feat: add a new EkmService API (#532)

PiperOrigin-RevId: 425982419 Source-Link: googleapis/googleapis@8dff569 Source-Link: https://github.com/googleapis/googleapis-gen/commit/b1538df1643922606d00ec0365c1e0a51bfbcabf Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiYjE1MzhkZjE2NDM5MjI2MDZkMDBlYzAzNjVjMWUwYTUxYmZiY2FiZiJ9 See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
googleapis · Feb 3, 2022 · f62a19c · f62a19c
1 parent ac2209d
commit f62a19c
Show file tree

Hide file tree

Showing 48 changed files with 13,041 additions and 4,198 deletions.
diff --git a/protos/google/cloud/kms/v1/ekm_service.proto b/protos/google/cloud/kms/v1/ekm_service.proto
@@ -0,0 +1,293 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.kms.v1;
+
+import "google/api/annotations.proto";
+import "google/api/client.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Kms.V1";
+option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
+option java_multiple_files = true;
+option java_outer_classname = "EkmServiceProto";
+option java_package = "com.google.cloud.kms.v1";
+option php_namespace = "Google\\Cloud\\Kms\\V1";
+option (google.api.resource_definition) = {
+  type: "servicedirectory.googleapis.com/Service"
+  pattern: "projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}"
+};
+
+// Google Cloud Key Management EKM Service
+//
+// Manages external cryptographic keys and operations using those keys.
+// Implements a REST model with the following objects:
+// * [EkmConnection][google.cloud.kms.v1.EkmConnection]
+service EkmService {
+  option (google.api.default_host) = "cloudkms.googleapis.com";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform,"
+      "https://www.googleapis.com/auth/cloudkms";
+
+  // Lists [EkmConnections][google.cloud.kms.v1.EkmConnection].
+  rpc ListEkmConnections(ListEkmConnectionsRequest)
+      returns (ListEkmConnectionsResponse) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*}/ekmConnections"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Returns metadata for a given
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection].
+  rpc GetEkmConnection(GetEkmConnectionRequest) returns (EkmConnection) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/ekmConnections/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Creates a new [EkmConnection][google.cloud.kms.v1.EkmConnection] in a given
+  // Project and Location.
+  rpc CreateEkmConnection(CreateEkmConnectionRequest) returns (EkmConnection) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*}/ekmConnections"
+      body: "ekm_connection"
+    };
+    option (google.api.method_signature) =
+        "parent,ekm_connection_id,ekm_connection";
+  }
+
+  // Updates an [EkmConnection][google.cloud.kms.v1.EkmConnection]'s metadata.
+  rpc UpdateEkmConnection(UpdateEkmConnectionRequest) returns (EkmConnection) {
+    option (google.api.http) = {
+      patch: "/v1/{ekm_connection.name=projects/*/locations/*/ekmConnections/*}"
+      body: "ekm_connection"
+    };
+    option (google.api.method_signature) = "ekm_connection,update_mask";
+  }
+}
+
+// Request message for [KeyManagementService.ListEkmConnections][].
+message ListEkmConnectionsRequest {
+  // Required. The resource name of the location associated with the
+  // [EkmConnections][google.cloud.kms.v1.EkmConnection] to list, in the format
+  // `projects/*/locations/*`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "locations.googleapis.com/Location"
+    }
+  ];
+
+  // Optional. Optional limit on the number of
+  // [EkmConnections][google.cloud.kms.v1.EkmConnection] to include in the
+  // response. Further [EkmConnections][google.cloud.kms.v1.EkmConnection] can
+  // subsequently be obtained by including the
+  // [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token]
+  // in a subsequent request. If unspecified, the server will pick an
+  // appropriate default.
+  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Optional pagination token, returned earlier via
+  // [ListEkmConnectionsResponse.next_page_token][google.cloud.kms.v1.ListEkmConnectionsResponse.next_page_token].
+  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Only include resources that match the filter in the response. For
+  // more information, see
+  // [Sorting and filtering list
+  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+  string filter = 4 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Specify how the results should be sorted. If not specified, the
+  // results will be sorted in the default order.  For more information, see
+  // [Sorting and filtering list
+  // results](https://cloud.google.com/kms/docs/sorting-and-filtering).
+  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Response message for [KeyManagementService.ListEkmConnections][].
+message ListEkmConnectionsResponse {
+  // The list of [EkmConnections][google.cloud.kms.v1.EkmConnection].
+  repeated EkmConnection ekm_connections = 1;
+
+  // A token to retrieve next page of results. Pass this value in
+  // [ListEkmConnectionsRequest.page_token][google.cloud.kms.v1.ListEkmConnectionsRequest.page_token]
+  // to retrieve the next page of results.
+  string next_page_token = 2;
+
+  // The total number of [EkmConnections][google.cloud.kms.v1.EkmConnection]
+  // that matched the query.
+  int32 total_size = 3;
+}
+
+// Request message for [KeyManagementService.GetEkmConnection][].
+message GetEkmConnectionRequest {
+  // Required. The [name][google.cloud.kms.v1.EkmConnection.name] of the
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection] to get.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/EkmConnection"
+    }
+  ];
+}
+
+// Request message for [KeyManagementService.CreateEkmConnection][].
+message CreateEkmConnectionRequest {
+  // Required. The resource name of the location associated with the
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection], in the format
