feat: add secret protection (#748)

Author: scaleway-bot

packages/clients/src/api/secret/v1alpha1/api.gen.ts

@@ -44,8 +44,10 @@ import type {
   ListSecretsResponse,
   ListTagsRequest,
   ListTagsResponse,
+  ProtectSecretRequest,
   Secret,
   SecretVersion,
+  UnprotectSecretRequest,
   UpdateSecretRequest,
   UpdateSecretVersionRequest,
 } from './types.gen'
@@ -203,6 +205,52 @@ export class API extends ParentAPI {
       )}/secrets/${validatePathParam('secretId', request.secretId)}`,
     })
 
+  /**
+   * Protect a secret. Protect a given secret specified by the `secret_id`
+   * parameter. A protected secret can be read and modified but cannot be
+   * deleted.
+   *
+   * @param request - The request {@link ProtectSecretRequest}
+   * @returns A Promise of Secret
+   */
+  protectSecret = (request: Readonly<ProtectSecretRequest>) =>
+    this.client.fetch<Secret>(
+      {
+        body: '{}',
+        headers: jsonContentHeaders,
+        method: 'POST',
+        path: `/secret-manager/v1alpha1/regions/${validatePathParam(
+          'region',
+          request.region ?? this.client.settings.defaultRegion,
+        )}/secrets/${validatePathParam('secretId', request.secretId)}/protect`,
+      },
+      unmarshalSecret,
+    )
+
+  /**
+   * Unprotect a secret. Unprotect a given secret specified by the `secret_id`
+   * parameter. An unprotected secret can be read, modified and deleted.
+   *
+   * @param request - The request {@link UnprotectSecretRequest}
+   * @returns A Promise of Secret
+   */
+  unprotectSecret = (request: Readonly<UnprotectSecretRequest>) =>
+    this.client.fetch<Secret>(
+      {
+        body: '{}',
+        headers: jsonContentHeaders,
+        method: 'POST',
+        path: `/secret-manager/v1alpha1/regions/${validatePathParam(
+          'region',
+          request.region ?? this.client.settings.defaultRegion,
+        )}/secrets/${validatePathParam(
+          'secretId',
+          request.secretId,
+        )}/unprotect`,
+      },
+      unmarshalSecret,
+    )
+
   /**
    * Allow a product to use the secret.
    *

packages/clients/src/api/secret/v1alpha1/index.gen.ts

@@ -27,11 +27,13 @@ export type {
   ListTagsResponse,
   PasswordGenerationParams,
   Product,
+  ProtectSecretRequest,
   Secret,
   SecretStatus,
   SecretType,
   SecretVersion,
   SecretVersionStatus,
+  UnprotectSecretRequest,
   UpdateSecretRequest,
   UpdateSecretVersionRequest,
 } from './types.gen'

packages/clients/src/api/secret/v1alpha1/marshalling.gen.ts

@@ -35,6 +35,7 @@ export const unmarshalSecret = (data: unknown) => {
     description: data.description,
     id: data.id,
     isManaged: data.is_managed,
+    isProtected: data.is_protected,
     name: data.name,
     projectId: data.project_id,
     region: data.region,

packages/clients/src/api/secret/v1alpha1/types.gen.ts

@@ -90,8 +90,9 @@ export interface Secret {
   /** Name of the secret. */
   name: string
   /**
-   * Current status of the secret. `ready`: the secret is ready. `locked`: the
-   * secret is locked.
+   * Current status of the secret. `ready`: the secret can be read, modified and
+   * deleted. `locked`: no action can be performed on the secret. This status
+   * can only be applied and removed by Scaleway.
    */
   status: SecretStatus
   /** Date and time of the secret's creation. */
@@ -106,6 +107,8 @@ export interface Secret {
   description?: string
   /** Returns `true` for secrets that are managed by another product. */
   isManaged: boolean
+  /** Returns `true` for protected secrets that cannot be deleted. */
+  isProtected: boolean
   /** Type of the secret. See `Secret.Type` enum for description of values. */
   type: SecretType
   /** Region of the secret. */
@@ -231,6 +234,26 @@ export type DeleteSecretRequest = {
   secretId: string
 }
 
+export type ProtectSecretRequest = {
+  /**
+   * Region to target. If none is passed will use default region from the
+   * config.
+   */
+  region?: Region
+  /** ID of the secret to protect. */
+  secretId: string
+}
+
+export type UnprotectSecretRequest = {
+  /**
+   * Region to target. If none is passed will use default region from the
+   * config.
+   */
+  region?: Region
+  /** ID of the secret to unprotect. */
+  secretId: string
+}
+
 export type AddSecretOwnerRequest = {
   /**
    * Region to target. If none is passed will use default region from the