From d2d0b683ed5a2d32fe429d168eb771b0d7486d07 Mon Sep 17 00:00:00 2001
From: Brian Flad <bflad417@gmail.com>
Date: Fri, 10 Aug 2018 09:53:39 -0400
Subject: [PATCH] resource/aws_glue_crawler: Additional IAM eventual
 consistency retry logic for create and update

---
 aws/resource_aws_glue_crawler.go | 39 ++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/aws/resource_aws_glue_crawler.go b/aws/resource_aws_glue_crawler.go
index b97778f6506..957ba41a095 100644
--- a/aws/resource_aws_glue_crawler.go
+++ b/aws/resource_aws_glue_crawler.go
@@ -161,15 +161,20 @@ func resourceAwsGlueCrawlerCreate(d *schema.ResourceData, meta interface{}) erro
 	glueConn := meta.(*AWSClient).glueconn
 	name := d.Get("name").(string)
 
-	err := resource.Retry(1*time.Minute, func() *resource.RetryError {
-		crawlerInput, err := createCrawlerInput(name, d)
-		if err != nil {
-			return resource.NonRetryableError(err)
-		}
+	crawlerInput, err := createCrawlerInput(name, d)
+	if err != nil {
+		return err
+	}
 
+	// Retry for IAM eventual consistency
+	err = resource.Retry(1*time.Minute, func() *resource.RetryError {
 		_, err = glueConn.CreateCrawler(crawlerInput)
 		if err != nil {
-			if isAWSErr(err, "InvalidInputException", "Service is unable to assume role") {
+			if isAWSErr(err, glue.ErrCodeInvalidInputException, "Service is unable to assume role") {
+				return resource.RetryableError(err)
+			}
+			// InvalidInputException: Unable to retrieve connection tf-acc-test-8656357591012534997: User: arn:aws:sts::*******:assumed-role/tf-acc-test-8656357591012534997/AWS-Crawler is not authorized to perform: glue:GetConnection on resource: * (Service: AmazonDataCatalog; Status Code: 400; Error Code: AccessDeniedException; Request ID: 4d72b66f-9c75-11e8-9faf-5b526c7be968)
+			if isAWSErr(err, glue.ErrCodeInvalidInputException, "is not authorized") {
 				return resource.RetryableError(err)
 			}
 			return resource.NonRetryableError(err)
@@ -341,10 +346,26 @@ func resourceAwsGlueCrawlerUpdate(d *schema.ResourceData, meta interface{}) erro
 	if err != nil {
 		return err
 	}
+	updateCrawlerInput := glue.UpdateCrawlerInput(*crawlerInput)
 
-	crawlerUpdateInput := glue.UpdateCrawlerInput(*crawlerInput)
-	if _, err := glueConn.UpdateCrawler(&crawlerUpdateInput); err != nil {
-		return err
+	// Retry for IAM eventual consistency
+	err = resource.Retry(1*time.Minute, func() *resource.RetryError {
+		_, err := glueConn.UpdateCrawler(&updateCrawlerInput)
+		if err != nil {
+			if isAWSErr(err, glue.ErrCodeInvalidInputException, "Service is unable to assume role") {
+				return resource.RetryableError(err)
+			}
+			// InvalidInputException: Unable to retrieve connection tf-acc-test-8656357591012534997: User: arn:aws:sts::*******:assumed-role/tf-acc-test-8656357591012534997/AWS-Crawler is not authorized to perform: glue:GetConnection on resource: * (Service: AmazonDataCatalog; Status Code: 400; Error Code: AccessDeniedException; Request ID: 4d72b66f-9c75-11e8-9faf-5b526c7be968)
+			if isAWSErr(err, glue.ErrCodeInvalidInputException, "is not authorized") {
+				return resource.RetryableError(err)
+			}
+			return resource.NonRetryableError(err)
+		}
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("error updating Glue crawler: %s", err)
 	}
 
 	return resourceAwsGlueCrawlerRead(d, meta)