pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

AWS Lake Formation Permissions not working #1531

Closed XanManZA closed 2 years ago

XanManZA commented 3 years ago

I'm trying to scaffold AWS Lake Formation Permissions on a Glue Catalogue Database but receiving an error: `ExactlyOne: "table": only one of catalog_resource,data_location,database,table,table_with_columns can be specified, but catalog_resource,database were specified.`


Steps to reproduce

Using TypeScript, try to scaffold AWS Lake Formation permissions.

import * as aws from "@pulumi/aws";

// glueServiceRoleArn (the IAM role ARN being granted) and glueDatabase
// (the aws.glue.CatalogDatabase being granted on) are defined elsewhere in the program.
new aws.lakeformation.Permissions(`ts3-symbyte`, {
  permissions: ['ALL'],
  principal: glueServiceRoleArn,
  database: {
    name: glueDatabase.name,
  },
});

1. Follow instructions on https://www.pulumi.com/docs/reference/pkg/aws/lakeformation/permissions/#grant-permissions-for-a-glue-catalog-database
2. Try and create the above Lake Formation Permissions
3. Run pulumi up and receive error `ExactlyOne: "table": only one of catalog_resource,data_location,database,table,table_with_columns`

Expected: Pulumi up to show what resources are to be scaffolded.
Actual: Receive error as indicated above.

tusharshahrs commented 3 years ago

We can replicate the issue with:

The index.ts can have

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const bucket = new aws.s3.Bucket("demo-bucket", {
});

const awsGlueCatalogDatabase = new aws.glue.CatalogDatabase("demo_aws_glue_catalog_database", {
    name: "mycatalogdatabase",
});

const awsGlueCatalogTable = new aws.glue.CatalogTable("demo_aws_glue_catalog_table", {
    databaseName: awsGlueCatalogDatabase.name,
    name: "mycatalogtable",
});

const lakeformations = new aws.lakeformation.Resource("demo-lakeformation", {arn: bucket.arn});

const datalakeuser = new aws.iam.User("demo-datalakeuser");

// Export the resources
export const bucketName = bucket.id;
export const glue_database_name = awsGlueCatalogDatabase.name;
export const glue_database_catalog_name = awsGlueCatalogTable.name;
export const lakeformations_name = lakeformations.id;
export const datalakeuser_name = datalakeuser.name;

const lakeformation_permissions = new aws.lakeformation.Permissions("demo-lakepermissions", {
    permissions: ["DESCRIBE"],
    principal: datalakeuser.arn,
    database: {
        name: awsGlueCatalogDatabase.name,
    }
});

Run pulumi up and we get the following error:

  aws:lakeformation:Permissions (demo-lakepermissions):
    error: aws:lakeformation/permissions:Permissions resource 'demo-lakepermissions' has a problem: ExactlyOne: "table_with_columns": only one of `catalog_resource,data_location,database,table,table_with_columns` can be specified, but `catalog_resource,database` were specified.. Examine values at 'Permissions.TableWithColumns'.

XanManZA commented 3 years ago

Any updates on this?

jon-king-mindbodyonline commented 3 years ago

Lake Formation permissions are still broken for us, and we've had to strip it out of existing pulumi applications. We had Permissions working previously, we think in one of the releases after 2.13 and up to and including 3.36.

XanManZA commented 3 years ago

I've been wondering if one should rather subscribe to Pulumi Cloud than self-host, but currently with such an amount of issues and missing features it doesn't make sense, especially if the turnaround time on issues is 2 months. A great open-source tool, don't get me wrong.

tusharshahrs commented 2 years ago

To get around this issue, you will have to pin the following in the package.json file: "@pulumi/aws": "3.36.0", like here

The code for a working example is aws-ts-lakeformation

lukehoban commented 2 years ago

This appears to be specifically due to https://github.com/hashicorp/terraform-provider-aws/blob/1ea62b4ea6e82be62bad6375a9578c39d2ad1b61/aws/resource_aws_lakeformation_permissions.go#L36:L36. We could fix this by removing that default from our fork, and the default can never be meaningful in Terraform either due to the ExactlyOneOf.

That said, we should also likely add first-class understanding of ExactlyOneOf to the Terraform Bridge similar to how we handle ConflictsWith, so that we never try to apply any defaults for fields that are ExactlyOneOf conflicts with something that was provided by the user. In theory - a "correct" schema shouldn't ever require that for ExactlyOneOf, but we can't guarantee we only get correct schemas. https://github.com/pulumi/pulumi-terraform-bridge/blob/ffadf4eeca2edae3a292aea3d86ba509d29becf0/pkg/tfbridge/schema.go#L353:L353
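
To illustrate the bridge-side check described above, here is an added Go example (not code from pulumi-terraform-bridge or the Terraform provider; `FieldSchema`, `presentIn`, `ApplyDefaults` and `LakeFormationPermissionsSchema` are hypothetical stand-ins for the real schema types, and the default on `catalog_resource` is constructed from the error in this thread): a default is applied only when no user-supplied input already occupies the field's ExactlyOneOf group, and the same function run without that check reproduces the error.

```go
package main

import "fmt"
import "strings"

// FieldSchema is a hypothetical, simplified stand-in for a Terraform attribute schema.
type FieldSchema struct {
	Default      interface{}
	ExactlyOneOf []string
}
// presentIn returns the members of group that carry a value in m, in group order.
func presentIn(group []string, m map[string]interface{}) (p []string) {
	for _, g := range group {
		if _, ok := m[g]; ok {
			p = append(p, g)
		}
	}
	return p
}
// ApplyDefaults copies the user inputs, fills in schema defaults, then enforces ExactlyOneOf.
// skipConflicting=false applies a default even when the user chose another member of its group (the bug).
func ApplyDefaults(schema map[string]FieldSchema, inputs map[string]interface{}, skipConflicting bool) (map[string]interface{}, error) {
	out := make(map[string]interface{}, len(inputs))
	for k, v := range inputs {
		out[k] = v
	}
	for name, fs := range schema {
		_, set := out[name]
		if set || fs.Default == nil || (skipConflicting && len(presentIn(fs.ExactlyOneOf, inputs)) > 0) {
			continue // already set, no default, or the user already chose a member of this group
		}
		out[name] = fs.Default
	}
	for name, fs := range schema {
		if p := presentIn(fs.ExactlyOneOf, out); len(fs.ExactlyOneOf) > 0 && len(p) != 1 {
			return nil, fmt.Errorf("ExactlyOne: %q: only one of `%s` can be specified, but `%s` were specified",
				name, strings.Join(fs.ExactlyOneOf, ","), strings.Join(p, ","))
		}
	}
	return out, nil
}
// LakeFormationPermissionsSchema is a constructed model of this issue's resource: one group, one rogue default.
func LakeFormationPermissionsSchema() map[string]FieldSchema {
	group := []string{"catalog_resource", "data_location", "database", "table", "table_with_columns"}
	s := map[string]FieldSchema{"catalog_resource": {Default: false, ExactlyOneOf: group}}
	for _, n := range group[1:] {
		s[n] = FieldSchema{ExactlyOneOf: group}
	}
	return s
}
```

With only `database` supplied, the unchecked path yields the thread's error listing `catalog_resource,database`, while the checked path leaves `catalog_resource` unset and passes.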

stack72 commented 2 years ago

Ok, while the work in the bridge has not been tackled yet (I opened https://github.com/pulumi/pulumi-terraform-bridge/issues/384 to track that work), we have removed the rogue default to unblock this issue