feat: added support for CMEK (#188)

- [ ] Regenerate this pull request now. docs: clarified wording around quota usage Clients can now specify the docker registry to use for storing function Docker images and KMS crypto keys for function source code objects. PiperOrigin-RevId: 453234231 Source-Link: googleapis/googleapis@d180952 Source-Link: googleapis/googleapis-gen@836ff24 Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiODM2ZmYyNGI3ZTg4MWVmNDZhY2QxNzgzNmM0NmVkMWE5ODMyYjE5NSJ9
googleapis · Jun 6, 2022 · fa7d695 · fa7d695
1 parent ecd0fff
commit fa7d695
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 16 deletions.
diff --git a/google/cloud/functions_v1/services/cloud_functions_service/async_client.py b/google/cloud/functions_v1/services/cloud_functions_service/async_client.py
@@ -375,7 +375,6 @@ async def sample_get_function():
                 contains user computation executed in
                 response to an event. It encapsulate
                 function and triggers configurations.
-                Next tag: 36
 
         """
         # Create or coerce a protobuf request object.
@@ -500,7 +499,7 @@ async def sample_create_function():
 
                 The result type for the operation will be :class:`google.cloud.functions_v1.types.CloudFunction` Describes a Cloud Function that contains user computation executed in
                    response to an event. It encapsulate function and
-                   triggers configurations. Next tag: 36
+                   triggers configurations.
 
         """
         # Create or coerce a protobuf request object.
@@ -615,7 +614,7 @@ async def sample_update_function():
 
                 The result type for the operation will be :class:`google.cloud.functions_v1.types.CloudFunction` Describes a Cloud Function that contains user computation executed in
                    response to an event. It encapsulate function and
-                   triggers configurations. Next tag: 36
+                   triggers configurations.
 
         """
         # Create or coerce a protobuf request object.

diff --git a/google/cloud/functions_v1/services/cloud_functions_service/client.py b/google/cloud/functions_v1/services/cloud_functions_service/client.py
@@ -625,7 +625,6 @@ def sample_get_function():
                 contains user computation executed in
                 response to an event. It encapsulate
                 function and triggers configurations.
-                Next tag: 36
 
         """
         # Create or coerce a protobuf request object.
@@ -740,7 +739,7 @@ def sample_create_function():
 
                 The result type for the operation will be :class:`google.cloud.functions_v1.types.CloudFunction` Describes a Cloud Function that contains user computation executed in
                    response to an event. It encapsulate function and
-                   triggers configurations. Next tag: 36
+                   triggers configurations.
 
         """
         # Create or coerce a protobuf request object.
@@ -855,7 +854,7 @@ def sample_update_function():
 
                 The result type for the operation will be :class:`google.cloud.functions_v1.types.CloudFunction` Describes a Cloud Function that contains user computation executed in
                    response to an event. It encapsulate function and
-                   triggers configurations. Next tag: 36
+                   triggers configurations.
 
         """
         # Create or coerce a protobuf request object.

diff --git a/google/cloud/functions_v1/types/functions.py b/google/cloud/functions_v1/types/functions.py
@@ -58,7 +58,7 @@ class CloudFunctionStatus(proto.Enum):
 class CloudFunction(proto.Message):
     r"""Describes a Cloud Function that contains user computation
     executed in response to an event. It encapsulate function and
-    triggers configurations. Next tag: 36
+    triggers configurations.
 
     This message has `oneof`_ fields (mutually exclusive fields).
     For each oneof, at most one member field can be set at the same time.
@@ -212,8 +212,10 @@ class CloudFunction(proto.Message):
             repository using the ``docker_repository`` field that was
             created with the same KMS crypto key.
 
-            The following service accounts need to be granted Cloud KMS
-            crypto key encrypter/decrypter roles on the key.
+            The following service accounts need to be granted the role
+            'Cloud KMS CryptoKey Encrypter/Decrypter
+            (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the
+            Key/KeyRing/Project/Organization (least access preferred).
 
             1. Google Cloud Functions service account
                (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com)
@@ -275,6 +277,14 @@ class CloudFunction(proto.Message):
             Cross-project repositories are not supported. Cross-location
             repositories are not supported. Repository format must be
             'DOCKER'.
+        docker_registry (google.cloud.functions_v1.types.CloudFunction.DockerRegistry):
+            Docker Registry to use for this deployment.
+
+            If ``docker_repository`` field is specified, this field will
+            be automatically set as ``ARTIFACT_REGISTRY``. If
+            unspecified, it currently defaults to
+            ``CONTAINER_REGISTRY``. This field may be overridden by the
+            backend for eligible deployments.
     """
 
     class VpcConnectorEgressSettings(proto.Enum):
@@ -299,6 +309,12 @@ class IngressSettings(proto.Enum):
         ALLOW_INTERNAL_ONLY = 2
         ALLOW_INTERNAL_AND_GCLB = 3
 
