kpt-grpc-demo/google/cloud/functions/v1/functions.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.functions.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option go_package = "google.golang.org/genproto/googleapis/cloud/functions/v1;functions";
option java_multiple_files = true;
option java_outer_classname = "FunctionsProto";
option java_package = "com.google.cloud.functions.v1";
option objc_class_prefix = "GCF";
option (google.api.resource_definition) = {
  type: "artifactregistry.googleapis.com/Repository"
  pattern: "projects/{project}/locations/{location}/repositories/{repository}"
};
option (google.api.resource_definition) = {
  type: "cloudkms.googleapis.com/CryptoKey"
  pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
};

// A service that application uses to manipulate triggers and functions.
service CloudFunctionsService {
  option (google.api.default_host) = "cloudfunctions.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Returns a list of functions that belong to the requested project.
  rpc ListFunctions(ListFunctionsRequest) returns (ListFunctionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/functions"
    };
  }

  // Returns a function with the given name from the requested project.
  rpc GetFunction(GetFunctionRequest) returns (CloudFunction) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/functions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new function. If a function with the given name already exists in
  // the specified project, the long running operation will return
  // `ALREADY_EXISTS` error.
  rpc CreateFunction(CreateFunctionRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{location=projects/*/locations/*}/functions"
      body: "function"
    };
    option (google.api.method_signature) = "location,function";
    option (google.longrunning.operation_info) = {
      response_type: "CloudFunction"
      metadata_type: "OperationMetadataV1"
    };
  }

  // Updates existing function.
  rpc UpdateFunction(UpdateFunctionRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{function.name=projects/*/locations/*/functions/*}"
      body: "function"
    };
    option (google.api.method_signature) = "function";
    option (google.longrunning.operation_info) = {
      response_type: "CloudFunction"
      metadata_type: "OperationMetadataV1"
    };
  }

  // Deletes a function with the given name from the specified project. If the
  // given function is used by some trigger, the trigger will be updated to
  // remove this function.
  rpc DeleteFunction(DeleteFunctionRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/functions/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadataV1"
    };
  }

  // Synchronously invokes a deployed Cloud Function. To be used for testing
  // purposes as very limited traffic is allowed. For more information on
  // the actual limits, refer to
  // [Rate Limits](https://cloud.google.com/functions/quotas#rate_limits).
  rpc CallFunction(CallFunctionRequest) returns (CallFunctionResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/functions/*}:call"
      body: "*"
    };
    option (google.api.method_signature) = "name,data";
  }

  // Returns a signed URL for uploading a function source code.
  // For more information about the signed URL usage see:
  // https://cloud.google.com/storage/docs/access-control/signed-urls.
  // Once the function source code upload is complete, the used signed
  // URL should be provided in CreateFunction or UpdateFunction request
  // as a reference to the function source code.
  //
  // When uploading source code to the generated signed URL, please follow
  // these restrictions:
  //
  // * Source file type should be a zip file.
  // * Source file size should not exceed 100MB limit.
  // * No credentials should be attached - the signed URLs provide access to the
  //   target bucket using internal service identity; if credentials were
  //   attached, the identity from the credentials would be used, but that
  //   identity does not have permissions to upload files to the URL.
  //
  // When making a HTTP PUT request, these two headers need to be specified:
  //
  // * `content-type: application/zip`
  // * `x-goog-content-length-range: 0,104857600`
  //
  // And this header SHOULD NOT be specified:
  //
  // * `Authorization: Bearer YOUR_TOKEN`
  rpc GenerateUploadUrl(GenerateUploadUrlRequest) returns (GenerateUploadUrlResponse) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/functions:generateUploadUrl"
      body: "*"
    };
  }

  // Returns a signed URL for downloading deployed function source code.
  // The URL is only valid for a limited period and should be used within
  // minutes after generation.
  // For more information about the signed URL usage see:
  // https://cloud.google.com/storage/docs/access-control/signed-urls
  rpc GenerateDownloadUrl(GenerateDownloadUrlRequest) returns (GenerateDownloadUrlResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/functions/*}:generateDownloadUrl"
      body: "*"
    };
  }

  // Sets the IAM access control policy on the specified function.
  // Replaces any existing policy.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/functions/*}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the IAM access control policy for a function.
  // Returns an empty policy if the function exists and does not have a policy
  // set.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      get: "/v1/{resource=projects/*/locations/*/functions/*}:getIamPolicy"
    };
  }

