[Enhancement]: Logging Improvement: InvalidSignatureException: Signature expired when deploying aws_cloudwatch_log_resource_policy

[fatbasstard]

Terraform Core Version

1.6.5

AWS Provider Version

5.29.0

Affected Resource(s)

• aws_cloudwatch_log_resource_policy

Expected Behavior

Succesfully create aws_cloudwatch_log_resource_policy when enabling Route53 DNS Query logging

Actual Behavior

Terraform run take pretty long (Plan & apply duration 16 minutes), causing this error to pop up:

Error: creating CloudWatch Logs Resource Policy (route53-query-logging-policy-xxx): operation error CloudWatch Logs: PutResourcePolicy, https response error StatusCode: 400, RequestID: XXX, api error InvalidSignatureException: Signature expired: 20231201T095742Z is now earlier than 20231201T095745Z (20231201T100245Z - 5 min.)

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

https://github.com/schubergphilis/terraform-aws-mcaf-route53-zones/blob/main/dns_query_logging.tf#L27

Steps to Reproduce

Get a big TF plan

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[dnlopes]

Also happening to me. Our runs are also moderately long, in this case it blowed up after 8min of an apply.

[dnlopes]

Update: I found out that the issue was on my side. I hit the limit of 10 resource policies per account/region. Apparently this is a hard limit.

It's odd that another person just hit this issue at the same as me, maybe something changed on the error handling here, and instead of blowing up with a 400 right away, Terraform keeps waiting for the resource to be created?

[fatbasstard]

Looked at our setup and it seems to be the limit indeed. So the error is confusing, seems like we hit the resource limit as well.

[fatbasstard]

So the error is valid, the message is annoying. Maybe that can be improved.

Thanks @dnlopes for pointing me in the right direction 👍

[justinretzolk]

Hi @fatbasstard 👋 Thanks for taking the time to raise this, and for the great discussion here. Given that you've found the source of the issue, but it seems like we could do a better job with logging, I've updated the issue a bit.