hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: QuickSight dataset configuration is persisted to state file incorrectly #32100

Open awendt opened 1 year ago

awendt commented 1 year ago

Terraform Core Version

1.2.2

AWS Provider Version

4.67.0

Affected Resource(s)

Expected Behavior

Once applied and no changes have been made to the remote or local files there should be no changes in any subsequent plans.

Actual Behavior

There are constant changes when attempting new plans:

  # aws_quicksight_data_set.awendt-rls-user-based-rules will be updated in-place
  ~ resource "aws_quicksight_data_set" "awendt-rls-user-based-rules" {
        id             = "123456789012,awendt-rls-user-based-rules-2"
        name           = "awendt-rls-user-based-rules-2"
        tags           = {}
        # (6 unchanged attributes hidden)

      + physical_table_map {
          + physical_table_map_id = "awendt-rls-physical-table"

          + s3_source {
              + data_source_arn = "arn:aws:quicksight:eu-west-1:123456789012:datasource/awendt-user-based-rules"

              + input_columns {
                  + name = "GroupName"
                  + type = "STRING"
                }
              + input_columns {
                  + name = "org"
                  + type = "STRING"
                }

              + upload_settings {
                  + contains_header = (known after apply)
                  + delimiter       = (known after apply)
                  + format          = "JSON"
                  + start_from_row  = (known after apply)
                  + text_qualifier  = (known after apply)
                }
            }
        }
      - physical_table_map {
          - physical_table_map_id = "awendt-rls-physical-table" -> null

          - s3_source {
              - data_source_arn = "arn:aws:quicksight:eu-west-1:123456789012:datasource/awendt-user-based-rules" -> null

              - input_columns {
                  - name = "GroupName" -> null
                  - type = "STRING" -> null
                }
              - input_columns {
                  - name = "org" -> null
                  - type = "STRING" -> null
                }

              - upload_settings {
                  - contains_header = true -> null
                  - format          = "JSON" -> null
                  - start_from_row  = 0 -> null
                  - text_qualifier  = "DOUBLE_QUOTE" -> null
                }
            }
        }
        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_s3_bucket" "quicksight-recurring-diff" {
  bucket        = "awendt-reproduce-quicksight-recurring-diff"
  force_destroy = true
}

resource "aws_s3_object" "user_based_rls" {
  bucket = aws_s3_bucket.quicksight-recurring-diff.bucket
  key    = "quicksight/user_based_rls.json"

  # Note that the order of the keys in this json needs to match the order of the RLS dataset's column config.
  content = jsonencode([])

  content_type = "application/json"
  acl          = "private"
}

resource "aws_s3_object" "user_based_rls_manifest" {
  bucket = aws_s3_bucket.quicksight-recurring-diff.bucket
  key    = "quicksight/user_based_rls_manifest.json"

  content = jsonencode({
    fileLocations        = [{ URIs = ["s3://${aws_s3_bucket.quicksight-recurring-diff.bucket}/${aws_s3_object.user_based_rls.key}"] }]
    globalUploadSettings = { format = "JSON" }
  })

  content_type = "application/json"
  acl          = "private"
}

## Give QuickSight permission to access S3 via IAM role policy
data "aws_iam_policy_document" "s3-readwrite" {
  statement {
    actions = [
      "s3:*",
    ]

    resources = [
      aws_s3_bucket.quicksight-recurring-diff.arn,
      "${aws_s3_bucket.quicksight-recurring-diff.arn}/*"
    ]
  }
}

resource "aws_iam_role_policy" "s3-quicksight-access" {
  name   = "awendt-quicksight-access"
  role   = "aws-quicksight"
  policy = data.aws_iam_policy_document.s3-readwrite.json
}

resource "aws_quicksight_data_source" "awendt-user-based-rules" {
  data_source_id = "awendt-user-based-rules"
  name           = "awendt-user-based-rules"
  type           = "S3"

  parameters {
    # Uses the manifest file location on s3
    s3 {
      manifest_file_location {
        bucket = aws_s3_bucket.quicksight-recurring-diff.bucket
        key    = aws_s3_object.user_based_rls_manifest.key
      }
    }
  }

  depends_on = [
    aws_iam_role_policy.s3-quicksight-access,
  ]
}

resource "aws_quicksight_data_set" "awendt-rls-user-based-rules" {
  name        = "awendt-rls-user-based-rules-2"
  data_set_id = "awendt-rls-user-based-rules-2"
  import_mode = "SPICE"

  physical_table_map {
    physical_table_map_id = "awendt-rls-physical-table"
    s3_source {
      data_source_arn = aws_quicksight_data_source.awendt-user-based-rules.arn
      input_columns {
        name = "GroupName"
        type = "STRING"
      }
      input_columns {
        name = "org"
        type = "STRING"
      }

      upload_settings {
        format = "JSON"
      }
    }
  }
}

Steps to Reproduce

  1. terraform apply (may fail with AccessDeniedException: Insufficient permission to access the manifest file because the permission takes a while to propagate)
  2. Once everything is created successfully, terraform apply will show a recurring diff

Debug Output

https://gist.github.com/awendt/ed5e77d9a1b93c719c690245515ce72f

Panic Output

No response

Important Factoids

        "PhysicalTableMap": {
            "name": {
                "S3Source": {
                    "DataSourceArn": "arn:of:resource",
                    "UploadSettings": {
                        "Format": "JSON",
                        "ContainsHeader": true,
                        "TextQualifier": "DOUBLE_QUOTE"
                    },
                }
            }
        }

"upload_settings": [
  {
    "contains_header": true,
    "delimiter": "",
    "format": "JSON",
    "start_from_row": 0,
    "text_qualifier": "DOUBLE_QUOTE"
  }
]

It seems that when StartFromRow and Delimiter are not provided, they are being persisted as 0 and "" respectively, even though the QuickSight API does not include them in UploadSettings.

References

No response

Would you like to implement a fix?

No
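The mismatch this report describes, as an added example that is not part of the original issue and is not the provider's code: a flattener that writes Go zero values for fields the API omitted puts `delimiter` and `start_from_row` into state, while one that skips omitted fields does not. The `fields` mapping and the function names `flatten` and `PhantomAttrs` are assumptions made for illustration.

```go
package main

import "fmt"

// Constructed sample: UploadSettings as the API returned it in the report.
var apiSettings = map[string]interface{}{
	"Format": "JSON", "ContainsHeader": true, "TextQualifier": "DOUBLE_QUOTE",
}

// fields: API key, state attribute, zero value (assumed mapping, not provider source).
var fields = []struct {
	api, attr string
	zero      interface{}
}{
	{"ContainsHeader", "contains_header", false},
	{"Delimiter", "delimiter", ""},
	{"Format", "format", ""},
	{"StartFromRow", "start_from_row", 0},
	{"TextQualifier", "text_qualifier", ""},
}

// flatten converts the API object into state attributes. With zeroFill, fields
// the API omitted are stored as zero values; without it they stay unset.
func flatten(api map[string]interface{}, zeroFill bool) map[string]interface{} {
	state := map[string]interface{}{}
	for _, f := range fields {
		if v, ok := api[f.api]; ok {
			state[f.attr] = v
		} else if zeroFill {
			state[f.attr] = f.zero
		}
	}
	return state
}

// PhantomAttrs lists state attributes that have no counterpart in the API response.
func PhantomAttrs(state, api map[string]interface{}) []string {
	out := []string{}
	for _, f := range fields {
		_, inState := state[f.attr]
		if _, inAPI := api[f.api]; inState && !inAPI {
			out = append(out, f.attr)
		}
	}
	return out
}

func main() {
	fmt.Println(PhantomAttrs(flatten(apiSettings, true), apiSettings)) // [delimiter start_from_row]
}
```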

justinretzolk commented 1 year ago

Hey @awendt 👋 Thank you for taking the time to raise this! So that we have the relevant information in order to take a look into this, can you supply debug logs (redacted as needed) as well?

awendt commented 1 year ago

@justinretzolk Sorry this took so long. Here are the debug logs: https://gist.github.com/awendt/ed5e77d9a1b93c719c690245515ce72f

hanstf commented 5 months ago

We are also having the same issue. Actually, even though start_from_row is set to 1 and the state also has start_from_row as 1, whenever we run plan, it still shows that start_from_row is 0. When calling quicksight describe-data-set, we also never get StartFromRow even though we have already set it to 1.

"PhysicalTableMap": {
            "draft-rls": {
                "S3Source": {
                    "DataSourceArn": "arn:aws:quicksight:ap-southeast-1:962483987846:----",
                    "UploadSettings": {
                        "Format": "CSV",
                        "ContainsHeader": true,
                        "TextQualifier": "DOUBLE_QUOTE",
                        "Delimiter": ","
                    },