From 99d0895795560fd917af0b32e51ea25d4861d116 Mon Sep 17 00:00:00 2001
From: Ivan Besinovic
Date: Wed, 10 Dec 2025 12:19:53 +0100
Subject: [PATCH] SSPROD-57377 - Add extra time to CIEM advanced in order to avoid race condition with CIEM basic
---
 modules/integrations/cloud-logs/main.tf | 14 ++++++++++++++
 modules/integrations/cloud-logs/variables.tf | 6 ++++++
 modules/integrations/cloud-logs/versions.tf | 4 ++++
 modules/integrations/event-bridge/main.tf | 14 ++++++++++++++
 modules/integrations/event-bridge/variables.tf | 6 ++++++
 modules/integrations/event-bridge/versions.tf | 4 ++++
 test/examples/single_account/cloud_logs.tf | 5 ++++-
 test/examples/single_account/cloud_logs_gov.tf | 7 +++++--
 test/examples/single_account/event_bridge.tf | 7 +++++--
 test/examples/single_account/event_bridge_gov.tf | 7 +++++--
 10 files changed, 67 insertions(+), 7 deletions(-)
diff --git a/modules/integrations/cloud-logs/main.tf b/modules/integrations/cloud-logs/main.tf
index fb7caf1..4124c00 100644
--- a/modules/integrations/cloud-logs/main.tf
+++ b/modules/integrations/cloud-logs/main.tf
@@ -338,3 +338,17 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_cloud_logs" {
 aws_cloudformation_stack_set_instance.cloudlogs_s3_access_topic
 ]
 }
+
+locals {
+ wait_duration = format("%ds", var.wait_after_basic_seconds)
+}
+
+resource "time_sleep" "wait_after_ciem_basic" {
+ count = var.wait_after_basic_seconds > 0 ? 1 : 0
+ create_duration = local.wait_duration
+}
+
+output "wait_after_basic" {
+ value = var.wait_after_basic_seconds > 0 ? time_sleep.wait_after_ciem_basic : null
+ description = "Wait handle to delay downstream operations after basic by the configured seconds."
+}
diff --git a/modules/integrations/cloud-logs/variables.tf b/modules/integrations/cloud-logs/variables.tf
index 8675ec1..d310e27 100644
--- a/modules/integrations/cloud-logs/variables.tf
+++ b/modules/integrations/cloud-logs/variables.tf
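Review bot: `time_sleep.wait_after_ciem_basic` declares no `depends_on`, so Terraform starts the timer the moment apply begins, in parallel with this module's own resources rather than after anything, and CIEM basic is not declared in this module at all, so there is nothing here the sleep could be ordered behind. In a typical apply the 30 s elapse while the stack-set instances visible in the context lines are still being created, and the exported handle then gates nothing. At minimum add `depends_on = [sysdig_secure_cloud_auth_account_component.aws_cloud_logs]` to the sleep so it begins only once the component registration this hunk's context closes has completed; whether that is late enough relative to the basic feature depends on the caller and cannot be judged from this module. The conditional in `output "wait_after_basic"` is also unnecessary: with `count = 0` the reference is already an empty tuple, so `value = one(time_sleep.wait_after_ciem_basic)` hands callers a single object or `null` directly.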
@@ -100,3 +100,9 @@ variable "kms_key_arn" {
 type = string
 default = null
 }
+
+variable "wait_after_basic_seconds" {
+ type = number
+ description = "Number of seconds to wait after CIEM basic before proceeding (set to 0 to disable)."
+ default = 30
+}
diff --git a/modules/integrations/cloud-logs/versions.tf b/modules/integrations/cloud-logs/versions.tf
index 7bb98df..167eeca 100644
--- a/modules/integrations/cloud-logs/versions.tf
+++ b/modules/integrations/cloud-logs/versions.tf
@@ -15,5 +15,9 @@ terraform {
 source = "hashicorp/random"
 version = ">= 3.1"
 }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
 }
 }
diff --git a/modules/integrations/event-bridge/main.tf b/modules/integrations/event-bridge/main.tf
index 29b5922..b49fe78 100644
--- a/modules/integrations/event-bridge/main.tf
+++ b/modules/integrations/event-bridge/main.tf
@@ -295,3 +295,17 @@ resource "sysdig_secure_cloud_auth_account_component" "aws_event_bridge" {
 }
 })
 }
+
+locals {
+ wait_duration = format("%ds", var.wait_after_basic_seconds)
+}
+
+resource "time_sleep" "wait_after_ciem_basic" {
+ count = var.wait_after_basic_seconds > 0 ? 1 : 0
+ create_duration = local.wait_duration
+}
+
+output "wait_after_basic" {
+ value = var.wait_after_basic_seconds > 0 ? time_sleep.wait_after_ciem_basic : null
+ description = "Wait handle to delay downstream operations after basic (e.g., CIEM) by the configured seconds."
+}
diff --git a/modules/integrations/event-bridge/variables.tf b/modules/integrations/event-bridge/variables.tf
index f1ef09f..10a61e6 100644
--- a/modules/integrations/event-bridge/variables.tf
+++ b/modules/integrations/event-bridge/variables.tf
@@ -131,3 +131,9 @@ variable "api_dest_rate_limit" {
 default = 300
 description = "Rate limit for API Destinations"
 }
+
+variable "wait_after_basic_seconds" {
+ type = number
+ description = "Number of seconds to wait after CIEM basic before proceeding (set to 0 to disable)."
+ default = 30
+}
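Review bot: `wait_after_basic_seconds` accepts any number, but the module feeds it to `format("%ds", …)` and to a `count` expression, so a fractional value such as `1.5` is likely to fail at plan time deep inside the module rather than at the variable, and a negative value silently disables the wait instead of being rejected. A `validation` block on the variable reports the misconfiguration where it was made and makes the `0` means off / `>0` means wait contract in the description explicit.
```hcl
variable "wait_after_basic_seconds" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.wait_after_basic_seconds >= 0 && floor(var.wait_after_basic_seconds) == var.wait_after_basic_seconds
    error_message = "wait_after_basic_seconds must be a non-negative whole number of seconds (0 disables the wait)."
  }
}
```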
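Review bot: `time_sleep.wait_after_ciem_basic` has no `depends_on`, so its timer starts at the beginning of apply, concurrently with this module's resources, and nothing ties it to CIEM basic, which is not declared in this module. Add `depends_on = [sysdig_secure_cloud_auth_account_component.aws_event_bridge]` so the delay at least begins after the component registration whose closing lines form this hunk's context; ordering relative to the basic feature still has to be arranged by the caller. The description of `output "wait_after_basic"` also differs from the cloud-logs module's copy of the same output (`(e.g., CIEM)` appears only here); since both modules expose the same handle, keep the two strings identical.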
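Review bot: `wait_after_basic_seconds` is unconstrained here as well: a fractional value is likely to fail later inside `format("%ds", …)` and a negative value silently turns the wait off through the `count` guard. Add a `validation` block with `condition = var.wait_after_basic_seconds >= 0 && floor(var.wait_after_basic_seconds) == var.wait_after_basic_seconds` and an `error_message` stating that a non-negative whole number of seconds is required, so the mistake is reported at the variable rather than deep in the module.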
diff --git a/modules/integrations/event-bridge/versions.tf b/modules/integrations/event-bridge/versions.tf
index b543f52..eaf2103 100644
--- a/modules/integrations/event-bridge/versions.tf
+++ b/modules/integrations/event-bridge/versions.tf
@@ -13,5 +13,9 @@ terraform {
 source = "hashicorp/random"
 version = ">= 3.1"
 }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
 }
 }
diff --git a/test/examples/single_account/cloud_logs.tf b/test/examples/single_account/cloud_logs.tf
index 93cb053..93b0ca9 100644
--- a/test/examples/single_account/cloud_logs.tf
+++ b/test/examples/single_account/cloud_logs.tf
@@ -45,7 +45,10 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
 sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components,
 [module.cloud-logs.cloud_logs_component_id]
 )
- depends_on = [module.cloud-logs]
+ depends_on = [
+ module.cloud-logs,
+ module.cloud-logs.wait_after_basic
+ ]
 flags = {
 "CIEM_FEATURE_MODE" = "advanced"
 }
diff --git a/test/examples/single_account/cloud_logs_gov.tf b/test/examples/single_account/cloud_logs_gov.tf
index 1adec94..e427473 100644
--- a/test/examples/single_account/cloud_logs_gov.tf
+++ b/test/examples/single_account/cloud_logs_gov.tf
@@ -23,8 +23,11 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
 type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
 enabled = true
 components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.cloud-logs.cloud_logs_component_id])
- depends_on = [module.cloud-logs]
- flags = { "CIEM_FEATURE_MODE" : "advanced" }
+ depends_on = [
+ module.cloud-logs,
+ module.cloud-logs.wait_after_basic
+ ]
+ flags = { "CIEM_FEATURE_MODE" : "advanced" }
 
 lifecycle {
 ignore_changes = [flags, components]
diff --git a/test/examples/single_account/event_bridge.tf b/test/examples/single_account/event_bridge.tf
index cac7f75..49aa4ff 100644
--- a/test/examples/single_account/event_bridge.tf
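Review bot: The added `depends_on` entry does not create the ordering the commit title describes: `module.cloud-logs` already covers every resource in that module, including the new `time_sleep`, so `module.cloud-logs.wait_after_basic` adds no edge (and whether Terraform accepts an output reference in `depends_on` at all should be confirmed), while the sleep itself lives inside the module and is never ordered after `sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic`. Unless basic is itself sequenced after the module, which is not visible here, the timer expires while basic is still being created and the advanced feature still follows basic immediately, as before. Declaring the sleep in this file, after basic and re-armed when basic is replaced (`triggers` keyed on its `id`, assuming the provider exposes one), makes the intended gap explicit; the advanced resource's header and closing brace are outside the hunk.
```hcl
resource "time_sleep" "after_ciem_basic" {
  create_duration = "30s"
  depends_on = [
    sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic,
    module.cloud-logs
  ]
  # re-run the wait whenever the basic feature is replaced
  triggers = {
    basic = sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.id
  }
}

  # … unchanged: components = concat(...) …
  depends_on = [
    module.cloud-logs,
    time_sleep.after_ciem_basic
  ]
  # … unchanged: flags …
```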
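Review bot: `module.cloud-logs.wait_after_basic` is redundant next to `module.cloud-logs` in this `depends_on`: the sleep is a resource inside that module, so the module reference already waits for it, and nothing orders the sleep after `sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic`, which is the resource the race is about. Declare the `time_sleep` in this file with `depends_on = [sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.cloud-logs]` and list that resource here instead of the module output. The `flags` line changes only in alignment; the enclosing resource's header and closing brace are outside the hunk.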
+++ b/test/examples/single_account/event_bridge.tf
@@ -22,8 +22,11 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
 type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
 enabled = true
 components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id])
- depends_on = [module.event-bridge]
- flags = { "CIEM_FEATURE_MODE" : "advanced" }
+ depends_on = [
+ module.event-bridge,
+ module.event-bridge.wait_after_basic
+ ]
+ flags = { "CIEM_FEATURE_MODE" : "advanced" }
 
 lifecycle {
 ignore_changes = [flags, components]
diff --git a/test/examples/single_account/event_bridge_gov.tf b/test/examples/single_account/event_bridge_gov.tf
index cada8b5..1ba1493 100644
--- a/test/examples/single_account/event_bridge_gov.tf
+++ b/test/examples/single_account/event_bridge_gov.tf
@@ -23,8 +23,11 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
 type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
 enabled = true
 components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.event-bridge.event_bridge_component_id])
- depends_on = [module.event-bridge]
- flags = { "CIEM_FEATURE_MODE" : "advanced" }
+ depends_on = [
+ module.event-bridge,
+ module.event-bridge.wait_after_basic
+ ]
+ flags = { "CIEM_FEATURE_MODE" : "advanced" }
 
 lifecycle {
 ignore_changes = [flags, components]
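Review bot: `module.event-bridge.wait_after_basic` adds no ordering beyond the `module.event-bridge` entry already present, because the sleep is a resource inside that module and a module reference in `depends_on` waits for all of it; meanwhile nothing orders that sleep after `sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic`, so the advanced feature can still be created the instant basic finishes if basic itself took longer than the timer. Move the wait into this file as a `time_sleep` with `depends_on = [sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.event-bridge]` and reference that resource here. The `flags` line changes only in alignment; the enclosing resource's header and closing brace are outside the hunk.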
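Review bot: Same issue in the gov example: `module.event-bridge.wait_after_basic` is redundant next to `module.event-bridge`, and the module-internal sleep is never sequenced after `sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic`, so the race the commit targets is not closed by this `depends_on`. Declare a `time_sleep` in this file with `depends_on = [sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.event-bridge]` and list it here instead of the output. The enclosing resource's header and closing brace are outside the hunk.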