Terraform-provider-aws: Access Error on resource aws_flow_log using log_destination

Created on 6 Nov 2018  ·  12 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • Terraform v0.11.8

Affected Resource(s)

  • aws_flow_log

Terraform Configuration Files

resource "aws_flow_log" "default_flow_log" {
  # log_destination takes the log group ARN; the deprecated log_group_name took the bare name
  log_destination = "${aws_cloudwatch_log_group.vpc_flow_logs.arn}"
  iam_role_arn    = "${aws_iam_role.flow_logs_role.arn}"
  vpc_id          = "${data.aws_vpc.aws-default-vpc.id}"
  traffic_type    = "ALL"
}

Expected Behavior


[screenshot]

Actual Behavior


[screenshot]

Steps to Reproduce

  1. Change from using log_group_name to log_destination
  2. terraform apply

References

https://stackoverflow.com/questions/53150946/access-error-while-creating-an-aws-flow-log-using-terraform
https://github.com/terraform-providers/terraform-provider-aws/issues/6360
https://www.terraform.io/docs/providers/aws/r/flow_log.html

Labels: bug, service/cloudwatchlogs, service/ec2

All 12 comments

Is this different from #6360?

@bacoboy It is in the sense that it affects the resource aws_flow_log and the error we are seeing in the console and not specifically aws_cloudwatch_log_subscription_filter, although the argument could be made that they are essentially the same issue. I think it relates to the same issue you are seeing that :* is an invalid input.

@bacoboy Are you seeing the above Access error... message in your flow logs configuration in the console after approx. 15 min?

No in my case the additional characters fail the regex that field is supposed to conform to.
If you look at the bottom of my terraform code, there is a small transformation you can steal to trim the :* for now. But since the field is deprecated, it seems they should switch all the uses of log_group_name to using the arn like they did on the resource.

So it seems as though the log_destination field is expecting the :* in the regex of that field ("^arn:[\\w-]+:([a-zA-Z0-9\\-])+:([a-z]{2}-(gov-)?[a-z]+-\\d{1})?:(\\d{12})?:(.*)$"). If log_destination is set with :* it seems as though the log_group_name is being set with :* as well, hence the following change when reverting back to using log_group_name:

log_destination:      "arn:aws:logs:us-east-1:123456789012:log-group:vpc-flow-logs:*" => <computed>
log_destination_type: "cloud-watch-logs" => "cloud-watch-logs"
log_group_name:       "vpc-flow-logs:*" => "vpc-flow-logs" (forces new resource)

I guess AWS does not recognize the :* that is being added to log_group_name.

The reported Terraform version is v0.11.8. Not that it makes a significant difference, but I can confirm this is happening with Terraform v0.11.10 as well. Also running v1.42.0 of the AWS provider.

Should we strings.TrimSuffix(":*") it when calling the API, and suppress the plan difference (either via StateFunc or DiffSuppressFunc)? We've done similar for aws_api_gateway_stage:

https://github.com/terraform-providers/terraform-provider-aws/blob/e7f9882f5ebfa3887cdb50cb1490a8cd183483d1/aws/resource_aws_api_gateway_stage.go#L49-L50
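The fix suggested above, trimming the ":*" before the API call and suppressing the resulting plan diff, written out as an added, stand-alone example in the provider's language. This is not the provider's own code (that lives in the pull request linked below); the function names, the sample ARN and the ARN regex copied from the earlier comment are assumptions made here for illustration. It also shows why the earlier plan output ended up with "vpc-flow-logs:*" as a log group name: the name is derived from the ARN, so the wildcard must be removed before the name is split out.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// arnPattern is the validation regex quoted earlier in this thread. Note that it
// accepts both "…:log-group:NAME" and "…:log-group:NAME:*", so validation alone
// does not catch the wildcard; the EC2 API is what rejects it.
var arnPattern = regexp.MustCompile(`^arn:[\w-]+:([a-zA-Z0-9\-])+:([a-z]{2}-(gov-)?[a-z]+-\d{1})?:(\d{12})?:(.*)$`)

// normalizeLogGroupARN (hypothetical name) strips the ":*" that CloudWatch Logs
// appends to a log group ARN. This is the value to send to CreateFlowLogs.
// It is idempotent, so an already-clean ARN passes through unchanged.
func normalizeLogGroupARN(arn string) string {
	return strings.TrimSuffix(arn, ":*")
}

// isValidARN applies the provider-style regex to a value after normalization.
func isValidARN(arn string) bool {
	return arnPattern.MatchString(normalizeLogGroupARN(arn))
}

// suppressLogGroupARNDiff (hypothetical name) is the comparison a
// DiffSuppressFunc would make: true when the stored and planned values differ
// only by the ":*" suffix, so Terraform does not plan a replacement every run.
func suppressLogGroupARNDiff(oldValue, newValue string) bool {
	return normalizeLogGroupARN(oldValue) == normalizeLogGroupARN(newValue)
}

// logGroupNameFromARN extracts the log group name from a CloudWatch Logs ARN
// of the form arn:PARTITION:logs:REGION:ACCOUNT:log-group:NAME[:*].
// Normalizing first is what keeps a trailing ":*" out of the name.
// Returns "" for anything that is not a log group ARN.
func logGroupNameFromARN(arn string) string {
	parts := strings.SplitN(normalizeLogGroupARN(arn), ":", 7)
	if len(parts) != 7 || parts[2] != "logs" || parts[5] != "log-group" {
		return ""
	}
	return parts[6]
}

func main() {
	// Constructed sample value with the shape of aws_cloudwatch_log_group.arn.
	fromLogGroup := "arn:aws:logs:us-east-1:123456789012:log-group:vpc-flow-logs:*"

	fmt.Println("send to API:   ", normalizeLogGroupARN(fromLogGroup))
	fmt.Println("log group name:", logGroupNameFromARN(fromLogGroup))
	fmt.Println("regex accepts raw value too:", isValidARN(fromLogGroup))
	fmt.Println("diff suppressed:", suppressLogGroupARNDiff(fromLogGroup, normalizeLogGroupARN(fromLogGroup)))
}
```

Until a provider release carrying the fix is in use, the same normalization can be done on the user side in Terraform 0.11 interpolation with replace(aws_cloudwatch_log_group.vpc_flow_logs.arn, ":*", ""), which is the kind of transformation bacoboy describes above.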

@erikpaasonen I can confirm that as well. Upgraded to v0.11.10 and using v1.42.0 and same behavior after approx. 20 min:

[screenshot]

Pull request submitted to automatically trim :* suffix from log_destination: https://github.com/terraform-providers/terraform-provider-aws/pull/6377

The above mentioned change has been merged and will release with version 1.43.0 of the AWS provider, likely later today or tomorrow. 👍

This has been released in version 1.43.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
