Terraform: Odd error - Error Getting CloudWatch Logs Tag List: %s

Created on 6 Feb 2017  ยท  7Comments  ยท  Source: hashicorp/terraform

Good morning,

After upgrading from 0.8.4 to 0.8.5 everything is fine, except the following error.

Terraform Version

0.8.5
Note: With Terragrunt 0.9.9

Affected Resource(s)

aws_cloudwatch_log_group

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "cloudtrail"
  retention_in_days = 90
}

Expected Behavior

It should just want to create a log grup called "cloudtrail" in AWS CloudWatch. (it's just a plan)

Actual Behavior

It errors out with:
* aws_cloudwatch_log_group.cloudtrail: Error Getting CloudWatch Logs Tag List: %s

Steps to Reproduce

terraform init-no-refresh
terraform plan

Important Factoids

IAM permissions are generic, arn:aws:iam:aws:policy/ReadOnlyAccess

If I run using full AWS permissions, it works fine. (even with init-no-refresh).

Nothing has changed except Terraform and Terragrunt versions.

bug provideaws
Source
picture james-gonzalez

Most helpful comment

0.8.6 also has this issue.

picture chhuang0123 on 8 Feb 2017
👍2

All 7 comments

0.8.6 also has this issue.

chhuang0123 picture chhuang0123 on 8 Feb 2017
👍2

Yep, still there.

james-gonzalez picture james-gonzalez on 8 Feb 2017

Same here but using the 'arn:aws-us-gov:iam:aws:policy/AdministratorAccess' policy.

st33v picture st33v on 12 Feb 2017

In my workaround, add the "logs:ListTagsLogGroup" permission, then it works fine.
(I think the ReadOnlyAccess permissons should include this permission...)

okzk picture okzk on 13 Feb 2017
👍1

@okzk Thanks, I'll try adding that. I can see the ReadOnly policy only includes:
"logs:Describe*", "logs:Get*", "logs:FilterLogEvents", "logs:TestMetricFilter",

Update: I can confirm that this does fix the problem. I've added logs:ListTagsLogGroup to my read-only role which I use on my CI tool and looks like I am back in business for code checks on commit.

james-gonzalez picture james-gonzalez on 15 Feb 2017

Hi @cultavix

Thanks for the issue report here - it looks like the specific error has been updated to not try and force a string

The error message was updated to 

return nil, errwrap.Wrapf("Error Getting CloudWatch Logs Tag List: {{err}}", err)

Please do let me know if you still get the same error going forward

Thanks

Paul

stack72 picture stack72 on 30 Mar 2017

I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

hashibot[bot] picture hashibot[bot] on 14 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pawelsawicz picture pawelsawicz  ยท  3Comments
Seraf picture Seraf  ยท  3Comments
allomov picture allomov  ยท  3Comments
zeninfinity picture zeninfinity  ยท  3Comments
cpoole picture cpoole  ยท  3Comments