trussworks/terraform-aws-cloudtrail

CloudTrail can't validate ARN of CloudWatch Logs LogGroup

Closed this issue · 2 comments

Hello, I'm using aws provider 3.37 and I tested on Terraform 12.29 and 12.31. When trying to apply this module, it pretends to replace the cloudwatch_log ARN:

```
resource "aws_cloudtrail" "main" {
        arn                           = "arn:aws:cloudtrail:::trail/cloudtrail"
      ~ cloud_watch_logs_group_arn    = "arn:aws:logs:::log-group:cloudtrail:*" -> "arn:aws:logs:::log-group:cloudtrail"
        cloud_watch_logs_role_arn     = "arn:aws:iam:::role/cloudtrail-cloudwatch-logs-role"
```

This throws an error about CloudTrail being unable to validate the CloudWatch Logs ARN (hashicorp/terraform-provider-aws#14557).
According to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#cloud_watch_logs_group_arn the solution is to replace:
`cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail.arn`
with:
`cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"`
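The fix described above, as an added example of a minimal CloudTrail-to-CloudWatch Logs wiring (this is not the module's own code or the reporter's configuration); the resource names, the 90-day retention and the S3 bucket name are assumptions:

```hcl
# Added example, not the module's code: CloudTrail delivering to a CloudWatch Logs group
# through a least-privilege role, with the ":*" suffix the provider expects on the group ARN.
resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "cloudtrail" # assumed name
  retention_in_days = 90           # assumed retention
}

data "aws_iam_policy_document" "cloudtrail_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "cloudtrail_logs" {
  name               = "cloudtrail-cloudwatch-logs-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
}

# Only the two actions CloudTrail needs, scoped to the streams of this one log group.
data "aws_iam_policy_document" "cloudtrail_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.cloudtrail.arn}:*"]
  }
}

resource "aws_iam_role_policy" "cloudtrail_logs" {
  role   = aws_iam_role.cloudtrail_logs.id
  policy = data.aws_iam_policy_document.cloudtrail_logs.json
}

resource "aws_cloudtrail" "main" {
  name           = "cloudtrail"               # assumed name
  s3_bucket_name = "example-cloudtrail-bucket" # assumed; must exist with a CloudTrail bucket policy

  # CloudTrail stores the group ARN with a trailing ":*". Passing the bare
  # aws_cloudwatch_log_group ARN makes every plan try to rewrite that value,
  # which the API rejects; appending ":*" matches what CloudTrail reports back.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_logs.arn

  enable_log_file_validation = true # tamper-evident digests for the delivered log files
  is_multi_region_trail      = true
}
```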

This has already been fixed for 0.13 and greater. We are likely going to be dropping support for 0.12 as it's more than two releases behind stable (0.15). Is there any chance you'll be able to upgrade?

Our versions support policy is to ensure we support Terraform's stable and previous stable versions. At this point, 0.12 is 4 releases behind so we won't be backporting this fix. If you still have an issue with Terraform 1.0 or 0.15, please reopen this issue.