feat: Etags in Secret Manager

Users can now use etags for optimistic concurrency control when modifying Secret or SecretVersion. PiperOrigin-RevId: 373836373
4 years ago · bff807490f
parent ed6763de88
commit bff807490f
4 changed files with 40 additions and 38 deletions
--- a/.github/workflows/generate_api_index.yaml
+++ b/.github/workflows/generate_api_index.yaml
@ -1,30 +0,0 @@
-name: Generate API Index
-on:
-  push:
-    branches: [master]
-  workflow_dispatch:
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Setup .NET Core SDK
-        uses: actions/setup-dotnet@v1.8.0
-      - name: Checkout googleapis (this repository)
-        uses: actions/checkout@v2
-      - name: Checkout index generator
-        uses: actions/checkout@v2
-        with:
-          repository: googleapis/googleapis-api-index-generator
-          path: gen
-      - name: Generate API index
-        run: |
-          gen/scripts/generate-schema.sh
-          gen/scripts/generate-index.sh $PWD
-          cp gen/tmp/api-index-v1.json $PWD
-      - name: Commit API index
-        run: |
-          [[ ! $(git diff --exit-code api-index-v1.json) ]] && echo "Nothing to commit." && exit 0
-          git config user.name "Google APIs"
-          git add api-index-v1.json
-          git commit -m "chore: regenerate API index"
-          git push
--- a/google/cloud/secretmanager/v1/resources.proto
+++ b/google/cloud/secretmanager/v1/resources.proto
@ -91,6 +91,9 @@ message Secret {
    google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
  }

+  // Optional. Etag of the currently stored [Secret][google.cloud.secretmanager.v1.Secret].
+  string etag = 8 [(google.api.field_behavior) = OPTIONAL];
+
  // Optional. Rotation policy attached to the [Secret][google.cloud.secretmanager.v1.Secret]. May be excluded if there is no
  // rotation policy.
  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];
@ -141,6 +144,9 @@ message SecretVersion {

  // The replication status of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  ReplicationStatus replication_status = 5;
+
+  // Output only. Etag of the currently stored [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
 }

 // A policy that defines the replication and encryption configuration of data.
@ -286,7 +292,9 @@ message Topic {
 // Manager will send a Pub/Sub notification to the topics configured on the
 // Secret. [Secret.topics][google.cloud.secretmanager.v1.Secret.topics] must be set to configure rotation.
 message Rotation {
-  // Optional. Timestamp in UTC at which the [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate.
+  // Optional. Timestamp in UTC at which the [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate. Cannot be
+  // set to less than 300s (5 min) in the future and at most 3153600000s (100
+  // years).
  //
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] MUST  be set if [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period] is set.
  google.protobuf.Timestamp next_rotation_time = 1 [(google.api.field_behavior) = OPTIONAL];
--- a/google/cloud/secretmanager/v1/secretmanager_v1.yaml
+++ b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
@ -15,7 +15,7 @@ documentation:
 backend:
  rules:
  - selector: 'google.cloud.secretmanager.v1.SecretManagerService.*'
-    deadline: 10.0
+    deadline: 60.0

 authentication:
  rules:
--- a/google/cloud/secretmanager/v1/service.proto
+++ b/google/cloud/secretmanager/v1/service.proto
@ -110,8 +110,8 @@ service SecretManagerService {

  // Gets metadata for a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  //
-  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
-  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  rpc GetSecretVersion(GetSecretVersionRequest) returns (SecretVersion) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/secrets/*/versions/*}"
@ -121,8 +121,8 @@ service SecretManagerService {

  // Accesses a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. This call returns the secret data.
  //
-  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
-  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  rpc AccessSecretVersion(AccessSecretVersionRequest) returns (AccessSecretVersionResponse) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/secrets/*/versions/*}:access"
@ -325,8 +325,9 @@ message ListSecretVersionsResponse {
 message GetSecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`.
-  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
-  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  //
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
@ -348,6 +349,9 @@ message UpdateSecretRequest {
 message AccessSecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`.
+  //
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
@ -378,6 +382,11 @@ message DeleteSecretRequest {
      type: "secretmanager.googleapis.com/Secret"
    }
  ];
+
+  // Optional. Etag of the [Secret][google.cloud.secretmanager.v1.Secret]. The request succeeds if it matches
+  // the etag of the currently stored secret object. If the etag is omitted,
+  // the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }

 // Request message for [SecretManagerService.DisableSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.DisableSecretVersion].
@ -390,6 +399,11 @@ message DisableSecretVersionRequest {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
+
+  // Optional. Etag of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. The request succeeds if it matches
+  // the etag of the currently stored secret version object. If the etag is
+  // omitted, the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }

 // Request message for [SecretManagerService.EnableSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.EnableSecretVersion].
@ -402,6 +416,11 @@ message EnableSecretVersionRequest {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
+
+  // Optional. Etag of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. The request succeeds if it matches
+  // the etag of the currently stored secret version object. If the etag is
+  // omitted, the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }

 // Request message for [SecretManagerService.DestroySecretVersion][google.cloud.secretmanager.v1.SecretManagerService.DestroySecretVersion].
@ -414,4 +433,9 @@ message DestroySecretVersionRequest {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
+
+  // Optional. Etag of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. The request succeeds if it matches
+  // the etag of the currently stored secret version object. If the etag is
+  // omitted, the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }