eli-383 adding in a wait of 10s to allow IAMS to propagate

eddalmond1 · eddalmond1 · commit f9fcbb49f7dc · 2025-11-05T11:35:41.000Z
diff --git a/infrastructure/stacks/api-layer/csoc_log_forwarding.tf b/infrastructure/stacks/api-layer/csoc_log_forwarding.tf
@@ -80,6 +80,17 @@ resource "aws_iam_role_policy_attachment" "cwl_to_csoc_destination" {
   policy_arn = aws_iam_policy.cwl_to_csoc_destination.arn
 }
 
+# Wait for IAM role to propagate across AWS
+# This prevents "Make sure you have given CloudWatch Logs permission to assume the provided role" errors
+resource "time_sleep" "wait_for_iam_propagation" {
+  depends_on = [
+    aws_iam_role.cwl_subscription_role,
+    aws_iam_role_policy_attachment.cwl_to_csoc_destination
+  ]
+
+  create_duration = "10s"
+}
+
 # Create the subscription filter to forward logs to CSOC
 # This forwards all logs from the existing API Gateway log group to the CSOC destination
 # Note: A log group can have up to 2 subscription filters
@@ -93,6 +104,6 @@ resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {
   depends_on = [
     module.eligibility_signposting_api_gateway,
     aws_iam_role.cwl_subscription_role,
-    aws_iam_role_policy_attachment.cwl_to_csoc_destination
+    time_sleep.wait_for_iam_propagation
   ]
 }
