From 8ddc68b648f16fe4a1096745cc2cd4b6fb7833bb Mon Sep 17 00:00:00 2001
From: Jack Batzner <brunhil@users.noreply.github.com>
Date: Wed, 31 Mar 2021 11:00:15 -0500
Subject: [PATCH] Write test to confirm bug #18446

---
 ...urce_aws_lakeformation_permissions_test.go | 94 +++++++++++++++++++
 aws/resource_aws_lakeformation_test.go        |  3 +-
 2 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/aws/resource_aws_lakeformation_permissions_test.go b/aws/resource_aws_lakeformation_permissions_test.go
index 2f0c3ccd85b..31f437b3d08 100644
--- a/aws/resource_aws_lakeformation_permissions_test.go
+++ b/aws/resource_aws_lakeformation_permissions_test.go
@@ -238,6 +238,30 @@ func testAccAWSLakeFormationPermissions_selectPermissions(t *testing.T) {
 	})
 }
 
+func testAccAWSLakeFormationPermissions_wildcardPermissions(t *testing.T) {
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_lakeformation_permissions.test"
+	roleName := "aws_iam_role.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPartitionHasServicePreCheck(lakeformation.EndpointsID, t) },
+		ErrorCheck:   testAccErrorCheck(t, lakeformation.EndpointsID),
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSLakeFormationPermissionsDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSLakeFormationPermissionsConfig_wildcardPermissions(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSLakeFormationPermissionsExists(resourceName),
+					resource.TestCheckResourceAttrPair(resourceName, "principal", roleName, "arn"),
+					resource.TestCheckResourceAttr(resourceName, "permissions.#", "7"),
+					resource.TestCheckResourceAttr(resourceName, "permissions_with_grant_option.#", "7"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckAWSLakeFormationPermissionsDestroy(s *terraform.State) error {
 	conn := testAccProvider.Meta().(*AWSClient).lakeformationconn
 
@@ -835,3 +859,73 @@ resource "aws_lakeformation_permissions" "test" {
 }
 `, rName)
 }
+
+func testAccAWSLakeFormationPermissionsConfig_wildcardPermissions(rName string) string {
+	return fmt.Sprintf(`
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "test" {
+  name = %[1]q
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "glue.${data.aws_partition.current.dns_suffix}"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_glue_catalog_database" "test" {
+  name = %[1]q
+}
+
+resource "aws_glue_catalog_table" "test" {
+  name          = %[1]q
+  database_name = aws_glue_catalog_database.test.name
+
+  storage_descriptor {
+    columns {
+      name = "event"
+      type = "string"
+    }
+    columns {
+      name = "timestamp"
+      type = "date"
+    }
+    columns {
+      name = "value"
+      type = "double"
+    }
+  }
+}
+
+resource "aws_lakeformation_data_lake_settings" "test" {
+  # this will result in multiple permissions for iam role
+  admins = [aws_iam_role.test.arn, data.aws_caller_identity.current.arn]
+}
+
+resource "aws_lakeformation_permissions" "test" {
+  principal = aws_iam_role.test.arn
+
+  permissions                   = ["ALL", "ALTER", "DELETE", "DESCRIBE", "DROP", "INSERT", "SELECT"]
+  permissions_with_grant_option = ["ALL", "ALTER", "DELETE", "DESCRIBE", "DROP", "INSERT", "SELECT"]
+
+  table {
+    database_name = aws_glue_catalog_table.test.database_name
+	wildcard      = true
+  }
+}
+`, rName)
+}
diff --git a/aws/resource_aws_lakeformation_test.go b/aws/resource_aws_lakeformation_test.go
index ac9e38dd089..06ed7210893 100644
--- a/aws/resource_aws_lakeformation_test.go
+++ b/aws/resource_aws_lakeformation_test.go
@@ -16,7 +16,8 @@ func TestAccAWSLakeFormation_serial(t *testing.T) {
 			"basic":             testAccAWSLakeFormationPermissions_basic,
 			"dataLocation":      testAccAWSLakeFormationPermissions_dataLocation,
 			"database":          testAccAWSLakeFormationPermissions_database,
-			"selectPermissions": testAccAWSLakeFormationPermissions_selectPermissions,
+			"selectPermissions":   testAccAWSLakeFormationPermissions_selectPermissions,
+			"wildcardPermissions": testAccAWSLakeFormationPermissions_wildcardPermissions,
 		},
 		"TablePermissions": {
 			"tableName":                testAccAWSLakeFormationPermissions_table_name,