# python
a
Hello guys. Maybe someone here can give me a hand on this one? I have some code to create service accounts in GCP and bind these accounts to some roles using IAMBindings. My issue is that every time I run pulumi up, Pulumi updates the service account role bindings. I guess this is caused by the for loop I am using to create them? This is my code:
from typing import Optional

import pulumi
from pulumi import export
# Import paths assumed for pulumi-gcp 4.x (the refresh output shows provider default_4_17_0
# and the resource type gcp:projects/iAMBinding:IAMBinding).
from pulumi_gcp.projects import IAMBinding
from pulumi_gcp.serviceaccount import Account

import util  # the poster's own helper module (createServiceAccountKey, clientSecret); not shown here

conf = pulumi.Config()

# (resource name, account_id, display_name, list of roles) for each service account to create
serviceAccounts = [
    ("droneci", "droneci", "Drone Service Account", ["roles/storage.admin"]),
    (
        "spinnaker",
        "spinnaker",
        "Spinnaker Service Account",
        [
            "roles/container.admin",
            "roles/container.clusterAdmin",
            "roles/container.developer",
            "roles/storage.admin",
        ],
    )
]

def bindToRole(name: str, sa: Account, args: Optional[dict] = None):
    """Given a GCP IAM Service Account and a list of roles, create an IAMBinding between them.

    Note: a project IAMBinding is authoritative for its role, so each binding created here
    sets the role's member list to just this one service account.
    """
    for i, role in enumerate(args["roles"]):
        IAMBinding(
            f"{name}-{i}",
            # sa.email is an Output, so build the member string inside apply()
            members=[sa.email.apply(lambda email: f"serviceAccount:{email}")],
            project=args["project"],
            role=role,
        )

for saName, saId, saDesc, saRoles in serviceAccounts:
    sa = Account(
        saName, project=conf.get("project"), account_id=saId, display_name=saDesc
    )
    bindToRole(
        f"{saName}-roleBinding", sa, {"project": conf.get("project"), "roles": saRoles}
    )
    # Key material is exported as stack outputs; see util for how the key and secret are derived
    saKey = util.createServiceAccountKey(f"{saName}-key", sa)
    export(name=f"{saName}-serviceAccount-key", value=saKey)
    export(name=f"{saName}-serviceAccount-secret", value=util.clientSecret(saKey))
    export(name=f"{saName}-serviceAccount-email", value=sa.email)
And this is an example of the changes it tries to make every time I run this:
~ gcp:projects/iAMBinding:IAMBinding: (refresh)
        [id=my-project/roles/storage.admin]
        [urn=urn:pulumi:dev::my-stack::gcp:projects/iAMBinding:IAMBinding::spinnaker-roleBinding-3]
        [provider=urn:pulumi:dev::my-stack::pulumi:providers:gcp::default_4_17_0::620feff3-c68d-4f3f-b35d-715c080f8b7d]
        --outputs:--
      ~ etag     : "BwW/YsjdngI=" => "BwW/YucGdm0="
      ~ members  : [
          ~ [0]: "serviceAccount:spinnaker@my-project.iam.gserviceaccount.com" => "serviceAccount:droneci@my-project.iam.gserviceaccount.com"
        ]
Any idea why this might be happening?
s
IAMBinding is a configuration you do once, and it will overwrite the role members, so every time you run a binding against a role with a different set of members you're overwriting your IAM configuration. I recommend you either pass the entire list of service accounts to each role in an IAMBinding, or totally change IAMBinding to IAMMember and pass one member at a time.
This is what Authoritative and Non-Authoritative mean in the documentation, I think.
I had this issue yesterday, and changed everything to IAMMember.