diff --git a/modules/logging-bucket/README.md b/modules/logging-bucket/README.md
index f3b3dbe6..73a28fcc 100644
--- a/modules/logging-bucket/README.md
+++ b/modules/logging-bucket/README.md
@@ -64,11 +64,12 @@ module "bucket-billing-account" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [id](variables.tf#L23) | Name of the logging bucket. | string
| ✓ | |
-| [parent](variables.tf#L34) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string
| ✓ | |
-| [parent_type](variables.tf#L39) | Parent object type for the bucket (project, folder, organization, billing_account). | string
| ✓ | |
+| [parent](variables.tf#L40) | ID of the parentresource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string
| ✓ | |
+| [parent_type](variables.tf#L45) | Parent object type for the bucket (project, folder, organization, billing_account). | string
| ✓ | |
| [description](variables.tf#L17) | Human-readable description for the logging bucket. | string
| | null
|
-| [location](variables.tf#L28) | Location of the bucket. | string
| | "global"
|
-| [retention](variables.tf#L44) | Retention time in days for the logging bucket. | number
| | 30
|
+| [kms_key_name](variables.tf#L28) | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key. | string
| | null
|
+| [location](variables.tf#L34) | Location of the bucket. | string
| | "global"
|
+| [retention](variables.tf#L50) | Retention time in days for the logging bucket. | number
| | 30
|
## Outputs
diff --git a/modules/logging-bucket/main.tf b/modules/logging-bucket/main.tf
index 743f77cd..679cd6b9 100644
--- a/modules/logging-bucket/main.tf
+++ b/modules/logging-bucket/main.tf
@@ -21,6 +21,13 @@ resource "google_logging_project_bucket_config" "bucket" {
retention_days = var.retention
bucket_id = var.id
description = var.description
+
+ dynamic "cmek_settings" {
+ for_each = var.kms_key_name == null ? [] : [""]
+ content {
+ kms_key_name = var.kms_key_name
+ }
+ }
}
resource "google_logging_folder_bucket_config" "bucket" {
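Review bot: The new `cmek_settings` block is attached only to `google_logging_project_bucket_config.bucket`, so a caller who sets `kms_key_name` together with a folder, organization or billing-account `parent_type` gets a bucket whose logs are not encrypted with their key, with no plan-time signal that the variable was ignored; the folder resource that begins on the hunk's last context line receives no such block, and the other resources are outside this hunk. For a control whose whole purpose is encryption at rest, silent fallback is the wrong failure mode: either add the same `dynamic "cmek_settings"` block to the other bucket resources, or reject the combination with a `precondition` on the non-project resources (or a variable validation, where the Terraform version in use allows cross-variable references) along the lines of `condition = var.kms_key_name == null || var.parent_type == "project"` with an error message saying CMEK is only applied to project buckets. It is also worth a one-line comment above the block noting that the bucket cannot be created until the Logging service account has been granted the encrypter/decrypter role on the key, since that failure shows up as an apply-time API error rather than a plan-time one. `google_logging_project_bucket_config.bucket` starts before the hunk.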
diff --git a/modules/logging-bucket/variables.tf b/modules/logging-bucket/variables.tf
index 350cad68..451dcce9 100644
--- a/modules/logging-bucket/variables.tf
+++ b/modules/logging-bucket/variables.tf
@@ -25,6 +25,12 @@ variable "id" {
type = string
}
+variable "kms_key_name" {
+ description = "To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key."
+ type = string
+ default = null
+}
+
variable "location" {
description = "Location of the bucket."
type = string
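Review bot: The description of `kms_key_name` says "a valid name" but does not tell the caller what shape the value must take, and a malformed value is only rejected at apply time by the API. As far as I recall the Logging API expects the full Cloud KMS resource name (`projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>`) and requires the key's location to be compatible with the bucket's `location`; if that holds for this module, the description should state both, e.g. `description = "Full resource name of the Cloud KMS key (projects/../locations/../keyRings/../cryptoKeys/..) used to enable CMEK on a project logging bucket; the key location must match the bucket location and the Logging service account needs roles/cloudkms.cryptoKeyEncrypterDecrypter on it."`. A `validation` block can enforce the shape at plan time so a typo in the key name does not leave the bucket unencrypted or fail only during apply, if the module's minimum Terraform version supports it.
```terraform
variable "kms_key_name" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.kms_key_name == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.kms_key_name))
    error_message = "kms_key_name must be null or a full Cloud KMS key resource name (projects/../locations/../keyRings/../cryptoKeys/..)."
  }
}
```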