使用tf 0.12+从output.tf继承具有条件资源的值

我在GCP中有一个服务帐户模块，用于填充kubernetes机密

这是我的模块

resource "google_service_account" "service_account" {
count        = var.enabled ? 1 : 0
account_id   = var.account_id
display_name = var.display_name
}
resource "google_project_iam_member" "service_account_roles" {
count  = var.enabled ? length(var.roles) : 0
role   = "roles/${element(var.roles, count.index)}"
member = "serviceAccount:${google_service_account.service_account[0].email}"
}
resource "google_service_account_key" "service_account_key" {
count              = var.enabled ? 1 : 0
service_account_id = google_service_account.service_account[0].name
}

"output.tf"包含以下

output "private_decoded_key" {
value = base64decode(
element(
concat(
google_service_account_key.service_account_key.*.private_key,
[""],
),
0,
),
)
description = "The base 64 decoded version of the credentials"
}

由于有一个条件，即这些资源都不能在没有enabled标志的情况下创建，因此我不得不在tf0.11.14中以这种方式处理它，而tf0.12自动升级工具在这里没有做太多更改。

我如何在Terraform 0.12.24中简化它，我试着将输出修改为简单的

value = base64decode(google_service_account_key.service_account_key[0].private_key)

但问题是，如果相应的kubernetes集群在删除过程中被删除，并且由于地形而中途出现错误，我将无法使用`地形摧毁

如下所示，尝试将count转换为for_each时出现以下错误

resource "google_service_account" "service_account" {
# count        = var.enabled ? 1 : 0
for_each     = var.enabled ? 1 : 0
account_id   = var.account_id
display_name = var.display_name
}
resource "google_project_iam_member" "service_account_roles" {
# count  = var.enabled ? length(var.roles) : 0
for_each = var.enabled ? toset(var.roles) : 0
# role   = "roles/${element(var.roles, count.index)}"
role     = "roles/${each.value}" 
member   = "serviceAccount:${google_service_account.service_account[0].email}"
}

for_each = var.enabled ? toset(var.roles) : 0
The true and false result expressions must have consistent types. The given
expressions are set of dynamic and number, respectively.

我上面做错了什么？