# google-cloud
Hi Team, I am trying to create a GKE private Autopilot cluster via Pulumi TypeScript. I am creating a custom service account with limited IAM permissions and want to attach it to the Autopilot cluster instead of using the default service account. I tried multiple code changes, but my Autopilot cluster is getting created with the `default` service account only. The Pulumi plan shows it will apply the custom service account mentioned under `nodeConfig`, but it applies `default`; on the next run it tries to replace the cluster with the custom service account but applies `default` again, and the loop continues. I am using this Pulumi package for Autopilot cluster creation. I came across a Terraform issue discussion where many users are facing a similar default account issue: hashicorp/terraform-provider-google#9505. I tried the listed solution to use `clusterAutoscaling`, but Pulumi says it conflicts with `enable_autopilot`; same behavior with `node.pool`, you can't change much in an Autopilot cluster. Why are Pulumi or Terraform failing to attach the custom service account to the Autopilot cluster? Am I missing something? Any suggestions I can try? My TypeScript k8_autopilot code:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Custom node service account; createIgnoreAlreadyExists lets repeated runs reuse it.
const sa = new gcp.serviceaccount.Account("sa", {
    createIgnoreAlreadyExists: true,
    accountId: "test",
});

// Project-level binding for the new account (roles/cloudsql.admin is a broad,
// project-wide role; scope it down if the workloads only need client access).
const cloudsql_admin = new gcp.projects.IAMBinding("cloudsql_admin", {
    project: "<Project_ID>",
    role: "roles/cloudsql.admin",
    members: [sa.email.apply(email => `serviceAccount:${email}`)],
});

// Private Autopilot cluster: private nodes, public control-plane endpoint
// reachable only from the authorized CIDR below.
const primary = new gcp.container.Cluster("primary", {
    name: "cluster-test",
    network: "<VPC_ID>",
    subnetwork: "<Private_Subnet_ID>",
    location: "us-east4",
    enableAutopilot: true,
    deletionProtection: false,
    masterAuthorizedNetworksConfig: {
        cidrBlocks: [{
            cidrBlock: "<IP>",
        }],
    },
    privateClusterConfig: {
        enablePrivateEndpoint: false,
        enablePrivateNodes: true,
    },
    // Intended to attach the custom account to the nodes; the cluster still
    // comes up with the default service account (see the question above).
    nodeConfig: {
        serviceAccount: sa.email,
    },
});
```
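As an added example (not code from the post above, nor from the Pulumi provider), here is a small pre-apply sanity check over the argument object handed to `gcp.container.Cluster`. It encodes the placement the linked Terraform issue discussion points to: on an Autopilot cluster the node service account belongs in `clusterAutoscaling.autoProvisioningDefaults.serviceAccount`, while `nodeConfig.serviceAccount` is not honoured because Autopilot provisions the nodes itself. The interfaces are an assumption that mirrors only the `ClusterArgs` fields the check needs, and the rules flagging `clusterAutoscaling.enabled` and `resourceLimits` next to `enableAutopilot` are likewise assumptions to verify against the installed provider version. The check does not import Pulumi, so it runs offline against a plain object.

```typescript
// Added example: offline sanity check for Autopilot node service-account placement.
// The interfaces below are an ASSUMPTION mirroring a subset of gcp.container.ClusterArgs.
interface NodeConfig {
    serviceAccount?: string;
}
interface AutoProvisioningDefaults {
    serviceAccount?: string;
    oauthScopes?: string[];
}
interface ClusterAutoscaling {
    enabled?: boolean;
    resourceLimits?: { resourceType: string; minimum?: number; maximum?: number }[];
    autoProvisioningDefaults?: AutoProvisioningDefaults;
}
interface ClusterArgsSubset {
    enableAutopilot?: boolean;
    nodeConfig?: NodeConfig;
    clusterAutoscaling?: ClusterAutoscaling;
}

// Returns a list of findings; an empty list means the Autopilot cluster will get
// the intended node service account as far as this check can tell.
function checkAutopilotServiceAccount(args: ClusterArgsSubset): string[] {
    const findings: string[] = [];
    if (!args.enableAutopilot) {
        return findings; // Standard clusters: nodeConfig.serviceAccount is honoured
    }
    const napSa = args.clusterAutoscaling?.autoProvisioningDefaults?.serviceAccount;
    if (args.nodeConfig?.serviceAccount && !napSa) {
        findings.push(
            "nodeConfig.serviceAccount is set on an Autopilot cluster; Autopilot provisions " +
            "nodes itself, so put the account in clusterAutoscaling.autoProvisioningDefaults.serviceAccount");
    }
    if (!napSa) {
        findings.push("no custom node service account: nodes will run as the Compute Engine default account");
    }
    // ASSUMPTION: these two fields are the ones that conflict with enableAutopilot.
    if (args.clusterAutoscaling?.enabled !== undefined) {
        findings.push("clusterAutoscaling.enabled conflicts with enableAutopilot; drop it (implied for Autopilot)");
    }
    if (args.clusterAutoscaling?.resourceLimits && args.clusterAutoscaling.resourceLimits.length > 0) {
        findings.push("clusterAutoscaling.resourceLimits conflicts with enableAutopilot; drop it");
    }
    return findings;
}

// Constructed inputs (not real resources): the shape from the post, and the rewritten shape.
const nodeSaEmail = "test@example-project.iam.gserviceaccount.com"; // placeholder e-mail
const asPosted: ClusterArgsSubset = {
    enableAutopilot: true,
    nodeConfig: { serviceAccount: nodeSaEmail },
};
const rewritten: ClusterArgsSubset = {
    enableAutopilot: true,
    clusterAutoscaling: {
        autoProvisioningDefaults: {
            serviceAccount: nodeSaEmail,
            oauthScopes: ["https://www.googleapis.com/auth/cloud-platform"],
        },
    },
};

console.log("as posted:", checkAutopilotServiceAccount(asPosted));
console.log("rewritten:", checkAutopilotServiceAccount(rewritten));
```

Run the check over the args object before constructing the cluster, or wire it into a unit test of the Pulumi program. Separately, a custom node service account still needs the roles the GKE node agents use (for example roles/logging.logWriter and roles/monitoring.metricWriter), which this check does not look at.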