|
| 1 | +// Copyright 2025 Google LLC |
| 2 | +// |
| 3 | +// Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +// you may not use this file except in compliance with the License. |
| 5 | +// You may obtain a copy of the License at |
| 6 | +// |
| 7 | +// http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +// |
| 9 | +// Unless required by applicable law or agreed to in writing, software |
| 10 | +// distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +// See the License for the specific language governing permissions and |
| 13 | +// limitations under the License. |
| 14 | + |
| 15 | +syntax = "proto3"; |
| 16 | + |
| 17 | +package google.cloud.orgpolicy.v2; |
| 18 | + |
| 19 | +import "google/api/field_behavior.proto"; |
| 20 | +import "google/api/resource.proto"; |
| 21 | +import "google/protobuf/struct.proto"; |
| 22 | +import "google/protobuf/timestamp.proto"; |
| 23 | + |
| 24 | +option csharp_namespace = "Google.Cloud.OrgPolicy.V2"; |
| 25 | +option go_package = "cloud.google.com/go/orgpolicy/apiv2/orgpolicypb;orgpolicypb"; |
| 26 | +option java_multiple_files = true; |
| 27 | +option java_outer_classname = "ConstraintProto"; |
| 28 | +option java_package = "com.google.cloud.orgpolicy.v2"; |
| 29 | +option php_namespace = "Google\\Cloud\\OrgPolicy\\V2"; |
| 30 | +option ruby_package = "Google::Cloud::OrgPolicy::V2"; |
| 31 | + |
| 32 | +// A constraint describes a way to restrict resource's configuration. For |
| 33 | +// example, you could enforce a constraint that controls which Google Cloud |
| 34 | +// services can be activated across an organization, or whether a Compute Engine |
| 35 | +// instance can have serial port connections established. Constraints can be |
| 36 | +// configured by the organization policy administrator to fit the needs of the |
| 37 | +// organization by setting a policy that includes constraints at different |
| 38 | +// locations in the organization's resource hierarchy. Policies are inherited |
| 39 | +// down the resource hierarchy from higher levels, but can also be overridden. |
| 40 | +// For details about the inheritance rules, see |
| 41 | +// [`Policy`][google.cloud.orgpolicy.v2.Policy]. |
| 42 | +// |
| 43 | +// Constraints have a default behavior determined by the `constraint_default` |
| 44 | +// field, which is the enforcement behavior that is used in the absence of a |
| 45 | +// policy being defined or inherited for the resource in question. |
| 46 | +message Constraint { |
| 47 | + option (google.api.resource) = { |
| 48 | + type: "orgpolicy.googleapis.com/Constraint" |
| 49 | + pattern: "projects/{project}/constraints/{constraint}" |
| 50 | + pattern: "folders/{folder}/constraints/{constraint}" |
| 51 | + pattern: "organizations/{organization}/constraints/{constraint}" |
| 52 | + }; |
| 53 | + |
| 54 | + // Specifies the default behavior in the absence of any policy for the |
| 55 | + // constraint. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`. |
| 56 | + // |
| 57 | + // Immutable after creation. |
| 58 | + enum ConstraintDefault { |
| 59 | + // This is only used for distinguishing unset values and should never be |
| 60 | + // used. Results in an error. |
| 61 | + CONSTRAINT_DEFAULT_UNSPECIFIED = 0; |
| 62 | + |
| 63 | + // Indicate that all values are allowed for list constraints. |
| 64 | + // Indicate that enforcement is off for boolean constraints. |
| 65 | + ALLOW = 1; |
| 66 | + |
| 67 | + // Indicate that all values are denied for list constraints. |
| 68 | + // Indicate that enforcement is on for boolean constraints. |
| 69 | + DENY = 2; |
| 70 | + } |
| 71 | + |
| 72 | + // A constraint type that allows or disallows a list of string values, which |
| 73 | + // are configured in the |
| 74 | + // [`PolicyRule`][google.cloud.orgpolicy.v2.PolicySpec.PolicyRule]. |
| 75 | + message ListConstraint { |
| 76 | + // Indicates whether values grouped into categories can be used in |
| 77 | + // `Policy.allowed_values` and `Policy.denied_values`. For example, |
