hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

AWS aws_lakeformation_permissions (still) trying to revoke non-existent permissions #20576

Open simonB2020 opened 3 years ago

simonB2020 commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5, hashicorp/aws v3.39.0 (as per https://github.com/hashicorp/terraform-provider-aws/issues/17633)

Terraform Configuration Files

```hcl
resource "aws_lakeformation_permissions" "myroleperms" {
  principal = data.aws_iam_role.myrole.arn
  database {
    catalog_id = var.accountid
    name       = aws_athena_database.my_db.name
  }
  permissions                   = ["CREATE_TABLE"]
  permissions_with_grant_option = []
}
```

Debug Output

First Plan/Apply is as expected:

```
# aws_lakeformation_permissions.myroleperms will be created
  + resource "aws_lakeformation_permissions" "myroleperms" {
      + catalog_resource              = false
      + id                            = (known after apply)
      + permissions                   = [
          + "CREATE_TABLE",
        ]
      + permissions_with_grant_option = []
      + principal                     = "arn:aws:iam::012345678901:role/myrole"

      + data_location {
          + arn        = (known after apply)
          + catalog_id = (known after apply)
        }

      + database {
          + catalog_id = "012345678901"
          + name       = "mydb"
        }
    ....
    .....
```

Running the pipeline again after the first apply produces the error: plan reports a non-existent 'ALL' permission, which apply then tries to revoke and fails, because that permission does not exist.

```
# aws_lakeformation_permissions.myroleperms must be replaced
-/+ resource "aws_lakeformation_permissions" "myroleperms" {
        catalog_resource              = false
      ~ id                            = "0123456789" -> (known after apply)
      ~ permissions                   = [ # forces replacement
          - "ALL",
            "CREATE_TABLE",
        ]
        permissions_with_grant_option = []
        principal                     = "arn:aws:iam::012345678901:role/myrole"

      + data_location {
          + arn        = (known after apply)
          + catalog_id = (known after apply)
        }

        database {
            catalog_id = "012345678901"
            name       = "mydb"
        }

      + table {
          + catalog_id    = (known after apply)
          + database_name = (known after apply)
          + name          = (known after apply)
          + wildcard      = (known after apply)
        }

      + table_with_columns {
          + catalog_id            = (known after apply)
          + column_names          = (known after apply)
          + database_name         = (known after apply)
          + excluded_column_names = (known after apply)
          + name                  = (known after apply)
          + wildcard              = (known after apply)
        }
    }
```

Expected Behavior

The second plan/apply should find no changes.

Actual Behavior

The second plan/apply finds a non-existent 'ALL' permission, tries to revoke it, and fails.

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. terraform plan >> this 2nd plan shows the incorrect permission
  4. terraform apply >> 2nd apply results in failure

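When a plan proposes revoking a permission that was never granted, the useful check is to compare the plan against what Lake Formation itself reports rather than against Terraform state. The following is an added example, not code from the terraform-provider-aws project or from the issue author: it filters a ListPermissions response (the shape returned by `aws lakeformation list-permissions` / boto3 `list_permissions`) down to one principal and one database, then reports which planned revokes are phantoms, which desired grants are missing, and which real grants the configuration does not declare. The response embedded here is constructed to match the issue (only `CREATE_TABLE` on `mydb` was ever granted); the function and variable names are this example's own.

```python
"""Check whether a Lake Formation grant actually exists before trusting a plan diff.

Added example (not from the terraform-provider-aws project or the issue author).
The input shape mirrors the Lake Formation ListPermissions API response; the
sample response below is constructed, not captured from a real account.
"""
from typing import Dict, List, Tuple

# Constructed sample: what ListPermissions would return for the principal in the
# issue after the first apply. Only CREATE_TABLE on "mydb" was ever granted; the
# second entry is an unrelated grant on another database that the filter must skip.
SAMPLE_LIST_PERMISSIONS_RESPONSE = {
    "PrincipalResourcePermissions": [
        {
            "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::012345678901:role/myrole"},
            "Resource": {"Database": {"CatalogId": "012345678901", "Name": "mydb"}},
            "Permissions": ["CREATE_TABLE"],
            "PermissionsWithGrantOption": [],
        },
        {
            "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::012345678901:role/myrole"},
            "Resource": {"Database": {"CatalogId": "012345678901", "Name": "otherdb"}},
            "Permissions": ["ALL"],
            "PermissionsWithGrantOption": ["ALL"],
        },
    ]
}


def actual_database_permissions(
    response: Dict, principal_arn: str, catalog_id: str, database_name: str
) -> Tuple[set, set]:
    """Collect the permissions Lake Formation reports for one principal on one database.

    Returns (permissions, permissions_with_grant_option) as sets. Entries for other
    principals or resources are skipped; repeated entries for the same pair are merged.
    """
    perms, grant_perms = set(), set()
    for entry in response.get("PrincipalResourcePermissions", []):
        if entry.get("Principal", {}).get("DataLakePrincipalIdentifier") != principal_arn:
            continue
        db = entry.get("Resource", {}).get("Database")
        if not db or db.get("CatalogId") != catalog_id or db.get("Name") != database_name:
            continue
        perms.update(entry.get("Permissions", []))
        grant_perms.update(entry.get("PermissionsWithGrantOption", []))
    return perms, grant_perms


def plan_drift(planned_to_revoke: List[str], desired: List[str], actual: set) -> Dict[str, List[str]]:
    """Compare a plan's revoke list and the desired grant list against actual grants.

    "phantom_revokes": permissions the plan wants to revoke that do not exist (the
        "ALL" case in this issue); revoking them fails at apply time.
    "missing": desired permissions that are not actually granted.
    "extra": real grants the configuration does not declare.
    "in_sync": desired permissions that are present.
    """
    return {
        "phantom_revokes": sorted(p for p in planned_to_revoke if p not in actual),
        "missing": sorted(p for p in desired if p not in actual),
        "extra": sorted(actual - set(desired)),
        "in_sync": sorted(set(desired) & actual),
    }


if __name__ == "__main__":
    actual, _ = actual_database_permissions(
        SAMPLE_LIST_PERMISSIONS_RESPONSE,
        "arn:aws:iam::012345678901:role/myrole", "012345678901", "mydb",
    )
    # The plan in the issue proposes "- ALL" while the config asks for CREATE_TABLE.
    print(plan_drift(["ALL"], ["CREATE_TABLE"], actual))
```

Against a real account, replace the constructed dictionary with the parsed output of `aws lakeformation list-permissions --principal DataLakePrincipalIdentifier=<role arn> --resource '{"Database":{"CatalogId":"<account>","Name":"<db>"}}'`. A non-empty `phantom_revokes` list confirms that the plan's "ALL" is provider-side drift rather than a real grant, which is worth knowing before any workaround that suppresses the diff, since the same suppression would also hide a genuine over-grant.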
danu165 commented 3 years ago

Try upgrading to 3.49 or higher. That fixed it for me.

breathingdust commented 3 years ago

Hi @simonB2020! LakeFormation's permission model has been a tricky service to get right. We have done quite a lot of work on it in concert with a large client and we think it's been resolved now. As @danu165 said, please try 3.49.0 or higher.

peter-resnick commented 2 years ago

I'm also seeing this issue still occurring.

provider version: 4.31.0
terraform version: 1.0.3

fatbasstard commented 1 year ago

FYI: Hitting the same issue here (version 4.48)