Merge pull request #26643 from Tonkonozhenko/patch-3

Lakeformation Permissions trigger Force New

Author: ewbankkit

.changelog/26643.txt

@@ -0,0 +1,19 @@
+```release-note:bug
+ resource/aws_lakeformation_permissions: Change `lf_tag`, `lf_tag.values`, `lf_tag_policy`, `lf_tag_policy.expression.key`, `lf_tag_policy.expression.values` and `lf_tag_policy.resource_type` to [ForceNew](https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew)
+```
+
+```release-note:bug
+ resource/aws_lakeformation_permissions: Remove limit on number of `lf_tag_policy.expression` blocks
+```
+
+```release-note:bug
+ data-source/aws_lakeformation_permissions: Remove limit on number of `lf_tag_policy.expression` blocks
+```
+
+```release-note:bug
+ resource/aws_lakeformation_permissions: Change `lf_tag_policy.expression` from `TypeList` to `TypeSet` as order is not significant
+```
+
+```release-note:bug
+ data-source/aws_lakeformation_permissions: Change `lf_tag_policy.expression` from `TypeList` to `TypeSet` as order is not significant
+```

internal/service/lakeformation/lakeformation_test.go

@@ -17,14 +17,15 @@ func TestAccLakeFormation_serial(t *testing.T) {
 			"withoutCatalogId": testAccDataLakeSettings_withoutCatalogID,
 		},
 		"PermissionsBasic": {
-			"basic":              testAccPermissions_basic,
-			"database":           testAccPermissions_database,
-			"databaseIAMAllowed": testAccPermissions_databaseIAMAllowed,
-			"databaseMultiple":   testAccPermissions_databaseMultiple,
-			"dataLocation":       testAccPermissions_dataLocation,
-			"disappears":         testAccPermissions_disappears,
-			"lfTag":              testAccPermissions_lfTag,
-			"lfTagPolicy":        testAccPermissions_lfTagPolicy,
+			"basic":               testAccPermissions_basic,
+			"database":            testAccPermissions_database,
+			"databaseIAMAllowed":  testAccPermissions_databaseIAMAllowed,
+			"databaseMultiple":    testAccPermissions_databaseMultiple,
+			"dataLocation":        testAccPermissions_dataLocation,
+			"disappears":          testAccPermissions_disappears,
+			"lfTag":               testAccPermissions_lfTag,
+			"lfTagPolicy":         testAccPermissions_lfTagPolicy,
+			"lfTagPolicyMultiple": testAccPermissions_lfTagPolicyMultiple,
 		},
 		"PermissionsDataSource": {
 			"basic":            testAccPermissionsDataSource_basic,

internal/service/lakeformation/permissions.go

@@ -120,6 +120,7 @@ func ResourcePermissions() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				Computed: true,
+				ForceNew: true,
 				MaxItems: 1,
 				ExactlyOneOf: []string{
 					"catalog_resource",
@@ -132,6 +133,12 @@ func ResourcePermissions() *schema.Resource {
 				},
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"catalog_id": {
+							Type:     schema.TypeString,
+							ForceNew: true,
+							Optional: true,
+							Computed: true,
+						},
 						"key": {
 							Type:         schema.TypeString,
 							Required:     true,
@@ -141,19 +148,13 @@ func ResourcePermissions() *schema.Resource {
 						"values": {
 							Type:     schema.TypeSet,
 							Required: true,
+							ForceNew: true,
 							MinItems: 1,
 							MaxItems: 15,
 							Elem: &schema.Schema{
 								Type:         schema.TypeString,
 								ValidateFunc: validateLFTagValues(),
 							},
-							Set: schema.HashString,
-						},
-						"catalog_id": {
-							Type:     schema.TypeString,
-							ForceNew: true,
-							Optional: true,
-							Computed: true,
 						},
 					},
 				},
@@ -162,6 +163,7 @@ func ResourcePermissions() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				Computed: true,
+				ForceNew: true,
 				MaxItems: 1,
 				ExactlyOneOf: []string{
 					"catalog_resource",
@@ -181,34 +183,35 @@ func ResourcePermissions() *schema.Resource {
 							ValidateFunc: verify.ValidAccountID,
 						},
 						"expression": {
-							Type:     schema.TypeList,
+							Type:     schema.TypeSet,
 							Required: true,
 							MinItems: 1,
-							MaxItems: 5,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"key": {
 										Type:         schema.TypeString,
 										Required:     true,
+										ForceNew:     true,
 										ValidateFunc: validation.StringLenBetween(1, 128),
 									},
 									"values": {
 										Type:     schema.TypeSet,
 										Required: true,
+										ForceNew: true,
 										MinItems: 1,
 										MaxItems: 15,
 										Elem: &schema.Schema{
 											Type:         schema.TypeString,
 											ValidateFunc: validateLFTagValues(),
 										},
-										Set: schema.HashString,
 									},
 								},
 							},
 						},
 						"resource_type": {
 							Type:         schema.TypeString,
 							Required:     true,
+							ForceNew:     true,
 							ValidateFunc: validation.StringInSlice(lakeformation.ResourceType_Values(), false),
 						},
 					},
@@ -320,7 +323,6 @@ func ResourcePermissions() *schema.Resource {
 							Type:     schema.TypeSet,
 							ForceNew: true,
 							Optional: true,
-							Set:      schema.HashString,
 							Elem: &schema.Schema{
 								Type:         schema.TypeString,
 								ValidateFunc: validation.NoZeroValues,
@@ -339,7 +341,6 @@ func ResourcePermissions() *schema.Resource {
 							Type:     schema.TypeSet,
 							ForceNew: true,
 							Optional: true,
-							Set:      schema.HashString,
 							Elem: &schema.Schema{
 								Type:         schema.TypeString,
 								ValidateFunc: validation.NoZeroValues,
@@ -888,8 +889,8 @@ func ExpandLFTagPolicyResource(tfMap map[string]interface{}) *lakeformation.LFTa
 		apiObject.CatalogId = aws.String(v)
 	}
 
