Rework PR to mark fields deprecated first and use secret for key_uri.

mmv1/products/kms/CryptoKeyVersion.yaml

@@ -120,6 +120,22 @@ properties:
             description: |
               Google partition certificate chain corresponding to the attestation.
             output: true
+      - !ruby/object:Api::Type::NestedObject
+        name: 'externalProtectionLevelOptions'
+        description: |
+          ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels.
+        deprecation_message: >-
+          `externalProtectionLevelOptions` is being un-nested from the `attestation` field.
+          Please use the top level `externalProtectionLevelOptions` field instead.
+        properties:
+          - !ruby/object:Api::Type::String
+            name: 'externalKeyUri'
+            description: |
+              The URI for an external resource that this CryptoKeyVersion represents.
+          - !ruby/object:Api::Type::String
+            name: 'ekmConnectionKeyPath'
+            description: |
+              The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection.
   - !ruby/object:Api::Type::NestedObject
     name: 'externalProtectionLevelOptions'
     description: |

mmv1/third_party/terraform/services/kms/resource_kms_crypto_key_test.go

@@ -951,7 +951,7 @@ resource "google_kms_crypto_key" "crypto_key" {
 resource "google_kms_crypto_key_version" "crypto_key_version" {
 	crypto_key = google_kms_crypto_key.crypto_key.id
 	external_protection_level_options {
-		external_key_uri = "https://ekms.example/key_path"
+		external_key_uri = "projects/315636579862/secrets/external-uri/versions/latest"
 	}
 }
 `, projectId, projectId, projectOrg, projectBillingAccount, keyRingName, cryptoKeyName)