You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
315 lines
14 KiB
315 lines
14 KiB
// Copyright 2019 Google LLC. |
|
// |
|
// Licensed under the Apache License, Version 2.0 (the "License"); |
|
// you may not use this file except in compliance with the License. |
|
// You may obtain a copy of the License at |
|
// |
|
// http://www.apache.org/licenses/LICENSE-2.0 |
|
// |
|
// Unless required by applicable law or agreed to in writing, software |
|
// distributed under the License is distributed on an "AS IS" BASIS, |
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
// See the License for the specific language governing permissions and |
|
// limitations under the License. |
|
// |
|
|
|
syntax = "proto3"; |
|
|
|
package google.cloud.orgpolicy.v1; |
|
|
|
import "google/protobuf/empty.proto"; |
|
import "google/protobuf/timestamp.proto"; |
|
import "google/api/annotations.proto"; |
|
|
|
option csharp_namespace = "Google.Cloud.OrgPolicy.V1"; |
|
option go_package = "google.golang.org/genproto/googleapis/cloud/orgpolicy/v1;orgpolicy"; |
|
option java_multiple_files = true; |
|
option java_outer_classname = "OrgPolicyProto"; |
|
option java_package = "com.google.cloud.orgpolicy.v1"; |
|
option php_namespace = "Google\\Cloud\\OrgPolicy\\V1"; |
|
option ruby_package = "Google::Cloud::OrgPolicy::V1"; |
|
|
|
// Defines a Cloud Organization `Policy` which is used to specify `Constraints` |
|
// for configurations of Cloud Platform resources. |
|
message Policy { |
|
// Used in `policy_type` to specify how `list_policy` behaves at this |
|
// resource. |
|
// |
|
// `ListPolicy` can define specific values and subtrees of Cloud Resource |
|
// Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that |
|
// are allowed or denied by setting the `allowed_values` and `denied_values` |
|
// fields. This is achieved by using the `under:` and optional `is:` prefixes. |
|
// The `under:` prefix is used to denote resource subtree values. |
|
// The `is:` prefix is used to denote specific values, and is required only |
|
// if the value contains a ":". Values prefixed with "is:" are treated the |
|
// same as values with no prefix. |
|
// Ancestry subtrees must be in one of the following formats: |
|
// - "projects/<project-id>", e.g. "projects/tokyo-rain-123" |
|
// - "folders/<folder-id>", e.g. "folders/1234" |
|
// - "organizations/<organization-id>", e.g. "organizations/1234" |
|
// The `supports_under` field of the associated `Constraint` defines whether |
|
// ancestry prefixes can be used. You can set `allowed_values` and |
|
// `denied_values` in the same `Policy` if `all_values` is |
|
// `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all |
|
// values. If `all_values` is set to either `ALLOW` or `DENY`, |
|
// `allowed_values` and `denied_values` must be unset. |
|
message ListPolicy { |
|
// This enum can be used to set `Policies` that apply to all possible |
|
// configuration values rather than specific values in `allowed_values` or |
|
// `denied_values`. |
|
// |
|
// Settting this to `ALLOW` will mean this `Policy` allows all values. |
|
// Similarly, setting it to `DENY` will mean no values are allowed. If |
|
// set to either `ALLOW` or `DENY, `allowed_values` and `denied_values` |
|
// must be unset. Setting this to `ALL_VALUES_UNSPECIFIED` allows for |
|
// setting `allowed_values` and `denied_values`. |
|
enum AllValues { |
|
// Indicates that allowed_values or denied_values must be set. |
|
ALL_VALUES_UNSPECIFIED = 0; |
|
|
|
// A policy with this set allows all values. |
|
ALLOW = 1; |
|
|
|
// A policy with this set denies all values. |
|
DENY = 2; |
|
} |
|
|
|
// List of values allowed at this resource. Can only be set if `all_values` |
|
// is set to `ALL_VALUES_UNSPECIFIED`. |
|
repeated string allowed_values = 1; |
|
|
|
// List of values denied at this resource. Can only be set if `all_values` |
|
// is set to `ALL_VALUES_UNSPECIFIED`. |
|
repeated string denied_values = 2; |
|
|
|
// The policy all_values state. |
|
AllValues all_values = 3; |
|
|
|
// Optional. The Google Cloud Console will try to default to a configuration |
|
// that matches the value specified in this `Policy`. If `suggested_value` |
|
// is not set, it will inherit the value specified higher in the hierarchy, |
|
// unless `inherit_from_parent` is `false`. |
|
string suggested_value = 4; |
|
|
|
// Determines the inheritance behavior for this `Policy`. |
|
// |
|
// By default, a `ListPolicy` set at a resource supercedes any `Policy` set |
|
// anywhere up the resource hierarchy. However, if `inherit_from_parent` is |
|
// set to `true`, then the values from the effective `Policy` of the parent |
|
// resource are inherited, meaning the values set in this `Policy` are |
|
// added to the values inherited up the hierarchy. |
|
// |
|
// Setting `Policy` hierarchies that inherit both allowed values and denied |
|
// values isn't recommended in most circumstances to keep the configuration |
|
// simple and understandable. However, it is possible to set a `Policy` with |
|
// `allowed_values` set that inherits a `Policy` with `denied_values` set. |
|
// In this case, the values that are allowed must be in `allowed_values` and |
|
// not present in `denied_values`. |
|
// |
|
// For example, suppose you have a `Constraint` |
|
// `constraints/serviceuser.services`, which has a `constraint_type` of |
|
// `list_constraint`, and with `constraint_default` set to `ALLOW`. |
|
// Suppose that at the Organization level, a `Policy` is applied that |
|
// restricts the allowed API activations to {`E1`, `E2`}. Then, if a |
|
// `Policy` is applied to a project below the Organization that has |
|
// `inherit_from_parent` set to `false` and field all_values set to DENY, |
|
// then an attempt to activate any API will be denied. |
|
// |
|
// The following examples demonstrate different possible layerings for |
|
// `projects/bar` parented by `organizations/foo`: |
|
// |
|
// Example 1 (no inherited values): |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "E1" allowed_values:"E2"} |
|
// `projects/bar` has `inherit_from_parent` `false` and values: |
|
// {allowed_values: "E3" allowed_values: "E4"} |
|
// The accepted values at `organizations/foo` are `E1`, `E2`. |
|
// The accepted values at `projects/bar` are `E3`, and `E4`. |
|
// |
|
// Example 2 (inherited values): |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "E1" allowed_values:"E2"} |
|
// `projects/bar` has a `Policy` with values: |
|
// {value: "E3" value: "E4" inherit_from_parent: true} |
|
// The accepted values at `organizations/foo` are `E1`, `E2`. |
|
// The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`. |
|
// |
|
// Example 3 (inheriting both allowed and denied values): |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "E1" allowed_values: "E2"} |
|
// `projects/bar` has a `Policy` with: |
|
// {denied_values: "E1"} |
|
// The accepted values at `organizations/foo` are `E1`, `E2`. |
|
// The value accepted at `projects/bar` is `E2`. |
|
// |
|
// Example 4 (RestoreDefault): |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "E1" allowed_values:"E2"} |
|
// `projects/bar` has a `Policy` with values: |
|
// {RestoreDefault: {}} |
|
// The accepted values at `organizations/foo` are `E1`, `E2`. |
|
// The accepted values at `projects/bar` are either all or none depending on |
|
// the value of `constraint_default` (if `ALLOW`, all; if |
|
// `DENY`, none). |
|
// |
|
// Example 5 (no policy inherits parent policy): |
|
// `organizations/foo` has no `Policy` set. |
|
// `projects/bar` has no `Policy` set. |
|
// The accepted values at both levels are either all or none depending on |
|
// the value of `constraint_default` (if `ALLOW`, all; if |
|
// `DENY`, none). |
|
// |
|
// Example 6 (ListConstraint allowing all): |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "E1" allowed_values: "E2"} |
|
// `projects/bar` has a `Policy` with: |
|
// {all: ALLOW} |
|
// The accepted values at `organizations/foo` are `E1`, E2`. |
|
// Any value is accepted at `projects/bar`. |
|
// |
|
// Example 7 (ListConstraint allowing none): |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "E1" allowed_values: "E2"} |
|
// `projects/bar` has a `Policy` with: |
|
// {all: DENY} |
|
// The accepted values at `organizations/foo` are `E1`, E2`. |
|
// No value is accepted at `projects/bar`. |
|
// |
|
// Example 10 (allowed and denied subtrees of Resource Manager hierarchy): |
|
// Given the following resource hierarchy |
|
// O1->{F1, F2}; F1->{P1}; F2->{P2, P3}, |
|
// `organizations/foo` has a `Policy` with values: |
|
// {allowed_values: "under:organizations/O1"} |
|
// `projects/bar` has a `Policy` with: |
|
// {allowed_values: "under:projects/P3"} |
|
// {denied_values: "under:folders/F2"} |
|
// The accepted values at `organizations/foo` are `organizations/O1`, |
|
// `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`, |
|
// `projects/P3`. |
|
// The accepted values at `projects/bar` are `organizations/O1`, |
|
// `folders/F1`, `projects/P1`. |
|
bool inherit_from_parent = 5; |
|
} |
|
|
|
// Used in `policy_type` to specify how `boolean_policy` will behave at this |
|
// resource. |
|
message BooleanPolicy { |
|
// If `true`, then the `Policy` is enforced. If `false`, then any |
|
// configuration is acceptable. |
|
// |
|
// Suppose you have a `Constraint` |
|
// `constraints/compute.disableSerialPortAccess` with `constraint_default` |
|
// set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following |
|
// behavior: |
|
