feat: add support for Coordinated External Keys

Google APIs · copybara-github · commit de50ec65ee99 · 2023-03-06T10:24:56.000-08:00
PiperOrigin-RevId: 514450927
diff --git a/google/cloud/kms/v1/ekm_service.proto b/google/cloud/kms/v1/ekm_service.proto
@@ -83,6 +83,25 @@ service EkmService {
     };
     option (google.api.method_signature) = "ekm_connection,update_mask";
   }
+
+  // Returns the [EkmConfig][google.cloud.kms.v1.EkmConfig] singleton resource
+  // for a given project and location.
+  rpc GetEkmConfig(GetEkmConfigRequest) returns (EkmConfig) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/ekmConfig}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Updates the [EkmConfig][google.cloud.kms.v1.EkmConfig] singleton resource
+  // for a given project and location.
+  rpc UpdateEkmConfig(UpdateEkmConfigRequest) returns (EkmConfig) {
+    option (google.api.http) = {
+      patch: "/v1/{ekm_config.name=projects/*/locations/*/ekmConfig}"
+      body: "ekm_config"
+    };
+    option (google.api.method_signature) = "ekm_config,update_mask";
+  }
 }
 
 // Request message for
@@ -187,6 +206,30 @@ message UpdateEkmConnectionRequest {
       [(google.api.field_behavior) = REQUIRED];
 }
 
+// Request message for
+// [EkmService.GetEkmConfig][google.cloud.kms.v1.EkmService.GetEkmConfig].
+message GetEkmConfigRequest {
+  // Required. The [name][google.cloud.kms.v1.EkmConfig.name] of the
+  // [EkmConfig][google.cloud.kms.v1.EkmConfig] to get.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/EkmConfig"
+    }
+  ];
+}
+
+// Request message for
+// [EkmService.UpdateEkmConfig][google.cloud.kms.v1.EkmService.UpdateEkmConfig].
+message UpdateEkmConfigRequest {
+  // Required. [EkmConfig][google.cloud.kms.v1.EkmConfig] with updated values.
+  EkmConfig ekm_config = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. List of fields to be updated in this request.
+  google.protobuf.FieldMask update_mask = 2
+      [(google.api.field_behavior) = REQUIRED];
+}
+
 // A [Certificate][google.cloud.kms.v1.Certificate] represents an X.509
 // certificate used to authenticate HTTPS connections to EKM replicas.
 message Certificate {
@@ -274,6 +317,44 @@ message EkmConnection {
         [(google.api.field_behavior) = REQUIRED];
   }
 
