No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

stack-conflict-iambinding.jpg

Only the `provider` name of `gcp` is the same.  The names of each resource including the bindings are diff.  These are different stacks (targeting the same `GOOGLE_CLOUD_PROJECT` , so I see no logical reason why pulumi is having this conflict.

It’s also worth noting that after `green`, then `blue`, going back to `up green` - pulumi thinks it is unchanged even though the IAM bindings are now missing.  I have bumped into a case where it thinks 1 of 3 accounts have members changed.  It does not appear to be reliable

I tried a unique name for the provider, no difference.  Pulumi is wiping out members from a different stack.

I filed an issue <https://github.com/pulumi/pulumi/issues/13799>

<@UGA82D0RX> are you saying here that you’re doing `pulumi stack init` to create an entirely new stack, then provisioning those resources is deleting the blue stack?

Two stacks, both inited.  up one, good.  up the other, IAM bindings disappear from the first.

<@UGA82D0RX> this is expected behaviour for the `gcp.projects.IAMBinding` resource, from the docs:

<https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iambinding/>

&gt; Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
I think you want `IamMember`

both stacks continue to exist, and pulumi reports all good, and no canges

i think this is an idiosyncrasy of the gcloud API. Ie, you use an IAM binding, add another IAM binding resource and it removes all previous resources. I bet if you look in your blue stack the resource still exists but the backend GCP has removed it

I’d suggest remove reference to iambinding and I _think_ you’ll need to use iamMember, but I gcp is my least used cloud. I have to drop, but please update me on the fix

I’ll change and confirm right now. Thank you

<@UCWG26BH7> Confirmed user error.  Switching `IAMBinding` (authoritative) to `IAMMember` works.  Thank you for the pointer!