Closed djmcgreal-cc closed 4 months ago
github-actions[bot]
commented
6 months ago This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
github-actions[bot]
commented
5 months ago This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
github-actions[bot]
commented
4 months ago This issue was automatically closed because of stale in 10 days
github-actions[bot]
commented
3 months ago I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Is your request related to a problem? Please describe.
A process that assumes a role managed by module/iam-assumable-role-with-oidc (though presumably this is a general problem) needs to do some cleanup on
terraform destroybut it can't because there's nothing in the dependency graph to prevent terraform from removing the module's policy attachment.I can't add a
depends_onto the iam module because this would be cyclic.Describe the solution you'd like.
I imagine whoever reads this will be more expert than me but the module(s) could either
attachment_depends_onvariable, but now I'm not sure as this might create some funny behaviour in the dependency where the dependency assumes the role but the attachment isn't created yet.Describe alternatives you've considered.
Set
role_policy_arnsto [] and create them myself out of the module, then add a dependency to them from the process that assumes the role. Not too bad, but it's a fair chunk of the functionality managed by the module.Additional context