fivetran / terraform-provider-fivetran

Terraform Provider for Fivetran
https://fivetran.com
Apache License 2.0

attempt to patch locked table (dynamodb fivetran_connector_schema_config) #313

Closed ann8ty closed 2 months ago

ann8ty commented 4 months ago

Describe the bug

Some DDB tables pass "plan" but fail in "apply".

│ Error wile applying schema config patch. error while patching schema dynamodb_raw: 
│       attempt to patch locked table a5-n-rt-x; Please report this issue to the provider developers.

To Reproduce

data "aws_ssm_parameter" "ssm_dynamodb_connector_id" {
  name = "/${local.app_env}/${local.schema_name}/dynamodbConnectorId"
}

resource "fivetran_connector_schema_config" "dynamodb_schema" {
  connector_id = data.aws_ssm_parameter.ssm_dynamodb_connector_id.value
  schema_change_handling = "ALLOW_COLUMNS"

  schemas = {
    "dynamodb_raw" = {
      enabled = true

      tables = {

        "a5-a-a-x" = {enabled = true}
        "a5-c-r-x" = { enabled = true }
        "a5-d-a-x"  = { enabled = true }
        "a5-d-cs-x" = { enabled = true }
        # "a5-d-ds-x"= {} # vanished error
        "a5-d-hs-x"                  = { enabled = true }
        "a5-d-nw-x"                  = { enabled = true }
        "a5-g-d-dl-x"                  = { enabled = true }
        "a5-i-od-x"      = { enabled = true }
        "a5-i-ods-x" = { enabled = true }
        "a5-l-a-x"                         = { enabled = true }
        "a5-l-l-x"                      = { enabled = true }
        "a5-n-ns-x"    = { enabled = true } # │       attempt to patch locked table a5-n-ns-x; Please report this issue to the provider developers.
        "a5-n-nv3-x"          = { enabled = true }
        "a5-n-rt-x"       = { enabled = true } # │       attempt to patch locked table a5-n-rt-x; Please report this issue to the provider developers.
        # "a5-w-d-s-ltnzt-x"= {} # vanished error
        "a5-w-d-s-lttst-x" = { enabled = true }
        "a5-w-d-s-tst-x"           = { enabled = true }
        "a5-w-d-s-ts-x"                = { enabled = true }
        "a5-w-d-s-wa-x"                 = { enabled = true }

      }

      timeouts = {
        create = "60s"
        read = "60s"
        update = "60s"
      }

    }
  }
}

I tried with and without timeouts, no difference.

Expected behavior

If the tables are locked in Fivetran, I would expect Fivetran to handle that internally. How are they locked? How do they get unlocked?

Logs & Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # fivetran_connector_schema_config.dynamodb_schema will be updated in-place
  ~ resource "fivetran_connector_schema_config" "dynamodb_schema" {
      ~ id                     = "xxx" -> (known after apply)
      ~ schemas                = {
          ~ "dynamodb_raw" = {
              ~ tables  = {
                  ~ "a5-a-a-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-c-r-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-d-a-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-d-cs-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-d-hs-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-d-ns-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-g-d-dl-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-i-od-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-i-ods-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-l-a-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-l-l-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  + "a5-n-ns-x" = {
                      + enabled   = true
                      + sync_mode = (known after apply)
                    },
                  ~ "a5-n-nv3-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  + "a5-n-rt-x" = {
                      + enabled   = true
                      + sync_mode = (known after apply)
                    },
                  ~ "a5-w-d-s-lttst-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-w-d-s-tst-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-w-d-s-ts-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                  ~ "a5-w-d-s-wa-x" = {
                      + sync_mode = (known after apply)
                        # (1 unchanged attribute hidden)
                    },
                }
                # (1 unchanged attribute hidden)
            },
        }
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Changes to Outputs:
  ~ object_test = {
      + a5-n-ns-x                  = {
          + enabled = true
        }
      + a5-n-rt-x                     = {
          + enabled = true
        }
        # (16 unchanged attributes hidden)
    }

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: .terraform/a5.out

To perform exactly these actions, run the following command to apply:
    terraform apply ".terraform/a5.out"
(.venv) ~/ $ AWS_PROFILE="dbf" terraform apply .terraform/$CDK_PREFIX.out                                                           

fivetran_connector_schema_config.dynamodb_schema: Modifying... [id=xxx]
╷
│ Error: Unable to Create Connector Schema Resource.
│ 
│   with fivetran_connector_schema_config.dynamodb_schema,
│   on schema-dynamodb.tf line 25, in resource "fivetran_connector_schema_config" "dynamodb_schema":
│   25: resource "fivetran_connector_schema_config" "dynamodb_schema" {
│ 
│ Error wile applying schema config patch. error while patching schema dynamodb_raw: 
│       attempt to patch locked table a5-n-rt-x; Please report this issue to the provider developers.
╵

even though it says it failed, on the next run, after commenting out it tries to remove (terraform state)

      - a5-n-ns-x                  = {
          - enabled = true
        }
      - a5-n-rt-x                     = {
          - enabled = true
        }

but it is not checked / enabled in the fivetran UI

Plugin version:

    fivetran = {
      source  = "fivetran/fivetran"
      version = "1.1.24"
    }

Additional context

brand new Terraform backend on v1.1.24

if I comment out the first failing one and run again, the second one fails

created a brand new schema and still getting this error

fivetran_connector_schema_config.dynamodb_schema: Modifying... [id=xxx]
╷
│ Error: Unable to Create Connector Schema Resource.
│ 
│   with fivetran_connector_schema_config.dynamodb_schema,
│   on schema-dynamodb.tf line 26, in resource "fivetran_connector_schema_config" "dynamodb_schema":
│   26: resource "fivetran_connector_schema_config" "dynamodb_schema" {
│ 
│ Error wile applying schema config patch. error while patching schema dynamodb_raw: 
│       attempt to patch locked table a5-n-rt-x; Please report this issue to the provider developers.

why is the table locked? how do i unlock it?

beevital commented 3 months ago

@ann8ty I need your connection id to investigate the issue. And also I need a timeline when you were trying to apply these changes to find the logs on API side.

Modifying... [id=xxx] - here please do not hide the id.

beevital commented 3 months ago

How are they locked? How do they get unlocked?

Most likely it's a streaming table, but the connector isn't configured to support streaming. Could you please share a screenshot of the schema tab for this connector? The table couldn't be unlocked. You just can't manage its state. In the UI the warning should look like this:

image

Here in our docs you can read about how to configure streams: https://fivetran.com/docs/connectors/databases/dynamodb/setup-guide#enablestreamsforamazondynamodbtables

beevital commented 3 months ago

even though it says it failed, on the next run, after commenting out it tries to remove (terraform state)

  - a5-n-ns-x                  = {
      - enabled = true
    }
  - a5-n-rt-x                     = {
      - enabled = true
    }

but it is not checked / enabled in the fivetran UI

As a WA I could suggest not commenting it out, but setting it to disabled in config:

"a5-n-ns-x"    = { enabled = false }

In that case Terraform shouldn't try to change its state.

ann8ty commented 3 months ago

I wrote python automation to confirm that streams were enabled. They were.

Could we work over support channel to provide additional info if you need it, such as IDs?

I've already worked around the issue and got it into a working state.

beevital commented 3 months ago

Could we work over support channel to provide additional info if you need it, such as IDs?

Sure, it's always an option to file a support ticket to Fivetran support. Actually - the table could be deleted from source.

I'm currently adding more detailed output for this error, we will provide reason for lock in output. So it should be easier to figure out what is the reason.

beevital commented 3 months ago

I'm currently working on these issues you've reported. So the main problem is with validation. Once you've provided a setting for a table that might be later removed from source (on the source DB side) - it will lead to element vanished issue. Once you've made a mistake in some table name -> you'll get element vanished on first refresh after creation etc.

So now I'm thinking to rework the resource input validation and introduce two modes: Strict and Soft. On Strict mode we will return error on attempt to setup any settings for schema/table/column that isn't represented in source schema. On Soft - just write a warning into terraform diagnostics output, but apply and save in state everything you've provided in .tf.

ann8ty commented 3 months ago

It is very unlikely there were "mistakes" in table names, the names are read via code into a json file, then TF reads directly from the json file. The tables were not new, either, having existed in fivetran for over a year.

beevital commented 3 months ago

The issue should be fixed by v1.2.0. Now we introduced precise validation for schemas/tables names. So the provider will fetch the recent schema from source if it isn't able to find some table.

TF reads directly from the json file

And where does this json file come from?

beevital commented 2 months ago

Closing the issue as the fix was released. Feel free to re-open or open a new one if the fix didn't work for you.
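
A pre-apply check along the lines discussed in this thread, as an added example that is not part of the issue or the provider's code: it compares the table names fed to `fivetran_connector_schema_config` with DynamoDB DescribeTable responses and flags tables missing from the source or without an enabled stream (the lock cause the maintainer suspected). `check_tables`, `render_tables`, the `strict` flag and the sample tables are hypothetical; the response shape is assumed to be that of boto3 `describe_table()`.

```python
# Added example, not code from the thread or from the Fivetran provider.
from dataclasses import dataclass, field


@dataclass
class Report:
    ok: list = field(default_factory=list)
    missing: list = field(default_factory=list)     # configured, not in source
    stream_off: list = field(default_factory=list)  # in source, stream disabled


def check_tables(configured, described, strict=False):
    """configured: table names destined for the `tables` map.
    described: {name: DescribeTable response} for tables that exist.
    strict: raise on any problem; otherwise only report (assumed modes)."""
    report = Report()
    for name in sorted(set(configured)):
        resp = described.get(name)
        if resp is None:
            report.missing.append(name)
            continue
        spec = resp.get("Table", {}).get("StreamSpecification") or {}
        bucket = report.ok if spec.get("StreamEnabled") else report.stream_off
        bucket.append(name)
    if strict and (report.missing or report.stream_off):
        raise ValueError(f"missing in source: {report.missing}; "
                         f"stream disabled: {report.stream_off}")
    return report


def render_tables(report):
    """HCL lines for the `tables` map: tables without a stream stay listed
    but disabled (the thread's workaround); missing tables are dropped."""
    lines = [f'"{n}" = {{ enabled = true }}' for n in report.ok]
    lines += [f'"{n}" = {{ enabled = false }}' for n in report.stream_off]
    return sorted(lines)


# Constructed sample data shaped like boto3 describe_table() output.
SAMPLE_DESCRIBED = {
    "orders-x": {"Table": {"TableName": "orders-x",
                           "StreamSpecification": {"StreamEnabled": True}}},
    "events-x": {"Table": {"TableName": "events-x"}},  # no stream configured
}
SAMPLE_CONFIGURED = ["orders-x", "events-x", "evnts-x"]  # last name is a typo

if __name__ == "__main__":
    print("\n".join(render_tables(check_tables(SAMPLE_CONFIGURED, SAMPLE_DESCRIBED))))
```

In real use `described` would be filled from `describe_table` calls for each configured name, treating a not-found error as a missing table.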