Allow reusing IAM binding key across objects in kms module (#3775)

* allow reusing IAM binding key across objects in kms module * fix inventory
2026-03-02 08:06:37 +01:00
parent d9d0ce9002
commit 1e8603192c
4 changed files with 48 additions and 7 deletions
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -37,9 +37,22 @@ module "kms" {
      iam = {
        "roles/cloudkms.admin" = ["group:${var.group_email}"]
      }
+      iam_bindings = {
+        agent = {
+          role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+          members = [var.service_account.iam_email]
+        }
+      }
    }
    key-b = {
      rotation_period = "604800s"
+      iam_bindings = {
+        # reusing the same binding name across different keys is supported
+        agent = {
+          role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+          members = [var.service_account.iam_email]
+        }
+      }
      iam_bindings_additive = {
        key-b-iam1 = {
          key    = "key-b"
@@ -55,7 +68,7 @@ module "kms" {
    }
  }
 }
-# tftest modules=1 resources=6 inventory=basic.yaml e2e
+# tftest modules=1 resources=8 inventory=basic.yaml e2e
 ```

 ### Using an existing keyring
--- a/modules/kms/iam.tf
+++ b/modules/kms/iam.tf
@@ -27,7 +27,7 @@ locals {
  key_iam_bindings = merge([
    for k, v in var.keys : {
      for binding_key, data in v.iam_bindings :
-      binding_key => {
+      "${k}:${binding_key}" => {
        key       = k
        role      = data.role
        members   = data.members
@@ -38,7 +38,7 @@ locals {
  key_iam_bindings_additive = merge([
    for k, v in var.keys : {
      for binding_key, data in v.iam_bindings_additive :
-      binding_key => {
+      "${k}:${binding_key}" => {
        key       = k
        role      = data.role
        member    = data.member