From dc35ce15ee9512588b87590252d4691a02107ab7 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 8 Jan 2026 13:53:05 +0100
Subject: [PATCH] fix previous change to vpc sc module (#3629)
---
 modules/vpc-sc/perimeters-additive.tf | 44 ++++++++++++++++++++++-----
 tests/modules/vpc_sc/context.yaml | 11 ++++---
 2 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/modules/vpc-sc/perimeters-additive.tf b/modules/vpc-sc/perimeters-additive.tf
index 6e471cd64..601783697 100644
--- a/modules/vpc-sc/perimeters-additive.tf
+++ b/modules/vpc-sc/perimeters-additive.tf
@@ -17,28 +17,56 @@
 # tfdoc:file:description Regular service perimeter resources which ignore resource changes.
 locals {
- perimeters_additive = {
- for k, v in google_access_context_manager_service_perimeter.additive :
- k => v.id
- }
- spec_additive_resources = flatten([
+ _spec_resource_sets = flatten([
+ for k, v in local.perimeters : [
+ for vv in try(v.spec.resources, []) : [
+ for vvv in lookup(local.ctx.resource_sets, vv, []) : {
+ key = "${k}/${vvv}"
+ perimeter = k
+ resource = vvv
+ }
+ ] if startswith(vv, "$resource_sets:")
+ ] if v.ignore_resource_changes
+ ])
+ _spec_resources = flatten([
 for k, v in local.perimeters : [
 for vv in try(v.spec.resources, []) : {
 key = "${k}/${vv}"
 perimeter = k
 resource = vv
- }
+ } if !startswith(vv, "$resource_sets:")
 ] if v.ignore_resource_changes
 ])
- status_additive_resources = flatten([
+ _status_resource_sets = flatten([
+ for k, v in local.perimeters : [
+ for vv in try(v.status.resources, []) : [
+ for vvv in lookup(local.ctx.resource_sets, vv, []) : {
+ key = "${k}/${vvv}"
+ perimeter = k
+ resource = vvv
+ }
+ ] if startswith(vv, "$resource_sets:")
+ ] if v.ignore_resource_changes
+ ])
+ _status_resources = flatten([
 for k, v in local.perimeters : [
 for vv in try(v.status.resources, []) : {
 key = "${k}/${vv}"
 perimeter = k
 resource = vv
- }
+ } if !startswith(vv, "$resource_sets:")
 ] if v.ignore_resource_changes
 ])
+ perimeters_additive = {
+ for k, v in google_access_context_manager_service_perimeter.additive :
+ k => v.id
+ }
+ spec_additive_resources = concat(
+ local._spec_resource_sets, local._spec_resources
+ )
+ status_additive_resources = concat(
+ local._status_resource_sets, local._status_resources
+ )
 }
 resource "google_access_context_manager_service_perimeter" "additive" {
diff --git a/tests/modules/vpc_sc/context.yaml b/tests/modules/vpc_sc/context.yaml
index 25672706c..49cd2eae5 100644
--- a/tests/modules/vpc_sc/context.yaml
+++ b/tests/modules/vpc_sc/context.yaml
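Review bot: In `_spec_resource_sets` and `_status_resource_sets` (modules/vpc-sc/perimeters-additive.tf), `lookup(local.ctx.resource_sets, vv, [])` falls back to an empty list, so a `$resource_sets:` reference that is misspelled or missing from the context expands to nothing and the plan succeeds with those projects left outside the perimeter. For a VPC-SC boundary that is a fail-open default; unless the key is validated somewhere outside this hunk, index the map directly so an unknown set fails the plan: `for vvv in local.ctx.resource_sets[vv] : {`. Separately, the key `"${k}/${vvv}"` can now repeat when a project is listed both directly and through a set, or through two sets; if these lists feed a `for_each` map further down the file, which this hunk does not show, that would surface as a duplicate-key error, so wrapping the concatenated list in `distinct()` or adding a short comment stating the constraint would help.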
@@ -105,13 +105,16 @@ values:
 google_access_context_manager_service_perimeter_resource.default["default/$project_numbers:test-1"]:
 resource: projects/222222
 timeouts: null
- google_access_context_manager_service_perimeter_resource.default["default/$resource_sets:test"]:
- resource: $resource_sets:test
+ google_access_context_manager_service_perimeter_resource.default["default/projects/321"]:
+ resource: projects/321
+ timeouts: null
+ google_access_context_manager_service_perimeter_resource.default["default/projects/654"]:
+ resource: projects/654
 timeouts: null
 counts:
 google_access_context_manager_access_level: 1
 google_access_context_manager_service_perimeter: 1
- google_access_context_manager_service_perimeter_resource: 3
+ google_access_context_manager_service_perimeter_resource: 4
 modules: 0
- resources: 5
+ resources: 6