[AWS::LakeFormation::DataLakeSettings] - [BUG] - Can not clear permissions #2197

rehanvdm opened this issue Nov 22, 2024 · 1 comment

Name of the resource

AWS::LakeFormation::DataLakeSettings

Resource Name

No response

Issue Description

The CreateDatabaseDefaultPermissions and CreateTableDefaultPermissions properties do not clear the values; it is as if it does a no-op. The docs state that empty arrays OR omitting the properties will clear the boolean fields on the UI, but it does not; it is just ignored. So these properties cannot be unset after they have been set.

LakeFormationSettings:
    Type: AWS::LakeFormation::DataLakeSettings
    Properties:
      Admins:
        - DataLakePrincipalIdentifier: "arn:aws:iam::*****:*****"
      CreateDatabaseDefaultPermissions: []
      CreateTableDefaultPermissions: []

Expected Behavior

The empty array or omitting the property should actually work.

Observed Behavior

The values cannot be unset.

Test Cases

  1. Deploy with
LakeFormationSettings:
    Type: AWS::LakeFormation::DataLakeSettings
    Properties:
      Admins:
        - DataLakePrincipalIdentifier: "arn:aws:iam::*****:*****"
      CreateDatabaseDefaultPermissions:
        - Permissions:
            - ALL
          Principal:
            DataLakePrincipalIdentifier: IAM_ALLOWED_PRINCIPALS
      CreateTableDefaultPermissions:
        - Permissions:
            - ALL
          Principal:
            DataLakePrincipalIdentifier: IAM_ALLOWED_PRINCIPALS
  2. Then remove them, observe the values have not changed via the AWS Console or API
LakeFormationSettings:
    Type: AWS::LakeFormation::DataLakeSettings
    Properties:
      Admins:
        - DataLakePrincipalIdentifier: "arn:aws:iam::*****:*****"
  3. Attempt number two, set them as empty arrays, observe the values have not changed via the AWS Console or API
LakeFormationSettings:
    Type: AWS::LakeFormation::DataLakeSettings
    Properties:
      Admins:
        - DataLakePrincipalIdentifier: "arn:aws:iam::*****:*****"
      CreateDatabaseDefaultPermissions: []
      CreateTableDefaultPermissions: []

Other Details

No response
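
An added example, not part of the original issue or the project's code: a drift check for the behaviour reported above, comparing the template's two default-permission properties with the JSON that GetDataLakeSettings returns. The sample response and the names `grants`, `find_drift`, `SAMPLE_RESPONSE` and `TEMPLATE_EMPTY` are constructed for illustration.

```python
import json

FIELDS = ("CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions")

def grants(entries):
    """Flatten a default-permissions list into a set of (principal, permission)."""
    pairs = set()
    for entry in entries or []:  # an omitted property and [] both mean "no grants"
        principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier", "")
        for permission in entry.get("Permissions") or []:
            pairs.add((principal, permission))
    return pairs

def find_drift(template_props, api_response):
    """Return {field: {"unexpected": [...], "missing": [...]}} where live != template."""
    live = api_response.get("DataLakeSettings", {})
    drift = {}
    for field in FIELDS:
        want, have = grants(template_props.get(field)), grants(live.get(field))
        if want != have:
            drift[field] = {
                "unexpected": sorted(have - want),  # still live, not in the template
                "missing": sorted(want - have),     # in the template, not live
            }
    return drift

# Constructed sample: the state described in the issue after the redeploy,
# in the shape of a GetDataLakeSettings response.
SAMPLE_RESPONSE = json.loads("""
{"DataLakeSettings": {
  "CreateDatabaseDefaultPermissions": [
    {"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"},
     "Permissions": ["ALL"]}],
  "CreateTableDefaultPermissions": [
    {"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"},
     "Permissions": ["ALL"]}]}}
""")

# Constructed template Properties: one field set to [], the other omitted.
TEMPLATE_EMPTY = {"CreateDatabaseDefaultPermissions": []}

if __name__ == "__main__":
    for field, diff in find_drift(TEMPLATE_EMPTY, SAMPLE_RESPONSE).items():
        print(f"DRIFT {field}: unexpected={diff['unexpected']} missing={diff['missing']}")
```

Against a real account, pass the parsed output of `aws lakeformation get-data-lake-settings` as `api_response`; a non-empty result after a deploy means the defaults were not cleared.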
