Add CMEK to vertexai IndexEndpoint (#15214)

Author: drastiq

mmv1/products/vertexai/IndexEndpoint.yaml

@@ -47,8 +47,10 @@ examples:
     primary_resource_id: 'index_endpoint'
     vars:
       network_name: 'network-name'
+      kms_key_name: 'kms-name'
     test_vars_overrides:
       'network_name': 'acctest.BootstrapSharedServiceNetworkingConnection(t, "vpc-network-1")'
+      'kms_key_name': 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
     exclude_docs: true
   - name: 'vertex_ai_index_endpoint_with_psc'
     primary_resource_id: 'index_endpoint'
@@ -137,3 +139,19 @@ properties:
     type: String
     description: If publicEndpointEnabled is true, this field will be populated with the domain name to use for this index endpoint.
     output: true
+  - name: 'encryptionSpec'
+    type: NestedObject
+    description:
+      Customer-managed encryption key spec for an IndexEndpoint. If set, this IndexEndpoint and all sub-resources of this IndexEndpoint will be secured by this key.
+    immutable: true
+    properties:
+      - name: 'kmsKeyName'
+        type: String
+        description:
+          'Required. The Cloud KMS resource identifier of the customer managed
+          encryption key used to protect a resource. Has the form:
+          `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`.
+          The key needs to be in the same region as where the compute resource
+          is created.'
+        required: true
+        immutable: true

mmv1/templates/terraform/examples/vertex_ai_index_endpoint_test.tf.tmpl

@@ -1,3 +1,13 @@
+resource "google_project_service_identity" "vertexai_sa" {
+  service = "aiplatform.googleapis.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "vertexai_encrypterdecrypter" {
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        =  google_project_service_identity.vertexai_sa.member
+}
+
 resource "google_vertex_ai_index_endpoint" "{{$.PrimaryResourceId}}" {
   display_name = "sample-endpoint"
   description  = "A sample vertex endpoint"
@@ -6,6 +16,14 @@ resource "google_vertex_ai_index_endpoint" "{{$.PrimaryResourceId}}" {
     label-one = "value-one"
   }
   network      = "projects/${data.google_project.project.number}/global/networks/${data.google_compute_network.vertex_network.name}"
+
+  encryption_spec {
+    kms_key_name = "{{index $.Vars "kms_key_name"}}"
+  }
+
+  depends_on = [
+    google_kms_crypto_key_iam_member.vertexai_encrypterdecrypter,
+  ]
 }
 
 data "google_compute_network" "vertex_network" {