diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index 213398d7..d5c050c8 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -93,6 +93,59 @@ module "db" {
 }
 # tftest modules=1 resources=6
 ```
+
+### CMEK encryption pippo
+```hcl
+
+module "project" {
+  source          = "./modules/project"
+  billing_account = var.billing_account_id
+  parent          = var.organization_id
+  name            = "my-db-project"
+  services = [
+    "servicenetworking.googleapis.com"
+  ]
+}
+
+resource "google_project_service_identity" "jit_si" {
+  provider   = google-beta
+  project    = module.project.project_id
+  service    = "sqladmin.googleapis.com"
+}
+
+module "kms" {
+  source     = "./modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    name     = "keyring"
+    location = var.region
+  }
+  keys = {
+    key-sql = null
+  }
+  key_iam = {
+    key-sql = {
+      "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+        "serviceAccount:${google_project_service_identity.jit_si.email}"
+      ]
+    }
+  }
+}
+
+module "db" {
+  source              = "./modules/cloudsql-instance"
+  project_id          = module.project.project_id
+  encryption_key_name = module.kms.keys["key-sql"].id
+  network             = var.vpc.self_link
+  name                = "db"
+  region              = var.region
+  database_version    = "POSTGRES_13"
+  tier                = "db-g1-small"
+}
+
+# tftest modules=3 resources=8
+```
+
 <!-- BEGIN TFDOC -->
 
 ## Variables
diff --git a/modules/cloudsql-instance/main.tf b/modules/cloudsql-instance/main.tf
index 0f817b29..dcf92fe1 100644
--- a/modules/cloudsql-instance/main.tf
+++ b/modules/cloudsql-instance/main.tf
@@ -43,10 +43,12 @@ locals {
 }
 
 resource "google_sql_database_instance" "primary" {
-  project          = var.project_id
-  name             = "${local.prefix}${var.name}"
-  region           = var.region
-  database_version = var.database_version
+  provider            = google-beta
+  project             = var.project_id
+  name                = "${local.prefix}${var.name}"
+  region              = var.region
+  database_version    = var.database_version
+  encryption_key_name = var.encryption_key_name
 
   settings {
     tier              = var.tier
@@ -104,11 +106,13 @@ resource "google_sql_database_instance" "primary" {
 }
 
 resource "google_sql_database_instance" "replicas" {
-  for_each             = local.has_replicas ? var.replicas : {}
+  provider             = google-beta
+  for_each             = length(var.replicas) > 0 ? var.replicas : {}
   project              = var.project_id
   name                 = "${local.prefix}${each.key}"
-  region               = each.value
+  region               = each.value.region
   database_version     = var.database_version
+  encryption_key_name  = each.value.encryption_key_name
   master_instance_name = google_sql_database_instance.primary.name
 
   settings {
diff --git a/modules/cloudsql-instance/outputs.tf b/modules/cloudsql-instance/outputs.tf
index e2ca316d..38bfc951 100644
--- a/modules/cloudsql-instance/outputs.tf
+++ b/modules/cloudsql-instance/outputs.tf
@@ -66,6 +66,19 @@ output "ips" {
   }
 }
 
+output "name" {
+  description = "Name of the primary instance."
+  value       = google_sql_database_instance.primary.name
+}
+
+output "names" {
+  description = "Names of all instances."
+  value = {
+    for id, instance in local._all_intances :
+    id => instance.name
+  }
+}
+
 output "self_link" {
   description = "Self link of the primary instance."
   value       = google_sql_database_instance.primary.self_link
diff --git a/modules/cloudsql-instance/variables.tf b/modules/cloudsql-instance/variables.tf
index e59736ba..00130045 100644
--- a/modules/cloudsql-instance/variables.tf
+++ b/modules/cloudsql-instance/variables.tf
@@ -76,6 +76,12 @@ variable "disk_type" {
   default     = "PD_SSD"
 }
 
+variable "encryption_key_name" {
+  description = "The full path to the encryption key used for the CMEK disk encryption."
+  type        = string
+  default     = null
+}
+
 variable "flags" {
   description = "Map FLAG_NAME=>VALUE for database-specific tuning."
   type        = map(string)
@@ -115,9 +121,12 @@ variable "region" {
 }
 
 variable "replicas" {
-  description = "Map of NAME=>REGION for additional read replicas. Set to null to disable replica creation."
-  type        = map(any)
-  default     = null
+  description = "Map of NAME=> {REGION, KMS_KEY} for additional read replicas. Set to null to disable replica creation."
+  type = map(object({
+    region              = string
+    encryption_key_name = string
+  }))
+  default = {}
 }
 
 variable "tier" {
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index eae98e23..f5cffed4 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -42,6 +42,7 @@ locals {
     gcf           = "service-%s@gcf-admin-robot"
     pubsub        = "service-%s@gcp-sa-pubsub"
     secretmanager = "service-%s@gcp-sa-secretmanager"
+    sql           = "service-%s@gcp-sa-cloud-sql"
     storage       = "service-%s@gs-project-accounts"
   }
   service_accounts_default = {
@@ -56,9 +57,10 @@ locals {
     k => "${format(v, local.project.number)}.iam.gserviceaccount.com"
   }
   service_accounts_jit_services = [
-    "secretmanager.googleapis.com",
+    "cloudasset.googleapis.com",
     "pubsub.googleapis.com",
-    "cloudasset.googleapis.com"
+    "secretmanager.googleapis.com",
+    "sqladmin.googleapis.com"
   ]
   service_accounts_cmek_service_keys = distinct(flatten([
     for s in keys(var.service_encryption_key_ids) : [