Issues configuring log collection for aws account integration

[zhangHe58]

Datadog Terraform Provider Version

v3.30.0

Terraform Version

v1.5.4

What resources or data sources are affected?

datadog_integration_aws_lambda_arn datadog_integration_aws_log_collection

Terraform Configuration Files

resource "datadog_integration_aws_lambda_arn" "main" {
  account_id = aws_iam_access_key.main.id
  lambda_arn = aws_cloudformation_stack.main[0].outputs["DatadogForwarderArn"]
}

resource "datadog_integration_aws_log_collection" "main" {
  depends_on = [datadog_integration_aws.main]
  #   account_id = "account id"
  account_id = aws_iam_access_key.main.id
  services   = ["s3", "lambda"]
}

Relevant debug or panic output

╷ │ Error: Provider produced inconsistent result after apply │ │ When applying changes to module.cn-dev.datadog_integration_aws_lambda_arn.main, provider │ "provider[\"registry.terraform.io/datadog/datadog\"]" produced an unexpected new value: Root resource was present, but now absent. │ │ This is a bug in the provider, which should be reported in the provider's own issue tracker. ╵ ╷ │ Error: Provider produced inconsistent result after apply │ │ When applying changes to module.cn-dev.datadog_integration_aws_log_collection.main, provider │ "provider[\"registry.terraform.io/datadog/datadog\"]" produced an unexpected new value: Root resource was present, but now absent. │ │ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Expected Behavior

I can configure the log collection for the aws account I specified

Actual Behavior

The terraform apply command reports an error, but actually shows success on the datadog dashboard

In addition, this action seems to affect other integrated aws accounts whose log collection configuration is overwritten, even though I didn't specify them in the terraform code.

Steps to Reproduce

terraform apply

Important Factoids

• After the execution, the log collection configuration of other aws accounts is overwritten and modified
• I specified the access key id as account_id in the terraform code, because I wanted to configure the aws account in China
• Other aws accounts whose log collection configuration was changed unexpectedly were global

References

No response

[zhangHe58]

In addition, you may refer to another issue I raised： https://github.com/DataDog/terraform-provider-datadog/issues/2146

[zhangHe58]

The purpose of this bug is that I found that executing terraform seems to affect the log collection configuration of other global aws accounts

[zhangHe58]

Please note: The target aws account I want to configure through terraform is the China region

[zhangHe58]

I never specified the modified aws account ids in terraform, but their configurations were still overwritten

[zhangHe58]

Hi team,

Any update on this?

[nkzou]

We are still investigating the cause of this issue. Also, we are in the process of rolling out changes to both the backend and the terraform provider to provide a workaround for #2146

[nkzou]

Hi, can you open a ticket at https://help.datadoghq.com/hc/en-us/requests/new describing this issue, and linking this github issue in the ticket? That way we can investigate the issue directly in your Datadog org.

[zhangHe58]

Hi, Please check this: https://help.datadoghq.com/hc/en-us/requests/1399011

[andyshinn]

I have the same issue. Was there a workaround for this?

[nkzou]

Can you follow the instructions in https://github.com/DataDog/terraform-provider-datadog/issues/2146#issuecomment-1783372233 to see if that resolves the inconsistent apply error? Make sure you're on v3.32.0 of the provider. The bug affecting unrelated aws accounts by overwriting their log collection settings was fixed on the backend, so that issue should be resolved.

[andyshinn]

I think I solved it by changing account_id to the actual ID instead of the AWS user key ID. This is for gov site and previously we had to use the access key ID instead of account ID. Did this change recently in a version?

[nkzou]

I believe this was changed ~2 months ago due to a change to the backend behavior with access keys. Going to close this issue as the original issue was about unrelated aws accounts getting modified, which was resolved on the api side. Please open a new issue if you run into any more problems, thanks!