  // Tests the specified permissions against the IAM access control policy
  // for a function.
  // If the function does not exist, this will return an empty set of
  // permissions, not a NOT_FOUND error.
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/functions/*}:testIamPermissions"
      body: "*"
    };
  }
}

// Describes a Cloud Function that contains user computation executed in
// response to an event. It encapsulate function and triggers configurations.
message CloudFunction {
  option (google.api.resource) = {
    type: "cloudfunctions.googleapis.com/CloudFunction"
    pattern: "projects/{project}/locations/{location}/functions/{function}"
  };

  // Available egress settings.
  //
  // This controls what traffic is diverted through the VPC Access Connector
  // resource. By default PRIVATE_RANGES_ONLY will be used.
  enum VpcConnectorEgressSettings {
    // Unspecified.
    VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED = 0;

    // Use the VPC Access Connector only for private IP space from RFC1918.
    PRIVATE_RANGES_ONLY = 1;

    // Force the use of VPC Access Connector for all egress traffic from the
    // function.
    ALL_TRAFFIC = 2;
  }

  // Available ingress settings.
  //
  // This controls what traffic can reach the function.
  //
  // If unspecified, ALLOW_ALL will be used.
  enum IngressSettings {
    // Unspecified.
    INGRESS_SETTINGS_UNSPECIFIED = 0;

    // Allow HTTP traffic from public and private sources.
    ALLOW_ALL = 1;

    // Allow HTTP traffic from only private VPC sources.
    ALLOW_INTERNAL_ONLY = 2;

    // Allow HTTP traffic from private VPC sources and through GCLB.
    ALLOW_INTERNAL_AND_GCLB = 3;
  }

  // Docker Registry to use for storing function Docker images.
  enum DockerRegistry {
    // Unspecified.
    DOCKER_REGISTRY_UNSPECIFIED = 0;

    // Docker images will be stored in multi-regional Container Registry
    // repositories named `gcf`.
    CONTAINER_REGISTRY = 1;

    // Docker images will be stored in regional Artifact Registry repositories.
    // By default, GCF will create and use repositories named `gcf-artifacts`
    // in every region in which a function is deployed. But the repository to
    // use can also be specified by the user using the `docker_repository`
    // field.
    ARTIFACT_REGISTRY = 2;
  }

  // A user-defined name of the function. Function names must be unique
  // globally and match pattern `projects/*/locations/*/functions/*`
  string name = 1;

  // User-provided description of a function.
  string description = 2;

  // The location of the function source code.
  oneof source_code {
    // The Google Cloud Storage URL, starting with `gs://`, pointing to the zip
    // archive which contains the function.
    string source_archive_url = 3;

    // **Beta Feature**
    //
    // The source repository where a function is hosted.
    SourceRepository source_repository = 4;

    // The Google Cloud Storage signed URL used for source uploading, generated
    // by calling [google.cloud.functions.v1.GenerateUploadUrl].
    //
    // The signature is validated on write methods (Create, Update)
    // The signature is stripped from the Function object on read methods (Get,
    // List)
    string source_upload_url = 16;
  }

  // An event that triggers the function.
  oneof trigger {
    // An HTTPS endpoint type of source that can be triggered via URL.
    HttpsTrigger https_trigger = 5;

    // A source that fires events in response to a condition in another service.
    EventTrigger event_trigger = 6;
  }

  // Output only. Status of the function deployment.
  CloudFunctionStatus status = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The name of the function (as defined in source code) that will be
  // executed. Defaults to the resource name suffix, if not specified. For
  // backward compatibility, if function with given name is not found, then the
  // system will try to use function named "function".
  // For Node.js this is name of a function exported by the module specified
  // in `source_location`.
  string entry_point = 8;

  // The runtime in which to run the function. Required when deploying a new
  // function, optional when updating an existing function. For a complete
  // list of possible choices, see the
  // [`gcloud` command
  // reference](https://cloud.google.com/sdk/gcloud/reference/functions/deploy#--runtime).
  string runtime = 19;

  // The function execution timeout. Execution is considered failed and
  // can be terminated if the function is not completed at the end of the
  // timeout period. Defaults to 60 seconds.
  google.protobuf.Duration timeout = 9;

  // The amount of memory in MB available for a function.
  // Defaults to 256MB.
  int32 available_memory_mb = 10;

  // The email of the function's service account. If empty, defaults to
  // `{project_id}@appspot.gserviceaccount.com`.
  string service_account_email = 11;

