Update cloud-api protos to v0.14.0 (#1240)

* Update cloud-api protos to v0.14.0

Author: chndler

crates/client/src/grpc.rs

@@ -521,6 +521,10 @@ macro_rules! proxier_impl {
         }
         dyn_clone::clone_trait_object!($trait_name);
 
+        // `allow(deprecated)`: upstream proto deprecations (e.g. cloud-api
+        // AddNamespaceRegion) generate calls to deprecated tonic client
+        // methods inside the impls; we still wire them for back-compat.
+        #[allow(deprecated)]
         impl<RC> $trait_name for RC
         where
             RC: RawGrpcCaller + RawClientProducer + Clone + Unpin,
@@ -533,6 +537,7 @@ macro_rules! proxier_impl {
 
         impl<T: Send + Sync + 'static> RawGrpcCaller for $client_type<T> {}
 
+        #[allow(deprecated)]
         impl<T> $trait_name for $client_type<T>
         where
             T: GrpcService<Body> + Clone + Send + Sync + 'static,
@@ -1798,6 +1803,11 @@ proxier! {
     (get_namespace_capacity_info, cloudreq::GetNamespaceCapacityInfoRequest, cloudreq::GetNamespaceCapacityInfoResponse);
     (create_billing_report, cloudreq::CreateBillingReportRequest, cloudreq::CreateBillingReportResponse);
     (get_billing_report, cloudreq::GetBillingReportRequest, cloudreq::GetBillingReportResponse);
+    (get_custom_roles, cloudreq::GetCustomRolesRequest, cloudreq::GetCustomRolesResponse);
+    (get_custom_role, cloudreq::GetCustomRoleRequest, cloudreq::GetCustomRoleResponse);
+    (create_custom_role, cloudreq::CreateCustomRoleRequest, cloudreq::CreateCustomRoleResponse);
+    (update_custom_role, cloudreq::UpdateCustomRoleRequest, cloudreq::UpdateCustomRoleResponse);
+    (delete_custom_role, cloudreq::DeleteCustomRoleRequest, cloudreq::DeleteCustomRoleResponse);
 }
 
 proxier! {

crates/common/protos/api_cloud_upstream/README.md

@@ -15,7 +15,7 @@ To use the Cloud Ops API in your project, preform the following 4 steps:
 
 The client is expected to pass in a `temporal-cloud-api-version` header with the api version identifier with every request it makes to the apis. The backend will use the version to safely mutate resources. The `temporal:versioning:min_version` label specifies the minimum version of the API that supports the field.
 
-Current Version `v0.7.1`
+Current Version `v0.14.0`
 
 ### URL
 

crates/common/protos/api_cloud_upstream/VERSION

@@ -1 +1 @@
-v0.12.0
+v0.14.0

crates/common/protos/api_cloud_upstream/temporal/api/cloud/cloudservice/v1/request_response.proto

