Fix identity handling in service perimeter when identity is null (#3461)

2025-10-24 07:00:06 +02:00
parent 3a3142d852
commit bc31714f68
1 changed files with 8 additions and 8 deletions
--- a/modules/vpc-sc/perimeters.tf
+++ b/modules/vpc-sc/perimeters.tf
@@ -74,8 +74,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
            for_each = policy.value.from == null ? [] : [""]
            content {
              identity_type = policy.value.from.identity_type
-              identities = flatten([
-                for i in policy.value.from.identities : (
+              identities = policy.value.from.identities == null ? null : flatten([
+                for i in coalesce(policy.value.from.identities, []) : (
                  startswith(i, "$identity_sets:")
                  ? lookup(local.ctx.identity_sets, i, [i])
                  : lookup(local.ctx.iam_principals_list, i, [i])
@@ -159,8 +159,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
            for_each = policy.value.from == null ? [] : [""]
            content {
              identity_type = policy.value.from.identity_type
-              identities = flatten([
-                for i in policy.value.from.identities : (
+              identities = policy.value.from.identities == null ? null : flatten([
+                for i in coalesce(policy.value.from.identities, []) : (
                  startswith(i, "$identity_sets:")
                  ? lookup(local.ctx.identity_sets, i, [i])
                  : lookup(local.ctx.iam_principals_list, i, [i])
@@ -271,8 +271,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
            for_each = policy.value.from == null ? [] : [""]
            content {
              identity_type = policy.value.from.identity_type
-              identities = flatten([
-                for i in policy.value.from.identities : (
+              identities = policy.value.from.identities == null ? null : flatten([
+                for i in coalesce(policy.value.from.identities, []) : (
                  startswith(i, "$identity_sets:")
                  ? lookup(local.ctx.identity_sets, i, [i])
                  : lookup(local.ctx.iam_principals_list, i, [i])
@@ -356,8 +356,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
            for_each = policy.value.from == null ? [] : [""]
            content {
              identity_type = policy.value.from.identity_type
-              identities = flatten([
-                for i in policy.value.from.identities : (
+              identities = policy.value.from.identities == null ? null : flatten([
+                for i in coalesce(policy.value.from.identities, []) : (
                  startswith(i, "$identity_sets:")
                  ? lookup(local.ctx.identity_sets, i, [i])
                  : lookup(local.ctx.iam_principals_list, i, [i])