Database encryption working.

main.tf

@@ -1,3 +1,16 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "3.74.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.1.0"
+    }
+  }
+}
+
 variable "project" {
   description = "Project ID."
   type        = string
@@ -22,6 +35,10 @@ provider "google" {
   zone    = var.zone
 }
 
+data "google_project" "project" {
+  project = var.project
+}
+
 #################### KMS ##################################
 
 resource "google_project_service" "cloudkms" {
@@ -30,9 +47,13 @@ resource "google_project_service" "cloudkms" {
   disable_dependent_services = true
 }
 
+resource "random_id" "gke_db" {
+  byte_length = 4
+}
+
 resource "google_kms_key_ring" "gke_db" {
   project  = var.project
-  name     = "gke-db"
+  name     = "gke-db-${random_id.gke_db.hex}"
   location = var.region
 
   lifecycle {
@@ -47,6 +68,10 @@ resource "google_kms_key_ring" "gke_db" {
 resource "google_kms_key_ring_iam_policy" "gke_db" {
   key_ring_id = google_kms_key_ring.gke_db.id
   policy_data = data.google_iam_policy.gke_db.policy_data
+
+  depends_on = [
+    google_project_service.cloudkms
+  ]
 }
 
 resource "google_kms_crypto_key" "gke_db" {
@@ -58,7 +83,7 @@ resource "google_kms_crypto_key" "gke_db" {
   }
 
   depends_on = [
-    google_project_service.cloudkms
+    google_project_service.container
   ]
 }
 
@@ -67,7 +92,7 @@ data "google_iam_policy" "gke_db" {
     role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
     members = [
-      "serviceAccount:${google_service_account.gke.email}",
+      "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
     ]
   }
 }