aws_cloudtrail does not respect initial include_global_service_events value of false

[fillup]

Hi there,

Terraform Version

Terraform v0.10.8

Affected Resource(s)

Please list the resources as a list, for example:

• aws_cloudtrail

Terraform Configuration Files

resource "aws_s3_bucket" "cloudtrail" {
  bucket        = "cloudtrail-demo-1510085695"
  force_destroy = true

  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::cloudtrail-demo-1510085695"
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {
              "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::cloudtrail-demo-1510085695/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
POLICY
}

resource "aws_cloudtrail" "cloudtrail" {
  name                          = "cloudtrail-demo"
  s3_bucket_name                = "${aws_s3_bucket.cloudtrail.id}"
  include_global_service_events = false
}

Expected Behavior

When the CloudTrail is created, include_global_service_events should be false.

Actual Behavior

The CloudTrail is created with include_global_service_events as true. By running terraform plan again it shows it wants to change from true to false. Running terraform apply changes the setting from true to false.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply
2. terraform plan

Example Output

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_cloudtrail.cloudtrail
      id:                            <computed>
      arn:                           <computed>
      enable_log_file_validation:    "false"
      enable_logging:                "true"
      home_region:                   <computed>
      include_global_service_events: "false"
      is_multi_region_trail:         "false"
      name:                          "cloudtrail-demo"
      s3_bucket_name:                "${aws_s3_bucket.cloudtrail.id}"

  + aws_s3_bucket.cloudtrail
      id:                            <computed>
      acceleration_status:           <computed>
      acl:                           "private"
      arn:                           <computed>
      bucket:                        "cloudtrail-demo-1510085695"
      bucket_domain_name:            <computed>
      force_destroy:                 "true"
      hosted_zone_id:                <computed>
      policy:                        "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AWSCloudTrailAclCheck\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"Service\": \"cloudtrail.amazonaws.com\"\n            },\n            \"Action\": \"s3:GetBucketAcl\",\n            \"Resource\": \"arn:aws:s3:::cloudtrail-demo-1510085695\"\n        },\n        {\n            \"Sid\": \"AWSCloudTrailWrite\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"Service\": \"cloudtrail.amazonaws.com\"\n            },\n            \"Action\": \"s3:PutObject\",\n            \"Resource\": \"arn:aws:s3:::cloudtrail-demo-1510085695/*\",\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n                }\n            }\n        }\n    ]\n}\n"
      region:                        <computed>
      request_payer:                 <computed>
      versioning.#:                  <computed>
      website_domain:                <computed>
      website_endpoint:              <computed>


Plan: 2 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------



$ terraform apply
aws_s3_bucket.cloudtrail: Creating...
  acceleration_status: "" => "<computed>"
  acl:                 "" => "private"
  arn:                 "" => "<computed>"
  bucket:              "" => "cloudtrail-demo-1510085695"
  bucket_domain_name:  "" => "<computed>"
  force_destroy:       "" => "true"
  hosted_zone_id:      "" => "<computed>"
  policy:              "" => "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AWSCloudTrailAclCheck\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"Service\": \"cloudtrail.amazonaws.com\"\n            },\n            \"Action\": \"s3:GetBucketAcl\",\n            \"Resource\": \"arn:aws:s3:::cloudtrail-demo-1510085695\"\n        },\n        {\n            \"Sid\": \"AWSCloudTrailWrite\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"Service\": \"cloudtrail.amazonaws.com\"\n            },\n            \"Action\": \"s3:PutObject\",\n            \"Resource\": \"arn:aws:s3:::cloudtrail-demo-1510085695/*\",\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n                }\n            }\n        }\n    ]\n}\n"
  region:              "" => "<computed>"
  request_payer:       "" => "<computed>"
  versioning.#:        "" => "<computed>"
  website_domain:      "" => "<computed>"
  website_endpoint:    "" => "<computed>"
aws_s3_bucket.cloudtrail: Creation complete after 4s (ID: cloudtrail-demo-1510085695)
aws_cloudtrail.cloudtrail: Creating...
  arn:                           "" => "<computed>"
  enable_log_file_validation:    "" => "false"
  enable_logging:                "" => "true"
  home_region:                   "" => "<computed>"
  include_global_service_events: "" => "false"
  is_multi_region_trail:         "" => "false"
  name:                          "" => "cloudtrail-demo"
  s3_bucket_name:                "" => "cloudtrail-demo-1510085695"
aws_cloudtrail.cloudtrail: Creation complete after 3s (ID: cloudtrail-demo)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.



$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_s3_bucket.cloudtrail: Refreshing state... (ID: cloudtrail-demo-1510085695)
aws_cloudtrail.cloudtrail: Refreshing state... (ID: cloudtrail-demo)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_cloudtrail.cloudtrail
      include_global_service_events: "true" => "false"


Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------



$ terraform apply
aws_s3_bucket.cloudtrail: Refreshing state... (ID: cloudtrail-demo-1510085695)
aws_cloudtrail.cloudtrail: Refreshing state... (ID: cloudtrail-demo)
aws_cloudtrail.cloudtrail: Modifying... (ID: cloudtrail-demo)
  include_global_service_events: "true" => "false"
aws_cloudtrail.cloudtrail: Modifications complete after 1s (ID: cloudtrail-demo)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.



$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_s3_bucket.cloudtrail: Refreshing state... (ID: cloudtrail-demo-1510085695)
aws_cloudtrail.cloudtrail: Refreshing state... (ID: cloudtrail-demo)

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

[bflad]

This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!