feat(s2s_vpn): use secret manager to store connection psk (#1337)

scaleway-bot · web-flow · commit f1ffd141b322 · 2025-10-28T14:58:22.000Z
diff --git a/scaleway-async/scaleway_async/s2s_vpn/v1alpha1/marshalling.py b/scaleway-async/scaleway_async/s2s_vpn/v1alpha1/marshalling.py
@@ -154,6 +154,24 @@ def unmarshal_Connection(data: Any) -> Connection:
     else:
         args["is_ipv6"] = False
 
+    field = data.get("initiation_policy", None)
+    if field is not None:
+        args["initiation_policy"] = field
+    else:
+        args["initiation_policy"] = ConnectionInitiationPolicy.UNKNOWN_INITIATION_POLICY
+
+    field = data.get("secret_id", None)
+    if field is not None:
+        args["secret_id"] = field
+    else:
+        args["secret_id"] = None
+
+    field = data.get("secret_revision", None)
+    if field is not None:
+        args["secret_revision"] = field
+    else:
+        args["secret_revision"] = 0
+
     field = data.get("created_at", None)
     if field is not None:
         args["created_at"] = parser.isoparse(field) if isinstance(field, str) else field
@@ -166,12 +184,6 @@ def unmarshal_Connection(data: Any) -> Connection:
     else:
         args["updated_at"] = None
 
-    field = data.get("initiation_policy", None)
-    if field is not None:
-        args["initiation_policy"] = field
-    else:
-        args["initiation_policy"] = ConnectionInitiationPolicy.UNKNOWN_INITIATION_POLICY
-
     field = data.get("ikev2_ciphers", None)
     if field is not None:
         args["ikev2_ciphers"] = (
@@ -564,18 +576,18 @@ def unmarshal_CreateConnectionResponse(data: Any) -> CreateConnectionResponse:
 
     args: dict[str, Any] = {}
 
-    field = data.get("pre_shared_key", None)
-    if field is not None:
-        args["pre_shared_key"] = field
-    else:
-        args["pre_shared_key"] = None
-
     field = data.get("connection", None)
     if field is not None:
         args["connection"] = unmarshal_Connection(field)
     else:
         args["connection"] = None
 
+    field = data.get("pre_shared_key", None)
+    if field is not None:
+        args["pre_shared_key"] = field
+    else:
+        args["pre_shared_key"] = None
+
     return CreateConnectionResponse(**args)
 
 
@@ -747,18 +759,18 @@ def unmarshal_RenewConnectionPskResponse(data: Any) -> RenewConnectionPskRespons
 
     args: dict[str, Any] = {}
 
-    field = data.get("pre_shared_key", None)
-    if field is not None:
-        args["pre_shared_key"] = field
-    else:
-        args["pre_shared_key"] = None
-
     field = data.get("connection", None)
     if field is not None:
         args["connection"] = unmarshal_Connection(field)
     else:
         args["connection"] = None
 
+    field = data.get("pre_shared_key", None)
+    if field is not None:
+        args["pre_shared_key"] = field
+    else:
+        args["pre_shared_key"] = None
+
     return RenewConnectionPskResponse(**args)
 
 
diff --git a/scaleway-async/scaleway_async/s2s_vpn/v1alpha1/types.py b/scaleway-async/scaleway_async/s2s_vpn/v1alpha1/types.py
@@ -237,6 +237,16 @@ class Connection:
     Who initiates the IPsec tunnel.
     """
 
+    secret_id: str
+    """
+    ID of the secret in Secret Manager which contains the PSK.
+    """
+
+    secret_revision: int
+    """
+    Version number of the secret in Secret Manager which contains the PSK.
+    """
+
     ikev2_ciphers: list[ConnectionCipher]
     """
     List of IKE v2 ciphers proposed for the IPsec tunnel.
@@ -593,14 +603,14 @@ class CreateConnectionRequest:
 
 @dataclass
 class CreateConnectionResponse:
-    pre_shared_key: str
+    connection: Optional[Connection] = None
     """
-    New PSK generated for this connection.
+    This connection.
     """
 
-    connection: Optional[Connection] = None
+    pre_shared_key: Optional[str] = None
     """
-    This connection.
+    Deprecated, use secret_id & secret_revision fields.
     """
 
 
@@ -1178,14 +1188,14 @@ class RenewConnectionPskRequest:
 
 @dataclass
 class RenewConnectionPskResponse:
-    pre_shared_key: str
+    connection: Optional[Connection] = None
     """
-    New PSK generated for this connection.
+    This connection.
     """
 
