I am raising two sets of stacks, one `green`, and ...
# general
i
I am raising two sets of stacks, one `green`, and one `blue`. We are seeing the appropriate resources after up `green`, but after up `blue`, we see that the IAM bindings disappear from `green`, disabling those identities because they lose their permissions. The resources are named uniquely, have different urns, and of course different stack names. What am I missing here? How would pulumi or the gcp libs decide to take away from one when creating another?
Only the `provider` name of `gcp` is the same. The names of each resource including the bindings are diff. These are different stacks (targeting the same `GOOGLE_CLOUD_PROJECT`), so I see no logical reason why pulumi is having this conflict.
It’s also worth noting that after `green`, then `blue`, going back to `up green` - pulumi thinks it is unchanged even though the IAM bindings are now missing. I have bumped into a case where it thinks 1 of 3 accounts has members changed. It does not appear to be reliable.
I tried a unique name for the provider, no difference. Pulumi is wiping out members from a different stack.
b
@important-leather-28796 are you saying here that you’re doing `pulumi stack init` to create an entirely new stack, then provisioning those resources is deleting the blue stack?
i
Two stacks, both inited. up one, good. up the other, IAM bindings disappear from the first.
b
@important-leather-28796 this is expected behaviour for the `gcp.projects.IAMBinding` resource, from the docs: https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iambinding/
"Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved."
I think you want `IamMember`
i
both stacks continue to exist, and pulumi reports all good, and no changes
oh, that would be great if so!
PERFECT!
b
i think this is an idiosyncrasy of the gcloud API. I.e., you use an IAM binding, add another IAM binding resource and it removes all previous resources. I bet if you look in your blue stack the resource still exists but the backend GCP has removed it
i
That’s got to be it
lol you beat me to the issue
b
I’d suggest removing the reference to iambinding and I think you’ll need to use iamMember, but gcp is my least used cloud. I have to drop, but please update me on the fix
i
I’ll change and confirm right now. Thank you
@billowy-army-68599 Confirmed user error. Switching `IAMBinding` (authoritative) to `IAMMember` works. Thank you for the pointer!