gorgeous-country-43026
11/21/2022, 2:13 PM
gcloud as expected and they do appear and everything works. But with Pulumi this simply doesn't happen, but in Pulumi state those are set, thus leading to Pulumi state not being in sync with the actual environment.
The code I'm running has worked without issues before and as such this must be a regression. This happens at least with the latest version of @pulumi/gcp (version 6.43.0). I tried downgrading @pulumi/gcp to around when our lower environment was created (and when IAM bindings were successfully created) but that didn't help. So it might be something related to newer Pulumi CLI versions or something. I do not know at this point.
This however is fatal for us. Not being able to set IAM bindings reliably obviously is more or less catastrophic from an IaC point of view. And because of this I'm thinking this kind of bug just cannot have slipped past and I'm reaching out if anyone else has faced this? This worked for us ~2 months ago but not anymore.
billowy-army-68599
11/21/2022, 2:36 PM
gorgeous-country-43026
11/21/2022, 3:17 PM
flaky-arm-38472
11/21/2022, 3:53 PM
pulumi refresh before applying @gorgeous-country-43026. I have some vague thoughts of this happening to me and it was resolved with a refresh. Not completely sure if it was the same tho.
gorgeous-country-43026
11/21/2022, 4:01 PM
billowy-army-68599
11/21/2022, 4:09 PM
gorgeous-country-43026
11/21/2022, 4:09 PM
billowy-army-68599
11/21/2022, 4:11 PM
Pulumi thinks they are there
if the refresh doesn’t remove them, they’re somewhere
gorgeous-country-43026
11/21/2022, 4:12 PM
billowy-army-68599
11/21/2022, 4:12 PM
gorgeous-country-43026
11/21/2022, 5:07 PM
-v=9 but don't see anything that special. But also I do not see any GCP API calls in it, guess I need some other flags to surface those into logs
flaky-arm-38472
11/22/2022, 2:35 AM
pulumi stack delete 'resource urns' and then run pulumi up again
gorgeous-country-43026
11/22/2022, 8:36 AM
export const testBinding = new gcp.pubsub.TopicIAMBinding("testing", {
    topic: pubsubTopics.myTopic.name,
    role: "roles/pubsub.publisher",
    members: [
        backend.theServiceAccount.email.apply(email => `serviceAccount:${email}`)
    ]
});
and no pubsub.publisher role appears for the given service account