DevOps
Fix Terraform Error: CloudWatch Log Group Already Exists
Fix terraform CloudWatch Log Group ResourceAlreadyExistsException. Import orphaned log groups, prevent Lambda auto-creation
3 min read
DevOps
Fix Terraform Error - Error Creating CloudWatch Log Group - ResourceAlreadyExistsException
Fix ResourceAlreadyExistsException when creating CloudWatch Log Groups in Terraform. Import existing groups, handle retention policies, and prevent name...
LLuca Berton1 min read
Quick Answer
#A CloudWatch Log Group with that name already exists. Import it with terraform import aws_cloudwatch_log_group.main /my/log/group, or use a unique name. Many AWS services auto-create log groups — check before creating them in Terraform.
The Error
#Error: creating CloudWatch Log Group (/ecs/my-app):
ResourceAlreadyExistsException: The specified log group already existsWhat Causes This
#- AWS service auto-created it — Lambda, ECS, API Gateway automatically create log groups
- Created manually in CloudWatch console
- Previous Terraform apply created it but state was lost
- Duplicate across configs — two Terraform configs managing the same log group
How to Fix It
#Solution 1: Import the Existing Log Group
#terraform import aws_cloudwatch_log_group.app /ecs/my-appSolution 2: Let AWS Create It (Skip Terraform)
#For Lambda and ECS, you can let AWS auto-create the log group and just manage retention:
# Instead of creating the log group, import it after first deployment
# Or use data source to reference it
data "aws_cloudwatch_log_group" "lambda" {
name = "/aws/lambda/${aws_lambda_function.main.function_name}"
}Solution 3: Create Before the Service
## Create log group BEFORE the Lambda/ECS resource
resource "aws_cloudwatch_log_group" "lambda" {
name = "/aws/lambda/${var.function_name}"
retention_in_days = 30
# Create before Lambda so Terraform owns it
lifecycle {
create_before_destroy = true
}
}
resource "aws_lambda_function" "main" {
depends_on = [aws_cloudwatch_log_group.lambda]
function_name = var.function_name
# ...
}Solution 4: Use Unique Names
#resource "aws_cloudwatch_log_group" "app" {
name = "/${var.project}/${var.environment}/app"
retention_in_days = 14
tags = { Environment = var.environment }
}Services That Auto-Create Log Groups
#| AWS Service | Log Group Pattern |
|---|---|
| Lambda | /aws/lambda/<function-name> |
| ECS | /ecs/<service-name> (if configured) |
| API Gateway | /aws/apigateway/<api-id> |
| RDS | /aws/rds/instance/<id>/<log-type> |
| VPC Flow Logs | Custom name |
| CodeBuild | /aws/codebuild/<project-name> |
Troubleshooting Checklist
#- ✅ Does the log group exist? (
aws logs describe-log-groups --log-group-name-prefix /ecs/my-app) - ✅ Was it auto-created by a service?
- ✅ Can you import it instead of creating?
- ✅ Is Terraform creating the log group before the service that needs it?
Related Articles
#Conclusion
#CloudWatch Log Groups often already exist because AWS services auto-create them. Import existing groups into Terraform state, or create them before the service that uses them. Set retention_in_days to avoid unlimited log storage costs.
#Terraform#Troubleshooting#DevOps#Error Fix#Infrastructure as Code
Related articles
DevOps
Fix Terraform Error: Cannot Import Into Existing State
Fix terraform import errors when a resource already exists in state. Covers state rm, state show, reimport workflow, import blocks
3 min read
DevOps
Fix Terraform Error: Too Many Command Line Arguments
Fix terraform too many command line arguments errors. Correct -var syntax, quote values with spaces, and learn proper Terraform CLI argument format for plan
3 min read
DevOps
Fix Terraform Error: Invalid Escape Sequence in String
Fix terraform invalid escape sequence errors. Double backslashes for Windows paths, use heredocs for regex, and learn all valid HCL escape sequences.
2 min read