
LakeFormation not clearing default permissions #4366

Open
automagic opened this issue Aug 13, 2024 · 2 comments
Labels
customer/feedback Feedback from customers kind/enhancement Improvements or new features service/lakeformation

Comments

@automagic

automagic commented Aug 13, 2024

Describe what happened

Encountering an issue with AWS Lake Formation using Pulumi. Specifically, we are unable to clear the DatabaseDefaultPermissions and TableDefaultPermissions that are already set in the system.

Issue:
Despite setting createDatabaseDefaultPermissions and createTableDefaultPermissions to empty arrays, the permissions are not being cleared in the AWS Lake Formation settings. The expected behavior is that these permissions should be removed or reset to an empty state, but this does not seem to be happening.

According to the AWS document https://docs.aws.amazon.com/lake-formation/latest/dg/change-settings.html, passing an empty array or omitting that setting will revoke that permission. I tried both with pulumi up --refresh; it can see the diff of the resources, but it is not applying the changes for the resource.

Sample program

import * as aws from "@pulumi/aws";

// adminAccounts (the admin principal ARNs) and createResourceName (a naming helper)
// are defined elsewhere in the program and are assumed here.
export const dataLakeSettings = new aws.lakeformation.DataLakeSettings(createResourceName("data-lake-settings"), {
    admins: adminAccounts,
    // Empty arrays are meant to revoke the default permissions, per the AWS document.
    createDatabaseDefaultPermissions: [],
    createTableDefaultPermissions: [],
});

Log output

No response

Affected Resource(s)

aws.lakeformation.DataLakeSettings

Output of pulumi about

CLI
Version 3.127.0
Go Version go1.22.5
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.47.0
language nodejs unknown
resource std 1.7.3

Host
OS Microsoft Windows 10 Enterprise
Version 10.0.19045 Build 19045
Arch x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v20.16.0'

Additional context

No response


@automagic automagic added customer/feedback Feedback from customers kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Aug 13, 2024
@t0yv0 t0yv0 added service/lakeformation and removed needs-triage Needs attention from the triage team labels Aug 14, 2024
@t0yv0
Member

t0yv0 commented Aug 14, 2024

Thank you for reporting this and I am sorry pulumi-aws does not work as expected here! I've taken a pass at diagnosing the issue and it appears the feature of calling PutDataLakeSettings in this way is not yet supported. Per the documentation you referenced, the desired request has a body of:

{
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {
                "DataLakePrincipalIdentifier": "arn:aws:iam::<AccountId>:user/<Username>"
            }
        ],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": []
    }
}

Unfortunately given the TF heritage of the provider, create_database_default_permissions is defined as a block in TF and is unable to express the distinction between an empty value and a missing value in TF. This also seems to translate to the pulumi-aws projection of the provider.

Running pulumi up given:

const dataLakeSettings = new aws.lakeformation.DataLakeSettings("dls", {
    createTableDefaultPermissions: [],
});

Or else this:

const dataLakeSettings = new aws.lakeformation.DataLakeSettings("dls", {});

Sends this:

POST https://lakeformation.us-west-2.amazonaws.com/PutDataLakeSettings {"DataLakeSettings":{}}

Meanwhile in TF, this:

resource "aws_lakeformation_data_lake_settings" "dls" {
  create_database_default_permissions {
    # permissions = ["SELECT", "ALTER", "DROP"]
    # principal   = aws_iam_user.test.arn
  }
}

Results in:

│ Error: creating Lake Formation data lake settings: creating Lake Formation dattDataLakeSettings, https response error StatusCode: 400, RequestID: 3d8c0ec5-362nvalid ARN:ARNs must start with 'arn:':
│
│   with aws_lakeformation_data_lake_settings.dls,
│   on infra.tf line 1, in resource "aws_lakeformation_data_lake_settings" "dls"
│    1: resource "aws_lakeformation_data_lake_settings" "dls" {

While this:

resource "aws_lakeformation_data_lake_settings" "dls" {
}

Sends:

2024-08-14T11:40:03.506-0400 [DEBUG] provider.terraform-provider-aws_v5.62.0_x5: HTTP Request Sent: 
rpc.method=PutDataLakeSettings tf_req_id=e2fceb67-91b3-1c43-43fa-3f6545989906
  http.request.body=
  | {"DataLakeSettings":{}}

I'll circle back with the team as time permits to see if this feature can be added in a sensible way.

@t0yv0 t0yv0 added kind/enhancement Improvements or new features and removed kind/bug Some behavior is incorrect or out of spec labels Aug 14, 2024
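An added example in TypeScript (not code from the issue, from pulumi-aws or from AWS): it builds the PutDataLakeSettings body with the explicit empty arrays the AWS document calls for, checks whether a given body actually expresses the revoke (the {"DataLakeSettings":{}} body shown above does not), and audits a GetDataLakeSettings response so the change can be verified after a deploy. The interfaces mirror the JSON shapes in the comment above; the IAM_ALLOWED_PRINCIPALS/ALL sample response is constructed here, and sending the body through the AWS SDK is left to the caller.

```typescript
// Added example, not code from the issue or from pulumi-aws. Shapes follow the
// Lake Formation PutDataLakeSettings / GetDataLakeSettings JSON.
interface Principal { DataLakePrincipalIdentifier: string }
interface PrincipalPermissions { Principal: Principal; Permissions: string[] }
interface DataLakeSettings {
  DataLakeAdmins?: Principal[];
  CreateDatabaseDefaultPermissions?: PrincipalPermissions[];
  CreateTableDefaultPermissions?: PrincipalPermissions[];
}
interface SettingsBody { DataLakeSettings: DataLakeSettings }

// The body the AWS document calls for: admins plus explicit empty arrays, so the
// service reads "revoke the defaults" rather than "leave them unchanged".
function buildRevokeDefaultsBody(adminArns: string[]): SettingsBody {
  const bad = adminArns.find((a) => !a.startsWith("arn:"));
  if (bad !== undefined) throw new Error(`not an ARN: ${bad}`); // service answers 400 otherwise
  return {
    DataLakeSettings: {
      DataLakeAdmins: adminArns.map((a) => ({ DataLakePrincipalIdentifier: a })),
      CreateDatabaseDefaultPermissions: [],
      CreateTableDefaultPermissions: [],
    },
  };
}

// True only when both keys are present and empty. The {"DataLakeSettings":{}}
// body the provider currently sends omits them and so does not express a revoke.
function expressesRevoke(body: SettingsBody): boolean {
  const s = body.DataLakeSettings;
  return s.CreateDatabaseDefaultPermissions?.length === 0 &&
    s.CreateTableDefaultPermissions?.length === 0;
}

// Audit a GetDataLakeSettings response after deploying: every grant still listed
// means newly created databases/tables are opened up to that principal.
function auditDefaultPermissions(s: DataLakeSettings): string[] {
  const findings: string[] = [];
  for (const key of ["CreateDatabaseDefaultPermissions", "CreateTableDefaultPermissions"] as const) {
    for (const g of s[key] ?? []) {
      findings.push(`${key}: ${g.Principal.DataLakePrincipalIdentifier} still has ${g.Permissions.join(",")}`);
    }
  }
  return findings;
}
// Constructed sample of a response whose defaults were never cleared (the AWS
// default grants ALL to IAM_ALLOWED_PRINCIPALS on new databases and tables).
const SAMPLE_UNCLEARED: DataLakeSettings = {
  CreateDatabaseDefaultPermissions: [{ Principal: { DataLakePrincipalIdentifier: "IAM_ALLOWED_PRINCIPALS" }, Permissions: ["ALL"] }],
  CreateTableDefaultPermissions: [{ Principal: { DataLakePrincipalIdentifier: "IAM_ALLOWED_PRINCIPALS" }, Permissions: ["ALL"] }],
};
```

Run auditDefaultPermissions over the DataLakeSettings object returned by GetDataLakeSettings after pulumi up; an empty result is the only confirmation that the defaults are really gone.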
@wtfzambo

wtfzambo commented Nov 21, 2024

I'm afraid this is an AWS API issue because we're having the same exact problem with the AWS CDK. Cc. @rehanvdm
