feat: Add lifecycle.ignore_changes for access to support google_bigquery_dataset_access

[timothy-jabez]

Summary

When using the google_bigquery_dataset_access resource to manage dataset permissions separately, this module produces a persistent diff because it doesn't ignore changes to the access block within the google_bigquery_dataset resource.

Problem Description

The module currently defines dataset access via the access variable, which is directly translated into access blocks within the google_bigquery_dataset resource. This approach works well when all access controls are managed within the module.

However, for users who prefer to manage dataset access separately using the standalone google_bigquery_dataset_access resource, this creates a conflict. Terraform detects a drift between the state file (which includes the access defined by the module) and the actual state in GCP (managed by the separate resource), resulting in a plan that always shows changes to be applied.

As noted in the google_bigquery_dataset_access documentation, when using this resource, the google_bigquery_dataset resource must either have no defined access blocks or a lifecycle block with ignore_changes = [access].

Proposed Solution

To support this alternative access management pattern, I propose adding a new boolean variable, for example ignore_access_changes, to the module.

When ignore_access_changes is set to true, the module should add a lifecycle block to the google_bigquery_dataset.main resource:

resource "google_bigquery_dataset" "main" {
  # ... existing configuration ...

  lifecycle {
    ignore_changes = [
      access
    ]
  }
}

This would allow users to decouple dataset access management from the dataset creation, providing greater flexibility.

Steps to Reproduce

1. Instantiate the terraform-google-bigquery module to create a dataset.
2. In a separate Terraform configuration, use the google_bigquery_dataset_access resource to grant permissions to the same dataset.
3. Run terraform plan.
4. Observe that Terraform proposes to remove the access granted by the google_bigquery_dataset_access resource.

[bharathkkb]

Hi @timothy-jabez,

To support this alternative access management pattern, I propose adding a new boolean variable, for example ignore_access_changes, to the module. When ignore_access_changes is set to true, the module should add a lifecycle block to the google_bigquery_dataset.main resource

Unfortunately lifecycle block does not evaluate variables to conditionally ignore certain fields
hashicorp/terraform#24188

I would recommend either natively using the resource or managing permissions via the module