
Ability to prevent policy detachment to allow assumable-role dependants to clear up #467

Closed
djmcgreal-cc opened this issue Mar 15, 2024 · 3 comments

djmcgreal-cc commented Mar 15, 2024

Is your request related to a problem? Please describe.

A process that assumes a role managed by module/iam-assumable-role-with-oidc (though presumably this is a general problem) needs to do some cleanup on terraform destroy but it can't because there's nothing in the dependency graph to prevent terraform from removing the module's policy attachment.

I can't add a depends_on to the iam module because this would be cyclic.

Describe the solution you'd like.

I imagine whoever reads this will be more expert than me but the module(s) could either

  • output their attachments in some way, and I could include them in the dependency, creating the necessary relationships implicitly. This might be preferred because it adds some functionality (i.e. if there are any other cases where knowing e.g. the attachment ids is useful).
  • add an attachment_depends_on variable, but now I'm not sure, as this might create some funny behaviour in the dependency where the dependency assumes the role but the attachment isn't created yet.

Describe alternatives you've considered.

Set role_policy_arns to [] and create them myself out of the module, then add a dependency to them from the process that assumes the role. Not too bad, but it's a fair chunk of the functionality managed by the module.

Additional context
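The alternative described above, written out as an added example (not code from the issue author or from the terraform-aws-iam module): attachments are created outside the module with role_policy_arns left empty, and the workload that assumes the role depends on those attachment resources, so Terraform removes the workload (and runs its cleanup) before any policy is detached. The module version, OIDC provider URL, policy ARN list, chart path and Kubernetes names are assumed placeholders.

```hcl
# Added example of the workaround, not part of the module or the issue.
# Assumed: an EKS OIDC provider and a Kubernetes workload that assumes the
# role via IRSA and must run cleanup (e.g. a pre-delete hook) on destroy.

module "cleanup_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 5.0" # placeholder; pin to the version actually in use

  create_role                   = true
  role_name                     = "example-cleanup"
  provider_url                  = var.oidc_provider_url # assumed input variable
  oidc_fully_qualified_subjects = ["system:serviceaccount:default:cleanup"]

  # Hand attachment management to this configuration so the attachments
  # become addressable nodes in the graph instead of module internals.
  role_policy_arns = []
}

# Attachments managed outside the module: the dependency anchor.
resource "aws_iam_role_policy_attachment" "cleanup" {
  for_each = toset(var.cleanup_policy_arns) # assumed list of policy ARNs

  role       = module.cleanup_role.iam_role_name
  policy_arn = each.value
}

resource "kubernetes_service_account" "cleanup" {
  metadata {
    name      = "cleanup"
    namespace = "default"
    annotations = {
      "eks.amazonaws.com/role-arn" = module.cleanup_role.iam_role_arn
    }
  }
}

# The process that assumes the role. The explicit depends_on orders both
# directions: created after the attachments exist, destroyed before they are
# removed. If its cleanup fails, destroy stops with the policy still attached,
# which is the safe outcome.
resource "helm_release" "cleanup_operator" {
  name      = "cleanup-operator"
  chart     = "./charts/cleanup-operator" # assumed local chart path
  namespace = kubernetes_service_account.cleanup.metadata[0].namespace

  depends_on = [aws_iam_role_policy_attachment.cleanup]
}
```

`terraform graph` on this configuration shows an edge from the helm_release to each aws_iam_role_policy_attachment, which is the relationship the module's internal attachment could not provide.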

github-actions bot commented Apr 15, 2024

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added stale and removed stale labels Apr 15, 2024
github-actions bot commented May 16, 2024

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label May 16, 2024
github-actions bot commented May 26, 2024

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned May 26, 2024