+  // `projects/*/locations/*`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "locations.googleapis.com/Location"
+    }
+  ];
+
+  // Required. It must be unique within a location and match the regular
+  // expression `[a-zA-Z0-9_-]{1,63}`.
+  string ekm_connection_id = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. An [EkmConnection][google.cloud.kms.v1.EkmConnection] with
+  // initial field values.
+  EkmConnection ekm_connection = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for [KeyManagementService.UpdateEkmConnection][].
+message UpdateEkmConnectionRequest {
+  // Required. [EkmConnection][google.cloud.kms.v1.EkmConnection] with updated
+  // values.
+  EkmConnection ekm_connection = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. List of fields to be updated in this request.
+  google.protobuf.FieldMask update_mask = 2
+      [(google.api.field_behavior) = REQUIRED];
+}
+
+// A [Certificate][google.cloud.kms.v1.Certificate] represents an X.509
+// certificate used to authenticate HTTPS connections to EKM replicas.
+message Certificate {
+  // Required. The raw certificate bytes in DER format.
+  bytes raw_der = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Output only. True if the certificate was parsed successfully.
+  bool parsed = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The issuer distinguished name in RFC 2253 format. Only present
+  // if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  string issuer = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The subject distinguished name in RFC 2253 format. Only
+  // present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  string subject = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The subject Alternative DNS names. Only present if
+  // [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  repeated string subject_alternative_dns_names = 5
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The certificate is not valid before this time. Only present if
+  // [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  google.protobuf.Timestamp not_before_time = 6
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The certificate is not valid after this time. Only present if
+  // [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  google.protobuf.Timestamp not_after_time = 7
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The certificate serial number as a hex string. Only present if
+  // [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  string serial_number = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The SHA-256 certificate fingerprint as a hex string. Only
+  // present if [parsed][google.cloud.kms.v1.Certificate.parsed] is true.
+  string sha256_fingerprint = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
+// An [EkmConnection][google.cloud.kms.v1.EkmConnection] represents an
+// individual EKM connection. It can be used for creating
+// [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] with a
+// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+// [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC], as well as
+// performing cryptographic operations using keys created within the
+// [EkmConnection][google.cloud.kms.v1.EkmConnection].
+message EkmConnection {
+  option (google.api.resource) = {
+    type: "cloudkms.googleapis.com/EkmConnection"
+    pattern: "projects/{project}/locations/{location}/ekmConnections/{ekm_connection}"
+  };
+
+  // A [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver]
+  // represents an EKM replica that can be reached within an
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection].
+  message ServiceResolver {
+    // Required. The resource name of the Service Directory service pointing to
+    // an EKM replica, in the format
+    // `projects/*/locations/*/namespaces/*/services/*`.
+    string service_directory_service = 1 [
+      (google.api.field_behavior) = REQUIRED,
+      (google.api.resource_reference) = {
+        type: "servicedirectory.googleapis.com/Service"
+      }
+    ];
+
+    // Optional. The filter applied to the endpoints of the resolved service. If
+    // no filter is specified, all endpoints will be considered. An endpoint
+    // will be chosen arbitrarily from the filtered list for each request.
+    //
+    // For endpoint filter syntax and examples, see
+    // https://cloud.google.com/service-directory/docs/reference/rpc/google.cloud.servicedirectory.v1#resolveservicerequest.
+    string endpoint_filter = 2 [(google.api.field_behavior) = OPTIONAL];
+
+    // Required. The hostname of the EKM replica used at TLS and HTTP layers.
+    string hostname = 3 [(google.api.field_behavior) = REQUIRED];
+
+    // Required. A list of leaf server certificates used to authenticate HTTPS
+    // connections to the EKM replica.
+    repeated Certificate server_certificates = 4
+        [(google.api.field_behavior) = REQUIRED];
+  }
+
+  // Output only. The resource name for the
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection] in the format
+  // `projects/*/locations/*/ekmConnections/*`.
+  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The time at which the
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection] was created.
+  google.protobuf.Timestamp create_time = 2
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // A list of
+  // [ServiceResolvers][google.cloud.kms.v1.EkmConnection.ServiceResolver] where
+  // the EKM can be reached. There should be one ServiceResolver per EKM
+  // replica. Currently, only a single
+  // [ServiceResolver][google.cloud.kms.v1.EkmConnection.ServiceResolver] is
+  // supported.
+  repeated ServiceResolver service_resolvers = 3;
+
+  // This checksum is computed by the server based on the value of other fields,
+  // and may be sent on update requests to ensure the client has an up-to-date
+  // value before proceeding.
+  string etag = 5;
+}