diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
index acdfa02d7..446d26bfe 100644
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@@ -72,17 +72,37 @@ module "secret-manager" {
}
# tftest modules=1 resources=5 inventory=versions.yaml
```
+
+### Secret with customer managed encryption key
+
+Secrets will be used if an encryption key is set in the `encryption_key` variable for the secret region.
+
+```hcl
+module "secret-manager" {
+ source = "./fabric/modules/secret-manager"
+ project_id = "my-project"
+ secrets = {
+ test-encryption = ["europe-west1", "europe-west4"]
+ }
+ encryption_key = {
+ europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
+ europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
+ }
+}
+# tftest modules=1 resources=1
+```
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L29) | Project id where the keyring will be created. | string | ✓ | |
-| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
-| [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string)) | | {} |
-| [secrets](variables.tf#L34) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | map(list(string)) | | {} |
-| [versions](variables.tf#L40) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
+| [project_id](variables.tf#L35) | Project id where the keyring will be created. | string | ✓ | |
+| [encryption_key](variables.tf#L17) | Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. | map(string) | | null |
+| [iam](variables.tf#L23) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
+| [labels](variables.tf#L29) | Optional labels for each secret. | map(map(string)) | | {} |
+| [secrets](variables.tf#L40) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | map(list(string)) | | {} |
+| [versions](variables.tf#L46) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
## Outputs
diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf
index ed0af26bf..73932b5e0 100644
--- a/modules/secret-manager/main.tf
+++ b/modules/secret-manager/main.tf
@@ -36,7 +36,6 @@ locals {
}
resource "google_secret_manager_secret" "default" {
- provider = google-beta
for_each = var.secrets
project = var.project_id
secret_id = each.key
@@ -59,6 +58,12 @@ resource "google_secret_manager_secret" "default" {
iterator = location
content {
location = location.value
+ dynamic "customer_managed_encryption" {
+ for_each = try(var.encryption_key[location.value] != null ? [""] : [], [])
+ content {
+ kms_key_name = var.encryption_key[location.value]
+ }
+ }
}
}
}
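Review bot: The `try()` around the `for_each` of the new `customer_managed_encryption` block silently drops CMEK for any replica location missing from `encryption_key` (or when the map is `null`), so a secret declared with two locations and one key gets one Google-managed replica with no plan-time error — at odds with the variable's "A key must be provided for all replica locations" contract. Making the lookup fail closed is a one-line change, `for_each = var.encryption_key == null ? [] : [""]`, since `var.encryption_key[location.value]` on the next line then errors at plan time for a missing location; a `lifecycle { precondition }` on the resource would give a clearer message if the module's Terraform version allows it. I would also add a comment at the dynamic block that the Secret Manager service agent needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on each key, which this module does not appear to grant. The `google_secret_manager_secret.default` resource starts outside the hunk, and the automatic-replication path mentioned in the `secrets` description is not visible here, so whether it gets CMEK cannot be confirmed.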
diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf
index f8ed11116..7d7b52848 100644
--- a/modules/secret-manager/variables.tf
+++ b/modules/secret-manager/variables.tf
@@ -14,6 +14,12 @@
* limitations under the License.
*/
+variable "encryption_key" {
+ description = "Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations."
+ type = map(string)
+ default = null
+}
+
variable "iam" {
description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format."
type = map(map(list(string)))
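Review bot: The new `encryption_key` variable carries the "A key must be provided for all replica locations" rule only in its description; nothing validates the values, and they are full KMS key resource names (`projects/.../cryptoKeys/...`, as the README example shows) rather than self links, so the description is also slightly misleading. A `validation` block on the variable can at least enforce the resource-name format and that each map key matches the key's `locations/` segment, which I believe Secret Manager requires for a replica's CMEK key — confirm against the API docs before relying on it. Checking that every replica location is covered needs `var.secrets` and so cannot live in a variable validation on older Terraform; that belongs in a resource precondition. I would reword the description to `Full resource names of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations.` and add the validation below, assuming the module's minimum Terraform version provides `alltrue`.
```hcl
variable "encryption_key" {
  description = "Full resource names of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations."
  type        = map(string)
  default     = null
  validation {
    condition = var.encryption_key == null || alltrue([
      for location, key in var.encryption_key :
      can(regex("^projects/[^/]+/locations/${location}/keyRings/[^/]+/cryptoKeys/[^/]+$", key))
    ])
    error_message = "Each value must be a KMS key resource name whose location matches its map key."
  }
}
```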