Add IAM cryptDecrypt role to robo service account on specified keys

2021-06-11 16:00:20 +02:00
parent d1b560c76d
commit 476d2c79e9
3 changed files with 34 additions and 0 deletions
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -65,6 +65,14 @@ locals {
      if sink.iam && sink.type == type
    }
  }
+  service_encryption_key_ids_flatten = flatten([
+    for service in keys(var.service_encryption_key_ids) : [
+      for key in var.service_encryption_key_ids[service] : {
+        service = service
+        key     = key
+      }
+    ]
+  ])
 }

 data "google_project" "project" {
@@ -356,3 +364,12 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
  perimeter_name = each.value
  resource       = "projects/${local.project.number}"
 }
+
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
+  for_each = {
+    for service_key in local.service_encryption_key_ids_flatten : "${service_key.service}.${service_key.key}" => service_key
+  }
+  crypto_key_id = each.value.key
+  role          = "roles/cloudkms.cryptoKeyEncrypter"
+  member        = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
+}