billions-cat-24200
03/26/2024, 2:16 AM
for client, id in query_from_bigquery():
    sa = create_service_account_and_iam_bindings(name=f"{client}_service_account")
    dynamic_resource_create_access_policy(props={"sa": sa}, name=some_name_i_pick) # etc
then:
def create_service_account_and_iam_bindings(name):
    sa = gcp.serviceaccount.Account(resource_name=name)
    policy1 = f"{name}_for_bigquery_data_view"
    gcp.projects.IAMBinding(resource_name=policy1, members=[sa.member], ...)
    policy2 = f"{name}_for_bigquery_other_thing"
    gcp.projects.IAMBinding(resource_name=policy2, members=[sa.member], ...)
    policy3 = f"{name}_for_bigquery_yadda_yadda"
    gcp.projects.IAMBinding(resource_name=policy3, members=[sa.member], ...)
    key = gcp.serviceaccount.Key(resource_name=f"{name}_key", service_account_id=sa.name)
    return sa
Which seems simple enough.
Basically I have a list of clients and I need to make a service account and assign some bigquery IAM policies.
When I run pulumi, the plan looks fine. Detail view shows that it will make a service account named after a client and then use the service account name to assign to the iam binding. Great.
Then, when it applies... it picks a totally random service account name when making the update. The resources in pulumi cloud show:
IamBinding: bigquery-data-viewer-for-CLIENT-1
    Members: service-account for CLIENT-4
IamBinding: bigquery-data-viewer-for-CLIENT-2
    Members: service-account for CLIENT-3
etc. Any idea why this might happen? The plan is perfect. The actual update is what leaves it in a gibberish state. I also tried running it on pulumi cloud after thinking maybe my setup is just busted? Same result.
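A likely explanation, as an added example that is not part of the original post: `gcp.projects.IAMBinding` is authoritative for its role, so several bindings for the same role on one project each replace that role's whole member list, whereas `gcp.projects.IAMMember` adds a single member. The model below is plain Python, not Pulumi or GCP code; it assumes every client's binding targets the same project and role (the post elides those arguments), and the project, role and client names are constructed.

```python
# Added example: a plain-Python model of IAM policy updates, not Pulumi/GCP code.
from collections import defaultdict

PROJECT = "example-project"          # constructed
ROLE = "roles/bigquery.dataViewer"   # assumed: same role for every client
CLIENTS = ["client1", "client2", "client3", "client4"]  # constructed


def sa_member(client):
    """IAM member string for a client's service account (constructed names)."""
    return f"serviceAccount:{client}-sa@{PROJECT}.iam.gserviceaccount.com"


# One authoritative binding per client, as in the loop from the post.
BINDINGS = [
    {"name": f"{c}_for_bigquery_data_view", "project": PROJECT,
     "role": ROLE, "members": [sa_member(c)]}
    for c in CLIENTS
]


def apply_bindings(bindings):
    """Authoritative model: each binding replaces the role's whole member list."""
    policy = {}
    for b in bindings:  # engines may apply these in any order; the last write wins
        policy[(b["project"], b["role"])] = set(b["members"])
    return policy


def apply_members(bindings):
    """Additive model: each (role, member) grant is added; others are untouched."""
    policy = defaultdict(set)
    for b in bindings:
        for m in b["members"]:
            policy[(b["project"], b["role"])].add(m)
    return dict(policy)


def conflicting_bindings(bindings):
    """Map (project, role) -> resource names when several bindings claim one role."""
    owners = defaultdict(list)
    for b in bindings:
        owners[(b["project"], b["role"])].append(b["name"])
    return {key: names for key, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    print("authoritative:", apply_bindings(BINDINGS))
    print("additive:     ", apply_members(BINDINGS))
    print("conflicts:    ", conflicting_bindings(BINDINGS))
```

A check like `conflicting_bindings` run over the planned resources flags role collisions before an update leaves one client's role holding another client's service account.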