From 3933a747fe250ff10ef289e8db78957cd73638f5 Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Wed, 26 Jun 2024 08:12:26 +0200
Subject: [PATCH] Fixes related to Apigee KMS keys (#2382)

* Fixes related to Apigee KMS keys

* tfdoc

---------

Co-authored-by: Ludo <ludomagno@google.com>
---
 .../apigee/apigee-x-foundations/README.md     | 34 ++++++----
 .../apigee/apigee-x-foundations/apigee.tf     | 55 +++++++++++-----
 blueprints/apigee/apigee-x-foundations/kms.tf | 65 +++++++++++++++++--
 .../apigee/apigee-x-foundations/variables.tf  | 49 ++++++++++----
 4 files changed, 154 insertions(+), 49 deletions(-)

diff --git a/blueprints/apigee/apigee-x-foundations/README.md b/blueprints/apigee/apigee-x-foundations/README.md
index 2b9b24b3a2..665ef035c9 100644
--- a/blueprints/apigee/apigee-x-foundations/README.md
+++ b/blueprints/apigee/apigee-x-foundations/README.md
@@ -41,7 +41,15 @@ module "apigee-x-foundations" {
       api_security = true
     }
     organization = {
-      analytics_region = "europe-west1"
+      analytics_region           = "europe-west1"
+      api_consumer_data_location = "europe-west1"
+      api_consumer_data_encryption_key_config = {
+        auto_create = true
+      }
+      database_encryption_key_config = {
+        auto_create = true
+      }
+      billing_type = "PAYG"
     }
     envgroups = {
       apis = [
@@ -203,7 +211,7 @@ module "apigee-x-foundations" {
     ]
   }
 }
-# tftest modules=10 resources=62
+# tftest modules=7 resources=50
 ```
 
 ### Apigee X in service project with peering disabled and exposed using Global LB
@@ -279,7 +287,7 @@ module "apigee-x-foundations" {
     }
   }
 }
-# tftest modules=6 resources=36
+# tftest modules=4 resources=28
 ```
 
 ### Apigee X in standalone project with peering enabled and exposed with Regional Internal LB
@@ -361,7 +369,7 @@ module "apigee-x-foundations" {
     }
   }
 }
-# tftest modules=8 resources=48
+# tftest modules=6 resources=40
 ```
 
 ### Apigee X in standalone project with peering disabled and exposed using Global External Application LB
@@ -438,7 +446,7 @@ module "apigee-x-foundations" {
   }
   enable_monitoring = true
 }
-# tftest modules=8 resources=55
+# tftest modules=6 resources=47
 ```
 
 <!-- TFDOC OPTS files:1 show_extra:1 -->
@@ -460,13 +468,13 @@ module "apigee-x-foundations" {
 