  // Output only. The last update timestamp of a Cloud Function.
  google.protobuf.Timestamp update_time = 12 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The version identifier of the Cloud Function. Each deployment attempt
  // results in a new version of a function being created.
  int64 version_id = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Labels associated with this Cloud Function.
  map<string, string> labels = 15;

  // Environment variables that shall be available during function execution.
  map<string, string> environment_variables = 17;

  // Build environment variables that shall be available during build time.
  map<string, string> build_environment_variables = 28;

  // The VPC Network that this cloud function can connect to. It can be
  // either the fully-qualified URI, or the short name of the network resource.
  // If the short network name is used, the network must belong to the same
  // project. Otherwise, it must belong to a project within the same
  // organization. The format of this field is either
  // `projects/{project}/global/networks/{network}` or `{network}`, where
  // `{project}` is a project id where the network is defined, and `{network}`
  // is the short name of the network.
  //
  // This field is mutually exclusive with `vpc_connector` and will be replaced
  // by it.
  //
  // See [the VPC documentation](https://cloud.google.com/compute/docs/vpc) for
  // more information on connecting Cloud projects.
  string network = 18;

  // The limit on the maximum number of function instances that may coexist at a
  // given time.
  //
  // In some cases, such as rapid traffic surges, Cloud Functions may, for a
  // short period of time, create more instances than the specified max
  // instances limit. If your function cannot tolerate this temporary behavior,
  // you may want to factor in a safety margin and set a lower max instances
  // value than your function can tolerate.
  //
  // See the [Max
  // Instances](https://cloud.google.com/functions/docs/max-instances) Guide for
  // more details.
  int32 max_instances = 20;

  // A lower bound for the number function instances that may coexist at a
  // given time.
  int32 min_instances = 32;

  // The VPC Network Connector that this cloud function can connect to. It can
  // be either the fully-qualified URI, or the short name of the network
  // connector resource. The format of this field is
  // `projects/*/locations/*/connectors/*`
  //
  // This field is mutually exclusive with `network` field and will eventually
  // replace it.
  //
  // See [the VPC documentation](https://cloud.google.com/compute/docs/vpc) for
  // more information on connecting Cloud projects.
  string vpc_connector = 22;

  // The egress settings for the connector, controlling what traffic is diverted
  // through it.
  VpcConnectorEgressSettings vpc_connector_egress_settings = 23;

  // The ingress settings for the function, controlling what traffic can reach
  // it.
  IngressSettings ingress_settings = 24;

  // Resource name of a KMS crypto key (managed by the user) used to
  // encrypt/decrypt function resources.
  //
  // It must match the pattern
  // `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`.
  //
  // If specified, you must also provide an artifact registry repository using
  // the `docker_repository` field that was created with the same KMS crypto
  // key.
  //
  // The following service accounts need to be granted the role 'Cloud KMS
  // CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)'
  // on the Key/KeyRing/Project/Organization (least access preferred).
  //
  // 1. Google Cloud Functions service account
  //    (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com) -
  //    Required to protect the function's image.
  // 2. Google Storage service account
  //    (service-{project_number}@gs-project-accounts.iam.gserviceaccount.com) -
  //    Required to protect the function's source code.
  //    If this service account does not exist, deploying a function without a
  //    KMS key or retrieving the service agent name provisions it. For more
  //    information, see
  //    https://cloud.google.com/storage/docs/projects#service-agents and
  //    https://cloud.google.com/storage/docs/getting-service-agent#gsutil.
  //
  // Google Cloud Functions delegates access to service agents to protect
  // function resources in internal projects that are not accessible by the
  // end user.
  string kms_key_name = 25 [(google.api.resource_reference) = {
                              type: "cloudkms.googleapis.com/CryptoKey"
                            }];

  // Name of the Cloud Build Custom Worker Pool that should be used to build the
  // function. The format of this field is
  // `projects/{project}/locations/{region}/workerPools/{workerPool}` where
  // `{project}` and `{region}` are the project id and region respectively where
  // the worker pool is defined and `{workerPool}` is the short name of the
  // worker pool.
  //
  // If the project id is not the same as the function, then the Cloud
  // Functions Service Agent
  // (`service-<project_number>@gcf-admin-robot.iam.gserviceaccount.com`) must
  // be granted the role Cloud Build Custom Workers Builder
  // (`roles/cloudbuild.customworkers.builder`) in the project.
  string build_worker_pool = 26;

  // Output only. The Cloud Build ID of the latest successful deployment of the
  // function.
  string build_id = 27 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The Cloud Build Name of the function deployment.
  // `projects/<project-number>/locations/<region>/builds/<build-id>`.
  string build_name = 33 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Secret environment variables configuration.
  repeated SecretEnvVar secret_environment_variables = 29;

