Add support for regional secret resource google_secret_manager_regional_secret (GoogleCloudPlatform#11678)

Author: abheda-crest

mmv1/products/secretmanager/go_product.yaml

@@ -15,6 +15,7 @@
 ---
 name: 'SecretManager'
 display_name: 'Secret Manager'
+legacy_name: 'secret_manager'
 versions:
   - name: 'ga'
     base_url: 'https://secretmanager.googleapis.com/v1/'

mmv1/products/secretmanager/product.yaml

@@ -14,6 +14,7 @@
 --- !ruby/object:Api::Product
 name: SecretManager
 display_name: Secret Manager
+legacy_name: secret_manager
 versions:
   - !ruby/object:Api::Product::Version
     name: ga

mmv1/products/secretmanagerregional/RegionalSecret.yaml

@@ -0,0 +1,222 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Resource
+name: RegionalSecret
+self_link: projects/{{project}}/locations/{{location}}/secrets/{{secret_id}}
+base_url: projects/{{project}}/locations/{{location}}/secrets
+create_url: projects/{{project}}/locations/{{location}}/secrets?secretId={{secret_id}}
+update_verb: :PATCH
+update_mask: true
+references: !ruby/object:Api::Resource::ReferenceLinks
+  # TODO : Update the below api reference link
+  api: 'https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets'
+description: |
+  A Regional Secret is a logical secret whose value and versions can be created and accessed within a region only.
+iam_policy: !ruby/object:Api::Resource::IamPolicy
+  parent_resource_attribute: secret_id
+  method_name_separator: ':'
+  allowed_iam_role: roles/secretmanager.secretAccessor
+  iam_conditions_request_type: :QUERY_PARAM_NESTED
+  example_config_body: 'templates/terraform/iam/example_config_body/secret_manager_regional_secret.tf.erb'
+  import_format: [
+    'projects/{{project}}/locations/{{location}}/secrets/{{secret_id}}',
+    '{{secret_id}}',
+  ]
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_config_basic'
+    primary_resource_id: 'regional-secret-basic'
+    primary_resource_name: 'fmt.Sprintf("tf-test-tf-reg-secret%s", context["random_suffix"])'
+    vars:
+      secret_id: 'tf-reg-secret'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_with_cmek'
+    primary_resource_id: 'regional-secret-with-cmek'
+    vars:
+      secret_id: 'tf-reg-secret'
+      kms_key_name: 'kms-key'
+    test_vars_overrides:
+      kms_key_name: 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_with_rotation'
+    primary_resource_id: 'regional-secret-with-rotation'
+    vars:
+      secret_id: 'tf-reg-secret'
+      topic_id: 'tf-topic'
+      timestamp: '2045-11-30T00:00:00Z'
+    test_vars_overrides:
+      timestamp: '"2122-11-30T00:00:00Z"'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_with_ttl'
+    primary_resource_id: 'regional-secret-with-ttl'
+    vars:
+      secret_id: 'tf-reg-secret'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_with_expire_time'
+    primary_resource_id: 'regional-secret-with-expire-time'
+    vars:
+      secret_id: 'tf-reg-secret'
+      timestamp: '2055-11-30T00:00:00Z'
+    test_vars_overrides:
+      timestamp: '"2122-11-30T00:00:00Z"'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'regional_secret_with_version_destroy_ttl'
+    primary_resource_id: 'regional-secret-with-version-destroy-ttl'
+    vars:
+      secret_id: 'tf-reg-secret'
+import_format: ['projects/{{project}}/locations/{{location}}/secrets/{{secret_id}}']
+custom_code: !ruby/object:Provider::Terraform::CustomCode
+  pre_update: templates/terraform/pre_update/secret_manager_regional_secret.go.erb
+parameters:
+  - !ruby/object:Api::Type::String
+    name: location
+    description: |
+      The location of the regional secret. eg us-central1
+    required: true
+    immutable: true
+    url_param_only: true
+  - !ruby/object:Api::Type::String
+    name: secretId
+    description: |
+      This must be unique within the project.
+    required: true
+    immutable: true
+    url_param_only: true
+properties:
+  - !ruby/object:Api::Type::String
+    name: name
+    output: true
+    description: |
+      The resource name of the regional secret. Format:
+      `projects/{{project}}/locations/{{location}}/secrets/{{secret_id}}`
+  - !ruby/object:Api::Type::String
+    name: createTime
+    output: true
+    description: |
+      The time at which the regional secret was created.
+  - !ruby/object:Api::Type::KeyValueLabels
+    name: labels
+    description: |
+      The labels assigned to this regional secret.
+
+      Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
+      and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}
+
+      Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
+      and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}
+
+      No more than 64 labels can be assigned to a given resource.
+
+      An object containing a list of "key": value pairs. Example:
+      { "name": "wrench", "mass": "1.3kg", "count": "3" }.
