CloudTrail can't validate ARN of CloudWatch Logs LogGroup
Closed this issue · 2 comments
Hello, I'm using AWS provider 3.37 and I tested on Terraform 12.29 and 12.31. When trying to apply this module, it tries to replace the cloudwatch_log ARN:

```
resource "aws_cloudtrail" "main" {
arn = "arn:aws:cloudtrail:::trail/cloudtrail"
~ cloud_watch_logs_group_arn = "arn:aws:logs:::log-group:cloudtrail:*" -> "arn:aws:logs:::log-group:cloudtrail"
cloud_watch_logs_role_arn = "arn:aws:iam:::role/cloudtrail-cloudwatch-logs-role"
```
This throws an error related to CloudTrail being unable to validate the cloudwatch_log ARN (hashicorp/terraform-provider-aws#14557).

According to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#cloud_watch_logs_group_arn the solution is to replace:

```
cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
```

with:

```
cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
```
This has already been fixed for 0.13 and greater. We are likely going to be dropping support for 0.12 as it's more than two releases behind stable (0.15). Is there any chance you'll be able to upgrade?
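
A pre-apply check for the condition reported in this issue, as an added example that is not code from the issue, the module or the provider: it reads the JSON form of a plan (`terraform show -json <planfile>`) and flags any `aws_cloudtrail` whose planned `cloud_watch_logs_group_arn` lacks the `:*` suffix. The sample plan is constructed; the status names and the `fixed`, `new` and `old` resource addresses are hypothetical.

```python
import json

SUFFIX = ":*"  # suffix the provider docs say cloud_watch_logs_group_arn must carry

# Constructed sample in the shape of `terraform show -json <planfile>`.
# ARNs are the redacted ones quoted in the issue; .fixed/.new/.old are hypothetical.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
   "change": {"actions": ["update"], "after_unknown": {},
     "after": {"cloud_watch_logs_group_arn": "arn:aws:logs:::log-group:cloudtrail"}}},
  {"address": "aws_cloudtrail.fixed", "type": "aws_cloudtrail",
   "change": {"actions": ["update"], "after_unknown": {},
     "after": {"cloud_watch_logs_group_arn": "arn:aws:logs:::log-group:cloudtrail:*"}}},
  {"address": "aws_cloudtrail.new", "type": "aws_cloudtrail",
   "change": {"actions": ["create"], "after": {},
     "after_unknown": {"cloud_watch_logs_group_arn": true}}},
  {"address": "aws_cloudtrail.old", "type": "aws_cloudtrail",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "aws_cloudwatch_log_group.cloudtrail", "type": "aws_cloudwatch_log_group",
   "change": {"actions": ["no-op"], "after": {"name": "cloudtrail"}, "after_unknown": {}}}
]}
""")

def check_plan(plan):
    """Return (address, status) for every aws_cloudtrail the plan creates or keeps."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "aws_cloudtrail" or change.get("actions") == ["delete"]:
            continue  # other resource types and pure deletions have nothing to check
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        arn = after.get("cloud_watch_logs_group_arn")
        if unknown.get("cloud_watch_logs_group_arn") is True:
            status = "unknown-until-apply"  # computed value, not visible in the plan
        elif not arn:
            status = "no-log-group"         # trail has no CloudWatch Logs delivery set
        elif arn.endswith(SUFFIX):
            status = "ok"
        else:
            status = "missing-suffix"       # the value the issue's plan diff moves to
        findings.append((rc["address"], status))
    return findings

if __name__ == "__main__":
    for address, status in check_plan(SAMPLE_PLAN):
        print(f"{address}: {status}")
```

A `missing-suffix` result can be caught before apply; `unknown-until-apply` means the ARN is computed and has to be checked in the configuration instead.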