add conditions to kms iam #2841

Merged
merged 4 commits into from
Dec 17, 2019


danawillow
Contributor

Part of hashicorp/terraform-provider-google#2909.

I opted not to generate these because the generated forms aren't compatible with the current forms: a generated cryptoKey iam resource, for example, would add a required field key_ring_id, and if we update the base_url so that the crypto_key_id represents the full self link, we would lose the import forms that we currently get.

Release Note Template for Downstream PRs (will be copied)

kms: added support for IAM Conditions to the `google_kms_key_ring_iam_*` and `google_kms_crypto_key_iam_*` resources (beta provider only)
`google_kms_key_ring_iam_*` and `google_kms_crypto_key_iam_*` resources now support IAM Conditions (beta provider only). If any conditions had been created out of band before this release, take extra care to ensure they are present in your Terraform config so the provider doesn't try to create new bindings with no conditions. Terraform will show a diff that it is adding the condition to the resource, which is safe to apply. 
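
The release note's caveat about out-of-band conditions can be checked before upgrading. The following is an added example, not code from this PR or the provider: it compares a key's live IAM policy with the bindings a Terraform config declares and lists the conditional bindings the config does not carry. The function names, the `declared` tuple format and the sample policy are assumptions constructed for illustration.

```python
# Constructed sample in the shape returned by
# `gcloud kms keys get-iam-policy ... --format=json` (policy version 3).
LIVE_POLICY = {
    "version": 3,
    "etag": "CONSTRUCTED-ETAG",
    "bindings": [
        {
            "role": "roles/cloudkms.cryptoKeyEncrypter",
            "members": ["user:jane@example.com"],
            "condition": {
                "title": "expires_2020",
                "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
            },
        },
        {
            "role": "roles/cloudkms.cryptoKeyDecrypter",
            "members": ["serviceAccount:app@example.iam.gserviceaccount.com"],
        },
    ],
}


def condition_key(cond):
    """Normalise a condition object to a comparable tuple; None if absent."""
    if not cond:
        return None
    return (cond.get("title", ""), cond.get("description", ""),
            cond.get("expression", ""))


def flatten(policy):
    """Yield (role, member, condition_key) for every member of every binding."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield (binding["role"], member,
                   condition_key(binding.get("condition")))


def undeclared_conditions(policy, declared):
    """Live conditional bindings missing from config, as
    (role, member, condition, declared_without_condition)."""
    declared = set(declared)
    return sorted(
        (role, member, cond, (role, member, None) in declared)
        for role, member, cond in flatten(policy)
        if cond is not None and (role, member, cond) not in declared
    )
```

A result row whose last field is `True` is the case the release note warns about: the config declares the same role and member with no condition, so the provider would create a second, unconditioned binding.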

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 22ae502.

Pull request statuses

No diff detected in terraform-google-conversion.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#1524
depends: hashicorp/terraform-provider-google#5200

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 4e5875e.

Pull request statuses

terraform-provider-google-beta already has an open PR.
No diff detected in terraform-google-conversion.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.


@danawillow danawillow requested a review from slevenick December 17, 2019 01:00
Contributor

@slevenick slevenick left a comment

Makes sense to not generate this at this point due to the parseKmsCryptoKeyId usage

p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).Do()
<% else -%>
p, err := u.Config.clientKms.Projects.Locations.KeyRings.GetIamPolicy(u.resourceId).OptionsRequestedPolicyVersion(iamPolicyVersion).Do()
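
Review bot: The first `GetIamPolicy(u.resourceId).Do()` call, in the branch before `<% else -%>`, reads the key ring policy without `OptionsRequestedPolicyVersion`, and nothing in these lines documents why that branch is exempt. Add a short comment above it naming which provider version takes that branch and stating that it is not expected to handle conditional bindings, so a later reader does not treat the missing option as an oversight.
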
Contributor

Do we not need a similar change to the SetIamPolicy calls? Maybe not because the policy would have the policy version attached by that point?

Contributor Author

It's already there in the resource_iam_*.go files

With IAM Conditions ([beta](https://terraform.io/docs/providers/google/provider_versions.html)):
```hcl
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = "your-crypto-key-id"
Contributor

Keep this consistent with the longer form?
crypto_key_id = "my-gcp-project/us-central1/my-key-ring/my-crypto-key"

Contributor Author

Updated the docs to use more full examples that reference other resources instead of spelling out the ids

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 0918780.

Pull request statuses

terraform-provider-google-beta already has an open PR.
No diff detected in terraform-google-conversion.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

danawillow and others added 4 commits December 17, 2019 23:16
@modular-magician modular-magician merged commit 008247d into GoogleCloudPlatform:master Dec 17, 2019
@danawillow danawillow deleted the kms-iam branch December 17, 2019 23:18
4 participants