No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

If you have provided a dependsOn relationship in your code, the dependent resource will already wait. 

If you are seeing a case where a resource says it’s created but is still not usable (or can fail due to eventual consistency issues) then that is likely a bug in the provider. 

The more common issue with IAM is that you might not be depending on the policy attachments themselves, just the role, which would allow for creating other resources pointing at the role before the policies are attached. 


Thanks Luke, I am depending on the attachment here.

```
const dmsRole = new aws.iam.Role("dms-vpc-role", {
    name: "dms-vpc-role",
    assumeRolePolicy: `{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "<http://dms.amazonaws.com|dms.amazonaws.com>"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
}`,
    permissionsBoundary: config.require("iamPermissionsBoundaryArn"),
});

const dmsRolePolicy = new aws.iam.RolePolicyAttachment("dms-vpc-role-policy", {
    policyArn: "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole",
    role: dmsRole
})

const dmsSubnetGroup = new aws.dms.ReplicationSubnetGroup("dms", {
    replicationSubnetGroupDescription: "Test replication subnet group",
    replicationSubnetGroupId: "test-dms-replication-subnet-group",
    subnetIds: [
        config.require("az0SubnetPrivateId"),
        config.require("az1SubnetPrivateId"),
    ],
}, {
    dependsOn: dmsRolePolicy
});
```

the ReplicationSubnetGroup fails to create here in the initial run.  when i `pulumi up` again, it succeeds — i am guessing this is because of the eventual consistency issue, but have not proven that

Does Pulumi have some kind of before/after create hook that I can use to write a custom poll before the resource is considered ready?

In the case of AWS IAM there is also a delay between the API operation completing and the thing actually being done _at the provider_ - we saw it a lot on Terraform too.

right, I believe we are hitting this:

<https://github.com/terraform-providers/terraform-provider-aws/issues/7748>

are there any hooks in Pulumi we could leverage to write some workaround polling?