I'm creating a Cloud Run service to act upon PubSub trigger using Terraform.
I've added the relevant terraform code, and besides that I also have the following portion already defined:
```hcl
# bind token creation permission to the default app engine service account
# to allow gcp cloud functions to create firebase custom tokens
resource "google_project_iam_member" "serviceAccountTokenCreator" {
  project = var.PROJECT_ID
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:${data.google_app_engine_default_service_account.default.email}"
}
```
I'm getting this weird behavior where, after `terraform apply`ing and provisioning the Cloud Run service, it deletes the previously defined `google_project_iam_member`. This is what `terraform plan` shows:
```text
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_project_iam_member.serviceAccountTokenCreator will be created
  + resource "google_project_iam_member" "serviceAccountTokenCreator" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = "serviceAccount:myproject@appspot.gserviceaccount.com"
      + project = "myproject"
      + role    = "roles/iam.serviceAccountTokenCreator"
    }
```
When I hit `terraform apply` again, it mutates the new `google_project_iam_binding` resource that was created. This is what I get for `terraform plan`:
```text
Terraform will perform the following actions:

  # google_project_iam_binding.dsp-records will be updated in-place
  ~ resource "google_project_iam_binding" "dsp-records" {
        id      = "myproject/roles/iam.serviceAccountTokenCreator"
      ~ members = [
          - "serviceAccount:myproject@appspot.gserviceaccount.com",
            # (1 unchanged element hidden)
        ]
        # (3 unchanged attributes hidden)
    }
```
And so I'm getting this weird circle every time I hit `terraform apply`.

This is how I defined `google_project_iam_binding`:
```hcl
resource "google_service_account" "dsp-records" {
  account_id   = "dsp-records-invoker"
  display_name = "dsp-records Cloud Run Pub/Sub Invoker"
}

resource "google_cloud_run_service_iam_binding" "dsp-records" {
  location = google_cloud_run_service.dsp-records.location
  service  = google_cloud_run_service.dsp-records.name
  role     = "roles/run.invoker"
  members  = ["serviceAccount:${google_service_account.dsp-records.email}"]
}

resource "google_project_iam_binding" "dsp-records" {
  project = google_cloud_run_service.dsp-records.project
  role    = "roles/iam.serviceAccountTokenCreator"
  members = ["serviceAccount:${google_service_account.dsp-records.email}"]
}
```
Can someone explain this?
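An added example, not part of the question: the same two grants rewritten so they stop removing each other. `google_project_iam_binding` is authoritative for its role and strips every member it does not list, while `google_project_iam_member` manages only one (role, member) pair, so two of them for the same role coexist. Resource names and the `dsp-records` service account are taken from the question.

```hcl
# Existing grant for the App Engine default service account, unchanged from the
# question. google_project_iam_member is non-authoritative: Terraform adds or
# removes this one member and leaves other members of the role alone.
resource "google_project_iam_member" "serviceAccountTokenCreator" {
  project = var.PROJECT_ID
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:${data.google_app_engine_default_service_account.default.email}"
}

# Replacement for the authoritative google_project_iam_binding "dsp-records".
# Two *_iam_member resources on the same role do not fight over the member
# list, so the plan is empty after the first apply instead of flip-flopping.
resource "google_project_iam_member" "dsp-records" {
  project = google_cloud_run_service.dsp-records.project
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:${google_service_account.dsp-records.email}"
}

# Alternative: one authoritative binding that lists every member of the role.
# Use this INSTEAD of the two member resources above, never alongside them,
# or the same flip-flop comes back.
#
# resource "google_project_iam_binding" "serviceAccountTokenCreator" {
#   project = var.PROJECT_ID
#   role    = "roles/iam.serviceAccountTokenCreator"
#   members = [
#     "serviceAccount:${data.google_app_engine_default_service_account.default.email}",
#     "serviceAccount:${google_service_account.dsp-records.email}",
#   ]
# }
```

A project-level `roles/iam.serviceAccountTokenCreator` grant lets the member mint tokens for every service account in the project; if the invoker only needs to act as one specific account, granting the same role on that account with `google_service_account_iam_member` is the narrower choice.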