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
-| [apigee_config](variables.tf#L17) | Apigee configuration. | <code title="object&#40;&#123;&#10;  addons_config &#61; optional&#40;object&#40;&#123;&#10;    advanced_api_ops    &#61; optional&#40;bool, false&#41;&#10;    api_security        &#61; optional&#40;bool, false&#41;&#10;    connectors_platform &#61; optional&#40;bool, false&#41;&#10;    integration         &#61; optional&#40;bool, false&#41;&#10;    monetization        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  organization &#61; object&#40;&#123;&#10;    analytics_region                 &#61; optional&#40;string&#41;&#10;    api_consumer_data_encryption_key &#61; optional&#40;string&#41;&#10;    api_consumer_data_location       &#61; optional&#40;string&#41;&#10;    authorized_network               &#61; optional&#40;string&#41;&#10;    billing_type                     &#61; optional&#40;string&#41;&#10;    control_plane_encryption_key     &#61; optional&#40;string&#41;&#10;    database_encryption_key          &#61; optional&#40;string&#41;&#10;    description                      &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;    disable_vpc_peering              &#61; optional&#40;bool, false&#41;&#10;    display_name                     &#61; optional&#40;string&#41;&#10;    properties                       &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    retention                        &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#10;  envgroups &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  environments &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description  &#61; optional&#40;string&#41;&#10;    display_name &#61; optional&#40;string&#41;&#10;    envgroups    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    iam          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      role    &#61; string&#10;      members &#61; list&#40;string&#41;&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      role   &#61; string&#10;      member &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    node_config &#61; optional&#40;object&#40;&#123;&#10;      min_node_count &#61; optional&#40;number&#41;&#10;      max_node_count &#61; optional&#40;number&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    type &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  instances &#61; optional&#40;map&#40;object&#40;&#123;&#10;    disk_encryption_key           &#61; optional&#40;string&#41;&#10;    environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    external                      &#61; optional&#40;bool, true&#41;&#10;    runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;    troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  endpoint_attachments &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region             &#61; string&#10;    service_attachment &#61; string&#10;    dns_names          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
-| [project_config](variables.tf#L276) | Project configuration. | <code title="object&#40;&#123;&#10;  billing_account_id      &#61; optional&#40;string&#41;&#10;  compute_metadata        &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  contacts                &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  custom_roles            &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  default_service_account &#61; optional&#40;string, &#34;keep&#34;&#41;&#10;  descriptive_name        &#61; optional&#40;string&#41;&#10;  iam                     &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  group_iam               &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  labels              &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  lien_reason         &#61; optional&#40;string&#41;&#10;  logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10;  log_exclusions      &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10;    bq_partitioned_table &#61; optional&#40;bool&#41;&#10;    description          &#61; optional&#40;string&#41;&#10;    destination          &#61; string&#10;    disabled             &#61; optional&#40;bool, false&#41;&#10;    exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    filter               &#61; string&#10;    iam                  &#61; optional&#40;bool, true&#41;&#10;    type                 &#61; string&#10;    unique_writer        &#61; optional&#40;bool, true&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  metric_scopes &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  name          &#61; string&#10;  org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;    inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;    reset               &#61; optional&#40;bool&#41;&#10;    rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;      allow &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      deny &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        description &#61; optional&#40;string&#41;&#10;        expression  &#61; optional&#40;string&#41;&#10;        location    &#61; optional&#40;string&#41;&#10;        title       &#61; optional&#40;string&#41;&#10;      &#125;&#41;, &#123;&#125;&#41;&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  parent         &#61; optional&#40;string&#41;&#10;  prefix         &#61; optional&#40;string&#41;&#10;  project_create &#61; optional&#40;bool, true&#41;&#10;  vpc_sc &#61; optional&#40;object&#40;&#123;&#10;    perimeter_name    &#61; string&#10;    perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    is_dry_run        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  shared_vpc_host_config &#61; optional&#40;object&#40;&#123;&#10;    enabled          &#61; bool&#10;    service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;&#10;  shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10;    host_project         &#61; string&#10;    service_identity_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_iam_grants   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;&#10;  skip_delete  &#61; optional&#40;bool, false&#41;&#10;  tag_bindings &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
-| [enable_monitoring](variables.tf#L92) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | <code>bool</code> |  | <code>false</code> |  |
-| [ext_lb_config](variables.tf#L98) | External application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  security_policy &#61; optional&#40;object&#40;&#123;&#10;    advanced_options_config &#61; optional&#40;object&#40;&#123;&#10;      json_parsing &#61; optional&#40;object&#40;&#123;&#10;        enable        &#61; optional&#40;bool, false&#41;&#10;        content_types &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      log_level &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    adaptive_protection_config &#61; optional&#40;object&#40;&#123;&#10;      layer_7_ddos_defense_config &#61; optional&#40;object&#40;&#123;&#10;        enable          &#61; optional&#40;bool, false&#41;&#10;        rule_visibility &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;      auto_deploy_config &#61; optional&#40;object&#40;&#123;&#10;        load_threshold              &#61; optional&#40;number&#41;&#10;        confidence_threshold        &#61; optional&#40;number&#41;&#10;        impacted_baseline_threshold &#61; optional&#40;number&#41;&#10;        expiration_sec              &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    rate_limit_threshold &#61; optional&#40;object&#40;&#123;&#10;      count        &#61; number&#10;      interval_sec &#61; number&#10;    &#125;&#41;&#41;&#10;    forbidden_src_ip_ranges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    forbidden_regions       &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    preconfigured_waf_rules &#61; optional&#40;map&#40;object&#40;&#123;&#10;      sensitivity      &#61; optional&#40;number&#41;&#10;      opt_in_rule_ids  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;      opt_out_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ssl_certificates &#61; object&#40;&#123;&#10;    certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      certificate &#61; string&#10;      private_key &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    managed_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      domains     &#61; list&#40;string&#41;&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    self_signed_configs &#61; optional&#40;list&#40;string&#41;, null&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
-| [int_cross_region_lb_config](variables.tf#L169) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  certificate_manager_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
-| [int_lb_config](variables.tf#L197) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ssl_certificates &#61; object&#40;&#123;&#10;    certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      certificate &#61; string&#10;      private_key &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    self_signed_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
-| [network_config](variables.tf#L233) | Network configuration. | <code title="object&#40;&#123;&#10;  shared_vpc &#61; optional&#40;object&#40;&#123;&#10;    name        &#61; string&#10;    subnets     &#61; map&#40;string&#41;&#10;    subnets_psc &#61; map&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  apigee_vpc &#61; optional&#40;object&#40;&#123;&#10;    name        &#61; optional&#40;string&#41;&#10;    auto_create &#61; optional&#40;bool, true&#41;&#10;    subnets &#61; optional&#40;map&#40;object&#40;&#123;&#10;      id            &#61; optional&#40;string&#41;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    subnets_proxy_only &#61; optional&#40;map&#40;object&#40;&#123;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    subnets_psc &#61; optional&#40;map&#40;object&#40;&#123;&#10;      id            &#61; optional&#40;string&#41;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
+| [apigee_config](variables.tf#L17) | Apigee configuration. | <code title="object&#40;&#123;&#10;  addons_config &#61; optional&#40;object&#40;&#123;&#10;    advanced_api_ops    &#61; optional&#40;bool, false&#41;&#10;    api_security        &#61; optional&#40;bool, false&#41;&#10;    connectors_platform &#61; optional&#40;bool, false&#41;&#10;    integration         &#61; optional&#40;bool, false&#41;&#10;    monetization        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  organization &#61; object&#40;&#123;&#10;    analytics_region &#61; optional&#40;string&#41;&#10;    api_consumer_data_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10;      auto_create &#61; optional&#40;bool, false&#41;&#10;      id          &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    api_consumer_data_location &#61; optional&#40;string&#41;&#10;    billing_type               &#61; optional&#40;string&#41;&#10;    control_plane_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10;      auto_create &#61; optional&#40;bool, false&#41;&#10;      id          &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    database_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10;      auto_create &#61; optional&#40;bool, false&#41;&#10;      id          &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    description         &#61; optional&#40;string, &#34;Terraform-managed&#34;&#41;&#10;    disable_vpc_peering &#61; optional&#40;bool, false&#41;&#10;    display_name        &#61; optional&#40;string&#41;&#10;    properties          &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    retention           &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#10;  envgroups &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  environments &#61; optional&#40;map&#40;object&#40;&#123;&#10;    description  &#61; optional&#40;string&#41;&#10;    display_name &#61; optional&#40;string&#41;&#10;    envgroups    &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    iam          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;      role    &#61; string&#10;      members &#61; list&#40;string&#41;&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;      role   &#61; string&#10;      member &#61; string&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        expression  &#61; string&#10;        title       &#61; string&#10;        description &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    node_config &#61; optional&#40;object&#40;&#123;&#10;      min_node_count &#61; optional&#40;number&#41;&#10;      max_node_count &#61; optional&#40;number&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    type &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  instances &#61; optional&#40;map&#40;object&#40;&#123;&#10;    disk_encryption_key_config &#61; optional&#40;object&#40;&#123;&#10;      auto_create &#61; optional&#40;bool, false&#41;&#10;      id          &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    environments                  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    external                      &#61; optional&#40;bool, true&#41;&#10;    runtime_ip_cidr_range         &#61; optional&#40;string&#41;&#10;    troubleshooting_ip_cidr_range &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  endpoint_attachments &#61; optional&#40;map&#40;object&#40;&#123;&#10;    region             &#61; string&#10;    service_attachment &#61; string&#10;    dns_names          &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [project_config](variables.tf#L299) | Project configuration. | <code title="object&#40;&#123;&#10;  billing_account_id      &#61; optional&#40;string&#41;&#10;  compute_metadata        &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  contacts                &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  custom_roles            &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  default_service_account &#61; optional&#40;string, &#34;keep&#34;&#41;&#10;  descriptive_name        &#61; optional&#40;string&#41;&#10;  iam                     &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  group_iam               &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role    &#61; string&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    role   &#61; string&#10;    member &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  labels              &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  lien_reason         &#61; optional&#40;string&#41;&#10;  logging_data_access &#61; optional&#40;map&#40;map&#40;list&#40;string&#41;&#41;&#41;, &#123;&#125;&#41;&#10;  log_exclusions      &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  logging_sinks &#61; optional&#40;map&#40;object&#40;&#123;&#10;    bq_partitioned_table &#61; optional&#40;bool&#41;&#10;    description          &#61; optional&#40;string&#41;&#10;    destination          &#61; string&#10;    disabled             &#61; optional&#40;bool, false&#41;&#10;    exclusions           &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;    filter               &#61; string&#10;    iam                  &#61; optional&#40;bool, true&#41;&#10;    type                 &#61; string&#10;    unique_writer        &#61; optional&#40;bool, true&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  metric_scopes &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  name          &#61; string&#10;  org_policies &#61; optional&#40;map&#40;object&#40;&#123;&#10;    inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;    reset               &#61; optional&#40;bool&#41;&#10;    rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;      allow &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      deny &#61; optional&#40;object&#40;&#123;&#10;        all    &#61; optional&#40;bool&#41;&#10;        values &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;      condition &#61; optional&#40;object&#40;&#123;&#10;        description &#61; optional&#40;string&#41;&#10;        expression  &#61; optional&#40;string&#41;&#10;        location    &#61; optional&#40;string&#41;&#10;        title       &#61; optional&#40;string&#41;&#10;      &#125;&#41;, &#123;&#125;&#41;&#10;    &#125;&#41;&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  parent         &#61; optional&#40;string&#41;&#10;  prefix         &#61; optional&#40;string&#41;&#10;  project_create &#61; optional&#40;bool, true&#41;&#10;  vpc_sc &#61; optional&#40;object&#40;&#123;&#10;    perimeter_name    &#61; string&#10;    perimeter_bridges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    is_dry_run        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  services &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  shared_vpc_host_config &#61; optional&#40;object&#40;&#123;&#10;    enabled          &#61; bool&#10;    service_projects &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;&#10;  shared_vpc_service_config &#61; optional&#40;object&#40;&#123;&#10;    host_project         &#61; string&#10;    service_identity_iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;    service_iam_grants   &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#41;&#10;  skip_delete  &#61; optional&#40;bool, false&#41;&#10;  tag_bindings &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |  |
