feat: add secret protection (#248)

Author: scaleway-bot

scaleway-async/scaleway_async/secret/v1alpha1/api.py

@@ -363,6 +363,70 @@ async def delete_secret(
         self._throw_on_error(res)
         return None
 
+    async def protect_secret(
+        self,
+        *,
+        secret_id: str,
+        region: Optional[Region] = None,
+    ) -> Secret:
+        """
+        Protect a secret.
+        Protect a given secret specified by the `secret_id` parameter. A protected secret can be read and modified but cannot be deleted.
+        :param region: Region to target. If none is passed will use default region from the config.
+        :param secret_id: ID of the secret to protect.
+        :return: :class:`Secret <Secret>`
+
+        Usage:
+        ::
+
+            result = await api.protect_secret(secret_id="example")
+        """
+
+        param_region = validate_path_param(
+            "region", region or self.client.default_region
+        )
+        param_secret_id = validate_path_param("secret_id", secret_id)
+
+        res = self._request(
+            "POST",
+            f"/secret-manager/v1alpha1/regions/{param_region}/secrets/{param_secret_id}/protect",
+        )
+
+        self._throw_on_error(res)
+        return unmarshal_Secret(res.json())
+
+    async def unprotect_secret(
+        self,
+        *,
+        secret_id: str,
+        region: Optional[Region] = None,
+    ) -> Secret:
+        """
+        Unprotect a secret.
+        Unprotect a given secret specified by the `secret_id` parameter. An unprotected secret can be read, modified and deleted.
+        :param region: Region to target. If none is passed will use default region from the config.
+        :param secret_id: ID of the secret to unprotect.
+        :return: :class:`Secret <Secret>`
+
+        Usage:
+        ::
+
+            result = await api.unprotect_secret(secret_id="example")
+        """
+
+        param_region = validate_path_param(
+            "region", region or self.client.default_region
+        )
+        param_secret_id = validate_path_param("secret_id", secret_id)
+
+        res = self._request(
+            "POST",
+            f"/secret-manager/v1alpha1/regions/{param_region}/secrets/{param_secret_id}/unprotect",
+        )
+
+        self._throw_on_error(res)
+        return unmarshal_Secret(res.json())
+
     async def add_secret_owner(
         self,
         *,

scaleway-async/scaleway_async/secret/v1alpha1/marshalling.py

@@ -48,6 +48,9 @@ def unmarshal_Secret(data: Any) -> Secret:
     field = data.get("is_managed", None)
     args["is_managed"] = field
 
+    field = data.get("is_protected", None)
+    args["is_protected"] = field
+
     field = data.get("name", None)
     args["name"] = field
 

scaleway-async/scaleway_async/secret/v1alpha1/types.py

@@ -194,8 +194,8 @@ class Secret:
     status: SecretStatus
     """
     Current status of the secret.
-    * `ready`: the secret is ready.
-    * `locked`: the secret is locked.
+    * `ready`: the secret can be read, modified and deleted.
+    * `locked`: no action can be performed on the secret. This status can only be applied and removed by Scaleway.
     """
 
     created_at: Optional[datetime]
@@ -228,6 +228,11 @@ class Secret:
     Returns `true` for secrets that are managed by another product.
     """
 
+    is_protected: bool
+    """
+    Returns `true` for protected secrets that cannot be deleted.
+    """
+
     type_: SecretType
     """
     Type of the secret.
@@ -433,6 +438,32 @@ class DeleteSecretRequest:
     """
 
 
+@dataclass
+class ProtectSecretRequest:
+    region: Optional[Region]
+    """
+    Region to target. If none is passed will use default region from the config.
+    """
+
+    secret_id: str
+    """
+    ID of the secret to protect.
+    """
+
+
+@dataclass
+class UnprotectSecretRequest:
+    region: Optional[Region]
+    """
+    Region to target. If none is passed will use default region from the config.
+    """
+
+    secret_id: str
+    """
+    ID of the secret to unprotect.
+    """
+
+
 @dataclass
 class AddSecretOwnerRequest:
     region: Optional[Region]

scaleway/scaleway/secret/v1alpha1/api.py

@@ -363,6 +363,70 @@ def delete_secret(
         self._throw_on_error(res)
         return None
 