+  - !ruby/object:Api::Type::KeyValueAnnotations
+    name: annotations
+    description: |
+      Custom metadata about the regional secret.
+
+      Annotations are distinct from various forms of labels. Annotations exist to allow
+      client tools to store their own state information without requiring a database.
+
+      Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of
+      maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and
+      may have dashes (-), underscores (_), dots (.), and alphanumerics in between these
+      symbols.
+
+      The total size of annotation keys and values must be less than 16KiB.
+
+      An object containing a list of "key": value pairs. Example:
+      { "name": "wrench", "mass": "1.3kg", "count": "3" }.
+  # TODO : Add versionAliases field support once google_secret_manager_regional_secret_version is added
+  # - !ruby/object:Api::Type::KeyValuePairs
+  #   name: versionAliases
+  #   description: |
+  #     Mapping from version alias to version name.
+
+  #     A version alias is a string with a maximum length of 63 characters and can contain
+  #     uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_')
+  #     characters. An alias string must start with a letter and cannot be the string
+  #     'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.
+
+  #     An object containing a list of "key": value pairs. Example:
+  #     { "name": "wrench", "mass": "1.3kg", "count": "3" }.
+  - !ruby/object:Api::Type::NestedObject
+    name: customerManagedEncryption
+    description: |
+      The customer-managed encryption configuration of the regional secret.
+    properties:
+      - !ruby/object:Api::Type::String
+        name: kmsKeyName
+        required: true
+        description: |
+          The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.
+  - !ruby/object:Api::Type::Array
+    name: topics
+    description: |
+      A list of up to 10 Pub/Sub topics to which messages are published when control plane
+      operations are called on the regional secret or its versions.
+    item_type: !ruby/object:Api::Type::NestedObject
+      properties:
+        - !ruby/object:Api::Type::String
+          name: name
+          required: true
+          description: |
+            The resource name of the Pub/Sub topic that will be published to, in the following
+            format: projects/*/topics/*. For publication to succeed, the Secret Manager Service
+            Agent service account must have pubsub.publisher permissions on the topic.
+  - !ruby/object:Api::Type::NestedObject
+    name: rotation
+    required_with:
+      - topics
+    description: |
+      The rotation time and period for a regional secret. At `next_rotation_time`, Secret Manager
+      will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be
+      set to configure rotation.
+    properties:
+      - !ruby/object:Api::Type::String
+        name: nextRotationTime
+        description: |
+          Timestamp in UTC at which the Secret is scheduled to rotate.
+          A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
+          fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+      - !ruby/object:Api::Type::String
+        name: rotationPeriod
+        description: |
+          The Duration between rotation notifications. Must be in seconds and at least 3600s (1h)
+          and at most 3153600000s (100 years). If rotationPeriod is set, `next_rotation_time` must
+          be set. `next_rotation_time` will be advanced by this period when the service
+          automatically sends rotation notifications.
+        required_with:
+          - rotation.0.next_rotation_time
+  - !ruby/object:Api::Type::String
+    name: expireTime
+    description: |
+      Timestamp in UTC when the regional secret is scheduled to expire. This is always provided on
+      output, regardless of what was sent on input. A timestamp in RFC3339 UTC "Zulu" format, with
+      nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and
+      "2014-10-02T15:01:23.045123456Z". Only one of `expire_time` or `ttl` can be provided.
+    default_from_api: true
+  - !ruby/object:Api::Type::String
+    name: ttl
+    description: |
+      The TTL for the regional secret. A duration in seconds with up to nine fractional digits,
+      terminated by 's'. Example: "3.5s". Only one of `ttl` or `expire_time` can be provided.
+    ignore_read: true
+  - !ruby/object:Api::Type::String
+    name: versionDestroyTtl
+    description: |
+      Secret Version TTL after destruction request.
+      This is a part of the delayed delete feature on Secret Version.
+      For secret with versionDestroyTtl>0, version destruction doesn't happen immediately
+      on calling destroy instead the version goes to a disabled state and
+      the actual destruction happens after this TTL expires. It must be atleast 24h.

