feat: Add Secret Version Delayed Destroy changes for client libraries

Google APIs · copybara-github · commit 034570432b14 · 2024-04-21T10:23:24.000-07:00
docs: Users can now enable secret version delayed destruction
PiperOrigin-RevId: 626820938
diff --git a/google/cloud/secretmanager/v1/BUILD.bazel b/google/cloud/secretmanager/v1/BUILD.bazel
@@ -76,12 +76,15 @@ java_gapic_library(
     rest_numeric_enums = True,
     service_yaml = "secretmanager_v1.yaml",
     test_deps = [
+        "//google/cloud/location:location_java_grpc",
         ":secretmanager_java_grpc",
         "//google/iam/v1:iam_java_grpc",
     ],
     transport = "grpc+rest",
     deps = [
         ":secretmanager_java_proto",
+        "//google/api:api_java_proto",
+        "//google/cloud/location:location_java_proto",
         "//google/iam/v1:iam_java_proto",
     ],
 )
@@ -141,6 +144,7 @@ go_gapic_library(
     transport = "grpc+rest",
     deps = [
         ":secretmanager_go_proto",
+        "//google/cloud/location:location_go_proto",
         "//google/iam/v1:iam_go_proto",
         "@io_bazel_rules_go//proto/wkt:duration_go_proto",
     ],
diff --git a/google/cloud/secretmanager/v1/resources.proto b/google/cloud/secretmanager/v1/resources.proto
@@ -41,20 +41,23 @@ message Secret {
   option (google.api.resource) = {
     type: "secretmanager.googleapis.com/Secret"
     pattern: "projects/{project}/secrets/{secret}"
+    pattern: "projects/{project}/locations/{location}/secrets/{secret}"
+    plural: "secrets"
+    singular: "secret"
   };
 
   // Output only. The resource name of the
   // [Secret][google.cloud.secretmanager.v1.Secret] in the format
   // `projects/*/secrets/*`.
   string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Required. Immutable. The replication policy of the secret data attached to
+  // Optional. Immutable. The replication policy of the secret data attached to
   // the [Secret][google.cloud.secretmanager.v1.Secret].
   //
   // The replication policy cannot be changed after the Secret has been created.
   Replication replication = 2 [
     (google.api.field_behavior) = IMMUTABLE,
-    (google.api.field_behavior) = REQUIRED
+    (google.api.field_behavior) = OPTIONAL
   ];
 
   // Output only. The time at which the
@@ -120,7 +123,7 @@ message Secret {
   // No more than 50 aliases can be assigned to a given secret.
   //
   // Version-Alias pairs will be viewable via GetSecret and modifiable via
-  // UpdateSecret. At launch access by alias will only be supported on
+  // UpdateSecret. Access by alias is only be supported on
   // GetSecretVersion and AccessSecretVersion.
   map<string, int64> version_aliases = 11
       [(google.api.field_behavior) = OPTIONAL];
@@ -138,13 +141,37 @@ message Secret {
   //
   // The total size of annotation keys and values must be less than 16KiB.
   map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Secret Version TTL after destruction request
+  //
+  // This is a part of the Delayed secret version destroy feature.
+  // For secret with TTL>0, version destruction doesn't happen immediately
+  // on calling destroy instead the version goes to a disabled state and
+  // destruction happens after the TTL expires.
+  google.protobuf.Duration version_destroy_ttl = 14
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The customer-managed encryption configuration of the Regionalised
+  // Secrets. If no configuration is provided, Google-managed default encryption
+  // is used.
+  //
+  // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption
+  // configuration only apply to
+  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
+  // afterwards. They do not apply retroactively to existing
+  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
+  CustomerManagedEncryption customer_managed_encryption = 15
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // A secret version resource in the Secret Manager API.
 message SecretVersion {
   option (google.api.resource) = {
     type: "secretmanager.googleapis.com/SecretVersion"
     pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
+    pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}"
+    plural: "secretVersions"
+    singular: "secretVersion"
   };
 
   // The state of a
@@ -213,6 +240,22 @@ message SecretVersion {
   // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
   bool client_specified_payload_checksum = 7
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Output only. Scheduled destroy time for secret version.
+  // This is a part of the Delayed secret version destroy feature. For a
+  // Secret with a valid version destroy TTL, when a secert version is
+  // destroyed, the version is moved to disabled state and it is scheduled for
+  // destruction. The version is destroyed only after the
+  // `scheduled_destroy_time`.
+  google.protobuf.Timestamp scheduled_destroy_time = 8
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The customer-managed encryption status of the
+  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
+  // populated if customer-managed encryption is used and
+  // [Secret][google.cloud.secretmanager.v1.Secret] is a Regionalised Secret.
+  CustomerManagedEncryptionStatus customer_managed_encryption = 9
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A policy that defines the replication and encryption configuration of data.
@@ -381,8 +424,9 @@ message Topic {
 
   // Required. The resource name of the Pub/Sub topic that will be published to,
   // in the following format: `projects/*/topics/*`. For publication to succeed,
-  // the Secret Manager P4SA must have `pubsub.publisher` permissions on the
-  // topic.
+  // the Secret Manager service agent must have the `pubsub.topic.publish`
+  // permission on the topic. The Pub/Sub Publisher role
+  // (`roles/pubsub.publisher`) includes this permission.
   string name = 1 [(google.api.field_behavior) = REQUIRED];
 }
 
diff --git a/google/cloud/secretmanager/v1/secretmanager_v1.yaml b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
@@ -4,6 +4,7 @@ name: secretmanager.googleapis.com
 title: Secret Manager API
 
 apis:
+- name: google.cloud.location.Locations
 - name: google.cloud.secretmanager.v1.SecretManagerService
 
 documentation:
@@ -18,15 +19,6 @@ documentation:
   - selector: google.cloud.location.Locations.ListLocations
     description: Lists information about the supported locations for this service.
 
-backend:
-  rules:
-  - selector: google.cloud.location.Locations.GetLocation
-    deadline: 60.0
-  - selector: google.cloud.location.Locations.ListLocations
-    deadline: 60.0
-  - selector: 'google.cloud.secretmanager.v1.SecretManagerService.*'
-    deadline: 60.0
-
 http:
   rules:
   - selector: google.cloud.location.Locations.GetLocation
@@ -48,3 +40,47 @@ authentication:
     oauth:
       canonical_scopes: |-
         https://www.googleapis.com/auth/cloud-platform
+
+publishing:
+  new_issue_uri: https://issuetracker.google.com/issues/new?component=784854&template=1380926
+  documentation_uri: https://cloud.google.com/secret-manager/docs/overview
+  api_short_name: secretmanager
+  github_label: 'api: secretmanager'
+  doc_tag_prefix: secretmanager
+  organization: CLOUD
+  library_settings:
+  - version: google.cloud.secretmanager.v1
+    launch_stage: GA
+    java_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    cpp_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    php_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    python_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    node_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    dotnet_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    ruby_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+    go_settings:
+      common:
+        destinations:
+        - PACKAGE_MANAGER
+  proto_reference_documentation_uri: https://cloud.google.com/secret-manager/docs/reference/rpc
diff --git a/google/cloud/secretmanager/v1/service.proto b/google/cloud/secretmanager/v1/service.proto
