[Python, cloudresourcemanager] ProjectIamBinding requires project property, but does not expect it

[Portugapt]

What happened?

The error when not providing the project argument:

Diagnostics:
  google-native:cloudresourcemanager/v3:ProjectIamBinding (project-iam-binding-test-2):
    error: google-native:cloudresourcemanager/v3:ProjectIamBinding resource 'project-iam-binding-test-2' has a problem: missing required property 'project'. Either set it explicitly or configure it with 'pulumi config set google-native:project <value>'.

When I provide the argument project

      File "/workspace/./infra/gcp_pulumi/resource_manager/project_iam_binding/main.py", line 36, in do
        'project-iam-binding-test-1': rm.ProjectIamBinding(
      File "/usr/local/lib/python3.9/site-packages/pulumi_google_native/cloudresourcemanager/v3/project_iam_binding.py", line 138, in __init__
        __self__._internal_init(resource_name, *args, **kwargs)
    TypeError: _internal_init() got an unexpected keyword argument 'project'

Expected Behavior

The expected behavior was to explicitly state the project argument, which isn't possible.

As it is, I don't see how to explicitly state the project argument in the resource

pulumi-google-native/sdk/python/pulumi_google_native/cloudresourcemanager/v3/project_iam_binding.py

Lines 94 to 103 in 894acfc

	class ProjectIamBinding(pulumi.CustomResource):
	@overload
	def __init__(__self__,
	resource_name: str,
	opts: Optional[pulumi.ResourceOptions] = None,
	condition: Optional[pulumi.Input[pulumi.InputType['_iam.v1.ConditionArgs']]] = None,
	members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
	name: Optional[pulumi.Input[str]] = None,
	role: Optional[pulumi.Input[str]] = None,
	__props__=None):

Steps to reproduce

Any code that tries to create a ProjectIamBinding resource without defining the project globally.

My case:

from pulumi_google_native.cloudresourcemanager import v3 as rm

# ...

config = {"global": {
    "project": "my_project",
    "api_version": "google-native.cloudresourcemanager/v3.ProjectIamPolicy"
  }
}
do_output: Dict[str, rm.ProjectIamBinding] = {}

do_output.update({
      'project-iam-binding-test-1': rm.ProjectIamBinding(
          resource_name='project-iam-binding-test-1',
          project=config['global']['project'], # Argument with problems, remove for reproducability
          members=[
              Output.format(
                  'serviceAccount:{0}',
                  service_accounts["iam_sa_roles_and_sa_creator"].email
              )
          ],
          name=service_accounts["iam_sa_roles_and_sa_creator"].name,
          role='roles/iam.serviceAccountCreator',
      ),
      'project-iam-binding-test-2': rm.ProjectIamBinding(
          resource_name='project-iam-binding-test-2',
          project=config['global']['project'], # Argument with problems, remove for reproducability
          members=[
              Output.format(
                  'serviceAccount:{0}',
                  service_accounts["iam_sa_roles_and_sa_creator"].email
              )
          ],
          name=service_accounts["iam_sa_roles_and_sa_creator"].name,
          role='roles/iam.roleAdmin',
      )}
)

Output of pulumi about

I am running in Cloud Build.

CLI          
Version      3.66.0
Go Version   go1.20.3
Go Compiler  gc

Plugins
NAME           VERSION
google-native  0.30.0
python         unknown

Host     
OS       debian
Version  11.7
Arch     x86_64

This project is written in python: executable='/usr/local/bin/python3' version='3.9.16
'

Current Stack: organization/myproject/dev

TYPE                                 URN
pulumi:pulumi:Stack                  urn:pulumi:dev::myproject::pulumi:pulumi:Stack::myproject-dev
pulumi:providers:google-native       urn:pulumi:dev::myproject::pulumi:providers:google-native::default_0_30_0
google-native:iam/v1:Role            urn:pulumi:dev::myproject::google-native:iam/v1:Role::first_test_role
google-native:iam/v1:ServiceAccount  urn:pulumi:dev::myproject::google-native:iam/v1:ServiceAccount::iam_sa_roles_and_sa_creator
google-native:iam/v1:Role            urn:pulumi:dev::myproject::google-native:iam/v1:Role::second_test_role
google-native:iam/v1:ServiceAccount  urn:pulumi:dev::myproject::google-native:iam/v1:ServiceAccount::test_role


Found no pending operations associated with dev

Backend        
Name           44f4701f663d
URL            gs://pulumi-state-myproject-dev
User           root
Organizations  

Dependencies:
NAME                  VERSION
pip                   22.0.4
pulumi-google-native  0.30.0
setuptools            58.1.0
wheel                 0.40.0

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[thomas11]

Thanks you for reporting this with a repro, @Portugapt! At first glance this does indeed seem like a bug, at least with the error message.

As a workaround, if you cannot set the project globally, you can use explicit providers, one per project, and pass them to your resources in ResourceOption. Note that global configuration set via pulumi config does not apply to explicit providers, you'll need to set these configurations on the provider object.

[Portugapt]

As a workaround I did set pulumi config set google-native:project ${project}-${stack} on the script I use for the CI/CD.
But it's not ideal, as I had to do a pulumi init after some frustrating attempts at developing my infrastructure, and I can't set a project on a stack that does not exist yet.

In the meantime, I did manage to do what I wanted with the ProjectIamMember class.

Thank you for the less brittle workaround! I will try it.