Add retry on MalformedPolicyDocumentException to wait for IAM propagation on KMS policy update #24697

@neinkeinkaffee neinkeinkaffee commented May 8, 2022

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #24696

This PR proposes to retry KMS policy updates when a MalformedPolicyDocumentException occurs. The intention is to avoid failing when a KMS policy references IAM resources that get created at the same time.

Output from acceptance testing:

$ make testacc TESTS=TestAccKMSKey_Policy PKG=kms
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/kms/... -v -count 1 -parallel 20 -run='TestAccKMSKey_Policy'  -timeout 180m
--- PASS: TestAccKMSKey_Policy_booleanCondition (68.99s)
--- PASS: TestAccKMSKey_Policy_iamRole (92.13s)
--- PASS: TestAccKMSKey_Policy_bypassUpdate (111.73s)
--- PASS: TestAccKMSKey_Policy_iamServiceLinkedRole (111.79s)
--- PASS: TestAccKMSKey_Policy_basic (120.11s)
--- PASS: TestAccKMSKey_Policy_iamRoleUpdate (125.12s)
--- PASS: TestAccKMSKey_Policy_iamRoleOrder (160.30s)
--- PASS: TestAccKMSKey_Policy_bypass (209.87s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/kms        212.464s
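
The retry behaviour the description above proposes, as an added stand-alone sketch (not the provider's code and not part of the PR). `retryOnCode`, `apiError` and `fakePutKeyPolicy` are hypothetical names, and the KMS call is simulated so the block runs offline. The same error code is also what a genuinely invalid policy produces, so the retry is bounded by a timeout and surfaces the last error instead of looping.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a constructed stand-in for an AWS SDK error carrying an error code.
type apiError struct{ Code string }

func (e *apiError) Error() string { return e.Code }

const malformedPolicy = "MalformedPolicyDocumentException"

// retryOnCode calls fn until it succeeds, fails with a different error code,
// or the deadline would be exceeded. It returns the attempt count and last error.
func retryOnCode(timeout, delay time.Duration, code string, fn func() error) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := fn()
		var ae *apiError
		if err == nil || !errors.As(err, &ae) || ae.Code != code {
			return attempts, err // success, or an error that waiting cannot fix
		}
		if time.Now().Add(delay).After(deadline) {
			return attempts, fmt.Errorf("gave up after %d attempts: %w", attempts, err)
		}
		time.Sleep(delay)
	}
}

// fakePutKeyPolicy simulates KMS rejecting a policy whose IAM principal is
// not yet visible: the first lag calls fail, later calls succeed.
func fakePutKeyPolicy(lag int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= lag {
			return &apiError{Code: malformedPolicy}
		}
		return nil
	}
}

func main() {
	n, err := retryOnCode(time.Second, 10*time.Millisecond, malformedPolicy, fakePutKeyPolicy(3))
	fmt.Println("propagation lag:", n, err)
	n, err = retryOnCode(50*time.Millisecond, 10*time.Millisecond, malformedPolicy, fakePutKeyPolicy(1<<20))
	fmt.Println("never accepted:", n, err)
}
```
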

@github-actions github-actions bot added service/kms Issues and PRs that pertain to the kms service. needs-triage Waiting for first response or review from a maintainer. size/XS Managed by automation to categorize the size of a PR. and removed needs-triage Waiting for first response or review from a maintainer. labels May 8, 2022

@github-actions github-actions bot left a comment

Welcome @neinkeinkaffee 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@github-actions github-actions bot added size/S Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. and removed size/XS Managed by automation to categorize the size of a PR. labels May 8, 2022
@github-actions github-actions bot added size/XS Managed by automation to categorize the size of a PR. and removed size/S Managed by automation to categorize the size of a PR. labels May 8, 2022
@neinkeinkaffee neinkeinkaffee changed the title [WIP] Add retry on MalformedPolicyDocumentException to wait for IAM propagation on KMS policy update Add retry on MalformedPolicyDocumentException to wait for IAM propagation on KMS policy update May 8, 2022
@ewbankkit ewbankkit added the bug Addresses a defect in current functionality. label May 9, 2022
@github-actions github-actions bot added size/S Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. labels May 9, 2022
@ewbankkit ewbankkit left a comment

LGTM 🚀.

% make testacc TESTS=TestAccKMSKey_Policy PKG=kms
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/kms/... -v -count 1 -parallel 20 -run='TestAccKMSKey_Policy'  -timeout 180m
=== RUN   TestAccKMSKey_Policy_basic
=== PAUSE TestAccKMSKey_Policy_basic
=== RUN   TestAccKMSKey_Policy_bypass
=== PAUSE TestAccKMSKey_Policy_bypass
=== RUN   TestAccKMSKey_Policy_bypassUpdate
=== PAUSE TestAccKMSKey_Policy_bypassUpdate
=== RUN   TestAccKMSKey_Policy_iamRole
=== PAUSE TestAccKMSKey_Policy_iamRole
=== RUN   TestAccKMSKey_Policy_iamRoleUpdate
=== PAUSE TestAccKMSKey_Policy_iamRoleUpdate
=== RUN   TestAccKMSKey_Policy_iamRoleOrder
=== PAUSE TestAccKMSKey_Policy_iamRoleOrder
=== RUN   TestAccKMSKey_Policy_iamServiceLinkedRole
=== PAUSE TestAccKMSKey_Policy_iamServiceLinkedRole
=== RUN   TestAccKMSKey_Policy_booleanCondition
=== PAUSE TestAccKMSKey_Policy_booleanCondition
=== CONT  TestAccKMSKey_Policy_basic
=== CONT  TestAccKMSKey_Policy_iamRoleUpdate
=== CONT  TestAccKMSKey_Policy_bypass
=== CONT  TestAccKMSKey_Policy_booleanCondition
=== CONT  TestAccKMSKey_Policy_bypassUpdate
=== CONT  TestAccKMSKey_Policy_iamRoleOrder
=== CONT  TestAccKMSKey_Policy_iamRole
=== CONT  TestAccKMSKey_Policy_iamServiceLinkedRole
--- PASS: TestAccKMSKey_Policy_booleanCondition (25.38s)
--- PASS: TestAccKMSKey_Policy_basic (37.70s)
--- PASS: TestAccKMSKey_Policy_bypassUpdate (38.07s)
--- PASS: TestAccKMSKey_Policy_iamServiceLinkedRole (54.02s)
--- PASS: TestAccKMSKey_Policy_iamRoleUpdate (52.93s)
--- PASS: TestAccKMSKey_Policy_iamRole (55.41s)
--- PASS: TestAccKMSKey_Policy_iamRoleOrder (70.39s)
--- PASS: TestAccKMSKey_Policy_bypass (151.56s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/kms	155.690s

@ewbankkit

@neinkeinkaffee Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit b8ff9d9 into hashicorp:main May 9, 2022
@github-actions github-actions bot added this to the v4.14.0 milestone May 9, 2022
@github-actions

This functionality has been released in v4.14.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2022
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service. size/S Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Successfully merging this pull request may close these issues.

Allow time for propagation of new IAM resources on KMS policy update