hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cannot update Lakeformation permission for lf-tags #26557

Closed ctrongminh closed 1 year ago

ctrongminh commented 2 years ago

Community Note

Terraform CLI and Terraform AWS Provider Version

terraform -v

Terraform v1.2.4 on darwin_amd64

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

# Variable declaration inferred from the input value shown below; it is not part of
# the original report but is needed for the configuration to apply on its own.
variable "lf_permissions_with_lf_tags" {
  type = list(object({
    role_arn      = string
    permissions   = list(string)
    resource_type = string
    expression = list(object({
      key    = string
      values = list(string)
    }))
  }))
}

# One permission grant per list element; each grant is scoped by an LF-tag expression.
resource "aws_lakeformation_permissions" "lf_tag" {
  count       = length(var.lf_permissions_with_lf_tags)
  principal   = var.lf_permissions_with_lf_tags[count.index].role_arn
  permissions = var.lf_permissions_with_lf_tags[count.index].permissions

  lf_tag_policy {
    resource_type = var.lf_permissions_with_lf_tags[count.index].resource_type

    # One expression block per key/values pair in the input.
    dynamic "expression" {
      for_each = var.lf_permissions_with_lf_tags[count.index].expression
      content {
        key    = expression.value["key"]
        values = expression.value["values"]
      }
    }
  }
}

Input value for the list lf_permissions_with_lf_tags:

lf_permissions_with_lf_tags = [
  {
    "role_arn": "arn:aws:iam::xxxxx:role/lf-tag",
    "permissions": ["SELECT"],
    "resource_type": "TABLE",
    "expression": [
      {
        "key": "test",
        "values": ["test"]
      }
    ]
  }
]

Debug Output

Panic Output

Expected Behavior

The existing lakeformation permission for the lf-tag should have been destroyed and recreated. Instead, I think it calls the update API, so it fails.

Actual Behavior

The terraform apply failed with the error below:

Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve.

Enter a value: yes

aws_lakeformation_permissions.lf_tag[2]: Modifying... [id=2540408176]
╷
│ Error: doesn't support update
│
│   with aws_lakeformation_permissions.lf_tag[2],
│   on lf_tags_permission.tf line 1, in resource "aws_lakeformation_permissions" "lf_tag":
│    1: resource "aws_lakeformation_permissions" "lf_tag" {
│

Steps to Reproduce

  1. terraform apply
  2. Change the input lf-tag value to something else
  3. terraform apply
  4. The error will occur

Important Factoids

Currently, if I want to update a permission that has been deployed by terraform, I need to use the workaround of calling destroy and then apply. But I think it should be done in the terraform code.

  1. Run terraform destroy for that resource
  2. Update the input / value
  3. Run terraform apply for the resource

References
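The destroy-then-apply workaround above, as an added example that is not from the issue or the provider: rather than running terraform destroy on the resource, the affected instances can be forced to be replaced within a single plan using terraform's -replace option, which avoids the update path that fails. The resource address aws_lakeformation_permissions.lf_tag is assumed from the report; the helper only builds the flags, so the plan can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the issue or the provider.
# Builds "-replace=ADDRESS" arguments for every instance of a count-indexed
# resource, reading the output of `terraform state list` from stdin.
# Instances of other resources (or the same resource inside a module, whose
# address carries a "module." prefix) are ignored.

replace_flags() {
  # $1: resource address prefix, e.g. aws_lakeformation_permissions.lf_tag
  prefix="$1"
  flags=""
  while IFS= read -r addr; do
    case "$addr" in
      "$prefix"\[*\])
        flags="$flags -replace=$addr"
        ;;
    esac
  done
  # Strip the leading space left by the first append.
  printf '%s\n' "${flags# }"
}

# Live usage (not executed here):
#   flags=$(terraform state list | replace_flags aws_lakeformation_permissions.lf_tag)
#   terraform plan $flags    # every listed instance should show "must be replaced"
#   terraform apply $flags
```

Review the plan output first: with the flags each instance is planned as destroy-then-create instead of the in-place update that triggers "doesn't support update".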

earglass commented 1 year ago

Is there anything happening on this topic? I see a ready PR that has been sitting here since September. What's the workaround for now? It seems lifecycle 'replace_triggered_by' is just ignored by this resource, so what's left, a cloudformation stack? Or will we get some movement on this finally?

github-actions[bot] commented 1 year ago

This functionality has been released in v4.64.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.