@@ -1093,4 +1093,78 @@ message GetBillingReportRequest {
 message GetBillingReportResponse {
     // The billing report retrieved.
     temporal.api.cloud.billing.v1.BillingReport billing_report = 1;
-}
+}
+
+message GetCustomRolesRequest {
+    // The requested size of the page to retrieve.
+    // Cannot exceed 1000. Defaults to 100.
+    int32 page_size = 1;
+    // The page token if this is continuing from another response.
+    string page_token = 2;
+}
+
+message GetCustomRolesResponse {
+    // The list of custom roles in ascending ID order.
+    repeated temporal.api.cloud.identity.v1.CustomRole custom_roles = 1;
+    // The next page token.
+    string next_page_token = 2;
+}
+
+message GetCustomRoleRequest {
+    // The ID of the custom role to retrieve.
+    string role_id = 1;
+}
+
+message GetCustomRoleResponse {
+    // The custom role retrieved.
+    temporal.api.cloud.identity.v1.CustomRole custom_role = 1;
+}
+
+message CreateCustomRoleRequest {
+    // The specification for the custom role to create.
+    temporal.api.cloud.identity.v1.CustomRoleSpec spec = 1;
+    // The ID to use for this async operation.
+    // Optional, if not provided a random ID will be generated.
+    string async_operation_id = 2;
+}
+
+message CreateCustomRoleResponse {
+    // The ID of the custom role created.
+    string role_id = 1;
+    // The async operation.
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 2;
+}
+
+message UpdateCustomRoleRequest {
+    // The ID of the custom role to update.
+    string role_id = 1;
+    // The new custom role specification.
+    temporal.api.cloud.identity.v1.CustomRoleSpec spec = 2;
+    // The version of the custom role for which this update is intended.
+    // The latest version can be found in the GetCustomRole operation response.
+    string resource_version = 3;
+    // The ID to use for this async operation.
+    // Optional, if not provided a random ID will be generated.
+    string async_operation_id = 4;
+}
+
+message UpdateCustomRoleResponse {
+    // The async operation.
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
+}
+
+message DeleteCustomRoleRequest {
+    // The ID of the custom role to delete.
+    string role_id = 1;
+    // The version of the custom role for which this delete is intended.
+    // The latest version can be found in the GetCustomRole operation response.
+    string resource_version = 2;
+    // The ID to use for this async operation.
+    // Optional, if not provided a random ID will be generated.
+    string async_operation_id = 3;
+}
+
+message DeleteCustomRoleResponse {
+    // The async operation.
+    temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
+}

crates/common/protos/api_cloud_upstream/temporal/api/cloud/cloudservice/v1/service.proto

@@ -48,6 +48,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
         {name: "Connectivity Rules"; description: "Manage network connectivity rules"},
         {name: "Regions"; description: "Query available regions"},
         {name: "Account"; description: "Manage account settings and usage"},
+        {name: "Custom Roles"; description: "Manage custom roles and their permissions"},
         {name: "Operations"; description: "Query async operation status"}
     ];
 };
@@ -285,7 +286,9 @@ service CloudService {
     }
 
     // Add a new region to a namespace
+    // Deprecated: Use the UpdateNamespace() to add new replica in the namespace spec instead.
     rpc AddNamespaceRegion (AddNamespaceRegionRequest) returns (AddNamespaceRegionResponse) {
+        option deprecated = true;
         option (google.api.http) = {
             post: "/cloud/namespaces/{namespace}/add-region",
             body: "*"
@@ -302,7 +305,9 @@ service CloudService {
     }
 
     // Delete a region from a namespace
+    // Deprecated: Use the UpdateNamespace() to delete a replica in the namespace spec instead.
     rpc DeleteNamespaceRegion (DeleteNamespaceRegionRequest) returns (DeleteNamespaceRegionResponse) {
+        option deprecated = true;
         option (google.api.http) = {
             delete: "/cloud/namespaces/{namespace}/regions/{region}",
         };
@@ -1153,4 +1158,86 @@ service CloudService {
             };
         };
     }
+
+    // Get custom roles
+    rpc GetCustomRoles(GetCustomRolesRequest) returns (GetCustomRolesResponse) {
+        option (google.api.http) = {
+            get: "/cloud/custom-roles"
+        };
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Custom Roles"];
+            summary: "List custom roles";
+            description: "Returns a list of custom roles in the account";
+            external_docs: {
+                url: "https://docs.temporal.io/cloud/custom-roles";
+                description: "Custom roles documentation";
+            };
+        };
+    }
+
+    // Get a custom role
+    rpc GetCustomRole(GetCustomRoleRequest) returns (GetCustomRoleResponse) {
+        option (google.api.http) = {
+            get: "/cloud/custom-roles/{role_id}"
+        };
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Custom Roles"];
+            summary: "Get custom role by ID";
+            description: "Returns details for a specific custom role";
+            external_docs: {
+                url: "https://docs.temporal.io/cloud/custom-roles";
+                description: "Custom roles documentation";
+            };
+        };
+    }
+
+    // Create a custom role
+    rpc CreateCustomRole(CreateCustomRoleRequest) returns (CreateCustomRoleResponse) {
+        option (google.api.http) = {
+            post: "/cloud/custom-roles"
+            body: "*"
+        };
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Custom Roles"];
+            summary: "Create a custom role";
+            description: "Creates a new custom role in the account";
+            external_docs: {
+                url: "https://docs.temporal.io/cloud/custom-roles";
+                description: "Custom roles documentation";
+            };
+        };
+    }
+
+    // Update a custom role
+    rpc UpdateCustomRole(UpdateCustomRoleRequest) returns (UpdateCustomRoleResponse) {
+        option (google.api.http) = {
+            post: "/cloud/custom-roles/{role_id}"
+            body: "*"
+        };
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Custom Roles"];
+            summary: "Update a custom role";
+            description: "Updates an existing custom role";
+            external_docs: {
+                url: "https://docs.temporal.io/cloud/custom-roles";
+                description: "Custom roles documentation";
+            };
+        };
+    }
+
+    // Delete a custom role
+    rpc DeleteCustomRole(DeleteCustomRoleRequest) returns (DeleteCustomRoleResponse) {
+        option (google.api.http) = {
+            delete: "/cloud/custom-roles/{role_id}"
+        };
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Custom Roles"];
+            summary: "Delete a custom role";
+            description: "Deletes a custom role from the account";
+            external_docs: {
+                url: "https://docs.temporal.io/cloud/custom-roles";
+                description: "Custom roles documentation";
+            };
+        };
+    }
 }

