How to set up an IAM policy on an instance when the instance is recreated by a new run of terraform (gcp)

Hi,
On GCP, I have a terraform code which

  • generates a startup script containing a public SSH key at every run. It is done in a shell script so that the private key is not stored in the tfstate
  • creates an instance (GCE) using the startup script
  • sets an IAM policy on the GCE. I added a depends_on entry on the GCE creation

The first time it runs, everything goes well: the GCE is created with the SSH key and the IAM policy is set.

After a new run: the GCE is recreated, as the startup script is updated with a new SSH key.
But the IAM policy is not set up again on the recreated GCE.
One can see google_compute_instance_iam_member.allow_on_off_role_on_jumpbox_to_tbr_group_for_linux[0]: Refreshing state…
But nothing after the GCE recreation in terraform plan and apply.

How may I make this policy be set again after GCE recreation? The depends_on statement is not enough.

Thank you
MLD

# Generates a fresh SSH key pair on every run (timestamp() changes each apply,
# so the local-exec provisioner is re-run).
resource "null_resource" "linux_tbr_create_ssh_key" {
  count = var.tbr_iap_enable == "linux" ? 1 : 0
  triggers = {
    project      = google_project.main.project_id
    build_number = timestamp()
  }

  provisioner "local-exec" {
    environment = {
      JUMPBOX_PRIVATE_KEY_FILE = "…/ansible/tmpkey"
    }
    # The here-string feeds "y" to the "overwrite?" prompt when the file already exists.
    command = <<EOT
ssh-keygen -b 4096 -f $JUMPBOX_PRIVATE_KEY_FILE -C "wallix_jumpbox@local" -q -N "" <<< y
EOT
  }
}

# Reads the public half of the generated key after the provisioner has run.
data "null_data_source" "sshkey" {
  count = var.tbr_iap_enable == "linux" ? 1 : 0
  inputs = {
    sshpubkey = file("…/ansible/tmpkey.pub")
  }
  depends_on = [null_resource.linux_tbr_create_ssh_key]
}

# Renders the startup script with the public key embedded.
data "template_file" "init_jumpbox_linux_script" {
  count    = var.tbr_iap_enable == "linux" ? 1 : 0
  template = file("${path.module}/init_jumpbox_linux.tpl")
  vars = {
    sshpubkey = data.null_data_source.sshkey[0].outputs["sshpubkey"]
  }
}

# The jumpbox itself; a changed startup script forces its replacement.
resource "google_compute_instance" "linux_jumpbox" {
  count        = var.tbr_iap_enable == "linux" ? 1 : 0
  name         = local.jumpboxname
  project      = var.bastion_project_id
  machine_type = "g1-small" # "n1-standard-1"
  zone         = "europe-west1-b"

  boot_disk {
    initialize_params {
      image = "centos-cloud/centos-8" # Mandatory for TLS access through cloud IAP
    }
    auto_delete = true
  }

  network_interface {
    subnetwork         = var.connection_to_host_project == "true" ? data.google_compute_subnetwork.subnet[0].name : data.google_compute_subnetwork.subnet-ifnotconnect2hostproject[0].name
    subnetwork_project = var.host_project_id
  }
  metadata_startup_script = data.template_file.init_jumpbox_linux_script[0].rendered
}

# IAM binding on the instance; its arguments (instance name, role, member) do not
# change when the instance is replaced, so terraform sees no diff here.
resource "google_compute_instance_iam_member" "allow_on_off_role_on_jumpbox_to_tbr_group_for_linux" {
  count         = var.tbr_iap_enable == "linux" ? 1 : 0
  project       = var.bastion_project_id
  zone          = "europe-west1-b"
  instance_name = google_compute_instance.linux_jumpbox[0].name
  role          = "organizations/${var.org_id}/roles/gceonoff"
  member        = "group:${local.grouponoff}@xxxxx.com"
  depends_on    = [google_compute_instance.linux_jumpbox]
}

Seems to be linked to Update/replace resource when a dependency is changed · Issue #8099 · hashicorp/terraform · GitHub
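One way to get the binding re-applied, as an added example that is not part of the original post: the IAM member resource only compares its own arguments (instance name, role, member), and none of those change when the instance is replaced, so `depends_on` alone never produces a diff. Since Terraform 1.2 the `replace_triggered_by` lifecycle argument can tie the binding to an attribute that does change on replacement. The example below assumes Terraform >= 1.2 and uses the instance's server-assigned `instance_id` (the `id` attribute is derived from the name and stays the same); the member domain is the placeholder from the post.

```hcl
# Added example, not the original poster's code: re-create the IAM member
# binding whenever the jumpbox instance is replaced.
# Assumes Terraform >= 1.2 (replace_triggered_by) and the google provider's
# google_compute_instance "instance_id" attribute.
resource "google_compute_instance_iam_member" "allow_on_off_role_on_jumpbox_to_tbr_group_for_linux" {
  count         = var.tbr_iap_enable == "linux" ? 1 : 0
  project       = var.bastion_project_id
  zone          = "europe-west1-b"
  instance_name = google_compute_instance.linux_jumpbox[count.index].name
  role          = "organizations/${var.org_id}/roles/gceonoff"
  member        = "group:${local.grouponoff}@xxxxx.com" # placeholder domain from the post

  lifecycle {
    # instance_id is assigned by GCE and differs for every replacement, while
    # name (and therefore id) is identical before and after. Referencing it here
    # makes terraform plan a destroy/create of this binding right after the
    # replacement instance exists, so the role is never silently missing.
    replace_triggered_by = [
      google_compute_instance.linux_jumpbox[count.index].instance_id,
    ]
  }
}
```

Two practical notes: until the provider dependency is in place, a one-off fix is `terraform apply -replace="google_compute_instance_iam_member.allow_on_off_role_on_jumpbox_to_tbr_group_for_linux[0]"`, which forces the binding to be re-created on that run. And because `timestamp()` in the key-generation trigger changes on every apply, the instance (and with this lifecycle block, the binding) will be replaced on every run; reviewing the plan for a missing binding after each replacement is the check that catches the original symptom.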