-	if v, ok := tfMap["expression"]; ok && v != nil {
-		apiObject.Expression = ExpandLFTagExpression(v.([]interface{}))
+	if v, ok := tfMap["expression"].(*schema.Set); ok && v.Len() > 0 {
+		apiObject.Expression = ExpandLFTagExpression(v.List())
 	}
 
 	if v, ok := tfMap["resource_type"].(string); ok && v != "" {

internal/service/lakeformation/permissions_data_source.go

@@ -74,27 +74,18 @@ func DataSourcePermissions() *schema.Resource {
 					},
 				},
 			},
-			"permissions": {
-				Type:     schema.TypeList,
-				Computed: true,
-				Elem: &schema.Schema{
-					Type: schema.TypeString,
-				},
-			},
-			"permissions_with_grant_option": {
-				Type:     schema.TypeList,
-				Computed: true,
-				Elem: &schema.Schema{
-					Type: schema.TypeString,
-				},
-			},
 			"lf_tag": {
 				Type:     schema.TypeList,
 				Optional: true,
 				Computed: true,
 				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"catalog_id": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Computed: true,
+						},
 						"key": {
 							Type:         schema.TypeString,
 							Required:     true,
@@ -109,12 +100,6 @@ func DataSourcePermissions() *schema.Resource {
 								Type:         schema.TypeString,
 								ValidateFunc: validateLFTagValues(),
 							},
-							Set: schema.HashString,
-						},
-						"catalog_id": {
-							Type:     schema.TypeString,
-							Optional: true,
-							Computed: true,
 						},
 					},
 				},
@@ -133,10 +118,9 @@ func DataSourcePermissions() *schema.Resource {
 							ValidateFunc: verify.ValidAccountID,
 						},
 						"expression": {
-							Type:     schema.TypeList,
+							Type:     schema.TypeSet,
 							Required: true,
 							MinItems: 1,
-							MaxItems: 5,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"key": {
@@ -153,7 +137,6 @@ func DataSourcePermissions() *schema.Resource {
 											Type:         schema.TypeString,
 											ValidateFunc: validateLFTagValues(),
 										},
-										Set: schema.HashString,
 									},
 								},
 							},
@@ -166,6 +149,20 @@ func DataSourcePermissions() *schema.Resource {
 					},
 				},
 			},
+			"permissions": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
+			"permissions_with_grant_option": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"principal": {
 				Type:         schema.TypeString,
 				Required:     true,
@@ -217,7 +214,6 @@ func DataSourcePermissions() *schema.Resource {
 						"column_names": {
 							Type:     schema.TypeSet,
 							Optional: true,
-							Set:      schema.HashString,
 							Elem: &schema.Schema{
 								Type:         schema.TypeString,
 								ValidateFunc: validation.NoZeroValues,
@@ -230,7 +226,6 @@ func DataSourcePermissions() *schema.Resource {
 						"excluded_column_names": {
 							Type:     schema.TypeSet,
 							Optional: true,
-							Set:      schema.HashString,
 							Elem: &schema.Schema{
 								Type:         schema.TypeString,
 								ValidateFunc: validation.NoZeroValues,

internal/service/lakeformation/permissions_data_source_test.go

@@ -283,11 +283,6 @@ resource "aws_s3_bucket" "test" {
   force_destroy = true
 }
 
-resource "aws_s3_bucket_acl" "test" {
-  bucket = aws_s3_bucket.test.id
-  acl    = "private"
-}
-
 resource "aws_lakeformation_resource" "test" {
   arn = aws_s3_bucket.test.arn
 }