Closed djmcgreal-cc closed 4 months ago
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Is your request related to a problem? Please describe.
A process that assumes a role managed by module/iam-assumable-role-with-oidc (though presumably this is a general problem) needs to do some cleanup on
terraform destroy
but it can't because there's nothing in the dependency graph to prevent terraform from removing the module's policy attachment.I can't add a
depends_on
to the iam module because this would be cyclic.Describe the solution you'd like.
I imagine whoever reads this will be more expert than me but the module(s) could either
attachment_depends_on
variable, but now I'm not sure as this might create some funny behaviour in the dependency where the dependency assumes the role but the attachment isn't created yet.Describe alternatives you've considered.
Set
role_policy_arns
to [] and create them myself out of the module, then add a dependency to them from the process that assumes the role. Not too bad, but it's a fair chunk of the functionality managed by the module.Additional context