IAM member deletion during Pub/Sub subscription replace causes pull errors in production – How to avoid this? #20710
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue
When replacing a
google_pubsub_subscription resource, any IAM members associated with the subscription are temporarily deleted. This results in Pub/Sub clients failing to perform Pull operations, causing downtime in our production environment.As noted in Issue #2301, using
replace_triggered_byensures that the IAM members are automatically recreated when thegoogle_pubsub_subscriptionis replaced. However, this does not resolve the problem of temporary removal, as the IAM members are still deleted briefly during the replacement process.Questions
How can this issue be avoided in production?
Is there a Terraform-based solution to prevent the temporary removal of IAM members when a Pub/Sub subscription is replaced?
Should replacing resources be avoided altogether?
If resource replacement is not a best practice in production, what alternatives do you recommend to update the resource?
Detecting resource replacements beforehand
Is there a mechanism to detect when a resource will be replaced during terraform plan so we can proactively address this in production?
Enviroment
The text was updated successfully, but these errors were encountered: