1- // Copyright 2022 Google LLC
1+ // Copyright 2023 Google LLC
22//
33// Licensed under the Apache License, Version 2.0 (the "License");
44// you may not use this file except in compliance with the License.
@@ -28,20 +28,20 @@ option java_package = "com.google.cloud.orgpolicy.v2";
2828option php_namespace = "Google\\Cloud\\OrgPolicy\\V2" ;
2929option ruby_package = "Google::Cloud::OrgPolicy::V2" ;
3030
31- // A ` constraint` describes a way to restrict resource's configuration. For
32- // example, you could enforce a constraint that controls which cloud services
33- // can be activated across an organization, or whether a Compute Engine instance
34- // can have serial port connections established. ` Constraints` can be configured
35- // by the organization's policy administrator to fit the needs of the
36- // organization by setting a ` policy` that includes ` constraints` at different
31+ // A constraint describes a way to restrict resource's configuration. For
32+ // example, you could enforce a constraint that controls which Google Cloud
33+ // services can be activated across an organization, or whether a Compute Engine
34+ // instance can have serial port connections established. Constraints can be
35+ // configured by the organization policy administrator to fit the needs of the
36+ // organization by setting a policy that includes constraints at different
3737// locations in the organization's resource hierarchy. Policies are inherited
3838// down the resource hierarchy from higher levels, but can also be overridden.
3939// For details about the inheritance rules please read about
4040// [`policies`][google.cloud.OrgPolicy.v2.Policy].
4141//
42- // ` Constraints` have a default behavior determined by the `constraint_default`
42+ // Constraints have a default behavior determined by the `constraint_default`
4343// field, which is the enforcement behavior that is used in the absence of a
44- // ` policy` being defined or inherited for the resource in question.
44+ // policy being defined or inherited for the resource in question.
4545message Constraint {
4646 option (google.api.resource ) = {
4747 type : "orgpolicy.googleapis.com/Constraint"
@@ -50,8 +50,8 @@ message Constraint {
5050 pattern : "organizations/{organization}/constraints/{constraint}"
5151 };
5252
53- // Specifies the default behavior in the absence of any `Policy` for the
54- // `Constraint` . This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`.
53+ // Specifies the default behavior in the absence of any policy for the
54+ // constraint . This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`.
5555 //
5656 // Immutable after creation.
5757 enum ConstraintDefault {
@@ -68,30 +68,31 @@ message Constraint {
6868 DENY = 2 ;
6969 }
7070
71- // A `Constraint` that allows or disallows a list of string values, which are
72- // configured by an Organization's policy administrator with a `Policy` .
71+ // A constraint that allows or disallows a list of string values, which are
72+ // configured by an Organization Policy administrator with a policy .
7373 message ListConstraint {
7474 // Indicates whether values grouped into categories can be used in
7575 // `Policy.allowed_values` and `Policy.denied_values`. For example,
7676 // `"in:Python"` would match any value in the 'Python' group.
7777 bool supports_in = 1 ;
7878
79- // Indicates whether subtrees of Cloud Resource Manager resource hierarchy
79+ // Indicates whether subtrees of the Resource Manager resource hierarchy
8080 // can be used in `Policy.allowed_values` and `Policy.denied_values`. For
8181 // example, `"under:folders/123"` would match any resource under the
8282 // 'folders/123' folder.
8383 bool supports_under = 2 ;
8484 }
8585
86- // A `Constraint` that is either enforced or not.
86+ // A constraint that is either enforced or not.
8787 //
88- // For example a constraint `constraints/compute.disableSerialPortAccess`.
88+ // For example, a constraint `constraints/compute.disableSerialPortAccess`.
8989 // If it is enforced on a VM instance, serial port connections will not be
9090 // opened to that instance.
9191 message BooleanConstraint {}
9292
93- // Immutable. The resource name of the Constraint . Must be in one of
93+ // Immutable. The resource name of the constraint . Must be in one of
9494 // the following forms:
95+ //
9596 // * `projects/{project_number}/constraints/{constraint_name}`
9697 // * `folders/{folder_id}/constraints/{constraint_name}`
9798 // * `organizations/{organization_id}/constraints/{constraint_name}`
@@ -104,13 +105,13 @@ message Constraint {
104105 // Mutable.
105106 string display_name = 2 ;
106107
107- // Detailed description of what this `Constraint` controls as well as how and
108+ // Detailed description of what this constraint controls as well as how and
108109 // where it is enforced.
109110 //
110111 // Mutable.
111112 string description = 3 ;
112113
113- // The evaluation behavior of this constraint in the absence of 'Policy' .
114+ // The evaluation behavior of this constraint in the absence of a policy .
114115 ConstraintDefault constraint_default = 4 ;
115116
116117 // The type of restrictions for this `Constraint`.
@@ -123,4 +124,98 @@ message Constraint {
123124 // Defines this constraint as being a BooleanConstraint.
124125 BooleanConstraint boolean_constraint = 6 ;
125126 }
127+
128+ // Shows if dry run is supported for this constraint or not.
129+ bool supports_dry_run = 7 ;
130+ }
131+
132+ // A custom constraint defined by customers which can *only* be applied to the
133+ // given resource types and organization.
134+ //
135+ // By creating a custom constraint, customers can apply policies of this
136+ // custom constraint. *Creating a custom constraint itself does NOT apply any
137+ // policy enforcement*.
138+ message CustomConstraint {
139+ option (google.api.resource ) = {
140+ type : "orgpolicy.googleapis.com/CustomConstraint"
141+ pattern : "organizations/{organization}/customConstraints/{custom_constraint}"
142+ };
143+
144+ // The operation for which this constraint will be applied. To apply this
145+ // constraint only when creating new VMs, the `method_types` should be
146+ // `CREATE` only. To apply this constraint when creating or deleting
147+ // VMs, the `method_types` should be `CREATE` and `DELETE`.
148+ //
149+ // `UPDATE` only custom constraints are not supported. Use `CREATE` or
150+ // `CREATE, UPDATE`.
151+ enum MethodType {
152+ // Unspecified. Results in an error.
153+ METHOD_TYPE_UNSPECIFIED = 0 ;
154+
155+ // Constraint applied when creating the resource.
156+ CREATE = 1 ;
157+
158+ // Constraint applied when updating the resource.
159+ UPDATE = 2 ;
160+
161+ // Constraint applied when deleting the resource.
162+ // Not supported yet.
163+ DELETE = 3 ;
164+ }
165+
166+ // Allow or deny type.
167+ enum ActionType {
168+ // Unspecified. Results in an error.
169+ ACTION_TYPE_UNSPECIFIED = 0 ;
170+
171+ // Allowed action type.
172+ ALLOW = 1 ;
173+
174+ // Deny action type.
175+ DENY = 2 ;
176+ }
177+
178+ // Immutable. Name of the constraint. This is unique within the organization.
179+ // Format of the name should be
180+ //
181+ // * `organizations/{organization_id}/customConstraints/{custom_constraint_id}`
182+ //
183+ // Example: `organizations/123/customConstraints/custom.createOnlyE2TypeVms`
184+ //
185+ // The max length is 70 characters and the minimum length is 1. Note that the
186+ // prefix `organizations/{organization_id}/customConstraints/` is not counted.
187+ string name = 1 [(google.api.field_behavior ) = IMMUTABLE ];
188+
189+ // Immutable. The resource instance type on which this policy applies. Format
190+ // will be of the form : `<canonical service name>/<type>` Example:
191+ //
192+ // * `compute.googleapis.com/Instance`.
193+ repeated string resource_types = 2 [(google.api.field_behavior ) = IMMUTABLE ];
194+
195+ // All the operations being applied for this constraint.
196+ repeated MethodType method_types = 3 ;
197+
198+ // Org policy condition/expression. For example:
199+ // `resource.instanceName.matches("[production|test]_.*_(\d)+")` or,
200+ // `resource.management.auto_upgrade == true`
201+ //
202+ // The max length of the condition is 1000 characters.
203+ string condition = 4 ;
204+
205+ // Allow or deny type.
206+ ActionType action_type = 5 ;
207+
208+ // One line display name for the UI.
209+ // The max length of the display_name is 200 characters.
210+ string display_name = 6 ;
211+
212+ // Detailed information about this custom policy constraint.
213+ // The max length of the description is 2000 characters.
214+ string description = 7 ;
215+
216+ // Output only. The last time this custom constraint was updated. This
217+ // represents the last time that the `CreateCustomConstraint` or
218+ // `UpdateCustomConstraint` RPC was called
219+ google.protobuf.Timestamp update_time = 8
220+ [(google.api.field_behavior ) = OUTPUT_ONLY ];
126221}
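Review bot: The leading comment on `MethodType` tells callers that deleting VMs is covered by setting `method_types` to `CREATE` and `DELETE`, while the `DELETE = 3` value itself is annotated `// Not supported yet.`; one of the two statements is stale, and a client that follows the enum-level guidance will hit whatever error the service returns for an unsupported method type. I would rewrite the delete sentence of the enum comment to `// Applying a constraint on deletion (DELETE) is not supported yet.` until the value is actually accepted, so both comments agree. Separately, `resource_types`, `method_types` and `action_type` carry no `(google.api.field_behavior) = REQUIRED` annotation even though their `*_UNSPECIFIED` values are documented as "Results in an error"; if the service does reject these fields when unset, adding REQUIRED (or at least saying so in the field comments) lets generated docs and client-side validation reflect the contract. The `update_time` comment is also missing its closing period after `RPC was called`.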