feat: Rotation for Secrets

Google APIs · copybara-github · commit 6c7693680fe3 · 2021-03-29T07:58:57.000-07:00
Users can now configure rotation schedules for their secrets. Secret Manager sends messages to PubSub topics configured on the secret based on the provided rotation frequency and rotation time. Committer: @rlingutla PiperOrigin-RevId: 365574085
diff --git a/google/cloud/secretmanager/v1/BUILD.bazel b/google/cloud/secretmanager/v1/BUILD.bazel
@@ -1,4 +1,13 @@
 # This file was automatically generated by BuildFileGenerator
+# https://github.com/googleapis/rules_gapic/tree/master/bazel
+
+# Most of the manual changes to this file will be overwritten.
+# It's **only** allowed to change the following rule attribute values:
+# - names of *_gapic_assembly_* rules
+# - certain parameters of *_gapic_library rules, including but not limited to:
+#    * extra_protoc_parameters
+#    * extra_protoc_file_parameters
+# The complete list of preserved parameters can be found in the source code.
 
 # This is an API workspace, having public visibility by default makes perfect sense.
 package(default_visibility = ["//visibility:public"])
@@ -120,10 +129,12 @@ go_gapic_library(
     srcs = [":secretmanager_proto_with_info"],
     grpc_service_config = "secretmanager_grpc_service_config.json",
     importpath = "cloud.google.com/go/secretmanager/apiv1;secretmanager",
+    metadata = True,
     service_yaml = "secretmanager_v1.yaml",
     deps = [
         ":secretmanager_go_proto",
         "//google/iam/v1:iam_go_proto",
+        "@io_bazel_rules_go//proto/wkt:duration_go_proto",
     ],
 )
 
@@ -139,6 +150,7 @@ go_gapic_assembly_pkg(
     name = "gapi-cloud-secretmanager-v1-go",
     deps = [
         ":secretmanager_go_gapic",
+        ":secretmanager_go_gapic_srcjar-metadata.srcjar",
         ":secretmanager_go_gapic_srcjar-test.srcjar",
         ":secretmanager_go_proto",
     ],
@@ -159,6 +171,7 @@ py_gapic_library(
     grpc_service_config = "secretmanager_grpc_service_config.json",
 )
 
+# Open Source Packages
 py_gapic_assembly_pkg(
     name = "secretmanager-v1-py",
     deps = [
@@ -244,8 +257,8 @@ nodejs_gapic_assembly_pkg(
 ##############################################################################
 load(
     "@com_google_googleapis_imports//:imports.bzl",
-    "ruby_gapic_assembly_pkg",
     "ruby_cloud_gapic_library",
+    "ruby_gapic_assembly_pkg",
     "ruby_grpc_library",
     "ruby_proto_library",
 )
@@ -265,11 +278,11 @@ ruby_cloud_gapic_library(
     name = "secretmanager_ruby_gapic",
     srcs = [":secretmanager_proto_with_info"],
     extra_protoc_parameters = [
-        "ruby-cloud-gem-name=google-cloud-secret_manager-v1",
-        "ruby-cloud-env-prefix=SECRET_MANAGER",
-        "ruby-cloud-product-url=https://cloud.google.com/secret-manager",
         "ruby-cloud-api-id=secretmanager.googleapis.com",
         "ruby-cloud-api-shortname=secretmanager",
+        "ruby-cloud-env-prefix=SECRET_MANAGER",
+        "ruby-cloud-gem-name=google-cloud-secret_manager-v1",
+        "ruby-cloud-product-url=https://cloud.google.com/secret-manager",
     ],
     grpc_service_config = "secretmanager_grpc_service_config.json",
     ruby_cloud_description = "Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.",
diff --git a/google/cloud/secretmanager/v1/resources.proto b/google/cloud/secretmanager/v1/resources.proto
@@ -90,6 +90,10 @@ message Secret {
     // Input only. The TTL for the [Secret][google.cloud.secretmanager.v1.Secret].
     google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
   }
+
+  // Optional. Rotation policy attached to the [Secret][google.cloud.secretmanager.v1.Secret]. May be excluded if there is no
+  // rotation policy.
+  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // A secret version resource in the Secret Manager API.
@@ -278,6 +282,24 @@ message Topic {
   string name = 1 [(google.api.field_behavior) = REQUIRED];
 }
 
+// The rotation time and period for a [Secret][google.cloud.secretmanager.v1.Secret]. At next_rotation_time, Secret
+// Manager will send a Pub/Sub notification to the topics configured on the
+// Secret. [Secret.topics][google.cloud.secretmanager.v1.Secret.topics] must be set to configure rotation.
+message Rotation {
+  // Optional. Timestamp in UTC at which the [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate.
+  //
+  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] MUST  be set if [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period] is set.
+  google.protobuf.Timestamp next_rotation_time = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Input only. The Duration between rotation notifications. Must be in seconds
+  // and at least 3600s (1h) and at most 3153600000s (100 years).
+  //
+  // If [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period] is set, [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] must be set.
+  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] will be advanced by this period when the service
+  // automatically sends rotation notifications.
+  google.protobuf.Duration rotation_period = 2 [(google.api.field_behavior) = INPUT_ONLY];
+}
+
 // A secret payload resource in the Secret Manager API. This contains the
 // sensitive secret payload that is associated with a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
 message SecretPayload {
