hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

The aws_cloudwatch_log_resource_policy fails on destroy when multiple TF resources with the same name exist. #16812

Open mkielar opened 3 years ago

mkielar commented 3 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

data "aws_iam_policy_document" "this" {
  statement {
    effect = "Allow"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = ["arn:aws:logs:*:*:log-group:/aws/route53/*"]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "one" {
  policy_name     = "route53-query-logging-policy"
  policy_document = data.aws_iam_policy_document.this.json
}

resource "aws_cloudwatch_log_resource_policy" "two" {
  policy_name     = "route53-query-logging-policy"
  policy_document = data.aws_iam_policy_document.this.json
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

When I call terraform destroy, both TF resources should get destroyed successfully. The "delete" operation should be idempotent, so if the resource does not exist when terraform tries to delete it, it should pass without errors.

Actual Behavior

This error is shown for one of the resources:

Error: Deleting CloudWatch log resource policy 'route53-query-logging-policy' failed: ResourceNotFoundException: Policy with name [route53-query-logging-policy] does not exist.

Steps to Reproduce

  1. terraform apply
  2. terraform destroy

Important Factoids

Because of the required depends_on between that resource and other resources we deploy, we initially put creation of aws_cloudwatch_log_resource_policy in a module, and then used the module multiple times. This led to a wrongful situation of having terraform thinking it deployed the policy twice, where in fact only one copy existed in AWS.

This can be solved in two ways:

  1. When creating such policy, check if it already exists and fail - this would show us immediately that our terraform templates were badly designed and would have prevented the situation.
  2. Make destroy operation idempotent for this resource to avoid failures when multiple such resources get destroyed.

References
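The duplicate-declaration trap described in the issue can be caught before apply rather than at destroy time. As an added example (not part of this issue or of the provider's code), the Python preflight below reads `terraform show -json` output and reports any policy_name declared by more than one aws_cloudwatch_log_resource_policy, including copies inside repeated modules; the embedded plan is constructed and the module addresses are hypothetical.

```python
import json
import sys
from collections import defaultdict

# Constructed sample (not a real plan) in the shape of `terraform show -json tfplan`:
# one module instantiated twice, each copy declaring the policy with the same policy_name.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [], "child_modules": [
        {"address": "module.zone_a", "resources": [{
            "address": "module.zone_a.aws_cloudwatch_log_resource_policy.this",
            "type": "aws_cloudwatch_log_resource_policy",
            "values": {"policy_name": "route53-query-logging-policy"}}]},
        {"address": "module.zone_b", "resources": [{
            "address": "module.zone_b.aws_cloudwatch_log_resource_policy.this",
            "type": "aws_cloudwatch_log_resource_policy",
            "values": {"policy_name": "route53-query-logging-policy"}}]},
    ]}},
}


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_duplicate_policy_names(doc):
    """Map each policy_name declared by more than one aws_cloudwatch_log_resource_policy
    to the list of resource addresses declaring it. Accepts plan JSON (planned_values)
    or state JSON (values) as produced by `terraform show -json`."""
    root = (doc.get("planned_values") or doc.get("values", {})).get("root_module", {})
    by_name = defaultdict(list)
    for res in iter_resources(root):
        if res.get("type") != "aws_cloudwatch_log_resource_policy":
            continue
        name = (res.get("values") or {}).get("policy_name")
        if name is not None:
            by_name[name].append(res["address"])
    return {n: addrs for n, addrs in by_name.items() if len(addrs) > 1}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_policy_names.py
    doc = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    dups = find_duplicate_policy_names(doc)
    for name, addrs in dups.items():
        print(f"policy_name {name!r} is declared by {len(addrs)} resources: {', '.join(addrs)}")
    sys.exit(1 if dups else 0)
```

A non-zero exit lets a CI step block the apply, which is the "fail early" behaviour the first proposed fix asks the provider for.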

github-actions[bot] commented 5 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

mkielar commented 5 months ago

Bad bot :P