Add new encryption_spec field (#15068)

rohanchawla23 · web-flow · commit a71440718aca · 2025-09-09T20:08:50.000Z
diff --git a/mmv1/products/privateca/CaPool.yaml b/mmv1/products/privateca/CaPool.yaml
@@ -58,6 +58,11 @@ examples:
     primary_resource_id: 'default'
     vars:
       name: 'my-pool'
+      pool_location: 'asia-east1'
+      cloud_kms_key: 'projects/keys-project/locations/asia-east1/keyRings/key-ring/cryptoKeys/crypto-key'
+    test_vars_overrides:
+      'pool_location': '"asia-east1"'
+      'cloud_kms_key': 'acctest.BootstrapKMSKeyWithPurposeInLocation(t, "ENCRYPT_DECRYPT", "asia-east1").CryptoKey.Name'
   - name: 'privateca_quickstart'
     primary_resource_id: 'default'
     vars:
@@ -507,3 +512,17 @@ properties:
 
       An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
       "1.3kg", "count": "3" }.
+  - name: 'encryptionSpec'
+    type: NestedObject
+    description: |
+      Used when customer would like to encrypt data at rest. The customer-provided key will be used
+      to encrypt the Subject, SubjectAltNames and PEM-encoded certificate fields. When unspecified,
+      customer data will remain unencrypted.
+    immutable: true
+    properties:
+      - name: 'cloudKmsKey'
+        type: String
+        description: |
+          The resource name for an existing Cloud KMS key in the format
+          `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
+        immutable: true
diff --git a/mmv1/templates/terraform/examples/privateca_capool_all_fields.tf.tmpl b/mmv1/templates/terraform/examples/privateca_capool_all_fields.tf.tmpl
@@ -1,6 +1,16 @@
+resource "google_project_service_identity" "privateca_sa" {
+  service = "privateca.googleapis.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_encrypterdecrypter" {
+  crypto_key_id = "{{index $.Vars "cloud_kms_key"}}"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member = google_project_service_identity.privateca_sa.member
+}
+
 resource "google_privateca_ca_pool" "{{$.PrimaryResourceId}}" {
   name = "{{index $.Vars "name"}}"
-  location = "us-central1"
+  location = "{{index $.Vars "pool_location"}}"
   tier = "ENTERPRISE"
   publishing_options {
     publish_ca_cert = false
@@ -10,6 +20,9 @@ resource "google_privateca_ca_pool" "{{$.PrimaryResourceId}}" {
   labels = {
     foo = "bar"
   }
+  encryption_spec {
+    cloud_kms_key = "{{index $.Vars "cloud_kms_key"}}"
+  }
   issuance_policy {
     allowed_key_types {
       elliptic_curve {
@@ -87,4 +100,8 @@ resource "google_privateca_ca_pool" "{{$.PrimaryResourceId}}" {
       }
     }
   }
+
+  depends_on = [
+    google_kms_crypto_key_iam_member.privateca_sa_keyuser_encrypterdecrypter,
+  ]
 }
