Changes to AWS resources are not applied in real time. For some resources, the provider can wait for the resource to be created, or poll it until it exists. But even when the provider and the service agree, another resource may still hold an older view.
The documentation calls this "eventual consistency". The end result is that a "tf apply" may fail at first but succeed on a second or later run.
Two resources have this issue so far:
— IAM role and policy attachment. Once the role is created, attaching the policy usually also works, but a user of the policy will likely see the role as created while the policy is not yet attached. The user should have "depends_on" pointing to the attachment, and the attachment should have some sleep. Currently I set it to sleep 15s, which is acceptable.
— CloudWatch alarms also depend on the policy being created. Similarly, add depends_on and a 15s sleep. There is a bug report that the policy is not created after the target is re-created, and the workaround was to use interpolation in the policy's name. But that ticket did not mention the sleeping part.
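One way to express the depends_on plus 15s sleep pattern for the IAM case, as an added example rather than the configuration this note was written from. It assumes the `time_sleep` resource from the hashicorp/time provider for the delay; the resource names, the managed policy and the Lambda consumer are illustrative.

```hcl
# Added example. Resource names, the policy ARN and the Lambda consumer are
# illustrative assumptions; time_sleep comes from the hashicorp/time provider.
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" }
  }
}

resource "aws_iam_role" "worker" {
  name = "example-worker"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "worker_logs" {
  role       = aws_iam_role.worker.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The attach call has returned, but other services may still see the role
# without its policy. Hold dependents back for 15s after the attachment.
resource "time_sleep" "iam_propagation" {
  depends_on      = [aws_iam_role_policy_attachment.worker_logs]
  create_duration = "15s"
}

resource "aws_lambda_function" "worker" {
  function_name = "example-worker"
  role          = aws_iam_role.worker.arn
  runtime       = "python3.12"
  handler       = "main.handler"
  filename      = "worker.zip" # placeholder artifact path

  # Referencing the role ARN only orders this after the role itself.
  # Depending on the sleep orders it after the attachment plus the delay.
  depends_on = [time_sleep.iam_propagation]
}
```

Because `create_duration` only applies when the `time_sleep` resource is created, the delay is paid on the first apply and not on later runs where nothing changed.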