Add support for Access Approval custom signing key

[johnethomas]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Access Approval has added support for custom signing keys, see the documentation here:
https://cloud.google.com/cloud-provider-access-management/access-approval/docs/review-approve-access-requests-custom-keys.
Adding this feature will allow full configuration of Access Approval through Terraform.

New or Affected Resource(s)

Existing affected resources:

• google_folder_access_approval_settings
• google_organization_access_approval_settings
• google_project_access_approval_settings

New data sources:

• google_access_approval_folder_service_account
• google_access_approval_organization_service_account
• google_access_approval_project_service_account

Potential Terraform Configuration

Potential configuration for an organization (project and folder should be similar)

data "google_access_approval_organization_service_account" "service_account" {
  organization_id = "123456789"
}

resource "google_kms_crypto_key_iam_member" "iam" {
  crypto_key_id = google_kms_crypto_key.crypto_key.id
  role          = "roles/cloudkms.signerVerifier"
  member        = "serviceAccount:${data.google_access_approval_organization_service_account.service_account.account_email}"
}

data "google_kms_crypto_key_version" "crypto_key_version" {
  crypto_key = google_kms_crypto_key.crypto_key.id
}

resource "google_organization_access_approval_settings" "<%= ctx[:primary_resource_id] %>" {
  organization_id     = "123456789"
  active_key_version  = data.google_kms_crypto_key_version.crypto_key_version.name

  enrolled_services {
  	cloud_product = "all"
  }

  depends_on = [google_kms_crypto_key_iam_member.iam]
}

[johnethomas]

I will be working on adding this feature

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.