diff --git a/aws/resource_aws_kms_grant.go b/aws/resource_aws_kms_grant.go index cf5fd72bb679..9cf41fb39542 100644 --- a/aws/resource_aws_kms_grant.go +++ b/aws/resource_aws_kms_grant.go @@ -149,7 +149,6 @@ func resourceAwsKmsGrantCreate(d *schema.ResourceData, meta interface{}) error { err := resource.Retry(3*time.Minute, func() *resource.RetryError { var err error - out, err = conn.CreateGrant(&input) if err != nil { @@ -169,8 +168,12 @@ func resourceAwsKmsGrantCreate(d *schema.ResourceData, meta interface{}) error { return nil }) + if isResourceTimeoutError(err) { + out, err = conn.CreateGrant(&input) + } + if err != nil { - return err + return fmt.Errorf("Error creating KMS grant: %s", err) } log.Printf("[DEBUG] Created new KMS Grant: %s", *out.GrantId) @@ -333,14 +336,19 @@ func findKmsGrantByIdWithRetry(conn *kms.KMS, keyId string, grantId string) (*km return nil }) + if isResourceTimeoutError(err) { + grant, err = findKmsGrantById(conn, keyId, grantId, nil) + } return grant, err } // Used by the tests as well func waitForKmsGrantToBeRevoked(conn *kms.KMS, keyId string, grantId string) error { + var grant *kms.GrantListEntry err := resource.Retry(3*time.Minute, func() *resource.RetryError { - grant, err := findKmsGrantById(conn, keyId, grantId, nil) + var err error + grant, err = findKmsGrantById(conn, keyId, grantId, nil) if isResourceNotFoundError(err) { return nil @@ -354,6 +362,9 @@ func waitForKmsGrantToBeRevoked(conn *kms.KMS, keyId string, grantId string) err return resource.NonRetryableError(err) }) + if isResourceTimeoutError(err) { + grant, err = findKmsGrantById(conn, keyId, grantId, nil) + } return err } @@ -387,6 +398,10 @@ func findKmsGrantById(conn *kms.KMS, keyId string, grantId string, marker *strin return nil }) + if isResourceTimeoutError(err) { + out, err = conn.ListGrants(&input) + } + if err != nil { return nil, fmt.Errorf("error listing KMS Grants: %s", err) } diff --git a/aws/resource_aws_kms_grant_test.go b/aws/resource_aws_kms_grant_test.go index d87614f8bec9..8d7c032c30fa 100644 --- a/aws/resource_aws_kms_grant_test.go +++ b/aws/resource_aws_kms_grant_test.go @@ -5,6 +5,7 @@ import ( "testing" "time" + "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" "github.com/hashicorp/terraform/terraform" ) @@ -169,18 +170,18 @@ resource "aws_kms_key" "tf-acc-test-key" { %s resource "aws_iam_role" "tf-acc-test-role" { - name = "tf-acc-test-kms-grant-role-%s" + name = "%s" path = "/service-role/" assume_role_policy = "${data.aws_iam_policy_document.assumerole-policy-template.json}" } -resource "aws_kms_grant" "%s" { - name = "%s" +resource "aws_kms_grant" "%[4]s" { + name = "%[4]s" key_id = "${aws_kms_key.tf-acc-test-key.key_id}" grantee_principal = "${aws_iam_role.tf-acc-test-role.arn}" - operations = [ %s ] + operations = [ %[5]s ] } -`, timestamp, staticAssumeRolePolicyString, rName, rName, rName, operations) +`, timestamp, staticAssumeRolePolicyString, acctest.RandomWithPrefix("tf-acc-test-kms-grant-role"), rName, operations) } func testAccAWSKmsGrant_withConstraints(rName string, timestamp string, constraintName string, encryptionContext string) string { @@ -193,23 +194,23 @@ resource "aws_kms_key" "tf-acc-test-key" { %s resource "aws_iam_role" "tf-acc-test-role" { - name = "tf-acc-test-kms-grant-role-%s" + name = "%s" path = "/service-role/" assume_role_policy = "${data.aws_iam_policy_document.assumerole-policy-template.json}" } -resource "aws_kms_grant" "%s" { - name = "%s" +resource "aws_kms_grant" "%[4]s" { + name = "%[4]s" key_id = "${aws_kms_key.tf-acc-test-key.key_id}" grantee_principal = "${aws_iam_role.tf-acc-test-role.arn}" operations = [ "RetireGrant", "DescribeKey" ] constraints { - %s = { - %s + %[5]s = { + %[6]s } } } -`, timestamp, staticAssumeRolePolicyString, rName, rName, rName, constraintName, encryptionContext) +`, timestamp, staticAssumeRolePolicyString, acctest.RandomWithPrefix("tf-acc-test-kms-grant-role"), rName, constraintName, encryptionContext) } func testAccAWSKmsGrant_withRetiringPrincipal(rName string, timestamp string) string { @@ -222,19 +223,19 @@ resource "aws_kms_key" "tf-acc-test-key" { %s resource "aws_iam_role" "tf-acc-test-role" { - name = "tf-acc-test-kms-grant-role-%s" + name = "%s" path = "/service-role/" assume_role_policy = "${data.aws_iam_policy_document.assumerole-policy-template.json}" } -resource "aws_kms_grant" "%s" { - name = "%s" +resource "aws_kms_grant" "%[4]s" { + name = "%[4]s" key_id = "${aws_kms_key.tf-acc-test-key.key_id}" grantee_principal = "${aws_iam_role.tf-acc-test-role.arn}" operations = ["ReEncryptTo", "CreateGrant"] retiring_principal = "${aws_iam_role.tf-acc-test-role.arn}" } -`, timestamp, staticAssumeRolePolicyString, rName, rName, rName) +`, timestamp, staticAssumeRolePolicyString, acctest.RandomWithPrefix("tf-acc-test-kms-grant-role"), rName) } func testAccAWSKmsGrant_bare(rName string, timestamp string) string { @@ -247,7 +248,7 @@ resource "aws_kms_key" "tf-acc-test-key" { %s resource "aws_iam_role" "tf-acc-test-role" { - name = "tf-acc-test-kms-grant-role-%s" + name = "%s" path = "/service-role/" assume_role_policy = "${data.aws_iam_policy_document.assumerole-policy-template.json}" } @@ -257,7 +258,7 @@ resource "aws_kms_grant" "%s" { grantee_principal = "${aws_iam_role.tf-acc-test-role.arn}" operations = ["ReEncryptTo", "CreateGrant"] } -`, timestamp, staticAssumeRolePolicyString, rName, rName) +`, timestamp, staticAssumeRolePolicyString, acctest.RandomWithPrefix("tf-acc-test-kms-grant-role"), rName) } const staticAssumeRolePolicyString = ` @@ -283,16 +284,16 @@ resource "aws_kms_key" "tf-acc-test-key" { %s resource "aws_iam_role" "tf-acc-test-role" { - name = "tf-acc-test-kms-grant-role-%s" + name = "%s" path = "/service-role/" assume_role_policy = "${data.aws_iam_policy_document.assumerole-policy-template.json}" } -resource "aws_kms_grant" "%s" { - name = "%s" +resource "aws_kms_grant" "%[4]s" { + name = "%[4]s" key_id = "${aws_kms_key.tf-acc-test-key.arn}" grantee_principal = "${aws_iam_role.tf-acc-test-role.arn}" - operations = [ %s ] + operations = [ %[5]s ] } -`, timestamp, staticAssumeRolePolicyString, rName, rName, rName, operations) +`, timestamp, staticAssumeRolePolicyString, acctest.RandomWithPrefix("tf-acc-test-kms-grant-role"), rName, operations) } diff --git a/aws/resource_aws_kms_key.go b/aws/resource_aws_kms_key.go index 477ac628ca67..2439268151ef 100644 --- a/aws/resource_aws_kms_key.go +++ b/aws/resource_aws_kms_key.go @@ -108,6 +108,9 @@ func resourceAwsKmsKeyCreate(d *schema.ResourceData, meta interface{}) error { } return resource.NonRetryableError(err) }) + if isResourceTimeoutError(err) { + resp, err = conn.CreateKey(&req) + } if err != nil { return err } @@ -335,18 +338,7 @@ func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error { shouldEnableRotation := d.Get("enable_key_rotation").(bool) err := resource.Retry(10*time.Minute, func() *resource.RetryError { - var err error - if shouldEnableRotation { - log.Printf("[DEBUG] Enabling key rotation for KMS key %q", d.Id()) - _, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{ - KeyId: aws.String(d.Id()), - }) - } else { - log.Printf("[DEBUG] Disabling key rotation for KMS key %q", d.Id()) - _, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{ - KeyId: aws.String(d.Id()), - }) - } + err := handleKeyRotation(conn, shouldEnableRotation, aws.String(d.Id())) if err != nil { awsErr, ok := err.(awserr.Error) @@ -362,6 +354,9 @@ func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error { return nil }) + if isResourceTimeoutError(err) { + err = handleKeyRotation(conn, shouldEnableRotation, aws.String(d.Id())) + } if err != nil { return fmt.Errorf("Failed to set key rotation for %q to %t: %q", @@ -404,6 +399,22 @@ func updateKmsKeyRotationStatus(conn *kms.KMS, d *schema.ResourceData) error { return nil } +func handleKeyRotation(conn *kms.KMS, shouldEnableRotation bool, keyId *string) error { + var err error + if shouldEnableRotation { + log.Printf("[DEBUG] Enabling key rotation for KMS key %q", *keyId) + _, err = conn.EnableKeyRotation(&kms.EnableKeyRotationInput{ + KeyId: keyId, + }) + } else { + log.Printf("[DEBUG] Disabling key rotation for KMS key %q", *keyId) + _, err = conn.DisableKeyRotation(&kms.DisableKeyRotationInput{ + KeyId: keyId, + }) + } + return err +} + func resourceAwsKmsKeyExists(d *schema.ResourceData, meta interface{}) (bool, error) { conn := meta.(*AWSClient).kmsconn