Problem
When granting AWS Lake Formation permissions using the aws_lakeformation_permissions resource, you may encounter an error if the principal is also a Lake Formation administrator and you specify column_names. This configuration attempts to narrow the implicit permissions of the administrator, resulting in an InvalidInputException: Permissions modification is invalid error during terraform apply.
The following configuration demonstrates the issue.
resource "aws_lakeformation_permissions" "test1" {
  principal   = "arn:aws:iam::123456789123:role/dev" # Principal is also an administrator
  permissions = ["SELECT"]

  table_with_columns {
    database_name = aws_glue_catalog_database.test.name
    name          = aws_glue_catalog_table.test.name
    column_names  = ["yes", "no", "maybe"]
  }
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = ["arn:aws:iam::123456789123:role/dev"] # Principal is defined as an administrator
}

Prerequisites
This issue was observed with the following versions:
- Terraform v1.0.0
- AWS Provider v3.46.0
Cause
A principal designated as a Lake Formation administrator in aws_lakeformation_data_lake_settings has implicit access to every database and table in the data lake. The aws_lakeformation_permissions resource in the problem statement attempts to grant that same principal an explicit, column-level SELECT on a single table.
Lake Formation does not allow an explicit grant to narrow an administrator's implicit permissions, so it rejects the request: the initial terraform apply fails with InvalidInputException: Permissions modification is invalid. For the same reason, a column_names list on a grant to an administrator principal never restricts that principal's access; changing the list on a later apply has no effect on what the administrator can read.
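The conflict described above is cheap to catch before terraform apply. The following is an added example, not part of the original article or of the Terraform AWS Provider: it reads the JSON produced by aws lakeformation get-data-lake-settings and by terraform show -json on a saved plan, and reports every planned aws_lakeformation_permissions grant whose principal is a data lake administrator and whose table_with_columns block lists column_names. The two sample documents embedded in the script are constructed for illustration; the field names assumed for the plan JSON (resource_changes, change.after, table_with_columns, column_names) follow the plan output format of the provider version cited in the prerequisites.

```python
"""Pre-apply check for Lake Formation grants that would try to narrow an
administrator's implicit permissions with column_names.

Added example; not code from the original article or the Terraform provider.
The sample settings and plan below are constructed, not captured from an account.
"""
from __future__ import annotations

import json
import sys
from typing import Iterable


def admin_principals(settings: dict) -> set[str]:
    """Collect data lake administrator ARNs from get-data-lake-settings output."""
    admins = settings.get("DataLakeSettings", {}).get("DataLakeAdmins", [])
    return {a["DataLakePrincipalIdentifier"] for a in admins}


def planned_grants(plan: dict) -> Iterable[dict]:
    """Yield the planned 'after' state of each aws_lakeformation_permissions resource
    (assumed plan JSON layout: resource_changes[].change.after)."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_lakeformation_permissions":
            continue
        after = (rc.get("change") or {}).get("after")
        if after:
            yield {"address": rc.get("address"), **after}


def find_conflicts(plan: dict, settings: dict) -> list[str]:
    """Return addresses of grants whose principal is an administrator and whose
    table_with_columns block lists column_names: the combination Lake Formation rejects."""
    admins = admin_principals(settings)
    conflicts = []
    for grant in planned_grants(plan):
        if grant.get("principal") not in admins:
            continue
        for twc in grant.get("table_with_columns") or []:
            if twc.get("column_names"):
                conflicts.append(grant["address"])
                break
    return conflicts


# Constructed sample: shape of `aws lakeformation get-data-lake-settings`.
SAMPLE_SETTINGS = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789123:role/dev"}
        ]
    }
}

# Constructed sample: shape of `terraform show -json plan.tfplan`, with one grant
# to the administrator (rejected) and one to a non-admin role (allowed).
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "aws_lakeformation_permissions.test1",
            "type": "aws_lakeformation_permissions",
            "change": {"actions": ["create"], "after": {
                "principal": "arn:aws:iam::123456789123:role/dev",
                "permissions": ["SELECT"],
                "table_with_columns": [{
                    "database_name": "test", "name": "test",
                    "column_names": ["yes", "no", "maybe"], "wildcard": False}]}},
        },
        {
            "address": "aws_lakeformation_permissions.analyst",
            "type": "aws_lakeformation_permissions",
            "change": {"actions": ["create"], "after": {
                "principal": "arn:aws:iam::123456789123:role/analyst",
                "permissions": ["SELECT"],
                "table_with_columns": [{
                    "database_name": "test", "name": "test",
                    "column_names": ["yes"], "wildcard": False}]}},
        },
    ]
}


def main(argv: list[str]) -> int:
    """Usage: check.py plan.json settings.json (falls back to the samples)."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            plan = json.load(f)
        with open(argv[2]) as f:
            settings = json.load(f)
    else:
        plan, settings = SAMPLE_PLAN, SAMPLE_SETTINGS
    conflicts = find_conflicts(plan, settings)
    for address in conflicts:
        print(f"{address}: column_names on an administrator principal; use wildcard = true")
    return 1 if conflicts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Produce the two inputs with aws lakeformation get-data-lake-settings > settings.json and terraform plan -out plan.tfplan followed by terraform show -json plan.tfplan > plan.json, then run the script with both paths; a non-zero exit means at least one grant will fail with InvalidInputException. Because the check compares against the live administrator list rather than the Terraform configuration, it also catches principals that were made administrators outside Terraform.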
Solution
To resolve this issue, grant the administrator principal the whole table instead of individual columns: remove the column_names argument and set wildcard = true in the table_with_columns block. Adding depends_on on the aws_lakeformation_data_lake_settings resource ensures the administrator list is applied before the grant is evaluated.
This configuration reflects the access the administrator already has, so no conflict arises. Note that it does not impose any column restriction. If the principal genuinely must be limited to specific columns, remove it from admins in aws_lakeformation_data_lake_settings; a column-level grant only takes effect for a principal that is not an administrator.
resource "aws_lakeformation_permissions" "test1" {
  principal   = "arn:aws:iam::123456789123:role/dev"
  permissions = ["SELECT"]

  table_with_columns {
    database_name = aws_glue_catalog_database.test.name
    name          = aws_glue_catalog_table.test.name
    wildcard      = true # Whole table; column_names cannot narrow an administrator
  }

  # Apply the administrator list before this grant is evaluated
  depends_on = [aws_lakeformation_data_lake_settings.test]
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = ["arn:aws:iam::123456789123:role/dev"]
}

Additional Information
For more details on configuring Lake Formation permissions, refer to the official Terraform AWS Provider documentation for the aws_lakeformation_permissions and aws_lakeformation_data_lake_settings resources.