[Bug]: aws_cloudwatch_metric_alarm with aws_oam_link and forbidden ValidationError #32436
Labels: bug (Addresses a defect in current functionality.), service/cloudwatch (Issues and PRs that pertain to the cloudwatch service.)
Terraform Core Version
v1.5.0
AWS Provider Version
v4.67.0
Affected Resource(s)
aws_cloudwatch_metric_alarm
Expected Behavior
During a new foundation deployment we configure an alerting account using an OAM sink, with links from member accounts to send their metrics to the alerting account.
The metrics and links are created, then the alarms fail to create with the error: ValidationError: One or more metrics in your request are Forbidden.
The deployment works with no changes after multiple applies.
I added a null_resource to verify the metrics are available in the alerting account and added it as a dependency of the alerts resource; however, the results are mixed: sometimes they all work, sometimes they all fail, and other times a random number of them work.
The aws_cloudwatch_metric_alarm resource should be created with an option to ignore validation.
If this is not possible, it should have a "validation retry/wait/count" ability to wait for a defined time for the metric to become available.
Actual Behavior
ValidationError: One or more metrics in your request are Forbidden.
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
main.tf
Steps to Reproduce
Use 2 AWS accounts with CloudTrail configured to send its logs to their own log groups.
Create a role in each account to be assumed for the deployment.
Update locals, regions and the assume roles.
terraform apply
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
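The "validation retry/wait/count" behaviour the report asks for can be scripted outside the provider: poll ListMetrics in the monitoring (sink) account, searching linked source accounts, until the OAM-shared metric is visible, and only then call PutMetricAlarm. The following is an added example written for this page; it is not code from the issue, the reporter, or the Terraform AWS provider. It assumes boto3 credentials for the sink account and uses the real ListMetrics parameters IncludeLinkedAccounts and OwningAccount; the alarm definition, the CloudTrailMetrics namespace and the FakeCloudWatch class are constructed placeholders so the script runs offline (swap in boto3.client("cloudwatch") for real use).

```python
"""Wait for an OAM-linked metric to become visible, then create the alarm.

Added example, not from the issue or the AWS provider.  FakeCloudWatch is a
constructed stand-in for boto3.client("cloudwatch") so this runs offline.
"""
import time
from typing import Callable, Dict, List, Optional


def metric_visible(client, namespace: str, metric_name: str,
                   dimensions: List[Dict[str, str]],
                   owning_account: Optional[str] = None) -> bool:
    """Return True once ListMetrics (searching OAM-linked accounts) finds a match."""
    params = {
        "Namespace": namespace,
        "MetricName": metric_name,
        "Dimensions": dimensions,          # list of {"Name": ..., "Value": ...}
        "IncludeLinkedAccounts": True,     # search source accounts linked to this sink
    }
    if owning_account:                     # optionally pin to one source account
        params["OwningAccount"] = owning_account
    while True:                            # follow NextToken until a hit or exhaustion
        resp = client.list_metrics(**params)
        if resp.get("Metrics"):
            return True
        token = resp.get("NextToken")
        if not token:
            return False
        params["NextToken"] = token


def wait_for_metric(client, namespace: str, metric_name: str,
                    dimensions: List[Dict[str, str]],
                    owning_account: Optional[str] = None,
                    attempts: int = 30, delay: float = 10.0,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll with a bounded retry count; return attempts used or raise TimeoutError."""
    for attempt in range(1, attempts + 1):
        if metric_visible(client, namespace, metric_name, dimensions, owning_account):
            return attempt
        if attempt < attempts:
            sleep(delay)
    raise TimeoutError(f"{namespace}/{metric_name} not visible after {attempts} attempts")


def create_alarm_when_ready(client, alarm: Dict, **wait_kwargs) -> int:
    """Gate PutMetricAlarm on the metric being visible; returns attempts used."""
    used = wait_for_metric(client, alarm["Namespace"], alarm["MetricName"],
                           alarm["Dimensions"], **wait_kwargs)
    client.put_metric_alarm(**alarm)       # same call the provider makes
    return used


class FakeCloudWatch:
    """Constructed stand-in: the metric appears only after `visible_after`
    ListMetrics calls, mimicking the lag of a freshly created OAM link."""

    def __init__(self, visible_after: int):
        self.visible_after = visible_after
        self.calls = 0
        self.alarms: List[str] = []

    def list_metrics(self, **params):
        self.calls += 1
        if self.calls >= self.visible_after:
            return {"Metrics": [{"Namespace": params["Namespace"],
                                 "MetricName": params["MetricName"],
                                 "Dimensions": params["Dimensions"]}]}
        return {"Metrics": []}

    def put_metric_alarm(self, **alarm):
        self.alarms.append(alarm["AlarmName"])


# Constructed alarm definition; names are placeholders, not from the issue.
EXAMPLE_ALARM = {
    "AlarmName": "cloudtrail-unauthorized-api-calls",
    "Namespace": "CloudTrailMetrics",
    "MetricName": "UnauthorizedAPICalls",
    "Dimensions": [],
    "Statistic": "Sum",
    "Period": 300,
    "EvaluationPeriods": 1,
    "Threshold": 1,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
}

if __name__ == "__main__":
    cw = FakeCloudWatch(visible_after=3)   # metric shows up on the third poll
    print(create_alarm_when_ready(cw, EXAMPLE_ALARM, attempts=5, delay=0,
                                  sleep=lambda _: None))
```

In a Terraform deployment this would run from a null_resource local-exec (or a one-off script between applies) with the alarm resource depending on it; a bounded attempt count matters because a metric that never appears usually means the link or sink policy is wrong, not that more waiting is needed.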