feat: [secretmanager] Add Secret Version Delayed Destroy changes for client libraries (#5273)

* feat: Add Secret Version Delayed Destroy changes for client libraries

docs: Users can now enable secret version delayed destruction
PiperOrigin-RevId: 626820938

Source-Link: googleapis/googleapis@0345704

Source-Link: googleapis/googleapis-gen@2532a56
Copy-Tag: eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLXNlY3JldG1hbmFnZXIvLk93bEJvdC55YW1sIiwiaCI6IjI1MzJhNTY3ZWE0NzQ5YzVmNWUxYzBiYjdhM2Y3MTBiMDYyNzkzOTAifQ==

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: sofisl <55454395+sofisl@users.noreply.github.com>

Author: gcf-owl-bot[bot]

packages/google-cloud-secretmanager/protos/google/cloud/secretmanager/v1/resources.proto

@@ -41,20 +41,23 @@ message Secret {
   option (google.api.resource) = {
     type: "secretmanager.googleapis.com/Secret"
     pattern: "projects/{project}/secrets/{secret}"
+    pattern: "projects/{project}/locations/{location}/secrets/{secret}"
+    plural: "secrets"
+    singular: "secret"
   };
 
   // Output only. The resource name of the
   // [Secret][google.cloud.secretmanager.v1.Secret] in the format
   // `projects/*/secrets/*`.
   string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
 
-  // Required. Immutable. The replication policy of the secret data attached to
+  // Optional. Immutable. The replication policy of the secret data attached to
   // the [Secret][google.cloud.secretmanager.v1.Secret].
   //
   // The replication policy cannot be changed after the Secret has been created.
   Replication replication = 2 [
     (google.api.field_behavior) = IMMUTABLE,
-    (google.api.field_behavior) = REQUIRED
+    (google.api.field_behavior) = OPTIONAL
   ];
 
   // Output only. The time at which the
@@ -120,7 +123,7 @@ message Secret {
   // No more than 50 aliases can be assigned to a given secret.
   //
   // Version-Alias pairs will be viewable via GetSecret and modifiable via
-  // UpdateSecret. At launch access by alias will only be supported on
+  // UpdateSecret. Access by alias is only be supported on
   // GetSecretVersion and AccessSecretVersion.
   map<string, int64> version_aliases = 11
       [(google.api.field_behavior) = OPTIONAL];
@@ -138,13 +141,37 @@ message Secret {
   //
   // The total size of annotation keys and values must be less than 16KiB.
   map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Secret Version TTL after destruction request
+  //
+  // This is a part of the Delayed secret version destroy feature.
+  // For secret with TTL>0, version destruction doesn't happen immediately
+  // on calling destroy instead the version goes to a disabled state and
+  // destruction happens after the TTL expires.
+  google.protobuf.Duration version_destroy_ttl = 14
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The customer-managed encryption configuration of the Regionalised
+  // Secrets. If no configuration is provided, Google-managed default encryption
+  // is used.
+  //
+  // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption
+  // configuration only apply to
+  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
+  // afterwards. They do not apply retroactively to existing
+  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
+  CustomerManagedEncryption customer_managed_encryption = 15
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // A secret version resource in the Secret Manager API.
 message SecretVersion {
   option (google.api.resource) = {
     type: "secretmanager.googleapis.com/SecretVersion"
     pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
+    pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}"
+    plural: "secretVersions"
+    singular: "secretVersion"
   };
 
   // The state of a
@@ -213,6 +240,22 @@ message SecretVersion {
   // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
   bool client_specified_payload_checksum = 7
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Output only. Scheduled destroy time for secret version.
+  // This is a part of the Delayed secret version destroy feature. For a
+  // Secret with a valid version destroy TTL, when a secert version is
+  // destroyed, the version is moved to disabled state and it is scheduled for
+  // destruction. The version is destroyed only after the
+  // `scheduled_destroy_time`.
+  google.protobuf.Timestamp scheduled_destroy_time = 8
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The customer-managed encryption status of the
+  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
+  // populated if customer-managed encryption is used and
+  // [Secret][google.cloud.secretmanager.v1.Secret] is a Regionalised Secret.
+  CustomerManagedEncryptionStatus customer_managed_encryption = 9
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A policy that defines the replication and encryption configuration of data.
@@ -381,8 +424,9 @@ message Topic {
 
   // Required. The resource name of the Pub/Sub topic that will be published to,
   // in the following format: `projects/*/topics/*`. For publication to succeed,
-  // the Secret Manager P4SA must have `pubsub.publisher` permissions on the
-  // topic.
+  // the Secret Manager service agent must have the `pubsub.topic.publish`
+  // permission on the topic. The Pub/Sub Publisher role
+  // (`roles/pubsub.publisher`) includes this permission.
   string name = 1 [(google.api.field_behavior) = REQUIRED];
 }