
cloudresourcemanager.v3.ProjectIamMember always detects diff and causes drift check (--expect-no-changes) to fail #976

Open
braaar opened this issue Apr 17, 2024 · 2 comments
Labels: area/diff; impact/cost (Something that is causing unneeded expense); impact/reliability (Something that feels unreliable or flaky); kind/bug (Some behavior is incorrect or out of spec)

Comments


braaar commented Apr 17, 2024

What happened?

I am using cloudresourcemanager/v3.ProjectIamMember as described in the docs.

However, when I run pulumi, it always detects a difference between what's described in the source code and the state.

This doesn't create any real problems under normal operation, since the IAM members are correctly created and updated in Google Cloud, but since pulumi always detects a difference it wants to update these resources on every deployment, which is unnecessary, and more importantly, all drift checks fail, so drift checking is rather hard to do.

Pulumi cloud summarizes the diff like so:

```text
 ~   └─ google-native:cloudresourcemanager/v3:ProjectIamMember          main-project-iam-member                   update     [diff: +member,name,role-resource,version]
```

It appears from looking at the detailed diff in Pulumi Cloud that the individual ProjectIamMember resource in the source code is being compared to the entire IAM Policy:

```text
    ~ google-native:cloudresourcemanager/v3:ProjectIamMember: (update)
        [id=v3/projects/branches-org-main:getIamPolicy]
        [urn=urn:pulumi:main::branches-main::google-native:cloudresourcemanager/v3:ProjectIamMember::main-project-iam-member]
        ...
```

Could this bug have been introduced in #653?

Example

Here is a simplified excerpt from our infrastructure code, which is publicly available here.

project.ts:

```typescript
import * as gcp from '@pulumi/gcp';
import * as google from '@pulumi/google-native';
import * as pulumi from '@pulumi/pulumi';
import { interpolate } from '@pulumi/pulumi';

const config = new pulumi.Config('google');

// Placeholder provider: the project resource itself does not need a real project.
export const nullProvider = new gcp.Provider('google-null-provider', {
  project: 'not-really-used',
});

export const project = new gcp.organizations.Project(
  'main-project',
  {
    projectId: 'my-project',
    name: 'Branches Org Main',
    billingAccount: config.require('billing-account-id'),
    folderId: config.require('folder-id'),
  },
  { provider: nullProvider, deleteBeforeReplace: true },
);

// google-native provider scoped to the project created above.
export const mainProvider = new google.Provider('google-native-main-provider', {
  project: project.projectId,
});

// The resource that always shows a diff: a single role binding for one service account.
new google.cloudresourcemanager.v3.ProjectIamMember(
  'main-project-iam-member',
  {
    member: interpolate`serviceAccount:${config.require('service-account')}`,
    role: 'roles/owner',
    name: project.projectId,
  },
  { provider: mainProvider },
);
```

Then I run a drift check with these options:

```shell
pulumi preview --expect-no-changes
```

Here is an example of this problem occurring in a github action.

Output of pulumi about

This is the output from my local machine, but the github action runner is obviously a different machine.

```text
CLI
Version      3.112.0
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME           VERSION
gcp            6.60.0
gcp            6.55.1
github         5.14.1
github         5.9.0
google-native  0.32.0
google-native  0.30.0
kubernetes     4.0.3
kubernetes     3.27.1
nodejs         unknown

Host
OS       darwin
Version  14.3.1
Arch     arm64
```

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

braaar added the labels kind/bug (Some behavior is incorrect or out of spec) and needs-triage (Needs attention from the triage team) on Apr 17, 2024
mjeffryes (Member) commented

Thanks for reporting this issue @braaar. Indeed you might be right that this bug dates all the way back to when the *IamMember resources were introduced. Unfortunately, we're not prioritizing fixes to the google-native provider right now, so I can't make any promises about when we could take a look at this issue.

If you're looking for a more immediate solution, you might need to instead import these resources to a program using the pulumi-gcp provider. Using pulumi-gcp is our recommended best practice for managing production infrastructure on GCP with pulumi.

mjeffryes added the labels area/diff, impact/performance (Something is slower than expected), impact/reliability (Something that feels unreliable or flaky) and impact/cost (Something that is causing unneeded expense), and removed needs-triage (Needs attention from the triage team) and impact/performance (Something is slower than expected) on Apr 18, 2024
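The issue describes a drift check (`pulumi preview --expect-no-changes`) that fails on every run because one resource type reports a spurious update, and the maintainer's reply says a provider fix is not coming soon. Until the resources are moved to pulumi-gcp, one defensive option is to keep the drift gate running but make it precise about what it ignores. The TypeScript below is an added example written for this page; it is not code from the issue, from the reporter's linked workaround, or from the pulumi-google-native project. It reads the JSON form of the preview (`pulumi preview --json`) and fails on any change except an `update` of an explicitly allow-listed resource type. The field names it relies on (`steps[].op`, `steps[].urn`, `steps[].diffReasons`, `changeSummary`) are assumptions about the preview JSON format; check them against the output of your own CLI version. The sample preview embedded in it is constructed from the URN and diff shown in the issue.

```typescript
// Added example, not code from the issue or from pulumi-google-native.
// A drift gate that consumes `pulumi preview --json` output and fails only
// on changes that are NOT an `update` of an explicitly allow-listed resource
// type. Field names below (steps[].op, steps[].urn, steps[].diffReasons,
// changeSummary) are assumptions about the preview JSON format; verify them
// against your own CLI version before relying on this.

interface PreviewStep {
  op: string;             // "same", "create", "update", "delete", "replace", ...
  urn: string;            // urn:pulumi:<stack>::<project>::<type>::<name>
  diffReasons?: string[]; // properties the provider reported as changed
}

interface PreviewOutput {
  steps: PreviewStep[];
  changeSummary?: Record<string, number>;
}

interface DriftReport {
  drifted: string[];    // URNs whose change must be treated as real drift
  suppressed: string[]; // URNs whose update was ignored as a known-noisy type
  ok: boolean;          // true when nothing outside the allow-list changed
}

// Extract a resource's own type token from its URN, e.g.
// "google-native:cloudresourcemanager/v3:ProjectIamMember". The type
// segment can be a "$"-separated parent chain; the last entry is the resource.
function typeFromUrn(urn: string): string {
  const parts = urn.split("::"); // ["urn:pulumi:<stack>", "<project>", "<type>", "<name>"]
  const typeSegment = parts[2] ?? "";
  const chain = typeSegment.split("$");
  return chain[chain.length - 1];
}

// Only `update` steps on allow-listed types are suppressed. A `create`,
// `delete` or `replace` of an IAM member is real drift even on a noisy type:
// a role binding appearing or disappearing is exactly what a drift check
// on IAM exists to catch.
function checkDrift(preview: PreviewOutput, noisyTypes: Set<string>): DriftReport {
  const drifted: string[] = [];
  const suppressed: string[] = [];
  for (const step of preview.steps) {
    if (step.op === "same") continue;
    if (step.op === "update" && noisyTypes.has(typeFromUrn(step.urn))) {
      suppressed.push(step.urn);
    } else {
      drifted.push(step.urn);
    }
  }
  return { drifted, suppressed, ok: drifted.length === 0 };
}

// Constructed sample modelled on the diff shown in the issue: the stack is
// unchanged and the ProjectIamMember reports the spurious
// "+member,name,role-resource,version" update. The stack URN is made up.
const NOISY_TYPE = "google-native:cloudresourcemanager/v3:ProjectIamMember";

const SAMPLE_PREVIEW: PreviewOutput = {
  steps: [
    { op: "same", urn: "urn:pulumi:main::branches-main::pulumi:pulumi:Stack::branches-main-main" },
    {
      op: "update",
      urn: "urn:pulumi:main::branches-main::" + NOISY_TYPE + "::main-project-iam-member",
      diffReasons: ["member", "name", "role", "version"],
    },
  ],
  changeSummary: { same: 1, update: 1 },
};

// Constructed: the same IAM member about to be deleted. This must NOT be suppressed.
const SAMPLE_PREVIEW_DELETE: PreviewOutput = {
  steps: [
    { op: "delete", urn: "urn:pulumi:main::branches-main::" + NOISY_TYPE + "::main-project-iam-member" },
  ],
};

function main(): void {
  const allow = new Set<string>([NOISY_TYPE]);
  const cases: Array<[string, PreviewOutput]> = [
    ["spurious update", SAMPLE_PREVIEW],
    ["deletion", SAMPLE_PREVIEW_DELETE],
  ];
  for (const [label, preview] of cases) {
    const report = checkDrift(preview, allow);
    console.log(`${label}: ok=${report.ok} drifted=${report.drifted.length} suppressed=${report.suppressed.length}`);
  }
}
main();
```

In a pipeline this replaces `--expect-no-changes` with `pulumi preview --json`, `JSON.parse` of the captured output, and a non-zero exit when `ok` is false. The suppressed URNs and their `diffReasons` are still worth logging on every run, so the allow-list stays visible and can be removed the moment the provider stops reporting the phantom diff.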
braaar (Author) commented Apr 19, 2024

If anyone is facing the same issue, here is how I'm addressing this: getbranches/conf#366
