Description
Terraform and AWS Provider Version
Terraform v1.12.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.98.0
Affected Resource(s) or Data Source(s)
aws_cloudwatch_log_group
Expected Behavior
In version 5.98.0, DELIVERY was introduced as a valid log_group_class for the aws_cloudwatch_log_group resource (via the update of AWS SDK for Go v2).
Since the PutRetentionPolicy operation is not allowed when log_group_class = "DELIVERY", it should be skipped even if retention_in_days is specified, and the terraform apply operation should succeed.
Actual Behavior
Apply Error 1
When log_group_class = "DELIVERY" and retention_in_days are specified together, the initial terraform apply fails with the following error message:
│ Error: setting CloudWatch Logs Log Group (delivery-test-log-group) retention policy: operation error CloudWatch Logs: PutRetentionPolicy, https response error StatusCode: 400, RequestID: 2ddb46c4-135b-4528-8a2b-6053f18063db, api error ValidationException: This operation is not supported for Delivery log class
│
│ with aws_cloudwatch_log_group.test,
│ on main.tf line 1, in resource "aws_cloudwatch_log_group" "test":
│ 1: resource "aws_cloudwatch_log_group" "test" {
This error can be avoided by omitting the retention_in_days argument.
However, the preferred behavior is for the provider to skip operations related to the retention policy when log_group_class = "DELIVERY" is specified.
Permanent Diff
After the initial deployment (with retention_in_days omitted), a persistent diff related to retention_in_days appears:
  # aws_cloudwatch_log_group.test will be updated in-place
  ~ resource "aws_cloudwatch_log_group" "test" {
        id                = "delivery-test-log-group"
        name              = "delivery-test-log-group"
      ~ retention_in_days = 2 -> 0
        tags              = {}
        # (6 unchanged attributes hidden)
    }
When log_group_class = "DELIVERY" is used, AWS automatically sets retention_in_days to 2.
Because the AWS API returns this value during the read operation, the Terraform state is refreshed to reflect retention_in_days = 2.
However, since retention_in_days is not explicitly set in the configuration, Terraform attempts to reset it to 0, resulting in an unnecessary diff.
This diff should be suppressed when log_group_class = "DELIVERY" is specified.
Apply Error 2
Running terraform apply again results in the following error:
│ Error: deleting CloudWatch Logs Log Group (delivery-test-log-group) retention policy: operation error CloudWatch Logs: DeleteRetentionPolicy, https response error StatusCode: 400, RequestID: 77425800-7ca5-495a-9c8c-c8a01d4ad744, api error ValidationException: This operation is not supported for Delivery log class
│
│ with aws_cloudwatch_log_group.test,
│ on main.tf line 1, in resource "aws_cloudwatch_log_group" "test":
│ 1: resource "aws_cloudwatch_log_group" "test" {
In the current implementation, when a change to retention_in_days is detected, DeleteRetentionPolicy and PutRetentionPolicy operations are attempted.
However, these operations are not supported when log_group_class = "DELIVERY" is specified, causing the apply to fail.
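As an added illustration (this is not the provider's code and not part of the original report), the following Go sketch models the behavior requested above for both failure modes: retention-policy API calls are skipped entirely for DELIVERY log groups, and the retention_in_days diff is suppressed for that class. The retentionAPI interface and the recordingAPI fake are stand-ins for the AWS SDK for Go v2 CloudWatch Logs client; their method signatures, and the function names retentionManaged, suppressRetentionDiff and syncRetention, are assumptions made for this example, not names from the provider.

```go
package main

import (
	"context"
	"fmt"
)

// retentionAPI is an assumed stand-in for the subset of the CloudWatch Logs
// client that the provider uses; the real provider calls the AWS SDK for Go v2
// client directly, with input structs rather than these simplified arguments.
type retentionAPI interface {
	PutRetentionPolicy(ctx context.Context, name string, days int32) error
	DeleteRetentionPolicy(ctx context.Context, name string) error
}

const logGroupClassDelivery = "DELIVERY"

// retentionManaged reports whether the retention policy of a log group can be
// managed through PutRetentionPolicy/DeleteRetentionPolicy. For the DELIVERY
// class AWS rejects both calls and fixes retention at 2 days.
func retentionManaged(logGroupClass string) bool {
	return logGroupClass != logGroupClassDelivery
}

// suppressRetentionDiff plays the role of a DiffSuppressFunc: for a DELIVERY
// log group any difference between configured and remote retention_in_days is
// noise (AWS always reports 2), so the diff is suppressed unconditionally.
func suppressRetentionDiff(logGroupClass string, oldDays, newDays int32) bool {
	if !retentionManaged(logGroupClass) {
		return true
	}
	return oldDays == newDays
}

// syncRetention brings the remote retention policy in line with the configured
// value, skipping the API entirely for DELIVERY log groups. A configured value
// of 0 means "no retention policy" and maps to DeleteRetentionPolicy.
func syncRetention(ctx context.Context, api retentionAPI, name, logGroupClass string, oldDays, newDays int32) error {
	if !retentionManaged(logGroupClass) {
		return nil // neither Put nor Delete is supported for the Delivery log class
	}
	if oldDays == newDays {
		return nil
	}
	if newDays == 0 {
		return api.DeleteRetentionPolicy(ctx, name)
	}
	return api.PutRetentionPolicy(ctx, name, newDays)
}

// recordingAPI is a constructed fake that records the calls it receives, so the
// example runs offline without AWS credentials.
type recordingAPI struct{ calls []string }

func (r *recordingAPI) PutRetentionPolicy(_ context.Context, name string, days int32) error {
	r.calls = append(r.calls, fmt.Sprintf("PutRetentionPolicy(%s,%d)", name, days))
	return nil
}

func (r *recordingAPI) DeleteRetentionPolicy(_ context.Context, name string) error {
	r.calls = append(r.calls, fmt.Sprintf("DeleteRetentionPolicy(%s)", name))
	return nil
}

// retentionCalls runs syncRetention against the fake for the log group used in
// this report and returns the API calls that would have been issued.
func retentionCalls(logGroupClass string, oldDays, newDays int32) []string {
	api := &recordingAPI{}
	_ = syncRetention(context.Background(), api, "delivery-test-log-group", logGroupClass, oldDays, newDays)
	return api.calls
}

func main() {
	fmt.Println("DELIVERY, 0 -> 30:", retentionCalls("DELIVERY", 0, 30))  // Apply Error 1 scenario: no call
	fmt.Println("DELIVERY, 2 -> 0: ", retentionCalls("DELIVERY", 2, 0))   // Apply Error 2 scenario: no call
	fmt.Println("STANDARD, 0 -> 30:", retentionCalls("STANDARD", 0, 30))  // PutRetentionPolicy
	fmt.Println("DELIVERY diff 2 -> 0 suppressed:", suppressRetentionDiff("DELIVERY", 2, 0))
}
```

Until the provider handles this, the permanent diff can be avoided on the user side by omitting retention_in_days and adding lifecycle { ignore_changes = [retention_in_days] } to the resource, so the refreshed value of 2 no longer produces a plan to reset it.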
Relevant Error/Panic Output
Shown above in the Actual Behavior
Sample Terraform Configuration
resource "aws_cloudwatch_log_group" "test" {
  name              = "delivery-test-log-group"
  log_group_class   = "DELIVERY"
  retention_in_days = 30 // comment out in step 2
}
Steps to Reproduce
- Apply the configuration -> Apply Error 1
- Comment out retention_in_days
- Apply -> Succeeds
- Plan again -> A permanent diff appears
- Apply again -> Apply Error 2
Debug Logging
GenAI / LLM Assisted Development
n/a
Important Facts and References
This behavior was discovered when I was investigating the new Lambda logging destination functionality (#42573).
Would you like to implement a fix?
Yes