No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

if you export the stack - do you get a resource ID? Would it be possible that you have pointed Pulumi to a different AWS account?

Thanks for the quick response. I'll try that and get back to you!

The missing log group was a red herring (after `pulumi destroy` and `pulumi up` it was created as expected). However, when I pass the ARN of the newly-created log group into CloudTrail, I get the following error:
```error: Error creating CloudTrail: InvalidCloudWatchLogsLogGroupArnException: Check the log group ARN: CloudTrail can't validate it.```
According to the <https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/cloudtrail/model/package-summary.html|AWS java SDK docs>, "This exception is thrown when the provided CloudWatch log group is not valid."

If you can open an issue in Pulumi-aws with some code to reproduce it, I can try and investigate

Sorry for the radio silence. The issue was that the `log_group` resource ARN lacks the `:*` suffix required for the CloudTrail resource. My workaround:

```log_group_arn = pulumi.Output.apply(log_group.arn, lambda arn: f"{arn}:*")
trail = cloudtrail.Trail(
    ...
    cloud_watch_logs_group_arn=log_group_arn,
    ...
)```

yeah this was a breaking change in the upstream provider in pulumi-aws v3.0.0

it's linked in the upstream TF provider changelog