From 1e8603192c7e0af4b508198437270a97d5292e85 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Mon, 2 Mar 2026 08:06:37 +0100
Subject: [PATCH] Allow reusing IAM binding key across objects in kms module (#3775)
* allow reusing IAM binding key across objects in kms module
* fix inventory
---
 modules/kms/README.md | 15 ++++++++++++-
 modules/kms/iam.tf | 4 ++--
 tests/modules/kms/context.yaml | 4 ++--
 tests/modules/kms/examples/basic.yaml | 32 +++++++++++++++++++++++++--
 4 files changed, 48 insertions(+), 7 deletions(-)
diff --git a/modules/kms/README.md b/modules/kms/README.md
index a53cd14f7..f115e5570 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -37,9 +37,22 @@ module "kms" {
 iam = {
 "roles/cloudkms.admin" = ["group:${var.group_email}"]
 }
+ iam_bindings = {
+ agent = {
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ members = [var.service_account.iam_email]
+ }
+ }
 }
 key-b = {
 rotation_period = "604800s"
+ iam_bindings = {
+ # reusing the same binding name across different keys is supported
+ agent = {
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ members = [var.service_account.iam_email]
+ }
+ }
 iam_bindings_additive = {
 key-b-iam1 = {
 key = "key-b"
@@ -55,7 +68,7 @@ module "kms" {
 }
 }
 }
-# tftest modules=1 resources=6 inventory=basic.yaml e2e
+# tftest modules=1 resources=8 inventory=basic.yaml e2e
 ```
 ### Using an existing keyring
diff --git a/modules/kms/iam.tf b/modules/kms/iam.tf
index e867e6ea0..81ff7584b 100644
--- a/modules/kms/iam.tf
+++ b/modules/kms/iam.tf
@@ -27,7 +27,7 @@ locals {
 key_iam_bindings = merge([
 for k, v in var.keys : {
 for binding_key, data in v.iam_bindings :
- binding_key => {
+ "${k}:${binding_key}" => {
 key = k
 role = data.role
 members = data.members
@@ -38,7 +38,7 @@ locals {
 key_iam_bindings_additive = merge([
 for k, v in var.keys : {
 for binding_key, data in v.iam_bindings_additive :
- binding_key => {
+ "${k}:${binding_key}" => {
 key = k
 role = data.role
 member = data.member
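Review bot: Changing the map key from `binding_key` to `"${k}:${binding_key}"` in `key_iam_bindings` (and the same change in the `key_iam_bindings_additive` hunk just below) changes the address of every existing key-level IAM resource, as the updated test addresses `bindings["key-a:myrole_two"]` and `members["key-b:myrole_three"]` show, so anyone already using the module will see a destroy-and-recreate plan for all of them on upgrade. For the authoritative `google_kms_crypto_key_iam_binding` resources that means the role binding is removed before it is re-added, i.e. a transient loss of encrypt/decrypt access for the listed members, and a `moved` block cannot express this because the keys are dynamic. I would flag this as a breaking change in the module's README or changelog and spell out the `terraform state mv` step for existing state, or, if the repo has a convention for it, add a short comment above the new key such as `# prefixed with the key name so the same binding name can be reused across keys; note this changes resource addresses`. The `:` separator looks safe against ambiguity only because KMS key names cannot contain `:` — worth stating in that comment if that is the assumption. The enclosing `locals` block continues outside both hunks.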
diff --git a/tests/modules/kms/context.yaml b/tests/modules/kms/context.yaml
index ce80f5190..4f5c2fbe5 100644
--- a/tests/modules/kms/context.yaml
+++ b/tests/modules/kms/context.yaml
@@ -59,7 +59,7 @@ values:
 members:
 - serviceAccount:test@test-project.iam.gserviceaccount.com
 role: roles/viewer
- google_kms_crypto_key_iam_binding.bindings["myrole_two"]:
+ google_kms_crypto_key_iam_binding.bindings["key-a:myrole_two"]:
 condition:
 - description: null
 expression: resource.matchTag('1234567890/environment', 'development')
@@ -67,7 +67,7 @@ values:
 members:
 - serviceAccount:test@test-project.iam.gserviceaccount.com
 role: organizations/366118655033/roles/myRoleTwo
- google_kms_crypto_key_iam_member.members["myrole_three"]:
+ google_kms_crypto_key_iam_member.members["key-b:myrole_three"]:
 condition: []
 member: serviceAccount:test@test-project.iam.gserviceaccount.com
 role: organizations/366118655033/roles/myRoleThree
diff --git a/tests/modules/kms/examples/basic.yaml b/tests/modules/kms/examples/basic.yaml
index d08eb7637..f8e4969ad 100644
--- a/tests/modules/kms/examples/basic.yaml
+++ b/tests/modules/kms/examples/basic.yaml
@@ -14,30 +14,57 @@ values:
 module.kms.google_kms_crypto_key.default["key-a"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
 labels: null
 name: key-a
 purpose: ENCRYPT_DECRYPT
 rotation_period: null
 skip_initial_version_creation: false
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
 module.kms.google_kms_crypto_key.default["key-b"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
 labels: null
 name: key-b
 purpose: ENCRYPT_DECRYPT
 rotation_period: 604800s
 skip_initial_version_creation: false
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
 module.kms.google_kms_crypto_key.default["key-c"]:
+ effective_labels:
+ env: test
+ goog-terraform-provisioned: 'true'
 labels:
 env: test
 name: key-c
 purpose: ENCRYPT_DECRYPT
 rotation_period: null
 skip_initial_version_creation: false
+ terraform_labels:
+ env: test
+ goog-terraform-provisioned: 'true'
+ timeouts: null
 module.kms.google_kms_crypto_key_iam_binding.authoritative["key-a.roles/cloudkms.admin"]:
 condition: []
 members:
 - group:organization-admins@example.org
 role: roles/cloudkms.admin
- module.kms.google_kms_crypto_key_iam_member.members["key-b-iam1"]:
+ module.kms.google_kms_crypto_key_iam_binding.bindings["key-a:agent"]:
+ condition: []
+ members:
+ - serviceAccount:sa1@sa.example
+ role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+ module.kms.google_kms_crypto_key_iam_binding.bindings["key-b:agent"]:
+ condition: []
+ members:
+ - serviceAccount:sa1@sa.example
+ role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+ module.kms.google_kms_crypto_key_iam_member.members["key-b:key-b-iam1"]:
 condition: []
 member: group:organization-admins@example.org
 role: roles/cloudkms.cryptoKeyEncrypterDecrypter
@@ -45,9 +72,10 @@ values:
 location: europe-west8
 name: test-test
 project: project-id
+ timeouts: null
 counts:
 google_kms_crypto_key: 3
- google_kms_crypto_key_iam_binding: 1
+ google_kms_crypto_key_iam_binding: 3
 google_kms_crypto_key_iam_member: 1
 google_kms_key_ring: 1