
Pulumi Snowflake GrantPrivilegesToAccountRole Error


Getting an issue when trying to upgrade our system from legacy Pulumi Snowflake Grants (StageGrant) to using the newer GrantPrivilegesToAccountRole. I'm seeing an issue when trying to provision permissions for a single schema object (in this case a stage). An example Pulumi code snippet is below:

stage = pulumi_snowflake.Stage(
    ...
)

stage_grant = pulumi_snowflake.GrantPrivilegesToAccountRole(
    resource_name="account-admin-grant-account-role",
    account_role_name=role,
    on_schema_object={
        "object_name": stage.fully_qualified_name,
        "object_type": "STAGE",
    },
    privileges=["USAGE"],
    opts=pulumi.ResourceOptions(parent=self, depends_on=[stage]),
)

Based on the Snowflake Pulumi docs, this formatting should suffice, but when I try to deploy I get:

error: snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole resource 'account-admin-grant-account-role' has a problem: 
  Invalid combination of arguments. "on_schema_object.0.future": one of `on_schema_object.0.all,on_schema_object.0.future,on_schema_object.0.object_name` must be specified. 
  Examine values at 'account-admin-grant-account-role.onSchemaObject.future'.
error: snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole resource 'account-admin-grant-account-role' has a problem: 
  Missing required argument. "on_schema_object.0.object_type": all of `on_schema_object.0.object_name,on_schema_object.0.object_type` must be specified. 
  Examine values at 'account-admin-grant-account-role.onSchemaObject.objectType'.
error: snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole resource 'account-admin-grant-account-role' has a problem: 
  Invalid combination of arguments. "on_schema_object.0.object_name": one of `on_schema_object.0.all,on_schema_object.0.future,on_schema_object.0.object_name` must be specified. 
  Examine values at 'account-admin-grant-account-role.onSchemaObject.objectName'.
error: snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole resource 'account-admin-grant-account-role' has a problem: 
  Invalid combination of arguments. "on_schema_object.0.all": one of `on_schema_object.0.all,on_schema_object.0.future,on_schema_object.0.object_name` must be specified. 
  Examine values at 'account-admin-grant-account-role.onSchemaObject.all'.

The error implies that my combination of on_schema_object args is invalid, but the docs seem to indicate otherwise. Any ideas for how to resolve/debug this?


Solution

  • Resolved this after some debugging. As it turns out, fully_qualified_name was actually a null value, causing this issue. To resolve it, I manually constructed the fully_qualified_name. The docs imply that this should be an accessible field, but it appears not. I didn't confirm, but I suspect it's related to the fact that I'm making these changes as part of an upgrade from a legacy version (0.54) to a newer version (1.1.3).
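
One way to construct the name manually, as the answer describes, while failing fast if any part is null so that a grant never reaches the provider without a target. This is an added example, not code from the original post or from the Pulumi Snowflake provider; the helper names and the quoted "DB"."SCHEMA"."NAME" form are assumptions.

```python
"""Added example: build on_schema_object for a single-object grant, rejecting null parts."""
from typing import Optional


def fully_qualified_name(database: Optional[str],
                         schema: Optional[str],
                         name: Optional[str]) -> str:
    """Return '"DB"."SCHEMA"."NAME"' or raise if any part is unusable."""
    parts = {"database": database, "schema": schema, "name": name}
    for label, value in parts.items():
        # A null part is what produced the confusing "one of all/future/object_name
        # must be specified" errors: the provider saw no object_name at all.
        if value is None or not value.strip():
            raise ValueError(f"{label} is null or empty; refusing to build object_name")
        # Embedded double quotes would need escaping inside a quoted identifier.
        # This example rejects them instead of guessing how they are parsed.
        if '"' in value:
            raise ValueError(f"{label} contains a double quote: {value!r}")
    return ".".join(f'"{value}"' for value in parts.values())


def schema_object_target(object_type: str,
                         database: Optional[str],
                         schema: Optional[str],
                         name: Optional[str]) -> dict:
    """Return the on_schema_object mapping for exactly one named object."""
    if not object_type:
        raise ValueError("object_type is required together with object_name")
    return {
        "object_type": object_type.upper(),
        "object_name": fully_qualified_name(database, schema, name),
    }


# Hypothetical use inside a Pulumi program (assumes the Stage resource exposes
# database, schema and name outputs; not executed here):
#
#   on_schema_object={
#       "object_type": "STAGE",
#       "object_name": pulumi.Output.all(stage.database, stage.schema, stage.name)
#                            .apply(lambda p: fully_qualified_name(*p)),
#   }

if __name__ == "__main__":
    # Constructed sample values, not taken from the original post.
    print(schema_object_target("stage", "ANALYTICS", "RAW", "LANDING_STAGE"))
```

Raising inside the helper turns a null part into an error that names the missing field, instead of the provider's generic argument-combination errors.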