Adding in DeleteBeforeReplace: True to IAM types #2650
Does the PR have any schema changes?
Looking good! No breaking changes found.
Maintainer note: consult the runbook for dealing with any breaking changes.
Thanks for opening this. I am fairly certain that IAM Member resources do not work without DeleteBeforeReplace - all the upstream schema fields are ForceNew and the replacement works as described in #2463 (comment), which causes a silent deletion of the resource.
It'd be nice if we added a test for these resources but it might be non-trivial given that it involves permissions.
I am wondering if we can solve this more widely for GCP - there are a fair number of Iam_policy and iam_member resources and I suspect all of them work this way. Perhaps something to consider as a follow up - we could add a test which provisions each of these resources and verifies that a replacement ends with a resource still existing.
@VenelinMartinov I like it, we could use the gcloud technique you showed me last week to do a
A property with
Generally resources do not require
Unfortunately, a number of resources do not have their own "identity" in the cloud. These tend to be resources representing a link between two other resources. We call these "structural" resources, there is a big and old issue about supporting these better: pulumi/pulumi#918
In this case, IAM Member is a structural resource, and that manifests in issues like #2463
Structural resources do need
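A toy model of the replacement order discussed in this thread, and of the proposed check that a replacement ends with the resource still existing; it is an added example, not code from this PR or from the provider. It assumes the replacement leaves the cloud-side key unchanged, and `link`, `cloud`, `replace` and `lostAfterReplace` are hypothetical names.

```go
package main

import (
	"fmt"
	"sort"
)

// link is a constructed stand-in for a structural resource such as an IAM member.
// Assumption: the cloud keys it only by what it connects; it has no own ID.
type link struct{ kind, key string }

// cloud is a toy model of the remote state: a set of links.
type cloud map[link]bool

func (c cloud) create(l link) { c[l] = true } // creating twice is a no-op
func (c cloud) remove(l link) { delete(c, l) }

// replace models the engine's order: create-then-delete unless dbr is set.
func replace(c cloud, old, next link, dbr bool) {
	if dbr {
		c.remove(old)
		c.create(next)
		return
	}
	c.create(next)
	c.remove(old) // when old == next this also removes the "new" link
}

// lostAfterReplace provisions one link per resource type, replaces it with
// the same key, and returns the types whose link is gone afterwards.
func lostAfterReplace(dbrByType map[string]bool) []string {
	var lost []string
	for kind, dbr := range dbrByType {
		c := cloud{}
		l := link{kind, "example-project"} // constructed key
		c.create(l)
		replace(c, l, l, dbr)
		if !c[l] {
			lost = append(lost, kind)
		}
	}
	sort.Strings(lost)
	return lost
}

func main() {
	fmt.Println(lostAfterReplace(map[string]bool{
		"google_project_iam_member": false, "google_project_iam_policy": true}))
}
```

A real version of this check would provision each IAM resource against a test project and query the live policy after the replacement instead of a map.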
This PR has been shipped in release v8.10.0.
This added in DeleteBeforeReplace for google_project_iam_policy, google_project_iam_member