
I'm creating a flow log for a VPC that sends the logs to a CloudWatch log group. I'm using the exact same code from the CloudWatch Logging section of this link: https://www.terraform.io/docs/providers/aws/r/flow_log.html and just changing the vpc_id to my VPC's id.

The flow log gets created, but after around 15 minutes the status changes from "Active" to "Access error: The log destination is not accessible."

1) It isn't a policy issue: when I do the same from the console, using the same IAM role that Terraform created, it works perfectly fine.

2) I tried entering the ARN of an already existing CloudWatch log group rather than creating one from the Terraform code, but that isn't working either.

Please let me know where I'm going wrong.


2 Answers


To fix this, look at my example:

resource "aws_flow_log" "management-vpc-flow-log-reject" {
  # Bare log-group ARN: no trailing ":*" after the log group name.
  log_destination = "arn:aws:logs:ap-southeast-2:XXXXXXXXXXX:log-group:REJECT-TRAFFIC-VPC-SHARED-SERVICES"
  # Role the VPC Flow Logs service assumes to write into the log group.
  iam_role_arn    = "${aws_iam_role.management-flow-log-role.arn}"
  vpc_id          = "${aws_vpc.management.id}"
  traffic_type    = "REJECT"
}

The error is in the log_destination. Terraform adds a ":*" to the end of the ARN. I tested this by manually creating the log group in the AWS console, importing it into Terraform, and then running terraform state show to compare the two.

My log groups and streams are now working.
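The following configuration is an added example, not code from the question or either answer. It wires the pieces the answer above relies on together: a log group, a role that vpc-flow-logs.amazonaws.com can assume, a least-privilege write policy, and a flow log whose log_destination is the bare log-group ARN. The resource labels, names and the vpc_id variable are assumptions; the trimsuffix() call strips a trailing ":*" if the provider returns one and is a no-op otherwise, so the same configuration works on provider versions before and after the fix described in the thread. It requires Terraform 0.12 or later.

```hcl
# Added example (not from the original question or answers). Resource labels,
# names and var.vpc_id are assumptions; adjust for your environment.

variable "vpc_id" {
  type        = string
  description = "ID of the VPC whose traffic should be logged"
}

resource "aws_cloudwatch_log_group" "vpc_flow_log" {
  name              = "vpc-flow-log-example" # assumed name
  retention_in_days = 30
}

locals {
  # VPC Flow Logs expects the log-group ARN without a trailing ":*". Older
  # provider versions returned the ARN with that suffix; trimsuffix() removes
  # it when present and leaves an already-bare ARN unchanged.
  log_group_arn = trimsuffix(aws_cloudwatch_log_group.vpc_flow_log.arn, ":*")
}

# Trust policy: only the VPC Flow Logs service may assume the role.
data "aws_iam_policy_document" "flow_log_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_log" {
  name               = "vpc-flow-log-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.flow_log_assume_role.json
}

# Write policy scoped to this log group and its streams instead of "*".
data "aws_iam_policy_document" "flow_log_write" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
    ]
    resources = [
      local.log_group_arn,
      "${local.log_group_arn}:*",
    ]
  }

  statement {
    # DescribeLogGroups does not support resource-level scoping.
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "flow_log" {
  name   = "vpc-flow-log-policy" # assumed name
  role   = aws_iam_role.flow_log.id
  policy = data.aws_iam_policy_document.flow_log_write.json
}

resource "aws_flow_log" "example" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  iam_role_arn         = aws_iam_role.flow_log.arn
  log_destination_type = "cloud-watch-logs"
  log_destination      = local.log_group_arn # bare ARN, no ":*"
}
```

To confirm which form the provider is handing you, run terraform state show aws_cloudwatch_log_group.vpc_flow_log after apply and look at the arn attribute, which is the same comparison the answer above describes. The flow log's delivery status and last error are visible with aws ec2 describe-flow-logs (the FlowLogStatus and DeliverLogsErrorMessage fields); an "Access error" that appears only after several minutes indicates the first delivery attempt failed, so give it that long before deciding a change worked.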


So it turned out to be a bug in Terraform. It seems the issue https://github.com/terraform-providers/terraform-provider-aws/issues/6373 will be resolved in the next version, 1.43.0, of the AWS provider.