-    connection: Optional[Connection] = None
+    pre_shared_key: Optional[str] = None
     """
-    This connection.
+    Deprecated, use secret_id & secret_revision fields.
     """
 
 
diff --git a/scaleway/scaleway/s2s_vpn/v1alpha1/marshalling.py b/scaleway/scaleway/s2s_vpn/v1alpha1/marshalling.py
@@ -154,6 +154,24 @@ def unmarshal_Connection(data: Any) -> Connection:
     else:
         args["is_ipv6"] = False
 
+    field = data.get("initiation_policy", None)
+    if field is not None:
+        args["initiation_policy"] = field
+    else:
+        args["initiation_policy"] = ConnectionInitiationPolicy.UNKNOWN_INITIATION_POLICY
+
+    field = data.get("secret_id", None)
+    if field is not None:
+        args["secret_id"] = field
+    else:
+        args["secret_id"] = None
+
+    field = data.get("secret_revision", None)
+    if field is not None:
+        args["secret_revision"] = field
+    else:
+        args["secret_revision"] = 0
+
     field = data.get("created_at", None)
     if field is not None:
         args["created_at"] = parser.isoparse(field) if isinstance(field, str) else field
@@ -166,12 +184,6 @@ def unmarshal_Connection(data: Any) -> Connection:
     else:
         args["updated_at"] = None
 
-    field = data.get("initiation_policy", None)
-    if field is not None:
-        args["initiation_policy"] = field
-    else:
-        args["initiation_policy"] = ConnectionInitiationPolicy.UNKNOWN_INITIATION_POLICY
-
     field = data.get("ikev2_ciphers", None)
     if field is not None:
         args["ikev2_ciphers"] = (
@@ -564,18 +576,18 @@ def unmarshal_CreateConnectionResponse(data: Any) -> CreateConnectionResponse:
 
     args: dict[str, Any] = {}
 
-    field = data.get("pre_shared_key", None)
-    if field is not None:
-        args["pre_shared_key"] = field
-    else:
-        args["pre_shared_key"] = None
-
     field = data.get("connection", None)
     if field is not None:
         args["connection"] = unmarshal_Connection(field)
     else:
         args["connection"] = None
 
+    field = data.get("pre_shared_key", None)
+    if field is not None:
+        args["pre_shared_key"] = field
+    else:
+        args["pre_shared_key"] = None
+
     return CreateConnectionResponse(**args)
 
 
@@ -747,18 +759,18 @@ def unmarshal_RenewConnectionPskResponse(data: Any) -> RenewConnectionPskRespons
 
     args: dict[str, Any] = {}
 
-    field = data.get("pre_shared_key", None)
-    if field is not None:
-        args["pre_shared_key"] = field
-    else:
-        args["pre_shared_key"] = None
-
     field = data.get("connection", None)
     if field is not None:
         args["connection"] = unmarshal_Connection(field)
     else:
         args["connection"] = None
 
+    field = data.get("pre_shared_key", None)
+    if field is not None:
+        args["pre_shared_key"] = field
+    else:
+        args["pre_shared_key"] = None
+
     return RenewConnectionPskResponse(**args)
 
 
diff --git a/scaleway/scaleway/s2s_vpn/v1alpha1/types.py b/scaleway/scaleway/s2s_vpn/v1alpha1/types.py
@@ -237,6 +237,16 @@ class Connection:
     Who initiates the IPsec tunnel.
     """
 
+    secret_id: str
+    """
+    ID of the secret in Secret Manager which contains the PSK.
+    """
+
+    secret_revision: int
+    """
+    Version number of the secret in Secret Manager which contains the PSK.
+    """
+
     ikev2_ciphers: list[ConnectionCipher]
     """
     List of IKE v2 ciphers proposed for the IPsec tunnel.
@@ -593,14 +603,14 @@ class CreateConnectionRequest:
 
 @dataclass
 class CreateConnectionResponse:
-    pre_shared_key: str
+    connection: Optional[Connection] = None
     """
-    New PSK generated for this connection.
+    This connection.
     """
 
-    connection: Optional[Connection] = None
+    pre_shared_key: Optional[str] = None
     """
-    This connection.
+    Deprecated, use secret_id & secret_revision fields.
     """
 
 
@@ -1178,14 +1188,14 @@ class RenewConnectionPskRequest:
 
 @dataclass
 class RenewConnectionPskResponse:
-    pre_shared_key: str
+    connection: Optional[Connection] = None
     """
-    New PSK generated for this connection.
+    This connection.
     """
 
-    connection: Optional[Connection] = None
+    pre_shared_key: Optional[str] = None
     """
-    This connection.
+    Deprecated, use secret_id & secret_revision fields.
     """
 
 