| 78 | + // `"in:Python"` would match any value in the 'Python' group. |
| 79 | + bool supports_in = 1; |
| 80 | + |
| 81 | + // Indicates whether subtrees of the Resource Manager resource hierarchy |
| 82 | + // can be used in `Policy.allowed_values` and `Policy.denied_values`. For |
| 83 | + // example, `"under:folders/123"` would match any resource under the |
| 84 | + // 'folders/123' folder. |
| 85 | + bool supports_under = 2; |
| 86 | + } |
| 87 | + |
| 88 | + // Custom constraint definition. Defines this as a managed constraint. |
| 89 | + message CustomConstraintDefinition { |
| 90 | + // The operation for which this constraint will be applied. To apply this |
| 91 | + // constraint only when creating new resources, the `method_types` should be |
| 92 | + // `CREATE` only. To apply this constraint when creating or deleting |
| 93 | + // resources, the `method_types` should be `CREATE` and `DELETE`. |
| 94 | + // |
| 95 | + // `UPDATE`-only custom constraints are not supported. Use `CREATE` or |
| 96 | + // `CREATE, UPDATE`. |
| 97 | + enum MethodType { |
| 98 | + // This is only used for distinguishing unset values and should never be |
| 99 | + // used. Results in an error. |
| 100 | + METHOD_TYPE_UNSPECIFIED = 0; |
| 101 | + |
| 102 | + // Constraint applied when creating the resource. |
| 103 | + CREATE = 1; |
| 104 | + |
| 105 | + // Constraint applied when updating the resource. |
| 106 | + UPDATE = 2; |
| 107 | + |
| 108 | + // Constraint applied when deleting the resource. |
| 109 | + // Not currently supported. |
| 110 | + DELETE = 3; |
| 111 | + |
| 112 | + // Constraint applied when removing an IAM grant. |
| 113 | + REMOVE_GRANT = 4; |
| 114 | + |
| 115 | + // Constraint applied when enforcing forced tagging. |
| 116 | + GOVERN_TAGS = 5; |
| 117 | + } |
| 118 | + |
| 119 | + // Allow or deny type. |
| 120 | + enum ActionType { |
| 121 | + // This is only used for distinguishing unset values and should never be |
| 122 | + // used. Results in an error. |
| 123 | + ACTION_TYPE_UNSPECIFIED = 0; |
| 124 | + |
| 125 | + // Allowed action type. |
| 126 | + ALLOW = 1; |
| 127 | + |
| 128 | + // Deny action type. |
| 129 | + DENY = 2; |
| 130 | + } |
| 131 | + |
| 132 | + // Defines a parameter structure. |
| 133 | + message Parameter { |
| 134 | + // All valid types of parameter. |
| 135 | + enum Type { |
| 136 | + // This is only used for distinguishing unset values and should never be |
| 137 | + // used. Results in an error. |
| 138 | + TYPE_UNSPECIFIED = 0; |
| 139 | + |
| 140 | + // List parameter type. |
| 141 | + LIST = 1; |
| 142 | + |
| 143 | + // String parameter type. |
| 144 | + STRING = 2; |
| 145 | + |
| 146 | + // Boolean parameter type. |
| 147 | + BOOLEAN = 3; |
| 148 | + } |
| 149 | + |
| 150 | + // Defines Metadata structure. |
| 151 | + message Metadata { |
| 152 | + // Detailed description of what this `parameter` is and use of it. |
| 153 | + // Mutable. |
| 154 | + string description = 1; |
| 155 | + } |
| 156 | + |
| 157 | + // Type of the parameter. |
| 158 | + Type type = 1; |
| 159 | + |
| 160 | + // Sets the value of the parameter in an assignment if no value is given. |
| 161 | + google.protobuf.Value default_value = 2; |
| 162 | + |
| 163 | + // Provides a CEL expression to specify the acceptable parameter values |
| 164 | + // during assignment. |
| 165 | + // For example, parameterName in ("parameterValue1", "parameterValue2") |
| 166 | + string valid_values_expr = 3; |
| 167 | + |
| 168 | + // Defines subproperties primarily used by the UI to display user-friendly |
| 169 | + // information. |
| 170 | + Metadata metadata = 4; |
| 171 | + |
| 172 | + // Determines the parameter's value structure. |
| 173 | + // For example, `LIST<STRING>` can be specified by defining `type: LIST`, |
| 174 | + // and `item: STRING`. |
| 175 | + Type item = 5; |
| 176 | + } |
| 177 | + |
| 178 | + // The resource instance type on which this policy applies. Format will be |
| 179 | + // of the form : `<service name>/<type>` Example: |
| 180 | + // |
| 181 | + // * `compute.googleapis.com/Instance`. |
