The way we manage keys is documented in KMS encryption for GCP resources . All things mentioned here were taken from https://cloud.google.com/docs/security/encryption/default-encryption .
Brief overview of our encryption at rest:
Everything in GCP is encrypted at rest by default.
Everything that allows us to manage the encryption keys has them managed by us.
All the things regarding encryption that were setup by us, are handled in Terraform.