When you upgrade to terraform aws provider > v3.0.0 the module.example.aws_iam_role_policy.log_agent Resource will see a change, removing a colon wildcard.
# module.example.aws_iam_role_policy.log_agent will be updated in-place
~ resource "aws_iam_role_policy" "log_agent" {
id = "example-task-role:example-log-permissions"
name = "example-log-permissions"
~ policy = jsonencode(
~ {
~ Statement = [
~ {
Action = [
"logs:PutLogEvents",
"logs:CreateLogStream",
]
Effect = "Allow"
~ Resource = "arn:aws:logs:eu-west-1:123456789:log-group:example:*" -> "arn:aws:logs:eu-west-1:123456789:log-group:example"
Sid = ""
},
]
Version = "2012-10-17"
}
)
role = "example-task-role"
}
When you upgrade to terraform aws provider > v3.0.0 the module.example.aws_iam_role_policy.log_agent Resource will see a change, removing a colon wildcard.
From the v3.0.0 upgrade guide: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-3-upgrade#resource-aws_cloudwatch_log_group
The way to make it compatible with the previous one is like so:
resources = ["${aws_cloudwatch_log_group.example.arn}:*"]Terraform version