feat: [Kms] add the SingleTenantHsm functionality including the management API and resource types (#8871)

* feat: add the SingleTenantHsm functionality including the management API and resource types
docs: A comment for field `crypto_key_backend` in message `.google.cloud.kms.v1.CryptoKey` is expanded to include SingleTenantHsmInstances
docs: A comment for enum value `MODIFIED_CUSTOMER_INITIATED_ACCESS` in enum `AccessReason` is changed
docs: A comment for enum value `MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION` in enum `AccessReason` is changed

PiperOrigin-RevId: 858582271

Source-Link: googleapis/googleapis@d9f058d

Source-Link: googleapis/googleapis-gen@6399b00
Copy-Tag: eyJwIjoiS21zLy5Pd2xCb3QueWFtbCIsImgiOiI2Mzk5YjAwYThkMDhlYWUwZGU5ODJhZGY3NTNkYjYxZjFjMzg0N2UyIn0=

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

Kms/metadata/V1/HsmManagement.php

@@ -0,0 +1,106 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_HsmManagement_ApproveSingleTenantHsmInstanceProposal_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\ApproveSingleTenantHsmInstanceProposalRequest;
+use Google\Cloud\Kms\V1\ApproveSingleTenantHsmInstanceProposalRequest\QuorumReply;
+use Google\Cloud\Kms\V1\ApproveSingleTenantHsmInstanceProposalResponse;
+use Google\Cloud\Kms\V1\ChallengeReply;
+use Google\Cloud\Kms\V1\Client\HsmManagementClient;
+
+/**
+ * Approves a
+ * [SingleTenantHsmInstanceProposal][google.cloud.kms.v1.SingleTenantHsmInstanceProposal]
+ * for a given
+ * [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance]. The
+ * proposal must be in the
+ * [PENDING][google.cloud.kms.v1.SingleTenantHsmInstanceProposal.State.PENDING]
+ * state.
+ *
+ * @param string $formattedName                              The
+ *                                                           [name][google.cloud.kms.v1.SingleTenantHsmInstanceProposal.name] of the
+ *                                                           [SingleTenantHsmInstanceProposal][google.cloud.kms.v1.SingleTenantHsmInstanceProposal]
+ *                                                           to approve. Please see
+ *                                                           {@see HsmManagementClient::singleTenantHsmInstanceProposalName()} for help formatting this field.
+ * @param string $quorumReplyChallengeRepliesSignedChallenge The signed challenge associated with the 2FA key.
+ *                                                           The signature must be RSASSA-PKCS1 v1.5 with a SHA256 digest.
+ * @param string $quorumReplyChallengeRepliesPublicKeyPem    The public key associated with the 2FA key.
+ */
+function approve_single_tenant_hsm_instance_proposal_sample(
+    string $formattedName,
+    string $quorumReplyChallengeRepliesSignedChallenge,
+    string $quorumReplyChallengeRepliesPublicKeyPem
+): void {
+    // Create a client.
+    $hsmManagementClient = new HsmManagementClient();
+
+    // Prepare the request message.
+    $challengeReply = (new ChallengeReply())
+        ->setSignedChallenge($quorumReplyChallengeRepliesSignedChallenge)
+        ->setPublicKeyPem($quorumReplyChallengeRepliesPublicKeyPem);
+    $quorumReplyChallengeReplies = [$challengeReply,];
+    $quorumReply = (new QuorumReply())
+        ->setChallengeReplies($quorumReplyChallengeReplies);
+    $request = (new ApproveSingleTenantHsmInstanceProposalRequest())
+        ->setName($formattedName)
+        ->setQuorumReply($quorumReply);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var ApproveSingleTenantHsmInstanceProposalResponse $response */
+        $response = $hsmManagementClient->approveSingleTenantHsmInstanceProposal($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = HsmManagementClient::singleTenantHsmInstanceProposalName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[SINGLE_TENANT_HSM_INSTANCE]',
+        '[PROPOSAL]'
+    );
+    $quorumReplyChallengeRepliesSignedChallenge = '...';
+    $quorumReplyChallengeRepliesPublicKeyPem = '[PUBLIC_KEY_PEM]';
+
+    approve_single_tenant_hsm_instance_proposal_sample(
+        $formattedName,
+        $quorumReplyChallengeRepliesSignedChallenge,
+        $quorumReplyChallengeRepliesPublicKeyPem
+    );
+}
+// [END cloudkms_v1_generated_HsmManagement_ApproveSingleTenantHsmInstanceProposal_sync]

