[Bug]: Cloudwatch Logs log class is not supported in AWS GovCloud

[pjaudiomv]

Terraform Core Version

1.6.5

AWS Provider Version

5.30.0

Affected Resource(s)

aws_cloudwatch_log_group

Expected Behavior

terraform should not try to add log_group_class to cloudwatch log group resources in GovCloud

Actual Behavior

fails with http 400

Relevant Error/Panic Output Snippet

│ Error: creating CloudWatch Logs Log Group (my-log-group): operation error CloudWatch Logs: CreateLogGroup, https response error StatusCode: 400, RequestID: 4dffd8c0-a5a2-400e-bcf0-b572a479c329, InvalidParameterException: Only Standard log class is supported.
│
│   with aws_cloudwatch_log_group.this,
│   on main.tf line 15, in resource "aws_cloudwatch_log_group" "this":
│   15: resource "aws_cloudwatch_log_group" "this" {

Terraform Configuration Files

provider "aws" {
  region = "us-gov-west-1"
}

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "5.30.0"
    }
  }
}

resource "aws_cloudwatch_log_group" "this" {
  name              = "my-log-group"
}

Steps to Reproduce

Try to apply terraform in Gov Cloud containing either an existing cloudwatch log group resource or a new one

Debug Output

aws_cloudwatch_log_group.this: Creating...
2023-12-08T10:01:36.377-0500 [INFO] Starting apply for aws_cloudwatch_log_group.this
2023-12-08T10:01:36.377-0500 [DEBUG] aws_cloudwatch_log_group.this: applying the planned Create change
2023-12-08T10:01:36.378-0500 [DEBUG] provider.terraform-provider-aws_v5.30.0_x5: [DEBUG] setting computed for "tags_all" from ComputedKeys
2023-12-08T10:01:36.379-0500 [DEBUG] provider.terraform-provider-aws_v5.30.0_x5: HTTP Request Sent: @module=aws tf_aws.sdk=aws-sdk-go-v2 http.request.header.x_amz_date=20231208T150136Z rpc.service="CloudWatch Logs" tf_mux_provider="schema.GRPCProviderServer" tf_req_id=043d3a8f-5c78-716b-73a1-28f16c1b4ca1 rpc.method=CreateLogGroup tf_resource_type=aws_cloudwatch_log_group http.method=POST http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA*ZN76/20231208/us-gov-west-1/logs/aws4_request, SignedHeaders=amz-sdk-invocation-id;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=" http.request.header.x_amz_security_token="" http.url=https://logs.us-gov-west-1.amazonaws.com/ tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange http.request.header.amz_sdk_invocation_id=cf511c21-5079-4f3c-aa84-588f50c557af rpc.system=aws-api tf_aws.signing_region="" http.request.header.content_type=application/x-amz-json-1.1 net.peer.name=logs.us-gov-west-1.amazonaws.com http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.6.3 (+https://www.terraform.io) terraform-provider-aws/5.30.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.23.5 os/macos lang/go#1.20.11 md/GOOS#darwin md/GOARCH#amd64 api/cloudwatchlogs#1.29.3" @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 aws.region=us-gov-west-1
http.request.body=
| {"logGroupClass":"STANDARD","logGroupName":"my-log-group"}
http.request.header.x_amz_target=Logs_20140328.CreateLogGroup http.request_content_length=58 timestamp=2023-12-08T10:01:36.379-0500
2023-12-08T10:01:36.791-0500 [DEBUG] provider.terraform-provider-aws_v5.30.0_x5: HTTP Response Received: rpc.method=CreateLogGroup tf_aws.sdk=aws-sdk-go-v2 http.response.header.date="Fri, 08 Dec 2023 15:01:35 GMT" http.response.header.x_amzn_requestid=7cb71f10-5c62-4c9e-abea-319a21bb8d4e http.response_content_length=88 http.status_code=400 tf_resource_type=aws_cloudwatch_log_group @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 aws.region=us-gov-west-1 http.duration=411
http.response.body=
| {"__type":"InvalidParameterException","message":"Only Standard log class is supported."}
http.response.header.content_type=application/x-amz-json-1.1 tf_rpc=ApplyResourceChange tf_aws.signing_region="" tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=043d3a8f-5c78-716b-73a1-28f16c1b4ca1 @module=aws rpc.service="CloudWatch Logs" rpc.system=aws-api timestamp=2023-12-08T10:01:36.791-0500
2023-12-08T10:01:36.791-0500 [DEBUG] provider.terraform-provider-aws_v5.30.0_x5: request failed with unretryable error https response error StatusCode: 400, RequestID: 7cb71f10-5c62-4c9e-abea-319a21bb8d4e, InvalidParameterException: Only Standard log class is supported.: rpc.method=CreateLogGroup tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange rpc.service="CloudWatch Logs" rpc.system=aws-api tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=043d3a8f-5c78-716b-73a1-28f16c1b4ca1 @module=aws tf_aws.sdk=aws-sdk-go-v2 tf_resource_type=aws_cloudwatch_log_group @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 aws.region=us-gov-west-1 timestamp=2023-12-08T10:01:36.791-0500
2023-12-08T10:01:36.792-0500 [ERROR] provider.terraform-provider-aws_v5.30.0_x5: Response contains error diagnostic: diagnostic_severity=ERROR tf_req_id=043d3a8f-5c78-716b-73a1-28f16c1b4ca1 tf_proto_version=5.4 @module=sdk.proto tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_cloudwatch_log_group @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_summary="creating CloudWatch Logs Log Group (my-log-group): operation error CloudWatch Logs: CreateLogGroup, https response error StatusCode: 400, RequestID: 7cb71f10-5c62-4c9e-abea-319a21bb8d4e, InvalidParameterException: Only Standard log class is supported." tf_rpc=ApplyResourceChange timestamp=2023-12-08T10:01:36.791-0500
2023-12-08T10:01:36.818-0500 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2023-12-08T10:01:36.818-0500 [ERROR] vertex "aws_cloudwatch_log_group.this" error: creating CloudWatch Logs Log Group (my-log-group): operation error CloudWatch Logs: CreateLogGroup, https response error StatusCode: 400, RequestID: 7cb71f10-5c62-4c9e-abea-319a21bb8d4e, InvalidParameterException: Only Standard log class is supported.
╷
│ Error: creating CloudWatch Logs Log Group (my-log-group): operation error CloudWatch Logs: CreateLogGroup, https response error StatusCode: 400, RequestID: 7cb71f10-5c62-4c9e-abea-319a21bb8d4e, InvalidParameterException: Only Standard log class is supported.
│
│ with aws_cloudwatch_log_group.this,
│ on main.tf line 14, in resource "aws_cloudwatch_log_group" "this":
│ 14: resource "aws_cloudwatch_log_group" "this" {
│
╵
2023-12-08T10:01:36.850-0500 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-12-08T10:01:36.860-0500 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/5.30.0/darwin_amd64/terraform-provider-aws_v5.30.0_x5 pid=25975
2023-12-08T10:01:36.860-0500 [DEBUG] provider: plugin exited