  // Secret volumes configuration.
  repeated SecretVolume secret_volumes = 30;

  // Input only. An identifier for Firebase function sources. Disclaimer: This field is only
  // supported for Firebase function deployments.
  string source_token = 31 [(google.api.field_behavior) = INPUT_ONLY];

  // User managed repository created in Artifact Registry optionally with a
  // customer managed encryption key. If specified, deployments will use
  // Artifact Registry. If unspecified and the deployment is eligible to use
  // Artifact Registry, GCF will create and use a repository named
  // 'gcf-artifacts' for every deployed region. This is the repository to which
  // the function docker image will be pushed after it is built by Cloud Build.
  //
  // It must match the pattern
  // `projects/{project}/locations/{location}/repositories/{repository}`.
  //
  // Cross-project repositories are not supported.
  // Cross-location repositories are not supported.
  // Repository format must be 'DOCKER'.
  string docker_repository = 34 [(google.api.resource_reference) = {
                                   type: "artifactregistry.googleapis.com/Repository"
                                 }];

  // Docker Registry to use for this deployment.
  //
  // If `docker_repository` field is specified, this field will be automatically
  // set as `ARTIFACT_REGISTRY`.
  // If unspecified, it currently defaults to `CONTAINER_REGISTRY`.
  // This field may be overridden by the backend for eligible deployments.
  DockerRegistry docker_registry = 35;
}

// Describes SourceRepository, used to represent parameters related to
// source repository where a function is hosted.
message SourceRepository {
  // The URL pointing to the hosted repository where the function is defined.
  // There are supported Cloud Source Repository URLs in the following
  // formats:
  //
  // To refer to a specific commit:
  // `https://source.developers.google.com/projects/*/repos/*/revisions/*/paths/*`
  // To refer to a moveable alias (branch):
  // `https://source.developers.google.com/projects/*/repos/*/moveable-aliases/*/paths/*`
  // In particular, to refer to HEAD use `master` moveable alias.
  // To refer to a specific fixed alias (tag):
  // `https://source.developers.google.com/projects/*/repos/*/fixed-aliases/*/paths/*`
  //
  // You may omit `paths/*` if you want to use the main directory.
  string url = 1;

  // Output only. The URL pointing to the hosted repository where the function
  // were defined at the time of deployment. It always points to a specific
  // commit in the format described above.
  string deployed_url = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Describes HttpsTrigger, could be used to connect web hooks to function.
message HttpsTrigger {
  // Available security level settings.
  //
  // This controls the methods to enforce security (HTTPS) on a URL.
  //
  // If unspecified, SECURE_OPTIONAL will be used.
  enum SecurityLevel {
    // Unspecified.
    SECURITY_LEVEL_UNSPECIFIED = 0;

    // Requests for a URL that match this handler that do not use HTTPS are
    // automatically redirected to the HTTPS URL with the same path. Query
    // parameters are reserved for the redirect.
    SECURE_ALWAYS = 1;

    // Both HTTP and HTTPS requests with URLs that match the handler succeed
    // without redirects. The application can examine the request to determine
    // which protocol was used and respond accordingly.
    SECURE_OPTIONAL = 2;
  }

  // Output only. The deployed url for the function.
  string url = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The security level for the function.
  SecurityLevel security_level = 2;
}

// Describes EventTrigger, used to request events be sent from another
// service.
message EventTrigger {
  // Required. The type of event to observe. For example:
  // `providers/cloud.storage/eventTypes/object.change` and
  // `providers/cloud.pubsub/eventTypes/topic.publish`.
  //
  // Event types match pattern `providers/*/eventTypes/*.*`.
  // The pattern contains:
  //
  // 1. namespace: For example, `cloud.storage` and
  //    `google.firebase.analytics`.
  // 2. resource type: The type of resource on which event occurs. For
  //    example, the Google Cloud Storage API includes the type `object`.
  // 3. action: The action that generates the event. For example, action for
  //    a Google Cloud Storage Object is 'change'.
  // These parts are lower case.
  string event_type = 1;

