fix(gcp): improve stability (#51)

Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
lacework · Jul 24, 2020 · a860120 · a860120
1 parent b938e9a
commit a860120
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 14 deletions.
diff --git a/gcp/modules/audit_log/main.tf b/gcp/modules/audit_log/main.tf
@@ -1,7 +1,9 @@
 locals {
 	resource_level = var.org_integration ? "ORGANIZATION" : "PROJECT"
 	resource_id    = var.org_integration ? var.organization_id : module.lacework_at_svc_account.project_id
-	bucket_name    = length(var.existing_bucket_name) > 0 ? var.existing_bucket_name : google_storage_bucket.lacework_bucket[0].name
+	bucket_name    = length(var.existing_bucket_name) > 0 ? var.existing_bucket_name : (
+		length(google_storage_bucket.lacework_bucket) > 0 ? google_storage_bucket.lacework_bucket[0].name : var.existing_bucket_name
+	)
 	project_id     = data.google_project.selected.project_id
 	project_number = data.google_project.selected.number
 	logging_sink_writer_identity = var.org_integration ? (
@@ -126,8 +128,8 @@ resource "google_storage_notification" "lacework_notification" {
 
 # wait for 5 seconds for things to settle down in the GCP side
 # before trying to create the Lacework external integration
-resource "time_sleep" "wait_5_seconds" {
-	create_duration = "5s"
+resource "time_sleep" "wait_10_seconds" {
+	create_duration = "10s"
 	depends_on      = [
 		google_storage_notification.lacework_notification,
 		google_pubsub_subscription_iam_binding.lacework,

diff --git a/gcp/modules/service_account/main.tf b/gcp/modules/service_account/main.tf
@@ -11,8 +11,12 @@ locals {
 	project_roles         = var.org_integration ? [] : (var.create ? local.default_project_roles : [])
 	organization_roles    = var.create && var.org_integration ? local.default_organization_roles : [] 
 	project_id            = data.google_project.selected.project_id
-	service_account_name  = var.create ? google_service_account.lacework[0].display_name  : data.google_service_account.selected.display_name
-	service_account_email = var.create ? google_service_account.lacework[0].email : data.google_service_account.selected.email
+	service_account_name  = var.create ? (
+		length(google_service_account.lacework) > 0 ? google_service_account.lacework[0].display_name :  ""
+	) : data.google_service_account.selected[0].display_name
+	service_account_email = var.create ? (
+		length(google_service_account.lacework) > 0 ? google_service_account.lacework[0].email :  ""
+	) : data.google_service_account.selected[0].email
 }
 
 data "google_project" "selected" {
@@ -29,6 +33,7 @@ resource "google_project_service" "required_apis" {
 
 resource "google_service_account" "lacework" {
 	count        = var.create ? 1 : 0
+	project      = local.project_id
 	account_id   = var.service_account_name
 	display_name = var.service_account_name
 	depends_on   = [google_project_service.required_apis]
@@ -52,21 +57,14 @@ resource "google_organization_iam_member" "for_lacework_service_account" {
 
 resource "google_service_account_key" "lacework" {
 	count              = var.create ? 1 : 0
-	service_account_id = local.service_account_name
+	service_account_id = google_service_account.lacework[count.index].name
 	depends_on         = [
 		google_organization_iam_member.for_lacework_service_account,
 		google_project_iam_member.for_lacework_service_account
 	]
 }
 
-# wait for 5 seconds for the role to be created before trying to query it
-resource "time_sleep" "wait_5_seconds" {
-	count           = var.create ? 1 : 0
-	create_duration = "5s"
-	depends_on      = [google_service_account.lacework]
-}
-
 data "google_service_account" "selected" {
+	count      = var.create ? 0 : 1
 	account_id = var.service_account_name
-	depends_on = [time_sleep.wait_5_seconds]
 }