+    class DockerRegistry(proto.Enum):
+        r"""Docker Registry to use for storing function Docker images."""
+        DOCKER_REGISTRY_UNSPECIFIED = 0
+        CONTAINER_REGISTRY = 1
+        ARTIFACT_REGISTRY = 2
+
     name = proto.Field(
         proto.STRING,
         number=1,
@@ -445,6 +461,11 @@ class IngressSettings(proto.Enum):
         proto.STRING,
         number=34,
     )
+    docker_registry = proto.Field(
+        proto.ENUM,
+        number=35,
+        enum=DockerRegistry,
+    )
 
 
 class SourceRepository(proto.Message):
@@ -626,9 +647,7 @@ class Retry(proto.Message):
 class SecretEnvVar(proto.Message):
     r"""Configuration for a secret environment variable. It has the
     information necessary to fetch the secret value from secret
-    manager and expose it as an environment variable. Secret value
-    is not a part of the configuration. Secret values are only
-    fetched when a new clone starts.
+    manager and expose it as an environment variable.
 
     Attributes:
         key (str):
@@ -648,7 +667,7 @@ class SecretEnvVar(proto.Message):
             string 'latest'). It is recommended to use a
             numeric version for secret environment variables
             as any updates to the secret value is not
-            reflected until new clones start.
+            reflected until new instances start.
     """
 
     key = proto.Field(
@@ -779,8 +798,8 @@ class UpdateFunctionRequest(proto.Message):
         function (google.cloud.functions_v1.types.CloudFunction):
             Required. New version of the function.
         update_mask (google.protobuf.field_mask_pb2.FieldMask):
-            Required list of fields to be updated in this
-            request.
+            Required. The list of fields in ``CloudFunction`` that have
+            to be updated.
     """
 
     function = proto.Field(
@@ -956,12 +975,37 @@ class GenerateUploadUrlRequest(proto.Message):
             The project and location in which the Google Cloud Storage
             signed URL should be generated, specified in the format
             ``projects/*/locations/*``.
+        kms_key_name (str):
+            Resource name of a KMS crypto key (managed by the user) used
+            to encrypt/decrypt function source code objects in staging
+            Cloud Storage buckets. When you generate an upload url and
+            upload your source code, it gets copied to a staging Cloud
+            Storage bucket in an internal regional project. The source
+            code is then copied to a versioned directory in the sources
+            bucket in the consumer project during the function
+            deployment.
+
+            It must match the pattern
+            ``projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}``.
+
+            The Google Cloud Functions service account
+            (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com)
+            must be granted the role 'Cloud KMS CryptoKey
+            Encrypter/Decrypter
+            (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the
+            Key/KeyRing/Project/Organization (least access preferred).
+            GCF will delegate access to the Google Storage service
+            account in the internal project.
     """
 
     parent = proto.Field(
         proto.STRING,
         number=1,
     )
+    kms_key_name = proto.Field(
+        proto.STRING,
+        number=2,
+    )
 
 
 class GenerateUploadUrlResponse(proto.Message):

diff --git a/scripts/fixup_functions_v1_keywords.py b/scripts/fixup_functions_v1_keywords.py
@@ -43,7 +43,7 @@ class functionsCallTransformer(cst.CSTTransformer):
         'create_function': ('location', 'function', ),
         'delete_function': ('name', ),
         'generate_download_url': ('name', 'version_id', ),
-        'generate_upload_url': ('parent', ),
+        'generate_upload_url': ('parent', 'kms_key_name', ),
         'get_function': ('name', ),
         'get_iam_policy': ('resource', 'options', ),
         'list_functions': ('parent', 'page_size', 'page_token', ),

diff --git a/tests/unit/gapic/functions_v1/test_cloud_functions_service.py b/tests/unit/gapic/functions_v1/test_cloud_functions_service.py
@@ -1073,6 +1073,7 @@ def test_get_function(request_type, transport: str = "grpc"):
             build_name="build_name_value",
             source_token="source_token_value",
             docker_repository="docker_repository_value",
+            docker_registry=functions.CloudFunction.DockerRegistry.CONTAINER_REGISTRY,
             source_archive_url="source_archive_url_value",
             https_trigger=functions.HttpsTrigger(url="url_value"),
         )
@@ -1110,6 +1111,10 @@ def test_get_function(request_type, transport: str = "grpc"):
     assert response.build_name == "build_name_value"
     assert response.source_token == "source_token_value"
     assert response.docker_repository == "docker_repository_value"
+    assert (
+        response.docker_registry
+        == functions.CloudFunction.DockerRegistry.CONTAINER_REGISTRY
+    )
 
 
 def test_get_function_empty_call():
@@ -1166,6 +1171,7 @@ async def test_get_function_async(
                 build_name="build_name_value",
                 source_token="source_token_value",
                 docker_repository="docker_repository_value",
+                docker_registry=functions.CloudFunction.DockerRegistry.CONTAINER_REGISTRY,
             )
         )
         response = await client.get_function(request)
@@ -1202,6 +1208,10 @@ async def test_get_function_async(
     assert response.build_name == "build_name_value"
     assert response.source_token == "source_token_value"
     assert response.docker_repository == "docker_repository_value"
+    assert (
+        response.docker_registry
+        == functions.CloudFunction.DockerRegistry.CONTAINER_REGISTRY
+    )
 
 
 @pytest.mark.asyncio