feat: Etags in Secret Manager

Users can now use etags for optimistic concurrency control when modifying Secret or SecretVersion. PiperOrigin-RevId: 373836373
googleapis · May 14, 2021 · bff8074 · bff8074
1 parent ed6763d
commit bff8074
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 38 deletions.
diff --git a/.github/workflows/generate_api_index.yaml b/.github/workflows/generate_api_index.yaml
diff --git a/google/cloud/secretmanager/v1/resources.proto b/google/cloud/secretmanager/v1/resources.proto
@@ -91,6 +91,9 @@ message Secret {
     google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
   }
 
+  // Optional. Etag of the currently stored [Secret][google.cloud.secretmanager.v1.Secret].
+  string etag = 8 [(google.api.field_behavior) = OPTIONAL];
+
   // Optional. Rotation policy attached to the [Secret][google.cloud.secretmanager.v1.Secret]. May be excluded if there is no
   // rotation policy.
   Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];
@@ -141,6 +144,9 @@ message SecretVersion {
 
   // The replication status of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   ReplicationStatus replication_status = 5;
+
+  // Output only. Etag of the currently stored [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A policy that defines the replication and encryption configuration of data.
@@ -286,7 +292,9 @@ message Topic {
 // Manager will send a Pub/Sub notification to the topics configured on the
 // Secret. [Secret.topics][google.cloud.secretmanager.v1.Secret.topics] must be set to configure rotation.
 message Rotation {
-  // Optional. Timestamp in UTC at which the [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate.
+  // Optional. Timestamp in UTC at which the [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate. Cannot be
+  // set to less than 300s (5 min) in the future and at most 3153600000s (100
+  // years).
   //
   // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] MUST  be set if [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period] is set.
   google.protobuf.Timestamp next_rotation_time = 1 [(google.api.field_behavior) = OPTIONAL];

diff --git a/google/cloud/secretmanager/v1/secretmanager_v1.yaml b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
@@ -15,7 +15,7 @@ documentation:
 backend:
   rules:
   - selector: 'google.cloud.secretmanager.v1.SecretManagerService.*'
-    deadline: 10.0
+    deadline: 60.0
 
 authentication:
   rules:

diff --git a/google/cloud/secretmanager/v1/service.proto b/google/cloud/secretmanager/v1/service.proto
@@ -110,8 +110,8 @@ service SecretManagerService {
 
   // Gets metadata for a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   //
-  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
-  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   rpc GetSecretVersion(GetSecretVersionRequest) returns (SecretVersion) {
     option (google.api.http) = {
       get: "/v1/{name=projects/*/secrets/*/versions/*}"
@@ -121,8 +121,8 @@ service SecretManagerService {
 
   // Accesses a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. This call returns the secret data.
   //
-  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
-  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   rpc AccessSecretVersion(AccessSecretVersionRequest) returns (AccessSecretVersionResponse) {
     option (google.api.http) = {
       get: "/v1/{name=projects/*/secrets/*/versions/*}:access"
@@ -325,8 +325,9 @@ message ListSecretVersionsResponse {
 message GetSecretVersionRequest {
   // Required. The resource name of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
   // `projects/*/secrets/*/versions/*`.
-  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
-  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+  //
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -348,6 +349,9 @@ message UpdateSecretRequest {
 message AccessSecretVersionRequest {
   // Required. The resource name of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
   // `projects/*/secrets/*/versions/*`.
+  //
+  // `projects/*/secrets/*/versions/latest` is an alias to the most recently
+  // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -378,6 +382,11 @@ message DeleteSecretRequest {
       type: "secretmanager.googleapis.com/Secret"
     }
   ];
+
+  // Optional. Etag of the [Secret][google.cloud.secretmanager.v1.Secret]. The request succeeds if it matches
+  // the etag of the currently stored secret object. If the etag is omitted,
+  // the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Request message for [SecretManagerService.DisableSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.DisableSecretVersion].
@@ -390,6 +399,11 @@ message DisableSecretVersionRequest {
       type: "secretmanager.googleapis.com/SecretVersion"
     }
   ];
+
+  // Optional. Etag of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. The request succeeds if it matches
+  // the etag of the currently stored secret version object. If the etag is
+  // omitted, the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Request message for [SecretManagerService.EnableSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.EnableSecretVersion].
@@ -402,6 +416,11 @@ message EnableSecretVersionRequest {
       type: "secretmanager.googleapis.com/SecretVersion"
     }
   ];
+
+  // Optional. Etag of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. The request succeeds if it matches
+  // the etag of the currently stored secret version object. If the etag is
+  // omitted, the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Request message for [SecretManagerService.DestroySecretVersion][google.cloud.secretmanager.v1.SecretManagerService.DestroySecretVersion].
@@ -414,4 +433,9 @@ message DestroySecretVersionRequest {
       type: "secretmanager.googleapis.com/SecretVersion"
     }
   ];
+
+  // Optional. Etag of the [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. The request succeeds if it matches
+  // the etag of the currently stored secret version object. If the etag is
+  // omitted, the request succeeds.
+  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
 }