retry on ResourceConflictException during creation
anGie44 committed Mar 23, 2021
1 parent 7141d1c commit d34aca9
Showing 4 changed files with 92 additions and 3 deletions.
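--- a/.changelog/18341.txt
+++ b/.changelog/18341.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_securityhub_organization_admin_account: Retry on `ResourceConflictException` error during creation
+```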
18 changes: 17 additions & 1 deletion aws/resource_aws_securityhub_organization_admin_account.go
@@ -7,9 +7,11 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/hashicorp/aws-sdk-go-base/tfawserr"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/securityhub/finder"
"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/securityhub/waiter"
"github.com/terraform-providers/terraform-provider-aws/aws/internal/tfresource"
)

func resourceAwsSecurityHubOrganizationAdminAccount() *schema.Resource {
@@ -42,7 +44,21 @@ func resourceAwsSecurityHubOrganizationAdminAccountCreate(d *schema.ResourceData
AdminAccountId: aws.String(adminAccountID),
}

_, err := conn.EnableOrganizationAdminAccount(input)
err := resource.Retry(waiter.AdminAccountEnabledTimeout, func() *resource.RetryError {
_, err := conn.EnableOrganizationAdminAccount(input)

if err != nil {
if tfawserr.ErrCodeEquals(err, securityhub.ErrCodeResourceConflictException) {
return resource.RetryableError(err)
}
return resource.NonRetryableError(err)
}
return nil
})

if tfresource.TimedOut(err) {
_, err = conn.EnableOrganizationAdminAccount(input)
}

if err != nil {
return fmt.Errorf("error enabling Security Hub Organization Admin Account (%s): %w", adminAccountID, err)
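Review bot: The retry closure in resourceAwsSecurityHubOrganizationAdminAccountCreate treats every `ResourceConflictException` from `EnableOrganizationAdminAccount` as transient and keeps retrying for the whole `waiter.AdminAccountEnabledTimeout`, a constant defined outside this hunk and apparently meant for the status waiter. If a conflict can also be persistent rather than caused by concurrent enables in other regions (the hunk does not say which conflicts the API returns), the apply would stall for the full timeout before the error surfaces, on a call that delegates Security Hub administration for the whole organization. I would document the assumption above the retry, e.g. `// ResourceConflictException is expected while the same admin account is being enabled concurrently in another region; retry until it settles`, and consider a dedicated, shorter timeout for this loop. The final call under `tfresource.TimedOut(err)` also deserves a one-line comment saying why a single extra attempt is made. The function body starts and ends outside the hunk.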
69 changes: 69 additions & 0 deletions aws/resource_aws_securityhub_organization_admin_account_test.go
@@ -7,6 +7,7 @@ import (
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/hashicorp/aws-sdk-go-base/tfawserr"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
"github.com/terraform-providers/terraform-provider-aws/aws/internal/service/securityhub/finder"
)
@@ -63,6 +64,35 @@ func testAccAwsSecurityHubOrganizationAdminAccount_disappears(t *testing.T) {
})
}

func testAccAwsSecurityHubOrganizationAdminAccount_MultiRegion(t *testing.T) {
var providers []*schema.Provider

resourceName := "aws_securityhub_organization_admin_account.test"
altResourceName := "aws_securityhub_organization_admin_account.alternate"
thirdResourceName := "aws_securityhub_organization_admin_account.third"

resource.Test(t, resource.TestCase{
PreCheck: func() {
testAccPreCheck(t)
testAccOrganizationsAccountPreCheck(t)
testAccMultipleRegionPreCheck(t, 3)
},
ErrorCheck: testAccErrorCheck(t, securityhub.EndpointsID),
ProviderFactories: testAccProviderFactoriesMultipleRegion(&providers, 3),
CheckDestroy: testAccCheckAwsSecurityHubOrganizationAdminAccountDestroy,
Steps: []resource.TestStep{
{
Config: testAccSecurityHubOrganizationAdminAccountConfigMultiRegion(),
Check: resource.ComposeTestCheckFunc(
testAccCheckAwsSecurityHubOrganizationAdminAccountExists(resourceName),
testAccCheckAwsSecurityHubOrganizationAdminAccountExists(altResourceName),
testAccCheckAwsSecurityHubOrganizationAdminAccountExists(thirdResourceName),
),
},
},
})
}

func testAccCheckAwsSecurityHubOrganizationAdminAccountDestroy(s *terraform.State) error {
conn := testAccProvider.Meta().(*AWSClient).securityhubconn

@@ -136,3 +166,42 @@ resource "aws_securityhub_organization_admin_account" "test" {
}
`
}

func testAccSecurityHubOrganizationAdminAccountConfigMultiRegion() string {
return composeConfig(
testAccMultipleRegionProviderConfig(3),
`
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
resource "aws_organizations_organization" "test" {
aws_service_access_principals = ["securityhub.${data.aws_partition.current.dns_suffix}"]
feature_set = "ALL"
}
resource "aws_securityhub_account" "test" {}
resource "aws_securityhub_organization_admin_account" "test" {
depends_on = [aws_organizations_organization.test]
admin_account_id = data.aws_caller_identity.current.account_id
}
resource "aws_securityhub_organization_admin_account" "alternate" {
provider = awsalternate
depends_on = [aws_organizations_organization.test]
admin_account_id = data.aws_caller_identity.current.account_id
}
resource "aws_securityhub_organization_admin_account" "third" {
provider = awsthird
depends_on = [aws_organizations_organization.test]
admin_account_id = data.aws_caller_identity.current.account_id
}
`)
}
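Review bot: The three `testAccCheckAwsSecurityHubOrganizationAdminAccountExists` checks and the `CheckDestroy` in testAccAwsSecurityHubOrganizationAdminAccount_MultiRegion appear to run against the default provider only. The destroy check visibly takes its client from `testAccProvider.Meta()`, and the exists helper (defined outside these hunks) is called with just a resource name. Because all three resources use the same `admin_account_id`, a lookup in the default region would probably succeed even if the alternate or third region was never enabled, so the test may not prove that the new retry works per region or that the delegation is removed everywhere on destroy. I would pass a region-specific provider taken from the `providers` slice into the checks, or at least record the limitation with a comment such as `// NOTE: checks use the default-region client; alternate and third regions are not verified`.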
5 changes: 3 additions & 2 deletions aws/resource_aws_securityhub_test.go
@@ -23,8 +23,9 @@ func TestAccAWSSecurityHub_serial(t *testing.T) {
"basic": testAccAWSSecurityHubInviteAccepter_basic,
},
"OrganizationAdminAccount": {
"basic": testAccAwsSecurityHubOrganizationAdminAccount_basic,
"disappears": testAccAwsSecurityHubOrganizationAdminAccount_disappears,
"basic": testAccAwsSecurityHubOrganizationAdminAccount_basic,
"disappears": testAccAwsSecurityHubOrganizationAdminAccount_disappears,
"MultiRegion": testAccAwsSecurityHubOrganizationAdminAccount_MultiRegion,
},
"ProductSubscription": {
"basic": testAccAWSSecurityHubProductSubscription_basic,