Empty device_policy causes unclean plan

[onetwopunch]

If the device_policy is empty in the condition block, the plan output always tries to add a new one that is empty because the block exists.

module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  version = "~> 1.0.1"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = ["serviceAccount:${var.terraform_service_account}"]
}

Generates the following plan after being applied with no modifications made

Terraform will perform the following actions:

  # module.access_level_members.google_access_context_manager_access_level.access_level will be updated in-place
  ~ resource "google_access_context_manager_access_level" "access_level" {
        id     = "accessPolicies/.../accessLevels/terraform_members"
        name   = "accessPolicies/.../accessLevels/terraform_members"
        parent = "accessPolicies/..."
        title  = "terraform_members"

      ~ basic {
            combining_function = "AND"

          ~ conditions {
                ip_subnetworks         = []
                members                = [
                    "serviceAccount:project-factory-XXXXX@my-project.iam.gserviceaccount.com",
                ]
                negate                 = false
                required_access_levels = []

              + device_policy {
                  + allowed_device_management_levels = []
                  + allowed_encryption_statuses      = []
                  + require_screen_lock              = false

                  + os_constraints {}
                }
            }
        }

        timeouts {}
    }

Plan: 0 to add, 1 to change, 0 to destroy.

[morgante]

We should probably add a dynamic block to accommodate this.

[bharathkkb]

fixed by https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/issues/26