Description
TL;DR
Passing data.google_project.production.project_id
to project
of secret_manager_iam
causes a forced replacement of the resource.
Expected behavior
Passing data.google_project.production.project_id
to project
of secret_manager_iam
won't cause a forced replacement of the resource, i.e. the behavior is consistent with the other `_iam`
modules.
Observed behavior
No response
Terraform Configuration
locals {
  # Project id appears to have been redacted by the reporter; region/zone are real.
  gcp_project_id = ""
  gcp_region     = "europe-west1"   # Belgium
  gcp_zone       = "europe-west1-b" # Belgium
}
# Default project and location for every google resource that does not set its own.
provider "google" {
  project = local.gcp_project_id
  region  = local.gcp_region
  zone    = local.gcp_zone
}
terraform {
  # Remote state in GCS. State records resource attributes (ids, etags, project
  # names), so access to this bucket should be restricted at least as tightly as
  # the resources it describes. The bucket name appears to be redacted here.
  backend "gcs" {
    bucket = ""
    prefix = "terraform/state/production"
  }

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.43"
    }
  }
}
# Looks the project up by id so its numeric project number can be used when
# composing the service-agent identity for the IAM binding below.
data "google_project" "production" {
  project_id = local.gcp_project_id
}
# The secret container only; the payload is supplied by a separate
# secret_version resource. Automatic replication lets Google pick the regions.
resource "google_secret_manager_secret" "github_pac" {
  secret_id = "github-pac"

  replication {
    auto {}
  }
}
resource "google_secret_manager_secret_version" "github_pac_version" {
  secret = google_secret_manager_secret.github_pac.id

  # Write-only argument: the token is sent to the API but is not persisted in
  # the Terraform plan or state file.
  secret_data_wo = var.github_pac
}
# Grants the Artifact Registry service agent read access to this single secret.
# "additive" mode manages individual IAM members (the plan output below shows a
# google_secret_manager_secret_iam_member) and leaves other bindings on the
# secret untouched.
module "github_pac_secret_manager_iam" {
  source  = "terraform-google-modules/iam/google//modules/secret_manager_iam"
  version = "~> 8.1"

  # NOTE(review): sourcing project from the data source is what the reported
  # plan shows forcing a destroy-then-create of the binding; during such an
  # apply the service agent briefly loses access to the secret.
  project = data.google_project.production.project_id
  secrets = [google_secret_manager_secret.github_pac.name]
  mode    = "additive"

  bindings = {
    "roles/secretmanager.secretAccessor" = [
      "serviceAccount:service-${data.google_project.production.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
    ]
  }
}
Terraform Version
Terraform v1.12.2
on windows_amd64
+ provider registry.terraform.io/hashicorp/google v6.43.0
+ provider registry.terraform.io/hashicorp/google-beta v6.43.0
Terraform Provider Versions
Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/google] ~> 6.43
├── module.pdf-generator-iam
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.project-iam-bindings
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.project-services
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│ └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
├── module.files-iam-bindings
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.invoice-generator-iam
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.artifact-registry-repository-iam
│ ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.53.0, < 7.0.0
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.default_compute_sa_iam
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.email_password_secret_iam
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
├── module.github_pac_secret_manager_iam
│ ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│ └── module.helper
└── module.internal_api_iam
├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
└── module.helper
Providers required by state:
provider[registry.terraform.io/hashicorp/google]
provider[registry.terraform.io/hashicorp/google-beta]
Additional information
terraform apply
output:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
Terraform will perform the following actions:
# module.github_pac_secret_manager_iam.google_secret_manager_secret_iam_member.secret_manager_iam_additive["default--roles/secretmanager.secretAccessor--serviceAccount:[email protected]"] must be replaced
-/+ resource "google_secret_manager_secret_iam_member" "secret_manager_iam_additive" {
~ etag = "REDACTED" -> (known after apply)
~ id = "projects/REDACTED/secrets/github-pac/roles/secretmanager.secretAccessor/serviceAccount:[email protected]" -> (known after apply)
~ project = "REDACTED" -> "accuna-production" # forces replacement
# (3 unchanged attributes hidden)
}
Plan: 1 to add, 0 to change, 1 to destroy.