Kms/metadata/V1/Resources.php

@@ -0,0 +1,104 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_HsmManagement_CreateSingleTenantHsmInstance_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\OperationResponse;
+use Google\Cloud\Kms\V1\Client\HsmManagementClient;
+use Google\Cloud\Kms\V1\CreateSingleTenantHsmInstanceRequest;
+use Google\Cloud\Kms\V1\SingleTenantHsmInstance;
+use Google\Cloud\Kms\V1\SingleTenantHsmInstance\QuorumAuth;
+use Google\Rpc\Status;
+
+/**
+ * Creates a new
+ * [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance] in a
+ * given Project and Location. User must create a RegisterTwoFactorAuthKeys
+ * proposal with this single-tenant HSM instance to finish setup of the
+ * instance.
+ *
+ * @param string $formattedParent                                     The resource name of the location associated with the
+ *                                                                    [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance], in
+ *                                                                    the format `projects/&#42;/locations/*`. Please see
+ *                                                                    {@see HsmManagementClient::locationName()} for help formatting this field.
+ * @param int    $singleTenantHsmInstanceQuorumAuthTotalApproverCount The total number of approvers. This is the N value used
+ *                                                                    for M of N quorum auth. Must be greater than or equal to 3 and less than
+ *                                                                    or equal to 16.
+ */
+function create_single_tenant_hsm_instance_sample(
+    string $formattedParent,
+    int $singleTenantHsmInstanceQuorumAuthTotalApproverCount
+): void {
+    // Create a client.
+    $hsmManagementClient = new HsmManagementClient();
+
+    // Prepare the request message.
+    $singleTenantHsmInstanceQuorumAuth = (new QuorumAuth())
+        ->setTotalApproverCount($singleTenantHsmInstanceQuorumAuthTotalApproverCount);
+    $singleTenantHsmInstance = (new SingleTenantHsmInstance())
+        ->setQuorumAuth($singleTenantHsmInstanceQuorumAuth);
+    $request = (new CreateSingleTenantHsmInstanceRequest())
+        ->setParent($formattedParent)
+        ->setSingleTenantHsmInstance($singleTenantHsmInstance);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var OperationResponse $response */
+        $response = $hsmManagementClient->createSingleTenantHsmInstance($request);
+        $response->pollUntilComplete();
+
+        if ($response->operationSucceeded()) {
+            /** @var SingleTenantHsmInstance $result */
+            $result = $response->getResult();
+            printf('Operation successful with response data: %s' . PHP_EOL, $result->serializeToJsonString());
+        } else {
+            /** @var Status $error */
+            $error = $response->getError();
+            printf('Operation failed with error data: %s' . PHP_EOL, $error->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = HsmManagementClient::locationName('[PROJECT]', '[LOCATION]');
+    $singleTenantHsmInstanceQuorumAuthTotalApproverCount = 0;
+
+    create_single_tenant_hsm_instance_sample(
+        $formattedParent,
+        $singleTenantHsmInstanceQuorumAuthTotalApproverCount
+    );
+}
+// [END cloudkms_v1_generated_HsmManagement_CreateSingleTenantHsmInstance_sync]