+| [enable_monitoring](variables.tf#L115) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | <code>bool</code> |  | <code>false</code> |  |
+| [ext_lb_config](variables.tf#L121) | External application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  security_policy &#61; optional&#40;object&#40;&#123;&#10;    advanced_options_config &#61; optional&#40;object&#40;&#123;&#10;      json_parsing &#61; optional&#40;object&#40;&#123;&#10;        enable        &#61; optional&#40;bool, false&#41;&#10;        content_types &#61; optional&#40;list&#40;string&#41;&#41;&#10;      &#125;&#41;&#41;&#10;      log_level &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    adaptive_protection_config &#61; optional&#40;object&#40;&#123;&#10;      layer_7_ddos_defense_config &#61; optional&#40;object&#40;&#123;&#10;        enable          &#61; optional&#40;bool, false&#41;&#10;        rule_visibility &#61; optional&#40;string&#41;&#10;      &#125;&#41;&#41;&#10;      auto_deploy_config &#61; optional&#40;object&#40;&#123;&#10;        load_threshold              &#61; optional&#40;number&#41;&#10;        confidence_threshold        &#61; optional&#40;number&#41;&#10;        impacted_baseline_threshold &#61; optional&#40;number&#41;&#10;        expiration_sec              &#61; optional&#40;number&#41;&#10;      &#125;&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    rate_limit_threshold &#61; optional&#40;object&#40;&#123;&#10;      count        &#61; number&#10;      interval_sec &#61; number&#10;    &#125;&#41;&#41;&#10;    forbidden_src_ip_ranges &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    forbidden_regions       &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    preconfigured_waf_rules &#61; optional&#40;map&#40;object&#40;&#123;&#10;      sensitivity      &#61; optional&#40;number&#41;&#10;      opt_in_rule_ids  &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;      opt_out_rule_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ssl_certificates &#61; object&#40;&#123;&#10;    certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      certificate &#61; string&#10;      private_key &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    managed_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      domains     &#61; list&#40;string&#41;&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    self_signed_configs &#61; optional&#40;list&#40;string&#41;, null&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [int_cross_region_lb_config](variables.tf#L192) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  certificate_manager_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [int_lb_config](variables.tf#L220) | Internal application load balancer configuration. | <code title="object&#40;&#123;&#10;  log_sample_rate &#61; optional&#40;number&#41;&#10;  outlier_detection &#61; optional&#40;object&#40;&#123;&#10;    consecutive_errors                    &#61; optional&#40;number&#41;&#10;    consecutive_gateway_failure           &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_errors          &#61; optional&#40;number&#41;&#10;    enforcing_consecutive_gateway_failure &#61; optional&#40;number&#41;&#10;    enforcing_success_rate                &#61; optional&#40;number&#41;&#10;    max_ejection_percent                  &#61; optional&#40;number&#41;&#10;    success_rate_minimum_hosts            &#61; optional&#40;number&#41;&#10;    success_rate_request_volume           &#61; optional&#40;number&#41;&#10;    success_rate_stdev_factor             &#61; optional&#40;number&#41;&#10;    base_ejection_time &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    interval &#61; optional&#40;object&#40;&#123;&#10;      seconds &#61; number&#10;      nanos   &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  ssl_certificates &#61; object&#40;&#123;&#10;    certificate_ids &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;    create_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10;      certificate &#61; string&#10;      private_key &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    self_signed_configs &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |  |
+| [network_config](variables.tf#L256) | Network configuration. | <code title="object&#40;&#123;&#10;  shared_vpc &#61; optional&#40;object&#40;&#123;&#10;    name        &#61; string&#10;    subnets     &#61; map&#40;string&#41;&#10;    subnets_psc &#61; map&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  apigee_vpc &#61; optional&#40;object&#40;&#123;&#10;    name        &#61; optional&#40;string&#41;&#10;    auto_create &#61; optional&#40;bool, true&#41;&#10;    subnets &#61; optional&#40;map&#40;object&#40;&#123;&#10;      id            &#61; optional&#40;string&#41;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    subnets_proxy_only &#61; optional&#40;map&#40;object&#40;&#123;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; string&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;    subnets_psc &#61; optional&#40;map&#40;object&#40;&#123;&#10;      id            &#61; optional&#40;string&#41;&#10;      name          &#61; optional&#40;string&#41;&#10;      ip_cidr_range &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |  |
 
