feat(api-key): add custom_grants support for multi-NRN grants

nullplatform/api_key/locals.tf

@@ -1,6 +1,6 @@
 locals {
-  nrn_without_namespace = join(":", slice(split(":", var.nrn), 0, 2))
-  nrn_parts             = { for part in split(":", var.nrn) : split("=", part)[0] => split("=", part)[1] }
+  nrn_without_namespace = var.nrn != null ? join(":", slice(split(":", var.nrn), 0, 2)) : null
+  nrn_parts             = var.nrn != null ? { for part in split(":", var.nrn) : split("=", part)[0] => split("=", part)[1] } : {}
   nrn_tags = [
     for key in ["organization", "account", "namespace"] : {
       key   = key
@@ -44,7 +44,7 @@ locals {
 
   config = local.configs[var.type]
 
-  grants = [
+  grants = length(var.custom_grants) > 0 ? var.custom_grants : [
     for slug in local.config.role_slugs : {
       nrn       = local.nrn_without_namespace
       role_slug = slug

nullplatform/api_key/main.tf

@@ -30,8 +30,28 @@ resource "nullplatform_api_key" "this" {
     }
 
     precondition {
-      condition     = var.type != "custom" || length(var.custom_role_slugs) > 0
-      error_message = "custom_role_slugs must have at least 1 role when type is 'custom'"
+      condition     = var.type != "custom" || length(var.custom_role_slugs) > 0 || length(var.custom_grants) > 0
+      error_message = "custom_role_slugs or custom_grants must have at least 1 entry when type is 'custom'"
+    }
+
+    precondition {
+      condition     = var.type == "custom" || var.nrn != null
+      error_message = "nrn is required for predefined types (agent, scope_notification, service_notification)"
+    }
+
+    precondition {
+      condition     = var.type != "custom" || length(var.custom_grants) == 0 || var.nrn == null
+      error_message = "when using custom_grants, do not set nrn — define the NRN per grant entry instead"
+    }
+
+    precondition {
+      condition     = var.type != "custom" || length(var.custom_grants) == 0 || length(var.custom_role_slugs) == 0
+      error_message = "use either custom_role_slugs or custom_grants, not both"
+    }
+
+    precondition {
+      condition     = !contains(["scope_notification", "service_notification"], var.type) || (var.specification_slug != null && var.specification_slug != "")
+      error_message = "specification_slug is required for scope_notification and service_notification types"
     }
   }
 }

nullplatform/api_key/variables.tf

@@ -13,8 +13,9 @@ variable "type" {
 }
 
 variable "nrn" {
-  description = "Nullplatform Resource Name (e.g., organization=123:account=456:namespace=789)"
+  description = "Nullplatform Resource Name (e.g., organization=123:account=456:namespace=789). Required for predefined types (agent, scope_notification, service_notification). Optional for custom type when using custom_grants."
   type        = string
+  default     = null
 }
 
 variable "specification_slug" {
@@ -34,11 +35,20 @@ variable "custom_name" {
 }
 
 variable "custom_role_slugs" {
-  description = "List of role slugs to assign (required when type is 'custom', must have at least 1)"
+  description = "List of role slugs to assign using the module-level NRN (used when type is 'custom' and custom_grants is empty)"
   type        = list(string)
   default     = []
 }
 
+variable "custom_grants" {
+  description = "List of grants with explicit NRN and role_slug pairs. Allows assigning different NRNs per grant (used when type is 'custom')."
+  type = list(object({
+    nrn       = string
+    role_slug = string
+  }))
+  default = []
+}
+
 variable "custom_tags" {
   description = "Additional tags to apply to the API key (optional, only used when type is 'custom')"
   type = list(object({