
flat-mechanic-75334

05/06/2020, 4:19 PM
Hi! I just tried to create a service account and assign a role to it in GCP and it worked. However, running `pulumi destroy` didn’t only delete the service account in question, but also blew away the role assignments from ALL service accounts that had the identical role. Am I doing this wrong? Seems quite risky. Here’s the code I used to create the service account and assign the role:
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// SID and SNAME (account id and display name) are defined elsewhere in the program.
const serviceAccount = new gcp.serviceAccount.Account("myServiceAccount", {
    accountId: SID,
    displayName: SNAME,
    description: "Service account Created by Pulumi",
});

// IAMBinding is authoritative for the role: it owns the full member list of
// roles/storage.objectViewer, so destroying it removes every member of that role.
const iam = new gcp.projects.IAMBinding("myBinding", {
    members: [pulumi.interpolate`serviceAccount:${serviceAccount.email}`],
    role: "roles/storage.objectViewer",
});

green-school-95910

05/06/2020, 4:28 PM
The bindings control all members of that role. You should use `IAMMember` to prevent that.

flat-mechanic-75334

05/06/2020, 4:39 PM
`gcp.projects.IAMMember`?

green-school-95910

05/06/2020, 4:49 PM
Yes
Make one resource for each member; then if/when you destroy them it will only remove that member instead of the whole binding.

flat-mechanic-75334

05/06/2020, 5:27 PM
Thanks!