When the project is destroyed, if it was created with the default Service Account and attached to a VPC-SC Service Perimeter, and the perimeter uses this default Service Account in an ingress or egress rule, the destroy execution fails in a deadlock.
The reason for this is that the default Service Account (google_service_account.default_service_account) is destroyed before the project is detached from the perimeter, so when the resource google_access_context_manager_service_perimeter_resource.service_perimeter_attachment is destroyed it actually submits the whole perimeter configuration in the API call, which still contains the already destroyed Service Account, so the attachment fails to destroy. Sample output:
Error: Error when reading or editing ServicePerimeterResource: googleapi: Error 400: The email address 'sa-my-test@.iam.gserviceaccount.com' is invalid or non-existent.
Expected behavior
Resources should be destroyed in the correct sequence:
1st detach project from perimeter
2nd destroy the default Service Account
Observed behavior
It is not possible to destroy all resources, placing the execution in a deadlock.
Terraform Configuration
Terraform Version
Additional information
No response
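The ordering problem described above, as an added illustration (this is not the reporter's configuration and not the project-factory module's code). It assumes placeholder names throughout: the project ID, the project number, the access policy number and the perimeter name are made up, and the ingress rule names the account's email as a literal string, which is the situation the report describes (the perimeter and its rules are managed outside the module, so nothing in the graph ties the attachment to the account). Two attachment resources are shown side by side only for contrast; a real configuration would keep one of them.

```hcl
# Added illustration, not the project-factory module's code. All project IDs,
# numbers and policy names below are placeholders (assumptions).

# Stand-in for google_service_account.default_service_account in the report.
resource "google_service_account" "default_service_account" {
  project      = "my-test-project" # assumed project ID
  account_id   = "sa-my-test"
  display_name = "Project default service account"
}

# Stand-in for a perimeter managed outside the module. The ingress rule names
# the account by a literal email, not by interpolating the resource attribute,
# so Terraform has no edge from the perimeter to the account and is free to
# destroy the account at any point relative to the perimeter's attachments.
resource "google_access_context_manager_service_perimeter" "perimeter" {
  parent = "accessPolicies/123456789" # assumed access policy number
  name   = "accessPolicies/123456789/servicePerimeters/my_perimeter"
  title  = "my_perimeter"

  status {
    restricted_services = ["storage.googleapis.com"]

    ingress_policies {
      ingress_from {
        # Literal identity (assumed project ID), exactly what the report's
        # error message complains about once the account is gone.
        identities = ["serviceAccount:sa-my-test@my-test-project.iam.gserviceaccount.com"]
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "*"
          }
        }
      }
    }
  }

  # The resources list is owned by the separate attachment resource below.
  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

# Failing shape: the attachment depends only on the perimeter. On destroy,
# Terraform may delete the service account first; the attachment's delete then
# rewrites a perimeter whose ingress rule still lists the deleted email, and the
# API rejects the write (the "invalid or non-existent" 400 in the report).
resource "google_access_context_manager_service_perimeter_resource" "attachment_broken" {
  perimeter_name = google_access_context_manager_service_perimeter.perimeter.name
  resource       = "projects/123456789012" # assumed project number
}

# Ordered shape: an explicit dependency from the attachment to the account.
# Terraform destroys dependents before the resources they depend on, so the
# project is detached from the perimeter before the account is deleted, which
# is the sequence the "Expected behavior" section asks for.
resource "google_access_context_manager_service_perimeter_resource" "attachment_fixed" {
  perimeter_name = google_access_context_manager_service_perimeter.perimeter.name
  resource       = "projects/123456789012" # assumed project number

  depends_on = [google_service_account.default_service_account]
}
```

The `depends_on` edge changes nothing on create (the attachment would be created after the account either way) and only matters on destroy, where it forces the reverse order. It is an assumption of this illustration, not something the report confirms, that such an edge inside the module is enough; in a setup where the perimeter and its rules live in a different Terraform state, the edge has to be placed on the attachment resource because that is the only resource in the module's graph that touches the perimeter.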