Cloudwatch log groups created not deleted on "terraform destroy"

[stephanpelikan]

Description

I created a rds instance and asked for the Cloudwatch log-groups to be created:

module "db" {
  source                 = "terraform-aws-modules/rds/aws"
  enabled_cloudwatch_logs_exports = ["alert", "audit"]
  create_cloudwatch_log_group     = true
  ...
}

It is created successfully. After running terraform destroy and rerunning terraform apply I got this error:

Error: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists:  The CloudWatch Log Group '/aws/rds/instance/el-vi-rds-oracle/audit' already exists.
  with module.db.module.db_instance.aws_cloudwatch_log_group.this["audit"],
  on .terraform/modules/db/modules/db_instance/main.tf line 138, in resource "aws_cloudwatch_log_group" "this":
  138: resource "aws_cloudwatch_log_group" "this" {

In AWS console I saw that the groups created were not deleted on terraform destroy.

Versions

• Terraform v1.2.4
• provider registry.terraform.io/hashicorp/aws v4.22.0
• provider registry.terraform.io/hashicorp/random v3.3.2
• RDS 4.7.0

Reproduction Code

1. Build a RDS instance like shown in the description
2. Run terraform destroy
3. Run terraform apply

Expected behavior

The Cloudwatch log groups created by the RDS module are removed on running terraform destroy.

Actual behavior

The Cloudwatch log groups created by the RDS module were not removed on running terraform destroy.

[magreenbaum]

The cloudwatch log groups created by terraform are being destroyed however it looks like while the database is being deleted, it can still create and send to cloudwatch logs due to the service linked role it is using AmazonRDSServiceRolePolicy which as far as I understand is not modifiable. Here's a related issue I found in the terraform aws provider repo: hashicorp/terraform-provider-aws#5348

[bryantbiggs]

That's correct - we see that on other services like EKS where tasks are still logging but Terraform removed the log group it has created

[stephanpelikan]

This is only about RDS. Maybe this can be solved by simply adding a depends_on = [ aws_cloudwatch_log_group.this ] to

terraform-aws-rds/modules/db_instance/main.tf

Line 32 in e49273b

resource "aws_db_instance" "this" {

?
This should ensure the groups are created before and destroyed after db_instance.

[bryantbiggs]

Closed in #423

[stephanpelikan]

Thx for the fix and also for the release 5.0.1 👍

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.