Add Vector Search collection CMEK support (GoogleCloudPlatform#17129)

kkanska · web-flow · commit 779cf6bdeb0e · 2026-04-16T21:46:58.000Z
diff --git a/mmv1/products/vectorsearch/Collection.yaml b/mmv1/products/vectorsearch/Collection.yaml
@@ -26,6 +26,10 @@ examples:
     primary_resource_id: "example-collection"
     vars:
       collection_id: "example-collection"
+  - name: vectorsearch_collection_cmek
+    primary_resource_id: "example-cmek-collection"
+    vars:
+      collection_id: "example-cmek-collection"
 autogen_async: true
 async:
   operation:
@@ -81,6 +85,23 @@ properties:
   - name: displayName
     type: String
     description: User-specified display name of the collection
+  - name: encryptionSpec
+    type: NestedObject
+    description: |-
+      Represents a customer-managed encryption key specification that can be
+      applied to a Vector Search collection.
+    immutable: true
+    properties:
+      - name: cryptoKeyName
+        type: String
+        required: true
+        immutable: true
+        description: |-
+          Resource name of the Cloud KMS key used to protect the resource.
+
+          The Cloud KMS key must be in the same region as the resource. It must have
+          the format
+          `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`.
   - name: labels
     type: KeyValueLabels
     description: Labels as key value pairs.
diff --git a/mmv1/templates/terraform/examples/vectorsearch_collection_cmek.tf.tmpl b/mmv1/templates/terraform/examples/vectorsearch_collection_cmek.tf.tmpl
@@ -0,0 +1,64 @@
+resource "google_vector_search_collection" "{{$.PrimaryResourceId}}" {
+  location      = "us-central1"
+  collection_id = "{{index $.Vars "collection_id"}}"
+
+  display_name = "My Awesome Encrypted Collection"
+  description  = "This collection stores important data."
+
+  encryption_spec {
+    crypto_key_name = google_kms_crypto_key.crypto_key.id
+  }
+
+  labels = {
+    env  = "dev"
+    team = "my-team"
+  }
+
+  data_schema = <<EOF
+{
+  "type": "object",
+  "properties": {
+    "title": {
+      "type": "string"
+    },
+    "plot": {
+      "type": "string"
+    }
+  }
+}
+EOF
+
+  vector_schema {
+    field_name = "text_embedding"
+    dense_vector {
+      dimensions = 768
+      vertex_embedding_config {
+        model_id   = "textembedding-gecko@003"
+        task_type  = "RETRIEVAL_DOCUMENT"
+        text_template = "Title: {title} ---- Plot: {plot}"
+      }
+    }
+  }
+
+  depends_on = [google_kms_crypto_key_iam_member.crypto_key_member_vs_sa]
+}
+
+resource "google_kms_crypto_key" "crypto_key" {
+  name     = "{{index $.Vars "collection_id"}}"
+  key_ring = google_kms_key_ring.key_ring.id
+}
+
+resource "google_kms_key_ring" "key_ring" {
+  name     = "{{index $.Vars "collection_id"}}"
+  location = "us-central1"
+}
+
+resource "google_kms_crypto_key_iam_member" "crypto_key_member_vs_sa" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-vectorsearch.iam.gserviceaccount.com"
+}
+
+data "google_project" "project" {}
+
