This example creates a sample centralized [Cloud KMS](https://cloud.google.com/kms?hl=it) configuration, and uses it to implement CMEK for [Cloud Storage](https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys) and [Compute Engine](https://cloud.google.com/compute/docs/disks/customer-managed-encryption) in a separate project.
The example is designed to match real-world use cases with a minimum amount of resources, and to serve as a starting point for scenarios where application projects implement CMEK using keys managed by a central team. It also includes the IAM wiring needed to make such scenarios work.

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| root_node | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id. | <code>string</code> | ✓ | |
| *location* | The location where resources will be deployed. | <code>string</code> | | <code>europe</code> |
| *vpc_ip_cidr_range* | IP range used in the subnet deployed in the Service Project. | <code>string</code> | | <code>10.0.0.0/20</code> |
| *vpc_name* | Name of the VPC created in the Service Project. | <code>string</code> | | <code>local</code> |
| *vpc_subnet_name* | Name of the subnet created in the Service Project. | <code>string</code> | | <code>subnet</code> |
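
The IAM wiring mentioned above, sketched as an added Terraform example rather than this example's own code: the application project's Cloud Storage and Compute Engine service agents each get `roles/cloudkms.cryptoKeyEncrypterDecrypter` on their own key in the central project, and nothing broader. The two input variables, all resource names and the `europe-west1` region are assumptions.

```hcl
# Added example: variable names, resource names and the region are placeholders.
variable "kms_project_id" { type = string }     # central team's KMS project
variable "service_project_id" { type = string } # application project
data "google_project" "service" { project_id = var.service_project_id }
data "google_storage_project_service_account" "gcs" { project = var.service_project_id }
locals {
  region = "europe-west1" # assumed; key ring, bucket and disk share one location
  # Service agents of the application project that call Cloud KMS on its behalf.
  agents = {
    gcs = data.google_storage_project_service_account.gcs.email_address
    gce = "service-${data.google_project.service.number}@compute-system.iam.gserviceaccount.com"
  }
}

resource "google_kms_key_ring" "central" {
  project  = var.kms_project_id
  name     = "example-keyring"
  location = local.region
}

resource "google_kms_crypto_key" "key" {
  for_each = local.agents # one key per consuming service
  name     = "example-${each.key}"
  key_ring = google_kms_key_ring.central.id
}

# Grant on the individual key, not on the key ring or the KMS project.
resource "google_kms_crypto_key_iam_member" "agent" {
  for_each      = local.agents
  crypto_key_id = google_kms_crypto_key.key[each.key].id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${each.value}"
}

resource "google_storage_bucket" "cmek" {
  project  = var.service_project_id
  name     = "${var.service_project_id}-cmek-example"
  location = local.region
  encryption { default_kms_key_name = google_kms_crypto_key.key["gcs"].id }
  depends_on = [google_kms_crypto_key_iam_member.agent] # grant must exist first
}

resource "google_compute_disk" "cmek" {
  project = var.service_project_id
  name    = "cmek-example"
  zone    = "${local.region}-b"
  disk_encryption_key { kms_key_self_link = google_kms_crypto_key.key["gce"].id }
  depends_on = [google_kms_crypto_key_iam_member.agent]
}
```

The `depends_on` entries matter: without them Terraform may try to create the bucket or disk before the service agent can use the key, and the create call is rejected.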