DestroyEdgeTransformer2: module.rg.azurerm_resource_group.rg["rg1"] has stored dependency of module.rbac

I have a terraform deployment which deploys resource groups, user assigned identities, role assignments and azure policies.

this was used to create 3 user assigned identities, approx 50 - 100 policies and policy assignments, and about 20 role assignments, without any issue.

recently, i added a few more policy definitions and another user assigned identity and now all of a sudden terraform thinks that something has changed with the user assigned identities and wants to destroy and replace all role assignments.

when i remove the additional user assigned identity and run a plan it returns to normal and sees no changes.

i run in DEBUG mode and saw the below log messages for all role assignments:

DestroyEdgeTransformer2: module.rg.azurerm_resource_group.rg[“rg-pr-1”] has stored dependency of module.role_assignments.azurerm_role_assignment.role_assignment[“sqlmi-contributor”] (destroy)

what is happening and how do i prevent it?

i only have one azurerm provider and no alias’

Hi @fsaleem722,

The debug log output isn’t relevant here, dependencies determine the order of operations, so this is just Terraform figuring out exactly when azurerm_role_assignment.role_assignment[“sqlmi-contributor”] (destroy) needs to be executed.

The actual, complete, plan output would be more informative as to why your resources are being replaced, but it may require seeing the configuration as well.

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.