Pulumi refresh is adding __defaults (input) and alwaysApplyTrigger: "" (output) when pulumi import did not #552

@anitalySuper

What happened?

I used the pulumi import command to bulk import thousands of Snowflake resources using type "snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole". After the grants are imported, with no changes to the actual resource/grant itself, Pulumi wants to update the state when running pulumi refresh. I do not expect the state to be modified, yet it is.

So either pulumi import did not import all the necessary parameters to represent a grant privilege to account role state or pulumi refresh is unnecessarily modifying the state.

Example

For example, this is the id of a privilege grant I imported:
"APPLICATION|false|false|SELECT|OnSchemaObject|OnAll|TABLES|InDatabase|DB_APPS".

The state file then contains this JSON:

                {
                    "urn": "urn:pulumi:prod::snowflake-table-grants::snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole::application--false--onschemaobject--onall--tables--indatabase--db-apps--without-grant-option--table-to-role--grant",
                    "custom": true,
                    "id": "APPLICATION|false|false|SELECT|OnSchemaObject|OnAll|TABLES|InDatabase|DB_APPS",
                    "type": "snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole",
                    "inputs": {
                        "__defaults": [],
                        "accountRoleName": "\"APPLICATION\"",
                        "onSchemaObject": {
                            "__defaults": [],
                            "all": {
                                "__defaults": [],
                                "inDatabase": "\"DB_APPS\"",
                                "objectTypePlural": "TABLES"
                            }
                        },
                        "privileges": [
                            "SELECT"
                        ]
                    },
                    "outputs": {
                        "accountRoleName": "\"APPLICATION\"",
                        "allPrivileges": false,
                        "alwaysApply": false,
                        "id": "APPLICATION|false|false|SELECT|OnSchemaObject|OnAll|TABLES|InDatabase|DB_APPS",
                        "onAccount": false,
                        "onAccountObject": null,
                        "onSchema": null,
                        "onSchemaObject": {
                            "all": {
                                "inDatabase": "\"DB_APPS\"",
                                "inSchema": "",
                                "objectTypePlural": "TABLES"
                            },
                            "future": null,
                            "objectName": "",
                            "objectType": ""
                        },
                        "privileges": [
                            "SELECT"
                        ],
                        "withGrantOption": false
                    },
                    "parent": "urn:pulumi:prod::snowflake-table-grants::pulumi:pulumi:Stack::snowflake-table-grants-prod",
                    "provider": "urn:pulumi:prod::snowflake-table-grants::pulumi:providers:snowflake::default::40264408-63d8-47f5-805d-de289179a141",
                    "created": "2024-03-27T00:09:03.075739409Z",
                    "modified": "2024-03-27T00:09:03.075739409Z"
                },

After running pulumi refresh, the JSON for the grant looks like this:

                {
                    "urn": "urn:pulumi:prod::snowflake-table-grants::snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole::application--false--onschemaobject--onall--tables--indatabase--db-apps--without-grant-option--table-to-role--grant",
                    "custom": true,
                    "id": "APPLICATION|false|false|SELECT|OnSchemaObject|OnAll|TABLES|InDatabase|DB_APPS",
                    "type": "snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole",
                    "inputs": {
                        "__defaults": [
                            "alwaysApply",
                            "alwaysApplyTrigger",
                            "withGrantOption"
                        ],
                        "accountRoleName": "\"APPLICATION\"",
                        "alwaysApply": false,
                        "alwaysApplyTrigger": "",
                        "onSchemaObject": {
                            "__defaults": [],
                            "all": {
                                "__defaults": [],
                                "inDatabase": "\"DB_APPS\"",
                                "objectTypePlural": "TABLES"
                            }
                        },
                        "privileges": [
                            "SELECT"
                        ],
                        "withGrantOption": false
                    },
                    "outputs": {
                        "accountRoleName": "\"APPLICATION\"",
                        "allPrivileges": false,
                        "alwaysApply": false,
                        "alwaysApplyTrigger": "",
                        "id": "APPLICATION|false|false|SELECT|OnSchemaObject|OnAll|TABLES|InDatabase|DB_APPS",
                        "onAccount": false,
                        "onAccountObject": null,
                        "onSchema": null,
                        "onSchemaObject": {
                            "all": {
                                "inDatabase": "\"DB_APPS\"",
                                "inSchema": "",
                                "objectTypePlural": "TABLES"
                            },
                            "future": null,
                            "objectName": "",
                            "objectType": ""
                        },
                        "privileges": [
                            "SELECT"
                        ],
                        "withGrantOption": false
                    },
                    "parent": "urn:pulumi:prod::snowflake-table-grants::pulumi:pulumi:Stack::snowflake-table-grants-prod",
                    "provider": "urn:pulumi:prod::snowflake-table-grants::pulumi:providers:snowflake::default::40264408-63d8-47f5-805d-de289179a141",
                    "propertyDependencies": {
                        "accountRoleName": [],
                        "onSchemaObject": [],
                        "privileges": []
                    },
                    "created": "2024-03-27T00:09:03.075739409Z",
                    "modified": "2024-04-02T19:59:40.110880888Z"
                },

Pulumi is adding in default inputs and a parameter of alwaysApplyTrigger: "" as an output.

Output of pulumi about

CLI
Version 3.112.0
Go Version go1.22.1
Go Compiler gc

Plugins
NAME VERSION
snowflake unknown
yaml unknown

Host
OS ubuntu
Version 22.04
Arch x86_64

This project is written in yaml

Current Stack: organization/snowflake-table-grants/prod

TYPE URN
pulumi:pulumi:Stack urn:pulumi:prod::snowflake-table-grants::pulumi:pulumi:Stack::snowflake-table-grants-prod
pulumi:providers:snowflake urn:pulumi:prod::snowflake-table-grants::pulumi:providers:snowflake::default
snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole urn:pulumi:prod::snowflake-table-grants::snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole::application--false--onschemaobject--onfuture--tables--indatabase--db-apps--without-grant-option--table-to-role--grant

Additional context

I have thousands of similar grants, and with a self-managed backend hosted in S3, running pulumi refresh on the stack means each resource is getting a state modification individually. Writing to S3 for each individual modification is slow and should be unnecessary in this case.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
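Because these resources are Snowflake privilege grants, a practical check before accepting the refreshed state is to confirm that the refresh touched only provider defaults and engine bookkeeping, not the grant itself. The following is an added example, not code from the issue or from Pulumi; the function names, the `BOOKKEEPING` set, and the rule that a newly added key is harmless when it is listed in `inputs.__defaults` are assumptions taken from the diff shown above, and the two entries are trimmed, constructed copies of the quoted state.

```python
import copy

# Constructed, trimmed copies of the two state entries quoted in the issue.
BEFORE = {
    "id": "APPLICATION|false|false|SELECT|OnSchemaObject|OnAll|TABLES|InDatabase|DB_APPS",
    "inputs": {"__defaults": [], "accountRoleName": '"APPLICATION"', "privileges": ["SELECT"]},
    "outputs": {"accountRoleName": '"APPLICATION"', "allPrivileges": False,
                "alwaysApply": False, "privileges": ["SELECT"], "withGrantOption": False},
    "modified": "2024-03-27T00:09:03.075739409Z",
}
AFTER = copy.deepcopy(BEFORE)
AFTER["inputs"].update({"__defaults": ["alwaysApply", "alwaysApplyTrigger", "withGrantOption"],
                        "alwaysApply": False, "alwaysApplyTrigger": "", "withGrantOption": False})
AFTER["outputs"]["alwaysApplyTrigger"] = ""
AFTER["propertyDependencies"] = {"accountRoleName": [], "onSchemaObject": [], "privileges": []}
AFTER["modified"] = "2024-04-02T19:59:40.110880888Z"

# Assumption: these top-level keys are engine metadata, not grant content.
BOOKKEEPING = {"modified", "propertyDependencies"}
_MISSING = object()

def flatten(node, prefix=""):
    """Flatten nested dicts to {dotted.path: value}; lists stay as leaf values."""
    if not isinstance(node, dict):
        return {prefix: node}
    out = {}
    for key, value in node.items():
        out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return out

def classify_refresh_diff(before, after):
    """Return (noise, drift): paths changed by refresh, split into provider
    defaults/bookkeeping versus changes to the grant itself."""
    defaults = set(after.get("inputs", {}).get("__defaults", []))
    old, new = flatten(before), flatten(after)
    noise, drift = [], []
    for path in sorted(set(old) | set(new)):
        if old.get(path, _MISSING) == new.get(path, _MISSING):
            continue
        parts = path.split(".")
        # Assumption: a key that is new after refresh and named in
        # inputs.__defaults is a provider default, not a privilege change.
        added_default = (path not in old and len(parts) == 2
                         and parts[0] in ("inputs", "outputs") and parts[1] in defaults)
        if parts[0] in BOOKKEEPING or parts[-1] == "__defaults" or added_default:
            noise.append(path)
        else:
            drift.append(path)
    return noise, drift
```

Any path returned in `drift` (for example a changed `outputs.privileges` or `outputs.withGrantOption`) means the refresh recorded a different grant and should be reviewed before the state is trusted.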

Labels

area/import: An issue related to `pulumi import` or the import resource option.
awaiting-feedback: Blocked on input from the author
kind/bug: Some behavior is incorrect or out of spec
