Improve KMS: add custom role to handle keys

fast/stages/00-bootstrap/organization.tf

@@ -171,6 +171,12 @@ module "organization" {
       "dns.networks.bindPrivateDNSZone",
       "resourcemanager.projects.get",
     ]
+    (var.custom_role_names.cloud_kms_key_role_editor) = [
+      "cloudkms.cryptoKeys.get",
+      "cloudkms.cryptoKeys.list",
+      "cloudkms.cryptoKeys.getIamPolicy",
+      "cloudkms.cryptoKeys.setIamPolicy"
+    ]
   }
   logging_sinks = {
     for name, attrs in var.log_sinks : name => {

fast/stages/00-bootstrap/variables.tf

@@ -79,10 +79,12 @@ variable "custom_role_names" {
   type = object({
     organization_iam_admin        = string
     service_project_network_admin = string
+    cloud_kms_key_role_editor     = string
   })
   default = {
     organization_iam_admin        = "organizationIamAdmin"
     service_project_network_admin = "serviceProjectNetworkAdmin"
+    cloud_kms_key_role_editor     = "cloudKmsKeyAdmin"
   }
 }
 

fast/stages/02-security/core-dev.tf

@@ -27,7 +27,8 @@ module "dev-sec-project" {
   prefix          = var.prefix
   billing_account = var.billing_account.id
   iam = {
-    "roles/cloudkms.viewer" = local.dev_kms_restricted_admins
+    (local.custom_roles.cloud_kms_key_role_editor) = ["serviceAccount:${var.service_accounts.data-platform-dev}"]
+    "roles/cloudkms.viewer"                        = local.dev_kms_restricted_admins
   }
   labels   = { environment = "dev", team = "security" }
   services = local.project_services

fast/stages/02-security/core-prod.tf

@@ -27,7 +27,8 @@ module "prod-sec-project" {
   prefix          = var.prefix
   billing_account = var.billing_account.id
   iam = {
-    "roles/cloudkms.viewer" = local.prod_kms_restricted_admins
+    (local.custom_roles.cloud_kms_key_role_editor) = ["serviceAccount:${var.service_accounts.data-platform-prod}"]
+    "roles/cloudkms.viewer"                        = local.prod_kms_restricted_admins
   }
   labels   = { environment = "prod", team = "security" }
   services = local.project_services

fast/stages/02-security/main.tf

@@ -15,6 +15,7 @@
  */
 
 locals {
+  custom_roles = coalesce(var.custom_roles, {})
   kms_keys = {
     for k, v in var.kms_keys : k => {
       iam    = coalesce(v.iam, {})

fast/stages/02-security/variables.tf

@@ -31,6 +31,15 @@ variable "billing_account" {
   })
 }
 
+variable "custom_roles" {
+  # tfdoc:variable:source 00-bootstrap
+  description = "Custom roles defined at the org level, in key => id format."
+  type = object({
+    cloud_kms_key_role_editor = string
+  })
+  default = null
+}
+
 variable "folder_ids" {
   # tfdoc:variable:source 01-resman
   description = "Folder name => id mappings, the 'security' folder name must exist."
@@ -81,6 +90,8 @@ variable "service_accounts" {
   # tfdoc:variable:source 01-resman
   description = "Automation service accounts that can assign the encrypt/decrypt roles on keys."
   type = object({
+    data-platform-dev    = string
+    data-platform-prod   = string
     project-factory-dev  = string
     project-factory-prod = string
   })