// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.osconfig.agentendpoint.v1;

import "google/api/field_behavior.proto";

option go_package = "cloud.google.com/go/osconfig/agentendpoint/apiv1/agentendpointpb;agentendpointpb";
option java_multiple_files = true;
option java_outer_classname = "OSPolicyProto";
option java_package = "com.google.cloud.osconfig.agentendpoint.v1";

// An OS policy defines the desired state configuration for an instance.
message OSPolicy {
  // Policy mode: whether the agent only reports drift from the desired
  // state, or also remediates it.
  enum Mode {
    // Invalid mode
    MODE_UNSPECIFIED = 0;

    // This mode checks if the configuration resources in the policy are in
    // their desired state. No actions are performed if they are not in the
    // desired state. This mode is used for reporting purposes.
    VALIDATION = 1;

    // This mode checks if the configuration resources in the policy are in
    // their desired state, and if not, enforces the desired state.
    ENFORCEMENT = 2;
  }

  // An OS policy resource is used to define the desired state configuration
  // and provides a specific functionality like installing/removing packages,
  // executing a script etc.
  //
  // The system ensures that resources are always in their desired state by
  // taking necessary actions if they have drifted from their desired state.
  message Resource {
    // A remote or local file.
    //
    // Fetched content (`remote`, `gcs`) is subject to the integrity
    // validations described on `allow_insecure`.
    message File {
      // Specifies a file available via some URI.
      message Remote {
        // Required. URI from which to fetch the object. It should contain both the
        // protocol and path following the format `{protocol}://{location}`.
        string uri = 1 [(google.api.field_behavior) = REQUIRED];

        // SHA256 checksum of the remote file. Pins the fetched content to a
        // known value; when omitted, the file fails validation unless
        // `allow_insecure` is true.
        string sha256_checksum = 2;
      }

      // Specifies a file available as a Cloud Storage Object.
      message Gcs {
        // Required. Bucket of the Cloud Storage object.
        string bucket = 1 [(google.api.field_behavior) = REQUIRED];

        // Required. Name of the Cloud Storage object.
        string object = 2 [(google.api.field_behavior) = REQUIRED];

        // Generation number of the Cloud Storage object. Pins the fetch to
        // one object version; when omitted, the file fails validation
        // unless `allow_insecure` is true.
        int64 generation = 3;
      }

      // A specific type of file.
      oneof type {
        // A generic remote file.
        Remote remote = 1;

        // A Cloud Storage object.
        Gcs gcs = 2;

        // A local path to use.
        string local_path = 3;
      }

      // Defaults to false. When false, files are subject to validations
      // based on the file type:
      //
      // Remote: A checksum must be specified.
      // Cloud Storage: An object generation number must be specified.
      //
      // When true, those validations are skipped, so this message no longer
      // pins the fetched content to a checksum or object generation and a
      // changed upstream object is accepted. Prefer leaving this false for
      // any source that a party other than the policy author could modify.
      bool allow_insecure = 4;
    }

    // A resource that manages a system package.
    message PackageResource {
      // The desired state that the OS Config agent maintains on the VM.
      enum DesiredState {
        // Unspecified is invalid.
        DESIRED_STATE_UNSPECIFIED = 0;

        // Ensure that the package is installed.
        INSTALLED = 1;

        // The agent ensures that the package is not installed and
        // uninstalls it if detected.
        REMOVED = 2;
      }

      // A deb package file. dpkg packages only support INSTALLED state.
      message Deb {
        // Required. A deb package.
        File source = 1 [(google.api.field_behavior) = REQUIRED];

        // Whether dependencies should also be installed.
        // install when false: `dpkg -i package`
        // install when true: `apt-get update && apt-get -y install
        // package.deb`
        bool pull_deps = 2;
      }

      // A package managed by APT.
      // install: `apt-get update && apt-get -y install [name]`
      // remove: `apt-get -y remove [name]`
      message APT {
        // Required. Package name.
        string name = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // An RPM package file. RPM packages only support INSTALLED state.
      message RPM {
        // Required. An rpm package.
        File source = 1 [(google.api.field_behavior) = REQUIRED];

        // Whether dependencies should also be installed.
        // install when false: `rpm --upgrade --replacepkgs package.rpm`
        // install when true: `yum -y install package.rpm` or
        // `zypper -y install package.rpm`
        bool pull_deps = 2;
      }

      // A package managed by YUM.
      // install: `yum -y install package`
      // remove: `yum -y remove package`
      message YUM {
        // Required. Package name.
        string name = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // A package managed by Zypper.
      // install: `zypper -y install package`
      // remove: `zypper -y rm package`
      message Zypper {
        // Required. Package name.
        string name = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // A package managed by GooGet.
      // install: `googet -noconfirm install package`
      // remove: `googet -noconfirm remove package`
      message GooGet {
        // Required. Package name.
        string name = 1 [(google.api.field_behavior) = REQUIRED];
      }

      // An MSI package. MSI packages only support INSTALLED state.
      message MSI {
        // Required. The MSI package.
        File source = 1 [(google.api.field_behavior) = REQUIRED];

        // Additional properties to use during installation.
        // This should be in the format of Property=Setting.
        // Appended to the defaults of "ACTION=INSTALL
        // REBOOT=ReallySuppress".
        repeated string properties = 2;
      }

      // Required. The desired state the agent should maintain for this package. The
      // default is to ensure the package is installed.
      // NOTE(review): DESIRED_STATE_UNSPECIFIED (the proto3 zero value) is
      // documented above as invalid, so the "default is installed" sentence
      // presumably describes defaulting applied before the policy reaches the
      // agent — confirm.
      DesiredState desired_state = 1 [(google.api.field_behavior) = REQUIRED];

      // A system package.
      oneof system_package {
        // A package managed by Apt.
        APT apt = 2;

        // A deb package file.
        Deb deb = 3;

        // A package managed by YUM.
        YUM yum = 4;

        // A package managed by Zypper.
        Zypper zypper = 5;

        // An rpm package file.
        RPM rpm = 6;

        // A package managed by GooGet.
        GooGet googet = 7;

        // An MSI package.
        MSI msi = 8;
      }
    }

    // A resource that manages a package repository.
    message RepositoryResource {
      // Represents a single apt package repository. These will be added to
      // a repo file that will be managed at
      // /etc/apt/sources.list.d/google_osconfig.list.
      message AptRepository {
        // Type of archive.
        enum ArchiveType {
          // Unspecified is invalid.
          ARCHIVE_TYPE_UNSPECIFIED = 0;

          // Deb indicates that the archive contains binary files.
          DEB = 1;

          // Deb-src indicates that the archive contains source files.
          DEB_SRC = 2;
        }

        // Required. Type of archive files in this repository. The default behavior is
        // DEB.
        // NOTE(review): ARCHIVE_TYPE_UNSPECIFIED (the proto3 zero value) is
        // documented above as invalid, so "default behavior is DEB"
        // presumably refers to defaulting applied before the policy reaches
        // the agent — confirm.
        ArchiveType archive_type = 1 [(google.api.field_behavior) = REQUIRED];

        // Required. URI for this repository.
        string uri = 2 [(google.api.field_behavior) = REQUIRED];

        // Required. Distribution of this repository.
        string distribution = 3 [(google.api.field_behavior) = REQUIRED];

        // Required. List of components for this repository. Must contain at least one
        // item.
        repeated string components = 4 [(google.api.field_behavior) = REQUIRED];

        // URI of the key file for this repository. The agent maintains a
        // keyring at /etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg.
        // NOTE(review): unlike `File.Remote`, this message carries no
        // checksum for the key, so the integrity of the fetched key rests on
        // how the agent fetches and validates this URI — confirm.
        string gpg_key = 5;
      }

      // Represents a single yum package repository. These are added to a
      // repo file that is managed at
      // `/etc/yum.repos.d/google_osconfig.repo`.
      message YumRepository {
        // Required. A one word, unique name for this repository. This is the `repo
        // id` in the yum config file and also the `display_name` if
        // `display_name` is omitted. This id is also used as the unique
        // identifier when checking for resource conflicts.
        string id = 1 [(google.api.field_behavior) = REQUIRED];

        // The display name of the repository.
        string display_name = 2;

        // Required. The location of the repository directory.
        string base_url = 3 [(google.api.field_behavior) = REQUIRED];

        // URIs of GPG keys. As with `AptRepository.gpg_key`, no checksum is
        // carried for these keys.
        repeated string gpg_keys = 4;
      }

      // Represents a single zypper package repository. These are added to a
      // repo file that is managed at
      // `/etc/zypp/repos.d/google_osconfig.repo`.
      message ZypperRepository {
        // Required. A one word, unique name for this repository. This is the `repo
        // id` in the zypper config file and also the `display_name` if
        // `display_name` is omitted. This id is also used as the unique
        // identifier when checking for GuestPolicy conflicts.
        string id = 1 [(google.api.field_behavior) = REQUIRED];

        // The display name of the repository.
        string display_name = 2;

        // Required. The location of the repository directory.
        string base_url = 3 [(google.api.field_behavior) = REQUIRED];

        // URIs of GPG keys. As with `AptRepository.gpg_key`, no checksum is
        // carried for these keys.
        repeated string gpg_keys = 4;
      }

