aws_lakeformation_permissions (data_location) timeout #21539
Comments
Just happened to me. After short debugging, it seems to be an issue in the filter logic (filter.go). I'm creating a table_with_columns permission here (could also be table or data_location, doesn't really matter):

```hcl
resource "aws_lakeformation_permissions" "access" {
  principal   = local.principal_arn
  permissions = ["SELECT"]

  table_with_columns {
    catalog_id    = local.catalog_id
    database_name = local.db_name
    name          = local.table_name
    wildcard      = true
  }
}
```

Debug output
Provider tries to do
Applying
The ColumnWildcard object is empty, I would have expected something else. After creating it, the provider tries to check if it's there and gets the following response:

```json
{
  "NextToken": null,
  "PrincipalResourcePermissions": [
    {
      "AdditionalDetails": null,
      "Permissions": [
        "SELECT"
      ],
      "PermissionsWithGrantOption": [],
      "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::***:role/***"
      },
      "Resource": {
        "Catalog": null,
        "DataCellsFilter": null,
        "DataLocation": null,
        "Database": null,
        "LFTag": null,
        "LFTagPolicy": null,
        "Table": null,
        "TableWithColumns": {
          "CatalogId": "***",
          "ColumnNames": [
            "col1",
            "col2"
          ],
          "ColumnWildcard": null,
          "DatabaseName": "db_name",
          "Name": "table_name"
        }
      }
    }
  ]
}
```

So the provider receives the correct information back, but I think the post filtering is responsible for why the 'NOT FOUND' state is returned:

```go
// clean permissions = filter out permissions that do not pertain to this specific resource
cleanPermissions := FilterPermissions(input, tableType, columnNames, excludedColumnNames, columnWildcard, permissions)

if len(cleanPermissions) == 0 {
	return nil, statusNotFound, nil
}

return permissions, statusAvailable, nil
```

This will filter out the returned permission (looking at func FilterTableWithColumnsPermissions) because I did specify the wildcard in terraform, but the returned permission says that ColumnWildcard is set to null - as it was created using an empty object. Instead, it lists all columns in the ColumnNames array - which also results in filtering the permission. This all seems kind of strange. I know from your comments that LakeFormation does a lot of implicit stuff (
Thanks! |
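To make the filtering path described in the comment above concrete, here is an added Go example (written for this page, not the provider's own filter.go, and not code from the commenter). It models the ListPermissions response shape quoted above with simplified types (not the AWS SDK types), feeds in the captured response, and runs a filter that behaves the way the comment describes: with `wildcard = true` in the configuration, a returned permission whose `ColumnWildcard` is null is dropped, so zero permissions survive and the state becomes "NOT FOUND". A second, constructed response with a non-null `ColumnWildcard: {}` shows the same filter reporting "AVAILABLE", and a third call shows that the captured response does match a configuration listing `col1` and `col2` explicitly. The function names `filterTableWithColumns`, `sameColumns` and `resourceState` are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified model of the ListPermissions response visible in the issue;
// these are the example's own types, not the AWS SDK types.
type (
	ColumnWildcard struct {
		ExcludedColumnNames []string `json:"ExcludedColumnNames"`
	}
	TableWithColumns struct {
		CatalogId      string          `json:"CatalogId"`
		ColumnNames    []string        `json:"ColumnNames"`
		ColumnWildcard *ColumnWildcard `json:"ColumnWildcard"` // nil when the API returns null
		DatabaseName   string          `json:"DatabaseName"`
		Name           string          `json:"Name"`
	}
	Resource struct {
		TableWithColumns *TableWithColumns `json:"TableWithColumns"`
	}
	PrincipalResourcePermission struct {
		Permissions []string `json:"Permissions"`
		Resource    Resource `json:"Resource"`
	}
	ListPermissionsOutput struct {
		PrincipalResourcePermissions []PrincipalResourcePermission `json:"PrincipalResourcePermissions"`
	}
)

// capturedResponse is the response quoted in the issue (account and role are
// masked with *** there too), trimmed to the fields the filter looks at.
const capturedResponse = `{"PrincipalResourcePermissions": [{"Permissions": ["SELECT"],
  "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::***:role/***"},
  "Resource": {"TableWithColumns": {"CatalogId": "***", "ColumnNames": ["col1", "col2"],
  "ColumnWildcard": null, "DatabaseName": "db_name", "Name": "table_name"}}}]}`

// expectedResponse is a constructed variant carrying the non-null (empty)
// ColumnWildcard the commenter says they would have expected.
const expectedResponse = `{"PrincipalResourcePermissions": [{"Permissions": ["SELECT"],
  "Resource": {"TableWithColumns": {"CatalogId": "***", "ColumnNames": null,
  "ColumnWildcard": {}, "DatabaseName": "db_name", "Name": "table_name"}}}]}`

// filterTableWithColumns models the post-filter described in the comment: keep
// a permission only when the returned resource names the configured table and
// its column selection matches the configuration. With wildcard=true the
// response must carry a non-nil ColumnWildcard; otherwise ColumnNames must match.
func filterTableWithColumns(perms []PrincipalResourcePermission, dbName, tableName string, columnNames []string, wildcard bool) []PrincipalResourcePermission {
	var clean []PrincipalResourcePermission
	for _, p := range perms {
		twc := p.Resource.TableWithColumns
		if twc == nil || twc.DatabaseName != dbName || twc.Name != tableName {
			continue
		}
		if wildcard {
			if twc.ColumnWildcard == nil {
				continue // configuration asked for a wildcard, the API returned none
			}
		} else if !sameColumns(twc.ColumnNames, columnNames) {
			continue
		}
		clean = append(clean, p)
	}
	return clean
}

// sameColumns compares two column lists regardless of order.
func sameColumns(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	seen := make(map[string]int, len(a))
	for _, c := range a {
		seen[c]++
	}
	for _, c := range b {
		if seen[c] == 0 {
			return false
		}
		seen[c]--
	}
	return true
}

// resourceState derives the state the provider's waiter polls for: when no
// permission survives the filter the state is "NOT FOUND", which is retried
// until the 1m0s timeout reported in the issue.
func resourceState(raw []byte, dbName, tableName string, columnNames []string, wildcard bool) (string, error) {
	var out ListPermissionsOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return "", err
	}
	if len(filterTableWithColumns(out.PrincipalResourcePermissions, dbName, tableName, columnNames, wildcard)) == 0 {
		return "NOT FOUND", nil
	}
	return "AVAILABLE", nil
}

func main() {
	for name, body := range map[string]string{"captured": capturedResponse, "expected": expectedResponse} {
		state, err := resourceState([]byte(body), "db_name", "table_name", nil, true)
		fmt.Printf("%-8s wildcard=true -> %s (err=%v)\n", name, state, err)
	}
	state, _ := resourceState([]byte(capturedResponse), "db_name", "table_name", []string{"col1", "col2"}, false)
	fmt.Printf("captured explicit columns -> %s\n", state)
}
```

The useful diagnostic here is the third call: the API did return the grant, and it is only the mismatch between how the configuration expresses "all columns" (a wildcard) and how the service reports it back (an explicit column list with a null wildcard) that turns a successful grant into a wait-until-timeout.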
Unfortunately, I am unable to reproduce this problem. We have working tests with nearly the exact configurations you provided. Do you see how these might be different? The s3 configuration from @simonB2020 above seems a lot like this test:

```hcl
data "aws_partition" "current" {}

resource "aws_iam_role" "test" {
  name = "terraform-test"
  path = "/"

  assume_role_policy = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "glue.${data.aws_partition.current.dns_suffix}"
      }
    }, {
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "s3.${data.aws_partition.current.dns_suffix}"
      }
    }]
    Version = "2012-10-17"
  })
}

resource "aws_s3_bucket" "test" {
  bucket        = "terraform-test"
  force_destroy = true
}

resource "aws_s3_bucket_acl" "test" {
  bucket = aws_s3_bucket.test.id
  acl    = "private"
}

resource "aws_lakeformation_resource" "test" {
  arn      = aws_s3_bucket.test.arn
  role_arn = aws_iam_role.test.arn
}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
  arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
  principal   = aws_iam_role.test.arn
  permissions = ["DATA_LOCATION_ACCESS"]

  data_location {
    arn = aws_s3_bucket.test.arn
  }

  # for consistency, ensure that admins are setup before testing
  depends_on = [aws_lakeformation_data_lake_settings.test]
}
```

The table with columns config from @kasleet above seems a lot like this test:

```hcl
data "aws_partition" "current" {}

resource "aws_iam_role" "test" {
  name = "terraform-test"
  path = "/"

  assume_role_policy = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "glue.${data.aws_partition.current.dns_suffix}"
      }
    }]
    Version = "2012-10-17"
  })
}

resource "aws_glue_catalog_database" "test" {
  name = "terraform-test"
}

resource "aws_glue_catalog_table" "test" {
  name          = "terraform-test"
  database_name = aws_glue_catalog_database.test.name
}

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
  arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = [data.aws_iam_session_context.current.issuer_arn]
}

resource "aws_lakeformation_permissions" "test" {
  permissions = ["SELECT"]
  principal   = aws_iam_role.test.arn

  table_with_columns {
    database_name = aws_glue_catalog_table.test.database_name
    name          = aws_glue_catalog_table.test.name
    wildcard      = true
  }

  # for consistency, ensure that admins are setup before testing
  depends_on = [aws_lakeformation_data_lake_settings.test]
}
```
|
I haven't heard back on anything, so I'm going to close this as complete. If this is not the case, please let us know! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
We ran into this issue while granting cross-account Lake Formation permissions using terraform. The setup is as below:
Steps 1 and 2 are performed in separate terraforms, and obviously on separate accounts. Step 2 terraform throws the below error |
To add more context to the above: while it looks like a TIMEOUT issue, which appears like a race condition. However, re-trying the Terraform version
Our provider versions:
|
Also would be good to add support for custom timeouts: https://www.terraform.io/language/resources/syntax#operation-timeouts |
Issue with full templates raised here too #26602 |
Hello everyone, is there someone working on this? I can still reproduce this with Provider version 5.5.0. |
Hi!! I have experienced the same issue, and I completely agree with @kasleet's analysis. What I have identified in my case is that this happens when the The logging messages are:
|
Terraform CLI and Terraform AWS Provider Version
Terraform: 0.14.6
AWS: 3.63.0
Affected Resource(s)
aws_lakeformation_permissions
(with data_location argument)
Terraform Configuration Files
Debug Output
Error: error reading Lake Formation permissions: timeout while waiting for state to become 'AVAILABLE' (last state: 'NOT FOUND', timeout: 1m0s)
Panic Output
Expected Behavior
Permissions should be applied successfully
Actual Behavior
As above, the action times out.
Steps to Reproduce
Important Factoids
Executing role is set as a datalake admin
References