[Bug]: aws_lakeformation_permissions does not always revoke permission

[ronald8192]

Terraform Core Version

1.9.5

AWS Provider Version

5.64.0

Affected Resource(s)

aws_lakeformation_permissions

Expected Behavior

Remove aws_lakeformation_permissions from Terraform code or run terraform destroy will revoke corresponding Lake Formation permission

Actual Behavior

Destroy aws_lakeformation_permissions.column resource not revoke the permission on Lake Formation, even it is showing resource will be destroy in the plan.

The bug only happens if:

• Multiple aws_lakeformation_permissions resources have the same principal

• The table level includes permissions does not include in column level. (see below Terraform config, if adding DESCRIBE to both aws_lakeformation_permissions permission, a DESCRIBE permission on the LakeFormation table will be granted and won't hit this bug)

• aws_lakeformation_permissions.column destroy first, or destroy together with aws_lakeformation_permissions.table resource (regardless the order during apply time)

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_lakeformation_permissions" "table" {
  principal                     = aws_iam_role.test.arn
  permissions                   = ["DESCRIBE"]
  permissions_with_grant_option = []

  table {
    catalog_id    = "111111111111"
    database_name = "my-catalog-db"
    wildcard      = true
  }
}

resource "aws_lakeformation_permissions" “column” {
  principal                     = aws_iam_role.test.arn
  permissions                   = ["SELECT"]
  permissions_with_grant_option = []

  table_with_columns {
    catalog_id    = "111111111111"
    database_name = "my-catalog-db"
    name          = "my-table"
    wildcard      = true
  }
}

resource "aws_iam_role" "test" {
  name = "my-test-role"

  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "glue.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  })
}

Steps to Reproduce

1. Run terraform apply to create the permission and other dependent resources
2. Comment out aws_lakeformation_permissions.column resource block
3. Run terraform apply again
4. Check Lake Formation permissions on console, the permission still exist

Debug Output

Apply log

• Showing only SELECT permission will be added, actual:

  • SELECT permission will be added to LakeFormation (expected)
  • SELECT and the permissions in table level (DESCRIBE in this case) will be added to state file (unexpected, not showing on plan)

    
    # aws_lakeformation_permissions.column will be created

  • resource "aws_lakeformation_permissions" "column" {

    • catalog_resource = false

    • id = (known after apply)

    • permissions = [

      • "SELECT", ]

    • permissions_with_grant_option = []

    • principal = "arn:aws:iam::222222222222:role/my-test-role"

    • data_location (known after apply)

    • database (known after apply)

    • lf_tag (known after apply)

    • lf_tag_policy (known after apply)

    • table (known after apply)

    • table_with_columns {

      • catalog_id = "111111111111"
      • database_name = "my-catalog-db"
      • name = "my-table"
      • wildcard = true } }

Destroy log

• Showing there is a additional DESCRIBE permission in state file
• The state is removed from the state file, but nothing got revoke on Lake Formation

# aws_lakeformation_permissions.column will be destroyed
# (because aws_lakeformation_permissions.column is not in configuration)
- resource "aws_lakeformation_permissions" "column" {
    - catalog_resource              = false -> null
    - id                            = "1234567890" -> null
    - permissions                   = [
        - "DESCRIBE",
        - "SELECT",
      ] -> null
    - permissions_with_grant_option = [] -> null
    - principal                     = "arn:aws:iam::222222222222:role/my-test-role" -> null

    - table_with_columns {
        - catalog_id    = "111111111111" -> null
        - database_name = "my-catalog-db" -> null
        - name          = "my-table" -> null
        - wildcard      = true -> null
      }
  }

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Similar #36639 Similar #39009 Similar #28366