diff --git a/fast/stages/02-networking/vpc-spoke-dev.tf b/fast/stages/02-networking/vpc-spoke-dev.tf
index 8021f0c5..ce308ac4 100644
--- a/fast/stages/02-networking/vpc-spoke-dev.tf
+++ b/fast/stages/02-networking/vpc-spoke-dev.tf
@@ -103,3 +103,24 @@ module "dev-spoke-psa-addresses" {
     }
   }
 }
+
+# Create delegated grants for stage3 service accounts
+resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
+  project = module.dev-spoke-project.project_id
+  role    = "roles/resourcemanager.projectIamAdmin"
+  members = [
+    var.project_factory_sa.dev
+  ]
+  condition {
+    title       = "dev_stage3_sa_delegated_grants"
+    description = "Development host project delegated grants."
+    expression = format(
+      "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+      join(",", formatlist("'%s'", [
+        "roles/compute.networkUser",
+        "roles/container.hostServiceAgentUser",
+        "roles/vpcaccess.user",
+      ]
+    )))
+  }
+}
diff --git a/fast/stages/02-networking/vpc-spoke-prod.tf b/fast/stages/02-networking/vpc-spoke-prod.tf
index 574af757..7d8f0291 100644
--- a/fast/stages/02-networking/vpc-spoke-prod.tf
+++ b/fast/stages/02-networking/vpc-spoke-prod.tf
@@ -103,3 +103,24 @@ module "prod-spoke-psa-addresses" {
     }
   }
 }
+
+# Create delegated grants for stage3 service accounts
+resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
+  project = module.prod-spoke-project.project_id
+  role    = "roles/resourcemanager.projectIamAdmin"
+  members = [
+    var.project_factory_sa.prod
+  ]
+  condition {
+    title       = "prod_stage3_sa_delegated_grants"
+    description = "Production host project delegated grants."
+    expression = format(
+      "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
+      join(",", formatlist("'%s'", [
+        "roles/compute.networkUser",
+        "roles/container.hostServiceAgentUser",
+        "roles/vpcaccess.user",
+      ]
+    )))
+  }
+}
diff --git a/modules/net-vpc/main.tf b/modules/net-vpc/main.tf
index 7c25e039..9275ccf2 100644
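Review bot: The three-role list inside `hasOnly([...])` is the actual boundary of this delegation — it is the only thing stopping the holder of `roles/resourcemanager.projectIamAdmin` from granting any other role on the host project — and the identical list is repeated verbatim in the vpc-spoke-prod.tf hunk, so the dev and prod allowlists can drift silently on a later edit; define it once as a local and reference it from both bindings. It is also worth a comment that `google_project_iam_binding` is authoritative for this role-and-condition pair, so any member added to the same conditional binding outside Terraform is removed on the next apply, which the current comment "Create delegated grants for stage3 service accounts" does not convey. I cannot see the definition of `var.project_factory_sa` here; its values presumably already carry the `serviceAccount:` member prefix, which should be confirmed.
```hcl
# Roles the stage3 project-factory SAs may grant on the host projects; this
# list is the security boundary of the delegated projectIamAdmin binding.
locals {
  stage3_delegated_roles = [
    "roles/compute.networkUser",
    "roles/container.hostServiceAgentUser",
    "roles/vpcaccess.user",
  ]
}

resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
  # … unchanged: project, role, members …
  condition {
    # … unchanged: title, description …
    expression = format(
      "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
      join(",", formatlist("'%s'", local.stage3_delegated_roles))
    )
  }
}
```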
--- a/modules/net-vpc/main.tf
+++ b/modules/net-vpc/main.tf
@@ -49,7 +49,7 @@ locals {
       ip_cidr_range = v.ip_cidr_range
       name          = k
       region        = v.region
-      secondary_ip_range = try(v.secondary_ip_range, [])
+      secondary_ip_range = try(v.secondary_ip_range, {})
     }
   }
   _iam = var.iam == null ? {} : var.iam
@@ -176,7 +176,7 @@ resource "google_compute_subnetwork" "subnetwork" {
   region        = each.value.region
   name          = each.value.name
   ip_cidr_range = each.value.ip_cidr_range
-  secondary_ip_range = each.value.secondary_ip_range == null ? [] : [
+  secondary_ip_range = [
     for name, range in each.value.secondary_ip_range : {
       range_name = name, ip_cidr_range = range
     }
   ]
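Review bot: Removing the `== null ? [] :` guard in the second hunk (`google_compute_subnetwork.subnetwork`) makes the `for` expression fail with an iteration-over-null error whenever a subnet's `secondary_ip_range` is present but null, because `try()` in the first hunk only falls back to `{}` when the attribute is missing, not when it evaluates to null. If the subnet variable declares `secondary_ip_range` as an optional attribute, which I cannot see from here, null is exactly the value it arrives with, and the removed guard was the only thing handling it. Normalising once in the `locals` hunk keeps the resource expression as simple as the new version: `secondary_ip_range = try(coalesce(v.secondary_ip_range, {}), {})`. Both enclosing blocks, the `locals` block and the `subnetwork` resource, start and end outside their hunks.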