Allow time for propagation of new IAM resources on KMS policy update #24696
Labels
bug
Addresses a defect in current functionality.
service/iam
Issues and PRs that pertain to the iam service.
service/kms
Issues and PRs that pertain to the kms service.
Community Note
Terraform CLI and Terraform AWS Provider Version
Terraform v1.1.5
Provider v4.14.0 (HEAD: cffbd38)
Affected Resource(s)
aws_kms_key
Terraform Configuration Files
Given the distributed nature of AWS, IAM changes take time to propagate. During the creation of KMS keys and their resource policies, a MalformedPolicyDocumentException indicates that IAM changes might not have propagated, and this is handled by the provider, which retries for up to two minutes. However, when updating the resource policy of an already existing key, the provider fails to handle the same error.
Debug Output
Expected Behavior
As with key creation, the provider should retry the key update until the timeout allowed for IAM propagation (two minutes) is reached.
Actual Behavior
The provider doesn't retry, instead failing on the first MalformedPolicyDocumentException.
Steps to Reproduce
1. terraform apply the Terraform configuration from above to create a KMS key
2. terraform apply again to create a new IAM role and reference it in the policy
References
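The bounded retry requested above for key policy updates, as an added example that is not the provider's own code. `codedError` and `retryOnIAMPropagation` are hypothetical names standing in for the AWS SDK error type and the provider's retry helper, and the failing call in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// codedError is a stand-in for an AWS API error carrying an error code
// (hypothetical type; the real SDK has its own error types).
type codedError struct{ code, msg string }

func (e *codedError) Error() string { return e.code + ": " + e.msg }

const malformedPolicy = "MalformedPolicyDocumentException"

// retryOnIAMPropagation calls put until it succeeds, returns an error other
// than MalformedPolicyDocumentException, or the timeout elapses. The bound
// matters: the same error code is returned for a policy that is genuinely
// malformed, which no amount of waiting will fix.
func retryOnIAMPropagation(timeout, delay time.Duration, put func() error) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempt := 1; ; attempt++ {
		err := put()
		var ce *codedError
		if err == nil || !errors.As(err, &ce) || ce.code != malformedPolicy {
			return attempt, err
		}
		if time.Now().Add(delay).After(deadline) {
			return attempt, fmt.Errorf("policy still rejected after %s: %w", timeout, err)
		}
		time.Sleep(delay)
	}
}

func main() {
	// Constructed scenario: the new role becomes visible on the third call.
	calls := 0
	put := func() error {
		calls++
		if calls < 3 {
			return &codedError{malformedPolicy, "policy contains invalid principals"}
		}
		return nil
	}
	n, err := retryOnIAMPropagation(2*time.Minute, 10*time.Millisecond, put)
	fmt.Println(n, err)
}
```

Wrapping both the create and the update call in the same helper keeps the two paths consistent, and any other error code (an access-denied response, for instance) is returned on the first attempt rather than retried.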