[WIP] provider/aws: 60s instance profile creation retry

[snakeb1t]

fixes #9474

[catsby]

I think that if we need to ensure an instance profile is created, we should do so in the instance profile creation

• https://github.com/hashicorp/terraform/blob/master/builtin/providers/aws/resource_aws_iam_instance_profile.go#L98

I think line #123 would be a perfect place to use the AWS SDK's IAM waiter:

• https://github.com/aws/aws-sdk-go/blob/master/service/iam/waiters.go#L13

What do you think?

[snakeb1t]

@catsby : whoa, that's really neat! I'll give it a try. Though I wonder if there's a race condition here: suppose we keep trying the GetInstanceProfile until it succeeds, but then terraform moves on to creating a resource that relied on the instance profile resource (say, an EC2 instance). But when terraform tries to make that resource, the EC2 service's equivalent of GetInstanceProfile still returns nothing when it tries to make the resource, so the resource fails.

Even though there might not be any guarantees, using the Waiter would still be way better (and a general fix) than what we have now. KMS keys can't be created if any principal listed in its policy doesn't exist (from the perspective of the KMS service), so my original PR wouldn't do anything about that.

Thanks so much; I'll push something up soon.

[catsby]

but then terraform moves on to creating a resource that relied on the instance profile resource (say, an EC2 instance).

If we're waiting in the instance_profile then anything that depends on it should be themselves waiting. Assuming they are related correctly with interpolation in the config files, Terraform ensures that A comes before B.

Unfortunately IAM does sometime, seemingly, tell us directly that resource A is ready, but when trying to create resource B, resource B's service ask's IAM for A and IAM says it 'doesn't know what we're talking about 😄

[catsby]

I'm going to close this for now as we discussed I'm not sure this is the right fix. Please reopen (ping me if you can't) or open a new PR if/when the time comes. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.