Kms/metadata/V1/Service.php

@@ -0,0 +1,95 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_HsmManagement_CreateSingleTenantHsmInstanceProposal_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\OperationResponse;
+use Google\Cloud\Kms\V1\Client\HsmManagementClient;
+use Google\Cloud\Kms\V1\CreateSingleTenantHsmInstanceProposalRequest;
+use Google\Cloud\Kms\V1\SingleTenantHsmInstanceProposal;
+use Google\Rpc\Status;
+
+/**
+ * Creates a new
+ * [SingleTenantHsmInstanceProposal][google.cloud.kms.v1.SingleTenantHsmInstanceProposal]
+ * for a given
+ * [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance].
+ *
+ * @param string $formattedParent The [name][google.cloud.kms.v1.SingleTenantHsmInstance.name] of
+ *                                the [SingleTenantHsmInstance][google.cloud.kms.v1.SingleTenantHsmInstance]
+ *                                associated with the
+ *                                [SingleTenantHsmInstanceProposals][google.cloud.kms.v1.SingleTenantHsmInstanceProposal]. Please see
+ *                                {@see HsmManagementClient::singleTenantHsmInstanceName()} for help formatting this field.
+ */
+function create_single_tenant_hsm_instance_proposal_sample(string $formattedParent): void
+{
+    // Create a client.
+    $hsmManagementClient = new HsmManagementClient();
+
+    // Prepare the request message.
+    $singleTenantHsmInstanceProposal = new SingleTenantHsmInstanceProposal();
+    $request = (new CreateSingleTenantHsmInstanceProposalRequest())
+        ->setParent($formattedParent)
+        ->setSingleTenantHsmInstanceProposal($singleTenantHsmInstanceProposal);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var OperationResponse $response */
+        $response = $hsmManagementClient->createSingleTenantHsmInstanceProposal($request);
+        $response->pollUntilComplete();
+
+        if ($response->operationSucceeded()) {
+            /** @var SingleTenantHsmInstanceProposal $result */
+            $result = $response->getResult();
+            printf('Operation successful with response data: %s' . PHP_EOL, $result->serializeToJsonString());
+        } else {
+            /** @var Status $error */
+            $error = $response->getError();
+            printf('Operation failed with error data: %s' . PHP_EOL, $error->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = HsmManagementClient::singleTenantHsmInstanceName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[SINGLE_TENANT_HSM_INSTANCE]'
+    );
+
+    create_single_tenant_hsm_instance_proposal_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_HsmManagement_CreateSingleTenantHsmInstanceProposal_sync]

Kms/samples/V1/HsmManagementClient/approve_single_tenant_hsm_instance_proposal.php

@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_HsmManagement_DeleteSingleTenantHsmInstanceProposal_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\HsmManagementClient;
+use Google\Cloud\Kms\V1\DeleteSingleTenantHsmInstanceProposalRequest;
+
+/**
+ * Deletes a
+ * [SingleTenantHsmInstanceProposal][google.cloud.kms.v1.SingleTenantHsmInstanceProposal].
+ *
+ * @param string $formattedName The
+ *                              [name][google.cloud.kms.v1.SingleTenantHsmInstanceProposal.name] of the
+ *                              [SingleTenantHsmInstanceProposal][google.cloud.kms.v1.SingleTenantHsmInstanceProposal]
+ *                              to delete. Please see
+ *                              {@see HsmManagementClient::singleTenantHsmInstanceProposalName()} for help formatting this field.
+ */
+function delete_single_tenant_hsm_instance_proposal_sample(string $formattedName): void
+{
+    // Create a client.
+    $hsmManagementClient = new HsmManagementClient();
+
+    // Prepare the request message.
+    $request = (new DeleteSingleTenantHsmInstanceProposalRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        $hsmManagementClient->deleteSingleTenantHsmInstanceProposal($request);
+        printf('Call completed successfully.' . PHP_EOL);
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = HsmManagementClient::singleTenantHsmInstanceProposalName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[SINGLE_TENANT_HSM_INSTANCE]',
+        '[PROPOSAL]'
+    );
+
+    delete_single_tenant_hsm_instance_proposal_sample($formattedName);
+}
+// [END cloudkms_v1_generated_HsmManagement_DeleteSingleTenantHsmInstanceProposal_sync]