I’m getting this error while trying to create a CloudTrail in Terraform:

```
Error: Error creating CloudTrail: InvalidCloudWatchLogsLogGroupArnException: Access denied. Check the permissions for your role.

  on ../../../Modules/security_base/cloudwatch.tf line 1, in resource "aws_cloudtrail" "cloudtrail_default":
   1: resource "aws_cloudtrail" "cloudtrail_default" {
```
I’m not sure how to check the value of the `CloudWatchLogsLogGroupArn` for this particular block, but another region in the same account (using the same module code) outputs a valid ARN that looks how I would expect:

```
cloudtrail_logs_arn = [
  "arn:aws:logs:us-east-1:account number redacted:log-group:account name redacted:*",
]
```
I did verify that the CloudWatch Logs log group was created properly and exists. I’ve tried running Terraform several times in a row, just to be sure the order of creation wasn’t interfering. I’m at a complete loss as to what is causing this. The AWS documentation describes the error as:

> **InvalidCloudWatchLogsLogGroupArnException**
> This exception is thrown when the provided CloudWatch log group is not valid.
> HTTP Status Code: 400

But the “Access denied” message is throwing me off. The account I’m using to run the Terraform code has admin access to everything.
Here is my code:
```hcl
resource "aws_cloudtrail" "cloudtrail_default" {
  count                      = var.enable_cloudtrail ? 1 : 0
  name                       = var.account_name
  is_multi_region_trail      = var.multi_region_trail
  s3_bucket_name             = var.bucket_name
  enable_logging             = var.enable_logging
  enable_log_file_validation = var.enable_log_file_validation

  # Log group created below; CloudTrail expects the ARN to end in ":*"
  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.log_group_default[0].arn
  # Role CloudTrail assumes to write to the log group; comes from the IAM stack's remote state
  cloud_watch_logs_role_arn  = data.terraform_remote_state.iam.outputs.AWS_CLOUDTRAIL_ROLE

  tags = merge(var.tags)

  lifecycle {
    ignore_changes = [event_selector]
  }
}

resource "aws_cloudwatch_log_group" "log_group_default" {
  count = var.enable_cloudtrail ? 1 : 0
  name  = var.cloudwatch_log_group
}

resource "aws_sns_topic" "sns_topic_default" {
  count  = var.enable_cloudtrail ? 1 : 0
  name   = var.sns_topic
  policy = data.aws_iam_policy_document.cloudtrail_alarm_policy.json
}
```
resource "aws_sns_topic" "sns_topic_default" {
count = var.enable_cloudtrail ? 1 : 0
name = var.sns_topic
policy = data.aws_iam_policy_document.cloudtrail_alarm_policy.json
}
This is in the state file, and the ARN matches what is in AWS:
```json
{
  "module": "module.security_base",
  "mode": "managed",
  "type": "aws_cloudwatch_log_group",
  "name": "log_group_default",
  "each": "list",
  "provider": "provider.aws",
  "instances": [
    {
      "index_key": 0,
      "schema_version": 0,
      "attributes": {
        "arn": "arn:aws:logs:ap-southeast-1:account number redacted:log-group:account name redacted:*",
```
Any help would be appreciated
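For anyone hitting the same error, here is an offline check I find useful before re-running Terraform. It is added example code, not the poster's module and not anything from the AWS provider. CloudTrail creates log streams inside the log group it is given, so the role passed as `cloud_watch_logs_role_arn` must be assumable by `cloudtrail.amazonaws.com` and must allow `logs:CreateLogStream` and `logs:PutLogEvents` on streams in that group, and the group must live in the region the trail is created in. The script below evaluates a role's trust and permission policies against a log group ARN with IAM-style wildcard matching (explicit Deny wins, actions case-insensitive, resource ARNs case-sensitive, `Condition` blocks ignored, so it is a static check rather than a full IAM simulation). The account ID, log group name and both permission policies are constructed placeholders; the stream name form `ACCOUNT_CloudTrail_REGION` is taken from AWS's sample CloudTrail-to-CloudWatch policy and is an assumption of this example.

```python
"""Static check that an IAM role can deliver CloudTrail events to a CloudWatch Logs group.

Added example, not the original poster's code. Account IDs, names and
policies below are constructed for illustration.
"""
import re

REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive=False):
    # IAM wildcard grammar: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _any_match(patterns, value, case_insensitive=False):
    return any(_wildcard_match(p, value, case_insensitive) for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """Evaluate one action on one resource ARN: an explicit Deny wins, otherwise
    any matching Allow grants. Condition blocks are ignored (static check)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not (_any_match(stmt.get("Action"), action, True)
                and _any_match(stmt.get("Resource"), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trusts_cloudtrail(trust_policy):
    """True if an Allow statement lets cloudtrail.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and CLOUDTRAIL_SERVICE in services
                and _any_match(stmt.get("Action"), "sts:AssumeRole", True)):
            return True
    return False


def check_cloudtrail_logs_role(trust_policy, permission_policy, log_group_arn, trail_region):
    """Return a list of findings; an empty list means every static check passed."""
    findings = []
    parts = log_group_arn.split(":")
    # Expected shape: arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*
    if len(parts) < 8 or parts[2] != "logs" or parts[5] != "log-group" or parts[-1] != "*":
        findings.append("log group ARN is not of the form arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*")
        return findings
    region, account = parts[3], parts[4]
    group_name = ":".join(parts[6:-1])
    if region != trail_region:
        findings.append(f"log group is in {region} but the trail is being created in {trail_region}")
    if not trusts_cloudtrail(trust_policy):
        findings.append(f"role trust policy does not allow {CLOUDTRAIL_SERVICE} to assume it")
    # Representative stream ARN. Stream name form is an assumption taken from AWS's sample policy.
    stream_arn = (f"arn:aws:logs:{region}:{account}:log-group:{group_name}"
                  f":log-stream:{account}_CloudTrail_{region}")
    for action in REQUIRED_ACTIONS:
        if not policy_allows(permission_policy, action, stream_arn):
            findings.append(f"role policy does not allow {action} on {stream_arn}")
    return findings


# Constructed sample inputs (account 123456789012, log group "acme-prod").
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "sts:AssumeRole"}]}

# Grant pinned to a us-east-1 log group: a trail in any other region cannot use it.
REGION_PINNED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS),
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:acme-prod:log-stream:*"}]}

# Same grant with the region wildcarded so one role serves every regional trail.
ALL_REGIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS),
     "Resource": "arn:aws:logs:*:123456789012:log-group:acme-prod:log-stream:*"}]}

APSE1_GROUP_ARN = "arn:aws:logs:ap-southeast-1:123456789012:log-group:acme-prod:*"

if __name__ == "__main__":
    for label, policy in (("region-pinned", REGION_PINNED_POLICY), ("all-regions", ALL_REGIONS_POLICY)):
        result = check_cloudtrail_logs_role(TRUST_POLICY, policy, APSE1_GROUP_ARN, "ap-southeast-1")
        print(f"{label}: {result or 'OK'}")
```

To run it against a real role, paste the output of `aws iam get-role` (the `AssumeRolePolicyDocument`) and `aws iam get-role-policy` (the `PolicyDocument`) in place of the constructed dictionaries, and pass the log group ARN from your state file together with the region of the provider you are applying in.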