[Bug]: aws_networkfirewall_logging_configuration fails to apply 3 log destination configs

[AJD-UK]

Terraform Core Version

0.13.4

AWS Provider Version

5.63.0

Affected Resource(s)

• aws_networkfirewall_logging_configuration

Expected Behavior

Alert, Flow and TLS log types should be configured

Actual Behavior

Only 2 of the 3 log types can ever be configured in any combination

Relevant Error/Panic Output Snippet

operation error Network Firewall: UpdateLoggingConfiguration, https response error StatusCode: 400, RequestID: hex, InvalidRequestException: Given logging configuration attempts to create/modify multiple log destination configs

Terraform Configuration Files

resource "aws_networkfirewall_logging_configuration" "this" {
  firewall_arn = aws_networkfirewall_firewall.anfw.arn
  logging_configuration {
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.anfw_alert_log_group.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.anfw_flow_log_group.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "FLOW"
    }
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.anfw_tls_log_group.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "TLS"
    }
  }
}

Steps to Reproduce

terraform apply with 3 log types defined

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

https://github.com/hashicorp/terraform-provider-aws/issues/38790 https://github.com/hashicorp/terraform-provider-aws/pull/38824

Would you like to implement a fix?

No

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[erikvdijk88]

It seems a fix was done in :https://github.com/hashicorp/terraform-provider-aws/pull/38824 But after testing I get a different error now:

peration error Network Firewall: UpdateLoggingConfiguration, https response error StatusCode: 400, RequestID: 7ae56df8-f29a-4fc5-b0f9-2a99c16a3bcd, InvalidRequestException: Given logging configuration attempts to create/modify multiple log destination configs

it seems you can have all 3 logs configured on 1 network firewall with terraform. (alert, flow and tls). when you only add 2 configs (in any order) it works as expected.

[AJD-UK]

lorodoes can you spot anything related to PR https://github.com/hashicorp/terraform-provider-aws/pull/38824 that could cause this?

[michaeldop]

Looks like something was reverted in the logic in this commit to look for 2: https://github.com/hashicorp/terraform-provider-aws/commit/ce791ab4258c3b38aa8629ca46d1b7e88a519bd3. Maybe this is the culprit?

[AJD-UK]

Seems like a smoking gun to me @michaeldop but not being a Go developer I'm not sure I understand the context.

[lorodoes]

I found the issue. I over looked one line of code during the expansion. Problem Code

I will see if I can't get a MR up shortly. Sorry for missing this.

[lorodoes]

40092 This PR does have the fix for this issue.