
I am using a Terraform google_project_iam_policy resource to manage a number of roles for a project.

I have noticed that it does not always remove a member from a role when I am expecting it to - seemingly sometimes (but not always) if I use the cloud console to add a member to a role for a project, Terraform does not remove that when I reapply. I would expect it to remove that member from that role in line with the terraform resource definition.

I'd like to understand what is happening here: is Terraform able to distinguish between these? Is there some undisplayed state in the cloud console / gcloud projects get-iam-policy that I am not seeing?

Ben Clifford

1 Answer


I'd not expect that from Terraform when using AWS resources, but I cannot say whether there is a difference when working on Google Cloud.

The role attachment and user you are creating in the console are not managed by Terraform, so why would Terraform remove them? You should be able to create resources alongside Terraform without having them destroyed on the next re-apply. If you make direct modifications to a resource that is managed by Terraform, it will revert those changes.

For example, if you create a security group and some rules in Terraform, and then manually add another rule, Terraform will not remove that rule, as it is not managed by Terraform.

hargut
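The question asks whether the live project policy holds state that a role-by-role view does not show. A direct way to find out is to diff the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns against the bindings the Terraform resource declares, binding by binding, keeping IAM conditions as part of a binding's identity (a role binding that carries a `condition` block is a different binding from the same role without one, and it is easy to overlook in a role-only listing). The script below is an added example, not code from the question or the answer: the live policy is a constructed sample in the shape gcloud returns (bindings with role/members, optional condition, etag, version), the desired bindings are constructed to mirror what a `google_iam_policy` data source would declare, and no GCP API is called.

```python
"""Diff a live GCP project IAM policy against the bindings a Terraform
google_project_iam_policy resource declares.

Added example, not from the original question or answer. Both inputs are
constructed: LIVE_POLICY_JSON imitates `gcloud projects get-iam-policy
PROJECT --format=json` output, DESIRED_BINDINGS imitates the bindings a
google_iam_policy data source would declare. Runs offline."""
import json

# Constructed sample of a live policy as gcloud would print it.
LIVE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com", "user:carol@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:dave@example.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp(\\"2030-01-01T00:00:00Z\\")"}}
  ],
  "etag": "BwXabc123=",
  "version": 3
}"""

# Constructed sample of what the Terraform configuration declares.
DESIRED_BINDINGS = [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]


def binding_key(binding):
    """Identity of a binding: the role plus its condition, if any.

    The condition is part of the key on purpose: the same role with and
    without a condition are two distinct bindings in the policy."""
    cond = binding.get("condition")
    cond_key = (cond.get("title"), cond.get("expression")) if cond else None
    return (binding["role"], cond_key)


def flatten(bindings):
    """Map (role, condition) -> set of members, merging duplicate entries."""
    out = {}
    for b in bindings:
        out.setdefault(binding_key(b), set()).update(b.get("members", []))
    return out


def diff_policies(live_json, desired_bindings):
    """Return what an authoritative apply of desired_bindings would change.

    'remove': (role, condition, member) present live but not declared.
    'add':    (role, condition, member) declared but not present live.
    'conditional': (role, condition title) for live bindings that carry a
    condition, since those are the entries a role-only view hides."""
    live = json.loads(live_json)
    live_map = flatten(live.get("bindings", []))
    want_map = flatten(desired_bindings)
    remove, add, conditional = [], [], []
    for key, members in live_map.items():
        role, cond = key
        if cond is not None:
            conditional.append((role, cond[0]))
        for m in sorted(members - want_map.get(key, set())):
            remove.append((role, cond, m))
    for key, members in want_map.items():
        role, cond = key
        for m in sorted(members - live_map.get(key, set())):
            add.append((role, cond, m))
    # key=str keeps sorting stable when cond is None in some tuples.
    return {
        "remove": sorted(remove, key=str),
        "add": sorted(add, key=str),
        "conditional": sorted(conditional),
        "etag": live.get("etag"),
    }


if __name__ == "__main__":
    print(json.dumps(diff_policies(LIVE_POLICY_JSON, DESIRED_BINDINGS),
                     indent=2, default=str))
```

To run it against a real project, replace LIVE_POLICY_JSON with the contents of `gcloud projects get-iam-policy PROJECT --format=json` and DESIRED_BINDINGS with the bindings from the Terraform configuration; anything listed under "remove" is what an authoritative policy resource is expected to drop, and anything under "conditional" is a binding you will not see in a view that lists only roles and members.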