Open Fanswers opened 1 year ago
The issue is not related to Terraform directly: TF generates the query correctly, but the AWS response is [] for resource type TABLE, even for direct CLI calls.
{
  "Principal": {
    "DataLakePrincipalIdentifier": "arn:aws:iam::xxx"
  },
  "Resource": {
    "LFTagPolicy": {
      "CatalogId": "central_account_id",
      "ResourceType": "TABLE",
      "Expression": [
        { "TagKey": "lob", "TagValues": [ "line" ] },
        { "TagKey": "lob.line", "TagValues": [ "lambo" ] }
      ]
    }
  }
}
-> aws lakeformation list-permissions --cli-input-json file://test_above.json
{
  "PrincipalResourcePermissions": []
}
and it should find something in my configuration; for type "DATABASE" it's OK.
Hi, thanks for your answer, but I don't think it responds to my problem. Maybe I've misunderstood something.
The error is that Terraform can't create data lake permissions on lf_tags shared across accounts. But we can do it with the grant-permissions query on the AWS CLI. So I think the problem comes from Terraform.
It's not a solution, just a note left here that the issue is probably in a different repository, as the AWS API call's return value is wrong and does not include the "SELECT" values, so Terraform cannot confirm that the resource is being created.
We are also experiencing this issue - anyone able to find a solve for this?
While waiting for this issue to be solved, we used the AWS CLI via Terraform to create our LF tags. It's not a very clean solution, but it is the only one I've found to skirt this bug.
We have also been hit by this bug. Terraform produces this error after the apply, but the permission is actually created:
Error: error reading Lake Formation permissions: timeout while waiting for state to become 'AVAILABLE' (last state: 'NOT FOUND', timeout: 1m0s)
Here are the reproduction steps using the AWS CLI:
{
  "CatalogId": "local_catalog",
  "Permissions": [
    "DESCRIBE"
  ],
  "Principal": {
    "DataLakePrincipalIdentifier": "arn:aws:iam::local_catalog:role/myrole"
  },
  "Resource": {
    "LFTagPolicy": {
      "CatalogId": "remote_catalog",
      "Expression": [
        {
          "TagKey": "data_layer",
          "TagValues": [
            "gold"
          ]
        }
      ],
      "ResourceType": "DATABASE"
    }
  }
}
$ aws lakeformation grant-permissions --cli-input-json file://test-create.json
{
  "CatalogId": "local_catalog",
  "Principal": {
    "DataLakePrincipalIdentifier": "arn:aws:iam::local_catalog:role/myrole"
  },
  "Resource": {
    "LFTagPolicy": {
      "CatalogId": "remote_catalog",
      "Expression": [
        {
          "TagKey": "data_layer",
          "TagValues": [
            "gold"
          ]
        }
      ],
      "ResourceType": "DATABASE"
    }
  }
}
$ aws lakeformation list-permissions --cli-input-json file://test-list.json
{
  "PrincipalResourcePermissions": []
}
Does anyone know if this bug is resolved or not?
Doesn't seem resolved, no 😕
The issue is still open.
Thank you!
We encountered this issue as well but discovered a work-around, at least for our setup. If we only specify some of the tags and values used for the cross-account sharing, we get the timeout reliably, but if we specify the exact same tags and values, the aws_lakeformation_permissions resource creates successfully.
I'm not sure why this works, but FWIW.
Of course this work-around has limited utility, because you can't specify narrower permissions for a local principal than what was granted at the account level. Can confirm the provider creates narrower permissions and they work; it just times out trying to read them back.
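As an added example (not code from the thread or the provider), the script below reproduces the provider's read-back step offline: it looks a grant up in a captured list-permissions response and checks whether a local tag expression exactly matches the one shared at account level. Every JSON document in it is constructed to mirror the CLI reproduction above; the account ids and the role name are placeholders.

```python
"""Offline check of the Lake Formation read-back the provider performs.

Added example, not from the thread or the provider. After grant-permissions
the provider polls list-permissions until the grant appears; this repeats that
lookup on captured JSON. All documents are constructed, ids are placeholders.
"""

def expression_key(expression):
    """Order-independent key for an LFTagPolicy Expression."""
    return frozenset((t["TagKey"], frozenset(t["TagValues"])) for t in expression)

def policy_key(policy):
    """Identity of one LFTagPolicy resource: catalog, resource type, tags."""
    return (policy["CatalogId"], policy["ResourceType"], expression_key(policy["Expression"]))

def find_grant(list_response, principal, policy):
    """Permissions list-permissions reports for this principal/policy, or None.

    None is the state described in the thread: the grant exists, but the API
    returns [] so the read-back never reaches 'AVAILABLE' and times out.
    """
    for entry in list_response.get("PrincipalResourcePermissions", []):
        if (entry["Principal"]["DataLakePrincipalIdentifier"] == principal
                and policy_key(entry["Resource"]["LFTagPolicy"]) == policy_key(policy)):
            return entry["Permissions"]
    return None

def matches_share(local_expression, shared_expression):
    """Work-around from the thread: the local grant must use exactly the tag
    expression shared at account level, not a narrower subset of it."""
    return expression_key(local_expression) == expression_key(shared_expression)

# Constructed inputs mirroring the CLI reproduction above (placeholder ids).
PRINCIPAL = "arn:aws:iam::111111111111:role/myrole"
POLICY = {"CatalogId": "222222222222", "ResourceType": "DATABASE",
          "Expression": [{"TagKey": "data_layer", "TagValues": ["gold"]}]}
EMPTY_RESPONSE = {"PrincipalResourcePermissions": []}        # what the thread observed
HEALTHY_RESPONSE = {"PrincipalResourcePermissions": [{      # what a working read-back returns
    "Principal": {"DataLakePrincipalIdentifier": PRINCIPAL},
    "Resource": {"LFTagPolicy": POLICY},
    "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": []}]}

if __name__ == "__main__":
    print("bug case   :", find_grant(EMPTY_RESPONSE, PRINCIPAL, POLICY))    # None
    print("healthy    :", find_grant(HEALTHY_RESPONSE, PRINCIPAL, POLICY))  # ['DESCRIBE']
    shared = [{"TagKey": "data_layer", "TagValues": ["gold", "silver"]}]
    print("exact match:", matches_share(POLICY["Expression"], shared))     # False
```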
Terraform CLI and Terraform AWS Provider Version
Terraform v1.2.8 on windows_amd64
Affected Resource(s)
Terraform Configuration Files
template file:
main.tf:
Expected Behavior
An AWS Lake Formation permission should be created on the LF tag that is shared between different accounts.
Actual Behavior
Terraform can't find the targeted LF tag; it raises an EntityNotFoundException error. If we specify the catalog_id of the LF tag, it raises another error saying: "error reading Lake Formation permissions: timeout while waiting for state to become 'AVAILABLE' (last state: 'NOT FOUND', timeout: 1m0s)"
It is, however, possible to do it by hand with the AWS CLI.
Steps to Reproduce
terraform plan
terraform apply