Hi I just tried to create a service account and assign a rol pulumi-community #general

Title

flat-mechanic-75334

05/06/2020, 4:19 PM

Hi! I just tried to create a service account and assign a role to it in GCP and it worked. However, running

pulumi destroy

didn’t only delete the service account in question, but also blew away the role assignments from ALL service accounts that had identical role. Am I doing this wrong? Seems quite risky. Here’s the code I used to create the service account and assign the role:

Copy code

const serviceAccount = new gcp.serviceAccount.Account("myServiceAccount", 
    {
     accountId: SID,
     displayName: SNAME,
     description: "Service account Created by Pulumi"
    }
);

const iam = new gcp.projects.IAMBinding("myBinding",
   {
        members: [pulumi.interpolate `serviceAccount:${serviceAccount.email}`],
        role: "roles/storage.objectViewer",  
   }
);

green-school-95910

05/06/2020, 4:28 PM

The bindings control all members of that role. You should use

IAMMember

to prevent that

flat-mechanic-75334

05/06/2020, 4:39 PM

Copy code

gcp.projects.IAMMember?

green-school-95910

05/06/2020, 4:49 PM

Yes

Make on resource for each member, then if/when you destroy them it will only remove that member instead of the whole binding

flat-mechanic-75334

05/06/2020, 5:27 PM

Thanks!

4 Views