mmv1/products/secretmanagerregional/product.yaml

@@ -0,0 +1,26 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Product
+name: SecretManagerRegional
+display_name: Secret Manager
+legacy_name: secret_manager
+versions:
+  - !ruby/object:Api::Product::Version
+    name: ga
+    base_url: https://secretmanager.{{location}}.rep.googleapis.com/v1/
+  - !ruby/object:Api::Product::Version
+    name: beta
+    base_url: https://secretmanager.{{location}}.rep.googleapis.com/v1/
+scopes:
+  - https://www.googleapis.com/auth/cloud-platform

mmv1/templates/terraform/examples/regional_secret_config_basic.tf.erb

@@ -0,0 +1,14 @@
+resource "google_secret_manager_regional_secret" "<%= ctx[:primary_resource_id] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+
+  labels = {
+    label = "my-label"
+  }
+
+  annotations = {
+    key1 = "value1",
+    key2 = "value2",
+    key3 = "value3"
+  }
+}

mmv1/templates/terraform/examples/regional_secret_with_cmek.tf.erb

@@ -0,0 +1,18 @@
+data "google_project" "project" {}
+
+resource "google_kms_crypto_key_iam_member" "kms-secret-binding" {
+  crypto_key_id = "<%= ctx[:vars]['kms_key_name'] %>"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
+}
+
+resource "google_secret_manager_regional_secret" "<%= ctx[:primary_resource_id] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+
+  customer_managed_encryption {
+    kms_key_name = "<%= ctx[:vars]['kms_key_name'] %>"
+  }
+
+  depends_on = [ google_kms_crypto_key_iam_member.kms-secret-binding ]
+}

mmv1/templates/terraform/examples/regional_secret_with_expire_time.tf.erb

@@ -0,0 +1,16 @@
+resource "google_secret_manager_regional_secret" "<%= ctx[:primary_resource_id] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+
+  labels = {
+    label = "my-label"
+  }
+
+  annotations = {
+    key1 = "value1",
+    key2 = "value2",
+    key3 = "value3"
+  }
+
+  expire_time = "<%= ctx[:vars]['timestamp'] %>"
+}

mmv1/templates/terraform/examples/regional_secret_with_rotation.tf.erb

@@ -0,0 +1,29 @@
+data "google_project" "project" {}
+
+resource "google_pubsub_topic" "topic" {
+  name = "<%= ctx[:vars]['topic_id'] %>"
+}
+
+resource "google_pubsub_topic_iam_member" "secrets_manager_access" {
+  topic  = google_pubsub_topic.topic.name
+  role   = "roles/pubsub.publisher"
+  member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
+}
+
+resource "google_secret_manager_regional_secret" "<%= ctx[:primary_resource_id] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+
+  topics {
+    name = google_pubsub_topic.topic.id
+  }
+
+  rotation {
+    rotation_period = "3600s"
+    next_rotation_time = "<%= ctx[:vars]['timestamp'] %>"
+  }
+
+  depends_on = [
+    google_pubsub_topic_iam_member.secrets_manager_access,
+  ]
+}

mmv1/templates/terraform/examples/regional_secret_with_ttl.tf.erb

@@ -0,0 +1,16 @@
+resource "google_secret_manager_regional_secret" "<%= ctx[:primary_resource_id] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+
+  labels = {
+    label = "my-label"
+  }
+
+  annotations = {
+    key1 = "value1",
+    key2 = "value2",
+    key3 = "value3"
+  }
+
+  ttl = "36000s"
+}

mmv1/templates/terraform/examples/regional_secret_with_version_destroy_ttl.tf.erb

@@ -0,0 +1,16 @@
+resource "google_secret_manager_regional_secret" "<%= ctx[:primary_resource_id] %>" {
+  secret_id = "<%= ctx[:vars]['secret_id'] %>"
+  location = "us-central1"
+
+  labels = {
+    label = "my-label"
+  }
+
+  annotations = {
+    key1 = "value1",
+    key2 = "value2",
+    key3 = "value3"
+  }
+
+  version_destroy_ttl = "86400s"
+}

mmv1/templates/terraform/iam/example_config_body/secret_manager_regional_secret.tf.erb

@@ -0,0 +1,3 @@
+  project = google_secret_manager_regional_secret.regional-secret-basic.project
+  location = google_secret_manager_regional_secret.regional-secret-basic.location
+  secret_id = google_secret_manager_regional_secret.regional-secret-basic.secret_id