From 31939c03393d13022c08fbc079816a950896d971 Mon Sep 17 00:00:00 2001
From: Modular Magician
Date: Tue, 9 Sep 2025 20:29:53 +0000
Subject: [PATCH] Add new encryption_spec field (#15068)
[upstream:a71440718aca830a9504c23ef92e87e21e34e290]
Signed-off-by: Modular Magician
---
 privateca_capool_all_fields/main.tf | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/privateca_capool_all_fields/main.tf b/privateca_capool_all_fields/main.tf
index 3b53b9a3..893a7041 100644
--- a/privateca_capool_all_fields/main.tf
+++ b/privateca_capool_all_fields/main.tf
@@ -1,6 +1,16 @@
+resource "google_project_service_identity" "privateca_sa" {
+ service = "privateca.googleapis.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_encrypterdecrypter" {
+ crypto_key_id = "projects/keys-project/locations/asia-east1/keyRings/key-ring/cryptoKeys/crypto-key-${local.name_suffix}"
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = google_project_service_identity.privateca_sa.member
+}
+
 resource "google_privateca_ca_pool" "default" {
 name = "my-pool-${local.name_suffix}"
- location = "us-central1"
+ location = "asia-east1-${local.name_suffix}"
 tier = "ENTERPRISE"
 publishing_options {
 publish_ca_cert = false
@@ -10,6 +20,9 @@ resource "google_privateca_ca_pool" "default" {
 labels = {
 foo = "bar"
 }
+ encryption_spec {
+ cloud_kms_key = "projects/keys-project/locations/asia-east1/keyRings/key-ring/cryptoKeys/crypto-key-${local.name_suffix}"
+ }
 issuance_policy {
 allowed_key_types {
 elliptic_curve {
@@ -87,4 +100,8 @@ resource "google_privateca_ca_pool" "default" {
 }
 }
 }
+
+ depends_on = [
+ google_kms_crypto_key_iam_member.privateca_sa_keyuser_encrypterdecrypter,
+ ]
 }
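Review bot: The new `location = "asia-east1-${local.name_suffix}"` on `google_privateca_ca_pool.default` appends the name suffix to the region, so it no longer equals the `asia-east1` in the key path given to `crypto_key_id` in the same hunk. A CMEK-protected resource normally has to sit in the same location as its key, and a suffixed string is unlikely to be a valid region at all, so this looks like suffix templating applied to the wrong value. I would write `location = "asia-east1"` here. The pool resource's body continues outside this hunk.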
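Review bot: The `cloud_kms_key` in the added `encryption_spec` block repeats, as a second literal, the key path already passed as `crypto_key_id` to `google_kms_crypto_key_iam_member.privateca_sa_keyuser_encrypterdecrypter`. If the two strings drift, the service agent is granted on one key while the pool is configured to encrypt with another. Referencing the grant keeps them tied together: `cloud_kms_key = google_kms_crypto_key_iam_member.privateca_sa_keyuser_encrypterdecrypter.crypto_key_id`. The enclosing resource starts and ends outside this hunk.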
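Review bot: The added `depends_on` does not say why the pool must wait for the IAM member, and someone copying this example may drop it as noise. A comment above it would help, for example `# The Private CA service agent needs encrypt/decrypt on the CMEK key before the pool is created.` That ordering requirement is inferred from the shape of the change rather than stated on the page, so confirm the wording against the API's behaviour. The resource's opening line is outside this hunk.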