
[Bug]: Terraform does not destroy cloudwatch log group

Open siriseresha opened this issue 2 years ago • 3 comments

Terraform Core Version

v1.3.7

AWS Provider Version

v4.48.0

Affected Resource(s)

aws_cloudwatch_log_group

Expected Behavior

Terraform should destroy the log groups.

Actual Behavior

Terraform says that it has destroyed the log group, but the log groups are still visible in AWS.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_cloudwatch_log_group" "cw_logs_userlog" {
  name = "/aws/redshift/cluster/sample_redshift_cluster_abc/userlog"
  retention_in_days = 90
  kms_key_id = var.kms_arn
}

Steps to Reproduce

  • Create a service that writes its logs to a log group with a specific name; I used Redshift in my case.
  • Create that log group with Terraform.
  • Encrypt that log group with KMS.

The terraform destroy command will destroy everything, but the log group will still be there.

Debug Output

No response

Panic Output

No response

Important Factoids

Terraform removes the KMS key that is used to encrypt the log group but it does not remove the log group.

Permissions for CreateLogGroup were removed from the Redshift IAM role, and it did not fix the issue.

References

No response

Would you like to implement a fix?

None

siriseresha avatar Feb 03 '23 22:02 siriseresha
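A post-destroy check for the situation this report describes, written as an added example (not code from the issue or the provider): a log group under a Terraform-managed prefix that outlives terraform destroy, while the KMS key Terraform did delete is already pending deletion. The log group, key ARN and key states are constructed sample data shaped like boto3's describe_log_groups and describe_key responses, and the helper name is hypothetical.

```python
"""Flag CloudWatch log groups that survived `terraform destroy`."""

# Constructed sample data (not a real account), shaped like the
# logs.describe_log_groups() and kms.describe_key() responses.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
SAMPLE_LOG_GROUPS = [
    {   # the group from the issue: still present, key already removed by Terraform
        "logGroupName": "/aws/redshift/cluster/sample_redshift_cluster_abc/userlog",
        "kmsKeyId": SAMPLE_KEY_ARN,
        "retentionInDays": 90,
    },
    {   # a group the service recreated itself: no KMS key, no retention set
        "logGroupName": "/aws/redshift/cluster/sample_redshift_cluster_abc/connectionlog",
    },
    {   # unrelated group outside the managed prefix; must be ignored
        "logGroupName": "/aws/lambda/unrelated-function",
        "retentionInDays": 14,
    },
]
# KMS KeyState values as returned by describe_key()["KeyMetadata"]["KeyState"]
SAMPLE_KEY_STATES = {SAMPLE_KEY_ARN: "PendingDeletion"}

# States in which KMS refuses cryptographic operations, so CloudWatch Logs
# can neither ingest new events into the group nor return the existing ones.
UNUSABLE_KEY_STATES = {"PendingDeletion", "Disabled", "Unavailable"}


def orphaned_log_groups(log_groups, key_states, managed_prefixes):
    """Return (name, reason) for every group under a managed prefix.

    After a destroy, anything this returns is a leftover: Terraform believes
    it is gone, so it is neither retention-managed nor tracked in state.
    """
    findings = []
    for group in log_groups:
        name = group["logGroupName"]
        if not any(name.startswith(prefix) for prefix in managed_prefixes):
            continue
        key = group.get("kmsKeyId")
        if key is None:
            # Recreated by the service rather than by Terraform: the group
            # lost the KMS encryption and retention the resource block set.
            reason = "recreated unencrypted, retention never expires"
        elif key_states.get(key) in UNUSABLE_KEY_STATES:
            reason = f"encrypted with a KMS key in state {key_states[key]}"
        else:
            reason = "still present after destroy"
        findings.append((name, reason))
    return findings
```

Run it against real output by feeding the paginated results of describe_log_groups and a describe_key lookup per distinct kmsKeyId; the check itself stays the same.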

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

github-actions[bot] avatar Feb 03 '23 22:02 github-actions[bot]

Reference https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2446

This is a big issue for IaC: the SLR recreates the LG after it should have been destroyed.

cdenneen avatar Feb 23 '23 13:02 cdenneen

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/main.tf#L294-L318

cdenneen avatar Feb 23 '23 13:02 cdenneen

Hi

Also, an issue already exists where this problem was discussed before in the EKS module: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1019#issuecomment-697201414

Probably avoiding cluster log group creation from Terraform and letting Fluentbit take care of logging could be a workaround.

CarlosBrunoE avatar Nov 11 '23 17:11 CarlosBrunoE

I tried everything I could think of:

  • Implicit dependency by specifying the log_group in the Lambda function's logging_config.
  • Explicit dependency by providing the aws_cloudwatch_log_group resource as a depends_on meta-argument in the aws_lambda_function.
  • Explicitly set the skip_destroy argument to false in the aws_cloudwatch_log_group resource.

Nothing worked. It's simply impossible to destroy an aws_cloudwatch_log_group.

garysassano avatar Mar 17 '24 10:03 garysassano