| 182 | + repeated string resource_types = 1; |
| 183 | + |
| 184 | + // All the operations being applied for this constraint. |
| 185 | + repeated MethodType method_types = 2; |
| 186 | + |
| 187 | + // Org policy condition/expression. For example: |
| 188 | + // `resource.instanceName.matches("[production|test]_.*_(\d)+")` or, |
| 189 | + // `resource.management.auto_upgrade == true` |
| 190 | + // |
| 191 | + // The max length of the condition is 1000 characters. |
| 192 | + string condition = 3; |
| 193 | + |
| 194 | + // Allow or deny type. |
| 195 | + ActionType action_type = 4; |
| 196 | + |
| 197 | + // Stores the structure of |
| 198 | + // [`Parameters`][google.cloud.orgpolicy.v2.Constraint.CustomConstraintDefinition.Parameter] |
| 199 | + // used by the constraint condition. The key of `map` represents the name of |
| 200 | + // the parameter. |
| 201 | + map<string, Parameter> parameters = 5; |
| 202 | + } |
| 203 | + |
| 204 | + // A constraint type is enforced or not enforced, which is configured in the |
| 205 | + // [`PolicyRule`][google.cloud.orgpolicy.v2.PolicySpec.PolicyRule]. |
| 206 | + // |
| 207 | + // If `customConstraintDefinition` is defined, this constraint is a managed |
| 208 | + // constraint. |
| 209 | + message BooleanConstraint { |
| 210 | + // Custom constraint definition. Defines this as a managed constraint. |
| 211 | + CustomConstraintDefinition custom_constraint_definition = 1; |
| 212 | + } |
| 213 | + |
| 214 | + // Immutable. The resource name of the constraint. Must be in one of |
| 215 | + // the following forms: |
| 216 | + // |
| 217 | + // * `projects/{project_number}/constraints/{constraint_name}` |
| 218 | + // * `folders/{folder_id}/constraints/{constraint_name}` |
| 219 | + // * `organizations/{organization_id}/constraints/{constraint_name}` |
| 220 | + // |
| 221 | + // For example, "/projects/123/constraints/compute.disableSerialPortAccess". |
| 222 | + string name = 1 [(google.api.field_behavior) = IMMUTABLE]; |
| 223 | + |
| 224 | + // The human readable name. |
| 225 | + // |
| 226 | + // Mutable. |
| 227 | + string display_name = 2; |
| 228 | + |
| 229 | + // Detailed description of what this constraint controls as well as how and |
| 230 | + // where it is enforced. |
| 231 | + // |
| 232 | + // Mutable. |
| 233 | + string description = 3; |
| 234 | + |
| 235 | + // The evaluation behavior of this constraint in the absence of a policy. |
| 236 | + ConstraintDefault constraint_default = 4; |
| 237 | + |
| 238 | + // The type of restrictions for this `Constraint`. |
| 239 | + // |
| 240 | + // Immutable after creation. |
| 241 | + oneof constraint_type { |
| 242 | + // Defines this constraint as being a list constraint. |
| 243 | + ListConstraint list_constraint = 5; |
| 244 | + |
| 245 | + // Defines this constraint as being a boolean constraint. |
| 246 | + BooleanConstraint boolean_constraint = 6; |
| 247 | + } |
| 248 | + |
| 249 | + // Shows if dry run is supported for this constraint or not. |
| 250 | + bool supports_dry_run = 7; |
| 251 | + |
| 252 | + // Managed constraint and canned constraint sometimes can have |
| 253 | + // equivalents. This field is used to store the equivalent constraint name. |
| 254 | + string equivalent_constraint = 8; |
| 255 | + |
| 256 | + // Shows if simulation is supported for this constraint or not. |
| 257 | + bool supports_simulation = 9; |
| 258 | +} |
| 259 | + |
| 260 | +// A custom constraint defined by customers which can *only* be applied to the |
| 261 | +// given resource types and organization. |
| 262 | +// |
| 263 | +// By creating a custom constraint, customers can apply policies of this |
| 264 | +// custom constraint. *Creating a custom constraint itself does NOT apply any |
| 265 | +// policy enforcement*. |
| 266 | +message CustomConstraint { |
| 267 | + option (google.api.resource) = { |
| 268 | + type: "orgpolicy.googleapis.com/CustomConstraint" |
| 269 | + pattern: "organizations/{organization}/customConstraints/{custom_constraint}" |
