hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

awscc_logs_log_group: after the resource is provisioned, an invalid ARN ID is captured in the state file #1028

Open jackywong-amazon opened 1 year ago

jackywong-amazon commented 1 year ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

Affected Resource(s)

awscc_logs_log_group

Terraform Configuration Files

resource "awscc_wafv2_logging_configuration" "awscc_waf_logging" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [awscc_logs_log_group.example.arn]

}

resource "awscc_logs_log_group" "example" {
  log_group_name = "aws-waf-logs-awscc"
}


Debug Output

Panic Output

Expected Behavior

After the CW log group is provisioned, the correct ARN should be stored in the state file: "arn": "arn:aws:logs:us-east-1:********:log-group:aws-waf-logs-awscc",

When looking at the WAFv2 console, AWS WAF > Logging and metrics > Amazon CloudWatch Logs log group displays aws-waf-logs-awscc.

Actual Behavior

The actual ARN stored in the state file after the resource is provisioned is "arn": "arn:aws:logs:us-east-1::********:log-group:aws-waf-logs-awscc:*",

When looking at the WAFv2 console, AWS WAF > Logging and metrics > Amazon CloudWatch Logs log group displays *; after clicking the *, it redirects to an error page.

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. Inspect the state file

Important Factoids

References

kadrach commented 1 year ago

This looks to be an upstream issue. WAFv2 accepts log group ARNs with a wildcard suffix (see below), but the UI does not like it (I have not tested logging functionality itself). The following seems to work:

resource "awscc_wafv2_logging_configuration" "awscc_waf_logging" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [trimsuffix(awscc_logs_log_group.example.arn, ":*")]
}

What's going on?

% aws cloudcontrol list-resources --type-name AWS::Logs::LogGroup
{
    "ResourceDescriptions": [
        {
            "Identifier": "aws-waf-logs-awscc",
            "Properties": "{\"LogGroupName\":\"aws-waf-logs-awscc\",\"Arn\":\"arn:aws:logs:ap-southeast-2:000000000000:log-group:aws-waf-logs-awscc:*\"}"
        }
    ],
    "TypeName": "AWS::Logs::LogGroup"
}

Looking at the docs this is a valid ARN (this surprised me).

% aws wafv2 get-logging-configuration --resource-arn arn:aws:wafv2:ap-southeast-2:000000000000:regional/webacl/potato/411b5efe-9c06-41f1-8d6b-676493444cca
{
    "LoggingConfiguration": {
        "ResourceArn": "arn:aws:wafv2:ap-southeast-2:000000000000:regional/webacl/potato/411b5efe-9c06-41f1-8d6b-676493444cca",
        "LogDestinationConfigs": [
            "arn:aws:logs:ap-southeast-2:000000000000:log-group:aws-waf-logs-awscc:*"
        ],
        "ManagedByFirewallManager": false
    }
}

[Screenshot 2023-07-04 at 2:54:56 pm] 🤔

Trimming the :* suffix from the ARN fixes the display issue (as mentioned I did not test logging itself).

Perhaps worth including this in #1027 - otherwise this appears to be an upstream issue.
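The comment above pins the cause down to the `:*` suffix that Cloud Control returns on the log group ARN, which WAFv2 accepts but the console cannot resolve. The following is an added example, not code from the issue or from the awscc provider: it reproduces the `trimsuffix(arn, ":*")` workaround outside Terraform as an ARN parser, so the `arn` attributes in a state file can be audited for both the wildcard suffix and the malformed double-colon variant reported at the top of the issue. The state document, resource names and account id are constructed for the example; the Terraform state layout (`resources[].instances[].attributes`) is the v4 JSON format.

```python
"""Audit CloudWatch Logs log-group ARNs in a Terraform state document.

Added example, not part of terraform-provider-awscc or this issue thread.
"""
import json
import re

# An ARN is arn:partition:service:region:account:resource. For a CloudWatch Logs
# log group the resource part is "log-group:<name>", optionally followed by the
# ":*" wildcard that Cloud Control appends. Account ids are twelve digits, so the
# double-colon form "region::account" from the issue does not match.
_LOG_GROUP_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):logs:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":log-group:(?P<name>[^:]+)(?P<wildcard>:\*)?$"
)


def parse_log_group_arn(arn: str) -> dict:
    """Return the ARN components; raise ValueError for anything not a log-group ARN."""
    match = _LOG_GROUP_ARN.match(arn)
    if match is None:
        raise ValueError(f"not a well-formed CloudWatch Logs log-group ARN: {arn!r}")
    parts = match.groupdict()
    parts["wildcard"] = parts["wildcard"] is not None
    return parts


def normalize_log_group_arn(arn: str) -> str:
    """Rebuild the ARN without the ':*' suffix (same result as trimsuffix(arn, ":*"))."""
    p = parse_log_group_arn(arn)
    return f"arn:{p['partition']}:logs:{p['region']}:{p['account']}:log-group:{p['name']}"


def audit_state(state: dict) -> list:
    """Report every awscc_logs_log_group instance whose ARN carries ':*' or is malformed.

    Each finding is (resource name, stored ARN, normalized ARN or error message).
    """
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != "awscc_logs_log_group":
            continue
        for inst in res.get("instances", []):
            arn = inst.get("attributes", {}).get("arn", "")
            try:
                if parse_log_group_arn(arn)["wildcard"]:
                    findings.append((res.get("name"), arn, normalize_log_group_arn(arn)))
            except ValueError as exc:
                findings.append((res.get("name"), arn, str(exc)))
    return findings


# Constructed sample state (hypothetical account id 000000000000, not real data).
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "resources": [
    {"type": "awscc_logs_log_group", "name": "example",
     "instances": [{"attributes": {
       "log_group_name": "aws-waf-logs-awscc",
       "arn": "arn:aws:logs:ap-southeast-2:000000000000:log-group:aws-waf-logs-awscc:*"}}]},
    {"type": "awscc_logs_log_group", "name": "broken",
     "instances": [{"attributes": {
       "log_group_name": "aws-waf-logs-awscc",
       "arn": "arn:aws:logs:us-east-1::000000000000:log-group:aws-waf-logs-awscc:*"}}]},
    {"type": "aws_wafv2_web_acl", "name": "example",
     "instances": [{"attributes": {"arn": "arn:aws:wafv2:us-east-1:000000000000:regional/webacl/x/y"}}]}
  ]
}
""")

if __name__ == "__main__":
    # Usage: python audit_arns.py < terraform.tfstate, or run as-is on the sample.
    for name, stored, result in audit_state(SAMPLE_STATE):
        print(f"{name}: {stored} -> {result}")
```

The parser deliberately rejects the `region::account` form instead of trying to repair it: an ARN with an empty field should be treated as a provider or API defect to report, not silently rewritten, whereas the `:*` suffix is documented as valid and can be normalized safely.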

wellsiau-aws commented 11 months ago

@jackywong-amazon , can you try the workaround as mentioned by @kadrach ?

resource "awscc_wafv2_logging_configuration" "awscc_waf_logging" {
  resource_arn            = aws_wafv2_web_acl.example.arn
  log_destination_configs = [trimsuffix(awscc_logs_log_group.example.arn, ":*")]
}