
[Bug]: LakeFormation permissions for S3Tables Catalog #40724

@alfonsozamorac

Description


Terraform Core Version

1.10.3

AWS Provider Version

5.82.2

Affected Resource(s)

aws_lakeformation_permissions

Expected Behavior

Grant table permissions on a table in an S3 Tables bucket (see "Grant permission on a table" -> https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html)

Actual Behavior

Error on the catalog_id; from the command line the same grant works:

aws lakeformation grant-permissions \
--region <region e.g. us-east-1> \
--cli-input-json \
'{
    "Principal": {
        "DataLakePrincipalIdentifier": "<user or role ARN e.g. arn:aws:iam::<account-id>:role/ExampleRole>"
    },
    "Resource": {
        "Table": {
            "CatalogId": "<account-id>:s3tablescatalog/<S3 table bucket name>",
            "DatabaseName": "<S3 table bucket namespace e.g. test_namespace>",
            "Name": "<S3 table bucket table name e.g. test_table>"
        }
    },
    "Permissions": [
        "ALL"
    ]
}'

Relevant Error/Panic Output Snippet

Error: "table.0.catalog_id" doesn't look like AWS Account ID (exactly 12 digits): "$ACCOUNT_ID:s3tablescatalog/$TABLE_BUCKET"

│   with aws_lakeformation_permissions.example,
│   on main.tf line 192, in resource "aws_lakeformation_permissions" "example":
│  192:     catalog_id = "${data.aws_caller_identity.current.account_id}:s3tablescatalog/${var.table_bucket.name}"

Terraform Configuration Files

data "aws_caller_identity" "current" {}

# Principal that receives the Lake Formation grant.
data "aws_iam_user" "current_user" {
  user_name = var.aws_user
}

resource "aws_s3tables_table_bucket" "example" {
  name = "example-bucket"
}

resource "aws_s3tables_namespace" "example" {
  namespace        = "example-namespace"
  table_bucket_arn = aws_s3tables_table_bucket.example.arn
}

resource "aws_s3tables_table" "example" {
  name             = "example-table"
  namespace        = aws_s3tables_namespace.example.namespace
  table_bucket_arn = aws_s3tables_namespace.example.table_bucket_arn
  format           = "ICEBERG"
}

resource "aws_lakeformation_permissions" "example" {
  permissions = ["ALL"]
  principal   = data.aws_iam_user.current_user.arn

  table {
    # Federated S3 Tables catalog: "<account-id>:s3tablescatalog/<table-bucket-name>".
    # This is the value the CLI accepts and the provider rejects with the
    # "doesn't look like AWS Account ID (exactly 12 digits)" error above.
    catalog_id    = "${data.aws_caller_identity.current.account_id}:s3tablescatalog/${aws_s3tables_table_bucket.example.name}"
    database_name = aws_s3tables_namespace.example.namespace
    name          = aws_s3tables_table.example.name
  }
}

Steps to Reproduce

  1. terraform init -upgrade
  2. terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
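As an added illustration of the validation gap described in this issue (example code, not part of the issue or of the provider), the script below builds the same GrantPermissions request as the CLI call above and contrasts the provider's current "exactly 12 digits" check with a check that also accepts the federated S3 Tables catalog form `<account-id>:s3tablescatalog/<table-bucket-name>`. The bucket-name pattern (3-63 lowercase letters, digits and hyphens) and the table-level permission set are assumptions taken from the service documentation; the account ID, bucket, namespace and role ARN are constructed sample values. The boto3 call only runs when `--apply` is passed, so the rest works offline.

```python
"""Build and validate a Lake Formation grant on an S3 Tables table.

Added example for the issue "LakeFormation permissions for S3Tables Catalog";
not code from the issue or from terraform-provider-aws.
"""
import json
import re
import sys

# Assumption: S3 Tables bucket names are 3-63 chars of lowercase letters,
# digits and hyphens, starting and ending with a letter or digit.
_CATALOG_ID_RE = re.compile(
    r"^(?P<account>\d{12})"
    r"(?::s3tablescatalog/(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9]))?$"
)
# What aws_lakeformation_permissions 5.82.2 enforces on table.0.catalog_id.
_PROVIDER_CHECK_RE = re.compile(r"^\d{12}$")

# Assumption: Lake Formation table-level permissions.
_TABLE_PERMISSIONS = {"ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE"}


def provider_accepts(catalog_id: str) -> bool:
    """Mirror the provider's current validation: a bare 12-digit account ID only."""
    return bool(_PROVIDER_CHECK_RE.match(catalog_id))


def parse_catalog_id(catalog_id: str) -> dict:
    """Accept both the default Glue catalog (account ID) and the federated
    S3 Tables catalog; return its parts or raise ValueError."""
    m = _CATALOG_ID_RE.match(catalog_id)
    if not m:
        raise ValueError(f"not an account ID or S3 Tables catalog id: {catalog_id!r}")
    return {"account_id": m["account"], "table_bucket": m["bucket"]}


def s3tables_catalog_id(account_id: str, table_bucket: str) -> str:
    """Return '<account-id>:s3tablescatalog/<bucket>' after validating it."""
    catalog_id = f"{account_id}:s3tablescatalog/{table_bucket}"
    parse_catalog_id(catalog_id)
    return catalog_id


def build_grant_request(principal_arn: str, catalog_id: str, database_name: str,
                        table_name: str, permissions: list) -> dict:
    """Build the GrantPermissions body (same shape as the --cli-input-json above).

    Rejects unknown permission names so a typo cannot silently widen a grant.
    """
    unknown = set(permissions) - _TABLE_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown table permissions: {sorted(unknown)}")
    parse_catalog_id(catalog_id)  # fail early with a clear message
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {
            "Table": {
                "CatalogId": catalog_id,
                "DatabaseName": database_name,
                "Name": table_name,
            }
        },
        "Permissions": sorted(permissions),
    }


if __name__ == "__main__":
    # Constructed sample values; replace with your own.
    account = "123456789012"
    catalog = s3tables_catalog_id(account, "example-bucket")
    request = build_grant_request(
        principal_arn=f"arn:aws:iam::{account}:role/ExampleRole",
        catalog_id=catalog,
        database_name="example_namespace",
        table_name="example_table",
        permissions=["SELECT", "DESCRIBE"],  # least privilege instead of ALL
    )
    print("provider accepts catalog_id:", provider_accepts(catalog))
    print(json.dumps(request, indent=2))
    if "--apply" in sys.argv:
        import boto3  # only needed to actually call the API
        boto3.client("lakeformation").grant_permissions(**request)
```

Run it without arguments to print the request body and see that `provider_accepts` returns `False` for the federated catalog ID even though the service accepts it; pass `--apply` with valid credentials to perform the grant via boto3.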

Metadata

Labels: bug (Addresses a defect in current functionality), service/lakeformation (Issues and PRs that pertain to the lakeformation service).

Assignees: no one assigned. Milestone: none. Development: no branches or pull requests.