prevent empty resources in flow log IAM policy when using external log group

ryotana · ryotana · commit e4e23925044e · 2026-04-05T17:45:28.000+09:00
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
@@ -21,10 +21,10 @@ locals {
   flow_log_destination_arn                  = local.create_flow_log_cloudwatch_log_group ? try(aws_cloudwatch_log_group.flow_log[0].arn, null) : var.flow_log_destination_arn
   flow_log_iam_role_arn                     = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? try(aws_iam_role.vpc_flow_log_cloudwatch[0].arn, null) : var.flow_log_cloudwatch_iam_role_arn
   flow_log_cloudwatch_log_group_name_suffix = var.flow_log_cloudwatch_log_group_name_suffix == "" ? local.vpc_id : var.flow_log_cloudwatch_log_group_name_suffix
-  flow_log_group_arns = [
+  flow_log_group_arns = local.create_flow_log_cloudwatch_log_group ? [
     for log_group in aws_cloudwatch_log_group.flow_log :
     "arn:${data.aws_partition.current[0].partition}:logs:${data.aws_region.current[0].region}:${data.aws_caller_identity.current[0].account_id}:log-group:${log_group.name}:*"
-  ]
+  ] : var.flow_log_destination_arn != null && var.flow_log_destination_arn != "" ? ["${var.flow_log_destination_arn}:*"] : []
 }
 
 ################################################################################
