Introduction
Granting a Lake Formation principal that is also a data lake administrator permissions on a table while specifying column_names results in an InvalidInputException: Permissions modification is invalid error. The request is rejected because the configuration attempts to narrow the implicit permissions that the administrator already holds on every table and column in the catalog.
Prerequisites
This resource configuration issue was found when testing with the Terraform and AWS provider versions shown below.
- Terraform v1.0.0
- aws provider ~> 3.46.0
Problem
The Terraform configuration shown below for the aws_lakeformation_permissions resource is invalid because the administrator configured in aws_lakeformation_data_lake_settings is also the principal of aws_lakeformation_permissions, and column_names are being specified for it.
resource "aws_lakeformation_permissions" "test1" {
  principal   = "arn:aws:iam::123456789123:role/dev" # principal/administrator
  permissions = ["SELECT"]

  table_with_columns {
    database_name = aws_glue_catalog_database.test.name
    name          = aws_glue_catalog_table.test.name
    column_names  = ["yes", "no", "maybe"] # column restriction on an administrator: rejected
  }
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = ["arn:aws:iam::123456789123:role/dev"] # principal/administrator
}
Cause
Explicit permissions named under column_names for the principal do not override the implicit permissions that the same principal inherits when it is configured as the aws_lakeformation_data_lake_settings administrator for the account. A data lake administrator already has access to every column of every table, so any column_names restriction for that principal cannot take effect on terraform apply: Lake Formation rejects the request with InvalidInputException rather than silently narrowing the administrator's access. We suggest avoiding this configuration, since it produces unintended terraform apply results and state.
Solution
As an alternative configuration, set wildcard to true and remove column_names, as shown in the aws_lakeformation_permissions resource below. Note that wildcard = true grants SELECT on every column of the table, which matches the access the administrator already has implicitly; it does not restrict the administrator. If the intent is to limit a principal to a subset of columns, that principal must not be listed in admins.
resource "aws_lakeformation_permissions" "test1" {
  principal   = "arn:aws:iam::123456789123:role/dev"
  permissions = ["SELECT"]

  table_with_columns {
    database_name = aws_glue_catalog_database.test.name
    name          = aws_glue_catalog_table.test.name
    wildcard      = true # full-table grant; consistent with the administrator's implicit access
  }

  depends_on = [aws_lakeformation_data_lake_settings.test]
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = ["arn:aws:iam::123456789123:role/dev"]
}
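The following is an added example and is not part of the original article or the AWS provider's documentation. It goes beyond the page's case by showing the pattern that actually delivers column-level least privilege: the data lake administrator is a separate deployment role that only ever receives the full-table (wildcard = true) form of grant, while a non-administrator analyst role is the principal that receives a column_names restriction. The account ID, role names, bucket location, database, table and column names are all assumptions; the aws_glue_catalog_database and aws_glue_catalog_table resources are included so the configuration is complete.

```hcl
# Added example, not from the original article. The account ID, role
# names, S3 location, database, table and column names are assumptions.

# The data lake administrator is a deployment/ops role. It has implicit
# access to every catalog table and column, so no column_names grant can
# narrow it; keep it separate from the principals that query data.
resource "aws_lakeformation_data_lake_settings" "example" {
  admins = ["arn:aws:iam::123456789123:role/lakeformation-admin"]
}

resource "aws_glue_catalog_database" "example" {
  name = "example_db"
}

resource "aws_glue_catalog_table" "example" {
  name          = "customers"
  database_name = aws_glue_catalog_database.example.name
  table_type    = "EXTERNAL_TABLE"

  storage_descriptor {
    location = "s3://example-bucket/customers/" # assumed location

    columns {
      name = "customer_id"
      type = "string"
    }
    columns {
      name = "email"
      type = "string"
    }
    columns {
      name = "ssn"
      type = "string"
    }
  }
}

# Column-level least privilege only works for a principal that is NOT a
# data lake administrator. This analyst role gets SELECT on two columns
# and is never granted "ssn".
resource "aws_lakeformation_permissions" "analyst_select" {
  principal   = "arn:aws:iam::123456789123:role/analyst" # not listed in admins
  permissions = ["SELECT"]

  table_with_columns {
    database_name = aws_glue_catalog_database.example.name
    name          = aws_glue_catalog_table.example.name
    column_names  = ["customer_id", "email"]
  }

  # Apply grants only after the administrator list is in place.
  depends_on = [aws_lakeformation_data_lake_settings.example]
}

# For the administrator itself, the only valid explicit grant on the
# table is the full-table form. Replacing wildcard = true here with a
# column_names list reproduces the InvalidInputException from the article.
resource "aws_lakeformation_permissions" "admin_select" {
  principal   = "arn:aws:iam::123456789123:role/lakeformation-admin"
  permissions = ["SELECT"]

  table_with_columns {
    database_name = aws_glue_catalog_database.example.name
    name          = aws_glue_catalog_table.example.name
    wildcard      = true
  }

  depends_on = [aws_lakeformation_data_lake_settings.example]
}
```

The design point is that administrator membership in aws_lakeformation_data_lake_settings is an all-or-nothing privilege: anything that needs to be constrained to specific columns must be a distinct, non-administrator principal, and the administrator role should be reserved for managing the catalog rather than for running queries.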