Ability to prevent policy detachment to allow assumable-role dependants to clear up #467
This issue has been automatically marked as stale because it has been open 30 days
This issue was automatically closed because of stale in 10 days
Is your request related to a problem? Please describe.
A process that assumes a role managed by module/iam-assumable-role-with-oidc (though presumably this is a general problem) needs to do some cleanup on `terraform destroy` but it can't because there's nothing in the dependency graph to prevent terraform from removing the module's policy attachment. I can't add a `depends_on` to the iam module because this would be cyclic.

Describe the solution you'd like.
I imagine whoever reads this will be more expert than me but the module(s) could either `attachment_depends_on` variable, but now I'm not sure as this might create some funny behaviour in the dependency where the dependency assumes the role but the attachment isn't created yet.

Describe alternatives you've considered.
Set `role_policy_arns` to [] and create them myself out of the module, then add a dependency to them from the process that assumes the role. Not too bad, but it's a fair chunk of the functionality managed by the module.

Additional context
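
Added example, not from the issue author or the module's maintainers: a sketch of the alternative described above, with the attachment created outside the module and the role consumer depending on it. The registry source path, the variable names, the role name, `null_resource.role_consumer` and `cleanup.sh` are assumptions made for illustration.

```hcl
# Added illustration; variable names, role name and cleanup.sh are hypothetical.
variable "oidc_provider_url" { type = string }  # OIDC issuer URL for the role's trust policy
variable "cleanup_policy_arn" { type = string } # policy the cleanup process needs

module "iam_role" {
  # Assumed registry path for the module named in the issue.
  source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"

  create_role      = true
  role_name        = "example-cleanup-role" # constructed name
  provider_url     = var.oidc_provider_url
  role_policy_arns = [] # the module attaches nothing itself
}

# Attachment managed outside the module so other resources can depend on it
# without creating a cycle through the module.
resource "aws_iam_role_policy_attachment" "cleanup" {
  role       = module.iam_role.iam_role_name
  policy_arn = var.cleanup_policy_arn
}

# Stand-in for the process that assumes the role.
resource "null_resource" "role_consumer" {
  # Destroy-time provisioners may only reference self, so the role ARN is
  # stored in triggers.
  triggers = {
    role_arn = module.iam_role.iam_role_arn
  }

  # Terraform destroys in reverse dependency order: this resource's
  # destroy-time provisioner finishes first, then the attachment is
  # detached, then the role itself is removed.
  depends_on = [aws_iam_role_policy_attachment.cleanup]

  provisioner "local-exec" {
    when    = destroy
    command = "./cleanup.sh" # hypothetical script that assumes ROLE_ARN
    environment = {
      ROLE_ARN = self.triggers.role_arn
    }
  }
}
```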