Hello,
While trying to deploy GHA runners, we're noting that there appears to be a race condition. In order to deploy GHA runners with encryption, IAM roles need to be deployed first otherwise KMS creation fails. A possible workaround would be to deploy KMS without policies that reference IAM roles that are created (unconditionally) by the runners module and then attach the policy after the runners are deployed. This causes drift caused by the post-creation apply of the KMS policies. Is there a way to update the runners module to except a conditional creation of IAM roles? The expectation is that the module should either create the roles, get them as input variables, and fail if neither is done (e.g. create set to false and existing Arn not provided).
Hello,
While trying to deploy GHA runners, we're noting that there appears to be a race condition. In order to deploy GHA runners with encryption, IAM roles need to be deployed first otherwise KMS creation fails. A possible workaround would be to deploy KMS without policies that reference IAM roles that are created (unconditionally) by the
runnersmodule and then attach the policy after the runners are deployed. This causes drift caused by the post-creation apply of the KMS policies. Is there a way to update therunnersmodule to except a conditional creation of IAM roles? The expectation is that the module should either create the roles, get them as input variables, and fail if neither is done (e.g. create set tofalseand existing Arn not provided).