Terraform-provider-aws: aws_flow_log has no deprecation path compatible with GovCloud?

Created on 28 Nov 2018  ·  8 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • Terraform v0.11.10
  • ├── provider.aws ~> 1.49

Affected Resource(s)

  • aws_flow_log

Terraform Configuration Files

  • Prints a deprecation warning but otherwise creates the flow log. However, subsequent applies always delete and recreate the flow log:
resource "aws_flow_log" "this" {
  log_group_name       = "${aws_cloudwatch_log_group.this.name}"
  iam_role_arn         = "${aws_iam_role.this.arn}"
  vpc_id               = "${var.vpc_id}"
  traffic_type         = "ALL"
}
  • Errors because logGroupName is null:
resource "aws_flow_log" "this" {
  log_destination      = "${aws_cloudwatch_log_group.this.arn}"
  log_destination_type = "cloud-watch-logs"
  iam_role_arn         = "${aws_iam_role.this.arn}"
  vpc_id               = "${var.vpc_id}"
  traffic_type         = "ALL"
}

Above config results in:

* aws_flow_log.this: Error creating Flow Log for (vpc-xxxxxxxx), error: InvalidParameterValue: 1 validation error detected: Value null at 'logGroupName' has an invalid format
        status code: 400, request id: e7873678-1286-45fd-8249-9fd8c0ba8844
  • Errors because log_destination and log_group_name conflict:
resource "aws_flow_log" "this" {
  log_destination      = "${aws_cloudwatch_log_group.this.arn}"
  log_destination_type = "cloud-watch-logs"
  log_group_name       = "${aws_cloudwatch_log_group.this.name}"
  iam_role_arn         = "${aws_iam_role.this.arn}"
  vpc_id               = "${var.vpc_id}"
  traffic_type         = "ALL"
}

Above config results in:

Error: aws_flow_log.this: "log_destination": conflicts with log_group_name

Error: aws_flow_log.this: "log_group_name": conflicts with log_destination

Expected Behavior

Terraform should create the flow log, and subsequent applies should not result in a destroy/create cycle on the resource.

Preferably, to me anyway, the new syntax would continue sending the logGroupName parameter to the API.

Actual Behavior

See notes on HCL configs.

Steps to Reproduce

  1. Attempt to apply/re-apply a config managing a VPC flow log in the us-gov-west-1 region.
Labels: partition/aws-cn, partition/aws-us-gov, service/ec2

All 8 comments

Exact same issue observed in cn-north-1

  • aws_flow_log.vpc_flow_log: Error creating Flow Log for (vpc-XXX), error: InvalidParameterValue: 1 validation error detected: Value null at 'logGroupName' has an invalid format

Testing against the AWS API, you get an error providing both log group name and log destination.

InvalidParameter: Please only provide LogGroupName or only provide LogDestination.

However, I have not found any documentation supporting log group name being deprecated. The API docs do not mention deprecation of the request parameter.

Turns out that the API in certain regions, at least us-gov-west-1 and cn-north-1, does not return LogDestinationType even if it was set previously. In most regions it is correctly set. PR #6989 fixes this issue.

You can reproduce the error with the config below: Apply and then re-apply.

In us-east-1, it will work fine, and report No changes. Infrastructure is up-to-date. However, in us-gov-west-1 it will ForceNew because the refreshed state differs from the config - the AWS API response does not include LogDestinationType yet the config does include LogDestinationType.

I've submitted a request directly to AWS. They said that since only one LogDestinationType is possible in us-gov-west-1, they simply don't return LogDestinationType in responses. They've added a ticket to their internal system to improve consistency across regions by always returning LogDestinationType. It will probably be a while before that is implemented.

In the meantime, PR #6989 will resolve the issue.

locals {
  region = "us-gov-west-1"
}

resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/24"

  tags {
    Name = "yak-testing"
  }
}

resource "aws_internet_gateway" "test" {
  vpc_id = "${aws_vpc.test.id}"

  tags {
    Name = "yak-testing"
  }
}

resource "aws_cloudwatch_log_group" "upagro" {
  name = "yak"

  tags = {
    Name = "yak-testing"
  }
}

resource "aws_flow_log" "test" {
  iam_role_arn         = "${aws_iam_role.test.arn}"
  log_group_name       = "${aws_cloudwatch_log_group.upagro.name}"
  vpc_id               = "${aws_vpc.test.id}"
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
}

resource "aws_iam_role" "test" {
  name               = "yak-test-role"
  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["logs.${local.region}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "test" {
  name   = "yak-test-policy"
  role   = "${aws_iam_role.test.id}"
  policy = "${data.aws_iam_policy_document.policy.json}"
}

data "aws_iam_policy_document" "policy" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = ["${aws_cloudwatch_log_group.upagro.arn}"]
  }
}
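The refresh drift described in the comment above, as an added Go example that is not code from the provider or from PR #6989: a constructed DescribeFlowLogs response with logDestinationType omitted, read the way the thread says the us-gov-west-1 and cn-north-1 API answered, and a normalization step (my assumption of the general approach, not the PR's actual implementation) that infers cloud-watch-logs from the presence of logGroupName so the refreshed state no longer differs from the config.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Fields of an EC2 DescribeFlowLogs <item> that matter for the drift in this thread.
type flowLogItem struct {
	LogGroupName       string `xml:"logGroupName"`
	LogDestinationType string `xml:"logDestinationType"`
}

// Constructed sample (not a real API capture): the shape us-gov-west-1 and
// cn-north-1 returned at the time, with logDestinationType omitted entirely.
const respMissingType = `<DescribeFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <flowLogSet><item><logGroupName>yak</logGroupName></item></flowLogSet>
</DescribeFlowLogsResponse>`

// effectiveDestinationType is the value a provider should write to state. When
// the API omits logDestinationType but reports a log group, the only possible
// type is cloud-watch-logs, so infer it rather than storing "" (assumed approach).
func effectiveDestinationType(it flowLogItem) string {
	if it.LogDestinationType != "" {
		return it.LogDestinationType
	}
	if it.LogGroupName != "" {
		return "cloud-watch-logs"
	}
	return ""
}

// forcesNew reports whether refreshing state from raw would produce a ForceNew
// diff against a config that sets log_destination_type = want. normalize=false
// stores exactly what the API returned (the behaviour the thread reports).
func forcesNew(raw, want string, normalize bool) (bool, error) {
	var resp struct {
		Items []flowLogItem `xml:"flowLogSet>item"`
	}
	if err := xml.Unmarshal([]byte(raw), &resp); err != nil {
		return false, err
	}
	if len(resp.Items) == 0 {
		return false, fmt.Errorf("no flow log in response")
	}
	got := resp.Items[0].LogDestinationType
	if normalize {
		got = effectiveDestinationType(resp.Items[0])
	}
	return got != want, nil
}
```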

Seems like they may have turned it on in us-gov-west-1 at least? I'm not seeing any errors when omitting logGroupName with TestAccAWSFlowLog_LogDestinationType_CloudWatchLogs on master:

resource "aws_flow_log" "test" {
  iam_role_arn         = "${aws_iam_role.test.arn}"
  log_destination      = "${aws_cloudwatch_log_group.test.arn}"
  log_destination_type = "cloud-watch-logs"
  traffic_type         = "ALL"
  vpc_id               = "${aws_vpc.test.id}"
}
2019/01/08 00:53:48 [DEBUG] Flow Log Create configuration: {
  DeliverLogsPermissionArn: "arn:aws-us-gov:iam::--OMITTED--:role/tf-acc-test-3253386810654212843",
  LogDestination: "arn:aws-us-gov:logs:us-gov-west-1:--OMITTED--:log-group:tf-acc-test-3253386810654212843",
  LogDestinationType: "cloud-watch-logs",
  ResourceIds: ["vpc-b1b7afd4"],
  ResourceType: "VPC",
  TrafficType: "ALL"
}
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/CreateFlowLogs Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.us-gov-west-1.amazonaws.com
User-Agent: aws-sdk-go/1.16.14 (go1.11.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.9-beta1
...
Action=CreateFlowLogs&DeliverLogsPermissionArn=arn%3Aaws-us-gov%3Aiam%3A%3A--OMITTED--%3Arole%2Ftf-acc-test-3253386810654212843&LogDestination=arn%3Aaws-us-gov%3Alogs%3Aus-gov-west-1%3A--OMITTED--%3Alog-group%3Atf-acc-test-3253386810654212843&LogDestinationType=cloud-watch-logs&ResourceId.1=vpc-b1b7afd4&ResourceType=VPC&TrafficType=ALL&Version=2016-11-15
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/CreateFlowLogs Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
...
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<CreateFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>dfbf455c-1507-482b-8b09-58e4607ec1a0</requestId>
    <unsuccessful/>
    <clientToken>mowk02q/z3X+Ym8LZ+fTpcDjSDKRh5LowxRa3cAKvfw=</clientToken>
    <flowLogIdSet>
        <item>fl-8ba755e2</item>
    </flowLogIdSet>
</CreateFlowLogsResponse>
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeFlowLogs Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.us-gov-west-1.amazonaws.com
User-Agent: aws-sdk-go/1.16.14 (go1.11.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.9-beta1
...
Action=DescribeFlowLogs&FlowLogId.1=fl-8ba755e2&Version=2016-11-15
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeFlowLogs Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
...
-------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<DescribeFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>918cc148-1ad7-4850-9d16-8d37bd2a9456</requestId>
    <flowLogSet>
        <item>
            <logDestination>arn:aws-us-gov:logs:us-gov-west-1:--OMITTED--:log-group:tf-acc-test-3253386810654212843</logDestination>
            <resourceId>vpc-b1b7afd4</resourceId>
            <deliverLogsPermissionArn>arn:aws-us-gov:iam::--OMITTED--:role/tf-acc-test-3253386810654212843</deliverLogsPermissionArn>
            <logDestinationType>cloud-watch-logs</logDestinationType>
            <creationTime>2019-01-08T00:53:48.280Z</creationTime>
            <trafficType>ALL</trafficType>
            <deliverLogsStatus>SUCCESS</deliverLogsStatus>
            <flowLogStatus>ACTIVE</flowLogStatus>
            <logGroupName>tf-acc-test-3253386810654212843</logGroupName>
            <flowLogId>fl-8ba755e2</flowLogId>
        </item>
    </flowLogSet>
</DescribeFlowLogsResponse>

Or logDestinationType missing (causing recreation) with TestAccAWSFlowLog_VPCID on master:

resource "aws_flow_log" "test" {
  iam_role_arn   = "${aws_iam_role.test.arn}"
  log_group_name = "${aws_cloudwatch_log_group.test.name}"
  traffic_type   = "ALL"
  vpc_id         = "${aws_vpc.test.id}"
}
2019/01/08 00:53:48 [DEBUG] Flow Log Create configuration: {
  DeliverLogsPermissionArn: "arn:aws-us-gov:iam::--OMITTED--:role/tf-acc-test-5504509664445865044",
  LogDestinationType: "cloud-watch-logs",
  LogGroupName: "tf-acc-test-5504509664445865044",
  ResourceIds: ["vpc-2ca2ba49"],
  ResourceType: "VPC",
  TrafficType: "ALL"
}
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/CreateFlowLogs Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.us-gov-west-1.amazonaws.com
User-Agent: aws-sdk-go/1.16.14 (go1.11.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.9-beta1
...
Action=CreateFlowLogs&DeliverLogsPermissionArn=arn%3Aaws-us-gov%3Aiam%3A%3A--OMITTED--%3Arole%2Ftf-acc-test-5504509664445865044&LogDestinationType=cloud-watch-logs&LogGroupName=tf-acc-test-5504509664445865044&ResourceId.1=vpc-2ca2ba49&ResourceType=VPC&TrafficType=ALL&Version=2016-11-15
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/CreateFlowLogs Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
...
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<CreateFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>1b5146dc-2785-45f1-8bd3-b1ff10adb888</requestId>
    <unsuccessful/>
    <clientToken>B7IJsIW7G/hxakU4UwQbEylCB1d8COya6T1QauPNNJc=</clientToken>
    <flowLogIdSet>
        <item>fl-8da755e4</item>
    </flowLogIdSet>
</CreateFlowLogsResponse>
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeFlowLogs Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.us-gov-west-1.amazonaws.com
User-Agent: aws-sdk-go/1.16.14 (go1.11.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.9-beta1
...
Action=DescribeFlowLogs&FlowLogId.1=fl-8da755e4&Version=2016-11-15
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeFlowLogs Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
...
-----------------------------------------------------
2019/01/08 00:53:48 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<DescribeFlowLogsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>3d592933-7f75-4453-a8c1-36892b206ce8</requestId>
    <flowLogSet>
        <item>
            <resourceId>vpc-2ca2ba49</resourceId>
            <deliverLogsPermissionArn>arn:aws-us-gov:iam::--OMITTED--:role/tf-acc-test-5504509664445865044</deliverLogsPermissionArn>
            <logDestinationType>cloud-watch-logs</logDestinationType>
            <creationTime>2019-01-08T00:53:48.456Z</creationTime>
            <trafficType>ALL</trafficType>
            <deliverLogsStatus>SUCCESS</deliverLogsStatus>
            <flowLogStatus>ACTIVE</flowLogStatus>
            <logGroupName>tf-acc-test-5504509664445865044</logGroupName>
            <flowLogId>fl-8da755e4</flowLogId>
        </item>
    </flowLogSet>
</DescribeFlowLogsResponse>

If they did, that's very new, within the last few days. I'll give it a test again tomorrow!

Indeed, on Friday last week, I was still getting the resource cycle on v1.54.0, but today it is fine. Still seems I cannot use the S3 destination for VPC Flow Logs in GovCloud (at least in the Console), but at least the API returns are consistent!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
