Error creating CloudTrail with terraform

I’m getting this error while trying to create a cloudtrail in terraform:

**Error:** **Error creating CloudTrail: InvalidCloudWatchLogsLogGroupArnException: 
Access denied. Check the permissions for your role.** on 
../../../Modules/security_base/ line 1, in resource "aws_cloudtrail" 
"cloudtrail_default": 1: resource "aws_cloudtrail" "cloudtrail_default" {

I’m not sure how to check the value of the CloudWatchLogsLogGroupArn for this particular block, but another region in the same account (using the same module code) outputs a valid ARN that looks how I would expect:

**cloudtrail_logs_arn = [** **"arn:aws:logs:us-east-1:account number redacted:log- 
group:account name redacted:*",**

I did verify the CloudWatchLogsLogGroup was created properly and exists. I’ve tried running terraform several times in a row, just to be sure the order of creation wasn’t interfering. I’m at a complete loss of what is causing this. The AWS documentation states the error as:

This exception is thrown when the provided CloudWatch log group is not valid.
HTTP Status Code: 400

But the “access denied” message is throwing me off. The account I’m using to run the terraform code has admin access to everything.

Here is my code:

resource "aws_cloudtrail" "cloudtrail_default" {
  count                      = var.enable_cloudtrail ? 1 : 0
  name                       = var.account_name
  is_multi_region_trail      = var.multi_region_trail
  s3_bucket_name             = var.bucket_name
  enable_logging             = var.enable_logging
  enable_log_file_validation = var.enable_log_file_validation
  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.log_group_default[0].arn
  cloud_watch_logs_role_arn  = 
  tags                       = merge(var.tags)

  lifecycle {
    ignore_changes = [event_selector]

resource "aws_cloudwatch_log_group" "log_group_default" {
  count = var.enable_cloudtrail ? 1 : 0
  name  = var.cloudwatch_log_group

resource "aws_sns_topic" "sns_topic_default" {
  count = var.enable_cloudtrail ? 1 : 0
  name   = var.sns_topic
  policy = data.aws_iam_policy_document.cloudtrail_alarm_policy.json

This is in the state file, and the ARN matches what is in AWS:

module: "module.security_base",
mode: "managed",
type: "aws_cloudwatch_log_group",
name: "log_group_default",
each: "list",
provider: "",
instances: [
  index_key: 0,
  schema_version: 0,
  attributes: {
    arn: "arn:aws:logs:ap-southeast-1:account number redacted:log-group:account name 

Any help would be appreciated