// - If the `Policy` at this resource has enforced set to `false`, serial |
|
// port connection attempts will be allowed. |
|
// - If the `Policy` at this resource has enforced set to `true`, serial |
|
// port connection attempts will be refused. |
|
// - If the `Policy` at this resource is `RestoreDefault`, serial port |
|
// connection attempts will be allowed. |
|
// - If no `Policy` is set at this resource or anywhere higher in the |
|
// resource hierarchy, serial port connection attempts will be allowed. |
|
// - If no `Policy` is set at this resource, but one exists higher in the |
|
// resource hierarchy, the behavior is as if the`Policy` were set at |
|
// this resource. |
|
// |
|
// The following examples demonstrate the different possible layerings: |
|
// |
|
// Example 1 (nearest `Constraint` wins): |
|
// `organizations/foo` has a `Policy` with: |
|
// {enforced: false} |
|
// `projects/bar` has no `Policy` set. |
|
// The constraint at `projects/bar` and `organizations/foo` will not be |
|
// enforced. |
|
// |
|
// Example 2 (enforcement gets replaced): |
|
// `organizations/foo` has a `Policy` with: |
|
// {enforced: false} |
|
// `projects/bar` has a `Policy` with: |
|
// {enforced: true} |
|
// The constraint at `organizations/foo` is not enforced. |
|
// The constraint at `projects/bar` is enforced. |
|
// |
|
// Example 3 (RestoreDefault): |
|
// `organizations/foo` has a `Policy` with: |
|
// {enforced: true} |
|
// `projects/bar` has a `Policy` with: |
|
// {RestoreDefault: {}} |
|
// The constraint at `organizations/foo` is enforced. |
|
// The constraint at `projects/bar` is not enforced, because |
|
// `constraint_default` for the `Constraint` is `ALLOW`. |
|
bool enforced = 1; |
|
} |
|
|
|
// Ignores policies set above this resource and restores the |
|
// `constraint_default` enforcement behavior of the specific `Constraint` at |
|
// this resource. |
|
// |
|
// Suppose that `constraint_default` is set to `ALLOW` for the |
|
// `Constraint` `constraints/serviceuser.services`. Suppose that organization |
|
// foo.com sets a `Policy` at their Organization resource node that restricts |
|
// the allowed service activations to deny all service activations. They |
|
// could then set a `Policy` with the `policy_type` `restore_default` on |
|
// several experimental projects, restoring the `constraint_default` |
|
// enforcement of the `Constraint` for only those projects, allowing those |
|
// projects to have all services activated. |
|
message RestoreDefault { |
|
|
|
} |
|
|
|
// Version of the `Policy`. Default version is 0; |
|
int32 version = 1; |
|
|
|
// The name of the `Constraint` the `Policy` is configuring, for example, |
|
// `constraints/serviceuser.services`. |
|
// |
|
// Immutable after creation. |
|
string constraint = 2; |
|
|
|
// An opaque tag indicating the current version of the `Policy`, used for |
|
// concurrency control. |
|
// |
|
// When the `Policy` is returned from either a `GetPolicy` or a |
|
// `ListOrgPolicy` request, this `etag` indicates the version of the current |
|
// `Policy` to use when executing a read-modify-write loop. |
|
// |
|
// When the `Policy` is returned from a `GetEffectivePolicy` request, the |
|
// `etag` will be unset. |
|
// |
|
// When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value |
|
// that was returned from a `GetOrgPolicy` request as part of a |
|
// read-modify-write loop for concurrency control. Not setting the `etag`in a |
|
// `SetOrgPolicy` request will result in an unconditional write of the |
|
// `Policy`. |
|
bytes etag = 3; |
|
|
|
// The time stamp the `Policy` was previously updated. This is set by the |
|
// server, not specified by the caller, and represents the last time a call to |
|
// `SetOrgPolicy` was made for that `Policy`. Any value set by the client will |
|
// be ignored. |
|
google.protobuf.Timestamp update_time = 4; |
|
|
|
// The field to populate is based on the `constraint_type` value in the |
|
// `Constraint`. |
|
// `list_constraint` => `list_policy` |
|
// `boolean_constraint` => `boolean_policy` |
|
// |
|
// A `restore_default` message may be used with any `Constraint` type. |
|
// |
|
// Providing a *_policy that is incompatible with the `constraint_type` will |
|
// result in an `invalid_argument` error. |
|
// |
|
// Attempting to set a `Policy` with a `policy_type` not set will result in an |
|
// `invalid_argument` error. |
|
oneof policy_type { |
|
// List of values either allowed or disallowed. |
|
ListPolicy list_policy = 5; |
|
|
|
// For boolean `Constraints`, whether to enforce the `Constraint` or not. |
|
BooleanPolicy boolean_policy = 6; |
|
|
|
// Restores the default behavior of the constraint; independent of |
|
// `Constraint` type. |
|
RestoreDefault restore_default = 7; |
|
} |
|
}
|
|
|