Service Accounts Deleted/Recreated Lose IAM permissions

[BusiPlay]

We ran into an issue when migrating a service account to a for_each construct where Terraform deleted and recreated the service account. This caused the service accounts to lose all IAM Bindings as described at https://cloud.google.com/iam/docs/understanding-service-accounts#deleting_and_recreating_service_accounts.

Example code:
Replaced:
resource "google_service_account" "service_account_a" {
account_id = "service_account_a"
display_name = "Service Account A"
}

with

variable "service_accounts" {
description="Map of Service Accounts"
default = {service_account_a = "Service Account A"}
}

resource "google_service_account" "service_account" {
for_each = var.service_accounts
account_id = each.key
display_name = each.value
}

Terraform treats this as deleting google_service_account.service_account_a and creating google_service_account.service_account["service_account_a"] and deletes the first service account, and creates a new one with the same account id.

Is there any way that the provider can recognize the account_id value in old and new state is the same, and apply an edit in place?

[venkykuberan]

Terraform does not know they are identical and treats them as 2 different resources as its unique_id is different. We can make terraform aware that they are identical and just resource is renamed by removing it from state and import with new name in 2 steps

1. terraform rm state service_account_a
2. terraform import google_service_account.service_account["service_account_a"] [email protected]

It should fix the issue.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!