 ## Outputs
 
@@ -478,4 +486,4 @@ module "apigee-x-foundations" {
 | [int_cross_region_lb_ip_addresses](outputs.tf#L32) | Internal IP addresses. |  |  |
 | [int_lb_ip_addresses](outputs.tf#L37) | Internal IP addresses. |  |  |
 | [project_id](outputs.tf#L42) | Project. |  |  |
-<!-- END TFDOC -->
\ No newline at end of file
+<!-- END TFDOC -->
diff --git a/blueprints/apigee/apigee-x-foundations/apigee.tf b/blueprints/apigee/apigee-x-foundations/apigee.tf
index 86c738b859..e7a99bacaa 100644
--- a/blueprints/apigee/apigee-x-foundations/apigee.tf
+++ b/blueprints/apigee/apigee-x-foundations/apigee.tf
@@ -14,24 +14,45 @@
  * limitations under the License.
  */
 
-module "apigee" {
-  source     = "../../../modules/apigee"
-  project_id = module.project.project_id
-  organization = merge(var.apigee_config.organization, var.network_config.apigee_vpc != null && !var.apigee_config.organization.disable_vpc_peering ? {
-    authorized_network = module.apigee_vpc[0].id
-    } : var.network_config.shared_vpc != null && !var.apigee_config.organization.disable_vpc_peering ? {
-    authorized_network = module.shared_vpc[0].id
-    } : {},
-    var.apigee_config.organization.database_encryption_key == null ? {} : {
-      database_encryption_key = module.database_kms[0].keys["database-key"].id
-      }, {
+locals {
+  control_plan_in_eu_or_us = (
+    try(contains(["europe", "us"],
+    split("-", var.apigee_config.organization.api_consumer_data_location)[0]), false)
+  )
+  organization = merge(var.apigee_config.organization,
+    {
+      authorized_network = (var.apigee_config.organization.disable_vpc_peering
+        ? null :
+        try(module.apigee_vpc[0].id, module.shared_vpc[0].id)
+      )
+      database_encryption_key = try(
+        module.database_kms[0].key_ids["database-key"],
+      var.apigee_config.organization.database_encryption_key_config.id)
+      api_consumer_data_encryption_key = try(
+        module.api_consumer_data_kms[0].key_ids["api-consumer-data-key"],
+      var.apigee_config.organization.api_consumer_data_encryption_key_config.id)
+      control_plane_encryption_key = try(
+        module.control_plane_kms[0].key_ids["control-plane-key"],
+      var.apigee_config.organization.control_plane_encryption_key_config.id)
       runtime_type = "CLOUD"
-  })
-  envgroups    = var.apigee_config.envgroups
-  environments = var.apigee_config.environments
-  instances = { for k, v in var.apigee_config.instances : k => merge(v, v.disk_encryption_key == null ? {
-    disk_encryption_key = module.disks_kms[k].key_ids["disk-key"]
-  } : {}) }
+    }
+  )
+  instances = { for k, v in var.apigee_config.instances : k => merge(v, {
+    disk_encryption_key = try(
+      module.disks_kms[k].key_ids["disk-key"],
+      v.disk_encryption_key_config.id,
+      null
+    )
+  }) }
+}
+
+module "apigee" {
+  source               = "../../../modules/apigee"
+  project_id           = module.project.project_id
+  organization         = local.organization
+  envgroups            = var.apigee_config.envgroups
+  environments         = var.apigee_config.environments
+  instances            = local.instances
   endpoint_attachments = var.apigee_config.endpoint_attachments
   addons_config        = var.apigee_config.addons_config
 }
diff --git a/blueprints/apigee/apigee-x-foundations/kms.tf b/blueprints/apigee/apigee-x-foundations/kms.tf
index 120a118ca3..58b1d48d7c 100644
--- a/blueprints/apigee/apigee-x-foundations/kms.tf
+++ b/blueprints/apigee/apigee-x-foundations/kms.tf
@@ -15,21 +15,33 @@
  */
 
 resource "random_id" "database_kms" {
+  count       = var.apigee_config.organization.database_encryption_key_config.auto_create ? 1 : 0
+  byte_length = 4
+}
+
+resource "random_id" "control_plane_kms" {
+  count = (var.apigee_config.organization.control_plane_encryption_key_config.auto_create &&
+  local.control_plan_in_eu_or_us) ? 1 : 0
+  byte_length = 4
+}
+
+resource "random_id" "api_consumer_data_kms" {
+  count       = var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create ? 1 : 0
   byte_length = 4
 }
 
 resource "random_id" "disks_kms" {
-  for_each    = var.apigee_config.instances
+  for_each    = toset([for k, v in var.apigee_config.instances : k if v.disk_encryption_key_config.auto_create])
   byte_length = 4
 }
 
 module "database_kms" {
-  count      = try(var.apigee_config.organization.database_encryption_key, null) == null ? 1 : 0
+  count      = var.apigee_config.organization.database_encryption_key_config.auto_create ? 1 : 0
   source     = "../../../modules/kms"
   project_id = module.project.project_id
   keyring = {
-    location = "global"
-    name     = "apigee-${random_id.database_kms.hex}"
+    location = var.apigee_config.organization.api_consumer_data_location == null ? "global" : var.apigee_config.organization.api_consumer_data_location
+    name     = "apigee-database-${random_id.database_kms[0].hex}"
   }
   keys = {
     database-key = {
@@ -43,13 +55,54 @@ module "database_kms" {
   }
 }
 