+    def protect_secret(
+        self,
+        *,
+        secret_id: str,
+        region: Optional[Region] = None,
+    ) -> Secret:
+        """
+        Protect a secret.
+        Protect a given secret specified by the `secret_id` parameter. A protected secret can be read and modified but cannot be deleted.
+        :param region: Region to target. If none is passed will use default region from the config.
+        :param secret_id: ID of the secret to protect.
+        :return: :class:`Secret <Secret>`
+
+        Usage:
+        ::
+
+            result = api.protect_secret(secret_id="example")
+        """
+
+        param_region = validate_path_param(
+            "region", region or self.client.default_region
+        )
+        param_secret_id = validate_path_param("secret_id", secret_id)
+
+        res = self._request(
+            "POST",
+            f"/secret-manager/v1alpha1/regions/{param_region}/secrets/{param_secret_id}/protect",
+        )
+
+        self._throw_on_error(res)
+        return unmarshal_Secret(res.json())
+
+    def unprotect_secret(
+        self,
+        *,
+        secret_id: str,
+        region: Optional[Region] = None,
+    ) -> Secret:
+        """
+        Unprotect a secret.
+        Unprotect a given secret specified by the `secret_id` parameter. An unprotected secret can be read, modified and deleted.
+        :param region: Region to target. If none is passed will use default region from the config.
+        :param secret_id: ID of the secret to unprotect.
+        :return: :class:`Secret <Secret>`
+
+        Usage:
+        ::
+
+            result = api.unprotect_secret(secret_id="example")
+        """
+
+        param_region = validate_path_param(
+            "region", region or self.client.default_region
+        )
+        param_secret_id = validate_path_param("secret_id", secret_id)
+
+        res = self._request(
+            "POST",
+            f"/secret-manager/v1alpha1/regions/{param_region}/secrets/{param_secret_id}/unprotect",
+        )
+
+        self._throw_on_error(res)
+        return unmarshal_Secret(res.json())
+
     def add_secret_owner(
         self,
         *,

scaleway/scaleway/secret/v1alpha1/marshalling.py

@@ -48,6 +48,9 @@ def unmarshal_Secret(data: Any) -> Secret:
     field = data.get("is_managed", None)
     args["is_managed"] = field
 
+    field = data.get("is_protected", None)
+    args["is_protected"] = field
+
     field = data.get("name", None)
     args["name"] = field
 

scaleway/scaleway/secret/v1alpha1/types.py

@@ -194,8 +194,8 @@ class Secret:
     status: SecretStatus
     """
     Current status of the secret.
-    * `ready`: the secret is ready.
-    * `locked`: the secret is locked.
+    * `ready`: the secret can be read, modified and deleted.
+    * `locked`: no action can be performed on the secret. This status can only be applied and removed by Scaleway.
     """
 
     created_at: Optional[datetime]
@@ -228,6 +228,11 @@ class Secret:
     Returns `true` for secrets that are managed by another product.
     """
 
+    is_protected: bool
+    """
+    Returns `true` for protected secrets that cannot be deleted.
+    """
+
     type_: SecretType
     """
     Type of the secret.
@@ -433,6 +438,32 @@ class DeleteSecretRequest:
     """
 
 
+@dataclass
+class ProtectSecretRequest:
+    region: Optional[Region]
+    """
+    Region to target. If none is passed will use default region from the config.
+    """
+
+    secret_id: str
+    """
+    ID of the secret to protect.
+    """
+
+
+@dataclass
+class UnprotectSecretRequest:
+    region: Optional[Region]
+    """
+    Region to target. If none is passed will use default region from the config.
+    """
+
+    secret_id: str
+    """
+    ID of the secret to unprotect.
+    """
+
+
 @dataclass
 class AddSecretOwnerRequest:
     region: Optional[Region]