feat: [Kms] Added DeleteCryptoKey and DeleteCryptoKeyVersion RPCs to permanently remove resources (#8919)

* feat: Added DeleteCryptoKey and DeleteCryptoKeyVersion RPCs to permanently remove resources
feat: Introduced the RetiredResource resource to track records of deleted keys and prevent the reuse of their resource names
feat: Added ListRetiredResources and GetRetiredResource RPCs to manage and view these records

PiperOrigin-RevId: 868670725

Source-Link: googleapis/googleapis@f248ed0

Source-Link: googleapis/googleapis-gen@78b3172
Copy-Tag: eyJwIjoiS21zLy5Pd2xCb3QueWFtbCIsImgiOiI3OGIzMTcyMTZhOTYxZTEwZjQyNjQ4N2YxMDk3MjgwNDkxMmI4NWVjIn0=

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

Kms/metadata/V1/Resources.php

@@ -0,0 +1,91 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_DeleteCryptoKey_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\OperationResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyRequest;
+use Google\Rpc\Status;
+
+/**
+ * Permanently deletes the given [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ * All child [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] must
+ * have been previously deleted using
+ * [KeyManagementService.DeleteCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.DeleteCryptoKeyVersion].
+ * The specified crypto key will be immediately and permanently deleted upon
+ * calling this method. This action cannot be undone.
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKey.name] of the
+ *                              [CryptoKey][google.cloud.kms.v1.CryptoKey] to delete. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyName()} for help formatting this field.
+ */
+function delete_crypto_key_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new DeleteCryptoKeyRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var OperationResponse $response */
+        $response = $keyManagementServiceClient->deleteCryptoKey($request);
+        $response->pollUntilComplete();
+
+        if ($response->operationSucceeded()) {
+            printf('Operation completed successfully.' . PHP_EOL);
+        } else {
+            /** @var Status $error */
+            $error = $response->getError();
+            printf('Operation failed with error data: %s' . PHP_EOL, $error->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]'
+    );
+
+    delete_crypto_key_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_DeleteCryptoKey_sync]

Kms/metadata/V1/Service.php

@@ -0,0 +1,97 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_DeleteCryptoKeyVersion_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\OperationResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\DeleteCryptoKeyVersionRequest;
+use Google\Rpc\Status;
+
+/**
+ * Permanently deletes the given
+ * [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only possible if
+ * the version has not been previously imported and if its
+ * [state][google.cloud.kms.v1.CryptoKeyVersion.state] is one of
+ * [DESTROYED][CryptoKeyVersionState.DESTROYED],
+ * [IMPORT_FAILED][CryptoKeyVersionState.IMPORT_FAILED], or
+ * [GENERATION_FAILED][CryptoKeyVersionState.GENERATION_FAILED].
+ * Successfully imported
+ * [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] cannot be deleted
+ * at this time. The specified version will be immediately and permanently
+ * deleted upon calling this method. This action cannot be undone.
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the
+ *                              [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] to delete. Please see
+ *                              {@see KeyManagementServiceClient::cryptoKeyVersionName()} for help formatting this field.
+ */
+function delete_crypto_key_version_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new DeleteCryptoKeyVersionRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var OperationResponse $response */
+        $response = $keyManagementServiceClient->deleteCryptoKeyVersion($request);
+        $response->pollUntilComplete();
+
+        if ($response->operationSucceeded()) {
+            printf('Operation completed successfully.' . PHP_EOL);
+        } else {
+            /** @var Status $error */
+            $error = $response->getError();
+            printf('Operation failed with error data: %s' . PHP_EOL, $error->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::cryptoKeyVersionName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[KEY_RING]',
+        '[CRYPTO_KEY]',
+        '[CRYPTO_KEY_VERSION]'
+    );
+
+    delete_crypto_key_version_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_DeleteCryptoKeyVersion_sync]

Kms/samples/V1/KeyManagementServiceClient/delete_crypto_key.php

@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_GetRetiredResource_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\GetRetiredResourceRequest;
+use Google\Cloud\Kms\V1\RetiredResource;
+
+/**
+ * Retrieves a specific [RetiredResource][google.cloud.kms.v1.RetiredResource]
+ * resource, which represents the record of a deleted
+ * [CryptoKey][google.cloud.kms.v1.CryptoKey].
+ *
+ * @param string $formattedName The [name][google.cloud.kms.v1.RetiredResource.name] of the
+ *                              [RetiredResource][google.cloud.kms.v1.RetiredResource] to get. Please see
+ *                              {@see KeyManagementServiceClient::retiredResourceName()} for help formatting this field.
+ */
+function get_retired_resource_sample(string $formattedName): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new GetRetiredResourceRequest())
+        ->setName($formattedName);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var RetiredResource $response */
+        $response = $keyManagementServiceClient->getRetiredResource($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedName = KeyManagementServiceClient::retiredResourceName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[RETIRED_RESOURCE]'
+    );
+
+    get_retired_resource_sample($formattedName);
+}
+// [END cloudkms_v1_generated_KeyManagementService_GetRetiredResource_sync]

Kms/samples/V1/KeyManagementServiceClient/delete_crypto_key_version.php

@@ -0,0 +1,80 @@
+<?php
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START cloudkms_v1_generated_KeyManagementService_ListRetiredResources_sync]
+use Google\ApiCore\ApiException;
+use Google\ApiCore\PagedListResponse;
+use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
+use Google\Cloud\Kms\V1\ListRetiredResourcesRequest;
+use Google\Cloud\Kms\V1\RetiredResource;
+
+/**
+ * Lists the [RetiredResources][google.cloud.kms.v1.RetiredResource] which are
+ * the records of deleted [CryptoKeys][google.cloud.kms.v1.CryptoKey].
+ * RetiredResources prevent the reuse of these resource names after deletion.
+ *
+ * @param string $formattedParent The project-specific location holding the
+ *                                [RetiredResources][google.cloud.kms.v1.RetiredResource], in the format
+ *                                `projects/&#42;/locations/*`. Please see
+ *                                {@see KeyManagementServiceClient::locationName()} for help formatting this field.
+ */
+function list_retired_resources_sample(string $formattedParent): void
+{
+    // Create a client.
+    $keyManagementServiceClient = new KeyManagementServiceClient();
+
+    // Prepare the request message.
+    $request = (new ListRetiredResourcesRequest())
+        ->setParent($formattedParent);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var PagedListResponse $response */
+        $response = $keyManagementServiceClient->listRetiredResources($request);
+
+        /** @var RetiredResource $element */
+        foreach ($response as $element) {
+            printf('Element data: %s' . PHP_EOL, $element->serializeToJsonString());
+        }
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedParent = KeyManagementServiceClient::locationName('[PROJECT]', '[LOCATION]');
+
+    list_retired_resources_sample($formattedParent);
+}
+// [END cloudkms_v1_generated_KeyManagementService_ListRetiredResources_sync]