resource/lakeformation_resource: Use ForceNew for more update options

hashicorp · Dec 9, 2020 · 870c35d · 870c35d
1 parent 7e920ba
commit 870c35d
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 23 deletions.
diff --git a/aws/resource_aws_lakeformation_resource.go b/aws/resource_aws_lakeformation_resource.go
@@ -15,7 +15,6 @@ func resourceAwsLakeFormationResource() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceAwsLakeFormationResourceCreate,
 		Read:   resourceAwsLakeFormationResourceRead,
-		Update: resourceAwsLakeFormationResourceUpdate,
 		Delete: resourceAwsLakeFormationResourceDelete,
 
 		Schema: map[string]*schema.Schema{
@@ -33,6 +32,7 @@ func resourceAwsLakeFormationResource() *schema.Resource {
 				Type:         schema.TypeString,
 				Optional:     true,
 				Computed:     true,
+				ForceNew:     true,
 				ValidateFunc: validateArn,
 			},
 		},
@@ -102,26 +102,6 @@ func resourceAwsLakeFormationResourceRead(d *schema.ResourceData, meta interface
 	return nil
 }
 
-func resourceAwsLakeFormationResourceUpdate(d *schema.ResourceData, meta interface{}) error {
-	if _, ok := d.GetOk("role_arn"); !ok {
-		return resourceAwsLakeFormationResourceCreate(d, meta)
-	}
-
-	conn := meta.(*AWSClient).lakeformationconn
-
-	input := &lakeformation.UpdateResourceInput{
-		ResourceArn: aws.String(d.Get("resource_arn").(string)),
-		RoleArn:     aws.String(d.Get("role_arn").(string)),
-	}
-
-	_, err := conn.UpdateResource(input)
-	if err != nil {
-		return fmt.Errorf("error updating Lake Formation Resource (%s): %w", d.Id(), err)
-	}
-
-	return resourceAwsLakeFormationResourceRead(d, meta)
-}
-
 func resourceAwsLakeFormationResourceDelete(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).lakeformationconn
 	resourceArn := d.Get("resource_arn").(string)

diff --git a/aws/resource_aws_lakeformation_resource_test.go b/aws/resource_aws_lakeformation_resource_test.go
@@ -82,7 +82,7 @@ func TestAccAWSLakeFormationResource_serviceLinkedRole(t *testing.T) {
 	})
 }
 
-func TestAccAWSLakeFormationResource_update(t *testing.T) {
+func TestAccAWSLakeFormationResource_updateRoleToRole(t *testing.T) {
 	bucketName := acctest.RandomWithPrefix("tf-acc-test")
 	roleName1 := acctest.RandomWithPrefix("tf-acc-test")
 	roleName2 := acctest.RandomWithPrefix("tf-acc-test")
@@ -115,6 +115,47 @@ func TestAccAWSLakeFormationResource_update(t *testing.T) {
 	})
 }
 
+func TestAccAWSLakeFormationResource_updateSLRToRole(t *testing.T) {
+	bucketName := acctest.RandomWithPrefix("tf-acc-test")
+	roleName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceAddr := "aws_lakeformation_resource.test"
+	bucketAddr := "aws_s3_bucket.test"
+	roleAddr := "aws_iam_role.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPartitionHasServicePreCheck(lakeformation.EndpointsID, t)
+			testAccPreCheckIamServiceLinkedRole(t, "/aws-service-role/lakeformation.amazonaws.com")
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLakeFormationResourceDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLakeFormationResourceConfig_serviceLinkedRole(bucketName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSLakeFormationResourceExists(resourceAddr),
+					resource.TestCheckResourceAttrPair(resourceAddr, "resource_arn", bucketAddr, "arn"),
+					testAccCheckResourceAttrGlobalARN(resourceAddr, "role_arn", "iam", "role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"),
+				),
+			},
+			{
+				Config: testAccAWSLakeFormationResourceConfig_basic(bucketName, roleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSLakeFormationResourceExists(resourceAddr),
+					resource.TestCheckResourceAttrPair(resourceAddr, "role_arn", roleAddr, "arn"),
+					resource.TestCheckResourceAttrPair(resourceAddr, "resource_arn", bucketAddr, "arn"),
+				),
+			},
+		},
+	})
+}
+
+// AWS does not support changing from an IAM role to an SLR. No error is thrown
+// but the registration is not changed (the IAM role continues in the registration).
+//
+// func TestAccAWSLakeFormationResource_updateRoleToSLR(t *testing.T) {
+
 func testAccCheckAWSLakeFormationResourceDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).lakeformationconn
 

diff --git a/website/docs/r/lakeformation_resource.html.markdown b/website/docs/r/lakeformation_resource.html.markdown
@@ -29,7 +29,9 @@ resource "aws_lakeformation_resource" "example" {
 The following arguments are required:
 
 * `resource_arn` – (Required) Amazon Resource Name (ARN) of the resource, an S3 path.
-* `role_arn` – (Optional) Role that has read/write access to the resource. If not provided, the service-linked role is used.
+* `role_arn` – (Optional) Role that has read/write access to the resource. If not provided, the Lake Formation service-linked role must exist and is used.
+
+~> **NOTE:** AWS does not support registering an S3 location with an IAM role and subsequently updating the S3 location registration to a service-linked role.
 
 ## Attributes Reference