+	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/helper/schema"
 )
 
@@ -118,6 +120,22 @@ func resourceAwsNetworkAclRuleCreate(d *schema.ResourceData, meta interface{}) e
 		return fmt.Errorf("Error Creating Network Acl Rule: %s", err.Error())
 	}
 	d.SetId(networkAclIdRuleNumberEgressHash(d.Get("network_acl_id").(string), d.Get("rule_number").(int), d.Get("egress").(bool), d.Get("protocol").(string)))
+
+	// It appears it might be a while until the newly created rule is visible via the
+	// API (see issue GH-4721). Retry the `findNetworkAclRule` function until it is
+	// visible (which in most cases is likely immediately).
+	err = resource.Retry(3*time.Minute, func() error {
+		_, findErr := findNetworkAclRule(d, meta)
+		if findErr != nil {
+			return findErr
+		}
+
+		return nil
+	})
+	if err != nil {
+		return fmt.Errorf("Created Network ACL Rule was not visible in API within 3 minute period. Running 'terraform apply' again will resume infrastructure creation.")
+	}
+
 	return resourceAwsNetworkAclRuleRead(d, meta)
 }