Comment 1 for bug 1475091

> So far, most other Keystone DBMS objects (tables) have a name, which Puppet has been able to use to identify resources.

Or, for example, keystone_user_role works like the following::

    keystone_user_role { 'username@projectname':
      roles => ['admin', 'manager'],
    }

The name is easily constructed from the username and projectname, and provides a mapping back to the role assignment list where it uniquely identifies the role assignment.

I'm not sure how it is possible to do this with trusts.