hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Terraform doesn't remove Deleted Service Account IAM Assignments on BQ Dataset #11579

Open ryanbianchi-lbg opened 2 years ago

ryanbianchi-lbg commented 2 years ago

We have found a possible issue whereby Terraform seems to ignore IAM assignments for deleted service accounts.

Our scenario is as follows:

Is this behaviour expected or should the provider still remove the IAM assignment even after the Service Account has been deleted?


Noah-Codex commented 3 months ago

Some clarifications for future readers:

  1. This behavior can be replicated in a single project by deleting a service account (in Terraform) and attempting to apply the same Dataset IAM role on another service account.
  2. Whether or not this is intended, if this causes Terraform state issues (e.g. trying to apply changes to the deleted service account), a solution is to delete the IAM permissions on the affected dataset. At the time of posting, that looks like:
    1. Go to the affected GCP project's BigQuery service.
    2. Click on the dataset the service account had IAM permissions on prior to deletion.
    3. Click on Sharing > Permissions.
    4. Find the permission on the deleted service account. Hovering over this will even clarify that the service account has been deleted.
    5. Manually delete the permission, assuming the user has the permissions to do so.

Note that this (a) does not clarify the cause of the issue and (b) can probably be done with a CLI command.
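For readers who want to do the clean-up step above programmatically rather than through the console, the following is an added example (it is not code from the terraform-provider-google project or from either commenter). It works on a dataset IAM policy in the standard Cloud IAM JSON shape (`bindings` / `members` / `etag`), where a principal that has been deleted is rendered with a `deleted:` prefix and a `?uid=` suffix so that a recreated account with the same email does not silently inherit the binding. The sample policy, project name and service account emails are constructed; fetching the policy and writing the cleaned version back with the CLI is left to the operator.

```python
"""Strip IAM bindings for deleted principals from a BigQuery dataset IAM policy.

Added example, not part of the terraform-provider-google project. The policy
shape (bindings/members/etag) is the standard Cloud IAM policy format; the
sample policy below is constructed.
"""
import copy
import json
from typing import Dict, List, Tuple

# Cloud IAM marks a deleted principal with a "deleted:" prefix and a
# "?uid=<unique id>" suffix. The stale binding still occupies the role and is
# what the console shows as "deleted" on hover. Values below are constructed.
SAMPLE_POLICY = {
    "etag": "BwXyz-constructed",
    "bindings": [
        {
            "role": "roles/bigquery.dataViewer",
            "members": [
                "serviceAccount:reporting@example-project.iam.gserviceaccount.com",
                "deleted:serviceAccount:etl-old@example-project.iam.gserviceaccount.com?uid=123456789012345678901",
            ],
        },
        {
            "role": "roles/bigquery.dataEditor",
            "members": [
                "deleted:serviceAccount:etl-old@example-project.iam.gserviceaccount.com?uid=123456789012345678901",
            ],
        },
    ],
}


def is_deleted_member(member: str) -> bool:
    """True for principals IAM has marked as deleted (deleted:user:..., deleted:serviceAccount:...)."""
    return member.startswith("deleted:")


def strip_deleted_members(policy: Dict) -> Tuple[Dict, List[Tuple[str, str]]]:
    """Return (cleaned_policy, removed) where removed lists the (role, member) pairs dropped.

    Bindings left with no members are removed entirely, which is what the IAM
    API expects. The etag is preserved so a later setIamPolicy call can detect
    a concurrent edit instead of overwriting it. The input is not mutated.
    """
    cleaned = copy.deepcopy(policy)
    removed: List[Tuple[str, str]] = []
    kept_bindings = []
    for binding in cleaned.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        live = [m for m in members if not is_deleted_member(m)]
        removed.extend((role, m) for m in members if is_deleted_member(m))
        if live:
            binding["members"] = live
            kept_bindings.append(binding)
    cleaned["bindings"] = kept_bindings
    return cleaned, removed


if __name__ == "__main__":
    new_policy, dropped = strip_deleted_members(SAMPLE_POLICY)
    for role, member in dropped:
        print(f"removing {member} from {role}")
    print(json.dumps(new_policy, indent=2))
```

Running the script on the constructed policy reports the two stale `etl-old` bindings and leaves only the live `reporting` viewer binding, with the original etag intact. A periodic run of the same check over all datasets in a project is also a cheap way to surface the drift this issue describes before it shows up as a Terraform apply failure.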