In response to this:

What this PR does / why we need it:

hcp create cluster aws fails with InvalidRouteTableID.NotFound due to a race condition with AWS eventual consistency. The CLI creates a route table and immediately tries to add routes before AWS has propagated the resource. This results in a 100% failure rate with no retry logic to handle the transient error.

This PR adds retry with exponential backoff on InvalidRouteTableId.NotFound errors when creating routes after route table creation, matching the existing pattern already used in CreateVPCS3Endpoint.

Files changed:

• cmd/infra/aws/ec2.go — CreatePrivateRouteTable and CreatePublicRouteTable

Changes:

• CreatePrivateRouteTable: Added invalidRouteTableID to the existing retriable error check alongside invalidNATGatewayError
• CreatePublicRouteTable: Wrapped the CreateRoute call in retry.OnError with backoff on invalidRouteTableID

Both use the existing retryBackoff (5 steps, 3s base, 3x factor) already defined and proven in production via CreateVPCS3Endpoint.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/CNTRLPLANE-3523

Special notes for your reviewer:

• The retry is idempotent — CreateRoute with the same destination CIDR on the same route table either succeeds or returns RouteAlreadyExists.
• The retry is narrowly scoped to only InvalidRouteTableId.NotFound — any other error fails immediately.
• The exact same pattern (retry on invalidRouteTableID with retryBackoff) is already used in CreateVPCS3Endpoint in the same file.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Walkthrough

In cmd/infra/aws/ec2.go, two functions receive targeted retry improvements for AWS route creation. CreatePrivateRouteTable expands its existing retry.OnError predicate to treat InvalidRouteTableId.NotFound as retriable alongside the already-handled InvalidNatGatewayID.NotFound. CreatePublicRouteTable gains a new retry.OnError wrapper around its internet-gateway CreateRoute call, with a predicate that retries exclusively on InvalidRouteTableId.NotFound; previously this call had no targeted retry behavior.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

• X
• Mastodon
• Reddit
• LinkedIn

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@@            Coverage Diff             @@
##             main    #8747      +/-   ##
==========================================
- Coverage   41.79%   41.79%   -0.01%     
==========================================
  Files         759      759              
  Lines       94037    94047      +10     
==========================================
  Hits        39304    39304              
- Misses      51983    51993      +10     
  Partials     2750     2750              

Flags with carried forward coverage won't be shown. Click here to find out more.

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

The root cause is straightforward: the modified file cmd/infra/aws/ec2.go has zero unit test coverage on the main branch — no ec2_test.go exists. The file contains AWS infrastructure provisioning functions (CreatePrivateRouteTable, CreatePublicRouteTable, CreateVPC, etc.) that make real AWS API calls, making them difficult to unit test without mocking the AWS EC2 client.

Specifically:

1. codecov/patch failure: The patch coverage check compares new/modified lines against the project-wide target (41.79%). Since 0 of 15 changed lines are exercised by any test, patch coverage is 0.00%, falling below the default Codecov threshold.
2. codecov/project failure: The project added 10 net new uncovered lines (94,037 → 94,047 total lines, misses 51,983 → 51,993), causing overall coverage to drop from 41.80% to 41.79% — a 0.01% decrease. Codecov's default project check fails when coverage decreases compared to the base commit.

The codecov.yml configuration has no explicit coverage.status section, so Codecov applies its defaults: project coverage must not decrease, and patch coverage must meet the project target. Both conditions fail for this PR.

Critically, these checks are not required for merge. The repository's branch protection does not list codecov/patch or codecov/project as required status checks. Recently merged PR #8744 shows both codecov checks passing, but the codecov action bump PR #8727 merged without codecov results at all — confirming they are advisory.

1. These failures are safe to ignore for merging — codecov checks are not required status checks on the main branch. The PR can proceed through the normal review/approval/merge process.

2. If the team wants to fix the codecov status (optional), add unit tests for the retry logic in CreatePrivateRouteTable and CreatePublicRouteTable. This would require:

   • Creating cmd/infra/aws/ec2_test.go
   • Introducing an interface for the EC2 client (or using the existing ec2iface / mock pattern from support/awsapi/)
   • Testing that isRetriable() returns true for InvalidRouteTableId.NotFound and false for other errors
   • Testing that retry.OnError retries correctly on retriable errors

3. Consider adding cmd/infra/aws/ec2.go to the codecov ignore list in codecov.yml if the team decides this infrastructure-provisioning code should not be subject to coverage requirements (similar to how cmd/infra/azure/types.go and cmd/infra/gcp/constants.go are already ignored).

4. No code changes needed in the PR itself — the retry logic is correct, idempotent, and follows the exact same pattern already used in CreateVPCS3Endpoint in the same file.