Add eventual consistency protection to efs_file_system_policy

.changelog/21734.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_efs_file_system_policy: Retry IAM eventual consistency errors
+```

internal/service/efs/consts.go

@@ -0,0 +1,12 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package efs
+
+import (
+	"time"
+)
+
+const (
+	propagationTimeout = 2 * time.Minute
+)

internal/service/efs/file_system_policy.go

@@ -27,6 +27,7 @@ func ResourceFileSystemPolicy() *schema.Resource {
 		ReadWithoutTimeout:   resourceFileSystemPolicyRead,
 		UpdateWithoutTimeout: resourceFileSystemPolicyPut,
 		DeleteWithoutTimeout: resourceFileSystemPolicyDelete,
+
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
 		},
@@ -62,9 +63,8 @@ func resourceFileSystemPolicyPut(ctx context.Context, d *schema.ResourceData, me
 	conn := meta.(*conns.AWSClient).EFSConn(ctx)
 
 	policy, err := structure.NormalizeJsonString(d.Get("policy").(string))
-
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "policy (%s) is invalid JSON: %s", policy, err)
+		return sdkdiag.AppendFromErr(diags, err)
 	}
 
 	fsID := d.Get("file_system_id").(string)
@@ -74,15 +74,17 @@ func resourceFileSystemPolicyPut(ctx context.Context, d *schema.ResourceData, me
 		Policy:                         aws.String(policy),
 	}
 
-	log.Printf("[DEBUG] Putting EFS File System Policy: %s", input)
-
-	_, err = conn.PutFileSystemPolicyWithContext(ctx, input)
+	_, err = tfresource.RetryWhenAWSErrMessageContains(ctx, propagationTimeout, func() (interface{}, error) {
+		return conn.PutFileSystemPolicyWithContext(ctx, input)
+	}, efs.ErrCodeInvalidPolicyException, "Policy contains invalid Principal block")
 
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "putting EFS File System Policy (%s): %s", fsID, err)
 	}
 
-	d.SetId(fsID)
+	if d.IsNewResource() {
+		d.SetId(fsID)
+	}
 
 	return append(diags, resourceFileSystemPolicyRead(ctx, d, meta)...)
 }
@@ -106,15 +108,13 @@ func resourceFileSystemPolicyRead(ctx context.Context, d *schema.ResourceData, m
 	d.Set("file_system_id", output.FileSystemId)
 
 	policyToSet, err := verify.SecondJSONUnlessEquivalent(d.Get("policy").(string), aws.StringValue(output.Policy))
-
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "while setting policy (%s), encountered: %s", policyToSet, err)
+		return sdkdiag.AppendFromErr(diags, err)
 	}
 
 	policyToSet, err = structure.NormalizeJsonString(policyToSet)
-
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "policy (%s) is an invalid JSON: %s", policyToSet, err)
+		return sdkdiag.AppendFromErr(diags, err)
 	}
 
 	d.Set("policy", policyToSet)