dome9 / terraform-provider-dome9

Terraform Provider for Dome9
https://www.terraform.io/docs/providers/dome9/
Mozilla Public License 2.0

"dome9_attach_iam_safe" fails with "context deadline exceed" error #153

Open teajsshekokar opened 2 years ago

teajsshekokar commented 2 years ago

When creating the dome9_attach_iam_safe resource, it fails with a "context deadline exceed" error the first time.

module.dome9-xxxxxxxxxx.time_sleep.wait_for_org_unit: Creation complete after 5m0s [id=2022-08-12T14:11:54Z]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Creating...
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [10s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [20s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [30s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [40s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [50s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [1m0s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [1m10s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [1m20s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [1m30s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [1m40s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [1m50s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [2m0s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [2m10s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [2m20s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [2m30s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [2m40s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [2m50s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [3m0s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [3m10s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [3m20s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [3m30s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [3m40s elapsed]
module.dome9-xxxxxxxxxx.dome9_attach_iam_safe.this: Still creating... [3m50s elapsed]
╷
│ Error: Put "https://api.dome9.com/v2/cloudaccounts/iam-safe": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
│ 
│   with module.dome9-xxxxxxxx.dome9_attach_iam_safe.this,
│   on .terraform/modules/dome9-xxxxxxxx/main.tf line 30, in resource "dome9_attach_iam_safe" "this":
│   30: resource "dome9_attach_iam_safe" "this" {
│ 
╵

We tried with some sleep as well. After retrying (re-plan and apply) it works.

D9 TF Provider Version: 1.28.0

dolevh-d9 commented 2 years ago

@teajsshekokar I am working on this problem, but I need more details from you.

Can you please send me the exact data with which you created the resource in Terraform?

I can't reproduce the problem, everything is fine when I run it, and there is no problem with your account logs.

teajsshekokar commented 2 years ago

@dolevh-d9 We are creating these resources. Let me know if you need more details.

resource "dome9_cloudaccount_aws" "aws_ca" {
  name = var.environment_name

  credentials {
    arn    = "arn:aws:iam::${var.aws_account_id}:role/Dome9-Connect"
    secret = var.dome9_external_id
    type   = "RoleBased"
  }

  organizational_unit_id = var.organizational_unit_id
}

resource "time_sleep" "wait_for_org_unit" {
  depends_on      = [dome9_cloudaccount_aws.aws_ca]
  create_duration = "5m"
}

resource "dome9_attach_iam_safe" "this" {
  depends_on           = [time_sleep.wait_for_org_unit]
  aws_cloud_account_id = dome9_cloudaccount_aws.aws_ca.id
  aws_group_arn        = "arn:aws:iam::${var.aws_account_id}:group/Dome9-Group-ARN"
  aws_policy_arn       = "arn:aws:iam::${var.aws_account_id}:policy/Dome9-Policy-ARN"
}

dolevh-d9 commented 2 years ago

@teajsshekokar depends_on = [time_sleep.wait_for_org_unit] I think this line creates the problem. Where do you create the organizational_unit_id resource?

dolevh-d9 commented 2 years ago

@teajsshekokar Try this:

resource "dome9_attach_iam_safe" "this" {
  aws_cloud_account_id = dome9_cloudaccount_aws.aws_ca.id
  aws_group_arn        = "arn:aws:iam::${var.aws_account_id}:group/Dome9-Group-ARN"
  aws_policy_arn       = "arn:aws:iam::${var.aws_account_id}:policy/Dome9-Policy-ARN"
  depends_on           = [dome9_cloudaccount_aws.aws_ca]
}

dolevh-d9 commented 2 years ago

@teajsshekokar worked?

Xyders commented 1 year ago

@dolevh-d9 Allow me to interrupt here. I had the same error message when I did the onboarding. The code I'm using is similar to your suggestion, but I can see both the environment and IAM Safety are onboarded in the portal GUI. Any idea about the cause?

resource "dome9_attach_iam_safe" "self" {
  count                = var.connect_iam_safety == true ? 1 : 0
  aws_cloud_account_id = dome9_cloudaccount_aws.my_test_dome9.id
  aws_group_arn        = aws_iam_group.CloudGuard-Restricted-Group[count.index].arn
  aws_policy_arn       = aws_iam_policy.CloudGuard-Restricted-Policy[count.index].arn
  depends_on           = [aws_iam_group_policy_attachment.this, dome9_cloudaccount_aws.my_test_dome9]
}
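
The symptom reported in this thread, a client-side "Client.Timeout exceeded while awaiting headers" error while the attachment still shows up on the server side, can be reproduced with Go's net/http alone. The following is an added example, not code from the provider or from anyone in the thread; the local test server, the delays, and the names `slowAPI` and `putIamSafe` are hypothetical stand-ins and say nothing about how the Dome9 API behaves internally.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

// slowAPI is a constructed stand-in for a backend that applies a PUT
// immediately but sends its response only after `delay`.
type slowAPI struct {
	delay    time.Duration
	attached int32 // 1 once the PUT has been applied server-side
}

func (s *slowAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodPut {
		atomic.StoreInt32(&s.attached, 1) // state changes before any reply
		time.Sleep(s.delay)
	}
	w.WriteHeader(http.StatusOK)
}

// putIamSafe (hypothetical helper) sends one PUT with the given client
// timeout and returns the server-side state plus the client's error.
func putIamSafe(clientTimeout, serverDelay time.Duration) (bool, error) {
	api := &slowAPI{delay: serverDelay}
	srv := httptest.NewServer(api)
	defer srv.Close()

	req, err := http.NewRequest(http.MethodPut,
		srv.URL+"/v2/cloudaccounts/iam-safe", strings.NewReader("{}"))
	if err != nil {
		return false, err
	}
	client := &http.Client{Timeout: clientTimeout}
	resp, err := client.Do(req)
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&api.attached) == 1, err
}

func main() {
	attached, err := putIamSafe(200*time.Millisecond, 600*time.Millisecond)
	fmt.Println("client error:", err)
	fmt.Println("applied on server despite the error:", attached)
}
```

A timeout of this kind tells the caller nothing about whether the change was applied, so the remote state is worth checking before the next apply.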