+  // [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode]
+  // describes who can perform control plane cryptographic operations using this
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection].
+  enum KeyManagementMode {
+    // Not specified.
+    KEY_MANAGEMENT_MODE_UNSPECIFIED = 0;
+
+    // EKM-side key management operations on
+    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
+    // [EkmConnection][google.cloud.kms.v1.EkmConnection] must be initiated from
+    // the EKM directly and cannot be performed from Cloud KMS. This means that:
+    // * When creating a
+    // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] associated with
+    // this
+    //   [EkmConnection][google.cloud.kms.v1.EkmConnection], the caller must
+    //   supply the key path of pre-existing external key material that will be
+    //   linked to the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
+    // * Destruction of external key material cannot be requested via the
+    //   Cloud KMS API and must be performed directly in the EKM.
+    // * Automatic rotation of key material is not supported.
+    MANUAL = 1;
+
+    // All [CryptoKeys][google.cloud.kms.v1.CryptoKey] created with this
+    // [EkmConnection][google.cloud.kms.v1.EkmConnection] use EKM-side key
+    // management operations initiated from Cloud KMS. This means that:
+    // * When a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]
+    // associated with this [EkmConnection][google.cloud.kms.v1.EkmConnection]
+    // is
+    //   created, the EKM automatically generates new key material and a new
+    //   key path. The caller cannot supply the key path of pre-existing
+    //   external key material.
+    // * Destruction of external key material associated with this
+    //   [EkmConnection][google.cloud.kms.v1.EkmConnection] can be requested by
+    //   calling [DestroyCryptoKeyVersion][EkmService.DestroyCryptoKeyVersion].
+    // * Automatic rotation of key material is supported.
+    CLOUD_KMS = 2;
+  }
+
   // Output only. The resource name for the
   // [EkmConnection][google.cloud.kms.v1.EkmConnection] in the format
   // `projects/*/locations/*/ekmConnections/*`.
@@ -295,4 +376,46 @@ message EkmConnection {
   // Optional. Etag of the currently stored
   // [EkmConnection][google.cloud.kms.v1.EkmConnection].
   string etag = 5 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Describes who can perform control plane operations on the EKM. If
+  // unset, this defaults to
+  // [MANUAL][google.cloud.kms.v1.EkmConnection.KeyManagementMode.MANUAL].
+  KeyManagementMode key_management_mode = 6
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Identifies the EKM Crypto Space that this
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection] maps to. Note: This
+  // field is required if
+  // [KeyManagementMode][google.cloud.kms.v1.EkmConnection.KeyManagementMode] is
+  // [CLOUD_KMS][google.cloud.kms.v1.EkmConnection.KeyManagementMode.CLOUD_KMS].
+  string crypto_space_path = 7 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// An [EkmConfig][google.cloud.kms.v1.EkmConfig] is a singleton resource that
+// represents configuration parameters that apply to all
+// [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
+// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] with a
+// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] of
+// [EXTERNAL_VPC][CryptoKeyVersion.ProtectionLevel.EXTERNAL_VPC] in a given
+// project and location.
+message EkmConfig {
+  option (google.api.resource) = {
+    type: "cloudkms.googleapis.com/EkmConfig"
+    pattern: "projects/{project}/locations/{location}/ekmConfig"
+  };
+
+  // Output only. The resource name for the
+  // [EkmConfig][google.cloud.kms.v1.EkmConfig] in the format
+  // `projects/*/locations/*/ekmConfig`.
+  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Resource name of the default
+  // [EkmConnection][google.cloud.kms.v1.EkmConnection]. Setting this field to
+  // the empty string removes the default.
+  string default_ekm_connection = 2 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.resource_reference) = {
+      type: "cloudkms.googleapis.com/EkmConnection"
+    }
+  ];
 }
diff --git a/google/cloud/kms/v1/resources.proto b/google/cloud/kms/v1/resources.proto
@@ -473,6 +473,23 @@ message CryptoKeyVersion {
     // Additional details can be found in
     // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
     IMPORT_FAILED = 7;
+
+    // This version was not generated successfully. It may not be used, enabled,
+    // disabled, or destroyed. Additional details can be found in
+    // [CryptoKeyVersion.generation_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.generation_failure_reason].
+    GENERATION_FAILED = 8;
+
+    // This version was destroyed, and it may not be used or enabled again.
+    // Cloud KMS is waiting for the corresponding key material residing in an
+    // external key manager to be destroyed.
+    PENDING_EXTERNAL_DESTRUCTION = 9;
+
+    // This version was destroyed, and it may not be used or enabled again.
+    // However, Cloud KMS could not confirm that the corresponding key material
+    // residing in an external key manager was destroyed. Additional details can
+    // be found in
+    // [CryptoKeyVersion.external_destruction_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.external_destruction_failure_reason].
+    EXTERNAL_DESTRUCTION_FAILED = 10;
   }
 
   // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s.
@@ -567,6 +584,19 @@ message CryptoKeyVersion {
   // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
   string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];
 
+  // Output only. The root cause of the most recent generation failure. Only
+  // present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+  // [GENERATION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.GENERATION_FAILED].
+  string generation_failure_reason = 19
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The root cause of the most recent external destruction
+  // failure. Only present if
+  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
+  // [EXTERNAL_DESTRUCTION_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.EXTERNAL_DESTRUCTION_FAILED].
+  string external_destruction_failure_reason = 20
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
   // ExternalProtectionLevelOptions stores a group of additional fields for
   // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that
   // are specific to the
