New provider causes updates to fail #983

Open
solomonshorser opened this issue May 9, 2024 · 3 comments
Labels
kind/bug Some behavior is incorrect or out of spec


@solomonshorser

What happened?

We had to change the google-native provider from 0.26.1 to 0.32 recently for some newer features in the newer version.
When updating the stack, pulumi attempted to update a ServiceAccountPolicy, which failed with this error:

 google-native:iam/v1:ServiceAccountIamPolicy (my-sa-policy):
    error: error sending request: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>
    <html lang=en>
      <meta charset=utf-8>
      <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
      <title>Error 404 (Not Found)!!1</title>
      <style>
        *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
      </style>
      <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
      <p><b>404.</b> <ins>That’s an error.</ins>
      <p>The requested URL <code>/v1/projects/my-project/serviceAccounts/:setIamPolicy?alt=json</code> was not found on this server.  <ins>That’s all we know.</ins>
    : "https://iam.googleapis.com/v1/projects/my-project/serviceAccounts/:setIamPolicy" map[bindings:[map[members:[serviceAccount:my-sa.svc.id.goog[sa-1/my-sa-1]] role:roles/iam.workloadIdentityUser]] project:my-project serviceAccountId:]



The preview that pulumi shows looks like this:

        --google-native:iam/v1:ServiceAccountIamPolicy: (delete-replaced)
            [id=v1/projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:getIamPolicy]
            [urn=urn:pulumi:my-stack::my-pulumi-app::Stratus:ServiceAccount$google-native:iam/v1:ServiceAccountIamPolicy::my-sa]
            [provider=urn:pulumi:my-stack::my-pulumi-app::pulumi:providers:google-native::default_0_26_1::3cede355-6687-4339-a0d9-3219cf8ffec8]
        +-google-native:iam/v1:ServiceAccountIamPolicy: (replace)
            [id=v1/projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:getIamPolicy]
            [urn=urn:pulumi:my-stack::my-pulumi-app::Stratus:ServiceAccount$google-native:iam/v1:ServiceAccountIamPolicy::my-sa]
            [provider: urn:pulumi:my-stack::my-pulumi-app::pulumi:providers:google-native::default_0_26_1::3cede355-6687-4339-a0d9-3219cf8ffec8 => urn:pulumi:my-stack::my-pulumi-app::pulumi:providers:google-native::default_0_32_0::6e3a0b07-4c6f-48ec-9203-6efed0534372]
        ++google-native:iam/v1:ServiceAccountIamPolicy: (create-replacement)
            [id=v1/projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:getIamPolicy]
            [urn=urn:pulumi:my-stack::my-pulumi-app::Stratus:ServiceAccount$google-native:iam/v1:ServiceAccountIamPolicy::my-sa]
            [provider: urn:pulumi:my-stack::my-pulumi-app::pulumi:providers:google-native::default_0_26_1::3cede355-6687-4339-a0d9-3219cf8ffec8 => urn:pulumi:my-stack::my-pulumi-app::pulumi:providers:google-native::default_0_32_0::6e3a0b07-4c6f-48ec-9203-6efed0534372]

The only real difference is the provider.

The weird thing is that in summary mode, preview shows this:

 +-  │  └─ google-native:iam/v1:ServiceAccountIamPolicy        my-sa                                                        replace     [diff: ~serviceAccountId]

Where the diff is the serviceAccountId.

Example

The code that creates the ServiceAccountPolicy looks like this:

return new native.iam.v1.ServiceAccountIamPolicy(name, {
    bindings: [
        {
            members: [
                member,
            ],
            role: "roles/iam.workloadIdentityUser",
        },
    ],
    project: project,
    serviceAccountId: this.email,
}, { parent: this, dependsOn: dependencies });

Output of pulumi about

CLI
Version      3.115.1
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME           VERSION
resource  command        0.9.2
resource  gcp            7.21.1
resource  google-native  0.32.0
resource  kubernetes     4.11.0
resource  kubernetes     3.30.2
resource  kubernetes     3.30.2
language  nodejs         unknown

Host
OS       darwin
Version  13.6.6
Arch     x86_64

This project is written in nodejs: executable='/usr/local/bin/node' version='v20.3.0'


Backend


Organizations
Token type     personal

Dependencies:
NAME                              VERSION
@pulumi/google-native             0.32.0
@typescript-eslint/parser         2.34.0
@pulumi/command                   0.9.2
@pulumi/gcp                       7.21.1
@types/node                       12.20.55
@typescript-eslint/eslint-plugin  2.34.0
eslint                            6.8.0
@pulumi/kubernetes                4.11.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@solomonshorser solomonshorser added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels May 9, 2024
@mjeffryes
Member

Hi @solomonshorser. Unfortunately, we've de-prioritized investment in this provider, so we may not be able to look into this right away. Since the error is pretty explicit about the failure talking to the API, you might debug by examining what API calls the cli tool would make for the same request. (or what the older version of the provider would do if you triggered this replace.) My assumption is that the discovery docs we're using to generate these calls are just wrong about the API we need to use here.

@mjeffryes mjeffryes removed the needs-triage Needs attention from the triage team label May 11, 2024
@solomonshorser
Author

@mjeffryes I think the prior version of the provider used for these resources would have been 0.26.1.

I was able to work around this problem by forcing pulumi to destroy the ServiceAccountIamPolicy resource (and dependents), removing the related GCP ServiceAccount from the stack, and then tweaking the code so that it would do a lookup to retrieve the service account rather than trying to manage the ServiceAccount as its own resource.

If this provider has been deprioritized, I guess I should focus my future development to use the "classic" GCP provider, right?

@mjeffryes
Member

Thanks for sharing your workaround; I'm sorry you had to resort to unmanaging the SA to work around this. And yes, we would recommend using pulumi-gcp for any new resources and slowly migrating off of this provider as you are able.
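
The failing request quoted in the issue goes to `serviceAccounts/:setIamPolicy`, with nothing between the collection name and the method, and the dumped request map shows `serviceAccountId:` with no value. As an added example (not code from this issue or from the provider), the TypeScript helper below scans captured CLI output for Google API URLs with an empty resource ID segment; the function name `findEmptyResourceIds` and the sample lines are assumptions constructed from the error text above.

```typescript
// Added example: flag Google API request URLs whose resource ID segment is empty.
// Not part of the original issue; names and sample lines are constructed.

interface EmptyIdFinding {
  url: string;
  collection: string; // path segment that should be followed by an ID
  verb: string;       // custom method after the colon, "" if none
}

const URL_RE = /https:\/\/[a-z0-9.-]+\.googleapis\.com\/[^\s"'<>]+/g;

function findEmptyResourceIds(output: string): EmptyIdFinding[] {
  const findings: EmptyIdFinding[] = [];
  for (const url of output.match(URL_RE) ?? []) {
    // Drop the query string, then the scheme and host.
    const [noQuery = ""] = url.split("?");
    const path = noQuery.replace(/^https:\/\/[^/]+\//, "");
    const segments = path.split("/").slice(1); // skip the API version ("v1")
    // Remaining segments alternate: collection, id, collection, id, ...
    for (let i = 0; i + 1 < segments.length; i += 2) {
      const collection = segments[i] ?? "";
      const rawId = segments[i + 1] ?? "";
      // A custom method such as ":setIamPolicy" is appended to the last ID.
      const colon = rawId.lastIndexOf(":");
      const id = colon >= 0 ? rawId.slice(0, colon) : rawId;
      const verb = colon >= 0 ? rawId.slice(colon + 1) : "";
      if (id === "") findings.push({ url, collection, verb });
    }
  }
  return findings;
}

// Constructed sample: line 2 mirrors the failing call from the issue,
// line 3 is a well-formed call using the ID format shown in the preview.
const SAMPLE_OUTPUT = [
  "error: error sending request: googleapi: got HTTP response code 404",
  ': "https://iam.googleapis.com/v1/projects/my-project/serviceAccounts/:setIamPolicy" map[project:my-project serviceAccountId:]',
  "POST https://iam.googleapis.com/v1/projects/my-project/serviceAccounts/my-sa@my-project.iam.gserviceaccount.com:setIamPolicy",
].join("\n");

for (const f of findEmptyResourceIds(SAMPLE_OUTPUT)) {
  console.log(`empty ID after "${f.collection}" (method: ${f.verb}): ${f.url}`);
}
```

Running the same check over verbose output from the older provider version gives a direct comparison of the two request paths.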
