We don't need to set the ID to "" in read-modify-write helpers, because
once they're done, we read anyways to update state based on the changes.
And that read checks if the binding/member still exists, and does the
SetId("") if it doesn't.
This way, we stick with state only getting set based on the API state,
not by what we think the state will be.

Tests need to have unique names. Whoooops.
Also, the Elem property accepts an interface I guess, which means we
actually need the struct type repetition there.

We were repeating that logic a lot, so this helper just reads a policy,
calls the passed modify function on the policy, then writes the policy
back and takes care of the optimistic concurrency logic for the caller.
So now all the caller has to do is the unique part, which is the modify
function.

Changing the role is ForceNew, because the role is part of the ID.

Make reads go through to the Binding functions, not the Policy
functions. That's embarrassing.

Add a resource that manages just a single binding within a Google
project's IAM Policy.
Note that this resource should not be used when
google_project_iam_policy is used, or they will fight over which is
correct.

This also required wrapping the error returned from setProjectIamPolicy,
as we need to test to see if it's a 409 error and retry, which can't be
done if we just use fmt.Errorf.
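
Added example, not code from these commits or from the provider: a self-contained Go sketch of the read-modify-write helper the messages describe, showing why the write error has to keep its status code so a 409 can be detected and retried without clobbering another writer's binding. `Policy`, `Binding`, `apiError`, `fakeAPI` and `readModifyWrite` are assumed names, the server is a constructed in-memory fake, and `%w` with `errors.As` is one way to do the wrapping.

```go
package main

import (
	"errors"
	"fmt"
)

// Binding and Policy are simplified stand-ins for the IAM types (assumed names).
type Binding struct{ Role, Member string }
type Policy struct { Etag int; Bindings []Binding }

// apiError keeps the HTTP status; formatting it with %v would flatten it to a string.
type apiError struct{ Code int }
func (e *apiError) Error() string { return fmt.Sprintf("HTTP %d", e.Code) }

// fakeAPI is a constructed in-memory server; rivals queues writes by other clients.
type fakeAPI struct { stored Policy; rivals []Binding }

func (a *fakeAPI) get() Policy { return Policy{a.stored.Etag, append([]Binding(nil), a.stored.Bindings...)} }

func (a *fakeAPI) set(p Policy) error {
	if len(a.rivals) > 0 { // another client writes first, which changes the etag
		a.stored = Policy{a.stored.Etag + 1, append(a.stored.Bindings, a.rivals[0])}
		a.rivals = a.rivals[1:]
	}
	if p.Etag != a.stored.Etag {
		return fmt.Errorf("setting policy: %w", &apiError{Code: 409})
	}
	a.stored = Policy{p.Etag + 1, p.Bindings}
	return nil
}

// readModifyWrite re-reads and re-applies modify after each 409, up to maxTries (>= 1).
func readModifyWrite(a *fakeAPI, maxTries int, modify func(*Policy)) (tries int, err error) {
	for tries = 1; tries <= maxTries; tries++ {
		p := a.get()
		modify(&p) // the caller's unique part
		var ae *apiError
		if err = a.set(p); err == nil || !errors.As(err, &ae) || ae.Code != 409 {
			return tries, err // success, or an error that retrying cannot fix
		}
	}
	return maxTries, fmt.Errorf("gave up after %d tries: %w", maxTries, err)
}

func main() {
	add := func(p *Policy) { p.Bindings = append(p.Bindings, Binding{"roles/editor", "user:a@example.com"}) }
	fmt.Println(readModifyWrite(&fakeAPI{rivals: []Binding{{"roles/viewer", "user:b@example.com"}}}, 3, add))
}
```

Because the modify function runs again on a fresh read after each conflict, the rival's binding survives alongside the caller's.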