Add encryptionSpec for vertex_ai_index (#15144)

Author: drastiq

mmv1/products/vertexai/Index.yaml

@@ -43,8 +43,11 @@ examples:
     vars:
       display_name: 'test-index'
       bucket_name: 'vertex-ai-index-test'
+      kms_key_name: 'kms-name'
     test_env_vars:
       project: 'PROJECT_NAME'
+    test_vars_overrides:
+      'kms_key_name': 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
     ignore_read_extra:
       - 'metadata.0.contents_delta_uri'
       - 'metadata.0.is_complete_overwrite'
@@ -53,8 +56,11 @@ examples:
     vars:
       display_name: 'test-index'
       bucket_name: 'vertex-ai-index-test'
+      kms_key_name: 'kms-name'
     test_env_vars:
       project: 'PROJECT_NAME'
+    test_vars_overrides:
+      'kms_key_name': 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
     ignore_read_extra:
       - 'metadata.0.contents_delta_uri'
       - 'metadata.0.is_complete_overwrite'
@@ -253,3 +259,19 @@ properties:
       * STREAM_UPDATE: user can call indexes.upsertDatapoints/DeleteDatapoints to update the Index and the updates will be applied in corresponding DeployedIndexes in nearly real-time.
     immutable: true
     default_value: "BATCH_UPDATE"
+  - name: 'encryptionSpec'
+    type: NestedObject
+    description:
+      Customer-managed encryption key spec for an Index. If set, this Index and all sub-resources of this Index will be secured by this key.
+    immutable: true
+    properties:
+      - name: 'kmsKeyName'
+        type: String
+        description:
+          'Required. The Cloud KMS resource identifier of the customer managed
+          encryption key used to protect a resource. Has the form:
+          `projects/my-project/locations/my-region/keyRings/my-kr/cryptoKeys/my-key`.
+          The key needs to be in the same region as where the compute resource
+          is created.'
+        required: true
+        immutable: true

mmv1/templates/terraform/examples/vertex_ai_index.tf.tmpl

@@ -1,3 +1,7 @@
+resource "google_project_service_identity" "vertexai_sa" {
+  service = "aiplatform.googleapis.com"
+}
+
 resource "google_storage_bucket" "bucket" {
   name     = "{{index $.Vars "bucket_name"}}"
   location = "us-central1"
@@ -15,6 +19,12 @@ resource "google_storage_bucket_object" "data" {
 EOF
 }
 
+resource "google_kms_crypto_key_iam_member" "vertexai_encrypterdecrypter" {
+  crypto_key_id = "{{index $.Vars "kms_key_name"}}"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        =  google_project_service_identity.vertexai_sa.member
+}
+
 resource "google_vertex_ai_index" "index" {
   labels = {
     foo = "bar"
@@ -37,5 +47,12 @@ resource "google_vertex_ai_index" "index" {
       }
     }
   }
+  encryption_spec {
+  kms_key_name = "{{index $.Vars "kms_key_name"}}"
+  }
   index_update_method = "BATCH_UPDATE"
+
+  depends_on = [
+  google_kms_crypto_key_iam_member.vertexai_encrypterdecrypter,
+  ]
 }