authorGoogle APIs <noreply@google.com>2024-04-21 10:22:28 -0700
committerCopybara-Service <copybara-worker@google.com>2024-04-21 10:23:24 -0700
commit034570432b14b429c5f597701132b6d9ceb553a2 (patch)
tree714c6d4100862287ed65d15a3799d9599ee3706a
parentc1624aee4d7998f516b5b42b6740538b7b8b1cf3 (diff)
downloadgoogleapis-034570432b14b429c5f597701132b6d9ceb553a2.tar.gz
feat: Add Secret Version Delayed Destroy changes for client libraries
docs: Users can now enable secret version delayed destruction

PiperOrigin-RevId: 626820938
-rw-r--r--google/cloud/secretmanager/v1/BUILD.bazel4
-rw-r--r--google/cloud/secretmanager/v1/resources.proto54
-rw-r--r--google/cloud/secretmanager/v1/secretmanager_v1.yaml54
-rw-r--r--google/cloud/secretmanager/v1/service.proto106
4 files changed, 184 insertions, 34 deletions
diff --git a/google/cloud/secretmanager/v1/BUILD.bazel b/google/cloud/secretmanager/v1/BUILD.bazel
index 96e89cf11..ef9e07f48 100644
--- a/google/cloud/secretmanager/v1/BUILD.bazel
+++ b/google/cloud/secretmanager/v1/BUILD.bazel
@@ -76,12 +76,15 @@ java_gapic_library(
rest_numeric_enums = True,
service_yaml = "secretmanager_v1.yaml",
test_deps = [
+ "//google/cloud/location:location_java_grpc",
":secretmanager_java_grpc",
"//google/iam/v1:iam_java_grpc",
],
transport = "grpc+rest",
deps = [
":secretmanager_java_proto",
+ "//google/api:api_java_proto",
+ "//google/cloud/location:location_java_proto",
"//google/iam/v1:iam_java_proto",
],
)
@@ -141,6 +144,7 @@ go_gapic_library(
transport = "grpc+rest",
deps = [
":secretmanager_go_proto",
+ "//google/cloud/location:location_go_proto",
"//google/iam/v1:iam_go_proto",
"@io_bazel_rules_go//proto/wkt:duration_go_proto",
],
diff --git a/google/cloud/secretmanager/v1/resources.proto b/google/cloud/secretmanager/v1/resources.proto
index 7268accfe..7adce715a 100644
--- a/google/cloud/secretmanager/v1/resources.proto
+++ b/google/cloud/secretmanager/v1/resources.proto
@@ -41,6 +41,9 @@ message Secret {
option (google.api.resource) = {
type: "secretmanager.googleapis.com/Secret"
pattern: "projects/{project}/secrets/{secret}"
+ pattern: "projects/{project}/locations/{location}/secrets/{secret}"
+ plural: "secrets"
+ singular: "secret"
};
// Output only. The resource name of the
@@ -48,13 +51,13 @@ message Secret {
// `projects/*/secrets/*`.
string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
- // Required. Immutable. The replication policy of the secret data attached to
+ // Optional. Immutable. The replication policy of the secret data attached to
// the [Secret][google.cloud.secretmanager.v1.Secret].
//
// The replication policy cannot be changed after the Secret has been created.
Replication replication = 2 [
(google.api.field_behavior) = IMMUTABLE,
- (google.api.field_behavior) = REQUIRED
+ (google.api.field_behavior) = OPTIONAL
];
// Output only. The time at which the
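Review bot: The format comment on `Secret.name`, whose last line is the first context line of this hunk, still lists only the project-scoped format even though the resource pattern above and every request message in this commit now also accept the `locations/*` form; that line should list both formats the way GetSecretRequest does. Relaxing `replication` from REQUIRED to OPTIONAL also leaves the comment silent on when the field may be omitted and what the server does in that case — presumably it is required for project-scoped secrets and not applicable to location-scoped ones, but that rule should be stated so callers can rely on it, particularly since the field is IMMUTABLE and cannot be fixed afterwards. The Secret message continues outside the hunk.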
@@ -120,7 +123,7 @@ message Secret {
// No more than 50 aliases can be assigned to a given secret.
//
// Version-Alias pairs will be viewable via GetSecret and modifiable via
- // UpdateSecret. At launch access by alias will only be supported on
+ // UpdateSecret. Access by alias is only be supported on
// GetSecretVersion and AccessSecretVersion.
map<string, int64> version_aliases = 11
[(google.api.field_behavior) = OPTIONAL];
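Review bot: The rewritten sentence in the `version_aliases` comment is ungrammatical ("Access by alias is only be supported on"); it should read `// UpdateSecret. Access by alias is only supported on`. The rest of the comment and the field definition are unchanged, and the Secret message continues outside the hunk.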
@@ -138,6 +141,27 @@ message Secret {
//
// The total size of annotation keys and values must be less than 16KiB.
map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. Secret Version TTL after destruction request
+ //
+ // This is a part of the Delayed secret version destroy feature.
+ // For secret with TTL>0, version destruction doesn't happen immediately
+ // on calling destroy instead the version goes to a disabled state and
+ // destruction happens after the TTL expires.
+ google.protobuf.Duration version_destroy_ttl = 14
+ [(google.api.field_behavior) = OPTIONAL];
+
+ // Optional. The customer-managed encryption configuration of the Regionalised
+ // Secrets. If no configuration is provided, Google-managed default encryption
+ // is used.
+ //
+ // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption
+ // configuration only apply to
+ // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
+ // afterwards. They do not apply retroactively to existing
+ // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
+ CustomerManagedEncryption customer_managed_encryption = 15
+ [(google.api.field_behavior) = OPTIONAL];
}
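Review bot: Secret now carries encryption configuration in two places — `replication`, whose type is documented later in this file as defining "the replication and encryption configuration of data", and the new `customer_managed_encryption` (15), which the comment scopes to regional secrets — but neither comment says whether both may be set, which one applies, or whether the server rejects the combination; a sentence on field 15 stating the enforced rule would remove that ambiguity for callers and reviewers. The `version_destroy_ttl` comment (14) should likewise say whether the value can be changed through UpdateSecret while versions exist and whether a version that has entered the disabled state can be re-enabled before the TTL elapses, since that determines whether a destroy call is reversible; I am inferring both from the described state transition, so confirm against the implementation. Minor wording: "Regionalised" appears where the rest of the comment says "regional", and the first line of the field 14 comment lacks a terminal period.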
// A secret version resource in the Secret Manager API.
@@ -145,6 +169,9 @@ message SecretVersion {
option (google.api.resource) = {
type: "secretmanager.googleapis.com/SecretVersion"
pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
+ pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}"
+ plural: "secretVersions"
+ singular: "secretVersion"
};
// The state of a
@@ -213,6 +240,22 @@ message SecretVersion {
// [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
bool client_specified_payload_checksum = 7
[(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Optional. Output only. Scheduled destroy time for secret version.
+ // This is a part of the Delayed secret version destroy feature. For a
+ // Secret with a valid version destroy TTL, when a secert version is
+ // destroyed, the version is moved to disabled state and it is scheduled for
+ // destruction. The version is destroyed only after the
+ // `scheduled_destroy_time`.
+ google.protobuf.Timestamp scheduled_destroy_time = 8
+ [(google.api.field_behavior) = OUTPUT_ONLY];
+
+ // Output only. The customer-managed encryption status of the
+ // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
+ // populated if customer-managed encryption is used and
+ // [Secret][google.cloud.secretmanager.v1.Secret] is a Regionalised Secret.
+ CustomerManagedEncryptionStatus customer_managed_encryption = 9
+ [(google.api.field_behavior) = OUTPUT_ONLY];
}
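Review bot: The `scheduled_destroy_time` comment opens with "Optional. Output only." while the field is annotated only OUTPUT_ONLY; a server-populated field cannot also be client-optional, so the first line should be `// Output only. Scheduled destroy time for secret version.`. The same comment misspells "secret" as "secert" on its third line. The new `customer_managed_encryption` (9) comment uses "Regionalised" where the rest of the file says "regional".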
// A policy that defines the replication and encryption configuration of data.
@@ -381,8 +424,9 @@ message Topic {
// Required. The resource name of the Pub/Sub topic that will be published to,
// in the following format: `projects/*/topics/*`. For publication to succeed,
- // the Secret Manager P4SA must have `pubsub.publisher` permissions on the
- // topic.
+ // the Secret Manager service agent must have the `pubsub.topic.publish`
+ // permission on the topic. The Pub/Sub Publisher role
+ // (`roles/pubsub.publisher`) includes this permission.
string name = 1 [(google.api.field_behavior) = REQUIRED];
}
diff --git a/google/cloud/secretmanager/v1/secretmanager_v1.yaml b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
index b269b2981..cf3328feb 100644
--- a/google/cloud/secretmanager/v1/secretmanager_v1.yaml
+++ b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
@@ -4,6 +4,7 @@ name: secretmanager.googleapis.com
title: Secret Manager API
apis:
+- name: google.cloud.location.Locations
- name: google.cloud.secretmanager.v1.SecretManagerService
documentation:
@@ -18,15 +19,6 @@ documentation:
- selector: google.cloud.location.Locations.ListLocations
description: Lists information about the supported locations for this service.
-backend:
- rules:
- - selector: google.cloud.location.Locations.GetLocation
- deadline: 60.0
- - selector: google.cloud.location.Locations.ListLocations
- deadline: 60.0
- - selector: 'google.cloud.secretmanager.v1.SecretManagerService.*'
- deadline: 60.0
-
http:
rules:
- selector: google.cloud.location.Locations.GetLocation
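Review bot: Deleting the `backend.rules` block removes the explicit `deadline: 60.0` that applied to both Locations methods and to every SecretManagerService method, which is a runtime behaviour change the commit title and description (delayed destroy, regional bindings) do not mention. If the intent is to fall back to the platform default deadline this may be fine, but it deserves a sentence in the description or a retained rule, because callers of AccessSecretVersion tune their own timeouts around the service-side one. The `http` rules block continues outside the hunk.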
@@ -48,3 +40,47 @@ authentication:
oauth:
canonical_scopes: |-
https://www.googleapis.com/auth/cloud-platform
+
+publishing:
+ new_issue_uri: https://issuetracker.google.com/issues/new?component=784854&template=1380926
+ documentation_uri: https://cloud.google.com/secret-manager/docs/overview
+ api_short_name: secretmanager
+ github_label: 'api: secretmanager'
+ doc_tag_prefix: secretmanager
+ organization: CLOUD
+ library_settings:
+ - version: google.cloud.secretmanager.v1
+ launch_stage: GA
+ java_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ cpp_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ php_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ python_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ node_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ dotnet_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ ruby_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ go_settings:
+ common:
+ destinations:
+ - PACKAGE_MANAGER
+ proto_reference_documentation_uri: https://cloud.google.com/secret-manager/docs/reference/rpc
diff --git a/google/cloud/secretmanager/v1/service.proto b/google/cloud/secretmanager/v1/service.proto
index a079e9e36..ad23183b0 100644
--- a/google/cloud/secretmanager/v1/service.proto
+++ b/google/cloud/secretmanager/v1/service.proto
@@ -52,6 +52,7 @@ service SecretManagerService {
rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*}/secrets"
+ additional_bindings { get: "/v1/{parent=projects/*/locations/*}/secrets" }
};
option (google.api.method_signature) = "parent";
}
@@ -62,6 +63,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{parent=projects/*}/secrets"
body: "secret"
+ additional_bindings {
+ post: "/v1/{parent=projects/*/locations/*}/secrets"
+ body: "secret"
+ }
};
option (google.api.method_signature) = "parent,secret_id,secret";
}
@@ -73,6 +78,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{parent=projects/*/secrets/*}:addVersion"
body: "*"
+ additional_bindings {
+ post: "/v1/{parent=projects/*/locations/*/secrets/*}:addVersion"
+ body: "*"
+ }
};
option (google.api.method_signature) = "parent,payload";
}
@@ -81,6 +90,7 @@ service SecretManagerService {
rpc GetSecret(GetSecretRequest) returns (Secret) {
option (google.api.http) = {
get: "/v1/{name=projects/*/secrets/*}"
+ additional_bindings { get: "/v1/{name=projects/*/locations/*/secrets/*}" }
};
option (google.api.method_signature) = "name";
}
@@ -91,6 +101,10 @@ service SecretManagerService {
option (google.api.http) = {
patch: "/v1/{secret.name=projects/*/secrets/*}"
body: "secret"
+ additional_bindings {
+ patch: "/v1/{secret.name=projects/*/locations/*/secrets/*}"
+ body: "secret"
+ }
};
option (google.api.method_signature) = "secret,update_mask";
}
@@ -99,6 +113,9 @@ service SecretManagerService {
rpc DeleteSecret(DeleteSecretRequest) returns (google.protobuf.Empty) {
option (google.api.http) = {
delete: "/v1/{name=projects/*/secrets/*}"
+ additional_bindings {
+ delete: "/v1/{name=projects/*/locations/*/secrets/*}"
+ }
};
option (google.api.method_signature) = "name";
}
@@ -109,6 +126,9 @@ service SecretManagerService {
returns (ListSecretVersionsResponse) {
option (google.api.http) = {
get: "/v1/{parent=projects/*/secrets/*}/versions"
+ additional_bindings {
+ get: "/v1/{parent=projects/*/locations/*/secrets/*}/versions"
+ }
};
option (google.api.method_signature) = "parent";
}
@@ -121,6 +141,9 @@ service SecretManagerService {
rpc GetSecretVersion(GetSecretVersionRequest) returns (SecretVersion) {
option (google.api.http) = {
get: "/v1/{name=projects/*/secrets/*/versions/*}"
+ additional_bindings {
+ get: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}"
+ }
};
option (google.api.method_signature) = "name";
}
@@ -134,6 +157,9 @@ service SecretManagerService {
returns (AccessSecretVersionResponse) {
option (google.api.http) = {
get: "/v1/{name=projects/*/secrets/*/versions/*}:access"
+ additional_bindings {
+ get: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:access"
+ }
};
option (google.api.method_signature) = "name";
}
@@ -148,6 +174,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{name=projects/*/secrets/*/versions/*}:disable"
body: "*"
+ additional_bindings {
+ post: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:disable"
+ body: "*"
+ }
};
option (google.api.method_signature) = "name";
}
@@ -161,6 +191,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{name=projects/*/secrets/*/versions/*}:enable"
body: "*"
+ additional_bindings {
+ post: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:enable"
+ body: "*"
+ }
};
option (google.api.method_signature) = "name";
}
@@ -176,6 +210,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{name=projects/*/secrets/*/versions/*}:destroy"
body: "*"
+ additional_bindings {
+ post: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:destroy"
+ body: "*"
+ }
};
option (google.api.method_signature) = "name";
}
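Review bot: This hunk only adds the regional binding for DestroySecretVersion, yet the semantics of the RPC change in the same commit — with `version_destroy_ttl` set on the parent Secret the version goes to a disabled state and is destroyed only after `scheduled_destroy_time`, per the new field comments in resources.proto — and the RPC's leading comment, which starts above the hunk, is not updated. Suggest adding a sentence there stating that the call schedules destruction rather than performing it when a TTL is configured, and saying whether the version can still be enabled or accessed during that window (inferred from the state transition; confirm against the implementation). The rpc definition starts outside the hunk.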
@@ -192,6 +230,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{resource=projects/*/secrets/*}:setIamPolicy"
body: "*"
+ additional_bindings {
+ post: "/v1/{resource=projects/*/locations/*/secrets/*}:setIamPolicy"
+ body: "*"
+ }
};
}
@@ -201,6 +243,9 @@ service SecretManagerService {
returns (google.iam.v1.Policy) {
option (google.api.http) = {
get: "/v1/{resource=projects/*/secrets/*}:getIamPolicy"
+ additional_bindings {
+ get: "/v1/{resource=projects/*/locations/*/secrets/*}:getIamPolicy"
+ }
};
}
@@ -216,6 +261,10 @@ service SecretManagerService {
option (google.api.http) = {
post: "/v1/{resource=projects/*/secrets/*}:testIamPermissions"
body: "*"
+ additional_bindings {
+ post: "/v1/{resource=projects/*/locations/*/secrets/*}:testIamPermissions"
+ body: "*"
+ }
};
}
}
@@ -224,12 +273,12 @@ service SecretManagerService {
// [SecretManagerService.ListSecrets][google.cloud.secretmanager.v1.SecretManagerService.ListSecrets].
message ListSecretsRequest {
// Required. The resource name of the project associated with the
- // [Secrets][google.cloud.secretmanager.v1.Secret], in the format
- // `projects/*`.
+ // [Secrets][google.cloud.secretmanager.v1.Secret], in the format `projects/*`
+ // or `projects/*/locations/*`
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Project"
+ child_type: "secretmanager.googleapis.com/Secret"
}
];
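Review bot: The second line of the new `parent` comment ends without a terminal period, unlike the parallel CreateSecretRequest comment in the next hunk; append the period so the two read the same. Switching the reference to `child_type` is consistent with accepting either a project or a location as parent, and needs no change.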
@@ -262,7 +311,10 @@ message ListSecretsResponse {
// to retrieve the next page.
string next_page_token = 2;
- // The total number of [Secrets][google.cloud.secretmanager.v1.Secret].
+ // The total number of [Secrets][google.cloud.secretmanager.v1.Secret] but 0
+ // when the
+ // [ListSecretsRequest.filter][google.cloud.secretmanager.v1.ListSecretsRequest.filter]
+ // field is set.
int32 total_size = 3;
}
@@ -270,11 +322,12 @@ message ListSecretsResponse {
// [SecretManagerService.CreateSecret][google.cloud.secretmanager.v1.SecretManagerService.CreateSecret].
message CreateSecretRequest {
// Required. The resource name of the project to associate with the
- // [Secret][google.cloud.secretmanager.v1.Secret], in the format `projects/*`.
+ // [Secret][google.cloud.secretmanager.v1.Secret], in the format `projects/*`
+ // or `projects/*/locations/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
- type: "cloudresourcemanager.googleapis.com/Project"
+ child_type: "secretmanager.googleapis.com/Secret"
}
];
@@ -296,7 +349,7 @@ message AddSecretVersionRequest {
// Required. The resource name of the
// [Secret][google.cloud.secretmanager.v1.Secret] to associate with the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
- // `projects/*/secrets/*`.
+ // `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -314,7 +367,7 @@ message AddSecretVersionRequest {
message GetSecretRequest {
// Required. The resource name of the
// [Secret][google.cloud.secretmanager.v1.Secret], in the format
- // `projects/*/secrets/*`.
+ // `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -329,7 +382,7 @@ message ListSecretVersionsRequest {
// Required. The resource name of the
// [Secret][google.cloud.secretmanager.v1.Secret] associated with the
// [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] to list, in
- // the format `projects/*/secrets/*`.
+ // the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`.
string parent = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -367,7 +420,10 @@ message ListSecretVersionsResponse {
string next_page_token = 2;
// The total number of
- // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
+ // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] but 0 when
+ // the
+ // [ListSecretsRequest.filter][google.cloud.secretmanager.v1.ListSecretsRequest.filter]
+ // field is set.
int32 total_size = 3;
}
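Review bot: The new `total_size` comment in ListSecretVersionsResponse cross-references `ListSecretsRequest.filter`, which is the filter on the secrets list request, not on the versions list request. If ListSecretVersionsRequest has its own filter field (not visible in this diff) the link should be `[ListSecretVersionsRequest.filter][google.cloud.secretmanager.v1.ListSecretVersionsRequest.filter]`; otherwise the sentence describes the behaviour of a different RPC. The parallel comment in ListSecretsResponse earlier in this diff is correct as written.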
@@ -376,10 +432,13 @@ message ListSecretVersionsResponse {
message GetSecretVersionRequest {
// Required. The resource name of the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
- // `projects/*/secrets/*/versions/*`.
+ // `projects/*/secrets/*/versions/*` or
+ // `projects/*/locations/*/secrets/*/versions/*`.
//
- // `projects/*/secrets/*/versions/latest` is an alias to the most recently
- // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+ // `projects/*/secrets/*/versions/latest` or
+ // `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most
+ // recently created
+ // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -405,10 +464,13 @@ message UpdateSecretRequest {
message AccessSecretVersionRequest {
// Required. The resource name of the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
- // `projects/*/secrets/*/versions/*`.
+ // `projects/*/secrets/*/versions/*` or
+ // `projects/*/locations/*/secrets/*/versions/*`.
//
- // `projects/*/secrets/*/versions/latest` is an alias to the most recently
- // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+ // `projects/*/secrets/*/versions/latest` or
+ // `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most
+ // recently created
+ // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -422,7 +484,8 @@ message AccessSecretVersionRequest {
message AccessSecretVersionResponse {
// The resource name of the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
- // `projects/*/secrets/*/versions/*`.
+ // `projects/*/secrets/*/versions/*` or
+ // `projects/*/locations/*/secrets/*/versions/*`.
string name = 1 [(google.api.resource_reference) = {
type: "secretmanager.googleapis.com/SecretVersion"
}];
@@ -455,7 +518,8 @@ message DeleteSecretRequest {
message DisableSecretVersionRequest {
// Required. The resource name of the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] to disable in
- // the format `projects/*/secrets/*/versions/*`.
+ // the format `projects/*/secrets/*/versions/*` or
+ // `projects/*/locations/*/secrets/*/versions/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -475,7 +539,8 @@ message DisableSecretVersionRequest {
message EnableSecretVersionRequest {
// Required. The resource name of the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] to enable in
- // the format `projects/*/secrets/*/versions/*`.
+ // the format `projects/*/secrets/*/versions/*` or
+ // `projects/*/locations/*/secrets/*/versions/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {
@@ -495,7 +560,8 @@ message EnableSecretVersionRequest {
message DestroySecretVersionRequest {
// Required. The resource name of the
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] to destroy in
- // the format `projects/*/secrets/*/versions/*`.
+ // the format `projects/*/secrets/*/versions/*` or
+ // `projects/*/locations/*/secrets/*/versions/*`.
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(google.api.resource_reference) = {