feat: A new field ssl_config is added to message .google.cloud.datastream.v1.PostgresqlProfile

Google APIs · copybara-github · commit 5c2ccb6470e6 · 2025-01-20T07:21:29.000-08:00
feat: A new message `PostgresqlSslConfig` is added
docs: A comment for message `OracleAsmConfig` is changed
docs: A comment for field `password` in message `.google.cloud.datastream.v1.OracleAsmConfig` is changed
docs: A comment for field `name` in message `.google.cloud.datastream.v1.PrivateConnection` is changed
docs: A comment for field `name` in message `.google.cloud.datastream.v1.Route` is changed
docs: A comment for field `name` in message `.google.cloud.datastream.v1.ConnectionProfile` is changed
docs: A comment for field `name` in message `.google.cloud.datastream.v1.Stream` is changed
docs: A comment for field `name` in message `.google.cloud.datastream.v1.StreamObject` is changed

PiperOrigin-RevId: 717526711
diff --git a/google/cloud/datastream/v1/datastream_resources.proto b/google/cloud/datastream/v1/datastream_resources.proto
@@ -70,6 +70,7 @@ message OracleProfile {
 }
 
 // Configuration for Oracle Automatic Storage Management (ASM) connection.
+// .
 message OracleAsmConfig {
   // Required. Hostname for the Oracle ASM connection.
   string hostname = 1 [(google.api.field_behavior) = REQUIRED];
@@ -80,8 +81,8 @@ message OracleAsmConfig {
   // Required. Username for the Oracle ASM connection.
   string username = 3 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. Password for the Oracle ASM connection.
-  string password = 4 [(google.api.field_behavior) = REQUIRED];
+  // Optional. Password for the Oracle ASM connection.
+  string password = 4 [(google.api.field_behavior) = OPTIONAL];
 
   // Required. ASM service name for the Oracle ASM connection.
   string asm_service = 5 [(google.api.field_behavior) = REQUIRED];
@@ -135,6 +136,12 @@ message PostgresqlProfile {
 
   // Required. Database for the PostgreSQL connection.
   string database = 5 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. SSL configuration for the PostgreSQL connection.
+  // In case PostgresqlSslConfig is not set, the connection will use the default
+  // SSL mode, which is `prefer` (i.e. this mode will only use encryption if
+  // enabled from database side, otherwise will use unencrypted communication)
+  PostgresqlSslConfig ssl_config = 7 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // SQLServer database profile.
@@ -239,8 +246,11 @@ message PrivateConnection {
     FAILED_TO_DELETE = 5;
   }
 
-  // Output only. The resource's name.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Identifier. The resource's name.
+  string name = 1 [
+    (google.api.field_behavior) = IDENTIFIER,
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
 
   // Output only. The create time of the resource.
   google.protobuf.Timestamp create_time = 2
@@ -287,8 +297,11 @@ message Route {
     pattern: "projects/{project}/locations/{location}/privateConnections/{private_connection}/routes/{route}"
   };
 
-  // Output only. The resource's name.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Identifier. The resource's name.
+  string name = 1 [
+    (google.api.field_behavior) = IDENTIFIER,
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
 
   // Output only. The create time of the resource.
   google.protobuf.Timestamp create_time = 2
@@ -348,6 +361,67 @@ message OracleSslConfig {
   bool ca_certificate_set = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
+// PostgreSQL SSL configuration information.
+message PostgresqlSslConfig {
+  // Message represents the option where Datastream will enforce the encryption
+  // and authenticate the server identity. ca_certificate must be set if user
+  // selects this option.
+  message ServerVerification {
+    // Required. Input only. PEM-encoded server root CA certificate.
+    string ca_certificate = 1 [
+      (google.api.field_behavior) = INPUT_ONLY,
+      (google.api.field_behavior) = REQUIRED
+    ];
+  }
+
+  // Message represents the option where Datastream will enforce the encryption
+  // and authenticate the server identity as well as the client identity.
+  // ca_certificate, client_certificate and client_key must be set if user
+  // selects this option.
+  message ServerAndClientVerification {
+    // Required. Input only. PEM-encoded certificate used by the source database
+    // to authenticate the client identity (i.e., the Datastream's identity).
+    // This certificate is signed by either a root certificate trusted by the
+    // server or one or more intermediate certificates (which is stored with the
+    // leaf certificate) to link the this certificate to the trusted root
+    // certificate.
+    string client_certificate = 1 [
+      (google.api.field_behavior) = INPUT_ONLY,
+      (google.api.field_behavior) = REQUIRED
+    ];
+
+    // Required. Input only. PEM-encoded private key associated with the client
+    // certificate. This value will be used during the SSL/TLS handshake,
+    // allowing the PostgreSQL server to authenticate the client's identity,
+    // i.e. identity of the Datastream.
+    string client_key = 2 [
+      (google.api.field_behavior) = INPUT_ONLY,
+      (google.api.field_behavior) = REQUIRED
+    ];
+
+    // Required. Input only. PEM-encoded server root CA certificate.
+    string ca_certificate = 3 [
+      (google.api.field_behavior) = INPUT_ONLY,
+      (google.api.field_behavior) = REQUIRED
+    ];
+  }
+
+  // The encryption settings available for PostgreSQL connection profiles.
+  // This captures various SSL mode supported by PostgreSQL, which includes
+  // TLS encryption with server verification, TLS encryption with both server
+  // and client verification and no TLS encryption.
+  oneof encryption_setting {
+    //  If this field is set, the communication will be encrypted with TLS
+    //  encryption and the server identity will be authenticated.
+    ServerVerification server_verification = 1;
+
+    // If this field is set, the communication will be encrypted with TLS
+    // encryption and both the server identity and the client identity will be
+    // authenticated.
+    ServerAndClientVerification server_and_client_verification = 2;
+  }
+}
+
 // A set of reusable connection configurations to be used as a source or
 // destination for a stream.
 message ConnectionProfile {
@@ -356,8 +430,11 @@ message ConnectionProfile {
     pattern: "projects/{project}/locations/{location}/connectionProfiles/{connection_profile}"
   };
 
-  // Output only. The resource's name.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Identifier. The resource's name.
+  string name = 1 [
+    (google.api.field_behavior) = IDENTIFIER,
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
 
   // Output only. The create time of the resource.
   google.protobuf.Timestamp create_time = 2
@@ -1024,8 +1101,11 @@ message Stream {
   // Backfill strategy to disable automatic backfill for the Stream's objects.
   message BackfillNoneStrategy {}
 
-  // Output only. The stream's name.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Identifier. The stream's name.
+  string name = 1 [
+    (google.api.field_behavior) = IDENTIFIER,
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
 
   // Output only. The creation time of the stream.
   google.protobuf.Timestamp create_time = 2
@@ -1084,8 +1164,11 @@ message StreamObject {
     pattern: "projects/{project}/locations/{location}/streams/{stream}/objects/{object}"
   };
 
-  // Output only. The object resource's name.
-  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  // Output only. Identifier. The object resource's name.
+  string name = 1 [
+    (google.api.field_behavior) = IDENTIFIER,
+    (google.api.field_behavior) = OUTPUT_ONLY
+  ];
 
   // Output only. The creation time of the object.
   google.protobuf.Timestamp create_time = 2
