feat: EU Regions and Support With Sovereign Controls

Google APIs · copybara-github · commit 85ffeed56bf1 · 2021-12-08T12:33:15.000-08:00
Committer: @Guisin PiperOrigin-RevId: 415069787
diff --git a/google/cloud/assuredworkloads/v1/BUILD.bazel b/google/cloud/assuredworkloads/v1/BUILD.bazel
@@ -128,13 +128,13 @@ go_gapic_library(
     srcs = [":assuredworkloads_proto_with_info"],
     grpc_service_config = "assuredworkloads_grpc_service_config.json",
     importpath = "cloud.google.com/go/assuredworkloads/apiv1;assuredworkloads",
-    service_yaml = "assuredworkloads_v1.yaml",
     metadata = True,
+    service_yaml = "assuredworkloads_v1.yaml",
     deps = [
         ":assuredworkloads_go_proto",
         "//google/longrunning:longrunning_go_proto",
-        "@com_google_cloud_go//longrunning/autogen:go_default_library",
         "@com_google_cloud_go//longrunning:go_default_library",
+        "@com_google_cloud_go//longrunning/autogen:go_default_library",
         "@io_bazel_rules_go//proto/wkt:duration_go_proto",
     ],
 )
@@ -151,8 +151,8 @@ go_gapic_assembly_pkg(
     name = "gapi-cloud-assuredworkloads-v1-go",
     deps = [
         ":assuredworkloads_go_gapic",
-        ":assuredworkloads_go_gapic_srcjar-test.srcjar",
         ":assuredworkloads_go_gapic_srcjar-metadata.srcjar",
+        ":assuredworkloads_go_gapic_srcjar-test.srcjar",
         ":assuredworkloads_go_proto",
     ],
 )
@@ -256,8 +256,8 @@ nodejs_gapic_assembly_pkg(
 ##############################################################################
 load(
     "@com_google_googleapis_imports//:imports.bzl",
-    "ruby_gapic_assembly_pkg",
     "ruby_cloud_gapic_library",
+    "ruby_gapic_assembly_pkg",
     "ruby_grpc_library",
     "ruby_proto_library",
 )
diff --git a/google/cloud/assuredworkloads/v1/assuredworkloads.proto b/google/cloud/assuredworkloads/v1/assuredworkloads.proto
@@ -41,10 +41,12 @@ option (google.api.resource_definition) = {
 // Service to manage AssuredWorkloads.
 service AssuredWorkloadsService {
   option (google.api.default_host) = "assuredworkloads.googleapis.com";
-  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+  option (google.api.oauth_scopes) =
+      "https://www.googleapis.com/auth/cloud-platform";
 
   // Creates Assured Workload.
-  rpc CreateWorkload(CreateWorkloadRequest) returns (google.longrunning.Operation) {
+  rpc CreateWorkload(CreateWorkloadRequest)
+      returns (google.longrunning.Operation) {
     option (google.api.http) = {
       post: "/v1/{parent=organizations/*/locations/*}/workloads"
       body: "workload"
@@ -109,8 +111,8 @@ message CreateWorkloadRequest {
   // Required. Assured Workload to create
   Workload workload = 2 [(google.api.field_behavior) = REQUIRED];
 
-  // Optional. A identifier associated with the workload and underlying projects which
-  // allows for the break down of billing costs for a workload. The value
+  // Optional. A identifier associated with the workload and underlying projects
+  // which allows for the break down of billing costs for a workload. The value
   // provided for the identifier will add a label to the workload and contained
   // projects with the identifier as the value.
   string external_id = 3 [(google.api.field_behavior) = OPTIONAL];
@@ -125,7 +127,8 @@ message UpdateWorkloadRequest {
   Workload workload = 1 [(google.api.field_behavior) = REQUIRED];
 
   // Required. The list of fields to be updated.
-  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.FieldMask update_mask = 2
+      [(google.api.field_behavior) = REQUIRED];
 }
 
 // Request for deleting a Workload.
@@ -147,8 +150,8 @@ message DeleteWorkloadRequest {
 
