Open ellisonch opened 5 days ago
Voting for Prioritization
Volunteering to Work on This Issue
Hey @ellisonch 👋 Thank you for taking the time to raise this! In this case, the error message you're seeing is coming directly from the AWS API. This bit of the provided logs is what clued me into this:
http.response.body=
| {"__type":"InvalidRequestException","AthenaErrorCode":"INSUFFICIENT_PERMISSIONS","ErrorCode":"INSUFFICIENT_PERMISSIONS","Message":"Unable to verify/create output bucket foobarbaz"}
It's not entirely clear to me why the first workaround you mentioned works, but given that the provider itself isn't the part of the process validating the permissions, I suspect that'll be something upstream as well. If you're able to provider debug logging, that may help whoever ultimately picks this up to look into.
If you're able to provider debug logging, that may help whoever ultimately picks this up to look into.
@justinretzolk Happy to provide any more logs that might be useful. What other logs would you like to see that I didn't capture above?
Terraform Core Version
1.9.7
AWS Provider Version
5.71.0
Affected Resource(s)
aws_athena_database
Expected Behavior
I'd like to be able to create this resource, while only giving terraform provider that creates the database the least permissions possible. Terraform shouldn't have to read/write to the bucket just to create the database.
Actual Behavior
When creating an
aws_athena_database
resource, the provider apparently tries to "check" whether or not the S3 bucket is writeable. If terraform doesn't have the appropriate permissions to read/write to the bucket, it fails to create the resource.However, it seems unnecessary to have to give terraform permission to read/write to the S3 bucket, since all it needs to do is create the athena database; it's not supposed to be using the database.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
Just run
terraform apply
, and you get:Debug Output
Panic Output
No response
Important Factoids
This seems possibly related to the previous bug report at https://github.com/hashicorp/terraform-provider-aws/issues/19085.
There are a couple of workarounds to this problem, but neither is great.
The first is to simply create the database using a "fake" bucket that the provider DOES have access to, then changing the bucket that the db points to, to the real database it doesn't have access to. Apparently, the way the provider is implemented, changing the bucket doesn't trigger the verification checks, so this proceeds as expected.
The second is to grant terraform the (unnecessary) permissions to the bucket. This seems to be, at minimum,
s3:GetBucketLocation
,s3:GetObject
, ands3:PutObject
.It also might be possible to implicitly create the db using glue, and then import it? I haven't tested this, but it seems to work on the web console.
References
No response
Would you like to implement a fix?
None