https://pulumi.com logo
Powered by
Title
b

bright-orange-69401

07/31/2021, 6:23 PM
I’m trying to integrate Snowflake with AWS via Pulumi and I have sort of a circular resource dependency going on Here’s what I’m trying to do: 1. Create 
Role
in AWS 2. Create 
StorageIntegration
in Snowflake using 
Role
from step 1 3. Update 
Role
by adding parameters obtained after creating the 
StorageIntegration
in step 2 Is there a way to solve such a pattern in Pulumi ? (Other than manually hard-coding stuff and re-deploying) Is there maybe an 
UpdateRole
resource that I can provision in my step 3 ? (NB: it’s specifically the 
assume_role_policy
that I need to alter in step 3)
g

great-sunset-355

08/01/2021, 4:22 PM
no, there isn't update role method (as in cdk 😞 ), AWS IAM consists of objects and attachment objects
Just a guess, but isn't this parameter where you pass the role to the Storage Integration? https://www.pulumi.com/docs/reference/pkg/snowflake/storageintegration/#storage_aws_role_arn_python Also it is not clear what parameters are you trying to update on the role then
If you could share a piece of code on what you are trying to achieve we'd be able to help you better
b

bright-orange-69401

08/02/2021, 10:33 AM
Hey @great-sunset-355 Unfortunately no, it’s not the 
storage_aws_role_arn
variable : this one needs to be set before creating the 
StorageIntegration
I’ll share a code snippet below to illustrate
snowflake_storage_integration.py
My 
aws_storage_integration
variable then has two outputs (
storage_aws_external_id
& 
storage_aws_iam_user_arn
) which corresponds to resources that are present on Snowflake’s own AWS account To secure the AWS-Snowflake integration, I would then need to change my 
assume_role_policy
to whitelist this specific user and external id
I’ve found an elegant way to solve this without manual intervention : using 
StackReference
on the current stack
For other developers encountering this case, the solution may look something like this
solution_to_circular_reference.py
🙏 1
It works because 
current_stack.get_output("FOO")
returns 
None
upon the initial deployment
It’s not a great solution though, because you’d still have to run the 
pulumi up
twice to get everything set up, but at least there’s no manual intervention
@steep-sunset-89396
#generalJoin Slack
Powered by