Hello,

we have all BigQuery datasets defined in TF, including accesses.

We are contemplating to use another service that would govern some user READ accesses, but we still want to keep the more critical (e.g. Write accesses for Service Accounts) defined and governed by TF.

Is there a way to do that? - eg. specific items in the ignore_changes block .

Thanks
S.

Yes, you can use the ignore_changes block in Terraform to selectively ignore changes to specific resources or attributes. In your case, you could use this block to ignore changes to the access controls managed by the other service, while still allowing changes to the access controls managed by Terraform.

For example, let’s say you have a google_bigquery_dataset resource defined in your Terraform configuration:

resource “google_bigquery_dataset” “example_dataset” {
dataset_id = “example_dataset”

access {
role_entity = “user:jane@example.com”
role = “READER”
}

access {
role_entity = “serviceAccount:my-service-account@example-project.iam.gserviceaccount.com”
role = “WRITER”
}

other configuration here
}

To ignore changes to the access block managed by the other service, you could add the following ignore_changes block:

resource “google_bigquery_dataset” “example_dataset” {
dataset_id = “example_dataset”

access {
role_entity = “user:jane@example.com”
role = “READER”
}

access {
role_entity = “serviceAccount:my-service-account@example-project.iam.gserviceaccount.com”
role = “WRITER”
}

other configuration here

ignore_changes = [
access,
]
}

This will tell Terraform to ignore changes to the access block when determining if updates are necessary. However, changes to any other attributes of the google_bigquery_dataset resource will still be detected and applied as usual.