Using customer managed keys will give administrators control over how data is encrypted to better meet compliance regulations, as well as allow for a more specific key rotation period. Using system-generated keys can sometimes lead to expired or exposed keys remaining in use, leading to insecure data. It is often recommended to use a customer managed key when the service is available.
In GCP Console -
In Terraform -
References:
https://cloud.google.com/dataflow/docs/guides/customer-managed-encryption-keys#cloud_console
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dataflow_job#kms_key_name