add support for additive IAM roles to KMS (#417)

modules/kms/main.tf

@@ -15,6 +15,25 @@
  */
 
 locals {
+  iam_additive_members = flatten([
+    for role, members in var.iam_additive : [
+      for member in members : {
+        member = member
+        role   = role
+      }
+    ]
+  ])
+  key_iam_additive_members = flatten([
+    for key, roles in var.key_iam_additive : [
+      for role, members in roles : [
+        for member in members : {
+          key    = key
+          member = member
+          role   = role
+        }
+      ]
+    ]
+  ])
   key_iam_members = flatten([
     for key, roles in var.key_iam : [
       for role, members in roles : {
@@ -57,6 +76,16 @@ resource "google_kms_key_ring_iam_binding" "default" {
   members     = each.value
 }
 
+resource "google_kms_key_ring_iam_member" "default" {
+  for_each = {
+    for binding in local.iam_additive_members :
+    "${binding.role}${binding.member}" => binding
+  }
+  key_ring_id = local.keyring.id
+  role        = each.value.role
+  member      = each.value.member
+}
+
 resource "google_kms_crypto_key" "default" {
   for_each        = var.keys
   key_ring        = local.keyring.id
@@ -82,3 +111,13 @@ resource "google_kms_crypto_key_iam_binding" "default" {
   crypto_key_id = google_kms_crypto_key.default[each.value.key].id
   members       = each.value.members
 }
+
+resource "google_kms_crypto_key_iam_member" "default" {
+  for_each = {
+    for binding in local.key_iam_additive_members :
+    "${binding.key}.${binding.role}${binding.member}" => binding
+  }
+  role          = each.value.role
+  crypto_key_id = google_kms_crypto_key.default[each.value.key].id
+  member        = each.value.member
+}