From 6af47aaef245bdaa29b14f09bd4d992d135324cb Mon Sep 17 00:00:00 2001
From: Brian Flad
Date: Mon, 13 Aug 2018 16:16:44 -0400
Subject: [PATCH] resource/aws_kinesis_firehose_delivery_stream: Retry on additional IAM eventual consistency error
Found via daily acceptance testing: --- FAIL: TestAccAWSKinesisFirehoseDeliveryStream_ElasticsearchConfigUpdates (771.49s) testing.go:518: Step 0 error: Error applying: 1 error occurred: * aws_kinesis_firehose_delivery_stream.test_stream_es: 1 error occurred: * aws_kinesis_firehose_delivery_stream.test_stream_es: error creating Kinesis Firehose Delivery Stream: InvalidArgumentException: Verify that the IAM role has access to the ElasticSearch domain. status code: 400, request id: e4f55f01-0e64-47ac-b8dd-ea6a7c43e7f1
---
 aws/resource_aws_kinesis_firehose_delivery_stream.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/aws/resource_aws_kinesis_firehose_delivery_stream.go b/aws/resource_aws_kinesis_firehose_delivery_stream.go
index c28512b4f61..74dedf576b2 100644
--- a/aws/resource_aws_kinesis_firehose_delivery_stream.go
+++ b/aws/resource_aws_kinesis_firehose_delivery_stream.go
@@ -2070,6 +2070,10 @@ func resourceAwsKinesisFirehoseDeliveryStreamCreate(d *schema.ResourceData, meta
 if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, "is not authorized to") {
 return resource.RetryableError(err)
 }
+ // InvalidArgumentException: Verify that the IAM role has access to the ElasticSearch domain.
+ if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, "Verify that the IAM role has access") {
+ return resource.RetryableError(err)
+ }
 // IAM roles can take ~10 seconds to propagate in AWS:
 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#launch-instance-with-role-console
 if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, "Firehose is unable to assume role") {
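Review bot: The new branch in the Create retry (and the identical one in the Update hunk) treats "Verify that the IAM role has access" as transient, but Firehose presumably returns the same text when the role genuinely lacks access to the Elasticsearch domain, so a real permission misconfiguration is only reported after the enclosing retry window expires. The added comment just restates the error text; it should say why retrying is safe, e.g. `// IAM eventual consistency: a new role policy may not be visible to Firehose yet; a truly missing permission returns the same message and surfaces once the retry times out.` The retry call and its timeout lie outside the hunk, so confirm that the timeout is bounded and that the last AWS error is what the user finally sees. The check also keys on a substring of an AWS message, which would silently stop matching if the wording changes.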
@@ -2195,6 +2199,10 @@ func resourceAwsKinesisFirehoseDeliveryStreamUpdate(d *schema.ResourceData, meta
 if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, "is not authorized to") {
 return resource.RetryableError(err)
 }
+ // InvalidArgumentException: Verify that the IAM role has access to the ElasticSearch domain.
+ if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, "Verify that the IAM role has access") {
+ return resource.RetryableError(err)
+ }
 // IAM roles can take ~10 seconds to propagate in AWS:
 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#launch-instance-with-role-console
 if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, "Firehose is unable to assume role") {
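Review bot: The message checks in this Update hunk are now a line-for-line copy of those in the Create hunk, so the next eventual-consistency message has to be added in two places and the two retry paths can drift apart. A small helper that holds the retryable messages once would keep Create and Update in step. Only the first two checks have their bodies visible here; the "Firehose is unable to assume role" branch continues outside the hunk, so it is left as it is in the sketch below, and both functions start and end outside their hunks.

```go
// isFirehoseIAMPropagationErr reports whether err carries one of the
// InvalidArgumentException messages seen while IAM changes are still
// propagating. A genuinely missing permission produces the same messages,
// so callers must bound the retry and surface the last error.
func isFirehoseIAMPropagationErr(err error) bool {
	for _, msg := range []string{
		"is not authorized to",
		"Verify that the IAM role has access",
	} {
		if isAWSErr(err, firehose.ErrCodeInvalidArgumentException, msg) {
			return true
		}
	}
	return false
}

// … in Create and Update, replacing the first two checks …
if isFirehoseIAMPropagationErr(err) {
	return resource.RetryableError(err)
}
// … unchanged: "Firehose is unable to assume role" check …
```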