From 584d95197ffb3f0855629348467d5216bb4bc4fc Mon Sep 17 00:00:00 2001 
From: Brian Flad Date: Wed, 10 Jul 2019 13:37:04 -0400 Subject: [PATCH] =?UTF-8?q?resource/aws=5Fbackup=5Fselection:=20IAM=20retr?= =?UTF-8?q?ies,=20test=20fix,=20documenta=E2=80=A6=20(#9298)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * resource/aws_backup_selection: Retry creation for IAM eventual consistency error Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/9297 Output from acceptance testing (failure present on master): ``` --- FAIL: TestAccAwsBackupSelection_withResources (12.00s) testing.go:568: Step 0 error: errors during apply: Error: error creating Backup Selection: InvalidParameterValueException: Invalid ARN: arn:aws:elasticfilesystem:us-west-2:--OMITTED--:file-system/. Specified resource is not supported status code: 400, request id: 2f845d03-51d3-48df-b853-46c077f85780 on /var/folders/v0/_d108fkx1pbbg4_sh864_7740000gn/T/tf-test308326165/main.tf line 22: (source code not available) --- PASS: TestAccAwsBackupSelection_disappears (17.20s) --- PASS: TestAccAwsBackupSelection_basic (18.44s) --- PASS: TestAccAwsBackupSelection_withTags (18.47s) --- PASS: TestAccAwsBackupSelection_updateTag (28.73s) ``` * tests/resource/aws_backup_selection: Remove wildcard usage in withResources acceptance test The usage of wildcards differs between AWS Regions while ARNs are supported everywhere. Previously from acceptance testing: ``` --- FAIL: TestAccAwsBackupSelection_withResources (12.00s) testing.go:568: Step 0 error: errors during apply: Error: error creating Backup Selection: InvalidParameterValueException: Invalid ARN: arn:aws:elasticfilesystem:us-west-2:--OMITTED--:file-system/. 
Specified resource is not supported ``` Output from acceptance testing: ``` --- PASS: TestAccAwsBackupSelection_withResources (29.35s) ``` * docs/resource/aws_backup_selection: Expand example documentation to show IAM Role creation and show using resource ARNs The support for wildcard resource selection does not work in all AWS Regions while ARN support is consistent. Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/9269 --- aws/resource_aws_backup_selection.go | 28 +++++++++- aws/resource_aws_backup_selection_test.go | 15 ++++- website/docs/r/backup_selection.html.markdown | 56 ++++++++++++++++++- 3 files changed, 92 insertions(+), 7 deletions(-) diff --git a/aws/resource_aws_backup_selection.go b/aws/resource_aws_backup_selection.go index 8e8d26e068a..21062861c47 100644 --- a/aws/resource_aws_backup_selection.go +++ b/aws/resource_aws_backup_selection.go @@ -5,9 +5,11 @@ import ( "log" "regexp" "strings" + "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/backup" + "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/helper/schema" "github.com/hashicorp/terraform/helper/validation" ) 
@@ -94,12 +96,34 @@ func resourceAwsBackupSelectionCreate(d *schema.ResourceData, meta interface{}) BackupSelection: selection, } - resp, err := conn.CreateBackupSelection(input) + // Retry for IAM eventual consistency + var output *backup.CreateBackupSelectionOutput + err := resource.Retry(1*time.Minute, func() *resource.RetryError { + var err error + output, err = conn.CreateBackupSelection(input) + + // Retry on the following error: + // InvalidParameterValueException: IAM Role arn:aws:iam::123456789012:role/XXX cannot be assumed by AWS Backup + if isAWSErr(err, backup.ErrCodeInvalidParameterValueException, "cannot be assumed") { + return resource.RetryableError(err) + } + + if err != nil { + return resource.NonRetryableError(err) + } + + return nil + }) + + if isResourceTimeoutError(err) { + output, err = conn.CreateBackupSelection(input) + } + if err != nil { return fmt.Errorf("error creating Backup Selection: %s", err) } - d.SetId(*resp.SelectionId) + d.SetId(aws.StringValue(output.SelectionId)) return resourceAwsBackupSelectionRead(d, meta) } diff --git a/aws/resource_aws_backup_selection_test.go b/aws/resource_aws_backup_selection_test.go index 05165ec63a1..3a6095359ec 100644 --- a/aws/resource_aws_backup_selection_test.go +++ b/aws/resource_aws_backup_selection_test.go @@ -304,6 +304,17 @@ resource "aws_backup_selection" "test" { func testAccBackupSelectionConfigWithResources(rInt int) string { return testAccBackupSelectionConfigBase(rInt) + fmt.Sprintf(` +data "aws_availability_zones" "available" { + state = "available" +} + +resource "aws_ebs_volume" "test" { + count = 2 + + availability_zone = "${data.aws_availability_zones.available.names[0]}" + size = 1 +} + resource "aws_backup_selection" "test" { plan_id = "${aws_backup_plan.test.id}" 
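Review bot: `d.SetId(aws.StringValue(output.SelectionId))` at the end of the create hunk maps a nil `SelectionId` to an empty ID, and `output` is dereferenced without a nil check after the retry and the post-timeout call. An empty ID makes Terraform drop the resource from state, so a selection that AWS did create, and that ties an IAM role to the selected resources, would stay in the account unmanaged. I would fail loudly before `SetId`: `if output == nil || output.SelectionId == nil { return fmt.Errorf("error creating Backup Selection: empty response") }`. Separately, the retry keys on the message substring `"cannot be assumed"`, which presumably also matches a role whose trust policy never allows AWS Backup, so that misconfiguration only surfaces after the full minute; a comment such as `// Also matches a permanently wrong trust policy; that case fails after the timeout.` would record it. The function begins above the hunk.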
@@ -317,8 +328,8 @@ resource "aws_backup_selection" "test" { } resources = [ - "arn:${data.aws_partition.current.partition}:elasticfilesystem:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:file-system/", - "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/" + "${aws_ebs_volume.test.0.arn}", + "${aws_ebs_volume.test.1.arn}", ] } `, rInt) diff --git a/website/docs/r/backup_selection.html.markdown b/website/docs/r/backup_selection.html.markdown index 50ea4647104..c6e98d9bc4a 100644 --- a/website/docs/r/backup_selection.html.markdown +++ b/website/docs/r/backup_selection.html.markdown @@ -12,21 +12,71 @@ Manages selection conditions for AWS Backup plan resources. ## Example Usage +### IAM Role + +-> For more information about creating and managing IAM Roles for backups and restores, see the [AWS Backup Developer Guide](https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html). + +The below example creates an IAM role with the default managed IAM Policy for allowing AWS Backup to create backups. + ```hcl +resource "aws_iam_role" "example" { + name = "example" + assume_role_policy = <