Reputation: 1190
I'm having issues with using iam_policy resource types without getting myself locked out on terraform destroy. This applies to resource types like google_storage_bucket_iam_policy and google_project_iam_policy.
This example applies to the google_storage_bucket_iam_policy resource. Let's say I have a list of owners and the service account used by Terraform, both to be granted the roles/storage.admin role.
resource "google_storage_bucket" "default" {
  name     = "default"
  location = "EU"
}

# Authoritative bucket-level policy: the owners and the service account that
# runs Terraform are all granted roles/storage.admin on the bucket.
data "google_iam_policy" "owners" {
  binding {
    role = "roles/storage.admin"
    members = [
      "${var.owners}",
      "${var.serviceAccount}",
    ]
  }
}

resource "google_storage_bucket_iam_policy" "owners" {
  bucket      = "${google_storage_bucket.default.name}"
  policy_data = "${data.google_iam_policy.owners.policy_data}"
}
The order of the resource creation is bucket first, then policy. Naturally, the destroy action processes the resources in reverse order: policy first, then bucket. However, after the policy removal the service account doesn't have sufficient privileges for the bucket removal.
Perhaps a way around could be using the google_storage_bucket_iam_member resource for the owners; however, this approach doesn't seem very clean as it inherits whatever was defined on the project previously, which could be quite messy.
Btw, the same logic applies on the project level to the resource google_project_iam_policy. Thanks in advance.
Upvotes: 6
Views: 936
Reputation: 7327
You can create an explicit dependency which will:
Here is your example with a depends_on added:
resource "google_storage_bucket" "default" {
  name       = "default"
  location   = "EU"
  depends_on = ["google_storage_bucket_iam_policy.owners"]
}

data "google_iam_policy" "owners" {
  binding {
    role = "roles/storage.admin"
    members = [
      "${var.owners}",
      "${var.serviceAccount}",
    ]
  }
}

# The bucket name is a literal here rather than a reference to
# google_storage_bucket.default, so the depends_on above does not form a cycle.
resource "google_storage_bucket_iam_policy" "owners" {
  bucket      = "default"
  policy_data = "${data.google_iam_policy.owners.policy_data}"
}
Upvotes: 2
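The following is an added example, not code from the question or the answer above, covering the destroy-order lockout the question describes and the explicit-dependency idea the answer proposes. It keeps the owners under an authoritative bucket-level policy while moving the deploying service account's own grant one level up, to the project, where the bucket policy cannot remove it. It assumes Terraform 0.12+ syntax, the Google provider, and three caller-supplied variables (project, owners, terraform_sa) that are not part of the original post.

```hcl
# Added example (not from the question or the answer): owners get an
# authoritative bucket-level policy; the credential running Terraform is
# granted roles/storage.admin at the project level instead, so it is still
# able to delete the bucket after the bucket policy has been destroyed.
# Assumptions: Terraform 0.12+ syntax, Google provider, variables below are
# supplied by the caller and are hypothetical names.

variable "project"      { type = string }        # assumed: GCP project id
variable "owners"       { type = list(string) }  # e.g. ["user:alice@example.com"]
variable "terraform_sa" { type = string }        # e.g. "serviceAccount:tf@my-proj.iam.gserviceaccount.com"

# The deployer's grant is non-authoritative (*_iam_member), so it touches no
# other project binding. Bucket IAM is inherited from the project, and
# google_storage_bucket_iam_policy only replaces bucket-level bindings, so
# this grant is untouched when the bucket policy below is destroyed.
resource "google_project_iam_member" "terraform_sa_storage_admin" {
  project = var.project
  role    = "roles/storage.admin"
  member  = var.terraform_sa
}

# The bucket depends on the project-level grant, so on destroy Terraform
# removes the grant only after the bucket is gone. Nothing here references
# the bucket from the member resource, so there is no dependency cycle.
resource "google_storage_bucket" "default" {
  name     = "default"
  location = "EU"

  depends_on = [google_project_iam_member.terraform_sa_storage_admin]
}

# Authoritative bucket-level policy: every binding not listed here is removed
# from the bucket, so the owners are managed exactly, and the deployer does
# not need to appear in this list at all.
data "google_iam_policy" "bucket" {
  binding {
    role    = "roles/storage.admin"
    members = var.owners
  }
}

resource "google_storage_bucket_iam_policy" "bucket" {
  bucket      = google_storage_bucket.default.name
  policy_data = data.google_iam_policy.bucket.policy_data
}
```

The resulting destroy order is bucket policy, then bucket, then the project-level grant, so the service account still holds roles/storage.admin when the bucket deletion runs. Two caveats a practitioner should check first: the service account needs permission to set the project IAM policy (for example roles/owner or roles/resourcemanager.projectIamAdmin) for it to manage its own grant, and many teams prefer to create that bootstrap grant outside the configuration entirely rather than have the deployer remove its own access as the last step. For the project-level google_project_iam_policy case from the question, the same pattern applies one level higher: keep the deployer's grant at the folder or organization level, outside the authoritative project policy.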