| 270 | + }; |
| 271 | + |
| 272 | + // The operation for which this constraint will be applied. To apply this |
| 273 | + // constraint only when creating new resources, the `method_types` should be |
| 274 | + // `CREATE` only. To apply this constraint when creating or deleting |
| 275 | + // resources, the `method_types` should be `CREATE` and `DELETE`. |
| 276 | + // |
| 277 | + // `UPDATE` only custom constraints are not supported. Use `CREATE` or |
| 278 | + // `CREATE, UPDATE`. |
| 279 | + enum MethodType { |
| 280 | + // This is only used for distinguishing unset values and should never be |
| 281 | + // used. Results in an error. |
| 282 | + METHOD_TYPE_UNSPECIFIED = 0; |
| 283 | + |
| 284 | + // Constraint applied when creating the resource. |
| 285 | + CREATE = 1; |
| 286 | + |
| 287 | + // Constraint applied when updating the resource. |
| 288 | + UPDATE = 2; |
| 289 | + |
| 290 | + // Constraint applied when deleting the resource. |
| 291 | + // Not currently supported. |
| 292 | + DELETE = 3; |
| 293 | + |
| 294 | + // Constraint applied when removing an IAM grant. |
| 295 | + REMOVE_GRANT = 4; |
| 296 | + |
| 297 | + // Constraint applied when enforcing forced tagging. |
| 298 | + GOVERN_TAGS = 5; |
| 299 | + } |
| 300 | + |
| 301 | + // Allow or deny type. |
| 302 | + enum ActionType { |
| 303 | + // This is only used for distinguishing unset values and should never be |
| 304 | + // used. Results in an error. |
| 305 | + ACTION_TYPE_UNSPECIFIED = 0; |
| 306 | + |
| 307 | + // Allowed action type. |
| 308 | + ALLOW = 1; |
| 309 | + |
| 310 | + // Deny action type. |
| 311 | + DENY = 2; |
| 312 | + } |
| 313 | + |
| 314 | + // Immutable. Name of the constraint. This is unique within the organization. |
| 315 | + // Format of the name should be |
| 316 | + // |
| 317 | + // * `organizations/{organization_id}/customConstraints/{custom_constraint_id}` |
| 318 | + // |
| 319 | + // Example: `organizations/123/customConstraints/custom.createOnlyE2TypeVms` |
| 320 | + // |
| 321 | + // The max length is 70 characters and the minimum length is 1. Note that the |
| 322 | + // prefix `organizations/{organization_id}/customConstraints/` is not counted. |
| 323 | + string name = 1 [(google.api.field_behavior) = IMMUTABLE]; |
| 324 | + |
| 325 | + // Immutable. The resource instance type on which this policy applies. Format |
| 326 | + // will be of the form : `<service name>/<type>` Example: |
| 327 | + // |
| 328 | + // * `compute.googleapis.com/Instance`. |
| 329 | + repeated string resource_types = 2 [(google.api.field_behavior) = IMMUTABLE]; |
| 330 | + |
| 331 | + // All the operations being applied for this constraint. |
| 332 | + repeated MethodType method_types = 3; |
| 333 | + |
| 334 | + // A Common Expression Language (CEL) condition which is used in the |
| 335 | + // evaluation of the constraint. For example: |
| 336 | + // `resource.instanceName.matches("[production|test]_.*_(\d)+")` or, |
| 337 | + // `resource.management.auto_upgrade == true` |
| 338 | + // |
| 339 | + // The max length of the condition is 1000 characters. |
| 340 | + string condition = 4; |
| 341 | + |
| 342 | + // Allow or deny type. |
| 343 | + ActionType action_type = 5; |
| 344 | + |
| 345 | + // One line display name for the UI. |
| 346 | + // The max length of the display_name is 200 characters. |
| 347 | + string display_name = 6; |
| 348 | + |
| 349 | + // Detailed information about this custom policy constraint. |
| 350 | + // The max length of the description is 2000 characters. |
| 351 | + string description = 7; |
| 352 | + |
| 353 | + // Output only. The last time this custom constraint was updated. This |
| 354 | + // represents the last time that the `CreateCustomConstraint` or |
| 355 | + // `UpdateCustomConstraint` methods were called. |
| 356 | + google.protobuf.Timestamp update_time = 8 |
| 357 | + [(google.api.field_behavior) = OUTPUT_ONLY]; |
| 358 | +} |
![gcf-owl-bot[bot]](https://avatars.githubusercontent.com/in/99011?v=4&size=40){kind=avatar}
0 commit comments