SSPROD-57377 - Add extra time to CIEM advanced in order to avoid race condition with CIEM basic (#86)

Author: ivanbesinovic-sysdig

modules/integrations/pub-sub/main.tf

@@ -278,3 +278,12 @@ resource "sysdig_secure_cloud_auth_account_component" "gcp_pubsub_datasource" {
     }
   })
 }
+
+locals {
+  wait_duration = format("%ds", var.wait_after_basic_seconds)
+}
+
+resource "time_sleep" "wait_after_ciem_basic" {
+  count           = var.wait_after_basic_seconds > 0 ? 1 : 0
+  create_duration = local.wait_duration
+}

modules/integrations/pub-sub/outputs.tf

@@ -3,3 +3,8 @@ output "pubsub_datasource_component_id" {
   description = "Component identifier of Webhook Datasource integration created in Sysdig Backend for Log Ingestion"
   depends_on  = [sysdig_secure_cloud_auth_account_component.gcp_pubsub_datasource]
 }
+
+output "post_ciem_basic_delay" {
+  value       = var.wait_after_basic_seconds > 0 ? time_sleep.wait_after_ciem_basic : null
+  description = "Wait handle to delay downstream operations after basic by the configured seconds."
+}

modules/integrations/pub-sub/variables.tf

@@ -122,3 +122,9 @@ variable "sysdig_secure_account_id" {
   type        = string
   description = "ID of the Sysdig Cloud Account to enable to enable Pub Sub integration for (incase of organization, ID of the Sysdig management account)"
 }
+
+variable "wait_after_basic_seconds" {
+  type        = number
+  description = "Number of seconds to wait after CIEM basic before proceeding (set to 0 to disable)."
+  default     = 30
+}

test/examples/modular_organization/pub-sub-admin-write-only1.tf

@@ -32,7 +32,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id])
-  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
+  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.pub-sub.post_ciem_basic_delay]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/modular_organization/pub-sub-admin-write-only2.tf

@@ -27,7 +27,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id])
-  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
+  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.pub-sub.post_ciem_basic_delay]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/modular_organization/pub-sub.tf

@@ -58,7 +58,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id])
-  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
+  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.pub-sub.post_ciem_basic_delay]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/modular_single_project/pub-sub-admin-write-only1.tf

@@ -30,7 +30,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id])
-  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
+  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.pub-sub.post_ciem_basic_delay]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/modular_single_project/pub-sub-admin-write-only2.tf

@@ -25,7 +25,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id])
-  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
+  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.pub-sub.post_ciem_basic_delay]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {

test/examples/modular_single_project/pub-sub.tf

@@ -56,7 +56,7 @@ resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement_advanc
   type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
   enabled    = true
   components = concat(sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic.components, [module.pub-sub.pubsub_datasource_component_id])
-  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic]
+  depends_on = [module.pub-sub, sysdig_secure_cloud_auth_account_feature.identity_entitlement_basic, module.pub-sub.post_ciem_basic_delay]
   flags      = { "CIEM_FEATURE_MODE" : "advanced" }
 
   lifecycle {