Skip to content

fix: IAM bindings lost when bucket is replaced #431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cjonesy wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: IAM bindings lost when bucket is replaced #431

cjonesy wants to merge 1 commit into from

Conversation

@cjonesy
Copy link

@cjonesy cjonesy commented Oct 17, 2025

Adds replace_triggered_by lifecycle meta-argument to all IAM binding resources to ensure they are replaced whenever the bucket is replaced:

resource "google_storage_bucket_iam_binding" "admins" {
  for_each = var.set_admin_roles ? local.names_set : []
  bucket   = google_storage_bucket.buckets[each.value].name
  role     = "roles/storage.objectAdmin"
  members  = ...

  lifecycle {
    replace_triggered_by = [google_storage_bucket.buckets[each.value]]
  }
}

Root Cause

The IAM binding resources reference the bucket by name:

resource "google_storage_bucket_iam_binding" "admins" {
  for_each = var.set_admin_roles ? local.names_set : []
  bucket   = google_storage_bucket.buckets[each.value].name  # References bucket name
  role     = "roles/storage.objectAdmin"
  members  = ...
}

When the bucket is replaced:

  • The bucket name stays the same (only location changes)
  • The for_each key doesn't change
  • The members don't change
  • Terraform sees no changes to the IAM binding resource configuration
  • But the underlying GCP bucket was destroyed and recreated, losing all IAM bindings

@cjonesy cjonesy requested review from a team, ayushmjain and q2w as code owners October 17, 2025 15:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ayushmjain ayushmjain Awaiting requested review from ayushmjain ayushmjain is a code owner

@q2w q2w Awaiting requested review from q2w q2w is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cjonesy