Merge pull request #19817 from hashicorp/b-lakeformation-19643

r/lakeformation_permissions: Fix update bug
hashicorp · Jun 17, 2021 · e22269b · e22269b
2 parents 111b55e + 5bf5b84
commit e22269b
Show file tree

Hide file tree

Showing 11 changed files with 1,207 additions and 345 deletions.
diff --git a/.changelog/19817.txt b/.changelog/19817.txt
@@ -0,0 +1,15 @@
+```release-note:bug
+resource/aws_lakeformation_permissions: Fix bug preventing updates (inconsistent result)
+```
+
+```release-note:bug
+resource/aws_lakeformation_permissions: Fix bug where resource is not properly removed from state
+```
+
+```release-note:bug
+resource/aws_lakeformation_permissions: Fix diffs resulting only from order of column names and exclude column names
+```
+
+```release-note:bug
+data-source/aws_lakeformation_permissions: Fix diffs resulting from order of column names and exclude column names
+```
diff --git a/aws/data_source_aws_lakeformation_permissions.go b/aws/data_source_aws_lakeformation_permissions.go
@@ -6,13 +6,11 @@ import (
 
  "github.com/aws/aws-sdk-go/aws"
  "github.com/aws/aws-sdk-go/service/lakeformation"
- "github.com/hashicorp/aws-sdk-go-base/tfawserr"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
  "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
  "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
  "github.com/terraform-providers/terraform-provider-aws/aws/internal/hashcode"
- iamwaiter "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/iam/waiter"
- "github.com/terraform-providers/terraform-provider-aws/aws/internal/tfresource"
+ tflakeformation "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/lakeformation"
+ "github.com/terraform-providers/terraform-provider-aws/aws/internal/service/lakeformation/waiter"
 )
 
 func dataSourceAwsLakeFormationPermissions() *schema.Resource {
@@ -134,8 +132,9 @@ func dataSourceAwsLakeFormationPermissions() *schema.Resource {
  ValidateFunc: validateAwsAccountId,
  },
  "column_names": {
- Type: schema.TypeList,
+ Type: schema.TypeSet,
  Optional: true,
+ Set: schema.HashString,
  Elem: &schema.Schema{
  Type: schema.TypeString,
  ValidateFunc: validation.NoZeroValues,
@@ -146,8 +145,9 @@ func dataSourceAwsLakeFormationPermissions() *schema.Resource {
  Required: true,
  },
  "excluded_column_names": {
- Type: schema.TypeList,
+ Type: schema.TypeSet,
  Optional: true,
+ Set: schema.HashString,
  Elem: &schema.Schema{
  Type: schema.TypeString,
  ValidateFunc: validation.NoZeroValues,
@@ -198,89 +198,49 @@ func dataSourceAwsLakeFormationPermissionsRead(d *schema.ResourceData, meta inte
 
  if v, ok := d.GetOk("table"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
  input.Resource.Table = expandLakeFormationTableResource(v.([]interface{})[0].(map[string]interface{}))
- tableType = TableTypeTable
+ tableType = tflakeformation.TableTypeTable
  }
 
  if v, ok := d.GetOk("table_with_columns"); ok && len(v.([]interface{})) > 0 && v.([]interface{})[0] != nil {
  // can't ListPermissions for TableWithColumns, so use Table instead
  input.Resource.Table = expandLakeFormationTableWithColumnsResourceAsTable(v.([]interface{})[0].(map[string]interface{}))
- tableType = TableTypeTableWithColumns
+ tableType = tflakeformation.TableTypeTableWithColumns
  }
 
- log.Printf("[DEBUG] Reading Lake Formation permissions: %v", input)
- var allPermissions []*lakeformation.PrincipalResourcePermissions
-
- err := resource.Retry(iamwaiter.PropagationTimeout, func() *resource.RetryError {
- err := conn.ListPermissionsPages(input, func(resp *lakeformation.ListPermissionsOutput, lastPage bool) bool {
- for _, permission := range resp.PrincipalResourcePermissions {
- if permission == nil {
- continue
- }
+ columnNames := make([]*string, 0)
+ excludedColumnNames := make([]*string, 0)
+ columnWildcard := false
 
-  allPermissions = append(allPermissions, permission)
-  }
- return !lastPage
- })
+ if tableType == tflakeformation.TableTypeTableWithColumns {
+ if v, ok := d.GetOk("table_with_columns.0.wildcard"); ok {
+ columnWildcard = v.(bool)
+ }
 
- if err != nil {
- if tfawserr.ErrMessageContains(err, lakeformation.ErrCodeInvalidInputException, "Invalid principal") {
- return resource.RetryableError(err)
+ if v, ok := d.GetOk("table_with_columns.0.column_names"); ok {
+ if v, ok := v.(*schema.Set); ok && v.Len() > 0 {
+ columnNames = expandStringSet(v)
  }
- return resource.NonRetryableError(fmt.Errorf("error reading Lake Formation Permissions: %w", err))
  }
- return nil
- })
-
- if tfresource.TimedOut(err) {
- err = conn.ListPermissionsPages(input, func(resp *lakeformation.ListPermissionsOutput, lastPage bool) bool {
- for _, permission := range resp.PrincipalResourcePermissions {
- if permission == nil {
- continue
- }
 