Panic Output

No response

Important Factoids

I tried to set log_group_class = null but that didnt help either as default is standard and it still makes request with parameter

References

https://aws.amazon.com/about-aws/whats-new/2023/11/amazon-cloudwatch-logs-infrequent-access-log-class/ specifically calls out only supported in Commercial regions

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ewbankkit]

Similar: #34809.
Relates #34679.

[ewbankkit]

Running acceptance test in GovCloud:

% make testacc TESTARGS='-run=TestAccLogsGroup_basic' PKG=logs
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/logs/... -v -count 1 -parallel 20  -run=TestAccLogsGroup_basic -timeout 360m
=== RUN   TestAccLogsGroup_basic
=== PAUSE TestAccLogsGroup_basic
=== CONT  TestAccLogsGroup_basic
    vcr.go:428: Step 1/2 error: Error running apply: exit status 1
        
        Error: creating CloudWatch Logs Log Group (tf-acc-test-7541597066803148292): operation error CloudWatch Logs: CreateLogGroup, https response error StatusCode: 400, RequestID: ce6c92ff-ebae-46dc-8483-86a8b69c288d, InvalidParameterException: Only Standard log class is supported.
        
          with aws_cloudwatch_log_group.test,
          on terraform_plugin_test.tf line 12, in resource "aws_cloudwatch_log_group" "test":
          12: resource "aws_cloudwatch_log_group" "test" {
        
--- FAIL: TestAccLogsGroup_basic (7.12s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-aws/internal/service/logs	12.900s
FAIL
make: *** [testacc] Error 1

[github-actions]

This functionality has been released in v5.31.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.