hashicorp · bflad · Mar 26, 2021 · Mar 24, 2021 · Mar 24, 2021 · gdavison
@@ -0,0 +1,7 @@
+```release-note:bug
+resource/aws_network_acl: Handle EC2 eventual consistency errors on creation
+```
+
+```release-note:bug
+resource/aws_network_acl_rule: Handle EC2 eventual consistency errors on creation
+```
@@ -98,6 +98,88 @@ func InstanceByID(conn *ec2.EC2, id string) (*ec2.Instance, error) {
 	return output.Reservations[0].Instances[0], nil
 }
 
+// NetworkAclByID looks up a NetworkAcl by ID. When not found, returns nil and potentially an API error.
+func NetworkAclByID(conn *ec2.EC2, id string) (*ec2.NetworkAcl, error) {
+	input := &ec2.DescribeNetworkAclsInput{
+		NetworkAclIds: aws.StringSlice([]string{id}),
+	}
+
+	output, err := conn.DescribeNetworkAcls(input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if output == nil {
+		return nil, nil
+	}
+
+	for _, networkAcl := range output.NetworkAcls {
+		if networkAcl == nil {
+			continue
+		}
+
+		if aws.StringValue(networkAcl.NetworkAclId) != id {
+			continue
+		}
+
+		return networkAcl, nil
+	}
+
+	return nil, nil
+}
+
+// NetworkAclEntry looks up a NetworkAclEntry by Network ACL ID, Egress, and Rule Number. When not found, returns nil and potentially an API error.
+func NetworkAclEntry(conn *ec2.EC2, networkAclID string, egress bool, ruleNumber int) (*ec2.NetworkAclEntry, error) {
+	input := &ec2.DescribeNetworkAclsInput{
+		Filters: []*ec2.Filter{
+			{
+				Name:   aws.String("entry.egress"),
+				Values: aws.StringSlice([]string{fmt.Sprintf("%t", egress)}),
+			},
+			{
+				Name:   aws.String("entry.rule-number"),
+				Values: aws.StringSlice([]string{fmt.Sprintf("%d", ruleNumber)}),
+			},
+		},
+		NetworkAclIds: aws.StringSlice([]string{networkAclID}),
+	}
+
+	output, err := conn.DescribeNetworkAcls(input)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if output == nil {
+		return nil, nil
+	}
+
+	for _, networkAcl := range output.NetworkAcls {
+		if networkAcl == nil {
+			continue
+		}
+
+		if aws.StringValue(networkAcl.NetworkAclId) != networkAclID {
+			continue
+		}
+
+		for _, entry := range output.NetworkAcls[0].Entries {
+			if entry == nil {
+				continue
+			}
+
+			if aws.BoolValue(entry.Egress) != egress || aws.Int64Value(entry.RuleNumber) != int64(ruleNumber) {
+				continue
+			}
+
+			return entry, nil
+		}
+	}
+
+	return nil, nil
+}
+
 // RouteTableByID returns the route table corresponding to the specified identifier.
 // Returns NotFoundError if no route table is found.
 func RouteTableByID(conn *ec2.EC2, routeTableID string) (*ec2.RouteTable, error) {

@@ -252,6 +252,11 @@ func InstanceIamInstanceProfileUpdated(conn *ec2.EC2, instanceID string, expecte
 	return nil, err
 }
 
+const (
+	NetworkAclPropagationTimeout      = 2 * time.Minute
+	NetworkAclEntryPropagationTimeout = 5 * time.Minute
+)
+
 func SecurityGroupCreated(conn *ec2.EC2, id string, timeout time.Duration) (*ec2.SecurityGroup, error) {
 	stateConf := &resource.StateChangeConf{
 		Pending: []string{SecurityGroupStatusNotFound},

@@ -11,11 +11,15 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/hashicorp/aws-sdk-go-base/tfawserr"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/hashcode"
 	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2/finder"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2/waiter"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/tfresource"
 )
 
 func resourceAwsNetworkAcl() *schema.Resource {
@@ -196,39 +200,119 @@ func resourceAwsNetworkAclCreate(d *schema.ResourceData, meta interface{}) error
 
