Nested Loops with google provider

Hello I am using google provider to create projects

Runtime Input for project creation is like -

project_attributes = {
  "project_3" = {
    "cos"               = "dev"
    "region"            = ["us-central1","asia-south1"]
    "billing_account"   = 1234
    "org_id"            = 123

   "project_4" = {
     "cos"               = "dev"
     "region"            = ["us-central1","europe-west1"]
     "billing_account"   = 1234
     "org_id"            = 123

Another variable map is for cmek_keys based on cos and region passed in project_attributes it will return the key to use.

cmek_keys = {
  "prod" = {
    "us-central1" = "key_prod_us-central1",
    "asia-south1" = "key_prod_asia-south1",
  "dev" = {
    "us-central1" = "key_dev_us-central1",
    "asia-south1" = "key_dev_asia-south1",
    "europe-west2" = "key_dev_europe-west2",


Problem is region in project_attributes i want to be as a list , i want to make sure this resource below runs for all regions, giving acccess to keys in all different regions.

I am able to run this resource below when region is just a string

resource "google_kms_crypto_key_iam_member" "cmek_auth_permissions" {
  for_each = var.project_attributes
  crypto_key_id = var.cmek_keys[each.value["cos"]][each.value["region"]]
  role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member = "serviceAccount:service-${google_project.project[each.key].number}"

What would be the best to do this , making sure my input given is concise .

Hi @riteshnanda09!

A good building block for this sort of situation is to use the flatten function to reduce your nested structure into a flat structure so that each element corresponds to one instance of google_kms_crypto_key_iam_member.cmek_auth_permissions.

I usually do this in two steps, doing the flattening first as a named local value:

local {
  project_regions = toset(flatten([
    for n, p in var.project_attributes : [
      for r in p.region : {
        project = n
        region  = r
        cos     = p.cos
        key_id  = var.cmek_keys[p.cos][p.region]

The nested for expressions produce a list of lists of objects, and then flatten reduces that into a single list of objects. Then I used toset just to be explicit that the ordering of this result isn’t significant and so it isn’t meaningful to use it as a list.

for_each requires a map where each object has a unique key though, so we’ll need to do one more transform in the for_each argument to meet that requirement:

resource "google_kms_crypto_key_iam_member" "cmek_auth_permissions" {
  for_each = {
    for pr in local.project_regions : "${pr.project}.${pr.region}" => pr

  crypto_key_id = each.value.key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${google_project.project[each.value.project].number}"

This will produce instances with addresses like google_kms_crypto_key_iam_member.cmek_auth_permissions[""], so Terraform can track which instance belongs to each pairing of project and region.

Perfect @apparentlymart works like a charm .