Closed onetwopunch closed 3 years ago
If the `device_policy` is empty in the condition block, the plan output always tries to add a new one that is empty because the block exists.
```hcl
module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  version = "~> 1.0.1"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = ["serviceAccount:${var.terraform_service_account}"]
}
```
Generates the following plan after being applied with no modifications made
```
Terraform will perform the following actions:

  # module.access_level_members.google_access_context_manager_access_level.access_level will be updated in-place
  ~ resource "google_access_context_manager_access_level" "access_level" {
        id     = "accessPolicies/.../accessLevels/terraform_members"
        name   = "accessPolicies/.../accessLevels/terraform_members"
        parent = "accessPolicies/..."
        title  = "terraform_members"

      ~ basic {
            combining_function = "AND"

          ~ conditions {
                ip_subnetworks         = []
                members                = [
                    "serviceAccount:project-factory-XXXXX@my-project.iam.gserviceaccount.com",
                ]
                negate                 = false
                required_access_levels = []

              + device_policy {
                  + allowed_device_management_levels = []
                  + allowed_encryption_statuses      = []
                  + require_screen_lock              = false

                  + os_constraints {}
                }
            }
        }

        timeouts {}
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
We should probably add a dynamic block to accommodate this.
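One way to implement the dynamic block suggested above, written here as an added example rather than the module's own code or the fix linked in this issue. The `device_policy` variable shape (a map that is empty by default), the `policy`, `name` and `members` variables, and the resource layout are assumptions; the `device_policy` attribute names are the ones that appear in the plan output above plus `os_type`/`minimum_version` on `os_constraints`:

```hcl
# Constructed example: empty map means "no device_policy block at all".
variable "device_policy" {
  description = "Device policy settings for the access level; leave empty to omit the block."
  type        = any
  default     = {}
}

# Assumed inputs mirroring the module call in the issue.
variable "policy" { type = string }
variable "name" { type = string }
variable "members" { type = list(string) }

resource "google_access_context_manager_access_level" "access_level" {
  parent = "accessPolicies/${var.policy}"
  name   = "accessPolicies/${var.policy}/accessLevels/${var.name}"
  title  = var.name

  basic {
    combining_function = "AND"

    conditions {
      members = var.members

      # Emit device_policy only when the caller supplied settings.
      # With an empty map the for_each list is empty, so no block is
      # rendered and a fresh plan shows no diff.
      dynamic "device_policy" {
        for_each = length(var.device_policy) > 0 ? [var.device_policy] : []
        content {
          # Attributes left out of the map become null, which the provider treats as unset.
          require_screen_lock              = lookup(device_policy.value, "require_screen_lock", null)
          allowed_encryption_statuses      = lookup(device_policy.value, "allowed_encryption_statuses", null)
          allowed_device_management_levels = lookup(device_policy.value, "allowed_device_management_levels", null)

          # Nested block gets the same treatment: one os_constraints block per entry.
          dynamic "os_constraints" {
            for_each = lookup(device_policy.value, "os_constraints", [])
            content {
              os_type         = os_constraints.value.os_type
              minimum_version = lookup(os_constraints.value, "minimum_version", null)
            }
          }
        }
      }
    }
  }
}
```

With `device_policy = {}` (the default) the `dynamic` block iterates over an empty list and nothing is rendered, so applying the configuration twice yields a clean plan. Passing, for example, `device_policy = { require_screen_lock = true, os_constraints = [{ os_type = "DESKTOP_MAC" }] }` renders a single `device_policy` block with one `os_constraints` entry. Dynamic blocks require Terraform 0.12 or later.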
fixed by https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/issues/26