- allPermissions = append(allPermissions, permission)
+ if v, ok := d.GetOk("table_with_columns.0.excluded_column_names"); ok {
+ if v, ok := v.(*schema.Set); ok && v.Len() > 0 {
+ excludedColumnNames = expandStringSet(v)
  }
- return !lastPage
- })
+ }
  }
 
+ log.Printf("[DEBUG] Reading Lake Formation permissions: %v", input)
+
+ allPermissions, err := waiter.PermissionsReady(conn, input, tableType, columnNames, excludedColumnNames, columnWildcard)
+
  d.SetId(fmt.Sprintf("%d", hashcode.String(input.String())))
 
  if err != nil {
  return fmt.Errorf("error reading Lake Formation permissions: %w", err)
  }
 
- var cleanPermissions []*lakeformation.PrincipalResourcePermissions
-
- if input.Resource.Catalog != nil {
- cleanPermissions = filterLakeFormationCatalogPermissions(allPermissions)
- }
-
- if input.Resource.DataLocation != nil {
- cleanPermissions = filterLakeFormationDataLocationPermissions(allPermissions)
- }
-
- if input.Resource.Database != nil {
- cleanPermissions = filterLakeFormationDatabasePermissions(allPermissions)
- }
-
- if tableType == TableTypeTable {
- cleanPermissions = filterLakeFormationTablePermissions(
- aws.StringValue(input.Resource.Table.Name),
- input.Resource.Table.TableWildcard != nil,
- allPermissions,
- )
- }
-
- if tableType == TableTypeTableWithColumns {
- cleanPermissions = filterLakeFormationTableWithColumnsPermissions(
- d.Get("table_with_columns.0.database_name").(string),
- d.Get("table_with_columns.0.wildcard").(bool),
- expandStringList(d.Get("table_with_columns.0.column_names").([]interface{})),
- expandStringList(d.Get("table_with_columns.0.excluded_column_names").([]interface{})),
- allPermissions,
- )
- }
+ // clean permissions = filter out permissions that do not pertain to this specific resource
+ cleanPermissions := tflakeformation.FilterPermissions(input, tableType, columnNames, excludedColumnNames, columnWildcard, allPermissions)
 
  if len(cleanPermissions) != len(allPermissions) {
  log.Printf("[INFO] Resource Lake Formation clean permissions (%d) and all permissions (%d) have different lengths (this is not necessarily a problem): %s", len(cleanPermissions), len(allPermissions), d.Id())
@@ -292,6 +252,8 @@ func dataSourceAwsLakeFormationPermissionsRead(d *schema.ResourceData, meta inte
 
  if cleanPermissions[0].Resource.Catalog != nil {
  d.Set("catalog_resource", true)
+ } else {
+ d.Set("catalog_resource", false)
  }
 
