#general

important-leather-28796

08/26/2023, 7:41 PM
I am raising two sets of stacks, one `green`, and one `blue`. We are seeing the appropriate resources after up `green`, but after up `blue`, we see that the IAM bindings disappear from `green` and disabling those identities because they lose their permissions. The resources are named uniquely, have different urns, and of course different stack names. What am I missing here? How would pulumi or the gcp libs decide to take away from one when creating another?
Only the `provider` name of `gcp` is the same. The names of each resource including the bindings are diff. These are different stacks (targeting the same `GOOGLE_CLOUD_PROJECT`), so I see no logical reason why pulumi is having this conflict.
It’s also worth noting that after `green`, then `blue`, going back to `up green` - pulumi thinks it is unchanged even though the IAM bindings are now missing. I have bumped into a case where it thinks 1 of 3 accounts have members changed. It does not appear to be reliable.
I tried a unique name for the provider, no difference. Pulumi is wiping out members from a different stack.

billowy-army-68599

08/26/2023, 8:38 PM
@important-leather-28796 are you saying here that you’re doing `pulumi stack init` to create an entirely new stack, then provisioning those resources is deleting the blue stack?

important-leather-28796

08/26/2023, 8:41 PM
Two stacks, both inited. up one, good. up the other, IAM bindings disappear from the first.

billowy-army-68599

08/26/2023, 8:41 PM
@important-leather-28796 this is expected behaviour for the `gcp.projects.IAMBinding` resource, from the docs: https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iambinding/
"Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved."
I think you want `IamMember`

important-leather-28796

08/26/2023, 8:41 PM
both stacks continue to exist, and pulumi reports all good, and no changes
oh, that would be great if so!
PERFECT!

billowy-army-68599

08/26/2023, 8:43 PM
I think this is an idiosyncrasy of the gcloud API. I.e., you use an IAM binding, add another IAM binding resource and it removes all previous resources. I bet if you look in your blue stack the resource still exists but the backend GCP has removed it

important-leather-28796

08/26/2023, 8:43 PM
That’s got to be it
lol you beat me to the issue

billowy-army-68599

08/26/2023, 8:44 PM
I’d suggest removing the reference to iambinding and I think you’ll need to use iamMember, but gcp is my least used cloud. I have to drop, but please update me on the fix

important-leather-28796

08/26/2023, 8:45 PM
I’ll change and confirm right now. Thank you
@billowy-army-68599 Confirmed user error. Switching `IAMBinding` (authoritative) to `IAMMember` works. Thank you for the pointer!