diff --git a/google-beta/resource_sql_database_instance.go b/google-beta/resource_sql_database_instance.go
index df4417a14c..47812d061c 100644
--- a/google-beta/resource_sql_database_instance.go
+++ b/google-beta/resource_sql_database_instance.go
@@ -328,6 +328,14 @@ func resourceSqlDatabaseInstance() *schema.Resource {
 ForceNew: true,
 },
+ "encryption_key_name": {
+ Type: schema.TypeString,
+ Optional: true,
+ // Property only valid for second-gen.
+ Computed: true,
+ ForceNew: true,
+ },
+
 "root_password": {
 Type: schema.TypeString,
 Optional: true,
@@ -581,6 +589,11 @@ func resourceSqlDatabaseInstanceCreate(d *schema.ResourceData, meta interface{})
 mutexKV.Lock(instanceMutexKey(project, instance.MasterInstanceName))
 defer mutexKV.Unlock(instanceMutexKey(project, instance.MasterInstanceName))
 }
+ if k, ok := d.GetOk("encryption_key_name"); ok {
+ instance.DiskEncryptionConfiguration = &sqladmin.DiskEncryptionConfiguration{
+ KmsKeyName: k.(string),
+ }
+ }
 var op *sqladmin.Operation
 err = retryTimeDuration(func() (operr error) {
@@ -816,6 +829,9 @@ func resourceSqlDatabaseInstanceRead(d *schema.ResourceData, meta interface{}) e
 if err := d.Set("settings", flattenSettings(instance.Settings)); err != nil {
 log.Printf("[WARN] Failed to set SQL Database Instance Settings")
 }
+ if instance.DiskEncryptionConfiguration != nil {
+ d.Set("encryption_key_name", instance.DiskEncryptionConfiguration.KmsKeyName)
+ }
 if err := d.Set("replica_configuration", flattenReplicaConfiguration(instance.ReplicaConfiguration, d)); err != nil {
 log.Printf("[WARN] Failed to set SQL Database Instance Replica Configuration")
diff --git a/website/docs/r/sql_database_instance.html.markdown b/website/docs/r/sql_database_instance.html.markdown
index e3fdffb61a..726c9cd620 100644
--- a/website/docs/r/sql_database_instance.html.markdown
+++ b/website/docs/r/sql_database_instance.html.markdown
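Review bot: `encryption_key_name` is declared `Optional` and `Computed` alongside `ForceNew`, so removing the attribute from a configuration produces no plan diff: state keeps the API-returned key and the instance is not recreated, which a reader of `ForceNew: true` would not expect. The comment `// Property only valid for second-gen.` sits between `Optional` and `Computed` and reads as though it explains `Computed`; move it above the attribute and say what the flag combination means, e.g. `// Optional+Computed: the key is read back from the API, so dropping it from config is not a diff; only changing it forces recreation. Only valid for second-gen instances.`. A `Description` stating that the value is the full KMS key resource path (as the documentation added in this commit describes) would also help, since the schema currently gives no hint about the expected format. The enclosing `resourceSqlDatabaseInstance` schema extends outside this hunk.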
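Review bot: The key name read from `d.GetOk("encryption_key_name")` is forwarded to the API verbatim as `KmsKeyName`, so a malformed or wrong-region key is only rejected server-side, after the mutex on the master instance has been taken and the create call issued. Since the documentation in this commit says the attribute is the full path to the key, a `ValidateFunc` on the schema entry that rejects values not of the expected resource-name form would surface the mistake at plan time instead; I have not confirmed the exact format the sqladmin API accepts, so the check should be kept loose. The `k.(string)` assertion itself is safe given `schema.TypeString`. `resourceSqlDatabaseInstanceCreate` begins and ends outside this hunk.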
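Review bot: The new `d.Set("encryption_key_name", ...)` in `resourceSqlDatabaseInstanceRead` discards its error, unlike the neighbouring `settings` and `replica_configuration` sets that log a `[WARN]`, and it only runs when `DiskEncryptionConfiguration` is non-nil, so a previously stored key is never cleared when the API reports no disk encryption configuration. That means state can keep claiming the instance is CMEK-encrypted after the configuration has disappeared on the API side, hiding exactly the drift a user of this attribute would want to see. Setting the attribute unconditionally (empty string when the configuration is absent) and handling the error consistently with the surrounding calls fixes both; `resourceSqlDatabaseInstanceRead` starts and ends outside this hunk.
```go
	// … unchanged: settings set and its [WARN] log …
	kmsKeyName := ""
	if instance.DiskEncryptionConfiguration != nil {
		kmsKeyName = instance.DiskEncryptionConfiguration.KmsKeyName
	}
	// Always set so that state is cleared when the API reports no encryption config.
	if err := d.Set("encryption_key_name", kmsKeyName); err != nil {
		log.Printf("[WARN] Failed to set SQL Database Instance Encryption Key Name")
	}
	// … unchanged: replica_configuration set …
```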
@@ -216,6 +216,16 @@ includes an up-to-date reference of supported versions.
 * `root_password` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Initial root password. Required for MS SQL Server, ignored by MySQL and PostgreSQL.
+* `encryption_key_name` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+ The full path to the encryption key used for the CMEK disk encryption. Setting
+ up disk encryption currently requires manual steps outside of Terraform.
+ The provided key must be in the same region as the SQL instance. In order
+ to use this feature, a special kind of service account must be created and
+ granted permission on this key. This step can currently only be done
+ manually, please see [this step](https://cloud.google.com/sql/docs/mysql/configure-cmek#service-account).
+ That service account needs the `Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter` role on your
+ key - please see [this step](https://cloud.google.com/sql/docs/mysql/configure-cmek#grantkey).
+
 The required `settings` block supports:
 * `tier` - (Required) The machine type to use. See [tiers](https://cloud.google.com/sql/docs/admin-api/v1beta4/tiers)