diff --git a/modules/artifact-registry/README.md b/modules/artifact-registry/README.md
index b782c068..26a9c3fb 100644
--- a/modules/artifact-registry/README.md
+++ b/modules/artifact-registry/README.md
@@ -25,13 +25,14 @@ module "docker_artifact_registry" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [id](variables.tf#L35) | Repository id. | string
| ✓ | |
-| [project_id](variables.tf#L52) | Registry project id. | string
| ✓ | |
+| [id](variables.tf#L41) | Repository id. | string
| ✓ | |
+| [project_id](variables.tf#L58) | Registry project id. | string
| ✓ | |
| [description](variables.tf#L17) | An optional description for the repository. | string
| | "Terraform-managed registry"
|
-| [format](variables.tf#L23) | Repository format. One of DOCKER or UNSPECIFIED. | string
| | "DOCKER"
|
-| [iam](variables.tf#L29) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string))
| | {}
|
-| [labels](variables.tf#L40) | Labels to be attached to the registry. | map(string)
| | {}
|
-| [location](variables.tf#L46) | Registry location. Use `gcloud beta artifacts locations list' to get valid values. | string
| | null
|
+| [encryption_key](variables.tf#L23) | The KMS key name to use for encryption at rest. | string
| | null
|
+| [format](variables.tf#L29) | Repository format. One of DOCKER or UNSPECIFIED. | string
| | "DOCKER"
|
+| [iam](variables.tf#L35) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string))
| | {}
|
+| [labels](variables.tf#L46) | Labels to be attached to the registry. | map(string)
| | {}
|
+| [location](variables.tf#L52) | Registry location. Use `gcloud beta artifacts locations list' to get valid values. | string
| | null
|
## Outputs
diff --git a/modules/artifact-registry/main.tf b/modules/artifact-registry/main.tf
index 8b01e096..814aaba1 100644
--- a/modules/artifact-registry/main.tf
+++ b/modules/artifact-registry/main.tf
@@ -22,6 +22,7 @@ resource "google_artifact_registry_repository" "registry" {
format = var.format
labels = var.labels
repository_id = var.id
+ kms_key_name = var.encryption_key
}
resource "google_artifact_registry_repository_iam_binding" "bindings" {
diff --git a/modules/artifact-registry/variables.tf b/modules/artifact-registry/variables.tf
index 907ee976..afdfa8d5 100644
--- a/modules/artifact-registry/variables.tf
+++ b/modules/artifact-registry/variables.tf
@@ -20,6 +20,12 @@ variable "description" {
default = "Terraform-managed registry"
}
+variable "encryption_key" {
+ description = "The KMS key name to use for encryption at rest."
+ type = string
+ default = null
+}
+
variable "format" {
description = "Repository format. One of DOCKER or UNSPECIFIED."
type = string