From f9bee642bfe1868caaec96b503cea1a1030a4e79 Mon Sep 17 00:00:00 2001
From: Bo Huang
Date: Tue, 17 Mar 2020 16:35:52 -0700
Subject: [PATCH] r/aws_iam_role - add retry for assume role policy update
---
 aws/resource_aws_iam_role.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/aws/resource_aws_iam_role.go b/aws/resource_aws_iam_role.go
index 60f03f8dc02..7d051bce3fd 100644
--- a/aws/resource_aws_iam_role.go
+++ b/aws/resource_aws_iam_role.go
@@ -248,7 +248,21 @@ func resourceAwsIamRoleUpdate(d *schema.ResourceData, meta interface{}) error {
 RoleName: aws.String(d.Id()),
 PolicyDocument: aws.String(d.Get("assume_role_policy").(string)),
 }
- _, err := iamconn.UpdateAssumeRolePolicy(assumeRolePolicyInput)
+
+ err := resource.Retry(30*time.Second, func() *resource.RetryError {
+ var err error
+ _, err = iamconn.UpdateAssumeRolePolicy(assumeRolePolicyInput)
+ // IAM users (referenced in Principal field of assume policy)
+ // can take ~30 seconds to propagate in AWS
+ if isAWSErr(err, "MalformedPolicyDocument", "Invalid principal in policy") {
+ return resource.RetryableError(err)
+ }
+ return resource.NonRetryableError(err)
+ })
+ if isResourceTimeoutError(err) {
+ _, err = iamconn.UpdateAssumeRolePolicy(assumeRolePolicyInput)
+ }
+
 if err != nil {
 if isAWSErr(err, iam.ErrCodeNoSuchEntityException, "") {
 d.SetId("")
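Review bot: The closure passed to resource.Retry ends with `return resource.NonRetryableError(err)` even when UpdateAssumeRolePolicy succeeded, so on the success path a nil error is wrapped in a non-nil *resource.RetryError. How Retry treats that value depends on the helper version, which is not visible here, so the success path should be explicit: guard the two classification returns with `if err != nil { ... }` and end the closure with `return nil`. The match on "Invalid principal in policy" also means a genuinely mistyped principal in the trust policy is retried for the full 30 seconds before the apply fails; a comment such as `// a truly invalid principal also retries until the timeout` would tell the next reader that this is expected. resourceAwsIamRoleUpdate begins and ends outside the hunk.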