resource/aws_batch_compute_environment: IAM propagation error when waiting for deployment

[gdavison]

Terraform Core Version

N/A

AWS Provider Version

5.53.0

Affected Resource(s)

aws_batch_compute_environment

Expected Behavior

When a new IAM role is used with a new Batch Compute Environment, it should succeed

Actual Behavior

When a new IAM role is used with a new Batch Compute Environment, there is sometimes a race condition with IAM propagation, which returns the error

Error: waiting for Batch Compute Environment (tf-acc-test-3086423369041877539) create: unexpected state 'INVALID', wanted target 'VALID'. last error: CLIENT_ERROR - User: arn:aws:sts::123456789012:assumed-role/tf-acc-test-3086423369041877539-batch-service/aws-batch is not authorized to perform: ecs:DescribeClusters on resource: arn:aws:ecs:us-west-2: 123456789012:cluster/tf-acc-test-3086423369041877539_Batch_85c0db2f-9cd0-3d7b-805d-ec3a8681fd19 because no identity-based policy allows the ecs:DescribeClusters action

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Any Compute Environment acceptance test

Steps to Reproduce

Run any Compute Environment acceptance test

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[fwereade]

In the past I've addressed this by adding explicit dependencies to the aws_batch_compute_environment, e.g.

  depends_on = [
    aws_iam_role_policy_attachment.batch_service_role,
    aws_iam_role_policy_attachment.batch_service_ecs_policy,
  ]

…but recently I've been seeing this same failure intermittently even with those in place.