
I can create a new pub/sub topic in my templates and a new service account.

I can see how to give that service account project-wide pub/sub access: https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources

Also, that example seems to be using a different resource type; this is my template:

resources:
  - name: "mytopic"
    type: gcp-types/pubsub-v1:projects.topics
    #type: pubsub-v1ubsub.v1.topic
    properties:
      topic: "mytopic"
      labels:
        my-label: mytopic

I'm using gcp-types/pubsub-v1:projects.topics; when I switch to pubsub-v1ubsub.v1.topic I get:

- code: RESOURCE_NOT_FOUND
  message: The type [pubsub-v1ubsub.v1.topic] was not found.

If I try to add accessControl to gcp-types/pubsub-v1:projects.topics I get:

- code: RESOURCE_ERROR
  location: /deployments/mydeployment/resources/mytopic
  message: '{"ResourceType":"gcp-types/pubsub-v1:projects.topics","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
    Found","requestPath":"https://pubsub.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}

I want to create a new topic, new service account, and give that service account access to that specific topic only.

Is this possible in Deployment Manager?

This is the full template with accessControl:

resources:
  - name: "mytopic"
    type: gcp-types/pubsub-v1:projects.topics
    #type: pubsub-v1ubsub.v1.topic
    properties:
      topic: "mytopic"
      labels:
        label: "sdfsdfsdf"
    accessControl:
      gcpIamPolicy:
        bindings:
        - role: roles/pubsub.editor
          members:
          - "serviceAccount:[email protected]"
        - role: roles/pubsub.publisher
          members:
          - "serviceAccount:[email protected]"

Edit

I think I got this working, but now I have a question about dependencies. Do I need to declare that the ACL resource is dependent on the pub/sub resource? Or is this unnecessary? If I don't include it, it works, but I want to confirm that it won't ever fail and try to deploy the ACL first or something.

(Google could do with adding a complete example to their docs - it would go a long way toward making them much more accessible).

resources:
  - name: "mytopic"
    type: gcp-types/pubsub-v1:projects.topics
    properties:
      topic: "mytopic"

  - name: "mytopic-permissions"
    type: pubsub.v1.topic
    properties:
      topic: "mytopic"
    accessControl:
      gcpIamPolicy:
        bindings:
        - role: roles/pubsub.editor
          members:
          - "serviceAccount:[email protected]"
        - role: roles/pubsub.publisher
          members:
          - "serviceAccount:[email protected]"
    # Do I need this? If I don't have it, deploys still seem to work
    metadata:
      dependsOn:
      - "mytopic"
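For reference, here is a single Deployment Manager config that does all three things asked for above (new topic, new service account, and a binding scoped to that one topic). It is an added example, not code from the original post or from Google's docs; the deployment name, topic name and service account ID are assumptions, and the IAM policy is attached directly to the `pubsub.v1.topic` resource, which is the type the linked set-access-control-resources page uses with `accessControl`.

```yaml
# Added example (not from the original post). Assumed names:
# deployment "mydeployment", topic "mytopic", service account "mytopic-publisher".
# Deploy with:
#   gcloud deployment-manager deployments create mydeployment --config config.yaml
resources:
  # The service account that should be allowed to publish to the topic.
  - name: mytopic-publisher-sa
    type: iam.v1.serviceAccount
    properties:
      accountId: mytopic-publisher
      displayName: Publisher for mytopic

  # The topic, with its IAM policy set on the topic itself rather than on the
  # project, so the account gets access to this one topic only.
  - name: mytopic
    type: pubsub.v1.topic
    properties:
      topic: mytopic
    accessControl:
      gcpIamPolicy:
        bindings:
          # Least privilege: the account only needs to publish, so it gets
          # roles/pubsub.publisher here instead of roles/pubsub.editor.
          - role: roles/pubsub.publisher
            members:
              # $(ref.<resource>.email) resolves to the email of the service
              # account created above. Because this resource references the
              # service account, Deployment Manager creates the account first;
              # no metadata.dependsOn is needed for that ordering.
              - serviceAccount:$(ref.mytopic-publisher-sa.email)
```

On the dependency question: Deployment Manager orders resources by `$(ref.…)` references, so a resource that references another is always created after it. A resource that only names the topic in a plain string, as the separate `mytopic-permissions` resource does, carries no such reference, and `metadata.dependsOn` is the way to make that ordering explicit rather than relying on creation order. `accessControl` is applied with a `setIamPolicy` call on the resource (the same call visible in the error's `requestPath`), which writes the whole policy for that topic, so after deploying confirm the result with `gcloud pubsub topics get-iam-policy mytopic`.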
  • I'm not seeing the puzzle. If I read here .. cloud.google.com/deployment-manager/docs/configuration/… ... it seems that in the example, they are creating a new topic and then ON THAT TOPIC are giving certain users, certain roles for JUST that topic rather than all topics. Are you seeing something different or have a different understanding?
    – Kolban
    Commented Oct 21, 2019 at 18:07
  • Perhaps I misread that then. Where do I see the topic permissions in the UI? Is it visible there or only with gcloud? Also, when trying that example I get this error: ` message: '{"ResourceType":"gcp-types/pubsub-v1:projects.topics","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not Found","requestPath":"pubsub.googleapis.com/v1/…"}}'`
    – red888
    Commented Oct 21, 2019 at 19:29
  • Go to Cloud Console. Go to Pub/Sub. Go to the list of topics. See the existing topic. On the right-hand side of the table row, see "3 dots". Click. Click View Permissions.
    – Kolban
    Commented Oct 21, 2019 at 19:51
  • Can you show your full Deployment Manager file with your accessControl definition?
    Commented Oct 21, 2019 at 20:09
  • Added the full template.
    – red888
    Commented Oct 21, 2019 at 20:29
