fix: Use dynamic block to prevent empty device policies (#31)

* used dynamic block to handle lack of device policy * changed device_policy_enabled default value to true * fixed issues that were causing integration tests to break * removed device enabled variable * fixed string formatting error * refering to the variables using var. notation * update the expression that determines if device policy needs to be enabled Co-authored-by: Rajinder Singh <[email protected]>
terraform-google-modules · Apr 6, 2020 · 17a9329 · 17a9329
1 parent 4aba2a1
commit 17a9329
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/modules/access_level/main.tf b/modules/access_level/main.tf
@@ -32,14 +32,18 @@ resource "google_access_context_manager_access_level" "access_level" {
       members                = var.members
       negate                 = var.negate
 
-      device_policy {
-        require_screen_lock              = var.require_screen_lock
-        allowed_encryption_statuses      = var.allowed_encryption_statuses
-        allowed_device_management_levels = var.allowed_device_management_levels
+      dynamic "device_policy" {
+        for_each = var.require_screen_lock || length(var.allowed_encryption_statuses) > 0 || length(var.allowed_device_management_levels) > 0 || var.minimum_version != "" || var.os_type != "OS_UNSPECIFIED" ? [{}] : []
 
-        os_constraints {
-          minimum_version = var.minimum_version
-          os_type         = var.os_type
+        content {
+          require_screen_lock              = var.require_screen_lock
+          allowed_encryption_statuses      = var.allowed_encryption_statuses
+          allowed_device_management_levels = var.allowed_device_management_levels
+
+          os_constraints {
+            minimum_version = var.minimum_version
+            os_type         = var.os_type
+          }
         }
       }
     }