From 17abe3e20b00f6ccdba460b3720bbc457683239a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Mon, 30 Mar 2026 13:52:02 +0000
Subject: [PATCH] reprovision IAM only on function replacement

---
 modules/cloud-function-v1/main.tf | 2 +-
 modules/cloud-function-v2/main.tf | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/cloud-function-v1/main.tf b/modules/cloud-function-v1/main.tf
index 4df938b00..0ad8a3309 100644
--- a/modules/cloud-function-v1/main.tf
+++ b/modules/cloud-function-v1/main.tf
@@ -118,6 +118,6 @@ resource "google_cloudfunctions_function_iam_binding" "default" {
   role           = lookup(local.ctx.custom_roles, each.key, each.key)
   members        = [for member in each.value : lookup(local.ctx.iam_principals, member, member)]
   lifecycle {
-    replace_triggered_by = [google_cloudfunctions_function.function]
+    replace_triggered_by = [google_cloudfunctions_function.function.id]
   }
 }
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index 55c61e451..84c889761 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -165,7 +165,7 @@ resource "google_cloudfunctions2_function_iam_binding" "binding" {
   role           = lookup(local.ctx.custom_roles, each.key, each.key)
   members        = [for member in each.value : lookup(local.ctx.iam_principals, member, member)]
   lifecycle {
-    replace_triggered_by = [google_cloudfunctions2_function.function]
+    replace_triggered_by = [google_cloudfunctions2_function.function.id]
   }
 }
 
@@ -189,7 +189,7 @@ resource "google_cloud_run_service_iam_binding" "invoker" {
   role     = "roles/run.invoker"
   members  = [for member in local.run_invoker_members : lookup(local.ctx.iam_principals, member, member)]
   lifecycle {
-    replace_triggered_by = [google_cloudfunctions2_function.function]
+    replace_triggered_by = [google_cloudfunctions2_function.function.id]
   }
 }
 
@@ -206,7 +206,7 @@ resource "google_cloud_run_service_iam_member" "invoker" {
   role     = "roles/run.invoker"
   member   = "serviceAccount:${local.trigger_sa_email}"
   lifecycle {
-    replace_triggered_by = [google_cloudfunctions2_function.function]
+    replace_triggered_by = [google_cloudfunctions2_function.function.id]
   }
 }