AWS Cloud Integration is not always created #42

Open
rfisher-centrica opened this issue Oct 26, 2020 · 2 comments

Comments

@rfisher-centrica

We often see this error in our pipeline.

Error: error creating Cloud Integration for service EC2. got server returned 400 Bad Request
{"status":{"result":"ERROR","message":"Errors while saving credential with id null :Unable to access Amazon EC2 Instances. Please check that the role ARN is correct and Amazon account is authorized for access by the Wavefront AWS Account ID and External ID., Unable to access Amazon EBS Volumes. Please check that the role ARN is correct and Amazon account is authorized for access by the Wavefront AWS Account ID and External ID.","code":400}}

This appears to be because Terraform is trying to create the integration before the job to create the IAM role is complete in AWS.

@keep94
Contributor

keep94 commented Nov 23, 2020

Dear rfisher-centrica. Would you kindly send the main.tf you are using? Having your main.tf file will help me reproduce this issue.

@rfisher-centrica
Author

rfisher-centrica commented Dec 8, 2020

Here it is. I think you should be able to work out suitable variables. The sleep is there to give the IAM consistency time to settle. Without it we get a lot more (similar) errors.

# Role that Wavefront assumes. The trust policy only allows the Wavefront AWS
# account to assume it, and only when it presents the generated External ID.
resource aws_iam_role wavefront {
  name = var.iam_role_name
  tags = {
    "Environment"  = terraform.workspace
    "ServiceName"  = "Cloud Management",
    "ServiceOwner" = "Sre",
    "ServiceRole"  = "WavefrontIntegration"
  }
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.wavefront_aws_account_id}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${wavefront_cloud_integration_aws_external_id.external_id.id}"
        }
      }
    }
  ]
}
POLICY
}

# Permissions the integration needs to enumerate EC2, EBS and CloudWatch data.
resource aws_iam_role_policy_attachment read-only {
  role       = aws_iam_role.wavefront.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# External ID generated by Wavefront, used in the trust policy above.
resource wavefront_cloud_integration_aws_external_id external_id {}

# Waits 60s whenever the role ARN or its trust policy changes, so IAM has time
# to propagate before the integrations below try to assume the role.
resource time_sleep sleep {
  create_duration = "60s"
  triggers = {
    wavefront_role_arn    = aws_iam_role.wavefront.arn
    wavefront_role_policy = aws_iam_role.wavefront.assume_role_policy
  }
}

# Reading role_arn through the sleep's triggers makes each integration depend on
# the sleep, and therefore on the role, instead of on the role directly.
resource wavefront_cloud_integration_cloudwatch cloudwatch {
  name                            = var.cloud_integration_name
  role_arn                        = time_sleep.sleep.triggers["wavefront_role_arn"]
  external_id                     = wavefront_cloud_integration_aws_external_id.external_id.id
  metric_filter_regex             = var.metric_filter_regex
  point_tag_filter_regex          = var.point_tag_filter_regex
  service_refresh_rate_in_minutes = var.service_refresh_rate_in_mins
  force_save                      = false
}

resource wavefront_cloud_integration_ec2 ec2 {
  external_id                     = wavefront_cloud_integration_aws_external_id.external_id.id
  name                            = var.cloud_integration_name
  role_arn                        = time_sleep.sleep.triggers["wavefront_role_arn"]
  service_refresh_rate_in_minutes = var.service_refresh_rate_in_mins
  hostname_tags                   = ["host", "source", "name"]
  force_save                      = false
}
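
The 400 above has two possible causes that look the same from the provider's side: the role is not yet visible to STS (IAM eventual consistency, which the fixed 60s sleep papers over), or the trust policy really does not authorise the Wavefront account and External ID. The following Python is an added example, not code from this issue or from the Wavefront provider; it lints a trust policy shaped like the one in main.tf for the two things the error message asks you to check, and replaces the fixed sleep with a bounded exponential-backoff probe. The account ID and External ID are placeholders, and `try_assume` is a hypothetical callable you would back with an `sts:AssumeRole` attempt.

```python
import json
import time

# Placeholder values, not real Wavefront identifiers.
WAVEFRONT_ACCOUNT = "111111111111"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"


def make_trust_policy(account, external_id=None):
    """Build a trust policy JSON string shaped like the one in the issue's main.tf."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:  # omit the condition to model a missing confused-deputy guard
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


def trust_policy_findings(policy_json, expected_account):
    """List problems in Allow statements granting sts:AssumeRole to another account."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            # Account ID is the 5th ARN field; a bare "*" or account ID is used as-is.
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if acct != expected_account:
                findings.append(f"statement {i}: unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: sts:AssumeRole without sts:ExternalId condition")
    return findings


def wait_until_assumable(try_assume, attempts=6, base_delay=1.0, sleep=time.sleep):
    """Call try_assume() with exponential backoff until it returns True.

    Returns the successful attempt number, or None if every attempt failed.
    """
    for n in range(attempts):
        if try_assume():
            return n + 1
        sleep(base_delay * 2 ** n)
    return None
```

If the policy lint reports findings, retrying will not help and the trust policy is the bug; if it is clean and the probe succeeds after a few attempts, you were looking at IAM propagation delay.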
