hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: creating aws_athena_database resource requires seemingly unnecessary permissions #39716

Open ellisonch opened 5 days ago

ellisonch commented 5 days ago

Terraform Core Version

1.9.7

AWS Provider Version

5.71.0

Affected Resource(s)

aws_athena_database

Expected Behavior

I'd like to be able to create this resource while only giving the terraform provider that creates the database the least permissions possible. Terraform shouldn't have to read/write to the bucket just to create the database.

Actual Behavior

When creating an aws_athena_database resource, the provider apparently tries to "check" whether or not the S3 bucket is writeable. If terraform doesn't have the appropriate permissions to read/write to the bucket, it fails to create the resource.

However, it seems unnecessary to have to give terraform permission to read/write to the S3 bucket, since all it needs to do is create the athena database; it's not supposed to be using the database.

Relevant Error/Panic Output Snippet

Error: creating Athena Database (logs_xxx): operation error Athena: StartQueryExecution, https response error StatusCode: 400, RequestID: 1745e0d0-xxxx-47b3-8126-e2b4250ad832, InvalidRequestException: Unable to verify/create output bucket xxxx-yyyy
│ 
│   with module.athena.aws_athena_database.output_logs,
│   on ../tf_deploy/modules/athena/athena.tf line 1, in resource "aws_athena_database" "output_logs":
│    1: resource "aws_athena_database" "output_logs" {

Terraform Configuration Files

terraform {
  required_version = "= 1.9.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "= 5.71.0"
    }
  }
}

resource "aws_athena_database" "output_logs" {
  name   = "test_athena_db"
  bucket = "foobarbaz"
}

Steps to Reproduce

Just run terraform apply, and you get:

aws_athena_database.output_logs: Creating...
╷
│ Error: creating Athena Database (test_athena_db): operation error Athena: StartQueryExecution, https response error StatusCode: 400, RequestID: cac3b421-3c2f-4e29-ba1d-e7ed2323097c, InvalidRequestException: Unable to verify/create output bucket foobarbaz
│ 
│   with aws_athena_database.output_logs,
│   on test.tf line 12, in resource "aws_athena_database" "output_logs":
│   12: resource "aws_athena_database" "output_logs" {
│ 

Debug Output

2024-10-14T10:43:30.856-0400 [DEBUG] provider.terraform-provider-aws_v5.71.0_x5: HTTP Request Sent: http.request.header.authorization="AWS4-HMAC-SHA256 Credential=ASIA************QN6Z/20241014/us-east-1/athena/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=*****" tf_rpc=ApplyResourceChange http.request.header.amz_sdk_invocation_id=66121fa6-ff64-4fa9-81e7-f4829232e2b4 http.method=POST http.request.header.amz_sdk_request="attempt=1; max=25" http.request.header.x_amz_date=20241014T144330Z http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.9.7 (+https://www.terraform.io) terraform-provider-aws/5.71.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.32.2 os/linux lang/go#1.23.2 md/GOOS#linux md/GOARCH#amd64 api/athena#1.47.2" rpc.service=Athena tf_req_id=f0bcebb5-a0a5-78ac-ad85-ac189a3b9663 @module=aws http.url=https://athena.us-east-1.amazonaws.com/ tf_aws.sdk=aws-sdk-go-v2
  http.request.body=
  | {"ClientRequestToken":"5dd16905-4900-4893-a818-f4d6e6c77ebb","QueryString":"create database `test_athena_db`;","ResultConfiguration":{"OutputLocation":"s3://foobarbaz"}}
   http.request.header.x_amz_target=AmazonAthena.StartQueryExecution tf_resource_type=aws_athena_database aws.region=us-east-1 http.request.header.content_type=application/x-amz-json-1.1 rpc.method=StartQueryExecution rpc.system=aws-api tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws http.request.header.x_amz_security_token="*****" http.request_content_length=169 tf_aws.signing_region="" @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.58/logging/tf_logger.go:45 net.peer.name=athena.us-east-1.amazonaws.com timestamp=2024-10-14T10:43:30.856-0400
2024-10-14T10:43:30.943-0400 [DEBUG] provider.terraform-provider-aws_v5.71.0_x5: HTTP Response Received: rpc.service=Athena rpc.system=aws-api tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws
  http.response.body=
  | {"__type":"InvalidRequestException","AthenaErrorCode":"INSUFFICIENT_PERMISSIONS","ErrorCode":"INSUFFICIENT_PERMISSIONS","Message":"Unable to verify/create output bucket foobarbaz"}
   http.status_code=400 http.duration=86 @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.58/logging/tf_logger.go:45 @module=aws aws.region=us-east-1 rpc.method=StartQueryExecution tf_aws.sdk=aws-sdk-go-v2 tf_resource_type=aws_athena_database http.response_content_length=180 tf_aws.signing_region="" tf_req_id=f0bcebb5-a0a5-78ac-ad85-ac189a3b9663 tf_rpc=ApplyResourceChange http.response.header.content_type=application/x-amz-json-1.1 http.response.header.date="Mon, 14 Oct 2024 14:43:30 GMT" http.response.header.x_amzn_requestid=42a1663d-8f93-403e-9be9-1eac73b43b29 timestamp=2024-10-14T10:43:30.943-0400
2024-10-14T10:43:30.943-0400 [DEBUG] provider.terraform-provider-aws_v5.71.0_x5: request failed with unretryable error https response error StatusCode: 400, RequestID: 42a1663d-8f93-403e-9be9-1eac73b43b29, InvalidRequestException: Unable to verify/create output bucket foobarbaz: tf_resource_type=aws_athena_database @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.58/logging/tf_logger.go:45 @module=aws aws.region=us-east-1 rpc.service=Athena tf_aws.sdk=aws-sdk-go-v2 tf_rpc=ApplyResourceChange tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=f0bcebb5-a0a5-78ac-ad85-ac189a3b9663 rpc.method=StartQueryExecution rpc.system=aws-api tf_mux_provider="*schema.GRPCProviderServer" timestamp=2024-10-14T10:43:30.943-0400

Panic Output

No response

Important Factoids

This seems possibly related to the previous bug report at https://github.com/hashicorp/terraform-provider-aws/issues/19085.

There are a couple of workarounds to this problem, but neither is great.

The first is to simply create the database using a "fake" bucket that the provider DOES have access to, then change the bucket that the db points to to the real database it doesn't have access to. Apparently, the way the provider is implemented, changing the bucket doesn't trigger the verification checks, so this proceeds as expected.

The second is to grant terraform the (unnecessary) permissions to the bucket. This seems to be, at minimum, s3:GetBucketLocation, s3:GetObject, and s3:PutObject.

It also might be possible to implicitly create the db using glue, and then import it? I haven't tested this, but it seems to work on the web console.

References

No response

Would you like to implement a fix?

None
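As an added example that is not part of the issue or of the provider's own code: a least-privilege policy for the principal that runs terraform apply, limited to the three S3 actions the report above found necessary and scoped to the one bucket. The "primary" workgroup, the athena:GetQueryExecution polling action and the Glue Data Catalog statement are assumptions about what the CREATE DATABASE query needs, not something the issue states.

```hcl
# Added example (not the issue's or the provider's code): the smallest policy
# the reporter's findings justify. Assumptions: the "primary" workgroup,
# athena:GetQueryExecution for status polling, and a Glue Data Catalog statement.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "athena_db_create" {
  # The provider submits the DDL through StartQueryExecution (visible in the
  # debug log above) and then polls the query until it finishes.
  statement {
    sid     = "AthenaRunDdl"
    actions = ["athena:StartQueryExecution", "athena:GetQueryExecution"]
    resources = [
      "arn:aws:athena:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:workgroup/primary",
    ]
  }

  # Assumption: the DDL lands in the Glue Data Catalog, so the caller needs Glue rights there.
  statement {
    sid     = "GlueCreateDatabase"
    actions = ["glue:CreateDatabase", "glue:GetDatabase"]
    resources = [
      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog",
      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/test_athena_db",
    ]
  }

  # s3:GetBucketLocation is a bucket-level action: grant it on the bucket ARN only, never on "*".
  statement {
    sid       = "AthenaOutputBucketLocation"
    actions   = ["s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::foobarbaz"]
  }

  # Object-level actions. The log shows OutputLocation s3://foobarbaz with no
  # prefix, so Athena writes at the bucket root; use a dedicated results
  # bucket rather than widening this statement to cover a shared one.
  statement {
    sid       = "AthenaOutputObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::foobarbaz/*"]
  }
}

resource "aws_iam_policy" "athena_db_create" {
  name   = "terraform-athena-db-create"
  policy = data.aws_iam_policy_document.athena_db_create.json
}
```

Attach the policy to the role Terraform assumes; everything the bucket holds outside the Athena results stays out of reach of that role.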

justinretzolk commented 5 days ago

Hey @ellisonch 👋 Thank you for taking the time to raise this! In this case, the error message you're seeing is coming directly from the AWS API. This bit of the provided logs is what clued me into this:

  http.response.body=
  | {"__type":"InvalidRequestException","AthenaErrorCode":"INSUFFICIENT_PERMISSIONS","ErrorCode":"INSUFFICIENT_PERMISSIONS","Message":"Unable to verify/create output bucket foobarbaz"}

It's not entirely clear to me why the first workaround you mentioned works, but given that the provider itself isn't the part of the process validating the permissions, I suspect that'll be something upstream as well. If you're able to provide debug logging, that may help whoever ultimately picks this up to look into.

ellisonch commented 5 days ago

If you're able to provide debug logging, that may help whoever ultimately picks this up to look into.

@justinretzolk Happy to provide any more logs that might be useful. What other logs would you like to see that I didn't capture above?

eugercek commented 4 days ago

AFAIK this is not a bug; the provider actually runs a create database query. And the API doesn't have a Create endpoint, so this looks like the only way.