EKS aws_cloudwatch_log_group recreates via stream

cdenneen · October 3, 2023, 8:35pm

So in using the GitHub - terraform-aws-modules/terraform-aws-eks: Terraform module to create an Elastic Kubernetes (EKS) cluster and associated resources 🇺🇦 module I’m having issue, which seems to be seen by many others.

When the cluster is destroyed the log group resource is deleted but there are lingering streams that cause the log group to be recreated.

If a new cluster is now plan/apply with same name it complains because the log group already exists.

The “fix” was to apply a Deny policy to the cluster role so it can’t recreate the log group but that doesn’t appear to be working as expected.

I need a way for when the cluster is deleted it actually deletes the log group. Maybe the cluster shouldn’t depend on the log group and the log group should depend on the cluster?

I’m open to work around suggestions but this is definitely frustrating.

Alternatively if there was a way to upon cluster creation (first plan/apply) it could delete log group if found to avoid the apply from failing that would work to circumvent this problem but a true destroy of the stack (not to be recreated) could/would leave rogue log groups around due to these stream recreating the log group.

cdenneen · October 4, 2023, 12:21am

Issue is with AWSServiceRoleForAmazonEKS actually re-creating the logGroup after it has been deleted so the next time TF runs even though it thought it deleted it it’s already there:

github.com/terraform-aws-modules/terraform-aws-eks

CloudWatch Logs Log Group already exists (even with inline_policy Deny)

opened 08:28PM - 03 Oct 23 UTC

cdenneen

question

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/c7565e265e23cbc6…22041fc153193f490cfe948f/main.tf#L294-L318 _Originally posted by @bryantbiggs in https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2486#issuecomment-1441751885_ So even with the supplied Deny the cluster-recreation complains because the logGroup was still written to. Part of me almost suggests removing the depends_on from eks cluster to the log group and have the log group depend on the cluster. This way when the cluster is actually deleted THEN the log group gets deleted. This will get any last minute streams that might come through and hopefully prevent recreation. @haarchri has this deny still worked for you? I know it was part of your original merge but it seems it keeps happening to me. My alternative would be to avoid creating replacement clusters with ones I just destroyed but this still wouldn't cleanup rogue log groups that should have properly been cleaned up.

Need a way to avoid this issue.

cdenneen · October 4, 2023, 12:44am

Tried to create dependency on the underlying “optional” node_groups but not sure if that will work:

github.com/terraform-aws-modules/terraform-aws-eks

Create dependency in the nodegroups on the aws_cloudwatch_log_group

terraform-aws-modules:master ← cdenneen:cloudwatch_log_group_depends

opened 12:41AM - 04 Oct 23 UTC

cdenneen

+8 -0

Create dependency in the nodegroups on the aws_cloudwatch_log_group. Once the n…odegroup is deleted then the logGroup can. Not sure if this will work 100%. I'd rather do the dependency on the logGroup in the main module but since the node_groups are optional not sure if depends_on can have condition of being there only if the count for those resources exist?

bartles618 · February 14, 2025, 9:03pm

The solution manually delete the log group:

aws logs delete-log-group --log-group-name /aws/eks/log-name/cluster

Topic		Replies	Views
Cloudwatch log group is not deleted while apply terraform destroy AWS	0	621	June 22, 2023
Aws_eks_node_group rolling update AWS k8s	0	548	November 23, 2021
Questions about aws_eks_node_group Terraform	1	773	April 29, 2020
Troubleshooting unreliable ENI destroy (AWS EKS) AWS k8s	2	1860	October 10, 2022
Existing Cloudwatch log group retention policy Terraform	1	2728	February 24, 2022

EKS aws_cloudwatch_log_group recreates via stream

Related topics