 	log.Printf("[DEBUG] Network Acl create config: %#v", createOpts)
 	resp, err := conn.CreateNetworkAcl(createOpts)
+
 	if err != nil {
-		return fmt.Errorf("Error creating network acl: %s", err)
+		return fmt.Errorf("error creating EC2 Network ACL: %w", err)
+	}
+
+	if resp == nil || resp.NetworkAcl == nil {
+		return fmt.Errorf("error creating EC2 Network ACL: empty response")
+	}
+
+	d.SetId(aws.StringValue(resp.NetworkAcl.NetworkAclId))
+
+	if v, ok := d.GetOk("egress"); ok && v.(*schema.Set).Len() > 0 {
+		err := updateNetworkAclEntries(d, "egress", conn)
+
+		if err != nil {
+			return fmt.Errorf("error updating EC2 Network ACL (%s) Egress Entries: %w", d.Id(), err)
+		}
+	}
+
+	if v, ok := d.GetOk("ingress"); ok && v.(*schema.Set).Len() > 0 {
+		err := updateNetworkAclEntries(d, "ingress", conn)
+
+		if err != nil {
+			return fmt.Errorf("error updating EC2 Network ACL (%s) Ingress Entries: %w", d.Id(), err)
+		}
 	}
 
-	// Get the ID and store it
-	networkAcl := resp.NetworkAcl
-	d.SetId(aws.StringValue(networkAcl.NetworkAclId))
+	if v, ok := d.GetOk("subnet_ids"); ok && v.(*schema.Set).Len() > 0 {
+		for _, subnetIDRaw := range v.(*schema.Set).List() {
+			subnetID, ok := subnetIDRaw.(string)
+
+			if !ok {
+				continue
+			}
+
+			association, err := findNetworkAclAssociation(subnetID, conn)
+
+			if err != nil {
+				return fmt.Errorf("error finding existing EC2 Network ACL association for Subnet (%s): %w", subnetID, err)
+			}
 
-	// Update rules and subnet association once acl is created
-	return resourceAwsNetworkAclUpdate(d, meta)
+			if association == nil {
+				return fmt.Errorf("error finding existing EC2 Network ACL association for Subnet (%s): empty response", subnetID)
+			}
+
+			input := &ec2.ReplaceNetworkAclAssociationInput{
+				AssociationId: association.NetworkAclAssociationId,
+				NetworkAclId:  aws.String(d.Id()),
+			}
+
+			_, err = conn.ReplaceNetworkAclAssociation(input)
+
+			if err != nil {
+				return fmt.Errorf("error replacing existing EC2 Network ACL association for Subnet (%s): %w", subnetID, err)
+			}
+		}
+	}
+
+	return resourceAwsNetworkAclRead(d, meta)
 }
 
 func resourceAwsNetworkAclRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).ec2conn
 	ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig
 
-	resp, err := conn.DescribeNetworkAcls(&ec2.DescribeNetworkAclsInput{
-		NetworkAclIds: []*string{aws.String(d.Id())},
+	var networkAcl *ec2.NetworkAcl
+
+	err := resource.Retry(waiter.NetworkAclPropagationTimeout, func() *resource.RetryError {
+		var err error
+
+		networkAcl, err = finder.NetworkAclByID(conn, d.Id())
+
+		if d.IsNewResource() && tfawserr.ErrCodeEquals(err, "InvalidNetworkAclID.NotFound") {
+			return resource.RetryableError(err)
+		}
+
+		if err != nil {
+			return resource.NonRetryableError(err)
+		}
+
+		if d.IsNewResource() && networkAcl == nil {
+			return resource.RetryableError(&resource.NotFoundError{
+				LastError: fmt.Errorf("EC2 Network ACL (%s) not found", d.Id()),
+			})
+		}
+
+		return nil
 	})
 
+	if tfresource.TimedOut(err) {
+		networkAcl, err = finder.NetworkAclByID(conn, d.Id())
+	}
+
+	if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, "InvalidNetworkAclID.NotFound") {
+		log.Printf("[WARN] EC2 Network ACL (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
 	if err != nil {
-		if isAWSErr(err, "InvalidNetworkAclID.NotFound", "") {
-			log.Printf("[WARN] Network ACL (%s) not found, removing from state", d.Id())
-			d.SetId("")
-			return nil
-		}
-		return err
+		return fmt.Errorf("error reading EC2 Network ACL (%s): %w", d.Id(), err)
 	}
-	if resp == nil {
+
+	if networkAcl == nil {
+		if d.IsNewResource() {
+			return fmt.Errorf("error reading EC2 Network ACL (%s): not found after creation", d.Id())
+		}
+
+		log.Printf("[WARN] EC2 Network ACL (%s) not found, removing from state", d.Id())
+		d.SetId("")
 		return nil
 	}
 
-	networkAcl := resp.NetworkAcls[0]
 	var ingressEntries []*ec2.NetworkAclEntry
 	var egressEntries []*ec2.NetworkAclEntry