hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Lake Formation LF-Tag Expression Limit Update #30095

Closed hocanint-amzn closed 1 year ago

hocanint-amzn commented 1 year ago

Description

There is a discrepancy between the number of items that are allowed in an LF-Tag expression when granting permissions that is limiting some use cases. The current code assumes a limit of 5, whereas the service documentation does not specify a limit (See references). We would like to update the limit to match the documentation. If we feel uncomfortable not leaving a limit to the number of items in the expression, a safe limit would be 20.

Just to note, I am an employee in the Lake Formation Service team at AWS and this is a request on behalf of some of our customers.

Thank you!

References

Location where the limit exists:

Would you like to implement a fix?

No


justinretzolk commented 1 year ago

Related: #26633
Related: #26546

hocanint-amzn commented 1 year ago

@justinretzolk Thanks for taking a look at this issue. Just to confirm that this is a different limit that is being hit than the related issues posted, and thus is not a duplicate. Just want to make sure that we are not closing out this issue. Thanks!

justinretzolk commented 1 year ago

Hey @hocanint-amzn, thanks for confirming those are different limits, and apologies for the misunderstanding on my part!

wzzzrd86 commented 1 year ago

@hocanint-amzn I'd like to take a look at this, and think I have reproduced what you are talking about very simply.

Do you have an example config file to share?

This is my very basic recreation of the issue.

resource "aws_lakeformation_permissions" "<my test>" {
  principal   = "<my arn>"
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  lf_tag_policy {
    resource_type = "DATABASE"

    expression {
      key    = "test"
      values = ["a"]
    }
    expression {
      key    = "test"
      values = ["b"]
    }
    expression {
      key    = "test"
      values = ["c"]
    }
    expression {
      key    = "test"
      values = ["d"]
    }
    expression {
      key    = "test"
      values = ["e"]
    }
    expression {
      key    = "test"
      values = ["f"]
    }
  }
}

Which produces the following

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.