hello guys. maybe someone here can give me a hand ...
# python
hello guys. maybe someone here can give me a hand on this one ? I have some code to create service accounts in GCP and bind this accounts to some roles using IAMBindings my issue is that every time I run pulumi up, pulumi updates the service account rolebindings. I guess this is caused by the for loop I am using to create them ? this is my code:
Copy code
serviceAccounts = [
    ("droneci", "droneci", "Drone Service Account", ["roles/storage.admin"]),
        "Spinnaker Service Account",

def bindToRole(name: str, sa: Account, args: Optional[dict] = None):
    """Given a GCP IAM Service Account and a list of roles, create a IAMBinginh between them."""
    for i, role in enumerate(args["roles"]):
            members=[sa.email.apply(lambda email: f"serviceAccount:{email}")],

for saName, saId, saDesc, saRoles in serviceAccounts:
    sa = Account(
        saName, project=conf.get("project"), account_id=saId, display_name=saDesc
        f"{saName}-roleBinding", sa, {"project": conf.get("project"), "roles": saRoles}
    saKey = util.createServiceAccountKey(f"{saName}-key", sa)
    export(name=f"{saName}-serviceAccount-key", value=saKey)
    export(name=f"{saName}-serviceAccount-secret", value=util.clientSecret(saKey))
    export(name=f"{saName}-serviceAccount-email", value=sa.email)
and this is an example of the changes it trys to make every time I run this:
Copy code
~ gcp:projects/iAMBinding:IAMBinding: (refresh)
        [provider=urn:pulumi:dev::my stack::pulumi:providers:gcp::default_4_17_0::620feff3-c68d-4f3f-b35d-715c080f8b7d]
      ~ etag     : "BwW/YsjdngI=" => "BwW/YucGdm0="
      ~ members  : [
          ~ [0]: "serviceAccount:spinnaker@my-project.iam.gserviceaccount.com" => "serviceAccount:droneci@my-project.iam.gserviceaccount.com"
any idea why this might be happening ?
IAMBinding is a configuration you do once and it will overwrite the role members, so every time you run a binding against a role with a different set of members you're overwriting your IAM configuration. I recommend you either pass the entire list of service accounts to each role in an IAMBinding, or totally change IAMBinding to IAMMember and pass one member at a time.
This is what Authoritative and Non-Authoritative mean in the documentation, I think
I had this issue yesterday, and changed everything to IAMMember