crates/common/protos/api_cloud_upstream/temporal/api/cloud/identity/v1/message.proto

@@ -37,6 +37,10 @@ message AccountAccess {
         ROLE_READ = 5; // Gives read only access to the account.
         ROLE_METRICS_READ = 6; // Gives read only access to the account metrics.
     }
+
+    // List of custom role IDs assigned to the user or service account.
+    // temporal:versioning:min_version=v0.13.0
+    repeated string custom_roles = 3;
 }
 
 message NamespaceAccess {
@@ -73,6 +77,10 @@ message Access {
     // The map of namespace accesses
     // The key is the namespace name and the value is the access to the namespace
     map<string, NamespaceAccess> namespace_accesses = 2;
+    // List of custom role IDs assigned to the user or service account.
+    // Deprecated: Not supported after v0.12.0 api version. Use account_access.custom_roles instead.
+    // temporal:versioning:max_version=v0.12.0
+    repeated string custom_roles_deprecated = 4 [deprecated = true];
 }
 
 message NamespaceScopedAccess {
@@ -294,3 +302,48 @@ message ApiKeySpec {
     // True if the API key is disabled.
     bool disabled = 6;
 }
+
+message CustomRoleSpec {
+    // The name of the custom role.
+    string name = 1;
+    // The description of the custom role.
+    string description = 2;
+    // The permissions assigned to the custom role.
+    repeated Permission permissions = 3;
+
+    message Resources {
+        // The resource type the permission applies to.
+        string resource_type = 1;
+        // The resource IDs the permission applies to. Can be empty if allow_all is true.
+        repeated string resource_ids = 2;
+        // Whether the permission applies to all resources of the given type.
+        bool allow_all = 3;
+    }
+
+    message Permission {
+        // The resources the permission applies to.
+        Resources resources = 1;
+        // The actions allowed by the permission.
+        repeated string actions = 2;
+    }
+}
+
+message CustomRole {
+    // The id of the custom role.
+    string id = 1;
+    // The current version of the custom role specification.
+    // The next update operation will have to include this version.
+    string resource_version = 2;
+    // The custom role specification.
+    CustomRoleSpec spec = 3;
+    // The current state of the custom role.
+    // For any failed state, reach out to Temporal Cloud support for remediation.
+    temporal.api.cloud.resource.v1.ResourceState state = 4;
+    // The id of the async operation that is creating/updating/deleting the custom role, if any.
+    string async_operation_id = 5;
+    // The date and time when the custom role was created.
+    google.protobuf.Timestamp created_time = 6;
+    // The date and time when the custom role was last modified.
+    // Will not be set if the custom role has never been modified.
+    google.protobuf.Timestamp last_modified_time = 7;
+}