Open killmepete opened 1 year ago
Voting for Prioritization
Volunteering to Work on This Issue
Upgraded to the latest version of the provider (5.14.0) and still seeing the same problem.
Did further testing on this, I have the same issue if I'm importing a trail that I've manually provisioned.
I'm seeing this as well when trying to import an existing trail:
$ terraform import module.security_monitoring.aws_cloudtrail.security_monitoring_cloudtrail 'arn:aws:cloudtrail:us-west-2:<redacted>:trail/security_monitoring_cloudtrail'
module.security_monitoring.aws_cloudtrail.security_monitoring_cloudtrail: Import prepared!
Prepared aws_cloudtrail for import
Error: Cannot import non-existent remote object
$ terraform version
Terraform v0.12.31
+ provider.archive v2.4.0
+ provider.aws v4.67.0
$ aws cloudtrail list-trails | jq '.Trails[] | select(.Name == "security_monitoring_cloudtrail")'
{
"TrailARN": "arn:aws:cloudtrail:us-west-2:<redacted>:trail/security_monitoring_cloudtrail",
"Name": "security_monitoring_cloudtrail",
"HomeRegion": "us-west-2"
}
EDIT:
I think the problem here is that my provider is set to region eu-central-1
. Ya, that seemed to be it. All seems fixed now.
Did further testing on this, I have the same issue if I'm importing a trail that I've manually provisioned.
I also faced the error message reading AWS CloudTrail Trail (XXXXXX-cloudtrail): not found after creation
when trying to import an existing trail (terraform version 1.5.5 and aws provider 5.10).
After some fiddling, I figured the tf provider used a role that didn't have any permissions to CRUD on Cloudtrail resources (say the aws_cloudtrail of concern). After adding adequate permissions to the role, the error seems gone (I actually didn't execute the import, yet, since we have a two-step approach with tfmigrate cli, but the error disappeared).
Maybe the bug is that the missing permissions don't get detected and/or the error message misleads? I tried to find the correlating cloudtrail event for the tf initated API call but couldn't find.
@killmepete : maybe you have the same permission issue? This wouldn't change the fact that the cli errer statement seems misleading or buggy, but it could unblock your development.
@DominicBortmes Good suggestion! Will give that a go ASAP and give feedback.
@DominicBortmes Giving the IAM principal 'cloudtrail:*' seemed to do the trick so must be a permissions issue, I couldn't see what API call was responsible in cloudtrail unfortunately.
I can confirm the same issue of CloudTrail being created but terraform errors that resource not found Terraform v1.5.7 AWS provider 5.16.1
user used has administrator role.
setup we have includes organizational structure with multiple accounts.
We want to create CloudTrail in a separate account, not a main/root account.
I do suspect that
if resource's "aws_cloudtrail
" is_organization_trail
property is set to true then when you execute code to create Cloud Trail in that dedicated Cloud Trail account actuall Cloud trail resource is created in the root / main account.
And if is_organization_trail is set to false then Cloud trail is being created in that local account against which terraform is run.
How to verify:
if you have your setup with multi-account setup
run same some but change only is_organization_trail
and see the results. Go to UI and check what ARN is shown. for mw account id differs depending on this flag value. I suspect that this causes the issue because depending on the flag GET command should use differnet account id in the call.
I don't know if this helps @killmepete but I run into this issue and we ended up using the following permissions in the IAM role used by terrraform to be able to provision and to decommission AWS CloudTrails:
"cloudtrail:CreateTrail",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail",
"cloudtrail:StartLogging",
"cloudtrail:StopLogging",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:GetEventSelectors",
"cloudtrail:LookupEvents",
"cloudtrail:AddTags",
"cloudtrail:ListTags",
"cloudtrail:RemoveTags",
For us, the culprit for AWS CloudTrail Trail (XXXXXX-cloudtrail): not found after creation
was the cloudtrail:DescribeTrails
missing permission. Once we added that one, we started to get better error messages to add the others ones (i.e. GetTrailStatus, GetEventSelectors, ...)
I too have the terraform import issue. My workspace had multiple providers in different regions with assume_role{}
blocks, so I couldn't use the admin role.
As such I created a blank workspace and imported the cloudtrail. From there, I copied the resource object out of state and into my existing workspace's state manually
Terraform Core Version
1.5.6
AWS Provider Version
aws v5.0.1
Affected Resource(s)
Cloudtrail
Expected Behavior
The cloudtrail module I have created (based of the example) should be able to deploy without issue.
Actual Behavior
I currently have a simple module created to deploy cloudtrail (using the example provided), I'm running into an error which seems to be intermittent where after running a few deploys (with resources nothing to do with Cloudtrail) I'll encounter the error message:
"reading AWS CloudTrail Trail (dev-test-cloudtrail): not found after creation"
I can confirm that if I log into the console or check via the CLI that the trail does exist and is logging as expected, I haven't been able to find any documentation around this error message and the only way I've managed to get around it is by intercepting my build, running a terraform state rm on cloudtrail and redeploying.
I'm inclined to believe this is a bug with the provider, I've deployed and written similar cloudtrail modules before and I've never encountered this problem. If I'm mistaken and it's an easy fix that would make me happy!
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Unsure, problem happens intermittently and can happen a long time after the cloudtrail has been deployed.
Debug Output
ERROR
PLANNED CHANGES
Panic Output
No response
Important Factoids
Resource names, IDs and so and so have been changed for the purposes of the bug report.
References
The lines responsible for the logging message...
https://github.com/hashicorp/terraform-provider-aws/blob/8aebcb61aa37f33f47606097cce23e5aa1783121/internal/service/cloudtrail/cloudtrail.go#L366-L385
Would you like to implement a fix?
Happy too if it's a confirmed bug and can get some pointers!