The CloudWatch Log Groups are apparently created too soon after the account is created and CloudWatch subscriptions initialised, causing two errors to occur simultaneously when the account is first created:
```
Error: Creating CloudWatch Log Group failed: SubscriptionRequiredException: The AWS Access Key Id needs a subscription for the service
status code: 400, request id: f1b449ee-e6d3-4e57-94ce-6821214e9372 'management-default-vpc-flow-logs'

on .terraform/modules/harden_default_vpc.vpc_baseline_us-west-2/modules/vpc-baseline/main.tf line 5, in resource "aws_cloudwatch_log_group" "default_vpc_flow_logs":
5: resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" {
```

```
Error: OptInRequired: You are not subscribed to this service. Please go to http://aws.amazon.com to subscribe.
status code: 401, request id: 8c5ddf12-1280-4a4b-ada3-4b8811bce4b5

on .terraform/modules/harden_default_vpc.vpc_baseline_us-west-2/modules/vpc-baseline/main.tf line 18, in resource "aws_default_vpc" "default":
18: resource "aws_default_vpc" "default" {
```
The error no longer shows when the account creation is re-attempted shortly after (i.e. re-running the `account-init.sh` script from https://github.com/RootPrivileges/terragrunt-aws down to the same point).

These are probably better fixed upstream (need to find out whether Terraform or Terragrunt is the better place) by catching the error and retrying after a short delay.
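A retry wrapper of the kind the paragraph above proposes, added here as an example and not code from the terragrunt-aws repository. It assumes the wrapped command prints the error text shown in the issue on stderr; the attempt count and delay values are hypothetical, and only the two not-yet-subscribed errors are retried so that real failures still surface immediately.

```shell
#!/usr/bin/env bash
# Added example: retry a Terraform/Terragrunt run while a freshly created AWS
# account still answers with "not subscribed" errors. Not part of terragrunt-aws.

# Return 0 if the captured output looks like the account-bootstrap race, else 1.
# Only the two errors quoted in the issue are treated as retryable.
is_subscription_race() {
  printf '%s\n' "$1" | grep -qE 'SubscriptionRequiredException|OptInRequired'
}

# retry_on_subscription_race <max_attempts> <delay_seconds> <cmd...>
# Runs cmd, capturing stdout+stderr. On a subscription error it sleeps and
# retries up to max_attempts; any other non-zero exit is returned unchanged.
retry_on_subscription_race() {
  local max="$1" delay="$2"
  shift 2
  local attempt=1 out rc
  while :; do
    out=$("$@" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
      printf '%s\n' "$out"
      return 0
    fi
    if ! is_subscription_race "$out"; then
      # Genuine failure (bad config, permissions, ...): do not mask it.
      printf '%s\n' "$out" >&2
      return "$rc"
    fi
    if [ "$attempt" -ge "$max" ]; then
      printf 'giving up after %d attempts:\n%s\n' "$attempt" "$out" >&2
      return "$rc"
    fi
    printf 'attempt %d: account services not subscribed yet, retrying in %ds\n' \
      "$attempt" "$delay" >&2
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# Hypothetical use inside account-init.sh (values are illustrative):
#   retry_on_subscription_race 10 30 terragrunt apply -auto-approve
```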