 // Request for fetching a workload.
 message GetWorkloadRequest {
-  // Required. The resource name of the Workload to fetch. This is the workloads's
-  // relative path in the API, formatted as
+  // Required. The resource name of the Workload to fetch. This is the
+  // workloads's relative path in the API, formatted as
   // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
   // For example,
   // "organizations/123/locations/us-east1/workloads/assured-workload-1".
@@ -228,17 +231,18 @@ message Workload {
 
   // Settings specific to the Key Management Service.
   message KMSSettings {
-    // Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
-    // new version of the crypto key and mark it as the primary.
+    // Required. Input only. Immutable. The time at which the Key Management
+    // Service will automatically create a new version of the crypto key and
+    // mark it as the primary.
     google.protobuf.Timestamp next_rotation_time = 1 [
       (google.api.field_behavior) = REQUIRED,
       (google.api.field_behavior) = INPUT_ONLY,
       (google.api.field_behavior) = IMMUTABLE
     ];
 
-    // Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
-    // Management Service automatically rotates a key. Must be at least 24 hours
-    // and at most 876,000 hours.
+    // Required. Input only. Immutable. [next_rotation_time] will be advanced by
+    // this period when the Key Management Service automatically rotates a key.
+    // Must be at least 24 hours and at most 876,000 hours.
     google.protobuf.Duration rotation_period = 2 [
       (google.api.field_behavior) = REQUIRED,
       (google.api.field_behavior) = INPUT_ONLY,
@@ -264,6 +268,48 @@ message Workload {
     string display_name = 3;
   }
 
+  // Signed Access Approvals (SAA) enrollment response.
+  message SaaEnrollmentResponse {
+    // Setup state of SAA enrollment.
+    enum SetupState {
+      // Unspecified.
+      SETUP_STATE_UNSPECIFIED = 0;
+
+      // SAA enrollment pending.
+      STATUS_PENDING = 1;
+
+      // SAA enrollment comopleted.
+      STATUS_COMPLETE = 2;
+    }
+
+    // Setup error of SAA enrollment.
+    enum SetupError {
+      // Unspecified.
+      SETUP_ERROR_UNSPECIFIED = 0;
+
+      // Invalid states for all customers, to be redirected to AA UI for
+      // additional details.
+      ERROR_INVALID_BASE_SETUP = 1;
+
+      // Returned when there is not an EKM key configured.
+      ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2;
+
+      // Returned when there are no enrolled services or the customer is
+      // enrolled in CAA only for a subset of services.
+      ERROR_NOT_ALL_SERVICES_ENROLLED = 3;
+
+      // Returned when exception was encountered during evaluation of other
+      // criteria.
+      ERROR_SETUP_CHECK_FAILED = 4;
+    }
+
+    // Indicates SAA enrollment status of a given workload.
+    optional SetupState setup_status = 1;
+
+    // Indicates SAA enrollment setup error if any.
+    repeated SetupError setup_errors = 2;
+  }
+
   // Supported Compliance Regimes.
   enum ComplianceRegime {
     // Unknown compliance regime.
@@ -297,6 +343,18 @@ message Workload {
     CA_REGIONS_AND_SUPPORT = 9;
   }
 
+  // Key Access Justifications(KAJ) Enrollment State.
+  enum KajEnrollmentState {
+    // Default State for KAJ Enrollment.
+    KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0;
+
+    // Pending State for KAJ Enrollment.
+    KAJ_ENROLLMENT_STATE_PENDING = 1;
+
+    // Complete State for KAJ Enrollment.
+    KAJ_ENROLLMENT_STATE_COMPLETE = 2;
+  }
+
   // Optional. The resource name of the workload.
   // Format:
   // organizations/{organization}/locations/{location}/workloads/{workload}
@@ -316,7 +374,8 @@ message Workload {
   // These resources will be created when creating the workload.
   // If any of the projects already exist, the workload creation will fail.
   // Always read only.
-  repeated ResourceInfo resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+  repeated ResourceInfo resources = 3
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 
   // Required. Immutable. Compliance Regime associated with this workload.
   ComplianceRegime compliance_regime = 4 [
@@ -350,37 +409,55 @@ message Workload {
   // Optional. Labels applied to the workload.
   map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL];
 
