diff --git a/data-solutions/cmek-via-centralized-kms/main.tf b/data-solutions/cmek-via-centralized-kms/main.tf
index 66b7e6a3..94832905 100644
--- a/data-solutions/cmek-via-centralized-kms/main.tf
+++ b/data-solutions/cmek-via-centralized-kms/main.tf
@@ -79,10 +79,6 @@ module "kms" {
 location = var.location
 }
 keys = { key-gce = null, key-gcs = null }
- key_iam_roles = {
- key-gce = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
- key-gcs = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
- }
 key_iam_members = {
 key-gce = {
 "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
diff --git a/data-solutions/gcs-to-bq-with-dataflow/main.tf b/data-solutions/gcs-to-bq-with-dataflow/main.tf
index 61bc24cf..41eca04a 100644
--- a/data-solutions/gcs-to-bq-with-dataflow/main.tf
+++ b/data-solutions/gcs-to-bq-with-dataflow/main.tf
@@ -120,11 +120,6 @@ module "kms" {
 location = var.location
 }
 keys = { key-gce = null, key-gcs = null, key-bq = null }
- key_iam_roles = {
- key-gce = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
- key-gcs = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
- key-bq = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
- }
 key_iam_members = {
 key-gce = {
 "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
@@ -155,9 +150,6 @@ module "kms-regional" {
 location = var.region
 }
 keys = { key-df = null }
- key_iam_roles = {
- key-df = ["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
- }
 key_iam_members = {
 key-df = {
 "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
diff --git a/modules/kms/README.md b/modules/kms/README.md
index 69ceb882..98c5743e 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -16,7 +16,6 @@ In this module **no lifecycle blocks are set on resources to prevent destroy**,
 module "kms" {
 source = "../modules/kms"
 project_id = "my-project"
- iam_roles = ["roles/owner"]
 iam_members = {
 "roles/owner" = ["user:user1@example.com"]
 }
@@ -32,9 +31,6 @@ module "kms" {
 module "kms" {
 source = "../modules/kms"
 project_id = "my-project"
- key_iam_roles = {
- key-a = ["roles/owner"]
- }
 key_iam_members = {
 key-a = {
 "roles/owner" = ["user:user1@example.com"]
@@ -76,10 +72,8 @@ module "kms" {
 |---|---|:---: |:---:|:---:|
 | keyring | Keyring attributes. | object({...}) | ✓ | |
 | project_id | Project id where the keyring will be created. | string | ✓ | |
-| *iam_members* | Keyring IAM members. | map(list(string)) | | {} |
-| *iam_roles* | Keyring IAM roles. | list(string) | | [] |
-| *key_iam_members* | IAM members keyed by key name and role. | map(map(list(string))) | | {} |
-| *key_iam_roles* | IAM roles keyed by key name. | map(list(string)) | | {} |
+| *iam_members* | Keyring IAM members. | map(set(string)) | | {} |
+| *key_iam_members* | IAM members keyed by key name and role. | map(map(set(string))) | | {} |
 | *key_purpose* | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | map(object({...})) | | {} |
 | *key_purpose_defaults* | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | object({...}) | | ... |
 | *keyring_create* | Set to false to manage keys and IAM bindings in an existing keyring. | bool | | true |
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index e69f3381..a6f4795f 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
@@ -15,14 +15,15 @@
 */
 
 locals {
- key_iam_pairs = flatten([
- for name, roles in var.key_iam_roles :
- [for role in roles : { name = name, role = role }]
+ key_iam_members = flatten([
+ for key, roles in var.key_iam_members : [
+ for role, members in roles : {
+ key = key
+ role = role
+ members = members
+ }
+ ]
 ])
- key_iam_keypairs = {
- for pair in local.key_iam_pairs :
- "${pair.name}-${pair.role}" => pair
- }
 key_purpose = {
 for key, attrs in var.keys : key => try(
 var.key_purpose[key], var.key_purpose_defaults
@@ -47,16 +48,13 @@ resource "google_kms_key_ring" "default" {
 project = var.project_id
 name = var.keyring.name
 location = var.keyring.location
- # lifecycle {
- # prevent_destroy = true
- # }
 }
 
 resource "google_kms_key_ring_iam_binding" "default" {
- for_each = toset(var.iam_roles)
+ for_each = var.iam_members
 key_ring_id = local.keyring.self_link
- role = each.value
- members = lookup(var.iam_members, each.value, [])
+ role = each.key
+ members = each.value
 }
 
 resource "google_kms_crypto_key" "default" {
@@ -73,16 +71,14 @@ resource "google_kms_crypto_key" "default" {
 protection_level = local.key_purpose[each.key].version_template.protection_level
 }
 }
- # lifecycle {
- # prevent_destroy = true
- # }
 }
 
 resource "google_kms_crypto_key_iam_binding" "default" {
- for_each = local.key_iam_keypairs
+ for_each = {
+ for binding in local.key_iam_members :
+ "${binding.key}.${binding.role}" => binding
+ }
 role = each.value.role
- crypto_key_id = google_kms_crypto_key.default[each.value.name].self_link
- members = lookup(
- lookup(var.key_iam_members, each.value.name, {}), each.value.role, []
- )
+ crypto_key_id = google_kms_crypto_key.default[each.value.key].self_link
+ members = each.value.members
 }
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 42ec689b..1f104cdf 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
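Review bot: The new local is named `key_iam_members`, the same as the input variable it flattens, so from here on `local.key_iam_members` (a flat list of key/role/members objects) and `var.key_iam_members` (the nested map) are two different shapes under one name. A distinct name would make the later `for_each` in the crypto-key binding read unambiguously, e.g. `key_iam_bindings = flatten([` here and `for binding in local.key_iam_bindings :` at the binding resource. The `locals` block continues outside the hunk.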
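Review bot: The `for_each` key of `google_kms_crypto_key_iam_binding.default` changes from `"${pair.name}-${pair.role}"` to `"${binding.key}.${binding.role}"`, so every existing instance gets a new address and a plan on existing state will destroy and recreate each binding instead of updating it in place. Because `*_iam_binding` resources are authoritative for their role, the destroy step revokes `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key before the create step restores it, which can interrupt access to CMEK-protected resources for the data-solutions callers patched earlier in this diff and leaves the role revoked if the apply stops between the two steps; by contrast the key ring binding keeps its role-keyed address and is updated in place. Keeping the old separator avoids the move entirely, e.g. `"${binding.key}-${binding.role}" => binding`; if the new separator is wanted, the change should ship with a migration note (`terraform state mv` per binding, or a `moved` block where the module's required Terraform version supports it).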
@@ -16,25 +16,13 @@
 
 variable "iam_members" {
 description = "Keyring IAM members."
- type = map(list(string))
+ type = map(set(string))
 default = {}
 }
 
-variable "iam_roles" {
- description = "Keyring IAM roles."
- type = list(string)
- default = []
-}
-
 variable "key_iam_members" {
 description = "IAM members keyed by key name and role."
- type = map(map(list(string)))
- default = {}
-}
-
-variable "key_iam_roles" {
- description = "IAM roles keyed by key name."
- type = map(list(string))
+ type = map(map(set(string)))
 default = {}
 }
 
diff --git a/tests/modules/kms/fixture/main.tf b/tests/modules/kms/fixture/main.tf
index f027f978..45fd119b 100644
--- a/tests/modules/kms/fixture/main.tf
+++ b/tests/modules/kms/fixture/main.tf
@@ -17,9 +17,7 @@
 module "test" {
 source = "../../../../modules/kms"
 iam_members = var.iam_members
- iam_roles = var.iam_roles
 key_iam_members = var.key_iam_members
- key_iam_roles = var.key_iam_roles
 key_purpose = var.key_purpose
 key_purpose_defaults = var.key_purpose_defaults
 keyring = var.keyring
diff --git a/tests/modules/kms/fixture/variables.tf b/tests/modules/kms/fixture/variables.tf
index 10f3f318..04b77d84 100644
--- a/tests/modules/kms/fixture/variables.tf
+++ b/tests/modules/kms/fixture/variables.tf
@@ -21,11 +21,6 @@ variable "iam_members" {
 }
 }
 
-variable "iam_roles" {
- type = list(string)
- default = ["roles/owner"]
-}
-
 variable "key_iam_members" {
 type = map(map(list(string)))
 default = {
@@ -35,13 +30,6 @@ variable "key_iam_members" {
 }
 }
 
-variable "key_iam_roles" {
- type = map(list(string))
- default = {
- key-a = ["roles/owner"]
- }
-}
-
 variable "key_purpose" {
 type = map(object({
 purpose = string
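Review bot: The two variable descriptions do not say that the module manages these members through `google_kms_key_ring_iam_binding` and `google_kms_crypto_key_iam_binding`, which are authoritative per role: any principal holding a listed role that is not in the set is removed on apply, and dropping a role key from the map removes all of its members. Now that the role list is derived solely from the map keys this is the only place a caller learns it, so I would extend the descriptions, e.g. `description = "Keyring IAM members keyed by role. Bindings are authoritative: members not listed for a role are removed on apply."` and `description = "IAM members keyed by key name and role. Bindings are authoritative: members not listed for a key and role are removed on apply."`.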
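Review bot: In the fixture's `variables.tf` the `key_iam_members` variable is still declared as `type = map(map(list(string)))` while the module now declares `map(map(set(string)))`, so the test exercises an implicit list-to-set conversion rather than the module's declared type; duplicate members in a test default would be silently collapsed rather than surfaced. Aligning the fixture, `type = map(map(set(string)))`, keeps the test input and the module contract the same. The variable's `default` continues outside the hunk, and the fixture's `iam_members` type is not visible here, so it may need the same alignment.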