Unable to delete Workload Identity module after creation

[bwburch]

TL;DR

I have created some resources using terraform-google-workload-identity - Google service account, kubernetes service account and IAM binding.
The problem I am having is deleting these resources. When I remove the module from the manifest, it returns the following error: Error: Cycle: module.kubernetes.google_container_cluster.primary[0], module.kubernetes.provider["registry.terraform.io/hashicorp/kubernetes"], module.kubernetes.module.my-app-workload-identity.kubernetes_service_account.main[0] (destroy) which isn't detailed.

Expected behavior

The workload identity module should remove the workload identities and any resources allocated during the creation.

Observed behavior

Error: Cycle: module.gke.module.gke.google_container_node_pool.pools["hr-tech-dev-np"], module.gke.module.workload-identity["fileupload"].kubernetes_service_account.main[0] (destroy), module.gke.module.gke.random_string.cluster_service_account_suffix, module.gke.module.gke.local.service_account_default_name (expand), module.gke.module.gke.google_service_account.cluster_service_account[0], module.gke.module.gke.local.service_account_list (expand), module.gke.module.gke.local.service_account (expand), module.gke.module.workload-identity["learning"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["iam"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["dataload"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["bgcheck"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["associate-sched"].kubernetes_service_account.main[0] (destroy), module.gke.module.workload-identity["encryption"].kubernetes_service_account.main[0] (destroy), module.gke.module.gke.local.cluster_output_master_auth (expand), module.gke.module.gke.local.cluster_master_auth_list_layer1 (expand), module.gke.module.gke.local.cluster_master_auth_list_layer2 (expand), module.gke.module.gke.local.cluster_master_auth_map (expand), module.gke.module.gke.local.cluster_ca_certificate (expand), module.gke.module.gke.output.ca_certificate (expand), module.gke.provider["registry.terraform.io/hashicorp/kubernetes"], module.gke.module.workload-identity["associate"].kubernetes_service_account.main[0] (destroy), module.gke.module.gke.google_container_cluster.primary, module.gke.module.gke.local.cluster_endpoint (expand), module.gke.module.gke.output.endpoint (expand)

Terraform Configuration

locals {
  workload_identities = {
    "bgcheck" = {
      name  = "sa-bgcheck"
      roles = [
        "roles/cloudsql.client",
        "roles/cloudsql.instanceUser",
        "roles/iam.serviceAccountTokenCreator",
        "roles/secretmanager.secretAccessor",
        "roles/pubsub.publisher",
        "roles/pubsub.subscriber"
      ]
    }
# Trying to remove this one: dataload
    "dataload" = {
      name  = "sa-dataload"
      roles = [
        "roles/cloudsql.client",
        "roles/cloudsql.instanceUser",
        "roles/iam.serviceAccountTokenCreator",
        "roles/secretmanager.secretAccessor",
        "roles/pubsub.publisher",
        "roles/pubsub.subscriber"
      ]
    }
}

module "workload-identity" {
  source     = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
  
  for_each   = local.workload_identities

  name       = each.value.name         # KSA name
  namespace  = "my-namespace"
  project_id = var.project_id
  roles      = each.value.roles        # Custom roles per service account
  annotate_k8s_sa = true
}

Terraform Version

1.3.0

Additional information

No response