hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_lakeformation_permissions forcing replacement due to non-existing permissions changes #22570

Open LuigiClemente-Awin opened 2 years ago

LuigiClemente-Awin commented 2 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.1, AWS Provider v3.71.0

Affected Resource(s)

aws_lakeformation_permissions

Terraform Configuration Files

This happens to every table permission that I have set for a "read-only" role, Audit, for example:

resource "aws_lakeformation_permissions" "cloudtrail_table" {
  for_each = toset(local.user_role_arns)

  permissions = ["SELECT", "DESCRIBE"]
  principal   = each.key

  table {
    database_name = var.audit_database_name
    name          = var.cloudtrail_table_name
  }
}

As you see, I only set SELECT and DESCRIBE. In the console I only see SELECT and DESCRIBE permissions for all tables. Every time I run plan or apply, it will replace the tables. This does not break Lake Formation settings, but it doesn't look correct to me. Please note that this also happened in version 3.56.0 of the AWS provider.

I apply the changes and all permissions resources are replaced. Nothing changes in console UI. I re-run the plan and again it shows the same forced replacements.

Debug Output

Every time I run plan I get:

 # aws_lakeformation_permissions.vpc_flowlogs_table["arn:aws:iam::xxxxxxxxxx:role/Audit"] must be replaced
-/+ resource "aws_lakeformation_permissions" "vpc_flowlogs_table" {
      ~ id                            = "xxxxxxxxxxx" -> (known after apply)
      ~ permissions                   = [ # forces replacement
          - "ALL",
          - "DESCRIBE",
            "SELECT",
          + "DESCRIBE",
        ]

Thanks in advance for checking this.

Best,

Luigi

m4t22 commented 2 years ago

I get the same bug every time I execute the plan.

zerfahp commented 2 years ago

I am seeing the same issue.

zerfahp commented 2 years ago

This is a bigger issue than it seems because permissions are revoked temporarily then re-granted (according to the plan and apply). This will result in access being temporarily lost. If a role is using the data in question the process will fail. This could have a big impact on say, production batch jobs running on Athena.

zerfahp commented 2 years ago

I seem to have stopped it happening for some resource by explicitly adding:

permissions_with_grant_option = []

Even though I am not adding any grant options. Doesn't seem to have cleared all of them up though.

GeorgeTerry commented 2 years ago

I have the same issue. Adding the line permissions_with_grant_option = [] didn't work for me. For this case I added a lifecycle block to ignore changes after the permission was applied.

lifecycle { ignore_changes = [ permissions ] }

peter-resnick commented 1 year ago

Any updates on this? We are at double-digit thumbs up on this one for something reported almost a year ago. We are still seeing this issue and it's significantly bloating our Terraform operations.

peter-resnick commented 1 year ago

I know this was supposedly resolved after the submission of this issue, but something is still wrong: the non-existent permissions are still being shown by Terraform as needing to be replaced, but the AWS API calls return

"errorMessage": "No permissions revoked. Grantee does not have grantable permissions on:[ALTER, ALL, DELETE, DROP, DESCRIBE, INSERT, SELECT]",

when Terraform tries to make a RevokePermissions call.
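The reporter checked the console and peter-resnick read the RevokePermissions error to conclude that the "ALL" Terraform wants to revoke was never actually held. The script below does that comparison from the Lake Formation API instead of the console: it reads the permissions a principal really holds on a table from a ListPermissions response, diffs them against the set the Terraform configuration intends, and flags a plan whose stored state disagrees with the real grant while the real grant already matches the config. This is an added example for this thread, not code from the provider or from any commenter; the response shape (PrincipalResourcePermissions with Principal, Resource, Permissions and PermissionsWithGrantOption) is the real ListPermissions output, but the sample response, the account id, the role names and the database and table names are constructed. The optional boto3 fetch is only called when you run it with real credentials.

```python
"""Check real Lake Formation grants against what a Terraform config intends.

Added example for this issue thread, not provider or commenter code.
The sample ListPermissions response below is constructed; only its
structure follows the real API.
"""

# Constructed sample: the Audit role holds exactly SELECT and DESCRIBE on
# audit.cloudtrail (as in the issue). A second principal on the same table
# is included to show the filter ignores it.
SAMPLE_LIST_PERMISSIONS_RESPONSE = {
    "PrincipalResourcePermissions": [
        {
            "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/Audit"},
            "Resource": {"Table": {"CatalogId": "111122223333", "DatabaseName": "audit", "Name": "cloudtrail"}},
            "Permissions": ["SELECT", "DESCRIBE"],
            "PermissionsWithGrantOption": [],
        },
        {
            "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/Admin"},
            "Resource": {"Table": {"CatalogId": "111122223333", "DatabaseName": "audit", "Name": "cloudtrail"}},
            "Permissions": ["ALL"],
            "PermissionsWithGrantOption": ["ALL"],
        },
    ]
}


def actual_permissions(response, principal_arn, database, table):
    """Union of Permissions held by one principal on one table.

    Entries for other principals or other tables are skipped, so the
    result is exactly what a RevokePermissions call for this principal
    could actually revoke.
    """
    held = set()
    for entry in response.get("PrincipalResourcePermissions", []):
        if entry.get("Principal", {}).get("DataLakePrincipalIdentifier") != principal_arn:
            continue
        tbl = entry.get("Resource", {}).get("Table")
        if not tbl or tbl.get("DatabaseName") != database or tbl.get("Name") != table:
            continue
        held.update(entry.get("Permissions", []))
    return held


def diff_permissions(desired, actual):
    """Return (missing, unexpected).

    missing: permissions the config wants but the principal does not hold.
    unexpected: permissions the principal holds beyond the config. Anything
    in `unexpected` is real drift that a lifecycle ignore_changes on
    `permissions` would silently stop Terraform from correcting.
    """
    desired, actual = set(desired), set(actual)
    return desired - actual, actual - desired


def plan_replacement_is_spurious(desired, state_permissions, actual):
    """True when the replacement in the plan would change nothing real.

    Terraform compares its stored state (`state_permissions`, e.g. the
    ALL/DESCRIBE/SELECT the plan shows as current) against the config. If
    that stored state differs from the API truth but the API truth already
    equals `desired`, the revoke/re-grant only opens a window in which the
    principal temporarily loses access, as zerfahp described.
    """
    missing, unexpected = diff_permissions(desired, actual)
    return set(state_permissions) != set(actual) and not missing and not unexpected


def fetch_permissions(principal_arn, database, table, catalog_id=None):
    """Pull the live ListPermissions response for one principal and table.

    Requires boto3 and AWS credentials; imported lazily so the rest of the
    module runs offline. Pages through NextToken and merges the entries.
    """
    import boto3  # assumption: boto3 available in the environment

    client = boto3.client("lakeformation")
    params = {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "ResourceType": "TABLE",
        "Resource": {"Table": {"DatabaseName": database, "Name": table}},
    }
    if catalog_id:
        params["CatalogId"] = catalog_id
    merged = {"PrincipalResourcePermissions": []}
    while True:
        page = client.list_permissions(**params)
        merged["PrincipalResourcePermissions"].extend(page.get("PrincipalResourcePermissions", []))
        if not page.get("NextToken"):
            return merged
        params["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    desired = ["SELECT", "DESCRIBE"]                 # what the HCL grants
    state = ["ALL", "DESCRIBE", "SELECT"]            # what the plan says is current
    held = actual_permissions(SAMPLE_LIST_PERMISSIONS_RESPONSE,
                              "arn:aws:iam::111122223333:role/Audit", "audit", "cloudtrail")
    print("held:", sorted(held), "diff:", diff_permissions(desired, held))
    print("spurious replacement:", plan_replacement_is_spurious(desired, state, held))
```

Run against a real account by swapping `SAMPLE_LIST_PERMISSIONS_RESPONSE` for `fetch_permissions(...)`. A non-empty `unexpected` set is the case to care about before adopting the `ignore_changes = [permissions]` workaround: once permissions are ignored, an out-of-band grant of ALL to a read-only role would no longer be reverted by Terraform, so the check is worth keeping as a periodic drift audit.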