      // Represents a Goo package repository. These are added to a repo file
      // that is managed at
      // `C:/ProgramData/GooGet/repos/google_osconfig.repo`.
      message GooRepository {
        // Required. The name of the repository.
        string name = 1 [(google.api.field_behavior) = REQUIRED];

        // Required. The url of the repository.
        string url = 2 [(google.api.field_behavior) = REQUIRED];
      }

      // A specific type of repository.
      oneof repository {
        // An Apt Repository.
        AptRepository apt = 1;

        // A Yum Repository.
        YumRepository yum = 2;

        // A Zypper Repository.
        ZypperRepository zypper = 3;

        // A Goo Repository.
        GooRepository goo = 4;
      }
    }

    // A resource that contains custom validation and enforcement steps.
    message ExecResource {
      // A file or script to execute.
      message Exec {
        // The interpreter to use.
        enum Interpreter {
          // Invalid value, the request will return validation error.
          INTERPRETER_UNSPECIFIED = 0;

          // If no interpreter is specified the
          // source will be executed directly, which will likely only
          // succeed for executables and scripts with shebang lines.
          // [Wikipedia
          // shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)).
          NONE = 1;

          // Indicates that the script will be run with /bin/sh on Linux and
          // cmd.exe on windows.
          SHELL = 2;

          // Indicates that the script will be run with powershell.
          POWERSHELL = 3;
        }

        // What to execute. Exactly one of the two is set.
        oneof source {
          // A remote or local file. Fetched sources are subject to the
          // integrity validations described on `File.allow_insecure`.
          File file = 1;

          // An inline script.
          string script = 2;
        }

        // Optional arguments to pass to the source during execution.
        repeated string args = 3;

        // Required. The script interpreter to use.
        Interpreter interpreter = 4 [(google.api.field_behavior) = REQUIRED];

        // Only recorded for enforce Exec.
        // Path to an output file (that is created by this Exec) whose
        // content will be recorded in OSPolicyResourceCompliance after a
        // successful run. Absence or failure to read this file will result in
        // this ExecResource being non-compliant. Output file size is limited to
        // 100K bytes.
        string output_file_path = 5;
      }

      // Required. What to run to validate this resource is in the desired state.
      // An exit code of 100 indicates "in desired state", and exit code of 101
      // indicates "not in desired state". Any other exit code indicates a
      // failure running validate.
      Exec validate = 1 [(google.api.field_behavior) = REQUIRED];

      // What to run to bring this resource into the desired state.
      // An exit code of 100 indicates "success", any other exit code indicates a
      // failure running enforce.
      Exec enforce = 2;
    }

    // A resource that manages the state of a file.
    message FileResource {
      // Desired state of the file.
      enum DesiredState {
        // Unspecified is invalid.
        DESIRED_STATE_UNSPECIFIED = 0;

        // Ensure file at path is present.
        PRESENT = 1;

        // Ensure file at path is absent.
        ABSENT = 2;

        // Ensure the contents of the file at path matches. If the file does
        // not exist it will be created.
        CONTENTS_MATCH = 3;
      }

      // The source for the contents of the file.
      oneof source {
        // A remote or local source.
        File file = 1;

        // A file with this content.
        string content = 2;
      }

      // Required. The absolute path of the file.
      string path = 3 [(google.api.field_behavior) = REQUIRED];

      // Required. Desired state of the file.
      DesiredState state = 4 [(google.api.field_behavior) = REQUIRED];

      // Consists of three octal digits which represent, in
      // order, the permissions of the owner, group, and other users for the
      // file (similarly to the numeric mode used in the linux chmod
      // utility). Each digit represents a three bit number with the 4 bit
      // corresponding to the read permissions, the 2 bit corresponds to the
      // write bit, and the one bit corresponds to the execute permission.
      // Default behavior is 755.
      //
      // Below are some examples of permissions and their associated values:
      // read, write, and execute: 7
      // read and execute: 5
      // read and write: 6
      // read only: 4
      string permissions = 5;
    }

    // Required. The id of the resource with the following restrictions:
    //
    // * Must contain only lowercase letters, numbers, and hyphens.
    // * Must start with a letter.
    // * Must be between 1-63 characters.
    // * Must end with a number or a letter.
    // * Must be unique within the OS policy.
    string id = 1 [(google.api.field_behavior) = REQUIRED];

    // Resource type.
    oneof resource_type {
      // Package resource
      PackageResource pkg = 2;

      // Package repository resource
      RepositoryResource repository = 3;

      // Exec resource
      ExecResource exec = 4;

      // File resource
      FileResource file = 5;
    }
  }
}