Support CMEK configuration in org module logging settings, expose identities in FAST context (#3656)

* support CMEK configuration in org module logging settings, expose identities as FAST contexts

* remove hash from inventories

fast/stages/0-org-setup/README.md

@@ -365,6 +365,7 @@ This is a simple reference table of available interpolation namespaces, refer to
 - `$iam_principals:my_principal`
 - `$iam_principals:service_accounts/my_project/my_sa`
 - `$iam_principals:service_agents/my_project/my_api`
+- `$iam_principals:organization/logging/kms`
 - `$kms_keys:my_key`
 - `$kms_keys:autokeys/my_key`
 - `$log_buckets:my_project/my_bucket`

fast/stages/0-org-setup/factory.tf

@@ -50,7 +50,10 @@ module "factory" {
         default = try(module.organization[0].id, null)
       }
     )
-    iam_principals = local.iam_principals
+    iam_principals = merge(
+      local.org_logging_identities,
+      local.iam_principals
+    )
     tag_values = merge(
       local.ctx.tag_values,
       local.org_tag_values

fast/stages/0-org-setup/organization.tf

@@ -60,6 +60,14 @@ locals {
     gcp-security-admins     = "group:gcp-security-admins@${local.organization.domain}"
     gcp-support             = "group:gcp-support@${local.organization.domain}"
   }
+  org_logging_identities = merge(
+    module.organization[0].logging_identities.kms == null ? {} : {
+      "organization/logging/kms" = module.organization[0].logging_identities.kms
+    },
+    module.organization[0].logging_identities.logging == null ? {} : {
+      "organization/logging/sinks" = module.organization[0].logging_identities.logging
+    }
+  )
   org_tag_keys = {
     for k, v in module.organization[0].tag_keys : k => v.id
   }