  // Required. The resource(s) from which to observe events, for example,
  // `projects/_/buckets/myBucket`.
  //
  // Not all syntactically correct values are accepted by all services. For
  // example:
  //
  // 1. The authorization model must support it. Google Cloud Functions
  //    only allows EventTriggers to be deployed that observe resources in the
  //    same project as the `CloudFunction`.
  // 2. The resource type must match the pattern expected for an
  //    `event_type`. For example, an `EventTrigger` that has an
  //    `event_type` of "google.pubsub.topic.publish" should have a resource
  //    that matches Google Cloud Pub/Sub topics.
  //
  // Additionally, some services may support short names when creating an
  // `EventTrigger`. These will always be returned in the normalized "long"
  // format.
  //
  // See each *service's* documentation for supported formats.
  string resource = 2;

  // The hostname of the service that should be observed.
  //
  // If no string is provided, the default service implementing the API will
  // be used. For example, `storage.googleapis.com` is the default for all
  // event types in the `google.storage` namespace.
  string service = 3;

  // Specifies policy for failed executions.
  FailurePolicy failure_policy = 5;
}

// Describes the policy in case of function's execution failure.
// If empty, then defaults to ignoring failures (i.e. not retrying them).
message FailurePolicy {
  // Describes the retry policy in case of function's execution failure.
  // A function execution will be retried on any failure.
  // A failed execution will be retried up to 7 days with an exponential backoff
  // (capped at 10 seconds).
  // Retried execution is charged as any other execution.
  message Retry {

  }

  // Defines the action taken in case of a function execution failure.
  oneof action {
    // If specified, then the function will be retried in case of a failure.
    Retry retry = 1;
  }
}

// Describes the current stage of a deployment.
enum CloudFunctionStatus {
  // Not specified. Invalid state.
  CLOUD_FUNCTION_STATUS_UNSPECIFIED = 0;

  // Function has been successfully deployed and is serving.
  ACTIVE = 1;

  // Function deployment failed and the function isn’t serving.
  OFFLINE = 2;

  // Function is being created or updated.
  DEPLOY_IN_PROGRESS = 3;

  // Function is being deleted.
  DELETE_IN_PROGRESS = 4;

  // Function deployment failed and the function serving state is undefined.
  // The function should be updated or deleted to move it out of this state.
  UNKNOWN = 5;
}

// Configuration for a secret environment variable. It has the information
// necessary to fetch the secret value from secret manager and expose it as an
// environment variable.
message SecretEnvVar {
  // Name of the environment variable.
  string key = 1;

  // Project identifier (preferrably project number but can also be the project
  // ID) of the project that contains the secret. If not set, it will be
  // populated with the function's project assuming that the secret exists in
  // the same project as of the function.
  string project_id = 2;

  // Name of the secret in secret manager (not the full resource name).
  string secret = 3;

  // Version of the secret (version number or the string 'latest'). It is
  // recommended to use a numeric version for secret environment variables as
  // any updates to the secret value is not reflected until new instances start.
  string version = 4;
}

// Configuration for a secret volume. It has the information necessary to fetch
// the secret value from secret manager and make it available as files mounted
// at the requested paths within the application container. Secret value is not
// a part of the configuration. Every filesystem read operation performs a
// lookup in secret manager to retrieve the secret value.
message SecretVolume {
  // Configuration for a single version.
  message SecretVersion {
    // Version of the secret (version number or the string 'latest'). It is
    // preferrable to use `latest` version with secret volumes as secret value
    // changes are reflected immediately.
    string version = 1;

    // Relative path of the file under the mount path where the secret value for
    // this version will be fetched and made available. For example, setting the
    // mount_path as '/etc/secrets' and path as `/secret_foo` would mount the
    // secret value file at `/etc/secrets/secret_foo`.
    string path = 2;
  }

  // The path within the container to mount the secret volume. For example,
  // setting the mount_path as `/etc/secrets` would mount the secret value files
  // under the `/etc/secrets` directory. This directory will also be completely
  // shadowed and unavailable to mount any other secrets.
  //
  // Recommended mount paths: /etc/secrets
  // Restricted mount paths: /cloudsql, /dev/log, /pod, /proc, /var/log
  string mount_path = 1;

  // Project identifier (preferrably project number but can also be the project
  // ID) of the project that contains the secret. If not set, it will be
  // populated with the function's project assuming that the secret exists in
  // the same project as of the function.
  string project_id = 2;

  // Name of the secret in secret manager (not the full resource name).
  string secret = 3;

  // List of secret versions to mount for this secret. If empty, the `latest`
  // version of the secret will be made available in a file named after the
  // secret under the mount point.
  repeated SecretVersion versions = 4;
}

