Hey folks... have a really weird thing going on and maybe it's my python ignorance but I have code that does something like this:

for client, id in query_from_bigquery():
    sa = create_service_account_and_iam_bindings(name=f"{client}_service_account")

    dynamic_resource_create_access_policy(props={"sa": sa}, name=some_name_i_pick) # etc

then:

def create_service_account_and_iam_bindings(name):

   sa = gcp.serviceaccount.Account(resource_name=name)

   policy1 = f"{name}_for_bigquery_data_view"
   gcp.projects.IAMBinding(resource_name=policy1, members=[sa.member], ...)

   policy2 = f"{name}_for_bigquery_other_thing"
   gcp.projects.IAMBinding(resource_name=policy2, members=[sa.member], ...)

   policy3 = f"{name}_for_bigquery_yadda_yadda"
   gcp.projects.IAMBinding(resource_name=policy3, members=[sa.member], ...)

   key = gcp.serviceaccount.Key(resource_name=f"{name}_key", service_account_id=sa.name)

   return sa

Which seems simple enough. Basically I have a list of clients and I need to make a service account and assign some bigquery IAM policies. When I run pulumi, the plan looks fine. Detail view shows that it will make a service account named after a client and then use the service account name to assign to the iam binding. Great. Then, when it applies... it picks a totally random service account name when making the update. The resources in pulumi cloud show:

IamBinding: bigquery-data-viewer-for-CLIENT-1
    Members: service-account for CLIENT-4

IamBinding: bigquery-data-viewer-for-CLIENT-2
    Members: service-account for CLIENT-3

etc. Any idea why this might happen? The plan is perfect. The actual update is what leaves it in a gibberish state. I also tried running it on pulumi cloud after thinking maybe my setup is just busted? Same result.