From e0bc1f51b27c03777d1c97b67113358d29a81d38 Mon Sep 17 00:00:00 2001
From: Jared Baker <jared.baker@hashicorp.com>
Date: Tue, 26 Mar 2024 11:20:17 -0400
Subject: [PATCH] r/aws_opensearch_domain_policy: handle domain update
 propagation delays

This change adds logic to retry ValidationExceptions which indicate a domain change is in-progress. When a domain policy change immediately follows domain creation or modification, delays in propagation of the ACTIVE status can cause intermittent ValidationExceptions. These errors are now retried for a short interval (2 minutes), which should allow configurations pairing domain and domain policy resources to complete successfully on the first apply.

```console
% make testacc PKG=opensearch TESTS=TestAccOpenSearchDomainPolicy_
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go1.21.8 test ./internal/service/opensearch/... -v -count 1 -parallel 20 -run='TestAccOpenSearchDomainPolicy_'  -timeout 360m

--- PASS: TestAccOpenSearchDomainPolicy_basic (2148.30s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/opensearch 2153.767
```
---
 internal/service/opensearch/domain_policy.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/internal/service/opensearch/domain_policy.go b/internal/service/opensearch/domain_policy.go
index 10e6aefe2a0..9e8520bf501 100644
--- a/internal/service/opensearch/domain_policy.go
+++ b/internal/service/opensearch/domain_policy.go
@@ -90,10 +90,16 @@ func resourceDomainPolicyUpsert(ctx context.Context, d *schema.ResourceData, met
 		return sdkdiag.AppendErrorf(diags, "policy (%s) is invalid JSON: %s", policy, err)
 	}
 
-	_, err = conn.UpdateDomainConfigWithContext(ctx, &opensearchservice.UpdateDomainConfigInput{
-		DomainName:     aws.String(domainName),
-		AccessPolicies: aws.String(policy),
-	})
+	_, err = tfresource.RetryWhenAWSErrMessageContains(ctx, propagationTimeout,
+		func() (interface{}, error) {
+			return conn.UpdateDomainConfigWithContext(ctx, &opensearchservice.UpdateDomainConfigInput{
+				DomainName:     aws.String(domainName),
+				AccessPolicies: aws.String(policy),
+			})
+		},
+		opensearchservice.ErrCodeValidationException,
+		"A change/update is in progress",
+	)
 	if err != nil {
 		return sdkdiag.AppendErrorf(diags, "updating OpenSearch Domain Policy (%s): %s", d.Id(), err)
 	}