terraform-aws-vpc
when using an existing cloudwatch log group for flow logs, `vpc_flow_log_cloudwatch` policy breaks
Description
When using this module with a pre-existing CloudWatch log group as the flow log destination, the recent change in 5.12 that attempts to make the flow log policy least-privilege results in an invalid policy document (because there are no resources in the policy).
- [x] ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [5.12+]:
- Terraform version: 1.7.5
- Provider version(s): aws v5.62.0 vpc v5.13.0
Reproduction Code [Required]
```hcl
data "aws_availability_zones" "available" {}

locals {
  availability_zones = [
    data.aws_availability_zones.available.names[0],
    data.aws_availability_zones.available.names[1],
    data.aws_availability_zones.available.names[2]
  ]
  vpc_name         = "my-network"
  vpc_cidr         = "10.2.0.0/16"
  database_subnets = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"]
  intra_subnets    = ["10.2.100.0/24"]
  public_subnets   = ["10.2.200.0/28", "10.2.200.16/28"]
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.13.0"

  name = local.vpc_name
  azs  = local.availability_zones
  cidr = local.vpc_cidr

  database_subnets = local.database_subnets
  intra_subnets    = local.intra_subnets
  public_subnets   = local.public_subnets

  create_database_subnet_route_table = true
  enable_dns_hostnames               = true
  enable_dns_support                 = true
  map_public_ip_on_launch            = false
  manage_default_security_group      = false
  manage_default_route_table         = false
  manage_default_network_acl         = false

  enable_flow_log                     = true
  create_flow_log_cloudwatch_iam_role = true
  flow_log_destination_arn            = "some existing log group ARN goes here"
}
```
Steps to reproduce the behavior:
You would likely have to run the repro code with version 5.11.0 (or something else less than 5.12.0) in order for it to run successfully and create everything. Then, you would re-run with 5.12.0 or higher.
Expected behavior
The module should not generate a change that results in an invalid policy document.
Actual behavior
The module attempts to entirely remove the resources list from the policy, which yields an invalid policy document -- applying this fails.
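The failure described above is an IAM policy whose `Resource` list ends up empty, which IAM rejects at apply time. The following is an added example, not code from terraform-aws-vpc or from the reporter: a small linter that flags the two ways a flow-log policy goes wrong (an empty `Resource` list as in this issue, and the opposite over-correction of `Resource: "*"`), plus a builder that produces a least-privilege statement scoped to an existing log group ARN. The sample "broken" policy is constructed to mirror the shape of the bug, not copied from the module's output; the action list is the set AWS documents for flow logs delivering to an existing CloudWatch log group (`logs:CreateLogGroup` is omitted on the assumption that the group already exists), and the ARN regex is a deliberately strict approximation of the CloudWatch log group ARN format.

```python
"""Lint an IAM policy document for flow-log delivery to CloudWatch Logs and
build a least-privilege statement for a pre-existing log group.

Added example; not part of terraform-aws-vpc. BROKEN_POLICY is a constructed
sample shaped like the failure in the issue (empty Resource list).
"""
import re

# Actions VPC Flow Logs needs on an existing CloudWatch Logs destination
# (assumption: taken from the AWS flow-log IAM documentation; CreateLogGroup
# is intentionally left out because the log group already exists).
FLOW_LOG_ACTIONS = [
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
]

# Strict approximation of a CloudWatch log group ARN, with or without ":*".
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:aws[\w-]*:logs:[a-z0-9-]+:\d{12}:log-group:[^:]+(:\*)?$"
)

# Constructed sample: what an "everything scoped to created resources"
# policy degenerates to when no log group is created by the module.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": FLOW_LOG_ACTIONS, "Resource": []},
    ],
}


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return findings as strings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        effect = stmt.get("Effect", "Allow")
        resources = _as_list(stmt.get("Resource"))
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"statement {i}: no Resource/NotResource element")
        elif "Resource" in stmt and not resources:
            # This is the failure mode from the issue: IAM rejects it.
            findings.append(f"statement {i}: Resource is empty (IAM rejects this)")
        if effect == "Allow" and "*" in resources:
            findings.append(f"statement {i}: Allow on Resource '*' is not least privilege")
        if not _as_list(stmt.get("Action")):
            findings.append(f"statement {i}: no Action")
    return findings


def flow_log_policy(log_group_arn: str) -> dict:
    """Least-privilege flow-log statement for an existing log group.

    Scopes the actions to the log group itself and to the log streams the
    flow log will create under it (the ":*" form).
    """
    if not LOG_GROUP_ARN_RE.match(log_group_arn):
        raise ValueError(f"not a CloudWatch log group ARN: {log_group_arn}")
    base = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VpcFlowLogToExistingLogGroup",
            "Effect": "Allow",
            "Action": FLOW_LOG_ACTIONS,
            "Resource": [base, f"{base}:*"],
        }],
    }


if __name__ == "__main__":
    print("broken:", lint_policy(BROKEN_POLICY))
    fixed = flow_log_policy(
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/vpc/flow-logs"
    )
    print("fixed:", lint_policy(fixed), fixed["Statement"][0]["Resource"])
```

Running `lint_policy` over the policy document in a `terraform plan` (for example via `terraform show -json` and the `aws_iam_policy` resource's `policy` attribute) catches the empty-resource case before apply, and `flow_log_policy` shows the shape the module would need to emit when the log group ARN is supplied rather than created.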
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
De-stale thyself
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This is still valid.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
Still relevant.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
Still relevant.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
Still relevant.
Still relevant.
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
Guys, have you wondered why something you want has not been happening for a long time for free?
Consider sponsoring any of these accounts:
- https://github.com/sponsors/terraform-aws-modules
- https://github.com/sponsors/antonbabenko
- https://github.com/sponsors/bryantbiggs
PS: I would appreciate it if you could bring this up with your employer...
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.