
aws_cloudwatch_log_group does not destroy #1019

Closed
agaudreault opened this issue Sep 22, 2020 · 4 comments

Comments

@agaudreault

agaudreault commented Sep 22, 2020

I have issues

I'm submitting a...

  • bug report
  • feature request
  • support request - read the FAQ first!
  • kudos, thank you, warm fuzzy

What is the current behavior?

After a cluster have been destroyed, trying to recreate the cluster will fail with

Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/eks/<cluster_name>/cluster' already exists.

  on .terraform/modules/eks/cluster.tf line 1, in resource "aws_cloudwatch_log_group" "this":
   1: resource "aws_cloudwatch_log_group" "this" {

If this is a bug, how to reproduce? Please include a code sample if relevant.

  1. terraform init
  2. terraform apply
  3. terraform destroy
  4. repeat

What's the expected behavior?

If terraform creates the log group, the cluster should not have the permission to create it if it does not exist.

Are you able to fix this problem and submit a PR? Link here if you have already.

This is related to hashicorp/terraform-provider-aws#14057 and removing the logs:CreateLogGroup permission might fix the issue.

Workaround

Either terraform import the current log group, or delete it manually.

Environment details

  • Affected module version: v12.2.0
  • OS: macOS
  • Terraform version: 0.12.24

Any other relevant info
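
As an added example (not code from the issue or the terraform-aws-eks module), a pre-apply check that implements the import half of the workaround above: it looks for a log group that EKS recreated after the last destroy and imports it into state, so the module's retention and KMS settings are re-applied on the next apply instead of the apply failing on ResourceAlreadyExistsException. The resource address module.eks.aws_cloudwatch_log_group.this[0] is an assumption (module instantiated as "eks", count-based log group resource), as is having the aws and terraform CLIs on PATH.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or the terraform-aws-eks module.
# Assumes: aws + terraform on PATH, run from the root module directory, and
# that the log group lives at the address below (assumption).
set -eu

LOG_GROUP_ADDR="module.eks.aws_cloudwatch_log_group.this[0]"

# EKS control-plane log group name for a cluster: /aws/eks/<cluster_name>/cluster
log_group_name() {
  printf '/aws/eks/%s/cluster' "$1"
}

# Pure decision logic, testable without AWS.
#   $1 = cluster name
#   $2 = output of "terraform state list" (one address per line)
#   $3 = existing CloudWatch log group names (one per line)
# Prints: managed (already in state), import (exists but unmanaged) or create.
plan_action() {
  local name state_list existing
  name="$(log_group_name "$1")"
  state_list="$2"
  existing="$3"
  # -F: the address contains "[0]", which must not be read as a regex
  if printf '%s\n' "$state_list" | grep -qxF -- "$LOG_GROUP_ADDR"; then
    echo managed
  elif printf '%s\n' "$existing" | grep -qxF -- "$name"; then
    echo import
  else
    echo create
  fi
}

# Wrapper that queries CloudWatch Logs for groups under the cluster's prefix.
existing_log_groups() {
  aws logs describe-log-groups --log-group-name-prefix "$(log_group_name "$1")" \
    --query 'logGroups[].logGroupName' --output text | tr '\t' '\n'
}

# Run before "terraform apply": import the leftover group if EKS recreated it.
reconcile_log_group() {
  local cluster="$1" action
  action="$(plan_action "$cluster" "$(terraform state list 2>/dev/null || true)" \
                        "$(existing_log_groups "$cluster")")"
  case "$action" in
    import) terraform import "$LOG_GROUP_ADDR" "$(log_group_name "$cluster")" ;;
    *)      echo "log group for $cluster: $action, nothing to import" ;;
  esac
}
```

Usage: `reconcile_log_group <cluster_name>` followed by the normal `terraform apply`; the imported group then picks up the module's retention_in_days on that apply.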

@dpiddockcmp
Contributor

The problem here, in my experience, is that the cloudwatch log group is deleted by Terraform but the EKS service continues to write logs after claiming to have been completely shut down. You end up with the log group recreated without an expiry policy set.

We cannot just revoke logs:CreateLogGroup policy permission as it's part of the AWS managed policy attached to the AWS Service Role. It cannot be modified.

I don't think there's anything we, as a terraform module, can do here. The aws provider issue you linked to was closed because there's nothing they can do either. You can try raising an issue on the containers-roadmap to see if there's anything the AWS team itself can do.

@stale

stale bot commented Dec 22, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 22, 2020
@stale

stale bot commented Jan 21, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 23, 2022