Google CloudGoogle Cloud KMSgoogle_kms_crypto_key_iam_memberPro

How to Import an Google KMS Crypto Key IAM Member into Terraform

To import an existing Google KMS Crypto Key IAM Member into Terraform, scan it with Terraback and run terraback gcp import --method bulk. Terraback writes the matching google_kms_crypto_key_iam_member resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the crypto key path, role, and member separated by spaces: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key} {role} {member}".

Import Google KMS Crypto Key IAM Member with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Google Cloud KMS resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Google KMS Crypto Key IAM Member to managed Terraform.

1

Scan your Google Cloud account

terraback scan all gcp --project my-gcp-project
2

Generate import blocks and import into state

terraback gcp import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = google_kms_crypto_key_iam_member.encrypter
  id = "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key roles/cloudkms.cryptoKeyEncrypterDecrypter serviceAccount:app@my-project.iam.gserviceaccount.com"
}

Example google_kms_crypto_key_iam_member configuration

Here is a realistic Google KMS Crypto Key IAM Member block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "google_kms_crypto_key_iam_member" "encrypter" {
  crypto_key_id = google_kms_crypto_key.main.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:app@my-project.iam.gserviceaccount.com"
}

Gotchas when importing a Google KMS Crypto Key IAM Member

  • An iam_member is additive (non-authoritative): it grants the role to one member without touching other members, so it is the safe choice when bindings are managed elsewhere.
  • Use google_kms_crypto_key_iam_binding instead only when you want one resource to own the entire member list for a role.
  • The import ID is three space-separated parts: the full cryptoKeys path, the role, and the single member.
  • The member string must include its type prefix, for example serviceAccount:, user:, or group:.

Doing it manually with terraform import

The native approach is to write the google_kms_crypto_key_iam_member block by hand, then run terraform import google_kms_crypto_key_iam_member.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole Google Cloud account in minutes

Terraback scans 80+ Google Cloud resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.