  if cleanPermissions[0].Resource.DataLocation != nil {

diff --git a/aws/internal/service/lakeformation/filter.go b/aws/internal/service/lakeformation/filter.go
@@ -0,0 +1,181 @@
+package lakeformation
+
+import (
+ "reflect"
+ "sort"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/lakeformation"
+)
+
+const (
+ TableNameAllTables = "ALL_TABLES"
+ TableTypeTable = "Table"
+ TableTypeTableWithColumns = "TableWithColumns"
+)
+
+func FilterPermissions(input *lakeformation.ListPermissionsInput, tableType string, columnNames []*string, excludedColumnNames []*string, columnWildcard bool, allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+ // For most Lake Formation resources, filtering within the provider is unnecessary. The input
+ // contains everything for AWS to give you back exactly what you want. However, many challenges
+ // arise with tables and tables with columns. Perhaps the two biggest problems (so far) are as
+ // follows:
+ // 1. SELECT - when you grant SELECT, it may be part of a list of permissions. However, when
+ // listing permissions, SELECT comes back in a separate permission.
+ // 2. Tables with columns. The ListPermissionsInput does not allow you to include a tables with
+ // columns resource. This means you might get back more permissions than actually pertain to
+ // the current situation. The table may have separate permissions that also come back.
+ //
+ // Thus, for most cases this is just a pass through filter but attempts to clean out
+ // permissions in the special cases to avoid extra permissions being included.
+
+ if input.Resource.Catalog != nil {
+ return FilterLakeFormationCatalogPermissions(allPermissions)
+ }
+
+ if input.Resource.DataLocation != nil {
+ return FilterLakeFormationDataLocationPermissions(allPermissions)
+ }
+
+ if input.Resource.Database != nil {
+ return FilterLakeFormationDatabasePermissions(allPermissions)
+ }
+
+ if tableType == TableTypeTableWithColumns {
+ return FilterLakeFormationTableWithColumnsPermissions(input.Resource.Table, columnNames, excludedColumnNames, columnWildcard, allPermissions)
+ }
+
+ if input.Resource.Table != nil || tableType == TableTypeTable {
+ return FilterLakeFormationTablePermissions(input.Resource.Table, allPermissions)
+ }
+
+ return nil
+}
+
+func FilterLakeFormationTablePermissions(table *lakeformation.TableResource, allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+ // CREATE PERMS (in) = ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, SELECT on Table, Name = (Table Name)
+ // LIST PERMS (out) = ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT on Table, Name = (Table Name)
+ // LIST PERMS (out) = SELECT on TableWithColumns, Name = (Table Name), ColumnWildcard
+
+ // CREATE PERMS (in) = ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, SELECT on Table, TableWildcard
+ // LIST PERMS (out) = ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT on Table, TableWildcard, Name = ALL_TABLES
+ // LIST PERMS (out) = SELECT on TableWithColumns, Name = ALL_TABLES, ColumnWildcard
+
+ var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+ for _, perm := range allPermissions {
+ if perm.Resource.TableWithColumns != nil && perm.Resource.TableWithColumns.ColumnWildcard != nil {
+ if aws.StringValue(perm.Resource.TableWithColumns.Name) == aws.StringValue(table.Name) || (table.TableWildcard != nil && aws.StringValue(perm.Resource.TableWithColumns.Name) == TableNameAllTables) {
+ if len(perm.Permissions) > 0 && aws.StringValue(perm.Permissions[0]) == lakeformation.PermissionSelect {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+
+ if len(perm.PermissionsWithGrantOption) > 0 && aws.StringValue(perm.PermissionsWithGrantOption[0]) == lakeformation.PermissionSelect {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+ }
+ }
+
+ if perm.Resource.Table != nil && aws.StringValue(perm.Resource.Table.DatabaseName) == aws.StringValue(table.DatabaseName) {
+ if aws.StringValue(perm.Resource.Table.Name) == aws.StringValue(table.Name) {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+
+ if perm.Resource.Table.TableWildcard != nil && table.TableWildcard != nil {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+ }
+ continue
+ }
+
+ return cleanPermissions
+}
+
+func FilterLakeFormationTableWithColumnsPermissions(twc *lakeformation.TableResource, columnNames []*string, excludedColumnNames []*string, columnWildcard bool, allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+ // CREATE PERMS (in) = ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, SELECT on TableWithColumns, Name = (Table Name), ColumnWildcard
+ // LIST PERMS (out) = ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT on Table, Name = (Table Name)
+ // LIST PERMS (out) = SELECT on TableWithColumns, Name = (Table Name), ColumnWildcard
+
+ var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+ for _, perm := range allPermissions {
+ if perm.Resource.TableWithColumns != nil && perm.Resource.TableWithColumns.ColumnNames != nil {
+ if StringSlicesEqualIgnoreOrder(perm.Resource.TableWithColumns.ColumnNames, columnNames) {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+ }
+
+ if perm.Resource.TableWithColumns != nil && perm.Resource.TableWithColumns.ColumnWildcard != nil && (columnWildcard || len(excludedColumnNames) > 0) {
+ if perm.Resource.TableWithColumns.ColumnWildcard.ExcludedColumnNames == nil && len(excludedColumnNames) == 0 {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+
+ if len(excludedColumnNames) > 0 && StringSlicesEqualIgnoreOrder(perm.Resource.TableWithColumns.ColumnWildcard.ExcludedColumnNames, excludedColumnNames) {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+ }
+
+ if perm.Resource.Table != nil && aws.StringValue(perm.Resource.Table.Name) == aws.StringValue(twc.Name) {
+ cleanPermissions = append(cleanPermissions, perm)
+ continue
+ }
+ }
+
+ return cleanPermissions
+}
+
+func FilterLakeFormationCatalogPermissions(allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+ var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+ for _, perm := range allPermissions {
+ if perm.Resource.Catalog != nil {
+ cleanPermissions = append(cleanPermissions, perm)
+ }
+ }
+
+ return cleanPermissions
+}
+
+func FilterLakeFormationDataLocationPermissions(allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+ var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+ for _, perm := range allPermissions {
+ if perm.Resource.DataLocation != nil {
+ cleanPermissions = append(cleanPermissions, perm)
+ }
+ }
+
+ return cleanPermissions
+}
+
+func FilterLakeFormationDatabasePermissions(allPermissions []*lakeformation.PrincipalResourcePermissions) []*lakeformation.PrincipalResourcePermissions {
+ var cleanPermissions []*lakeformation.PrincipalResourcePermissions
+
+ for _, perm := range allPermissions {
+ if perm.Resource.Database != nil {
+ cleanPermissions = append(cleanPermissions, perm)
+ }
+ }
+
+ return cleanPermissions
+}
+
+func StringSlicesEqualIgnoreOrder(s1, s2 []*string) bool {
+ if len(s1) != len(s2) {
+ return false
+ }
+
+ v1 := aws.StringValueSlice(s1)
+ v2 := aws.StringValueSlice(s2)
+
+ sort.Strings(v1)
+ sort.Strings(v2)
+
+ return reflect.DeepEqual(v1, v2)
+}