regular_service_perimeter fails to create in v4.0.1

[blakefallow]

TL;DR

Receiving errors upgrading our regular_service_perimeter module from v2.1.0 > v4.0.1 with all of the outlined structure changes posted in the latest example.

Expected behavior

No response

Observed behavior

│ Error: Unsupported block type │ │ on .terraform/modules/prod_regular_perimeter_1/modules/regular_service_perimeter/main.tf line 36, in resource "google_access_context_manager_service_perimeter" "regular_service_perimeter": │ 36: dynamic "ingress_policies" { │ │ Blocks of type "ingress_policies" are not expected here. ╵ ╷ │ Error: Unsupported block type │ │ on .terraform/modules/prod_regular_perimeter_1/modules/regular_service_perimeter/main.tf line 73, in resource "google_access_context_manager_service_perimeter" "regular_service_perimeter": │ 73: dynamic "egress_policies" { │ │ Blocks of type "egress_policies" are not expected here. ╵ ╷ │ Error: Unsupported block type │ │ on .terraform/modules/prod_regular_perimeter_1/modules/regular_service_perimeter/main.tf line 121, in resource "google_access_context_manager_service_perimeter" "regular_service_perimeter": │ 121: dynamic "ingress_policies" { │ │ Blocks of type "ingress_policies" are not expected here. ╵ ╷ │ Error: Unsupported block type │ │ on .terraform/modules/prod_regular_perimeter_1/modules/regular_service_perimeter/main.tf line 158, in resource "google_access_context_manager_service_perimeter" "regular_service_perimeter": │ 158: dynamic "egress_policies" { │ │ Blocks of type "egress_policies" are not expected here. ╵

Terraform Configuration

module "prod_regular_perimeter_1" {
  source = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  version = "4.0.1"

  policy = var.org_policy_id
  perimeter_name = "regular_perimeter_x"
  description = "Perimeter shielding prod projects"
  resources = [
    module.project_XXXX.project_number,
    module.project_XXXXX.project_number,
    module.project_XXXXXX.project_number,
    module.project_XXXXXXX.project_number
  ]

  restricted_services = [
    "bigquery.googleapis.com",
    "datacatalog.googleapis.com",
    "pubsub.googleapis.com",
    "run.googleapis.com",
    "storage.googleapis.com",
    "storagetransfer.googleapis.com",
    "vpcaccess.googleapis.com"
  ]
  ingress_policies = [
    {
      from = {
        "sources" = {
          resources = [
            "*"],
          access_levels = [
            module.access_level_XXX.name,
            module.access_level_XXXXX_vendor.name,
            module.access_level_XXXXXXX_vendor.name
          ]
        },
        "identity_type" = ""
        "identities" = [
          "service-XXXXXXXXXXX@XXXXXXXXXX.iam.gserviceaccount.com"]
      }
      to = {
        "operations" = {
          "bigquery.googleapis.com" = {
            "methods" = [
              "*"]
          }
        }
      }
    }
  ]
}

Terraform Version

Terraform v0.14.6

Additional information

Hashicorp/Google v3.58.0

[github-actions[bot]]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[bharathkkb]

Thanks for the report @blakefallow Looks like this was added in provider 3.62.0 and we should update our supported min versions. https://github.com/hashicorp/terraform-provider-google/blob/v3.90.1/CHANGELOG.md

[blakefallow]

@bharathkkb Thanks. Working as expected with >= 3.62.0. For anyone else going through the upgrade process, the upgrade documentation was very helpful as we had to follow these steps before we got a clean plan: https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/blob/master/docs/upgrading_to_v4.0.md