aws_lakeformation_permissions tries to revoke non-existent permissions

[simonB2020]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5

• provider.aws v3.28.0

Affected Resource(s)

aws_lakeformation_permissions

Terraform Configuration Files

resource "aws_lakeformation_permissions" "createtable_access" {
  principal        = data.aws_iam_role.sqlman_role.arn
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  database {
    name       = "ath_cloudtrail${local.ap_suffix_athena}"
    catalog_id = var.accountid
  }
}

Debug Output

First Apply works successfully and grants the requested permissions in lake formation.
However, subsequent applys generate the following error :

aws_lakeformation_permissions.createtable_access: Destroying... [id=4129471711]

Error: unable to revoke LakeFormation Permissions (input: {
  Permissions: ["ALTER","CREATE_TABLE","DROP"],
  PermissionsWithGrantOption: [
    "ALL",
    "ALTER",
    "CREATE_TABLE",
    "DESCRIBE",
    "DROP"
  ],
  Principal: {
    DataLakePrincipalIdentifier: "arn:aws:iam::xxxxxxxxxxxx:role/myrole"
  },
  Resource: {
    Database: {
      CatalogId: "xxxxxxxxxxxx",
      Name: "ath_cloudtrail_use_tch"
    }
  }
}): unable to revoke Lake Formation Permissions: InvalidInputException: No permissions revoked. Grantee does not have grantable permissions on:[DROP, DESCRIBE, ALL, ALTER, CREATE_TABLE]

Expected Behavior

No Changes to Apply

Actual Behavior

The plan decides that the resource needs to be replaced.
Looking at the PLAN, Terraform is seeing false current values for both sets of permissions.

With 'permissions' it is removing and re-adding the 'ALTER' , which has not changed in the TF code at all

 ~ permissions                   = [ # forces replacement
          - "ALTER",
            "CREATE_TABLE",
          + "ALTER",
            "DROP",
        ]

With 'permissions_with_grant_option' it is trying to remove permissions that never existed

 ~ permissions_with_grant_option = [
          - "ALL",
          - "ALTER",
          - "CREATE_TABLE",
          - "DESCRIBE",
          - "DROP",
        ] -> (known after apply)

Steps to Reproduce

1. terraform apply

Important Factoids

Also Note :
Playing in the console, I note that you are not allowed to add the grant_option permissions, if you do not also have them as normal 'permission'.
Console >>
`All privileges within the grant option list need to be a part of the privileges list."

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lakeformation_permissions

• #0000

[MoustafaAMahmoud]

I am facing the same issue, and we could fix this asap.

[PG-Daniel-Andrews]

Strange as it may sound, the first issue with permissions may be due to the order you've placed the strings in your list.

I was facing the same issue with table permissions, when I set permissions as: permissions = ["ALTER", "INSERT", "DELETE"]

However, when I set permissions as: permissions = ["ALTER", "DELETE", "INSERT"] , this issue was resolved.

Obviously this is far from ideal, and still looking into the grant_option permission issue, which I'm also facing.

[PG-Daniel-Andrews]

For the permissions_with_grant_option issue, although the Terraform docs say it's optional, it seems you do still need to provide a value, even if it's an empty list.

The second error went away for me once I started specifying this in the permissions block: permissions_with_grant_option = []

e.g.

resource "aws_lakeformation_permissions" "test" {
  principal   = aws_iam_role.test.arn
  permissions = ["ALTER", "DELETE", "INSERT"]

  permissions_with_grant_option = []

  table {
    database_name = var.db_name
    name = var.table_name
  }
}

[simonB2020]

PG-Daniel-Andrews
Thanks for the tip.

However, after applying perms on the first PLAN, any subsequent action now comes up with :
"Error: error reading Lake Formation permissions: no permissions found"

I am executing with a role that has a policy of Allow *

Now I cannot run with or without the resource as it won't destroy.
Think I'll try and manually remove from state and await a later version that's less buggy.

Worth as shot anyway, so thanks

[trejas]

Any resolution here? I am seeing something similar when making an update to a permission set. TF is trying to revoke a non-existent "ALL" permission on places where I previously granted a more limited permission set.

[jackbatzner]

The issues of no permissions found are caused by #18446 , I've got a fix for that which is awaiting review by the provider team, #18505.

[YakDriver]

Additional Principals	Perm Delete/Revoke
Related #16848 (Issue) Related #16916 Related #18034 (Issue) Related #18374	Related #17633 (Issue) Related #18446 (Issue) Related #18505 Related #19063 (Issue) Related #19064 (Issue)

[ghost]

This has been released in version 3.39.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.