
Support setting role roles/cloudkms.cryptoKeyEncrypterDecrypter #188

@InvoluntaryG17HubUser

Description

TL;DR

Provide the possibility to add the roles/cloudkms.cryptoKeyEncrypterDecrypter role to service accounts.

Terraform Resources

variable "gcp_project_no" {
  description = "Numeric project number, used to build the Artifact Registry service agent email"
  type        = string
}

module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 4.1"

  project_id = "1234"       # placeholder project ID
  location   = "us-east1"   # Cloud KMS location ID; "us-east-1" is an AWS-style name and is not a valid GCP location
  keyring    = "test-keyring"
  keys       = ["test-cmek"]

  # Artifact Registry's service agent needs to both wrap and unwrap data keys with this CMEK
  set_decrypters_for = ["test-cmek"]
  decrypters         = ["serviceAccount:service-${var.gcp_project_no}@gcp-sa-artifactregistry.iam.gserviceaccount.com"]

  set_encrypters_for = ["test-cmek"]
  encrypters         = ["serviceAccount:service-${var.gcp_project_no}@gcp-sa-artifactregistry.iam.gserviceaccount.com"]

  key_protection_level = "SOFTWARE"
  key_algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
}

Detailed design

TBA.

Additional information

I stumbled upon the need to specifically set roles/cloudkms.cryptoKeyEncrypterDecrypter for the Artifact Registry service account, since it seems that the API is just checking for the aforementioned role, and does not care whether roles/cloudkms.cryptoKeyDecrypter and roles/cloudkms.cryptoKeyEncrypter are both set.

I would provide an MR if this feature is wanted.
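As an added example (not part of the issue above and not code from the kms module), here is how the combined role can be granted today by binding it directly on the key the module creates, and how the grant is ordered before the Artifact Registry repository that uses the CMEK. It assumes a `project_id` input variable, that the module exposes a `keys` output mapping key name to crypto key ID (as terraform-google-modules/kms does), and the repository name `cmek-docker`; the claim that Artifact Registry checks for the combined role rather than the two split roles is the issue author's observation.

```hcl
variable "project_id" {
  description = "Project ID that hosts the keyring and the Artifact Registry repository (assumed input)"
  type        = string
}

# Look up the project number so the service agent email does not have to be hardcoded.
data "google_project" "this" {
  project_id = var.project_id
}

module "kms" {
  source  = "terraform-google-modules/kms/google"
  version = "~> 4.1"

  project_id = var.project_id
  location   = "us-east1"
  keyring    = "test-keyring"
  keys       = ["test-cmek"]

  key_protection_level = "SOFTWARE"
  key_algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
}

locals {
  # Artifact Registry's per-project service agent, derived from the project number.
  artifactregistry_agent = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

# Per the issue, Artifact Registry checks for the combined role, so grant that one.
# Bind it on the single key (not the keyring or project) to keep the grant least-privilege.
# Assumes module.kms.keys["test-cmek"] is the key's full resource ID.
resource "google_kms_crypto_key_iam_member" "artifactregistry_cmek" {
  crypto_key_id = module.kms.keys["test-cmek"]
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = local.artifactregistry_agent
}

# Repository that uses the CMEK. depends_on makes the IAM grant exist before
# Artifact Registry validates access to the key at repository creation time.
resource "google_artifact_registry_repository" "docker" {
  project       = var.project_id
  location      = "us-east1"
  repository_id = "cmek-docker"   # assumed name
  format        = "DOCKER"
  kms_key_name  = module.kms.keys["test-cmek"]

  depends_on = [google_kms_crypto_key_iam_member.artifactregistry_cmek]
}
```

After `terraform apply`, the effective binding can be checked with `gcloud kms keys get-iam-policy test-cmek --keyring test-keyring --location us-east1 --project PROJECT_ID`; the service agent should appear under `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key itself. Using `google_kms_crypto_key_iam_member` rather than `_policy` or `_binding` keeps the module's own encrypter/decrypter bindings intact if they are also set.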

Metadata

Assignees: No one assigned

Labels: enhancement (New feature or request)