add test

Author: Sharon Nam

internal/service/backup/vault_policy.go

@@ -75,16 +75,15 @@ func resourceVaultPolicyPut(ctx context.Context, d *schema.ResourceData, meta in
 		Policy:          aws.String(policy),
 	}
 
-	outputRaw, err := tfresource.RetryWhenAWSErrMessageContains(ctx, iamPropagationTimeout,
+	_, err = tfresource.RetryWhenAWSErrMessageContains(ctx, iamPropagationTimeout,
 		func() (interface{}, error) {
 			return conn.PutBackupVaultAccessPolicyWithContext(ctx, input)
 		},
 		errCodeInvalidVaultPolicyConfig, "VaultPolicyyConfig.IamBackupRole",
 	)
 
 	if err != nil {
-		return sdkdiag.AppendErrorf(diags, "creating Backup Vault Policy (%s): %s", outputRaw.(d.)
-		, err)
+		return sdkdiag.AppendErrorf(diags, "creating Backup Vault Policy (%s): %s", name, err)
 	}
 
 	d.SetId(name)

internal/service/backup/vault_policy_test.go

@@ -54,6 +54,41 @@ func TestAccBackupVaultPolicy_basic(t *testing.T) {
 	})
 }
 
+func TestAccBackupVaultPolicy_eventual_consistency(t *testing.T) {
+	ctx := acctest.Context(t)
+	var vault backup.GetBackupVaultAccessPolicyOutput
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+	resourceName := "aws_backup_vault_policy.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, backup.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckVaultPolicyDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccVaultPolicyConfig_eventual_consistency(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckVaultPolicyExists(ctx, resourceName, &vault),
+					resource.TestMatchResourceAttr(resourceName, "policy", regexache.MustCompile("^{\"Id\":\"default\".+"))),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccVaultPolicyConfig_updated(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckVaultPolicyExists(ctx, resourceName, &vault),
+					resource.TestMatchResourceAttr(resourceName, "policy", regexache.MustCompile("^{\"Id\":\"default\".+")),
+					resource.TestMatchResourceAttr(resourceName, "policy", regexache.MustCompile("backup:ListRecoveryPointsByBackupVault")),
+				),
+			},
+		},
+	})
+}
+
 func TestAccBackupVaultPolicy_disappears(t *testing.T) {
 	ctx := acctest.Context(t)
 	var vault backup.GetBackupVaultAccessPolicyOutput
@@ -285,3 +320,33 @@ resource "aws_backup_vault_policy" "test" {
 }
 `, rName)
 }
+
+func testAccVaultPolicyConfig_eventual_consistency(rName string) string {
+	return acctest.ConfigCompose(
+		testAccVaultPolicyConfig_basic(rName),
+		fmt.Sprintf(`
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "test" {
+  name = %[1]q
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "backup.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "test" {
+  role       = aws_iam_role.test.name
+  policy_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_partition.current.partition}:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+}
+`, rName))
+}