feat: Rotation for Secrets

Users can now configure rotation schedules for their secrets. Secret Manager sends messages to PubSub topics configured on the secret based on the provided rotation frequency and rotation time. Committer: @rlingutla PiperOrigin-RevId: 365574085
googleapis · Mar 29, 2021 · 6c76936 · 6c76936
1 parent 6ce40ff
commit 6c76936
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/google/cloud/secretmanager/v1/BUILD.bazel b/google/cloud/secretmanager/v1/BUILD.bazel
@@ -1,4 +1,13 @@
 # This file was automatically generated by BuildFileGenerator
+# https://github.com/googleapis/rules_gapic/tree/master/bazel
+
+# Most of the manual changes to this file will be overwritten.
+# It's **only** allowed to change the following rule attribute values:
+# - names of *_gapic_assembly_* rules
+# - certain parameters of *_gapic_library rules, including but not limited to:
+#    * extra_protoc_parameters
+#    * extra_protoc_file_parameters
+# The complete list of preserved parameters can be found in the source code.
 
 # This is an API workspace, having public visibility by default makes perfect sense.
 package(default_visibility = ["//visibility:public"])
@@ -120,10 +129,12 @@ go_gapic_library(
     srcs = [":secretmanager_proto_with_info"],
     grpc_service_config = "secretmanager_grpc_service_config.json",
     importpath = "cloud.google.com/go/secretmanager/apiv1;secretmanager",
+    metadata = True,
     service_yaml = "secretmanager_v1.yaml",
     deps = [
         ":secretmanager_go_proto",
         "//google/iam/v1:iam_go_proto",
+        "@io_bazel_rules_go//proto/wkt:duration_go_proto",
     ],
 )
 
@@ -139,6 +150,7 @@ go_gapic_assembly_pkg(
     name = "gapi-cloud-secretmanager-v1-go",
     deps = [
         ":secretmanager_go_gapic",
+        ":secretmanager_go_gapic_srcjar-metadata.srcjar",
         ":secretmanager_go_gapic_srcjar-test.srcjar",
         ":secretmanager_go_proto",
     ],
@@ -159,6 +171,7 @@ py_gapic_library(
     grpc_service_config = "secretmanager_grpc_service_config.json",
 )
 
+# Open Source Packages
 py_gapic_assembly_pkg(
     name = "secretmanager-v1-py",
     deps = [
@@ -244,8 +257,8 @@ nodejs_gapic_assembly_pkg(
 ##############################################################################
 load(
     "@com_google_googleapis_imports//:imports.bzl",
-    "ruby_gapic_assembly_pkg",
     "ruby_cloud_gapic_library",
+    "ruby_gapic_assembly_pkg",
     "ruby_grpc_library",
     "ruby_proto_library",
 )
@@ -265,11 +278,11 @@ ruby_cloud_gapic_library(
     name = "secretmanager_ruby_gapic",
     srcs = [":secretmanager_proto_with_info"],
     extra_protoc_parameters = [
-        "ruby-cloud-gem-name=google-cloud-secret_manager-v1",
-        "ruby-cloud-env-prefix=SECRET_MANAGER",
-        "ruby-cloud-product-url=https://cloud.google.com/secret-manager",
         "ruby-cloud-api-id=secretmanager.googleapis.com",
         "ruby-cloud-api-shortname=secretmanager",
+        "ruby-cloud-env-prefix=SECRET_MANAGER",
+        "ruby-cloud-gem-name=google-cloud-secret_manager-v1",
+        "ruby-cloud-product-url=https://cloud.google.com/secret-manager",
     ],
     grpc_service_config = "secretmanager_grpc_service_config.json",
     ruby_cloud_description = "Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.",

diff --git a/google/cloud/secretmanager/v1/resources.proto b/google/cloud/secretmanager/v1/resources.proto
@@ -90,6 +90,10 @@ message Secret {
     // Input only. The TTL for the [Secret][google.cloud.secretmanager.v1.Secret].
     google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
   }
+
+  // Optional. Rotation policy attached to the [Secret][google.cloud.secretmanager.v1.Secret]. May be excluded if there is no
+  // rotation policy.
+  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // A secret version resource in the Secret Manager API.
@@ -278,6 +282,24 @@ message Topic {
   string name = 1 [(google.api.field_behavior) = REQUIRED];
 }
 
+// The rotation time and period for a [Secret][google.cloud.secretmanager.v1.Secret]. At next_rotation_time, Secret
+// Manager will send a Pub/Sub notification to the topics configured on the
+// Secret. [Secret.topics][google.cloud.secretmanager.v1.Secret.topics] must be set to configure rotation.
+message Rotation {
+  // Optional. Timestamp in UTC at which the [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate.
+  //
+  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] MUST  be set if [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period] is set.
+  google.protobuf.Timestamp next_rotation_time = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Input only. The Duration between rotation notifications. Must be in seconds
+  // and at least 3600s (1h) and at most 3153600000s (100 years).
+  //
+  // If [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period] is set, [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] must be set.
+  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time] will be advanced by this period when the service
+  // automatically sends rotation notifications.
+  google.protobuf.Duration rotation_period = 2 [(google.api.field_behavior) = INPUT_ONLY];
+}
+
 // A secret payload resource in the Secret Manager API. This contains the
 // sensitive secret payload that is associated with a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
 message SecretPayload {