From 649e9a4a6ec87fdec8ec6f233ef05d0de541c21a Mon Sep 17 00:00:00 2001
From: Darrell Pappa
Date: Fri, 10 May 2024 13:39:14 -0400
Subject: [PATCH 1/3] Added required kms_iam_binding for gke encryption
---
 main.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/main.tf b/main.tf
index ce1172f..7d37635 100644
--- a/main.tf
+++ b/main.tf
@@ -16,6 +16,11 @@ data "google_compute_zones" "available" {
 project = var.project_id
 }
+# Declared to infer the project number
+data "google_project" "project" {
+ project = var.project_id
+}
+
 resource "google_kms_key_ring" "keyring" {
 count = var.enable_database_encryption && var.database_encryption_key_name == "" ? 1 : 0 # Only create if the feature is enabled and the customer didn't provide a key
 name = "streamnative-keyring"
@@ -29,6 +34,14 @@ resource "google_kms_crypto_key" "gke_encryption_key" {
 rotation_period = "12960000s" #150 days
 }
+# Required for GKE to use the encryption key
+resource "google_project_iam_member" "kms_iam_binding" {
+ count = var.enable_database_encryption ? 1 : 0 # Only create if the feature is enabled
+ project = var.project_id
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
+}
+
 locals {
 ### Node Pools
From 86d2af2c126c6bbdb01451afb6f5f2a0ee40758f Mon Sep 17 00:00:00 2001
From: Darrell Pappa
Date: Fri, 10 May 2024 13:42:28 -0400
Subject: [PATCH 2/3] Added docs
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b98b575..d1bd816 100644
--- a/README.md
+++ b/README.md
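Review bot: The binding added in the second hunk grants `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the whole project through `google_project_iam_member`, so the GKE service agent can encrypt and decrypt with every Cloud KMS key in the project rather than only the GKE database-encryption key. A key-scoped `google_kms_crypto_key_iam_member` keeps the grant at least privilege and also handles the customer-supplied key that the key ring's `count` condition already anticipates, which a project-level grant would miss if that key lives in another project. Note the two conditions also diverge: the binding is created whenever `var.enable_database_encryption` is set, while the key ring is created only when `var.database_encryption_key_name` is empty, so the two should be reconciled. The format of `var.database_encryption_key_name` (full resource id or bare name) is not visible here, so the `crypto_key_id` expression below should be confirmed against the variable's definition, and if `google_kms_crypto_key.gke_encryption_key` carries the same `count` as the key ring it needs `[0]` indexing as shown.
```hcl
# Required for GKE to use the encryption key; scoped to the key rather than the whole project
resource "google_kms_crypto_key_iam_member" "kms_iam_binding" {
  count         = var.enable_database_encryption ? 1 : 0 # Only create if the feature is enabled
  crypto_key_id = var.database_encryption_key_name != "" ? var.database_encryption_key_name : google_kms_crypto_key.gke_encryption_key[0].id # TODO confirm the variable holds a full key resource id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
}
```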
@@ -67,6 +67,7 @@ tf apply
 | [kubernetes_storage_class.sn_default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.sn_ssd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [google_compute_zones.available](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
+| [google_project.number](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 ## Inputs
From 45f32cae7cba165e7326fd264a783ab2a0252528 Mon Sep 17 00:00:00 2001
From: Darrell Pappa
Date: Fri, 10 May 2024 13:51:49 -0400
Subject: [PATCH 3/3] Updated the project argument
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 7d37635..a016685 100644
--- a/main.tf
+++ b/main.tf
@@ -18,7 +18,7 @@ data "google_compute_zones" "available" {
 # Declared to infer the project number
 data "google_project" "project" {
- project = var.project_id
+ project_id = var.project_id
 }
 resource "google_kms_key_ring" "keyring" {