hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_lakeformation_data_lake_settings database and table default permissions block do not have the aws expected behavior #25134

Closed dthauvin closed 1 month ago

dthauvin commented 2 years ago


Terraform CLI and Terraform AWS Provider Version

terraform --version
Terraform v1.2.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.16.0

Affected Resource(s)

Terraform Configuration Files

data "aws_caller_identity" "current" {}

data "aws_lakeformation_data_lake_settings" "get-lf-settings" {
  catalog_id = data.aws_caller_identity.current.account_id
}

resource "aws_lakeformation_data_lake_settings" "lf-admin-settings" {
  admins = data.aws_lakeformation_data_lake_settings.get-lf-settings.admins
  create_database_default_permissions {
  }
  create_table_default_permissions {
  }
  trusted_resource_owners = data.aws_lakeformation_data_lake_settings.get-lf-settings.trusted_resource_owners
}

Debug Output

$ terraform plan
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Expected Behavior

Terraform should remove the following initial security settings of Lake Formation:

In a typical AWS Lake Formation setup or migration, AWS admin accounts want to disable these settings at the right time.

If the blocks create_database_default_permissions or create_table_default_permissions are empty, Terraform should remove the initial security settings.

Using the AWS CLI I get the right behavior:

aws lakeformation put-data-lake-settings --catalog-id 111111111111  --cli-input-json file://debug-lf-settings.json --profile yourprofile

file://debug-lf-settings.json

{
    "CatalogId": "111111111111",
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {
                "DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/ADMIN1"
            },
            {
                "DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/ADMIN2"
            }
        ],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [],
        "TrustedResourceOwners": []
    }
}

Result in AWS console :

[image: screenshot of the resulting Lake Formation settings in the AWS console]

Actual Behavior

Nothing happens; Terraform does not detect any changes to apply.

Steps to Reproduce

data "aws_caller_identity" "current" {}

data "aws_lakeformation_data_lake_settings" "get-lf-settings" {
  catalog_id = data.aws_caller_identity.current.account_id
}

resource "aws_lakeformation_data_lake_settings" "lf-admin-settings" {
  admins = data.aws_lakeformation_data_lake_settings.get-lf-settings.admins
  trusted_resource_owners = data.aws_lakeformation_data_lake_settings.get-lf-settings.trusted_resource_owners
}

1. Initial apply: terraform apply

If the blocks create_database_default_permissions or create_table_default_permissions are missing at the first-run creation, the aws_lakeformation_data_lake_settings resource deletes the Lake Formation initial settings.

2. Get back the default settings: terraform apply

As users need to keep the initial Lake Formation settings in order to perform the Lake Formation activation at the right moment, the user must do something like:

resource "aws_lakeformation_data_lake_settings" "lf-admin-settings" {
  admins = data.aws_lakeformation_data_lake_settings.get-lf-settings.admins
  create_database_default_permissions  {
      permissions = data.aws_lakeformation_data_lake_settings.get-lf-settings.create_database_default_permissions[0].permissions
      principal = data.aws_lakeformation_data_lake_settings.get-lf-settings.create_database_default_permissions[0].principal
  } 
  create_table_default_permissions {
      permissions = data.aws_lakeformation_data_lake_settings.get-lf-settings.create_table_default_permissions[0].permissions
      principal = data.aws_lakeformation_data_lake_settings.get-lf-settings.create_table_default_permissions[0].principal
  }
  trusted_resource_owners = data.aws_lakeformation_data_lake_settings.get-lf-settings.trusted_resource_owners
}
3. When the right moment to remove the initial settings shows up: terraform apply

resource "aws_lakeformation_data_lake_settings" "lf-admin-settings" {
  admins = data.aws_lakeformation_data_lake_settings.get-lf-settings.admins
  create_database_default_permissions {
  }
  create_table_default_permissions {
  }
  trusted_resource_owners = data.aws_lakeformation_data_lake_settings.get-lf-settings.trusted_resource_owners
}

or

resource "aws_lakeformation_data_lake_settings" "lf-admin-settings" {
  admins = data.aws_lakeformation_data_lake_settings.get-lf-settings.admins
  trusted_resource_owners = data.aws_lakeformation_data_lake_settings.get-lf-settings.trusted_resource_owners
}

simply does not work. The initial settings are not removed when the user wants them to be. Terraform says:

No changes. Your infrastructure matches the configuration.

References

AWS Documentation
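Because `terraform plan` reports "No changes" even though the default-permission grants are still in place, the only reliable way to know whether Lake Formation is actually enforcing fine-grained access for newly created databases and tables is to read the live settings back and compare them with the intended state. The following Python script is an added example for this issue (it is neither the provider's code nor the reporter's configuration). It works on the JSON shape used by `aws lakeformation get-data-lake-settings` and `put-data-lake-settings`, the same structure as the debug-lf-settings.json above. The "current" response embedded below is a constructed sample; it assumes the account still carries the typical initial grant of ALL to IAM_ALLOWED_PRINCIPALS, which is exactly the setting the issue wants removed.

```python
"""Out-of-band drift check for Lake Formation default-permission grants.

Added example for the issue above; not part of terraform-provider-aws.
Usage with live data (catalog id and file names are placeholders):
    aws lakeformation get-data-lake-settings --catalog-id 111111111111 > current.json
    python check_lf_defaults.py current.json debug-lf-settings.json
Without arguments it runs against the constructed samples below.
"""
import json
import sys

# Constructed sample of what an untouched account is assumed to return.
# The IAM_ALLOWED_PRINCIPALS / ALL grants are the "initial security
# settings" the issue wants Terraform to remove.
SAMPLE_CURRENT = json.loads("""
{
  "DataLakeSettings": {
    "DataLakeAdmins": [
      {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/ADMIN1"}
    ],
    "CreateDatabaseDefaultPermissions": [
      {"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"},
       "Permissions": ["ALL"]}
    ],
    "CreateTableDefaultPermissions": [
      {"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"},
       "Permissions": ["ALL"]}
    ],
    "TrustedResourceOwners": []
  }
}
""")

# Desired state: the put-data-lake-settings input from the issue, with both
# default-permission lists emptied so Lake Formation permissions apply.
DESIRED = {
    "CatalogId": "111111111111",
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/ADMIN1"},
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:role/ADMIN2"},
        ],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [],
        "TrustedResourceOwners": [],
    },
}

DEFAULT_KEYS = ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions")


def default_grants(settings):
    """Normalise both default-permission lists into {key: [(principal, perms)]}.

    Permissions are sorted into a tuple so two grants compare equal regardless
    of the order AWS returns them in.
    """
    dls = settings["DataLakeSettings"]
    out = {}
    for key in DEFAULT_KEYS:
        grants = []
        for entry in dls.get(key, []):
            principal = entry["Principal"]["DataLakePrincipalIdentifier"]
            grants.append((principal, tuple(sorted(entry.get("Permissions", [])))))
        out[key] = grants
    return out


def still_open(settings):
    """True while any default list still grants something to a principal,
    i.e. newly created databases/tables are not yet governed by Lake Formation."""
    return any(default_grants(settings)[key] for key in DEFAULT_KEYS)


def find_drift(current, desired):
    """Return one finding per default list whose live grants differ from the
    intended grants. An empty list means the account matches the intent."""
    cur, des = default_grants(current), default_grants(desired)
    return [
        f"{key}: live={cur[key]} desired={des[key]}"
        for key in DEFAULT_KEYS
        if cur[key] != des[key]
    ]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            current = json.load(f)
        with open(sys.argv[2]) as f:
            desired = json.load(f)
    else:
        current, desired = SAMPLE_CURRENT, DESIRED
    for finding in find_drift(current, desired):
        print("DRIFT", finding)
    print("default grants still open:", still_open(current))
    sys.exit(1 if find_drift(current, desired) else 0)
```

The script exits non-zero when the live default grants differ from the intended ones, so it can sit in a pipeline step after `terraform apply` to catch exactly the case in this issue: a plan that says "No changes" while the account still hands ALL on every new database and table to IAM_ALLOWED_PRINCIPALS.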

github-actions[bot] commented 2 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 3 weeks ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.