hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_cloudwatch_query_definition error when use cross account log groups #37986

Open robsonpiere opened 1 month ago

robsonpiere commented 1 month ago

Terraform Core Version

1.8.0

AWS Provider Version

5.54.1

Affected Resource(s)

aws_cloudwatch_query_definition

Expected Behavior

When trying to create or import an aws_cloudwatch_query_definition that references a log group from another account, the ARN of the log group is used instead of its name. This should work via the AWS CLI and the web console.

Actual Behavior

When trying to create or import a resource where the log group name belongs to another account, the following error is displayed:

"log_group_names.1" isn't a valid log group name (alphanumeric characters, underscores, hyphens, slashes, hash signs and dots are allowed): "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/another-accounnt-lambda"

The problem is the validation used, which does not accept the ARN format:

https://github.com/hashicorp/terraform-provider-aws/blob/46b15e93e3c8c496d2454714d19ad1890a886eb4/internal/service/logs/query_definition.go#L54

https://github.com/hashicorp/terraform-provider-aws/blob/46b15e93e3c8c496d2454714d19ad1890a886eb4/internal/service/logs/validate.go#L25-L43

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

Example Gist https://gist.github.com/robsonpiere/0340d506f63833491d68039679cc4a23

Steps to Reproduce

For the import error:

aws logs put-query-definition --log-group-names "/aws/lambda/first-account-lambda" "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/seccond-accounnt-lambda" --query-string "fields @timestamp, @message | filter @message like /ERROR/ | sort @timestamp desc | limit 20" --query-definition-name "example-query"

Try to import it in Terraform, generating a .tf file:

import {
  to = aws_cloudwatch_query_definition.example
  id = "arn:aws:logs:us-east-1:<account>:query-definition:<query id>"
}
terraform plan -generate-config-out=generated.tf

Output:

"log_group_names.1" isn't a valid log group name (alphanumeric characters, underscores, hyphens, slashes, hash signs and dots are allowed): "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/another-accounnt-lambda"

For creating a new resource:

resource "aws_cloudwatch_query_definition" "example_query" {
  name = "example-query"

  query_string = <<-EOT
    fields @timestamp, @message, @logStream, @log
    | sort @timestamp desc
    | limit 1000
  EOT

  log_group_names = [
    "/aws/lambda/first-account-lambda",
    "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/another-accounnt-lambda",
  ]
}

Same error output.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
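A validator that accepts both forms, as an added example (not the provider's code and not a proposed patch to it): it mirrors the signature of the Terraform Plugin SDK's schema.SchemaValidateFunc so the shape is familiar, but it has no SDK dependency and runs stand-alone. The function names validLogGroupNameOrARN and IsValidLogGroupRef, the regular expressions and the sample inputs are all constructed here; the ARN layout arn:<partition>:logs:<region>:<account-id>:log-group:<name>[:*] follows the value shown in the issue's own error output, and the allowed-character set for a bare name is the one the provider's error message lists.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed example, not the provider's code. The validator below has the
// shape of a Terraform Plugin SDK v2 schema.SchemaValidateFunc
// (func(interface{}, string) ([]string, []error)) but is defined locally so
// the file builds without the SDK.

// Characters allowed in a CloudWatch Logs log group name, as listed in the
// provider's error message: alphanumerics, underscore, hyphen, slash, hash, dot.
const logGroupNameChars = `[A-Za-z0-9_/#.-]{1,512}`

var (
	// Bare log group name, e.g. /aws/lambda/first-account-lambda.
	logGroupNameRe = regexp.MustCompile(`^` + logGroupNameChars + `$`)

	// Log group ARN: arn:<partition>:logs:<region>:<12-digit account>:log-group:<name>[:*]
	// Partition and region are matched loosely on purpose; the 12-digit account
	// id is the part that matters for the cross-account case.
	logGroupARNRe = regexp.MustCompile(
		`^arn:aws(?:-[a-z]+)*:logs:[a-z0-9-]+:[0-9]{12}:log-group:` + logGroupNameChars + `(?::\*)?$`)
)

// validLogGroupNameOrARN (hypothetical name) accepts either a bare log group
// name (same-account use) or a log group ARN (cross-account use), and rejects
// everything else with an error that names the attribute, as SDK validators do.
func validLogGroupNameOrARN(i interface{}, k string) ([]string, []error) {
	v, ok := i.(string)
	if !ok {
		return nil, []error{fmt.Errorf("expected type of %q to be string", k)}
	}
	if logGroupNameRe.MatchString(v) || logGroupARNRe.MatchString(v) {
		return nil, nil
	}
	return nil, []error{fmt.Errorf(
		"%q isn't a valid log group name or log group ARN "+
			"(name: alphanumeric characters, underscores, hyphens, slashes, hash signs and dots; "+
			"ARN: arn:<partition>:logs:<region>:<account-id>:log-group:<name>): %q", k, v)}
}

// IsValidLogGroupRef is a small wrapper that reports only accept/reject.
func IsValidLogGroupRef(v string) bool {
	_, errs := validLogGroupNameOrARN(v, "log_group_names.0")
	return len(errs) == 0
}

func main() {
	// Constructed inputs: the two values from the issue plus a few edge cases.
	for _, v := range []string{
		"/aws/lambda/first-account-lambda",
		"arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/another-accounnt-lambda",
		"arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/another-accounnt-lambda:*",
		"arn:aws:logs:us-east-1:9999:log-group:/short-account-id", // rejected: account id must be 12 digits
		"arn:aws:iam::999999999999:role/not-a-log-group",          // rejected: not a logs ARN
		"/aws/lambda/has space",                                  // rejected: disallowed character
	} {
		fmt.Printf("valid=%-5v %s\n", IsValidLogGroupRef(v), v)
	}
}
```

The two regexes are kept separate rather than folded into one so that the bare-name rule stays byte-for-byte what the provider already enforces; only values containing a colon can reach the ARN branch, so loosening the validator cannot let a previously rejected plain name through.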


dihuynh commented 1 month ago

+1, this feature would be very useful for monitoring accounts set up per this doc: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html