From bc31714f68904986fd7e520063e0ebc5988bdd6f Mon Sep 17 00:00:00 2001
From: Viliam Pucik
Date: Fri, 24 Oct 2025 07:00:06 +0200
Subject: [PATCH] Fix identity handling in service perimeter when identity is null (#3461)
---
 modules/vpc-sc/perimeters.tf | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/vpc-sc/perimeters.tf b/modules/vpc-sc/perimeters.tf
index 601efb329..c3358cb7a 100644
--- a/modules/vpc-sc/perimeters.tf
+++ b/modules/vpc-sc/perimeters.tf
@@ -74,8 +74,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 for_each = policy.value.from == null ? [] : [""]
 content {
 identity_type = policy.value.from.identity_type
- identities = flatten([
- for i in policy.value.from.identities : (
+ identities = policy.value.from.identities == null ? null : flatten([
+ for i in coalesce(policy.value.from.identities, []) : (
 startswith(i, "$identity_sets:")
 ? lookup(local.ctx.identity_sets, i, [i])
 : lookup(local.ctx.iam_principals_list, i, [i])
@@ -159,8 +159,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 for_each = policy.value.from == null ? [] : [""]
 content {
 identity_type = policy.value.from.identity_type
- identities = flatten([
- for i in policy.value.from.identities : (
+ identities = policy.value.from.identities == null ? null : flatten([
+ for i in coalesce(policy.value.from.identities, []) : (
 startswith(i, "$identity_sets:")
 ? lookup(local.ctx.identity_sets, i, [i])
 : lookup(local.ctx.iam_principals_list, i, [i])
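Review bot: With `identities` now passed through as `null`, a `from` block whose `identity_type` is also null is rendered with neither field set, and nothing visible in this hunk rejects that; the identical expression repeats in the hunks at -159, -271 and -356. If the variable definition (outside this diff) does not already validate it, a rule requiring at least one of the two per `from` block would turn that mistake into a plan-time error instead of leaving it to the API. A short comment above the assignment would also help readers of a perimeter policy, e.g. `# null identities: the rule is scoped by identity_type alone`. The inner `coalesce(policy.value.from.identities, [])` appears redundant behind the `== null ? null :` guard, so `for i in policy.value.from.identities : (` could stay as it was. The enclosing resource and dynamic blocks start and end outside the hunk.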
@@ -271,8 +271,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 for_each = policy.value.from == null ? [] : [""]
 content {
 identity_type = policy.value.from.identity_type
- identities = flatten([
- for i in policy.value.from.identities : (
+ identities = policy.value.from.identities == null ? null : flatten([
+ for i in coalesce(policy.value.from.identities, []) : (
 startswith(i, "$identity_sets:")
 ? lookup(local.ctx.identity_sets, i, [i])
 : lookup(local.ctx.iam_principals_list, i, [i])
@@ -356,8 +356,8 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 for_each = policy.value.from == null ? [] : [""]
 content {
 identity_type = policy.value.from.identity_type
- identities = flatten([
- for i in policy.value.from.identities : (
+ identities = policy.value.from.identities == null ? null : flatten([
+ for i in coalesce(policy.value.from.identities, []) : (
 startswith(i, "$identity_sets:")
 ? lookup(local.ctx.identity_sets, i, [i])
 : lookup(local.ctx.iam_principals_list, i, [i])