Modifying an IAMMember deletes the resource and doesn't recreate it.

[stooj]

Describe what happened

When modifying the name of a gcp.projects.IAMMember, the resource is deleted on changes.

The same thing happens with gcp.serviceaccount.IAMMember.

Pulumi deletes the old resource, and the create action "succeeds", but the resource is not actually created.

To reproduce:

1. pulumi up the code below
2. Check the users associated with the project with gcloud projects get-iam-policy ticket-5866 --flatten="bindings[].members" --format="table(bindings.members)"
3. Make a change to projectMember name (say, ticket-5866 -> ticket-5866foo)
4. Run another pulumi up
5. Check the users again using the same gcloud command.

Sample program

import * as gcp from "@pulumi/gcp";

// Project to house all this stuff
const ticketProject = new gcp.organizations.Project(
  "ticketProject",
  {
    name: "Ticket 5866",
    // deletionPolicy: "DELETE",
    projectId: "ticket-5866",
    orgId: "<REPLACE_WITH_ORG_ID>",
  },
  {
    retainOnDelete: true,
  },
);

// IAMMember
const projectMember = new gcp.projects.IAMMember("ticket-5866", {
  project: ticketProject.id,
  role: "roles/editor",
  member: "user:[email protected]",
});

Log output

change-iam-member.txt

Affected Resource(s)

• gcp.projects.IAMMember
• gcp.serviceaccount.IAMMember

Output of pulumi about

Tested with pulumi v3.113.0 and v3.134.1, and with pulumi/gcp 8.3.1.

CLI          
Version      3.134.1
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  gcp     8.3.1
language  nodejs  unknown

Host     
OS       nixos
Version  24.05 (Uakari)
Arch     x86_64

This project is written in nodejs: executable='/nix/store/ilkfhnqz4xczrliqjva8770x2svbfznd-nodejs-20.14.0/bin/node' version='v20.14.0'

Current Stack: stooj/5866/dev

TYPE                               URN
pulumi:pulumi:Stack                urn:pulumi:dev::5866::pulumi:pulumi:Stack::5866-dev
pulumi:providers:gcp               urn:pulumi:dev::5866::pulumi:providers:gcp::default_8_3_1
gcp:organizations/project:Project  urn:pulumi:dev::5866::gcp:organizations/project:Project::ticketProject
gcp:projects/iAMMember:IAMMember   urn:pulumi:dev::5866::gcp:projects/iAMMember:IAMMember::ticket-5866foo


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/stooj
User           stooj
Organizations  stooj, team-ce
Token type     personal

Dependencies:
NAME            VERSION
typescript      5.6.2
@pulumi/gcp     8.3.1
@pulumi/pulumi  3.134.1
@types/node     18.19.53

Pulumi locates its logs in /tmp by default

Additional context

A pulumi up --refresh will fix this, but since pulumi thinks the recreation succeeds the user isn't given any warning that things didn't actually work.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[guineveresaenger]

Hi @stooj - thank you for filing this issue. It sounds like there's a workaround for in the meantime but we'll take a look.

[VenelinMartinov]

This sounds like a structural resource which needs DeleteBeforeReplace in the schema. For example: https://github.com/pulumi/pulumi-aws/blob/3ff4fa4ddc54bcef6d043e7c62e0e881c6ecdaa5/provider/resources.go#L2435