Hi,
We are trying to build a Terraform script that attaches a policy (which contains a list of "xyzAccountId-role"s in the principals > identifiers section, where xyzAccountId is a dynamic value) to a customer-managed KMS key.
In the initial run/deployment the policy is able to create the aws_kms_key_policy (xyzAccountId-role, e.g. 12345-role) for the KMS key, but when there is a change in the xyzAccountId value (e.g. 98765), the policy is getting replaced with the new xyzAccountId (e.g. 98765) value instead of appending it.
Can someone please help with this scenario?
Scenario: whenever there is a change in xyzAccountId, the new value should be concatenated with / appended to the existing policy.
The script used is:
data "aws_iam_policy_document" "kms_decrypt_policy_doc" {
  statement {
    sid    = "policy to Allow use of the key"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [
        "arn:aws:iam::${var.xyzAccountId}:role/${var.GUID}-snapshot-role",
        "arn:aws:iam::${var.xyzAccountId2}:role/${var.CloudKGUID}-snapshot-role"
      ]
    }
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey*"
    ]
    resources = ["*"]
  }
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.xyzAccountId}:root"]
    }
    # kms:* for an account root is full control of the key; this statement
    # normally names the key-owning account, not an external one.
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_key_policy" "kms_decrypt_policy" {
  # depends_on is redundant here: key_id already references the data source.
  depends_on = [data.aws_kms_key.es_kms_key]
  key_id     = data.aws_kms_key.es_kms_key.key_id
  policy     = data.aws_iam_policy_document.kms_decrypt_policy_doc.json
}
Can someone please help with this?
Thanks in advance.
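An added example, not from the original post and not Terraform: aws_kms_key_policy always writes exactly what the rendered document contains, so "appending" has to happen before the document is rendered. Either every account ID lives in a list(string) variable that the principals block iterates over, or the live policy is read (for example with `aws kms get-key-policy --key-id <id> --policy-name default --query Policy --output text`) and merged with the new role ARN. The script below does that merge: it finds the statement by Sid, adds the new role ARN to its principals without dropping the existing ones, is safe to run repeatedly, and refuses anything that is not a role ARN so a typo cannot widen the grant to a root principal or "*". The Sid, the 12-digit account IDs and the helper names are assumptions; the embedded policy is constructed sample data, not a real key's policy.

```python
"""Merge a new role principal into an existing KMS key policy document.

Added example (not the original poster's code). The policy JSON is assumed
to be the output of `aws kms get-key-policy ... --query Policy --output text`
or the Terraform-rendered document; statements are located by their Sid.
"""
import json
import re

# Only IAM role ARNs are accepted as new principals (no root, no "*").
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Constructed sample: the policy as it sits on the key after the first apply.
EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "policy to Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/12345-snapshot-role"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
})


def snapshot_role_arn(account_id: str, guid: str) -> str:
    """Build the role ARN the same way the Terraform document does."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{guid}-snapshot-role"


def _as_list(value):
    """A single principal is serialised as a bare string; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def principals_for(policy_json: str, sid: str):
    """Return the AWS principals of the statement carrying sid (empty if absent)."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Sid") == sid:
            return _as_list(stmt["Principal"]["AWS"])
    return []


def append_principals(policy_json: str, sid: str, new_arns) -> str:
    """Return policy JSON with new_arns added to the statement carrying sid.

    Existing principals are kept, duplicates are skipped, other statements are
    untouched, and non-role ARNs are rejected rather than silently granted.
    """
    policy = json.loads(policy_json)
    target = next((s for s in policy["Statement"] if s.get("Sid") == sid), None)
    if target is None:
        raise KeyError(f"no statement with Sid {sid!r}")
    if not isinstance(target.get("Principal"), dict) or "AWS" not in target["Principal"]:
        raise ValueError(f"statement {sid!r} has no AWS principal to extend")

    principals = _as_list(target["Principal"]["AWS"])
    for arn in new_arns:
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"refusing non-role principal {arn!r}")
        if arn not in principals:
            principals.append(arn)
    target["Principal"]["AWS"] = principals
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Second account (98765 in the question) arrives; merge instead of replace.
    merged = append_principals(
        EXISTING_POLICY,
        "policy to Allow use of the key",
        [snapshot_role_arn("222222222222", "98765")],
    )
    print(merged)
```

Feed the merged JSON back through aws_kms_key_policy (or `aws kms put-key-policy`); running the script again with the same ARN is a no-op, and the root statement is never touched.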