diff --git a/modules/project/README.md b/modules/project/README.md
index 8000082e..099feb0d 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -177,6 +177,7 @@ module "project-host" {
| *prefix* | Prefix used to generate project id and name. | string
| | null
|
| *project_create* | Create project. When set to false, uses a data source to reference existing project. | bool
| | true
|
| *service_config* | Configure service API activation. | object({...})
| | ...
|
+| *service_encryption_key_ids* | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string))
| | {}
|
| *service_perimeter_bridges* | Name of VPC-SC Bridge perimeters to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | list(string)
| | null
|
| *service_perimeter_standard* | Name of VPC-SC Standard perimeter to add project into. Specify the name in the form of 'accessPolicies/ACCESS_POLICY_NAME/servicePerimeters/PERIMETER_NAME'. | string
| | null
|
| *services* | Service APIs to enable. | list(string)
| | []
|
diff --git a/modules/project/main.tf b/modules/project/main.tf
index c13e7bd3..80b8b7c3 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -65,7 +65,7 @@ locals {
if sink.iam && sink.type == type
}
}
- service_encryption_key_ids_flatten = flatten([
+ service_encryption_key_ids = flatten([
for service in keys(var.service_encryption_key_ids) : [
for key in var.service_encryption_key_ids[service] : {
service = service
@@ -367,7 +367,7 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
resource "google_kms_crypto_key_iam_member" "crypto_key" {
for_each = {
- for service_key in local.service_encryption_key_ids_flatten : "${service_key.service}.${service_key.key}" => service_key
+ for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
}
crypto_key_id = each.value.key
role = "roles/cloudkms.cryptoKeyEncrypter"
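Review bot: The `role` on the last context line of this hunk is `roles/cloudkms.cryptoKeyEncrypter`, which grants encrypt only. A service that stores data under a customer-managed key normally also has to decrypt it, so the binding driven by `service_encryption_key_ids` is likely too narrow to work. The line is not touched by this commit, but the commit now documents the variable as a public input, so consider `role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"` here. The resource body continues past the hunk, so `member` is not visible; confirm it resolves to the per-service agent identity and nothing broader. Separately, dropping the `_flatten` suffix leaves `local.service_encryption_key_ids` (a flat list of objects) and `var.service_encryption_key_ids` (a map of lists) sharing a name with different shapes, so a comment on the local such as `# flattened list of {service, key} pairs` would help.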