feat(aws-connection): Improves retry logic and makes timeout configurable

d0weinberger · d0weinberger · commit 182c43df3984 · 2025-10-21T17:01:17.000+02:00
With the changes in this commit, users of the Terraform provider can configure the timeout for the `create` operation for the `role_arn` resource by adding the following block to the resource:

```
timeouts {
  create = "&lt;x&gt;m"
}
``
where &lt;x&gt; is the max amount of minutes the user wants to wait.
diff --git a/dynatrace/api/builtin/hyperscalerauthentication/connections/aws/role_arn/service.go b/dynatrace/api/builtin/hyperscalerauthentication/connections/aws/role_arn/service.go
@@ -20,6 +20,7 @@ package role_arn
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"
 
 	"github.com/dynatrace-oss/terraform-provider-dynatrace/dynatrace/api"
@@ -29,8 +30,12 @@ import (
 	"github.com/dynatrace-oss/terraform-provider-dynatrace/dynatrace/rest"
 	"github.com/dynatrace-oss/terraform-provider-dynatrace/dynatrace/settings"
 	"github.com/dynatrace-oss/terraform-provider-dynatrace/dynatrace/settings/services/settings20"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
 )
 
+const (
+	timeoutDeadlineBuffer = time.Minute
+)
 const SchemaID = "builtin:hyperscaler-authentication.connections.aws"
 const SchemaVersion = "0.0.15"
 
@@ -80,16 +85,71 @@ func (me *service) Create(ctx context.Context, v *role_arn.Settings) (*api.Stub,
 		connValue.AWSWebIdentity.RoleARN = v.RoleARN
 	}
 
-	var err error
-	var retry = 10
-	for i := 0; i < retry; i++ {
-		if err = me.connService.Update(ctx, v.AWSConnectionID, &connValue); err == nil {
-			return &api.Stub{ID: v.AWSConnectionID, Name: v.AWSConnectionID}, nil
+	ctxRetry, cancel, retryTimeout, err := computeRetryContext(ctx, timeoutDeadlineBuffer, role_arn.DefaultCreateTimeout)
+	if err != nil {
+		return nil, err
+	}
+	defer cancel()
+
+	if err = retry.RetryContext(ctxRetry, retryTimeout, func() *retry.RetryError {
+		return classifyRetryError(me.connService.Update(ctxRetry, v.AWSConnectionID, &connValue))
+	}); err != nil {
+		return nil, err
+	}
+
+	return &api.Stub{ID: v.AWSConnectionID, Name: v.AWSConnectionID}, nil
+}
+
+// computeRetryContext computes a safe retry timeout based on the incoming ctx deadline.
+// - timeoutDeadlineBuffer: amount of time to reserve for finalization (e.g. 1 minute).
+// - defaultTimeout: fallback when caller didn't provide a deadline.
+// Returns the derived ctx (with timeout), its cancel func, the retryTimeout, or an error
+// if the caller's deadline already expired.
+func computeRetryContext(ctx context.Context, timeoutDeadlineBuffer time.Duration, defaultTimeout time.Duration) (context.Context, context.CancelFunc, time.Duration, error) {
+	if dl, ok := ctx.Deadline(); ok {
+		remaining := time.Until(dl)
+		if remaining <= 0 {
+			return nil, nil, 0, context.DeadlineExceeded
+		}
+		var retryTimeout time.Duration
+		if remaining > timeoutDeadlineBuffer {
+			retryTimeout = remaining - timeoutDeadlineBuffer
+		} else {
+			retryTimeout = remaining
 		}
+		ctxRetry, cancel := context.WithTimeout(ctx, retryTimeout)
+		return ctxRetry, cancel, retryTimeout, nil
+	}
+	// no deadline: use conservative default
+	ctxRetry, cancel := context.WithTimeout(ctx, defaultTimeout)
+	return ctxRetry, cancel, defaultTimeout, nil
+}
 
-		time.Sleep(time.Second * 2)
+// classifyRetryError encapsulates which errors should be retried.
+// - 400 and 404 are considered retryable due to eventual consistency.
+// - other 4xx are non-retryable.
+// - 5xx and non-HTTP (network) errors are retryable.
