SSPROD-57377 - Add extra time to CIEM advanced in order to avoid race condition with CIEM basic

Author: ivanbesinovic-sysdig

modules/integrations/cloud-logs/main.tf

@@ -338,3 +338,17 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
     aws_cloudformation_stack_set_instance.cloudlogs_s3_access_topic
   ]
 }
+
+locals {
+  wait_duration = format("%ds", var.wait_after_basic_seconds)
+}
+
+resource "time_sleep" "wait_after_ciem_basic" {
+  count           = var.wait_after_basic_seconds > 0 ? 1 : 0
+  create_duration = local.wait_duration
+}
+
+output "wait_after_basic" {
+  value       = var.wait_after_basic_seconds > 0 ? time_sleep.wait_after_ciem_basic : null
+  description = "Wait handle to delay downstream operations after basic by the configured seconds."
+}

modules/integrations/cloud-logs/variables.tf

@@ -100,3 +100,9 @@ variable "kms_key_arn" {
   type        = string
   default     = null
 }
+
+variable "wait_after_basic_seconds" {
+  type        = number
+  description = "Number of seconds to wait after CIEM basic before proceeding (set to 0 to disable)."
+  default     = 30
+}

modules/integrations/cloud-logs/versions.tf

@@ -15,5 +15,9 @@ terraform {
       source  = "hashicorp/random"
       version = ">= 3.1"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9"
+    }
   }
 }

modules/integrations/event-bridge/main.tf

@@ -295,3 +295,17 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_event_bridge" {
     }
   })
 }
+
+locals {
+  wait_duration = format("%ds", var.wait_after_basic_seconds)
+}
+
+resource "time_sleep" "wait_after_ciem_basic" {
+  count           = var.wait_after_basic_seconds > 0 ? 1 : 0
+  create_duration = local.wait_duration
+}
+
+output "wait_after_basic" {
+  value       = var.wait_after_basic_seconds > 0 ? time_sleep.wait_after_ciem_basic : null
+  description = "Wait handle to delay downstream operations after basic (e.g., CIEM) by the configured seconds."
+}

modules/integrations/event-bridge/variables.tf

@@ -131,3 +131,9 @@ variable "api_dest_rate_limit" {
   default     = 300
   description = "Rate limit for API Destinations"
 }
+
+variable "wait_after_basic_seconds" {
+  type        = number
+  description = "Number of seconds to wait after CIEM basic before proceeding (set to 0 to disable)."
+  default     = 30
+}

modules/integrations/event-bridge/versions.tf

@@ -13,5 +13,9 @@ terraform {
       source  = "hashicorp/random"
       version = ">= 3.1"
     }
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.9"
+    }
   }
 }

test/examples/single_account/cloud_logs.tf

@@ -45,7 +45,10 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
     sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components,
     [module.cloud-logs.cloud_logs_component_id]
   )
-  depends_on = [module.cloud-logs]
+  depends_on = [
+    module.cloud-logs,
+    module.cloud-logs.wait_after_basic
+  ]
   flags = {
     "CIEM_FEATURE_MODE" = "advanced"
   }

test/examples/single_account/cloud_logs_gov.tf

@@ -23,7 +23,10 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.cloud-logs.cloud_logs_component_id])
-  depends_on = [module.cloud-logs]
+  depends_on = [
+    module.cloud-logs,
+    module.cloud-logs.wait_after_basic
+  ]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/single_account/event_bridge.tf

@@ -22,7 +22,10 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id])
-  depends_on = [module.event-bridge]
+  depends_on = [
+    module.event-bridge,
+    module.event-bridge.wait_after_basic
+  ]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/single_account/event_bridge_gov.tf

@@ -23,7 +23,10 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id])
-  depends_on = [module.event-bridge]
+  depends_on = [
+    module.event-bridge,
+    module.event-bridge.wait_after_basic
+  ]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {