Closed
Description
If the `device_policy` is empty in the condition block, the plan output always tries to add a new one that is empty because the block exists.

```hcl
module "access_level_members" {
  source  = "terraform-google-modules/vpc-service-controls/google//modules/access_level"
  version = "~> 1.0.1"
  policy  = module.org_policy.policy_id
  name    = "terraform_members"
  members = ["serviceAccount:${var.terraform_service_account}"]
}
```
Generates the following plan after being applied with no modifications made:

```
Terraform will perform the following actions:

  # module.access_level_members.google_access_context_manager_access_level.access_level will be updated in-place
  ~ resource "google_access_context_manager_access_level" "access_level" {
        id = "accessPolicies/.../accessLevels/terraform_members"
        name = "accessPolicies/.../accessLevels/terraform_members"
        parent = "accessPolicies/..."
        title = "terraform_members"

      ~ basic {
            combining_function = "AND"

          ~ conditions {
                ip_subnetworks = []
                members = [
                    "serviceAccount:[email protected]",
                ]
                negate = false
                required_access_levels = []

              + device_policy {
                  + allowed_device_management_levels = []
                  + allowed_encryption_statuses = []
                  + require_screen_lock = false

                  + os_constraints {}
                }
            }
        }

        timeouts {}
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
petersonnek
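
An added illustration (not from the original issue or the module's source) of one way to avoid the empty block: render `device_policy` through a `dynamic` block only when a device attribute is actually set. The variable names and the `device_policy_set` local are hypothetical; the resource and attribute names are the ones shown in the plan above, and `os_constraints` is left out for brevity.

```hcl
# Added example. Variable names are hypothetical, not the module's inputs.
variable "policy_id" { type = string }
variable "members" { type = list(string) }

variable "require_screen_lock" {
  type    = bool
  default = false
}

variable "allowed_encryption_statuses" {
  type    = list(string)
  default = []
}

variable "allowed_device_management_levels" {
  type    = list(string)
  default = []
}

locals {
  # True only when the caller set at least one device attribute.
  device_policy_set = (
    var.require_screen_lock ||
    length(var.allowed_encryption_statuses) > 0 ||
    length(var.allowed_device_management_levels) > 0
  )
}

resource "google_access_context_manager_access_level" "access_level" {
  parent = "accessPolicies/${var.policy_id}"
  name   = "accessPolicies/${var.policy_id}/accessLevels/terraform_members"
  title  = "terraform_members"

  basic {
    combining_function = "AND"

    conditions {
      members = var.members

      # Emit device_policy only when it carries a constraint, so a
      # members-only access level has no empty block to re-add on each plan.
      dynamic "device_policy" {
        for_each = local.device_policy_set ? [1] : []
        content {
          require_screen_lock              = var.require_screen_lock
          allowed_encryption_statuses      = var.allowed_encryption_statuses
          allowed_device_management_levels = var.allowed_device_management_levels
        }
      }
    }
  }
}
```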