hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Access Error on resource aws_flow_log using log_destination #6373

Closed connor-tyndall closed 6 years ago

connor-tyndall commented 6 years ago

Community Note

Terraform Version

Affected Resource(s)

Terraform Configuration Files

resource "aws_flow_log" "default_flow_log" {
  log_destination = "${aws_cloudwatch_log_group.vpc_flow_logs.arn}"
  iam_role_arn    = "${aws_iam_role.flow_logs_role.arn}"
  vpc_id          = "${data.aws_vpc.aws-default-vpc.id}"
  traffic_type    = "ALL"
}

Expected Behavior

image

Actual Behavior

image

Steps to Reproduce

  1. Change from using log_group_name to log_destination
  2. terraform apply

References

https://stackoverflow.com/questions/53150946/access-error-while-creating-an-aws-flow-log-using-terraform
https://github.com/terraform-providers/terraform-provider-aws/issues/6360
https://www.terraform.io/docs/providers/aws/r/flow_log.html

bacoboy commented 6 years ago

Is this different from #6360?

connor-tyndall commented 6 years ago

@bacoboy It is in the sense that it affects the resource aws_flow_log and the error we are seeing in the console and not specifically aws_cloudwatch_log_subscription_filter, although the argument could be made that they are essentially the same issue. I think it relates to the same issue you are seeing that :* is an invalid input.

connor-tyndall commented 6 years ago

@bacoboy Are you seeing the above Access error... message in your flow logs configuration in the console after approx. 15 min?

bacoboy commented 6 years ago

No, in my case the additional characters fail the regex that field is supposed to conform to. If you look at the bottom of my terraform code, there is a small transformation you can steal to trim the :* for now. But since the field is deprecated, it seems they should switch all the uses of log_group_name to using the arn like they did on the resource.

connor-tyndall commented 6 years ago

So it seems as though the log_destination field is expecting the :* in the regex of that field ("^arn:[\\w-]+:([a-zA-Z0-9\\-])+:([a-z]{2}-(gov-)?[a-z]+-\\d{1})?:(\\d{12})?:(.*)$"). If log_destination is set with :* it seems as though the log_group_name is being set with :* as well, hence the following change when reverting back to using log_group_name:

log_destination:      "arn:aws:logs:us-east-1:123456789012:log-group:vpc-flow-logs:*" => <computed>
log_destination_type: "cloud-watch-logs" => "cloud-watch-logs"
log_group_name:       "vpc-flow-logs:*" => "vpc-flow-logs" (forces new resource)

I guess AWS does not recognize the :* that is being added to log_group_name.

erikpaasonen commented 6 years ago

The reported Terraform version is v0.11.8. Not that it makes a significant difference, but I can confirm this is happening with Terraform v0.11.10 as well. Also running v1.42.0 of the AWS provider.

bflad commented 6 years ago

Should we strings.TrimSuffix(":*") it when calling the API, and suppress the plan difference (either via StateFunc or DiffSuppressFunc)? We've done similar for aws_api_gateway_stage:

https://github.com/terraform-providers/terraform-provider-aws/blob/e7f9882f5ebfa3887cdb50cb1490a8cd183483d1/aws/resource_aws_api_gateway_stage.go#L49-L50
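As an added illustration of the normalization discussed in this thread (the trailing :* on the CloudWatch log group ARN, the validation regex quoted above, and the TrimSuffix plus DiffSuppressFunc approach proposed here), the following Go example is not code from the provider. It mirrors the shape of a Terraform DiffSuppressFunc without the *schema.ResourceData parameter so it runs without the plugin SDK; the function names and the sample ARN are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// logDestinationPattern is the validation regex quoted in this issue for the
// log_destination argument. It accepts both the bare log-group ARN and the
// ":*"-suffixed form that aws_cloudwatch_log_group.arn exports.
var logDestinationPattern = regexp.MustCompile(
	`^arn:[\w-]+:([a-zA-Z0-9\-])+:([a-z]{2}-(gov-)?[a-z]+-\d{1})?:(\d{12})?:(.*)$`)

// normalizeLogDestination strips the trailing ":*" that CloudWatch appends to
// log group ARNs; the flow-logs service does not recognise that suffix.
// Trimming is idempotent, so an already-bare ARN is returned unchanged.
func normalizeLogDestination(arn string) string {
	return strings.TrimSuffix(arn, ":*")
}

// suppressLogDestinationDiff has the shape of a Terraform DiffSuppressFunc
// (attribute key, value in state, value in config) minus the ResourceData
// argument. It reports true when the two values differ only by the ":*"
// suffix, so the plan does not show a perpetual in-place change after the
// trimmed value has been written to state.
func suppressLogDestinationDiff(k, oldVal, newVal string) bool {
	return normalizeLogDestination(oldVal) == normalizeLogDestination(newVal)
}

// validateLogDestination returns an error when the ARN does not match the
// regex above, mirroring the provider-side check the thread quotes.
func validateLogDestination(arn string) error {
	if !logDestinationPattern.MatchString(arn) {
		return fmt.Errorf("%q is not a valid log destination ARN", arn)
	}
	return nil
}

func main() {
	// Constructed sample: the ARN form exported by aws_cloudwatch_log_group.arn.
	configured := "arn:aws:logs:us-east-1:123456789012:log-group:vpc-flow-logs:*"
	sent := normalizeLogDestination(configured)

	fmt.Println("configured:  ", configured)
	fmt.Println("sent to API: ", sent)
	fmt.Println("both valid:  ",
		validateLogDestination(configured) == nil && validateLogDestination(sent) == nil)
	fmt.Println("diff suppressed:",
		suppressLogDestinationDiff("log_destination", sent, configured))
}
```

Note that the regex alone does not catch the problem: both forms of the ARN pass validation, which is why the failure only surfaces later in the console as an access error rather than at plan time. Trimming before the API call fixes the call, and the suppress function keeps the trimmed state value from producing a spurious diff against the :* form still present in configuration.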

connor-tyndall commented 6 years ago

@erikpaasonen I can confirm that as well. Upgraded to v0.11.10 and using v1.42.0 and same behavior after approx. 20 min:

image

bflad commented 6 years ago

Pull request submitted to automatically trim :* suffix from log_destination: https://github.com/terraform-providers/terraform-provider-aws/pull/6377

bflad commented 6 years ago

The above mentioned change has been merged and will release with version 1.43.0 of the AWS provider, likely later today or tomorrow. 👍

bflad commented 6 years ago

This has been released in version 1.43.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!