// Request for the `CreateFunction` method.
message CreateFunctionRequest {
  // Required. The project and location in which the function should be created, specified
  // in the format `projects/*/locations/*`
  string location = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. Function to be created.
  CloudFunction function = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request for the `UpdateFunction` method.
message UpdateFunctionRequest {
  // Required. New version of the function.
  CloudFunction function = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields in `CloudFunction` that have to be updated.
  google.protobuf.FieldMask update_mask = 2;
}

// Request for the `GetFunction` method.
message GetFunctionRequest {
  // Required. The name of the function which details should be obtained.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudfunctions.googleapis.com/CloudFunction"
    }
  ];
}

// Request for the `ListFunctions` method.
message ListFunctionsRequest {
  // The project and location from which the function should be listed,
  // specified in the format `projects/*/locations/*`
  // If you want to list functions in all locations, use "-" in place of a
  // location. When listing functions in all locations, if one or more
  // location(s) are unreachable, the response will contain functions from all
  // reachable locations along with the names of any unreachable locations.
  string parent = 1 [(google.api.resource_reference) = {
                       type: "locations.googleapis.com/Location"
                     }];

  // Maximum number of functions to return per call.
  int32 page_size = 2;

  // The value returned by the last
  // `ListFunctionsResponse`; indicates that
  // this is a continuation of a prior `ListFunctions` call, and that the
  // system should return the next page of data.
  string page_token = 3;
}

// Response for the `ListFunctions` method.
message ListFunctionsResponse {
  // The functions that match the request.
  repeated CloudFunction functions = 1;

  // If not empty, indicates that there may be more functions that match
  // the request; this value should be passed in a new
  // [google.cloud.functions.v1.ListFunctionsRequest][google.cloud.functions.v1.ListFunctionsRequest]
  // to get more functions.
  string next_page_token = 2;

  // Locations that could not be reached. The response does not include any
  // functions from these locations.
  repeated string unreachable = 3;
}

// Request for the `DeleteFunction` method.
message DeleteFunctionRequest {
  // Required. The name of the function which should be deleted.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudfunctions.googleapis.com/CloudFunction"
    }
  ];
}

// Request for the `CallFunction` method.
message CallFunctionRequest {
  // Required. The name of the function to be called.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudfunctions.googleapis.com/CloudFunction"
    }
  ];

  // Required. Input to be passed to the function.
  string data = 2 [(google.api.field_behavior) = REQUIRED];
}

// Response of `CallFunction` method.
message CallFunctionResponse {
  // Execution id of function invocation.
  string execution_id = 1;

  // Result populated for successful execution of synchronous function. Will
  // not be populated if function does not return a result through context.
  string result = 2;

  // Either system or user-function generated error. Set if execution
  // was not successful.
  string error = 3;
}

// Request of `GenerateSourceUploadUrl` method.
message GenerateUploadUrlRequest {
  // The project and location in which the Google Cloud Storage signed URL
  // should be generated, specified in the format `projects/*/locations/*`.
  string parent = 1;

  // Resource name of a KMS crypto key (managed by the user) used to
  // encrypt/decrypt function source code objects in staging Cloud Storage
  // buckets. When you generate an upload url and upload your source code, it
  // gets copied to a staging Cloud Storage bucket in an internal regional
  // project. The source code is then copied to a versioned directory in the
  // sources bucket in the consumer project during the function deployment.
  //
  // It must match the pattern
  // `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`.
  //
  // The Google Cloud Functions service account
  // (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com) must be
  // granted the role 'Cloud KMS CryptoKey Encrypter/Decrypter
  // (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the
  // Key/KeyRing/Project/Organization (least access preferred). GCF will
  // delegate access to the Google Storage service account in the internal
  // project.
  string kms_key_name = 2 [(google.api.resource_reference) = {
                             type: "cloudkms.googleapis.com/CryptoKey"
                           }];
}

// Response of `GenerateSourceUploadUrl` method.
message GenerateUploadUrlResponse {
  // The generated Google Cloud Storage signed URL that should be used for a
  // function source code upload. The uploaded file should be a zip archive
  // which contains a function.
  string upload_url = 1;
}

// Request of `GenerateDownloadUrl` method.
message GenerateDownloadUrlRequest {
  // The name of function for which source code Google Cloud Storage signed
  // URL should be generated.
  string name = 1;

  // The optional version of function. If not set, default, current version
  // is used.
  uint64 version_id = 2;
}

// Response of `GenerateDownloadUrl` method.
message GenerateDownloadUrlResponse {
  // The generated Google Cloud Storage signed URL that should be used for
  // function source code download.
  string download_url = 1;
}