+func classifyRetryError(err error) *retry.RetryError {
+	if err == nil {
+		return nil
+	}
+
+	var restError rest.Error
+	if errors.As(err, &restError) {
+		code := restError.Code
+		// Retry on specific client errors that can be transient (eventual consistency).
+		if code == 400 || code == 404 {
+			return retry.RetryableError(fmt.Errorf("IAM role not yet usable (HTTP %d): %w", code, err))
+		}
+		// Treat other 4xx as non-retryable client errors.
+		if code >= 400 && code < 500 {
+			return retry.NonRetryableError(fmt.Errorf("IAM role unusable (HTTP %d): %w", code, err))
+		}
+		// 5xx and others -> retryable
+		return retry.RetryableError(fmt.Errorf("IAM role not yet usable (HTTP %d): %w", code, err))
 	}
-	return nil, err
+	// Non-HTTP errors (network, timeouts, context) -> retryable
+	return retry.RetryableError(fmt.Errorf("IAM role not yet usable: %w", err))
 }
 
 func (me *service) Update(_ context.Context, _ string, _ *role_arn.Settings) error {
diff --git a/dynatrace/api/builtin/hyperscalerauthentication/connections/aws/role_arn/service_test.go b/dynatrace/api/builtin/hyperscalerauthentication/connections/aws/role_arn/service_test.go
@@ -0,0 +1,73 @@
+package role_arn
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/dynatrace-oss/terraform-provider-dynatrace/dynatrace/rest"
+	"github.com/stretchr/testify/assert"
+)
+
+func approx(d1, d2 time.Duration) bool {
+	delta := d1 - d2
+	if delta < 0 {
+		delta = -delta
+	}
+	return delta <= 200*time.Millisecond
+}
+
+func TestComputeRetryContext_NoDeadline(t *testing.T) {
+	ctx := context.Background()
+	_, cancel, retryTimeout, _ := computeRetryContext(ctx, time.Minute, 2*time.Minute)
+	defer cancel()
+
+	assert.Equal(t, 2*time.Minute, retryTimeout)
+}
+
+func TestComputeRetryContext_WithDeadline_Plenty(t *testing.T) {
+	// caller provides 5 minutes; timeoutDeadlineBuffer is 1 minute -> retryTimeout should be ~4 minutes
+	parent := context.Background()
+	deadline := time.Now().Add(5 * time.Minute)
+	ctxWithDL, cancelParent := context.WithDeadline(parent, deadline)
+	defer cancelParent()
+
+	_, cancel, retryTimeout, _ := computeRetryContext(ctxWithDL, time.Minute, 2*time.Minute)
+	defer cancel()
+
+	// expect ~4 minutes
+	expected := 4 * time.Minute
+	assert.True(t, approx(expected, retryTimeout), "expected approximately %v, got %v", expected, retryTimeout)
+}
+
+func TestComputeRetryContext_ExpiredDeadline(t *testing.T) {
+	ctxWithExpiredDL, cancel := context.WithDeadline(context.Background(), time.Now().Add(-time.Second))
+	defer cancel()
+
+	_, _, _, err := computeRetryContext(ctxWithExpiredDL, time.Minute, 2*time.Minute)
+
+	assert.ErrorIs(t, err, context.DeadlineExceeded)
+}
+
+func TestClassifyRetryError(t *testing.T) {
+	tests := []struct {
+		err            error
+		expectedSubstr string
+	}{
+		{err: rest.Error{Code: 400, Message: "bad"}, expectedSubstr: "not yet usable (HTTP 400)"},
+		{err: rest.Error{Code: 404, Message: "notfound"}, expectedSubstr: "not yet usable (HTTP 404)"},
+		{err: rest.Error{Code: 401, Message: "unauth"}, expectedSubstr: "unusable (HTTP 401)"},
+		{err: rest.Error{Code: 500, Message: "server"}, expectedSubstr: "not yet usable (HTTP 500)"},
