terraform-google-modules / terraform-google-kubernetes-engine

Configures opinionated GKE clusters
https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google
Apache License 2.0
1.15k stars 1.17k forks

Unable to delete Workload Identity module after creation #2106

Open bwburch opened 2 months ago

bwburch commented 2 months ago

TL;DR

I have created some resources using terraform-google-workload-identity - Google service account, kubernetes service account and IAM binding. The problem I am having is deleting these resources. When I remove the module from the manifest, it returns the following error: Error: Cycle: module.kubernetes.google_container_cluster.primary[0], module.kubernetes.provider["registry.terraform.io/hashicorp/kubernetes"], module.kubernetes.module.my-app-workload-identity.kubernetes_service_account.main[0] (destroy) which isn't detailed.

Expected behavior

The workload identity module should remove the workload identities and any resources allocated during the creation.

Observed behavior

Error: Cycle: module.gke.module.gke.google_container_node_pool.pools["hr-tech-dev-np"], module.gke.module.workload-identity["fileupload"].kubernetes_service_account.main[0] (destroy), module.gke.module.gke.random_string.cluster_service_account_suffix, module.gke.module.gke.local.service_account_default_name (expand), module.gke.module.gke.google_service_account.cluster_service_account[0], module.gke.module.gke.local.service_account_list (expand), module.gke.module.gke.local.service_account (expand), module.gke.module.workload-identity["learning"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["iam"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["dataload"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["bgcheck"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["associate-sched"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["encryption"].kubernetes_service_account.main[0] (destroy), module.gke.module.gke.local.cluster_output_master_auth (expand), module.gke.module.gke.local.cluster_master_auth_list_layer1 (expand), module.gke.module.gke.local.cluster_master_auth_list_layer2 (expand), module.gke.module.gke.local.cluster_master_auth_map (expand), module.gke.module.gke.local.cluster_ca_certificate (expand), module.gke.module.gke.output.ca_certificate (expand), module.gke.provider["registry.terraform.io/hashicorp/kubernetes"], module.gke.module.workload-identity["associate"].kubernetes_service_account.main[0] (destroy), module.gke.module.gke.google_container_cluster.primary, module.gke.module.gke.local.cluster_endpoint (expand), module.gke.module.gke.output.endpoint (expand)

Terraform Configuration

locals {
  workload_identities = {
    "bgcheck" = {
      name  = "sa-bgcheck"
      roles = [
        "roles/cloudsql.client",
        "roles/cloudsql.instanceUser",
        "roles/iam.serviceAccountTokenCreator",
        "roles/secretmanager.secretAccessor",
        "roles/pubsub.publisher",
        "roles/pubsub.subscriber"
      ]
    }
    # Trying to remove this one: dataload
    "dataload" = {
      name  = "sa-dataload"
      roles = [
        "roles/cloudsql.client",
        "roles/cloudsql.instanceUser",
        "roles/iam.serviceAccountTokenCreator",
        "roles/secretmanager.secretAccessor",
        "roles/pubsub.publisher",
        "roles/pubsub.subscriber"
      ]
    }
  }
}

module "workload-identity" {
  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"

  for_each   = local.workload_identities

  name       = each.value.name         # KSA name
  namespace  = "my-namespace"
  project_id = var.project_id
  roles      = each.value.roles        # Custom roles per service account
  annotate_k8s_sa = true
}

Terraform Version

1.3.0

Additional information

No response
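The cycle message above is one long comma-separated list of graph nodes, which makes it hard to see at a glance which nodes are being destroyed (the Kubernetes service accounts), which are provider or output expansions, and where the kubernetes provider sits in the loop. The following is an added triage helper, not code from this issue or from the terraform-google-kubernetes-engine project: it parses a Terraform "Error: Cycle:" message into addresses, module paths, node kinds and actions, so the destroy nodes and the provider node can be pulled out of a report like this one. The sample message is a constructed, shortened version of the error reported above.

```python
"""Parse a Terraform "Error: Cycle:" message into its graph nodes for triage.

Added example; the sample message below is a constructed, trimmed version
of the cycle reported in the issue, not the full text.
"""
import re
from collections import defaultdict

# Constructed sample (shortened from the reported error).
SAMPLE_CYCLE = (
    'Error: Cycle: '
    'module.gke.module.gke.google_container_node_pool.pools["hr-tech-dev-np"], '
    'module.gke.module.workload-identity["dataload"].kubernetes_service_account.main[0] (destroy), '
    'module.gke.module.gke.local.cluster_ca_certificate (expand), '
    'module.gke.module.gke.output.ca_certificate (expand), '
    'module.gke.provider["registry.terraform.io/hashicorp/kubernetes"], '
    'module.gke.module.gke.google_container_cluster.primary, '
    'module.gke.module.gke.output.endpoint (expand)'
)

# A node is "<address>" optionally followed by " (<action>)", e.g. "(destroy)".
NODE_RE = re.compile(r'^(?P<addr>.+?)(?: \((?P<action>[a-z]+)\))?$')


def split_nodes(message):
    """Split the node list after the 'Error: Cycle:' prefix on commas.

    Commas inside quoted index keys (["a,b"]) are left alone so a key
    containing a comma does not split one node into two.
    """
    prefix = "Error: Cycle:"
    body = message.strip()
    if body.startswith(prefix):
        body = body[len(prefix):]
    nodes, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ',' and not in_quote:
            nodes.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        nodes.append(''.join(current).strip())
    return [n for n in nodes if n]


def split_address(addr):
    """Split an address on '.' outside quotes and brackets.

    Needed because provider keys such as ["registry.terraform.io/..."]
    contain dots that are not path separators.
    """
    parts, cur, depth, in_quote = [], [], 0, False
    for ch in addr:
        if ch == '"':
            in_quote = not in_quote
        elif ch == '[' and not in_quote:
            depth += 1
        elif ch == ']' and not in_quote:
            depth -= 1
        if ch == '.' and not in_quote and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def classify(node):
    """Return {address, module, kind, action} for one node string.

    action is the parenthesised suffix ('destroy', 'expand', ...) or 'apply'
    when Terraform prints none. kind is 'provider', 'local', 'output',
    'var', 'data' or 'resource'.
    """
    m = NODE_RE.match(node)
    addr = m.group('addr')
    action = m.group('action') or 'apply'
    parts = split_address(addr)
    mod = []
    while len(parts) >= 2 and parts[0] == 'module':  # peel module.<name> pairs
        mod.append('module.' + parts[1])
        parts = parts[2:]
    first = parts[0] if parts else ''
    if first.startswith('provider'):
        kind = 'provider'
    elif first in ('local', 'output', 'var', 'data'):
        kind = first
    else:
        kind = 'resource'
    return {'address': addr, 'module': '.'.join(mod), 'kind': kind, 'action': action}


def summarize(message):
    """Group the cycle's node addresses by action (destroy / expand / apply)."""
    groups = defaultdict(list)
    for node in split_nodes(message):
        info = classify(node)
        groups[info['action']].append(info['address'])
    return dict(groups)


if __name__ == '__main__':
    for action, addrs in summarize(SAMPLE_CYCLE).items():
        print(action)
        for a in addrs:
            print('  ', a)
```

Run against the full message from the issue, the destroy group lists each workload-identity KSA being removed, while the apply group contains the cluster, its node pool and the kubernetes provider, which is what ties the removal to the cluster outputs the provider is configured from.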

flozzone commented 3 weeks ago

@bwburch Which version of terraform-google-kubernetes-engine are you currently using? It seems you haven't pinned the version in your workload-identity module definition. And which Google provider are you using in your required-provider block?

bwburch commented 2 weeks ago

Here's the version:

source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
version = "~> 30.2.0"

terraform {
  required_version = "~> 0.12.6"

  required_providers {
    google      = "~> 2.1"
    google-beta = "~> 2.1"
  }
}

flozzone commented 2 weeks ago

OK, these are the constraints, but which are you actually using?

bwburch commented 2 weeks ago

terraform-google-kubernetes-engine: the actual version being used is 30.2.0; there are no patched versions for this module.

required-provider: version 3.5.0

Also thank you so much for taking the time to help resolve this issue!