CloudWatch LogGroup not destroyed #435

Closed
ahmedfourti opened this issue Apr 20, 2020 · 5 comments
Comments

@ahmedfourti

Hello,

To reproduce this, you can create a VPC with these inputs:

```hcl
  create_flow_log_cloudwatch_log_group      = true
  create_flow_log_cloudwatch_iam_role       = true
  flow_log_cloudwatch_log_group_name_prefix = "/my-log-grou-name/"
```

This will create the VPC, enable the flow log and create the log group as expected.
Then destroy it.
The log group is not destroyed.

However, the destroy command succeeded.

In reality the log group is destroyed when we issue the destroy command... but as the IAM policy contains logs:CreateLogGroup, when a flow log is logged it will create the log group again.

Do we really need that policy? In my opinion no, as the one who applies this module has enough permissions to create it.

@antonbabenko
Member

Hi,

The IAM policy is for AWS Service "vpc-flow-logs.amazonaws.com" and that service needs to have permissions to create log groups and log streams.

Or I didn't understand what you mean?

@ahmedfourti
Author

ahmedfourti commented Apr 20, 2020

Hi,

No, this is not needed as the log group is created while deploying the module in the following resource:

```hcl
resource "aws_cloudwatch_log_group" "flow_log" {
  count = local.create_flow_log_cloudwatch_log_group ? 1 : 0

  name              = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.vpc_id}"
  retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
  kms_key_id        = var.flow_log_cloudwatch_log_group_kms_key_id

  tags = merge(var.tags, var.vpc_flow_log_tags)
}
```

@antonbabenko
Member

I see, and I think you are right - "logs:CreateLogGroup" is not needed in either of the two cases (when the log group is provided or when it is created by the module).
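One way to express that conclusion in Terraform, as an added example that is not part of this issue or of the module's code: a flow-log delivery role whose permissions omit logs:CreateLogGroup and are scoped to the log group created by the resource quoted above. The data source, role and policy names are assumed, and the log group is assumed to exist (count = 1).

```hcl
# Added illustration, not the module's code. Names are assumed.

# Trust policy: only the VPC Flow Logs service may assume this role.
data "aws_iam_policy_document" "flow_log_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

# Delivery permissions: write into the log group Terraform already manages.
# logs:CreateLogGroup is deliberately absent, so a late delivery after
# `terraform destroy` cannot silently recreate the group.
data "aws_iam_policy_document" "flow_log_write" {
  statement {
    sid     = "WriteToManagedLogGroup"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [
      aws_cloudwatch_log_group.flow_log[0].arn,
      "${aws_cloudwatch_log_group.flow_log[0].arn}:*",
    ]
  }

  statement {
    # Read-only describe calls, left unscoped as in the AWS reference policy.
    sid       = "DescribeLogs"
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "flow_log" {
  name_prefix        = "vpc-flow-log-"
  assume_role_policy = data.aws_iam_policy_document.flow_log_assume.json
}

resource "aws_iam_role_policy" "flow_log" {
  name_prefix = "vpc-flow-log-"
  role        = aws_iam_role.flow_log.id
  policy      = data.aws_iam_policy_document.flow_log_write.json
}
```

After a destroy, a CloudTrail CreateLogGroup event from the flow-logs service principal would then indicate a role that still carries the broader permission.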

@ahmedfourti
Author

Yes exactly

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 31, 2022