terraform-provider-aws: [Bug]: AWS Flow Log + CloudWatch

Terraform Core Version

1.3.7

AWS Provider Version

4.53

Affected Resource(s)

  • aws_flow_log

Expected Behavior

Following the example given in the AWS Flow Log documentation, when I try to create this resource using Terraform, I get the error described below.

But when you run the TF apply again, it works.

Actual Behavior

module.vpc.aws_flow_log.this[0]: Creating...
╷
│ Error: creating Flow Log (vpc-XXXXXXXXX): InvalidParameter: Unable to assume given IAM role: 'arn:aws:iam::ACCOUNT_ID:role/example'
│       status code: 400, request id: xxxxxxxx-yyyy-xxxx-yyyy-xxxxxxxxxxxxx
│
│   with module.vpc.aws_flow_log.this[0],
│   on ../modules/aws/vpc/aws_vpc_flow_log.tf line 110, in resource "aws_flow_log" "this":
│  110: resource "aws_flow_log" "this" {
│
╵

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_flow_log" "example" {
  iam_role_arn    = aws_iam_role.example.arn
  log_destination = aws_cloudwatch_log_group.example.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.example.id
}

resource "aws_cloudwatch_log_group" "example" {
  name = "example"
}

resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "example" {
  name = "example"
  role = aws_iam_role.example.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Steps to Reproduce

Set up a VPC Flow Log on a VPC using the documentation example.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 26
  • Comments: 15

Most upvoted comments

Our solution, although not ideal, was to use TF’s intrinsic “sleep_time” coupled with the “depends_on” resource to make sure the policy exists before creating the aws_flow_log resource.

It is the same concept as the OP @marcel-mattr is using, but without the need to fork and use the aws cli.

The delay for us doesn’t add much overhead since there’s other time consuming resources within our infra, but your mileage or disdain for sleep may vary.

For anyone that doesn’t mind a little depends_on sleep hack, this is what we cobbled together from the docs.

resource "time_sleep" "wait" {
  create_duration = "30s"
}

resource "aws_flow_log" "vpc_flow_log" {
...
  depends_on = [
    time_sleep.wait
  ]
}

Although, now that I see @present-lee's non-sleep solution with multiple depends_on resources, perhaps we should give that a try @jmayhill1.

Sources:
https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep
https://developer.hashicorp.com/terraform/language/meta-arguments/depends_on
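The OP's documentation configuration and the time_sleep workaround above, combined into one complete configuration as an added example (this is not code from the issue, from the AWS provider, or from the hashicorp/time docs). It goes slightly beyond the thread: the sleep is ordered after the inline policy rather than after the role alone, the trust policy carries aws:SourceAccount / aws:SourceArn conditions so only flow logs from this account can assume the role, and the permissions policy is scoped to the one log group instead of "*" so a misused role cannot write into other log groups. The resource names, the 10.0.0.0/16 CIDR, the 30s delay, the 90-day retention and the decision to keep logs:Describe* on "*" are assumptions.

```hcl
# Added example, not from the issue or the provider. Assumes AWS provider 4.x
# (aws_cloudwatch_log_group.arn without a trailing ":*") and the hashicorp/time provider.
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" }
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16" # constructed sample VPC (assumption)
}

resource "aws_cloudwatch_log_group" "example" {
  name              = "/aws/vpc/example" # assumption
  retention_in_days = 90                 # assumption
}

# Trust policy: only the VPC Flow Logs service, and only for flow logs created in
# this account and region (confused-deputy guard via aws:SourceAccount / aws:SourceArn).
data "aws_iam_policy_document" "assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*"]
    }
  }
}

resource "aws_iam_role" "example" {
  name               = "example-vpc-flow-logs" # assumption
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Permissions: write access limited to the flow log's own group and its streams.
# logs:CreateLogGroup is dropped because Terraform creates the group itself.
data "aws_iam_policy_document" "logs" {
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = [
      aws_cloudwatch_log_group.example.arn,
      "${aws_cloudwatch_log_group.example.arn}:*",
    ]
  }
  statement {
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"] # kept account-wide as a deliberate compromise (assumption)
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "example" {
  name   = "example-vpc-flow-logs" # assumption
  role   = aws_iam_role.example.id
  policy = data.aws_iam_policy_document.logs.json
}

# IAM is eventually consistent: wait after the policy is attached, not just after
# the role exists. The sleep is re-created whenever the policy text changes.
resource "time_sleep" "iam_propagation" {
  create_duration = "30s" # assumption; tune for your account
  depends_on      = [aws_iam_role_policy.example]
  triggers = {
    role_policy = aws_iam_role_policy.example.policy
  }
}

resource "aws_flow_log" "example" {
  iam_role_arn    = aws_iam_role.example.arn
  log_destination = aws_cloudwatch_log_group.example.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.example.id

  depends_on = [time_sleep.iam_propagation]
}
```

The ordering that matters is role -> inline policy -> sleep -> flow log; a depends_on on the role alone (as some comments below tried) still races the policy attachment, and a sleep placed before the policy is attached waits for nothing. Scoping the resources also means a later plan shows a diff if someone widens the policy back to "*".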

This might be related https://stackoverflow.com/a/53183325.

I created my flow log through the console and imported it. terraform plan shows:

  # module.network.aws_flow_log.vpc must be replaced
-/+ resource "aws_flow_log" "vpc" {
      ~ arn                      = "arn:aws:ec2:us-east-2:123456789:vpc-flow-log/fl-0751b9c0b4d94da72" -> (known after apply)
      ~ id                       = "fl-0751b9c0b4d94da72" -> (known after apply)
      + log_destination          = "arn:aws:logs:us-east-2:123456789:log-group:/aws/vpc/dev-primary" # forces replacement
      ~ log_format               = "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}" -> (known after apply)
      ~ log_group_name           = "/aws/vpc/dev-primary" -> (known after apply)
      - tags                     = {} -> null
      ~ tags_all                 = {} -> (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

If I instead specify the deprecated log_group_name argument instead of log_destination, terraform plan gives me a deprecation warning but says the configuration matches.

I am also facing the same issue. Adding a delay is not a good solution for a production script. Does anyone know why it suddenly started giving this error? The same script was working fine until 8 February 2023.

@jmayhill1 I tried depends_on in the flow log resource for the IAM role and policy, but it still failed with the same error, so depends_on inside the resource is not working. I have raised a ticket with AWS support, but they are also not able to answer, as from the console we are able to create it; still waiting for feedback from AWS. If anyone knows an alternate way, please suggest.

Also facing this issue, however I am using an application which generates terraform configurations and there doesn’t seem to be a way using this application to add a sleep command. So if anybody else has a suggestion for how to work around this, I would appreciate it!

Also +1 to the suggestion that there seems to be a bug on the AWS side. Anybody know where we can open a bug to get this checked?

My team uses slightly earlier versions of Terraform Core and the AWS Provider and sees the same results as described in the original post. We saw a few sporadic failures in the last few months, but now it is almost every request. We’re looking at the local exec sleep “hack”, but thinking about trying depends_on first as in the example here: https://developer.hashicorp.com/terraform/language/v1.1.x/meta-arguments/depends_on. Has anyone tried it?