hashicorp · modular-magician · Feb 5, 2020 · Feb 5, 2020
diff --git a/google-beta/resource_sql_database_instance.go b/google-beta/resource_sql_database_instance.go
@@ -328,6 +328,14 @@ func resourceSqlDatabaseInstance() *schema.Resource {
 				ForceNew: true,
 			},
 
+			"encryption_key_name": {
+				Type:     schema.TypeString,
+				Optional: true,
+				// Property only valid for second-gen.
+				Computed: true,
+				ForceNew: true,
+			},
+
 			"root_password": {
 				Type:      schema.TypeString,
 				Optional:  true,
@@ -581,6 +589,11 @@ func resourceSqlDatabaseInstanceCreate(d *schema.ResourceData, meta interface{})
 		mutexKV.Lock(instanceMutexKey(project, instance.MasterInstanceName))
 		defer mutexKV.Unlock(instanceMutexKey(project, instance.MasterInstanceName))
 	}
+	if k, ok := d.GetOk("encryption_key_name"); ok {
+		instance.DiskEncryptionConfiguration = &sqladmin.DiskEncryptionConfiguration{
+			KmsKeyName: k.(string),
+		}
+	}
 
 	var op *sqladmin.Operation
 	err = retryTimeDuration(func() (operr error) {
@@ -816,6 +829,9 @@ func resourceSqlDatabaseInstanceRead(d *schema.ResourceData, meta interface{}) e
 	if err := d.Set("settings", flattenSettings(instance.Settings)); err != nil {
 		log.Printf("[WARN] Failed to set SQL Database Instance Settings")
 	}
+	if instance.DiskEncryptionConfiguration != nil {
+		d.Set("encryption_key_name", instance.DiskEncryptionConfiguration.KmsKeyName)
+	}
 
 	if err := d.Set("replica_configuration", flattenReplicaConfiguration(instance.ReplicaConfiguration, d)); err != nil {
 		log.Printf("[WARN] Failed to set SQL Database Instance Replica Configuration")

diff --git a/website/docs/r/sql_database_instance.html.markdown b/website/docs/r/sql_database_instance.html.markdown
@@ -216,6 +216,16 @@ includes an up-to-date reference of supported versions.
 
 * `root_password` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Initial root password. Required for MS SQL Server, ignored by MySQL and PostgreSQL.
 
+* `encryption_key_name` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+    The full path to the encryption key used for the CMEK disk encryption.  Setting
+    up disk encryption currently requires manual steps outside of Terraform.
+    The provided key must be in the same region as the SQL instance.  In order
+    to use this feature, a special kind of service account must be created and
+    granted permission on this key.  This step can currently only be done
+    manually, please see [this step](https://cloud.google.com/sql/docs/mysql/configure-cmek#service-account).
+    That service account needs the `Cloud KMS > Cloud KMS CryptoKey Encrypter/Decrypter` role on your
+    key - please see [this step](https://cloud.google.com/sql/docs/mysql/configure-cmek#grantkey).
+
 The required `settings` block supports:
 
 * `tier` - (Required) The machine type to use. See [tiers](https://cloud.google.com/sql/docs/admin-api/v1beta4/tiers)