From e3ff8a543cb06aa4703b6ab78628bdd138357018 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Gillot-Lamure?=
Date: Wed, 6 Jan 2021 13:01:40 +0100
Subject: [PATCH] fix: Remove CreateLogGroup permission from service role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This permission is not needed because we create the log group with Terraform so the VPC Flow Logs service doesn’t need to do it. On the other hand having this permission causes a bug where, on terraform destroy the log group will be destroyed, but then if there is still a few messages in a VPC Flow Logs queue the managed service will see that the log group does not exist and create it again using. You’ll then have the log group lingering after the tf destroy, which can cause trouble if you try to terraform apply again with the same name: the log group will be already existing and your apply will fail. Not having the permission prevents that as the managed service will not be able to recreate the log group after the tf destroy.
---
 vpc-flow-logs.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index a47ead5e5..d18439ce7 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -89,7 +89,6 @@ data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
     effect = "Allow"
     actions = [
-      "logs:CreateLogGroup",
       "logs:CreateLogStream",
       "logs:PutLogEvents",
       "logs:DescribeLogGroups",