tofu-controller
Cannot destroy namespace with Terraform CR as ServiceAccount is removed before runner created
Hello, I have a potentially odd use case, but it seems like it should work. Digging into the details, we understand why, but would like input on how we can do this before we dive into creating our own workaround.
We would like to host the `Terraform` CR in a namespace with the deployment it is tied to. We have some testing deployments that are ephemeral in nature and we like to have the ability to simply destroy the entire namespace and just let k8s clean it all up. We started trying out tf-controller recently and found that while the `Terraform` CRs have a finalizer on them to ensure the cloud resources are destroyed, there is no mechanism for the `ServiceAccount`, and k8s happily deletes it before the runner pod even has a chance to spin up.
I'm not sure this is technically the problem of tf-controller, but it would be nice if there was a way to get tf-controller to keep the requisite service account around until it isn't needed anymore. I see there is code for adding finalizers to dependent `Terraform` resources; perhaps we could hijack that to add a finalizer to the `ServiceAccount`?