IAMPolicyMember locked hand on delete attempt #296

Closed
b4nst opened this issue Oct 29, 2020 · 2 comments
Labels
bug Something isn't working

Comments

@b4nst

b4nst commented Oct 29, 2020

Describe the bug
I made a typo in the version of the referenced IAM service account for an IAM policy member (v1alpha1 instead of v1beta1). Config Connector correctly logged the error (`[...] no match for kind IAMServiceAccount in version iam.cnrm.cloud.google.com/v1alpha1`) but then the policy member could be deleted. `kubectl delete` logs that the iampolicymember has been deleted (it has not) and then hangs forever.

ConfigConnector Version
1.19.1

To Reproduce
Steps to reproduce the behavior:

  • kubectl apply -f sa.yml
  • kubectl delete iampolicymember gsa-wli

YAML snippets:

---
kind: IAMServiceAccount
apiVersion: iam.cnrm.cloud.google.com/v1beta1
metadata:
  name: gsa
spec:
  displayName: Google service account
---
kind: IAMPolicyMember
apiVersion: iam.cnrm.cloud.google.com/v1beta1
metadata:
  name: gsa-wli
spec:
  member: serviceAccount:project.svc.id.goog[default/ksa]
  role: roles/iam.workloadIdentityUser
  resourceRef:
    kind: IAMServiceAccount
# Typo next line, as it should be v1beta1
    apiVersion: iam.cnrm.cloud.google.com/v1alpha1
    name: gsa
b4nst added the bug label Oct 29, 2020
@caieo
Contributor

caieo commented Oct 30, 2020

Hi @b4nst, sorry you ran into this. It looks like IAMPolicyMember's spec is immutable and will return errors if you are trying to modify it (which was what you ran into). Unfortunately, you will need to delete and reapply the correct YAML.

In order to actually delete this faulty IAMPolicyMember, you can abandon the resource by adding & applying the cnrm.cloud.google.com/deletion-policy: abandon annotation to the original YAML. This will indicate to Config Connector that the resource should be abandoned instead of attempting to delete it. When you reapply the correct YAML, the resource will either be acquired (if it existed before) or created properly. Let me know if this works for you!

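Added example, not code from the issue or from the Config Connector project: a small preflight check that would have caught the mismatched `resourceRef.apiVersion` before `kubectl apply`, plus a helper that applies the `cnrm.cloud.google.com/deletion-policy: abandon` annotation described in the previous comment so the stuck object can be deleted. The manifests are the two from the report, embedded as the dicts `yaml.safe_load_all` would return (so the script runs without PyYAML); the assumption that every reference lives under a key ending in `Ref` (e.g. `resourceRef`, `projectRef`) is mine, as is the decision to skip refs that use `external` instead of `name`.

```python
import copy

# Annotation from the maintainer's comment: tells Config Connector to leave the
# GCP-side resource alone and only remove the Kubernetes object on delete.
ABANDON_ANNOTATION = "cnrm.cloud.google.com/deletion-policy"

# Constructed input: the two manifests from the report (sa.yml), already loaded.
MANIFESTS = [
    {
        "kind": "IAMServiceAccount",
        "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
        "metadata": {"name": "gsa"},
        "spec": {"displayName": "Google service account"},
    },
    {
        "kind": "IAMPolicyMember",
        "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
        "metadata": {"name": "gsa-wli"},
        "spec": {
            "member": "serviceAccount:project.svc.id.goog[default/ksa]",
            "role": "roles/iam.workloadIdentityUser",
            "resourceRef": {
                "kind": "IAMServiceAccount",
                "apiVersion": "iam.cnrm.cloud.google.com/v1alpha1",  # the typo
                "name": "gsa",
            },
        },
    },
]


def _walk_refs(node, path=""):
    """Yield (path, ref_dict) for every mapping stored under a key ending in 'Ref'.
    Assumption: Config Connector references follow that naming convention."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.endswith("Ref") and isinstance(value, dict):
                yield child, value
            yield from _walk_refs(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk_refs(item, f"{path}[{i}]")


def check_refs(manifests):
    """Return findings as (source, ref_path, found_version, expected_version).

    A ref is flagged when its apiVersion differs from the apiVersion of the
    manifest it points at, or when the target is not in the bundle at all
    (expected_version is None in that case). Refs using 'external' are skipped
    because they point outside the bundle by design."""
    index = {(m["kind"], m["metadata"]["name"]): m["apiVersion"] for m in manifests}
    findings = []
    for m in manifests:
        src = f'{m["kind"]}/{m["metadata"]["name"]}'
        for path, ref in _walk_refs(m.get("spec", {})):
            if "external" in ref:
                continue
            key = (ref.get("kind"), ref.get("name"))
            if key not in index:
                findings.append((src, path, ref.get("apiVersion"), None))
                continue
            expected = index[key]
            if "apiVersion" in ref and ref["apiVersion"] != expected:
                findings.append((src, path, ref["apiVersion"], expected))
    return findings


def mark_abandoned(manifest):
    """Return a copy of the manifest with the abandon deletion policy set.
    Apply the result, then `kubectl delete` removes only the Kubernetes object."""
    out = copy.deepcopy(manifest)
    out["metadata"].setdefault("annotations", {})[ABANDON_ANNOTATION] = "abandon"
    return out


if __name__ == "__main__":
    for src, path, found, expected in check_refs(MANIFESTS):
        print(f"{src}: {path}.apiVersion is {found!r}, target uses {expected!r}")
    print(mark_abandoned(MANIFESTS[1])["metadata"])
```

Running the check on the report's bundle flags `IAMPolicyMember/gsa-wli` once, with `resourceRef.apiVersion` at `v1alpha1` against the `v1beta1` the `IAMServiceAccount` actually declares. The abandon annotation is safe here because the faulty member was never reconciled into a GCP IAM binding; when abandoning an object that did reconcile, the binding stays in place in GCP and should be reviewed separately.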
@b4nst
Author

b4nst commented Oct 30, 2020

Oh that makes sense, I didn't think about abandoning it. Works fine, thanks!
