From 07e3191f9001abf83190a224478cb5c58515c037 Mon Sep 17 00:00:00 2001
From: velom
Date: Fri, 29 Sep 2023 12:43:19 +0200
Subject: [PATCH] ORION-3647: sleep after IAM role creation to avoid AccessDenied error (#2)

Avoid this issue: hashicorp/terraform-provider-aws#6566
---
 README.md | 2 ++
 iam.tf | 8 ++++++++
 outputs.tf | 2 ++
 versions.tf | 3 +++
 4 files changed, 15 insertions(+)

diff --git a/README.md b/README.md
index a2b17ce..a496f83 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ resource "doublecloud_network" "aws" {
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | >= 4.51.0 |
+| [time](#provider\_time) | n/a |
 
 ## Modules
 
@@ -48,6 +49,7 @@ No modules.
 | [aws_iam_policy.doublecloud](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.doublecloud](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_vpc.doublecloud](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
+| [time_sleep.sleep_to_avoid_iam_race](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.self](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.doublecloud_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.trusted_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/iam.tf b/iam.tf
index 819189f..63a3152 100644
--- a/iam.tf
+++ b/iam.tf
@@ -321,3 +321,11 @@ data "aws_iam_policy_document" "doublecloud_permissions" {
 }
 }
 }
+
+# AWS IAM returns AccessDenied error right after Role creation.
+# We have to wait some time to make this role assumable.
+# https://github.com/hashicorp/terraform-provider-aws/issues/6566
+resource "time_sleep" "sleep_to_avoid_iam_race" {
+ depends_on = [aws_iam_role.doublecloud]
+ create_duration = "30s"
+}
diff --git a/outputs.tf b/outputs.tf
index daf0807..1c620a8 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -6,6 +6,8 @@ output "vpc_id" {
 output "iam_role_arn" {
 value = aws_iam_role.doublecloud.arn
 description = "ARN of the IAM Role that has permissions to create resources in the VPC."
+
+ depends_on = [time_sleep.sleep_to_avoid_iam_race]
 }
 
 output "region_id" {
diff --git a/versions.tf b/versions.tf
index e95f422..a4e5e13 100644
--- a/versions.tf
+++ b/versions.tf
@@ -5,5 +5,8 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 4.51.0"
 }
+ time = {
+ source = "hashicorp/time"
+ }
 }
 }
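Review bot: The `time_sleep` in iam.tf is tied to the role only through `depends_on`, so it runs once on first creation and is not re-created if `aws_iam_role.doublecloud` is later replaced; the new role's ARN would then be exported with no delay. Adding `triggers = { role_id = aws_iam_role.doublecloud.unique_id }` makes the sleep follow the role's lifecycle. The sleep also waits only on the role itself; if the policy is attached through a separate resource elsewhere in iam.tf (not visible in this hunk), that resource should be listed in `depends_on` too, otherwise a consumer may assume the role before its permissions are in place. The fixed `"30s"` is a heuristic for IAM eventual consistency rather than a guarantee, and the comment should say so.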
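Review bot: The `depends_on` added to the `iam_role_arn` output in outputs.tf has no explanation at the point of use, and since `depends_on` on outputs is unusual, a later cleanup could remove it and bring the AccessDenied race back. I would add above it `# Hold back the ARN until time_sleep.sleep_to_avoid_iam_race completes; IAM needs time before the new role can be assumed.` This delays only consumers that read this output in the same apply; anything that obtains the role ARN another way is not covered.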
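Review bot: The new `time` entry in `required_providers` (versions.tf) has no `version` constraint, unlike `aws` just above it, so a consuming configuration without a committed lock file resolves whatever hashicorp/time release is newest at `terraform init`. Add the minimum version the module was tested with, and ideally an upper bound, e.g. `version = ">= <MIN_TESTED_TIME_VERSION>"` (placeholder), so provider upgrades become a deliberate, reviewable change. The README provider table in this same patch shows `n/a` for `time` and would need regenerating afterwards.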