+		{err: errors.New("network failure"), expectedSubstr: "not yet usable"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.expectedSubstr, func(t *testing.T) {
+			re := classifyRetryError(tc.err)
+			msg := re.Err.Error()
+
+			assert.Contains(t, msg, tc.expectedSubstr)
+		})
+	}
+}
diff --git a/dynatrace/api/builtin/hyperscalerauthentication/connections/aws/role_arn/settings/settings.go b/dynatrace/api/builtin/hyperscalerauthentication/connections/aws/role_arn/settings/settings.go
@@ -18,17 +18,29 @@
 package role_arn
 
 import (
+	"time"
+
 	"github.com/dynatrace-oss/terraform-provider-dynatrace/terraform/hcl"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
+const (
+	DefaultCreateTimeout = 20 * time.Minute
+)
+
 type Settings struct {
 	Name            string
 	AWSConnectionID string
 	RoleARN         string `json:"roleArn"` // The ARN of the AWS role that should be assumed
 }
 
+func (me *Settings) Timeouts() *schema.ResourceTimeout {
+	return &schema.ResourceTimeout{
+		Create: schema.DefaultTimeout(DefaultCreateTimeout),
+	}
+}
+
 func (me *Settings) Schema() map[string]*schema.Schema {
 	return map[string]*schema.Schema{
 		"aws_connection_id": {
diff --git a/resources/generic.go b/resources/generic.go
@@ -120,6 +120,10 @@ type DiffCustomizer interface {
 	CustomizeDiff(ctx context.Context, rd *schema.ResourceDiff, i any) error
 }
 
+type TimeoutProvider interface {
+	Timeouts() *schema.ResourceTimeout
+}
+
 func (me *Generic) Resource() *schema.Resource {
 	stngs := me.Descriptor.NewSettings()
 	sch := VisitSchemaMap(stngs.Schema())
@@ -146,6 +150,9 @@ func (me *Generic) Resource() *schema.Resource {
 		if dc, ok := stngs.(DiffCustomizer); ok {
 			resRes.CustomizeDiff = dc.CustomizeDiff
 		}
+		if tp, ok := stngs.(TimeoutProvider); ok {
+			resRes.Timeouts = tp.Timeouts()
+		}
 		return resRes
 	}
 
@@ -162,6 +169,9 @@ func (me *Generic) Resource() *schema.Resource {
 	if dc, ok := stngs.(DiffCustomizer); ok {
 		resRes.CustomizeDiff = dc.CustomizeDiff
 	}
+	if tp, ok := stngs.(TimeoutProvider); ok {
+		resRes.Timeouts = tp.Timeouts()
+	}
 	return resRes
 }
 

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,10 @@ type DiffCustomizer interface {`
`120`	`120`	`CustomizeDiff(ctx context.Context, rd *schema.ResourceDiff, i any) error`
`121`	`121`	`}`
`122`	`122`
	`123`	`+type TimeoutProvider interface {`
	`124`	`+ Timeouts() *schema.ResourceTimeout`
	`125`	`+}`
	`126`	`+`
`123`	`127`	`func (me Generic) Resource() schema.Resource {`
`124`	`128`	`stngs := me.Descriptor.NewSettings()`
`125`	`129`	`sch := VisitSchemaMap(stngs.Schema())`
`@@ -146,6 +150,9 @@ func (me Generic) Resource() schema.Resource {`
`146`	`150`	`if dc, ok := stngs.(DiffCustomizer); ok {`
`147`	`151`	`resRes.CustomizeDiff = dc.CustomizeDiff`
`148`	`152`	`}`
	`153`	`+ if tp, ok := stngs.(TimeoutProvider); ok {`
	`154`	`+ resRes.Timeouts = tp.Timeouts()`
	`155`	`+ }`
`149`	`156`	`return resRes`
`150`	`157`	`}`
`151`	`158`
`@@ -162,6 +169,9 @@ func (me Generic) Resource() schema.Resource {`
`162`	`169`	`if dc, ok := stngs.(DiffCustomizer); ok {`
`163`	`170`	`resRes.CustomizeDiff = dc.CustomizeDiff`
`164`	`171`	`}`
	`172`	`+ if tp, ok := stngs.(TimeoutProvider); ok {`
	`173`	`+ resRes.Timeouts = tp.Timeouts()`
	`174`	`+ }`
`165`	`175`	`return resRes`
`166`	`176`	`}`
`167`	`177`