diff --git a/specification/DigitalOcean-public.v2.yaml b/specification/DigitalOcean-public.v2.yaml index a560078b1..4f2b97085 100644 --- a/specification/DigitalOcean-public.v2.yaml +++ b/specification/DigitalOcean-public.v2.yaml @@ -534,7 +534,7 @@ tags: - name: Security description: |- - Security CSPM endpoints for scans, scan findings, and settings. + Security endpoints for CSPM scans, scan findings, settings, and Secrets Manager. - name: Sizes description: |- @@ -2294,6 +2294,31 @@ paths: delete: $ref: "resources/security/security_suppression_delete.yml" + /v2/security/secrets: + get: + $ref: "resources/security/security_secrets_list.yml" + + post: + $ref: "resources/security/security_secret_create.yml" + + /v2/security/secrets/{secret}: + get: + $ref: "resources/security/security_secret_get.yml" + + put: + $ref: "resources/security/security_secret_update.yml" + + delete: + $ref: "resources/security/security_secret_delete.yml" + + /v2/security/secrets/{secret}/versions: + get: + $ref: "resources/security/security_secret_list_versions.yml" + + /v2/security/secrets/{secret}/restore: + post: + $ref: "resources/security/security_secret_restore.yml" + /v2/sizes: get: $ref: "resources/sizes/sizes_list.yml" diff --git a/specification/resources/security/examples/curl/security_secret_create.yml b/specification/resources/security/examples/curl/security_secret_create.yml new file mode 100644 index 000000000..db61d8693 --- /dev/null +++ b/specification/resources/security/examples/curl/security_secret_create.yml @@ -0,0 +1,7 @@ +lang: cURL +source: |- + curl -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \ + -d '{"name":"my-database-password","region":"nyc3","values":{"password":"s3cr3t"}}' \ + "https://api.digitalocean.com/v2/security/secrets" 
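Review bot: The create example in `examples/curl/security_secret_create.yml` passes the secret value inline in its `-d '{...}'` argument. Readers who copy it with a real value leave that value in shell history and in the host's process list. Because this sample is published as the reference usage for a secrets endpoint, it would be safer to read the body from a file or stdin, e.g. `-d @secret.json \`, and to say in the operation description that the file should be readable only by its owner. The same inline pattern appears in `examples/curl/security_secret_update.yml`.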
diff --git a/specification/resources/security/examples/curl/security_secret_delete.yml b/specification/resources/security/examples/curl/security_secret_delete.yml
new file mode 100644
index 000000000..048087173
--- /dev/null
+++ b/specification/resources/security/examples/curl/security_secret_delete.yml
@@ -0,0 +1,6 @@
+lang: cURL
+source: |-
+ curl -X DELETE \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
+ "https://api.digitalocean.com/v2/security/secrets/my-database-password?region=nyc3"
diff --git a/specification/resources/security/examples/curl/security_secret_get.yml b/specification/resources/security/examples/curl/security_secret_get.yml
new file mode 100644
index 000000000..09b0334bd
--- /dev/null
+++ b/specification/resources/security/examples/curl/security_secret_get.yml
@@ -0,0 +1,6 @@
+lang: cURL
+source: |-
+ curl -X GET \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
+ "https://api.digitalocean.com/v2/security/secrets/my-database-password?region=nyc3"
diff --git a/specification/resources/security/examples/curl/security_secret_list_versions.yml b/specification/resources/security/examples/curl/security_secret_list_versions.yml
new file mode 100644
index 000000000..498b03947
--- /dev/null
+++ b/specification/resources/security/examples/curl/security_secret_list_versions.yml
@@ -0,0 +1,6 @@
+lang: cURL
+source: |-
+ curl -X GET \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
+ "https://api.digitalocean.com/v2/security/secrets/my-database-password/versions?region=nyc3"
diff --git a/specification/resources/security/examples/curl/security_secret_restore.yml b/specification/resources/security/examples/curl/security_secret_restore.yml
new file mode 100644
index 000000000..2f179540a
--- /dev/null
+++ b/specification/resources/security/examples/curl/security_secret_restore.yml
@@ -0,0 +1,6 @@
+lang: cURL
+source: |-
+ curl -X POST \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
+ "https://api.digitalocean.com/v2/security/secrets/my-database-password/restore?region=nyc3"
diff --git a/specification/resources/security/examples/curl/security_secret_update.yml b/specification/resources/security/examples/curl/security_secret_update.yml
new file mode 100644
index 000000000..0a9bfc893
--- /dev/null
+++ b/specification/resources/security/examples/curl/security_secret_update.yml
@@ -0,0 +1,7 @@
+lang: cURL
+source: |-
+ curl -X PUT \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
+ -d '{"region":"nyc3","version":1,"values":{"password":"n3w-s3cr3t"}}' \
+ "https://api.digitalocean.com/v2/security/secrets/my-database-password"
diff --git a/specification/resources/security/examples/curl/security_secrets_list.yml b/specification/resources/security/examples/curl/security_secrets_list.yml
new file mode 100644
index 000000000..8b74c0c69
--- /dev/null
+++ b/specification/resources/security/examples/curl/security_secrets_list.yml
@@ -0,0 +1,6 @@
+lang: cURL
+source: |-
+ curl -X GET \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
+ "https://api.digitalocean.com/v2/security/secrets?page=1&per_page=20"
diff --git a/specification/resources/security/models/secret.yml b/specification/resources/security/models/secret.yml
new file mode 100644
index 000000000..77fcd1fbe
--- /dev/null
+++ b/specification/resources/security/models/secret.yml
@@ -0,0 +1,140 @@
+secret:
+ type: object
+ properties:
+ secret:
+ title: secret
+ type: string
+ example: my-database-password
+ description: The name of the secret.
+
+ region:
+ title: region
+ type: string
+ example: nyc3
+ description: The region where the secret is stored.
+
+ version:
+ title: version
+ type: integer
+ format: int32
+ example: 1
+ description: The current version of the secret.
+
+ values:
+ title: values
+ type: object
+ additionalProperties:
+ type: string
+ example:
+ password: s3cr3t
+ description: Key-value pairs stored in the secret.
+
+ created_at:
+ title: created_at
+ type: string
+ format: date-time
+ example: "2025-12-04T00:00:00Z"
+ description: When the secret was created.
+
+ updated_at:
+ title: updated_at
+ type: string
+ format: date-time
+ example: "2025-12-04T00:00:00Z"
+ description: When the secret was last updated.
+
+ delete_requested_at:
+ title: delete_requested_at
+ type: string
+ format: date-time
+ example: "2025-12-04T00:00:00Z"
+ description: When deletion was requested for the secret.
+
+secret_list_item:
+ type: object
+ properties:
+ secret:
+ title: secret
+ type: string
+ example: my-database-password
+ description: The name of the secret.
+
+ region:
+ title: region
+ type: string
+ example: nyc3
+ description: The region where the secret is stored.
+
+ version:
+ title: version
+ type: integer
+ format: int32
+ example: 1
+ description: The current version of the secret.
+
+ created_at:
+ title: created_at
+ type: string
+ format: date-time
+ example: "2025-12-04T00:00:00Z"
+ description: When the secret was created.
+
+ updated_at:
+ title: updated_at
+ type: string
+ format: date-time
+ example: "2025-12-04T00:00:00Z"
+ description: When the secret was last updated.
+
+ delete_requested_at:
+ title: delete_requested_at
+ type: string
+ format: date-time
+ example: "2025-12-04T00:00:00Z"
+ description: When deletion was requested for the secret.
+ +secret_version: + type: object + properties: + version: + title: version + type: integer + format: int32 + example: 1 + description: The version number. + + created_at: + title: created_at + type: string + format: date-time + example: "2025-12-04T00:00:00Z" + description: When this version was created. + + updated_at: + title: updated_at + type: string + format: date-time + example: "2025-12-04T00:00:00Z" + description: When this version was last updated. + +create_secret_response: + type: object + properties: + name: + title: name + type: string + example: my-database-password + description: The name of the secret. + + region: + title: region + type: string + example: nyc3 + description: The region where the secret is stored. + + version: + title: version + type: integer + format: int32 + example: 1 + description: The version of the secret after the operation. diff --git a/specification/resources/security/parameters.yml b/specification/resources/security/parameters.yml index cd5b7db87..a6f2de16a 100644 --- a/specification/resources/security/parameters.yml +++ b/specification/resources/security/parameters.yml @@ -41,3 +41,12 @@ suppression_uuid: type: string format: uuid example: 5b3b2b2d-5c9c-4a61-9e2f-4d8f80f30a12 + +secret: + in: path + name: secret + description: The name of the secret. + required: true + schema: + type: string + example: my-database-password diff --git a/specification/resources/security/responses/create_secret.yml b/specification/resources/security/responses/create_secret.yml new file mode 100644 index 000000000..c1b208456 --- /dev/null +++ b/specification/resources/security/responses/create_secret.yml 
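Review bot: In the `secret` schema of `models/secret.yml`, `values` is a map of plain `type: string` entries, so nothing tells generated SDKs, doc renderers or logging middleware that these fields carry secret material. Adding `format: password` under `additionalProperties` is the usual OpenAPI hint; it is advisory, but many generators and UIs mask such fields. The server-assigned fields (`version`, `created_at`, `updated_at`, `delete_requested_at`) could also be marked `readOnly: true`. It would help to state whether `delete_requested_at` is absent or null for a secret that is not pending deletion.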
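Review bot: The new `secret` path parameter in `parameters.yml` accepts any string, and the same value is supplied as the equally unconstrained `name` in the request body of `security_secret_create.yml`. Because the name becomes a URL path segment, the spec should state the permitted character set and length, for example a `pattern` and `maxLength` on both schemas matching what the service enforces. Clients would then know whether names containing `/`, `?` or whitespace are rejected or must be percent-encoded. The server-side rule is not visible in this diff, so the exact pattern has to come from the implementation.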
@@ -0,0 +1,14 @@
+description: The response will be a JSON object containing the secret name, region, and version.
+
+headers:
+ ratelimit-limit:
+ $ref: '../../../shared/headers.yml#/ratelimit-limit'
+ ratelimit-remaining:
+ $ref: '../../../shared/headers.yml#/ratelimit-remaining'
+ ratelimit-reset:
+ $ref: '../../../shared/headers.yml#/ratelimit-reset'
+
+content:
+ application/json:
+ schema:
+ $ref: '../models/secret.yml#/create_secret_response'
diff --git a/specification/resources/security/responses/secret.yml b/specification/resources/security/responses/secret.yml
new file mode 100644
index 000000000..75b67d92f
--- /dev/null
+++ b/specification/resources/security/responses/secret.yml
@@ -0,0 +1,14 @@
+description: The response will be a JSON object containing the secret and its values.
+
+headers:
+ ratelimit-limit:
+ $ref: '../../../shared/headers.yml#/ratelimit-limit'
+ ratelimit-remaining:
+ $ref: '../../../shared/headers.yml#/ratelimit-remaining'
+ ratelimit-reset:
+ $ref: '../../../shared/headers.yml#/ratelimit-reset'
+
+content:
+ application/json:
+ schema:
+ $ref: '../models/secret.yml#/secret'
diff --git a/specification/resources/security/responses/secret_versions.yml b/specification/resources/security/responses/secret_versions.yml
new file mode 100644
index 000000000..98a98ef06
--- /dev/null
+++ b/specification/resources/security/responses/secret_versions.yml
@@ -0,0 +1,19 @@
+description: The response will be a JSON object with a key called `versions`.
+
+headers:
+ ratelimit-limit:
+ $ref: '../../../shared/headers.yml#/ratelimit-limit'
+ ratelimit-remaining:
+ $ref: '../../../shared/headers.yml#/ratelimit-remaining'
+ ratelimit-reset:
+ $ref: '../../../shared/headers.yml#/ratelimit-reset'
+
+content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ versions:
+ type: array
+ items:
+ $ref: '../models/secret.yml#/secret_version'
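Review bot: `responses/secret.yml` is the one response in this commit that returns plaintext values, yet its documented headers are only the three rate-limit ones. If the API sends `Cache-Control: no-store` on this response, document it here so client and proxy authors know the body must not be cached. If it does not, that is a gap to raise with the service owners rather than something the spec can fix. The description could also state explicitly that every key in `values` is returned unmasked.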
diff --git a/specification/resources/security/responses/secrets.yml b/specification/resources/security/responses/secrets.yml
new file mode 100644
index 000000000..2b9e598d8
--- /dev/null
+++ b/specification/resources/security/responses/secrets.yml
@@ -0,0 +1,67 @@
+description: The response will be a JSON object with a key called `secrets`. This will be set to
+ an array of objects, each of which will contain the standard attributes associated with a secret.
+
+headers:
+ ratelimit-limit:
+ $ref: '../../../shared/headers.yml#/ratelimit-limit'
+ ratelimit-remaining:
+ $ref: '../../../shared/headers.yml#/ratelimit-remaining'
+ ratelimit-reset:
+ $ref: '../../../shared/headers.yml#/ratelimit-reset'
+
+content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ secrets:
+ type: array
+ items:
+ $ref: '../models/secret.yml#/secret_list_item'
+ meta:
+ type: object
+ properties:
+ page:
+ type: integer
+ format: int32
+ example: 1
+ description: The current page number.
+ pages:
+ type: integer
+ format: int32
+ example: 5
+ description: The total number of pages.
+ total:
+ type: integer
+ format: int32
+ example: 42
+ description: The total number of secrets across all regions.
+ links:
+ type: object
+ properties:
+ pages:
+ type: object
+ properties:
+ first:
+ type: string
+ example: "https://api.digitalocean.com/v2/security/secrets?page=1&per_page=20"
+ description: URL for the first page of results.
+ prev:
+ type: string
+ example: "https://api.digitalocean.com/v2/security/secrets?page=1&per_page=20"
+ description: URL for the previous page of results.
+ next:
+ type: string
+ example: "https://api.digitalocean.com/v2/security/secrets?page=3&per_page=20"
+ description: URL for the next page of results.
+ last:
+ type: string
+ example: "https://api.digitalocean.com/v2/security/secrets?page=5&per_page=20"
+ description: URL for the last page of results.
+ unavailable_regions:
+ type: array
+ items:
+ type: string
+ example:
+ - sfo3
+ description: Regions that could not be queried while building the list response.
diff --git a/specification/resources/security/security_secret_create.yml b/specification/resources/security/security_secret_create.yml
new file mode 100644
index 000000000..15d45aa9b
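Review bot: The `unavailable_regions` field in `responses/secrets.yml` implies that a `200` from the list endpoint can be a partial result, but neither the top-level description nor `meta.total` ("across all regions") says so. A client that audits or rotates secrets from this list would silently miss those stored in a region that failed to answer. I would extend the field's description, e.g. `When non-empty, the secrets array and meta.total do not include these regions; treat the response as incomplete.`, assuming that matches the service's behaviour. The `links.pages` URL fields could also carry `format: uri`.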
--- /dev/null
+++ b/specification/resources/security/security_secret_create.yml
@@ -0,0 +1,61 @@
+operationId: security_create_secret
+
+summary: Create Secret
+
+description: To create a secret, send a POST request to `/v2/security/secrets`.
+
+tags:
+ - Security
+
+requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ required:
+ - name
+ - region
+ - values
+ properties:
+ name:
+ type: string
+ example: my-database-password
+ description: The name of the secret to create.
+ region:
+ type: string
+ example: nyc3
+ description: The region where the secret will be stored.
+ values:
+ type: object
+ additionalProperties:
+ type: string
+ example:
+ password: s3cr3t
+ description: Key-value pairs to store in the secret.
+
+responses:
+ '200':
+ $ref: 'responses/create_secret.yml'
+
+ '400':
+ $ref: '../../shared/responses/bad_request.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secret_create.yml'
+
+security:
+ - bearer_auth:
+ - 'security:create'
diff --git a/specification/resources/security/security_secret_delete.yml b/specification/resources/security/security_secret_delete.yml
new file mode 100644
index 000000000..26d895dff
--- /dev/null
+++ b/specification/resources/security/security_secret_delete.yml
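Review bot: The create operation in `security_secret_create.yml` documents no outcome for a `name` that already exists in the region. The response list has `400`, `401`, `429` and `500` but no conflict entry, and `description` does not say whether the call fails or overwrites. For a secrets store the difference matters, because an overwrite would let a token holding only `security:create` replace a live credential. Please state the behaviour in `description` and, if duplicates are rejected, add the matching response. `values` also has no `maxProperties` or per-value `maxLength`, so size limits cannot be discovered from the spec.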
@@ -0,0 +1,38 @@
+operationId: security_delete_secret
+
+summary: Delete Secret
+
+description: To request deletion of a secret, send a DELETE request to `/v2/security/secrets/{secret}`.
+
+tags:
+ - Security
+
+parameters:
+ - $ref: 'parameters.yml#/secret'
+ - $ref: '../../shared/parameters.yml#/region'
+
+responses:
+ '204':
+ $ref: '../../shared/responses/no_content.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '404':
+ $ref: '../../shared/responses/not_found.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secret_delete.yml'
+
+security:
+ - bearer_auth:
+ - 'security:delete'
diff --git a/specification/resources/security/security_secret_get.yml b/specification/resources/security/security_secret_get.yml
new file mode 100644
index 000000000..d8ffaf87f
--- /dev/null
+++ b/specification/resources/security/security_secret_get.yml
@@ -0,0 +1,38 @@
+operationId: security_get_secret
+
+summary: Get Secret
+
+description: To retrieve a secret and its values, send a GET request to `/v2/security/secrets/{secret}`.
+
+tags:
+ - Security
+
+parameters:
+ - $ref: 'parameters.yml#/secret'
+ - $ref: '../../shared/parameters.yml#/region'
+
+responses:
+ '200':
+ $ref: 'responses/secret.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '404':
+ $ref: '../../shared/responses/not_found.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secret_get.yml'
+
+security:
+ - bearer_auth:
+ - 'security:read'
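Review bot: The retention window is not documented in `security_secret_delete.yml`, although the description says the call only "requests" deletion. Together with `delete_requested_at` in the model and the restore endpoint, this looks like a soft delete. Operators responding to a leaked credential need to know when the material is actually destroyed and whether `GET /v2/security/secrets/{secret}` still returns `values` while deletion is pending. I would add both facts to `description`, and document the response for deleting a secret that is already pending deletion.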
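Review bot: Reading plaintext values in `security_secret_get.yml` requires only `security:read`, the same scope string this commit uses for the list and list-versions operations, which return metadata only. If the existing CSPM scan and findings endpoints under this tag also use `security:read` (not visible in this diff), every token issued for viewing findings would be able to read stored secrets once this ships. A dedicated scope for value retrieval, separate from metadata listing, would keep those tokens least-privileged. The same consideration applies to `security:create`, `security:update` and `security:delete` on the write operations. At minimum, `description` should say which scope exposes `values`.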
diff --git a/specification/resources/security/security_secret_list_versions.yml b/specification/resources/security/security_secret_list_versions.yml
new file mode 100644
index 000000000..653654c9f
--- /dev/null
+++ b/specification/resources/security/security_secret_list_versions.yml
@@ -0,0 +1,38 @@
+operationId: security_list_secret_versions
+
+summary: List Secret Versions
+
+description: To list all versions of a secret, send a GET request to `/v2/security/secrets/{secret}/versions`.
+
+tags:
+ - Security
+
+parameters:
+ - $ref: 'parameters.yml#/secret'
+ - $ref: '../../shared/parameters.yml#/region'
+
+responses:
+ '200':
+ $ref: 'responses/secret_versions.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '404':
+ $ref: '../../shared/responses/not_found.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secret_list_versions.yml'
+
+security:
+ - bearer_auth:
+ - 'security:read'
diff --git a/specification/resources/security/security_secret_restore.yml b/specification/resources/security/security_secret_restore.yml
new file mode 100644
index 000000000..445701d83
--- /dev/null
+++ b/specification/resources/security/security_secret_restore.yml
@@ -0,0 +1,38 @@
+operationId: security_post_restore_secret
+
+summary: Restore Secret
+
+description: To restore a deleted secret, send a POST request to `/v2/security/secrets/{secret}/restore`.
+
+tags:
+ - Security
+
+parameters:
+ - $ref: 'parameters.yml#/secret'
+ - $ref: '../../shared/parameters.yml#/region'
+
+responses:
+ '200':
+ $ref: 'responses/secret.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '404':
+ $ref: '../../shared/responses/not_found.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secret_restore.yml'
+
+security:
+ - bearer_auth:
+ - 'security:create'
diff --git a/specification/resources/security/security_secret_update.yml b/specification/resources/security/security_secret_update.yml
new file mode 100644
index 000000000..8fd237d8d
--- /dev/null
+++ b/specification/resources/security/security_secret_update.yml
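Review bot: Restore in `security_secret_restore.yml` is authorised with `security:create`, but its `200` returns `responses/secret.yml`, which is described as containing "the secret and its values". As written, a token without `security:read` receives plaintext values from this call. Returning the metadata-only shape, `$ref: 'responses/create_secret.yml'`, as the update operation does, avoids that; otherwise the operation should also require `security:read`. The response list also has no `400` or conflict entry for restoring a secret that is not pending deletion.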
@@ -0,0 +1,68 @@
+operationId: security_update_secret
+
+summary: Update Secret
+
+description: To update a secret, send a PUT request to `/v2/security/secrets/{secret}`.
+
+tags:
+ - Security
+
+parameters:
+ - $ref: 'parameters.yml#/secret'
+
+requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ type: object
+ required:
+ - region
+ - version
+ - values
+ properties:
+ region:
+ type: string
+ example: nyc3
+ description: The region where the secret is stored.
+ version:
+ type: integer
+ format: int32
+ example: 1
+ description: The current version of the secret to update.
+ values:
+ type: object
+ additionalProperties:
+ type: string
+ example:
+ password: n3w-s3cr3t
+ description: Updated key-value pairs for the secret.
+
+responses:
+ '200':
+ $ref: 'responses/create_secret.yml'
+
+ '400':
+ $ref: '../../shared/responses/bad_request.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '404':
+ $ref: '../../shared/responses/not_found.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secret_update.yml'
+
+security:
+ - bearer_auth:
+ - 'security:update'
diff --git a/specification/resources/security/security_secrets_list.yml b/specification/resources/security/security_secrets_list.yml
new file mode 100644
index 000000000..aef905932
--- /dev/null
+++ b/specification/resources/security/security_secrets_list.yml
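Review bot: No response is documented for a stale `version` in `security_secret_update.yml`, even though `version` is required and described as "the current version of the secret to update", which reads like an optimistic-concurrency check. If a mismatch is rejected, add that response and say so in `description`, since two rotation jobs racing on the same secret is the case callers most need to handle. The description should also state whether `values` replaces the stored map or merges into it, because with replace semantics omitting a key removes a credential. `region` is a body field here, while get, delete, versions and restore take it as the shared `region` query parameter; that difference is worth noting for client authors.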
@@ -0,0 +1,35 @@
+operationId: security_list_secrets
+
+summary: List Secrets
+
+description: To list secrets across all configured regions, send a GET request to `/v2/security/secrets`.
+
+tags:
+ - Security
+
+parameters:
+ - $ref: '../../shared/parameters.yml#/per_page'
+ - $ref: '../../shared/parameters.yml#/page'
+
+responses:
+ '200':
+ $ref: 'responses/secrets.yml'
+
+ '401':
+ $ref: '../../shared/responses/unauthorized.yml'
+
+ '429':
+ $ref: '../../shared/responses/too_many_requests.yml'
+
+ '500':
+ $ref: '../../shared/responses/server_error.yml'
+
+ default:
+ $ref: '../../shared/responses/unexpected_error.yml'
+
+x-codeSamples:
+ - $ref: 'examples/curl/security_secrets_list.yml'
+
+security:
+ - bearer_auth:
+ - 'security:read'