hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error removing LakeFormation permissions in hybrid mode #36827

Open mlnrt opened 2 months ago

mlnrt commented 2 months ago

Terraform Core Version

1.7.4

AWS Provider Version

5.37.0

Affected Resource(s)

Expected Behavior

  1. The Terraform state should be correct when granting DESCRIBE permission to a role on a Lake Formation database whose S3 data lake location is registered in hybrid mode and which has IamAllowedPrincipals granted ALL permissions on the database (as required for hybrid mode). The state should describe what Terraform has done, instead of listing incorrect permissions.
  2. When deleting the DESCRIBE permission from the role, Terraform should correctly remove the DESCRIBE permission instead of failing.

Actual Behavior

  1. When granting an external account role the DESCRIBE permission on a database in hybrid mode which has IamAllowedPrincipals granted ALL permissions on the database, the Terraform plan correctly plans to grant DESCRIBE to the role on the database. Terraform correctly applies the plan, as Lake Formation correctly shows the role having the correct permission. But the Terraform state shows the role having [ALL, ALTER, CREATE_TABLE, DESCRIBE, DROP] permissions. So the state does not describe what Terraform actually did.
  2. When trying to delete the role's permissions, Terraform fails with the error
     Error: unable to revoke LakeFormation Permissions (input: &{{ALL ALTER CREATE_TABLE DESCRIBE DROP}} 0x***** <nil> [] {}}): unable to revoke LakeFormation Permissions: operation error LakeFormation: RevokePermissions: http response error StatusCode: 400, RequestID: ****, InvalidInputException: Cross Account ALL or DROP is not supported for databases

    If it is not possible to grant DROP or Super to an external account, why does the Terraform state contain these permissions in its list of granted permissions?

The issue does not happen in non-hybrid mode.

Relevant Error/Panic Output Snippet

Error: unable to revoke LakeFormation Permissions (input: &{{ALL ALTER CREATE_TABLE DESCRIBE DROP}} 0x***** <nil> [] {}}): unable to revoke LakeFormation Permissions: operation error LakeFormation: RevokePermissions: http response error StatusCode: 400, RequestID: ****, InvalidInputException: Cross Account ALL or DROP is not supported for databases

Terraform Configuration Files

resource "aws_lakeformation_resource" "example" {
  arn      = <S3 bucket ARN>
  role_arn = <Lake Formation admin role ARN>

  # Register the location in hybrid access mode, so IAM and Lake Formation
  # permissions both apply to it.
  hybrid_access_enabled = true
}

resource "aws_lakeformation_permissions" "example" {
  permissions = ["DESCRIBE"]
  # Cross-account principal. IAM ARNs have an empty region field
  # (arn:aws:iam::ACCOUNT_ID:role/NAME); a region in that position is invalid.
  principal   = "arn:aws:iam::123456789012:role/consumer"

  database {
    name = "my_test_db"
  }
}

Steps to Reproduce

  1. Set Lake Formation cross-account version settings to "version 4"
  2. Create a Lake Formation database with the S3 bucket location
  3. Register the database S3 data lake location in Lake Formation in hybrid mode
  4. Make sure IamAllowedPrincipals is granted ALL permissions on the database
  5. Grant an external account role DESCRIBE permissions on the database with aws_lakeformation_permissions resource
  6. The plan and apply phases show the proper permissions applied, but the Terraform state shows different permissions applied
  7. Try to delete the aws_lakeformation_permissions resource

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No
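The behaviour reported above, modelled in Go as an added example (this is not code from terraform-provider-aws and does not describe how the provider reads or revokes permissions): a ListPermissions-style listing is constructed in which the cross-account role appears with every database-level permission, the way the reporter's state recorded it, while the configuration granted only DESCRIBE. `RevokeSet`, `SimulateRevoke`, the `Grant` type and the `IAM_ALLOWED_PRINCIPALS` entry are assumptions made for the example; `SimulateRevoke` only re-states the rule quoted in the API error (cross-account ALL or DROP is rejected on databases), so it shows why revoking the read-back list fails while revoking the configured subset would not.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Added example, not provider code. It models the mismatch in this issue:
// the permissions read back for the principal cover every database-level
// permission, the configuration granted only DESCRIBE, and RevokePermissions
// rejects ALL/DROP for a cross-account principal on a database.

// Database-level Lake Formation permission names as the API spells them.
var databasePermissions = []string{"ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"}

// Grant is one ListPermissions entry reduced to the fields this example needs
// (assumed shape, not the SDK type).
type Grant struct {
	Principal   string   // DataLakePrincipalIdentifier
	Permissions []string // Permissions
}

// ErrCrossAccountUnsupported mirrors the refusal text quoted in the report.
var ErrCrossAccountUnsupported = errors.New("InvalidInputException: Cross Account ALL or DROP is not supported for databases")

// accountID extracts the account field of an IAM ARN
// (arn:partition:iam::ACCOUNT:role/name); IAM ARNs carry an empty region.
func accountID(arn string) (string, bool) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[2] != "iam" {
		return "", false
	}
	return parts[4], true
}

// ObservedPermissions flattens the listing entries for one principal into a
// sorted, de-duplicated list: the list the reporter saw land in state.
func ObservedPermissions(grants []Grant, principal string) []string {
	seen := map[string]bool{}
	for _, g := range grants {
		if g.Principal != principal {
			continue
		}
		for _, p := range g.Permissions {
			seen[p] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// RevokeSet is what a destroy would hand to RevokePermissions under the
// assumption (hypothetical, not the provider's logic) that the resource owns
// only what its configuration declared: configured ∩ observed.
func RevokeSet(configured, observed []string) []string {
	have := map[string]bool{}
	for _, p := range observed {
		have[p] = true
	}
	var out []string
	for _, p := range configured {
		if have[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// SimulateRevoke applies the rule from the API error: a principal outside the
// caller's account may not have ALL or DROP revoked on a database.
// It returns nil when the request would be accepted.
func SimulateRevoke(callerAccount, principalARN string, perms []string) error {
	acct, ok := accountID(principalARN)
	if !ok {
		return fmt.Errorf("not an IAM ARN: %s", principalARN)
	}
	if acct == callerAccount {
		return nil
	}
	for _, p := range perms {
		if p == "ALL" || p == "DROP" {
			return ErrCrossAccountUnsupported
		}
	}
	return nil
}

func main() {
	const caller = "111111111111"
	const consumer = "arn:aws:iam::123456789012:role/consumer"

	// Constructed listing for the hybrid-mode database: the role is reported
	// with all five database permissions, as in the reporter's state.
	listed := []Grant{
		{Principal: "IAM_ALLOWED_PRINCIPALS", Permissions: []string{"ALL"}},
		{Principal: consumer, Permissions: databasePermissions},
	}
	configured := []string{"DESCRIBE"}

	observed := ObservedPermissions(listed, consumer)
	fmt.Println("state would record:", observed)
	fmt.Println("revoking the state list as-is:", SimulateRevoke(caller, consumer, observed))
	keep := RevokeSet(configured, observed)
	fmt.Println("revoking configured ∩ observed:", keep, SimulateRevoke(caller, consumer, keep))
}
```

Run with `go run .`: the first revoke attempt returns the cross-account error because the list carries ALL and DROP, the second (DESCRIBE only) is accepted, and the same-account case accepts either list, which matches the reporter's note that the failure is specific to the external-account role.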

andrassy commented 2 months ago

S3 data lake location is registered in hybrid mode

I think this problem occurs even when the mode is LakeFormation, but when the cross-account version is 4.