+module "api_consumer_data_kms" {
+  count      = var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create ? 1 : 0
+  source     = "../../../modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    location = var.apigee_config.organization.api_consumer_data_location
+    name     = "apigee-api-consumer-data-${random_id.api_consumer_data_kms[0].hex}"
+  }
+  keys = {
+    api-consumer-data-key = {
+      purpose         = "ENCRYPT_DECRYPT"
+      rotation_period = "2592000s"
+      labels          = null
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+      }
+    }
+  }
+}
+
+module "control_plane_kms" {
+  count = (var.apigee_config.organization.control_plane_encryption_key_config.auto_create
+  && local.control_plan_in_eu_or_us ? 1 : 0)
+  source     = "../../../modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    location = var.apigee_config.organization.api_consumer_data_location
+    name     = "apigee-control-plane-${random_id.control_plane_kms[0].hex}"
+  }
+  keys = {
+    control-plane-key = {
+      purpose         = "ENCRYPT_DECRYPT"
+      rotation_period = "2592000s"
+      labels          = null
+      iam = {
+        "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+      }
+    }
+  }
+}
+
 module "disks_kms" {
-  for_each   = var.apigee_config.instances
+  for_each   = toset([for k, v in var.apigee_config.instances : k if v.disk_encryption_key_config.auto_create])
   source     = "../../../modules/kms"
   project_id = module.project.project_id
   keyring = {
     location = each.key
-    name     = "apigee-${each.key}-${random_id.disks_kms[each.key].hex}"
+    name     = "apigee-disk-${each.value}-${random_id.disks_kms[each.value].hex}"
   }
   keys = {
     disk-key = {
diff --git a/blueprints/apigee/apigee-x-foundations/variables.tf b/blueprints/apigee/apigee-x-foundations/variables.tf
index 673493edb4..74f22acc71 100644
--- a/blueprints/apigee/apigee-x-foundations/variables.tf
+++ b/blueprints/apigee/apigee-x-foundations/variables.tf
@@ -25,18 +25,26 @@ variable "apigee_config" {
       monetization        = optional(bool, false)
     }))
     organization = object({
-      analytics_region                 = optional(string)
-      api_consumer_data_encryption_key = optional(string)
-      api_consumer_data_location       = optional(string)
-      authorized_network               = optional(string)
-      billing_type                     = optional(string)
-      control_plane_encryption_key     = optional(string)
-      database_encryption_key          = optional(string)
-      description                      = optional(string, "Terraform-managed")
-      disable_vpc_peering              = optional(bool, false)
-      display_name                     = optional(string)
-      properties                       = optional(map(string), {})
-      retention                        = optional(string)
+      analytics_region = optional(string)
+      api_consumer_data_encryption_key_config = optional(object({
+        auto_create = optional(bool, false)
+        id          = optional(string)
+      }), {})
+      api_consumer_data_location = optional(string)
+      billing_type               = optional(string)
+      control_plane_encryption_key_config = optional(object({
+        auto_create = optional(bool, false)
+        id          = optional(string)
+      }), {})
+      database_encryption_key_config = optional(object({
+        auto_create = optional(bool, false)
+        id          = optional(string)
+      }), {})
+      description         = optional(string, "Terraform-managed")
+      disable_vpc_peering = optional(bool, false)
+      display_name        = optional(string)
+      properties          = optional(map(string), {})
+      retention           = optional(string)
     })
     envgroups = optional(map(list(string)), {})
     environments = optional(map(object({
@@ -69,7 +77,10 @@ variable "apigee_config" {
       type = optional(string)
     })), {})
     instances = optional(map(object({
-      disk_encryption_key           = optional(string)
+      disk_encryption_key_config = optional(object({
+        auto_create = optional(bool, false)
+        id          = optional(string)
+      }), {})
       environments                  = optional(list(string), [])
       external                      = optional(bool, true)
       runtime_ip_cidr_range         = optional(string)
@@ -86,6 +97,18 @@ variable "apigee_config" {
     alltrue([for k, v in var.apigee_config.endpoint_attachments : length(v.dns_names) == 0]))
     error_message = "If disable_vpc_peering is true for the organization, DNS names cannot be used for endpoint attachments."
   }
+  validation {
+    condition     = !(var.apigee_config.organization.database_encryption_key_config.auto_create && var.apigee_config.organization.database_encryption_key_config.id != null)
+    error_message = "If the database encryption key is to be created you should not be passing an id."
+  }
+  validation {
+    condition     = !(var.apigee_config.organization.api_consumer_data_encryption_key_config.auto_create && var.apigee_config.organization.api_consumer_data_encryption_key_config.id != null)
+    error_message = "If the api consumer data encryption key is to be created you should not be passing an id."
+  }
+  validation {
+    condition     = !(var.apigee_config.organization.control_plane_encryption_key_config.auto_create && var.apigee_config.organization.control_plane_encryption_key_config.id != null)
+    error_message = "If the control plane encryption key is to be created you should not be passing an id."
+  }
   nullable = false
 }