From 347a4c6b69c8775898e6d971f27d5986ed92877d Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Mon, 3 Jan 2022 15:27:00 +0100
Subject: [PATCH] remove lifecycle block from vpc sc perimeters (#412)

---
 modules/vpc-sc/README.md | 2 ++
 modules/vpc-sc/access_levels.tf | 2 +-
 modules/vpc-sc/service_perimeters_bridge.tf | 6 +++---
 modules/vpc-sc/service_perimeters_regular.tf | 6 +++---
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index 5fa2037a..a7bcaf4f 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -76,7 +76,9 @@ The regular perimeters variable exposes all the complexity of the underlying res
 
 If you need to refer to access levels created by the same module in regular service perimeters, simply use the module's outputs in the provided variables. The example below shows how to do this in practice.
 
+/*
 Resources for both perimeters have a `lifecycle` block that ignores changes to `spec` and `status` resources (projects), to allow using the additive resource `google_access_context_manager_service_perimeter_resource` at project creation. If this is not needed, the `lifecycle` blocks can be safely commented in the code.
+*/
 
 #### Bridge type
 
diff --git a/modules/vpc-sc/access_levels.tf b/modules/vpc-sc/access_levels.tf
index f8c34355..b732f080 100644
--- a/modules/vpc-sc/access_levels.tf
+++ b/modules/vpc-sc/access_levels.tf
@@ -21,7 +21,7 @@
 # google_access_context_manager_access_levels resource
 
 resource "google_access_context_manager_access_level" "basic" {
- for_each = var.access_levels
+ for_each = var.access_levels == null ? {} : var.access_levels
 parent = "accessPolicies/${local.access_policy}"
 name = "accessPolicies/${local.access_policy}/accessLevels/${each.key}"
 title = each.key
diff --git a/modules/vpc-sc/service_perimeters_bridge.tf b/modules/vpc-sc/service_perimeters_bridge.tf
index 3c57f6b9..180dffda 100644
--- a/modules/vpc-sc/service_perimeters_bridge.tf
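Review bot: The null guard on `for_each` only normalizes `var.access_levels` at this one reference; if the module reads `var.access_levels` anywhere else (outputs, or the access-level references the README describes for regular perimeters) those would still see `null`, so the normalization belongs on the variable itself. If the module already targets Terraform 1.1, declare the variable with `default = {}` and `nullable = false` and keep the plain `for_each = var.access_levels`; otherwise keep the guard but say why it exists, e.g. `# tolerate a null input so callers can pass access_levels = null to create no access levels`. The enclosing `resource "google_access_context_manager_access_level" "basic"` block continues past the hunk.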
+++ b/modules/vpc-sc/service_perimeters_bridge.tf
@@ -31,9 +31,9 @@ resource "google_access_context_manager_service_perimeter" "bridge" {
 status {
 resources = each.value.status_resources == null ? [] : each.value.status_resources
 }
- lifecycle {
- ignore_changes = [spec[0].resources, status[0].resources]
- }
+ # lifecycle {
+ # ignore_changes = [spec[0].resources, status[0].resources]
+ # }
 depends_on = [
 google_access_context_manager_access_policy.default,
 google_access_context_manager_access_level.basic
diff --git a/modules/vpc-sc/service_perimeters_regular.tf b/modules/vpc-sc/service_perimeters_regular.tf
index d3069c57..e93ea5a6 100644
--- a/modules/vpc-sc/service_perimeters_regular.tf
+++ b/modules/vpc-sc/service_perimeters_regular.tf
@@ -301,9 +301,9 @@ resource "google_access_context_manager_service_perimeter" "regular" {
 # end vpc_accessible_services
 }
 }
- lifecycle {
- ignore_changes = [spec[0].resources, status[0].resources]
- }
+ # lifecycle {
+ # ignore_changes = [spec[0].resources, status[0].resources]
+ # }
 depends_on = [
 google_access_context_manager_access_policy.default,
 google_access_context_manager_access_level.basic
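Review bot: Nothing in the new code records why `ignore_changes` was dropped, and the consequence is security-relevant: `spec`/`status` `resources` are now managed authoritatively by this resource, so any project attached out of band (including via `google_access_context_manager_service_perimeter_resource`, which the README paragraph still describes) will be removed from the perimeter on the next apply, while drift that widened the perimeter is reverted instead of silently accepted. That is the safer default, but it will surprise users of the additive workflow, and the README paragraph is not actually hidden by wrapping it in `/* */` — Markdown renders that verbatim — so it should be rewritten to state the new behaviour rather than commented. Prefer deleting the dead block over keeping it commented; if a breadcrumb is wanted, replace the three commented lines with `# spec/status resources are authoritative; do not re-add ignore_changes unless projects are attached via google_access_context_manager_service_perimeter_resource`. The `resource "bridge"` block starts before the hunk and its `depends_on` list continues past it.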
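Review bot: The commented-out `lifecycle` block here duplicates the one left in service_perimeters_bridge.tf, and both are now dead code; delete it rather than commenting it, since git history preserves it and a commented block invites someone to uncomment one file but not the other, leaving the two perimeter types with different drift handling on `resources`. If a reminder is wanted, a single line such as `# no ignore_changes: spec and status resources are enforced on every apply` is clearer than three commented lines. The `resource "regular"` block starts before the hunk and its `depends_on` list continues past it.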