fix: force vpc flow logs to wait for auth policy (#949)

toddgiguere · web-flow · commit ebeabf331dab · 2025-02-11T09:39:50.000Z
diff --git a/atracker.tf b/atracker.tf
@@ -24,14 +24,11 @@ resource "ibm_atracker_target" "atracker_target" {
   cos_endpoint {
     endpoint                   = "s3.private.${var.region}.cloud-object-storage.appdomain.cloud"
     target_crn                 = local.bucket_to_instance_map[var.atracker.collector_bucket_name].id
-    bucket                     = ibm_cos_bucket.buckets[replace(var.atracker.collector_bucket_name, var.prefix, "")].bucket_name
+    bucket                     = time_sleep.wait_for_authorization_policy_buckets[replace(var.atracker.collector_bucket_name, var.prefix, "")].triggers["bucket_name"]
     service_to_service_enabled = true
   }
   name        = "${var.prefix}-atracker"
   target_type = "cloud_object_storage"
-
-  # Wait for buckets and auth policies to ensure successful provision
-  depends_on = [ibm_cos_bucket.buckets, ibm_iam_authorization_policy.policy, ibm_iam_authorization_policy.cos_bucket_policy]
 }
 
 resource "ibm_atracker_route" "atracker_route" {
diff --git a/main.tf b/main.tf
@@ -58,7 +58,7 @@ module "vpc" {
   existing_subnets                       = each.value.existing_subnets
   enable_vpc_flow_logs                   = (each.value.flow_logs_bucket_name != null) ? true : false
   create_authorization_policy_vpc_to_cos = false
-  existing_storage_bucket_name           = (each.value.flow_logs_bucket_name != null) ? ibm_cos_bucket.buckets[each.value.flow_logs_bucket_name].bucket_name : null
+  existing_storage_bucket_name           = (each.value.flow_logs_bucket_name != null) ? time_sleep.wait_for_authorization_policy_buckets[each.value.flow_logs_bucket_name].triggers["bucket_name"] : null
   clean_default_sg_acl                   = (each.value.clean_default_sg_acl == null) ? false : each.value.clean_default_sg_acl
   dns_binding_name                       = each.value.dns_binding_name
   dns_instance_name                      = each.value.dns_instance_name
diff --git a/service_authorizations.tf b/service_authorizations.tf
@@ -168,9 +168,20 @@ resource "time_sleep" "wait_for_authorization_policy" {
   create_duration = "30s"
 }
 
+# This time_sleep is a for_each, and will have one instance per bucket we are creating,
+# and dependent (timer start) on the bucket authorization creations.
+# The triggers serve two purposes:
+#   - the create timer will be used again if the bucket itself is changed (the crn changes)
+#   - if we need to reference any bucket attributes from this sleep directly, to create implicity dependency on this wait
 resource "time_sleep" "wait_for_authorization_policy_buckets" {
+  for_each   = ibm_cos_bucket.buckets
   depends_on = [ibm_iam_authorization_policy.cos_bucket_policy]
 
+  triggers = {
+    bucket_name = each.value.bucket_name
+    bucket_crn  = each.value.crn
+  }
+
   create_duration = "30s"
 }
 
