[Bug]: leaving empty `create_table_default_permission` in `aws_glue_catalog_database` does not remove the default IAM_ALLOWED_PRINCIPALS

[thulasirajkomminar]

Terraform Core Version

1.3.2

AWS Provider Version

4.35.0

Affected Resource(s)

aws_glue_catalog_database

Expected Behavior

The issue occurs during apply

resource "aws_glue_catalog_database" "default" {
  name = "database"

  create_table_default_permission {}
}

The expected behaviour is when sending the api call to aws should look like

"requestParameters": {
        "catalogId": "*******",
        "name": "database",
        "databaseInput": {
            "name": "database",
            "createTableDefaultPermissions": [
            ]
        }
    }

Actual Behavior

The actual call to aws looks like this

"requestParameters": {
        "catalogId": "*****",
        "name": "database",
        "databaseInput": {
            "name": "database",
            "createTableDefaultPermissions": [
                {}
            ]
        }
    }

which is invalid and results in

"errorCode": "InvalidInputException",
"errorMessage": "Principal in PrincipalPrivileges cannot be null.",

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_glue_catalog_database" "default" {
  name = "database"

  create_table_default_permission {}
}

Steps to Reproduce

resource "aws_glue_catalog_database" "default" {
  name = "database"

  create_table_default_permission {}
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

Yes

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jar-b]

Implementation notes:

• Given create_table_default_permissions is optional and computed, appropriately triggering a diff when a configured value is removed requires a CustomizeDiff function.
  • As these can become complicated, especially for nested blocks and optional/computed arguments, I've removed the good first issue label. This fix will require familiarity (or research into) interacting with raw state and configuration data.
• In order to remove permissions, an empty permissions object ([]*glue.PrincipalPermissions{}) must be sent. Setting the CreateTableDefaultPermissions struct argument to nil results in no changes.
• The existing TestAccGlueCatalogDatabase_createTablePermission can be modified to exercise this case by adding a step between the permission updates which removes them entirely (use the _basic config). The step should check that the permissions attribute has 0 entries.