pulumi / pulumi-google-native

Apache License 2.0

ServiceAccountIamPolicy refresh not working #379

Closed lblackstone closed 2 years ago

lblackstone commented 2 years ago

Hello!

Issue details

The resource lifecycle does not appear to be working for the iam/v1:ServiceAccountIamPolicy resource. Refreshing the resource shows that it is deleted, and then updating the stack again shows it being created.

Steps to reproduce

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/google-native";

export = async () => {
    // Read the target project and region from the stack config.
    const gcpConfig = new pulumi.Config("gcp");
    const gcpRegion = gcpConfig.require("region");
    const gcpProject = gcpConfig.require("project");

    const userPrefix = "user";
    const userEmail = "test@example.com";

    // Create a GCP provider.
    const gcpProvider = new gcp.Provider("google", {
        project: gcpProject,
        region: gcpRegion,
    });

    const serviceAccount = new gcp.iam.v1.ServiceAccount(
        "test-sa",
        {
            accountId: "test-sa",
            description: "testing sa iam policy",
            project: gcpProject,
        },
        {
            provider: gcpProvider,
        },
    );

    const serviceAccountIamPolicy = new gcp.iam.v1.ServiceAccountIamPolicy(
        "test-sa-policy",
        {
            serviceAccountId: serviceAccount.email,
            bindings: [
                {
                    members: [`${userPrefix}:${userEmail}`],
                    role: "roles/iam.serviceAccountUser",
                },
                {
                    members: [`${userPrefix}:${userEmail}`],
                    role: "roles/iam.serviceAccountTokenCreator",
                },
            ],
            project: gcpProject,
        },
        {
            provider: gcpProvider,
        },
    );

    return {
        serviceAccountId: serviceAccount.id,
        serviceAccountIamPolicyId: serviceAccountIamPolicy.id,
    };
};

This program causes the following behavior:

On pulumi update

Updating (my-org/gcp-gke-typescript/dev)

     Type                                             Name                               Status      
     pulumi:pulumi:Stack                              gcp-gke-typescript-dev              
 +   └─ google-native:iam/v1:ServiceAccountIamPolicy  test-sa-policy                     created 

On pulumi refresh

Refreshing (my-org/gcp-gke-typescript/dev)

     Type                                             Name                               Status      
     pulumi:pulumi:Stack                              gcp-gke-typescript-dev
     ├─ google-native:iam/v1:ServiceAccount           test-sa                                        
     ├─ pulumi:providers:google-native                google                                         
 -   └─ google-native:iam/v1:ServiceAccountIamPolicy  test-sa-policy                     deleted 

On subsequent pulumi update

Updating (my-org/gcp-gke-typescript/dev)

     Type                                             Name                               Status      
     pulumi:pulumi:Stack                              gcp-gke-typescript-dev              
 +   └─ google-native:iam/v1:ServiceAccountIamPolicy  test-sa-policy                     created
cakoose commented 2 years ago

I'm also seeing this issue with google-native:cloudtasks/v2:QueueIamPolicy

(I'm mostly using the older "gcp" module. But since that module doesn't support QueueIamPolicy, I'm using the newer "google-native" module just for this one resource.)

lblackstone commented 2 years ago

I suspect that the changes in https://github.com/pulumi/pulumi-google-native/pull/374 will fix this. It looks like the provider is currently using the wrong verb on the Read operation.

The same thing is happening on QueueIamPolicy.
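
An added check, not code from this issue thread or from the pulumi-google-native provider, covering both the refresh output in the issue and the "wrong verb on the Read operation" remark above: it builds the Read request in the form the IAM v1 REST API expects (getIamPolicy is a POST custom method on `.../serviceAccounts/{email}:getIamPolicy`, so a plain GET cannot read the policy back) and diffs the bindings the Pulumi program declares against the bindings the API actually returns, so a refresh that reports the policy as deleted can be verified before the next update re-creates it. The project, service account email, etag and the out-of-band binding in the sample policy are constructed for the example.

```typescript
// Added example; not code from the issue or from the pulumi-google-native provider.
// 1. getIamPolicyRequest: the Read a ServiceAccountIamPolicy needs (POST, not GET).
// 2. diffBindings: declared bindings vs. the live policy, to check a "deleted" refresh.

interface Binding {
  role: string;
  members: string[];
}

interface Policy {
  version?: number;
  etag?: string;
  bindings?: Binding[];
}

interface HttpRequest {
  method: "GET" | "POST";
  url: string;
  body?: unknown;
}

// Request shape for the IAM v1 getIamPolicy custom method. Assumption: the caller
// attaches an OAuth bearer token; no auth is handled here.
function getIamPolicyRequest(project: string, saEmail: string): HttpRequest {
  const resource = `projects/${project}/serviceAccounts/${saEmail}`;
  return {
    method: "POST",
    url: `https://iam.googleapis.com/v1/${resource}:getIamPolicy`,
    // Ask for policy version 3 so conditional bindings are returned, not dropped.
    body: { options: { requestedPolicyVersion: 3 } },
  };
}

// Collapse bindings into role -> member set so ordering and duplicates don't produce noise.
function toRoleMap(bindings: Binding[]): Map<string, Set<string>> {
  const map = new Map<string, Set<string>>();
  for (const b of bindings) {
    const members = map.get(b.role) ?? new Set<string>();
    b.members.forEach((m) => members.add(m));
    map.set(b.role, members);
  }
  return map;
}

interface BindingDiff {
  missing: Binding[]; // declared in the program but absent from the live policy
  extra: Binding[];   // present in the live policy but not declared (granted out of band)
}

function diffBindings(declared: Binding[], live: Binding[]): BindingDiff {
  const want = toRoleMap(declared);
  const have = toRoleMap(live);
  const roles = new Set<string>();
  want.forEach((_, role) => roles.add(role));
  have.forEach((_, role) => roles.add(role));
  const missing: Binding[] = [];
  const extra: Binding[] = [];
  for (const role of Array.from(roles).sort()) {
    const w = want.get(role) ?? new Set<string>();
    const h = have.get(role) ?? new Set<string>();
    const miss = Array.from(w).filter((m) => !h.has(m)).sort();
    const ext = Array.from(h).filter((m) => !w.has(m)).sort();
    if (miss.length > 0) missing.push({ role, members: miss });
    if (ext.length > 0) extra.push({ role, members: ext });
  }
  return { missing, extra };
}

// Constructed sample data (not a real project). The declared bindings are the two from
// the issue's program; the "live" policy also carries one binding granted outside Pulumi,
// which is exactly what a blind re-create through setIamPolicy would overwrite.
const project = "my-project";
const saEmail = `test-sa@${project}.iam.gserviceaccount.com`;
const userEmail = "test@example.com";

const declaredBindings: Binding[] = [
  { role: "roles/iam.serviceAccountUser", members: [`user:${userEmail}`] },
  { role: "roles/iam.serviceAccountTokenCreator", members: [`user:${userEmail}`] },
];

const livePolicy: Policy = {
  version: 1,
  etag: "BwX0000000=", // constructed placeholder, not a real etag
  bindings: [
    { role: "roles/iam.serviceAccountTokenCreator", members: [`user:${userEmail}`] },
    {
      role: "roles/iam.serviceAccountUser",
      members: [`serviceAccount:ci@${project}.iam.gserviceaccount.com`, `user:${userEmail}`],
    },
  ],
};

function checkSample(): BindingDiff {
  return diffBindings(declaredBindings, livePolicy.bindings ?? []);
}

const req = getIamPolicyRequest(project, saEmail);
console.log(`${req.method} ${req.url}`);
console.log(JSON.stringify(checkSample(), null, 2));
```

Feed the request to any HTTP client with a bearer token and pass the returned `bindings` to `diffBindings`. An empty `missing` list while refresh says "deleted" means the provider's Read, not the policy, is what failed. Any `extra` members deserve a look before the next `pulumi up`, because setIamPolicy replaces the whole policy and the re-created resource will carry only the declared bindings; extras under `roles/iam.serviceAccountTokenCreator` matter most, since that role lets the member mint tokens as the service account.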

lblackstone commented 2 years ago

Fixed by #374

pulumi-bot commented 2 years ago

Cannot close issue without required labels: resolution/