diff --git a/modules/kms/README.md b/modules/kms/README.md
index 98c5743e..67b98c18 100644
--- a/modules/kms/README.md
+++ b/modules/kms/README.md
@@ -16,7 +16,7 @@ In this module **no lifecycle blocks are set on resources to prevent destroy**,
module "kms" {
source = "../modules/kms"
project_id = "my-project"
- iam_members = {
+ iam = {
"roles/owner" = ["user:user1@example.com"]
}
keyring = { location = "europe-west1", name = "test" }
@@ -31,7 +31,7 @@ module "kms" {
module "kms" {
source = "../modules/kms"
project_id = "my-project"
- key_iam_members = {
+ key_iam = {
key-a = {
"roles/owner" = ["user:user1@example.com"]
}
@@ -72,8 +72,8 @@ module "kms" {
|---|---|:---: |:---:|:---:|
| keyring | Keyring attributes. | object({...})
| ✓ | |
| project_id | Project id where the keyring will be created. | string
| ✓ | |
-| *iam_members* | Keyring IAM members. | map(set(string))
| | {}
|
-| *key_iam_members* | IAM members keyed by key name and role. | map(map(set(string)))
| | {}
|
+| *iam* | Keyring IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string))
| | {}
|
+| *key_iam* | Key IAM bindings for topic in {KEY => {ROLE => [MEMBERS]}} format. | map(map(list(string)))
| | {}
|
| *key_purpose* | Per-key purpose, if not set defaults will be used. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | map(object({...}))
| | {}
|
| *key_purpose_defaults* | Defaults used for key purpose when not defined at the key level. If purpose is not `ENCRYPT_DECRYPT` (the default), `version_template.algorithm` is required. | object({...})
| | ...
|
| *keyring_create* | Set to false to manage keys and IAM bindings in an existing keyring. | bool
| | true
|
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index a6f4795f..ab3a61aa 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
@@ -16,7 +16,7 @@
locals {
key_iam_members = flatten([
- for key, roles in var.key_iam_members : [
+ for key, roles in var.key_iam : [
for role, members in roles : {
key = key
role = role
@@ -51,7 +51,7 @@ resource "google_kms_key_ring" "default" {
}
resource "google_kms_key_ring_iam_binding" "default" {
- for_each = var.iam_members
+ for_each = var.iam
key_ring_id = local.keyring.self_link
role = each.key
members = each.value
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index 1f104cdf..f0586910 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -14,15 +14,15 @@
* limitations under the License.
*/
-variable "iam_members" {
- description = "Keyring IAM members."
- type = map(set(string))
+variable "iam" {
+ description = "Keyring IAM bindings for topic in {ROLE => [MEMBERS]} format."
+ type = map(list(string))
default = {}
}
-variable "key_iam_members" {
- description = "IAM members keyed by key name and role."
- type = map(map(set(string)))
+variable "key_iam" {
+ description = "Key IAM bindings for topic in {KEY => {ROLE => [MEMBERS]}} format."
+ type = map(map(list(string)))
default = {}
}
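Review bot: The new descriptions on `variable "iam"` and `variable "key_iam"` say "bindings for topic", which reads like wording carried over from a Pub/Sub module; this module manages a KMS keyring and its keys, so the generated docs would mislead readers. Suggest `description = "Keyring IAM bindings in {ROLE => [MEMBERS]} format."` and `description = "Key IAM bindings in {KEY => {ROLE => [MEMBERS]}} format."`. The same "for topic" wording is repeated in the README table rows for *iam* and *key_iam* in the first file of this diff. Since the keyring variable feeds `google_kms_key_ring_iam_binding` (main.tf hunk), which like other `*_iam_binding` resources is presumably authoritative for each role, the description could also state that members not listed for a role are removed from the keyring, so operators do not unintentionally strip existing grants when adopting the renamed variable.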
diff --git a/tests/modules/kms/fixture/main.tf b/tests/modules/kms/fixture/main.tf
index 45fd119b..c58824f8 100644
--- a/tests/modules/kms/fixture/main.tf
+++ b/tests/modules/kms/fixture/main.tf
@@ -16,8 +16,8 @@
module "test" {
source = "../../../../modules/kms"
- iam_members = var.iam_members
- key_iam_members = var.key_iam_members
+ iam = var.iam
+ key_iam = var.key_iam
key_purpose = var.key_purpose
key_purpose_defaults = var.key_purpose_defaults
keyring = var.keyring
diff --git a/tests/modules/kms/fixture/variables.tf b/tests/modules/kms/fixture/variables.tf
index 04b77d84..65124e67 100644
--- a/tests/modules/kms/fixture/variables.tf
+++ b/tests/modules/kms/fixture/variables.tf
@@ -14,14 +14,14 @@
* limitations under the License.
*/
-variable "iam_members" {
+variable "iam" {
type = map(list(string))
default = {
"roles/owner" = ["user:ludo@ludomagno.net"]
}
}
-variable "key_iam_members" {
+variable "key_iam" {
type = map(map(list(string)))
default = {
key-a = {