when using an existing cloudwatch log group for flow logs, vpc_flow_log_cloudwatch policy breaks

[danielmklein]

Description

When using this module with a pre-existing cloudwatch log groups to be used for the flow log destination, the recent change in 5.12 that attempts to make the flow log policy least-privilege results in an invalid policy document (because there are no resources in the policy).

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [5.12+]:

• Terraform version:
  1.7.5

• Provider version(s):
  aws v5.62.0
  vpc v5.13.0

Reproduction Code [Required]

data "aws_availability_zones" "available" {}

locals {
  availability_zones = [
    data.aws_availability_zones.available.names[0],
    data.aws_availability_zones.available.names[1],
    data.aws_availability_zones.available.names[2]
  ]
  vpc_name         = "my-network"
  vpc_cidr         = "10.2.0.0/16"
  database_subnets = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"]
  intra_subnets    = ["10.2.100.0/24"]
  public_subnets   = ["10.2.200.0/28", "10.2.200.16/28"]
}

module "vpc" {
  source           = "terraform-aws-modules/vpc/aws"
  version          = "5.13.0"
  name             = local.vpc_name
  azs              = local.availability_zones
  cidr             = local.vpc_cidr
  database_subnets = local.database_subnets
  intra_subnets    = local.intra_subnets
  public_subnets   = local.public_subnets

  create_database_subnet_route_table = true

  enable_dns_hostnames = true
  enable_dns_support   = true

  map_public_ip_on_launch       = false
  manage_default_security_group = false
  manage_default_route_table    = false
  manage_default_network_acl    = false

  enable_flow_log                     = true
  create_flow_log_cloudwatch_iam_role = true
  flow_log_destination_arn            = "some existing log group ARN goes here"
}

Steps to reproduce the behavior:

You would likely have to run the repro code with version 5.11.0 (or something else less than 5.12.0) in order for it to run successfully and create everything. Then, you would re-run with 5.12.0 or higher.

Expected behavior

The module should not generate a change that results in an invalid policy document.

Actual behavior

The module attempts to entirely remove the resources list from the policy, which yields an invalid policy document -- applying this fails.

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[danielmklein]

De-stale thyself

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[danielmklein]

This is still valid.

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[danielmklein]

Still relevant.

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[danielmklein]

Still relevant.