[Bug]: Lake Formation Resource Permission parameters need to be Lexical order

Terraform Core Version

1.3.6

AWS Provider Version

4.64.0

Affected Resource(s)

aws_lakeformation_permissions

Expected Behavior

The following code block should not lead to deletion/creation of resources if unchanged.

resource "aws_lakeformation_permissions" "lf_read" {
    permissions = ["SELECT", "DESCRIBE"]
    for_each = data.aws_iam_role.some_roles
    principal = each.value.arn
    table {
        database_name = var.glue_database
        wildcard = true
    }
}

Actual Behavior

The above code block leads to deletion and creation of the lake formation permission on multiple runs due to internal/implicit reordering in the provider to lexical order.

Changing the source in Terraform for permissions to be lexical order stops this unexpected behaviour.

resource "aws_lakeformation_permissions" "lf_read" {
    permissions = ["DESCRIBE", "SELECT"]
    for_each = data.aws_iam_role.some_roles
    principal = each.value.arn
    table {
        database_name = var.glue_database
        wildcard = true
    }
}

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

N/A

Steps to Reproduce

N/A

Debug Output

N/A

Panic Output

N/A

Important Factoids

The documentation hints towards implicit lexical ordering. This helped with troubleshooting this issue. Happy to document this in the provider explicitly.

Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lakeformation_permissions

Would you like to implement a fix?

Yes

hashicorp / terraform-provider-aws