
Security_Resources Stack fails when upgrade from 1.5.1 to 1.7.1 #492

Closed
5 of 6 tasks
aholen opened this issue Jun 21, 2024 · 3 comments
Labels
bug Something isn't working

Comments

aholen commented Jun 21, 2024

Describe the bug
Security_Resources fails when upgrading from 1.5.1 to 1.7.1 with "LogGroupName aws-accelerator-cloudtrail-AccountTrail already exists".
To Reproduce

  1. Update the LZA as of documentation: Updating the AWSAccelerator-InstallerStacks with latest, specifying release/v1.7.1 as branch name.
  2. AWSAccelerator-Installer succeeds.
  3. Running the AWSAccelerator-Pipeline fails on AWSAccelerator-SecurityResourcesStack and runs

Expected behavior
Stacks created successfully, and the Pipeline AWSAccelerator-Pipeline to run OK.

Please complete the following information about the solution:

  • Version: v1.7.1
  • Region: eu-north-1
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses?
  • Were there any errors in the CloudWatch Logs? Yes, or rather from the pipeline.

Screenshots
[screenshot]

Logs:

AWSAccelerator-SecurityResourcesStack-<accountid>-eu-north-1 |  0/23 | 10:41:39 PM | UPDATE_IN_PROGRESS   | AWS::SSM::Parameter                   | SsmParamAcceleratorVersion (SsmParamAcceleratorVersionFF83282D) 
AWSAccelerator-SecurityResourcesStack-<accountid>-eu-north-1 |  0/23 | 10:41:39 PM | CREATE_FAILED        | AWS::Logs::LogGroup                   | CloudTrailLogGroup-AccountTrail (CloudTrailLogGroupAccountTrail5D107C96) Resource handler returned message: "Resource of type 'AWS::Logs::LogGroup' with identifier '{"/properties/LogGroupName":"aws-accelerator-cloudtrail-AccountTrail"}' already exists." (RequestToken: <redacted>, HandlerErrorCode: AlreadyExists)
    new LogGroup (/codebuild/output/src4177/src/s3/00/source/node_modules/aws-cdk-lib/aws-logs/lib/log-group.js:1:5268)
    \_ SecurityResourcesStack.configureAccountCloudTrail (/codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:1479:40)
    \_ SecurityResourcesStack.configureAccountCloudTrails (/codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:1537:12)
    \_ new SecurityResourcesStack (/codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/lib/stacks/security-resources-stack.ts:126:10)
    \_ createSecurityResourcesStack (/codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/utils/stack-utils.ts:944:36)
    \_ createMultiAccountMultiRegionStacks (/codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:184:35)
    \_ main (/codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:248:5)
    \_ processTicksAndRejections (node:internal/process/task_queues:95:5)
    \_ async /codebuild/output/src4177/src/s3/00/source/packages/@aws-accelerator/accelerator/bin/app.ts:256:5
AWSAccelerator-SecurityResourcesStack-<accountid>-eu-north-1 |  0/23 | 10:41:40 PM | CREATE_IN_PROGRESS   | AWS::IAM::Role                        | AcceleratorCloudTrail-AccountTrail/LogsRole (AcceleratorCloudTrailAccountTrailLogsRoleB60B6909) Resource creation Initiated

Additional context
This looks like a related issue, but on another resource: #471

@aholen aholen added the bug Something isn't working label Jun 21, 2024

aholen commented Jun 22, 2024

Workaround: Disable sendToCloudWatchLogs

logging:
  account: LogArchive
  cloudtrail:
    enable: true
    organizationTrail: false
    accountTrails:
      - name: AccountTrail
        regions:
          - *HOME_REGION
        deploymentTargets:
          accounts: []
          organizationalUnits:
            - Root
        settings:
          multiRegionTrail: true
          globalServiceEvents: true
          managementEvents: true
          s3DataEvents: false
          lambdaDataEvents: false
          sendToCloudWatchLogs: false
          apiErrorRateInsight: false
          apiCallRateInsight: false
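An added triage helper, not part of the LZA project or of this thread, that parses the CloudFormation AlreadyExists message quoted in the issue and maps it back to the accountTrails entry whose sendToCloudWatchLogs setting makes the stack create that log group, so an operator can confirm which trail to touch before applying the workaround. The log-group naming pattern (aws-accelerator-cloudtrail- followed by the trail name) is assumed from the error text above; the sample log and config dict are constructed from this thread.

```python
import json
import re
from typing import Dict, List
# CloudFormation resource-handler message as it appears in the pipeline log.
_ALREADY_EXISTS = re.compile(
    r"Resource of type '(?P<rtype>[\w:]+)' with identifier "
    r"'(?P<ident>\{.*?\})' already exists\..*?HandlerErrorCode: (?P<code>\w+)"
)
_STACK = re.compile(r"(AWSAccelerator-\w+Stack-[^ |]+)")  # leading stack name

def parse_conflicts(log_text: str) -> List[dict]:
    """One record per AlreadyExists handler message found in the log."""
    out = []
    for line in log_text.splitlines():
        m = _ALREADY_EXISTS.search(line)
        if not m:
            continue
        prop, name = next(iter(json.loads(m.group("ident")).items()))
        s = _STACK.search(line)
        out.append({"stack": s.group(1) if s else "<unknown-stack>",
                    "resource_type": m.group("rtype"), "property": prop,
                    "name": name, "error_code": m.group("code")})
    return out

def expected_log_groups(cloudtrail_cfg: dict) -> Dict[str, str]:
    """Trail name -> log group the stack creates for trails that send to
    CloudWatch Logs. Pattern assumed from this issue's error text only."""
    return {t["name"]: "aws-accelerator-cloudtrail-" + t["name"]
            for t in cloudtrail_cfg.get("accountTrails", [])
            if t.get("settings", {}).get("sendToCloudWatchLogs")}

def trails_in_conflict(log_text: str, cloudtrail_cfg: dict) -> List[str]:
    """Trail names whose expected log group already existed at deploy time."""
    taken = {c["name"] for c in parse_conflicts(log_text)
             if c["resource_type"] == "AWS::Logs::LogGroup"
             and c["property"] == "/properties/LogGroupName"}
    return sorted(t for t, g in expected_log_groups(cloudtrail_cfg).items()
                  if g in taken)

# Constructed sample: the CREATE_FAILED line quoted in this issue.
SAMPLE_LOG = (
    "AWSAccelerator-SecurityResourcesStack-<accountid>-eu-north-1 |  0/23 | "
    "10:41:39 PM | CREATE_FAILED | AWS::Logs::LogGroup | CloudTrailLogGroup-AccountTrail "
    "Resource handler returned message: \"Resource of type 'AWS::Logs::LogGroup' with "
    "identifier '{\"/properties/LogGroupName\":\"aws-accelerator-cloudtrail-AccountTrail\"}' "
    "already exists.\" (RequestToken: <redacted>, HandlerErrorCode: AlreadyExists)\n"
)
# The cloudtrail block from the workaround above, but with sendToCloudWatchLogs on.
SAMPLE_CLOUDTRAIL = {"accountTrails": [{"name": "AccountTrail", "settings": {
    "multiRegionTrail": True, "sendToCloudWatchLogs": True}}]}
```

Run `trails_in_conflict(SAMPLE_LOG, SAMPLE_CLOUDTRAIL)` against your own pipeline log and global-config to see which trail entries are affected; with the workaround applied (sendToCloudWatchLogs: false) the trail drops out of the result.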

@johnraws (Contributor)

Closing this issue as it is resolved in release/v1.8.0


aholen commented Aug 28, 2024

@johnraws I'm still seeing this in 1.9.1

AWSAccelerator-SecurityResourcesStack-XXX-eu-central-1 failed: Error: The stack named AWSAccelerator-SecurityResourcesStack-XXX-eu-central-1 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Resource of type 'AWS::Logs::LogGroup' with identifier '{"/properties/LogGroupName":"aws-accelerator-cloudtrail-AccountTrail"}' already exists." (RequestToken: 90fa8d52-8b33-8507-76e8-590f62ee977a, HandlerErrorCode: AlreadyExists)
    at FullCloudFormationDeployment.monitorDeployment (/codebuild/output/src2133/src/s3/00/source/node_modules/aws-cdk/lib/api/deploy-stack.ts:523:13)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack (/codebuild/output/src2133/src/s3/00/source/node_modules/aws-cdk/lib/cdk-toolkit.ts:332:24)
    at async /codebuild/output/src2133/src/s3/00/source/node_modules/aws-cdk/lib/util/work-graph.ts:105:11