-  // Input only. The parent resource for the resources managed by this Assured Workload. May
-  // be either empty or a folder resource which is a child of the
+  // Input only. The parent resource for the resources managed by this Assured
+  // Workload. May be either empty or a folder resource which is a child of the
   // Workload parent. If not specified all resources are created under the
   // parent organization.
   // Format:
   // folders/{folder_id}
-  string provisioned_resources_parent = 13 [(google.api.field_behavior) = INPUT_ONLY];
+  string provisioned_resources_parent = 13
+      [(google.api.field_behavior) = INPUT_ONLY];
 
-  // Input only. Settings used to create a CMEK crypto key. When set a project with a KMS
-  // CMEK key is provisioned. This field is mandatory for a subset of Compliance
-  // Regimes.
+  // Input only. Settings used to create a CMEK crypto key. When set a project
+  // with a KMS CMEK key is provisioned. This field is mandatory for a subset of
+  // Compliance Regimes.
   KMSSettings kms_settings = 14 [(google.api.field_behavior) = INPUT_ONLY];
 
-  // Input only. Resource properties that are used to customize workload resources.
-  // These properties (such as custom project id) will be used to create
-  // workload resources if possible. This field is optional.
-  repeated ResourceSettings resource_settings = 15 [(google.api.field_behavior) = INPUT_ONLY];
+  // Input only. Resource properties that are used to customize workload
+  // resources. These properties (such as custom project id) will be used to
+  // create workload resources if possible. This field is optional.
+  repeated ResourceSettings resource_settings = 15
+      [(google.api.field_behavior) = INPUT_ONLY];
+
+  // Output only. Represents the KAJ enrollment state of the given workload.
+  KajEnrollmentState kaj_enrollment_state = 17
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Indicates the sovereignty status of the given workload.
+  // Currently meant to be used by Europe/Canada customers.
+  bool enable_sovereign_controls = 18 [(google.api.field_behavior) = OPTIONAL];
+
+  // Output only. Represents the SAA enrollment response of the given workload.
+  // SAA enrollment response is queried during GetWorkload call.
+  // In failure cases, user friendly error message is shown in SAA details page.
+  SaaEnrollmentResponse saa_enrollment_response = 20
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Operation metadata to give request details of CreateWorkload.
 message CreateWorkloadOperationMetadata {
   // Optional. Time when the operation was created.
-  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OPTIONAL];
+  google.protobuf.Timestamp create_time = 1
+      [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. The display name of the workload.
   string display_name = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. The parent of the workload.
   string parent = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. Compliance controls that should be applied to the resources managed by
-  // the workload.
-  Workload.ComplianceRegime compliance_regime = 4 [(google.api.field_behavior) = OPTIONAL];
+  // Optional. Compliance controls that should be applied to the resources
+  // managed by the workload.
+  Workload.ComplianceRegime compliance_regime = 4
+      [(google.api.field_behavior) = OPTIONAL];
 }
diff --git a/google/cloud/assuredworkloads/v1beta1/BUILD.bazel b/google/cloud/assuredworkloads/v1beta1/BUILD.bazel
@@ -348,4 +348,20 @@ csharp_gapic_assembly_pkg(
 ##############################################################################
 # C++
 ##############################################################################
-# Put your C++ rules here
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "cc_grpc_library",
+    "cc_proto_library",
+)
+
+cc_proto_library(
+    name = "assuredworkloads_cc_proto",
+    deps = [":assuredworkloads_proto"],
+)
+
+cc_grpc_library(
+    name = "assuredworkloads_cc_grpc",
+    srcs = [":assuredworkloads_proto"],
+    grpc_only = True,
+    deps = [":assuredworkloads_cc_proto"],
+)
diff --git a/google/cloud/assuredworkloads/v1beta1/assuredworkloads_v1beta1.proto b/google/cloud/assuredworkloads/v1beta1/assuredworkloads_v1beta1.proto
