bugfix: Lake Formation permissions/permissions_with_grant_option type #38047

merged 7 commits into from
Dec 13, 2024
3 changes: 3 additions & 0 deletions .changelog/38047.txt
@@ -0,0 +1,3 @@
```release-note:bug
resource/aws_lakeformation_permissions: Fix refreshing state so order is not considered in `permissions` and `permissions_with_grant_option` attributes
```
12 changes: 6 additions & 6 deletions internal/service/lakeformation/permissions.go
Expand Up @@ -254,7 +254,7 @@ func ResourcePermissions() *schema.Resource {
},
},
names.AttrPermissions: {
Type: schema.TypeList,
Type: schema.TypeSet,
ForceNew: true,
MinItems: 1,
Required: true,
Expand All @@ -264,7 +264,7 @@ func ResourcePermissions() *schema.Resource {
},
},
"permissions_with_grant_option": {
Type: schema.TypeList,
Type: schema.TypeSet,
Computed: true,
ForceNew: true,
Optional: true,
Expand Down Expand Up @@ -422,7 +422,7 @@ func resourcePermissionsCreate(ctx context.Context, d *schema.ResourceData, meta
conn := meta.(*conns.AWSClient).LakeFormationClient(ctx)

input := &lakeformation.GrantPermissionsInput{
Permissions: flex.ExpandStringyValueList[awstypes.Permission](d.Get(names.AttrPermissions).([]interface{})),
Permissions: flex.ExpandStringyValueSet[awstypes.Permission](d.Get(names.AttrPermissions).(*schema.Set)),
Principal: &awstypes.DataLakePrincipal{
DataLakePrincipalIdentifier: aws.String(d.Get(names.AttrPrincipal).(string)),
},
Expand All @@ -438,7 +438,7 @@ func resourcePermissionsCreate(ctx context.Context, d *schema.ResourceData, meta
}

if v, ok := d.GetOk("permissions_with_grant_option"); ok {
input.PermissionsWithGrantOption = flex.ExpandStringyValueList[awstypes.Permission](v.([]interface{}))
input.PermissionsWithGrantOption = flex.ExpandStringyValueSet[awstypes.Permission](v.(*schema.Set))
}

if _, ok := d.GetOk("catalog_resource"); ok {
Expand Down Expand Up @@ -741,8 +741,8 @@ func resourcePermissionsDelete(ctx context.Context, d *schema.ResourceData, meta
conn := meta.(*conns.AWSClient).LakeFormationClient(ctx)

input := &lakeformation.RevokePermissionsInput{
Permissions: flex.ExpandStringyValueList[awstypes.Permission](d.Get(names.AttrPermissions).([]interface{})),
PermissionsWithGrantOption: flex.ExpandStringyValueList[awstypes.Permission](d.Get("permissions_with_grant_option").([]interface{})),
Permissions: flex.ExpandStringyValueSet[awstypes.Permission](d.Get(names.AttrPermissions).(*schema.Set)),
PermissionsWithGrantOption: flex.ExpandStringyValueSet[awstypes.Permission](d.Get("permissions_with_grant_option").(*schema.Set)),
Principal: &awstypes.DataLakePrincipal{
DataLakePrincipalIdentifier: aws.String(d.Get(names.AttrPrincipal).(string)),
},
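Review bot: The schema change at the `names.AttrPermissions` and `"permissions_with_grant_option"` entries (`Type: schema.TypeSet`) carries no comment explaining why a set is used, and since both attributes are `ForceNew: true` the reason matters: with a list, an order-only diff on refresh forced a replacement of the resource, i.e. a revoke followed by a re-grant of the principal's Lake Formation access. I would add above the first `Type: schema.TypeSet` a comment such as `// Set rather than list: the refreshed permissions can come back in a different order, and an order-only diff on a ForceNew attribute would revoke and re-grant the principal's access.` and a one-line `// see names.AttrPermissions` on the second. The Delete path now reads `d.Get("permissions_with_grant_option").(*schema.Set)` unconditionally, which is fine for an empty set, but resourcePermissionsRead is not in this diff; if it still writes these attributes with `d.Set` from a string slice that works for a TypeSet, though it is worth confirming. ResourcePermissions, resourcePermissionsCreate and resourcePermissionsDelete all begin and end outside these hunks.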
67 changes: 34 additions & 33 deletions internal/service/lakeformation/permissions_test.go
Expand Up @@ -47,7 +47,7 @@ func testAccPermissions_basic(t *testing.T) {
testAccCheckPermissionsExists(ctx, resourceName),
resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleName, names.AttrARN),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionCreateDatabase)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionCreateDatabase)),
resource.TestCheckResourceAttr(resourceName, "catalog_resource", acctest.CtTrue),
),
},
Expand Down Expand Up @@ -101,9 +101,9 @@ func testAccPermissions_database(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "database.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "database.0.name", dbName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "3"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAlter)),
resource.TestCheckResourceAttr(resourceName, "permissions.1", string(awstypes.PermissionCreateTable)),
resource.TestCheckResourceAttr(resourceName, "permissions.2", string(awstypes.PermissionDrop)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAlter)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionCreateTable)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDrop)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.0", string(awstypes.PermissionCreateTable)),
),
Expand Down Expand Up @@ -133,7 +133,7 @@ func testAccPermissions_databaseIAMAllowed(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "database.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "database.0.name", dbName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAll)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAll)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "0"),
),
},
Expand Down Expand Up @@ -166,9 +166,9 @@ func testAccPermissions_databaseMultiple(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "database.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "database.0.name", dbName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "3"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAlter)),
resource.TestCheckResourceAttr(resourceName, "permissions.1", string(awstypes.PermissionCreateTable)),
resource.TestCheckResourceAttr(resourceName, "permissions.2", string(awstypes.PermissionDrop)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAlter)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionCreateTable)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDrop)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.0", string(awstypes.PermissionCreateTable)),
testAccCheckPermissionsExists(ctx, resourceName2),
Expand Down Expand Up @@ -205,7 +205,7 @@ func testAccPermissions_dataCellsFilter(t *testing.T) {
testAccCheckPermissionsExists(ctx, resourceName),
resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleName, names.AttrARN),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionDescribe)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDescribe)),
resource.TestCheckResourceAttr(resourceName, "data_cells_filter.#", "1"),
),
},
Expand All @@ -232,7 +232,7 @@ func testAccPermissions_dataLocation(t *testing.T) {
testAccCheckPermissionsExists(ctx, resourceName),
resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleName, names.AttrARN),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionDataLocationAccess)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDataLocationAccess)),
resource.TestCheckResourceAttr(resourceName, "catalog_resource", acctest.CtFalse),
resource.TestCheckResourceAttr(resourceName, "data_location.#", "1"),
resource.TestCheckResourceAttrPair(resourceName, "data_location.0.arn", bucketName, names.AttrARN),
Expand Down Expand Up @@ -266,8 +266,8 @@ func testAccPermissions_lfTag(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "lf_tag.0.key", tagName, names.AttrKey),
resource.TestCheckResourceAttrPair(resourceName, "lf_tag.0.values", tagName, names.AttrValues),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "2"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", "ASSOCIATE"),
resource.TestCheckResourceAttr(resourceName, "permissions.1", "DESCRIBE"),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", "ASSOCIATE"),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", "DESCRIBE"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "2"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.0", "ASSOCIATE"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.1", "DESCRIBE"),
Expand Down Expand Up @@ -303,9 +303,9 @@ func testAccPermissions_lfTagPolicy(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "lf_tag_policy.0.expression.0.key", tagName, names.AttrKey),
resource.TestCheckResourceAttrPair(resourceName, "lf_tag_policy.0.expression.0.values", tagName, names.AttrValues),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "3"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAlter)),
resource.TestCheckResourceAttr(resourceName, "permissions.1", string(awstypes.PermissionCreateTable)),
resource.TestCheckResourceAttr(resourceName, "permissions.2", string(awstypes.PermissionDrop)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAlter)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionCreateTable)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDrop)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.0", string(awstypes.PermissionCreateTable)),
),
Expand Down Expand Up @@ -350,9 +350,9 @@ func testAccPermissions_lfTagPolicyMultiple(t *testing.T) {
"values.#": "2",
}),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "3"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAlter)),
resource.TestCheckResourceAttr(resourceName, "permissions.1", string(awstypes.PermissionCreateTable)),
resource.TestCheckResourceAttr(resourceName, "permissions.2", string(awstypes.PermissionDrop)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAlter)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionCreateTable)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDrop)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.0", string(awstypes.PermissionCreateTable)),
),
Expand Down Expand Up @@ -383,9 +383,9 @@ func testAccPermissions_tableBasic(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "table.0.database_name", tableName, names.AttrDatabaseName),
resource.TestCheckResourceAttrPair(resourceName, "table.0.name", tableName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "3"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAlter)),
resource.TestCheckResourceAttr(resourceName, "permissions.1", string(awstypes.PermissionDelete)),
resource.TestCheckResourceAttr(resourceName, "permissions.2", string(awstypes.PermissionDescribe)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAlter)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDelete)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDescribe)),
),
},
},
Expand Down Expand Up @@ -414,7 +414,7 @@ func testAccPermissions_tableIAMAllowed(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "table.0.database_name", dbName, names.AttrDatabaseName),
resource.TestCheckResourceAttrPair(resourceName, "table.0.name", dbName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAll)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAll)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "0"),
),
},
Expand Down Expand Up @@ -475,9 +475,9 @@ func testAccPermissions_tableMultipleRoles(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "table.0.database_name", tableName, names.AttrDatabaseName),
resource.TestCheckResourceAttrPair(resourceName, "table.0.name", tableName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "3"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionAlter)),
resource.TestCheckResourceAttr(resourceName, "permissions.1", string(awstypes.PermissionDelete)),
resource.TestCheckResourceAttr(resourceName, "permissions.2", string(awstypes.PermissionDescribe)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionAlter)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDelete)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionDescribe)),
testAccCheckPermissionsExists(ctx, resourceName2),
resource.TestCheckResourceAttrPair(roleName2, names.AttrARN, resourceName2, names.AttrPrincipal),
resource.TestCheckResourceAttr(resourceName2, "table.#", "1"),
Expand Down Expand Up @@ -513,7 +513,7 @@ func testAccPermissions_tableSelectOnly(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, "table.0.database_name", tableName, names.AttrDatabaseName),
resource.TestCheckResourceAttrPair(resourceName, "table.0.name", tableName, names.AttrName),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
},
Expand Down Expand Up @@ -588,7 +588,7 @@ func testAccPermissions_tableWildcardSelectOnly(t *testing.T) {
testAccCheckPermissionsExists(ctx, resourceName),
resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleName, names.AttrARN),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "0"),
),
},
Expand Down Expand Up @@ -646,7 +646,7 @@ func testAccPermissions_twcBasic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.0", "event"),
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.1", "timestamp"),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
{
Expand All @@ -661,7 +661,7 @@ func testAccPermissions_twcBasic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.0", "event"),
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.1", "timestamp"),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
{
Expand All @@ -677,7 +677,7 @@ func testAccPermissions_twcBasic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.1", "timestamp"),
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.2", "transactionamount"),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
{
Expand All @@ -691,7 +691,7 @@ func testAccPermissions_twcBasic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.#", "1"),
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.0", "event"),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
},
Expand Down Expand Up @@ -777,7 +777,7 @@ func testAccPermissions_twcWildcardSelectOnly(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.column_names.#", "0"),
resource.TestCheckResourceAttr(resourceName, "table_with_columns.0.wildcard", acctest.CtTrue),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "1"),
resource.TestCheckResourceAttr(resourceName, "permissions.0", string(awstypes.PermissionSelect)),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
},
Expand All @@ -803,6 +803,7 @@ func testAccPermissions_twcWildcardSelectPlus(t *testing.T) {
resource.TestCheckResourceAttrPair(resourceName, names.AttrPrincipal, roleName, names.AttrARN),
resource.TestCheckResourceAttr(resourceName, "permissions.#", "7"),
resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "0"),
resource.TestCheckTypeSetElemAttr(resourceName, "permissions.*", string(awstypes.PermissionSelect)),
),
},
},
Expand Down Expand Up @@ -2636,7 +2637,7 @@ resource "aws_lakeformation_data_lake_settings" "test" {
}

resource "aws_lakeformation_permissions" "test" {
permissions = ["ALL", "ALTER", "DELETE", "DESCRIBE", "DROP", "INSERT", "SELECT"]
permissions = ["SELECT", "ALTER", "DELETE", "DESCRIBE", "DROP", "INSERT", "ALL"]
principal = aws_iam_role.test.arn

table_with_columns {
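Review bot: The `permissions_with_grant_option` checks in testAccPermissions_lfTag still use positional keys (`"permissions_with_grant_option.0"`, `"permissions_with_grant_option.1"`) although that attribute is now a TypeSet in the same PR; for a two-element set the index a given value lands on is not stable, so this check is order-dependent in exactly the way the PR is removing for `permissions`. They should become `resource.TestCheckTypeSetElemAttr(resourceName, "permissions_with_grant_option.*", "ASSOCIATE")` and `resource.TestCheckTypeSetElemAttr(resourceName, "permissions_with_grant_option.*", "DESCRIBE")`, matching the `permissions.*` checks directly above them. The single-element `.0` checks in testAccPermissions_database, testAccPermissions_databaseMultiple, testAccPermissions_lfTagPolicy and testAccPermissions_lfTagPolicyMultiple probably still resolve, but switching them to the same set-aware form would keep the file consistent. Each of these test functions starts and ends outside its hunk.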