// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securityposture.v1;

import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "google/type/expr.proto";

option go_package = "cloud.google.com/go/securityposture/apiv1/securityposturepb;securityposturepb";
option java_multiple_files = true;
option java_outer_classname = "OrgPolicyConfigProto";
option java_package = "com.google.cloud.securityposture.v1";

// A rule used to express this policy.
//
// At most one member of the `kind` oneof is set on a rule; `condition`
// optionally restricts when the rule takes part in policy evaluation.
message PolicyRule {
  // A message that holds specific allowed and denied values.
  // This message can define specific values and subtrees of the Resource
  // Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
  // are allowed or denied. This is achieved by using the `under:` and
  // optional `is:` prefixes.
  // The `under:` prefix is used to denote resource subtree values.
  // The `is:` prefix is used to denote specific values, and is required only
  // if the value contains a ":". Values prefixed with "is:" are treated the
  // same as values with no prefix.
  // Ancestry subtrees must be in one of the following formats:
  //
  // - `projects/<project-id>` (for example, `projects/tokyo-rain-123`)
  // - `folders/<folder-id>` (for example, `folders/1234`)
  // - `organizations/<organization-id>` (for example, `organizations/1234`)
  //
  // The `supports_under` field of the associated `Constraint` defines
  // whether ancestry prefixes can be used.
  //
  // Both lists are plain strings: this schema does not check the prefixes or
  // the resource-name formats described above, so a writer must validate
  // them before sending the policy.
  message StringValues {
    // List of values allowed at this resource.
    repeated string allowed_values = 1;

    // List of values denied at this resource.
    repeated string denied_values = 2;
  }

  // The effect of the rule. Setting one member clears the others.
  oneof kind {
    // List of values to be used for this policy rule. This field can be set
    // only in policies for list constraints.
    StringValues values = 1;

    // Setting this to true means that all values are allowed. This field can
    // be set only in policies for list constraints.
    bool allow_all = 2;

    // Setting this to true means that all values are denied. This field can
    // be set only in policies for list constraints.
    bool deny_all = 3;

    // If `true`, then the policy is enforced. If `false`, then any
    // configuration is acceptable.
    // This field can be set only in policies for boolean constraints.
    bool enforce = 4;
  }

  // A condition which determines whether this rule is used
  // in the evaluation of the policy. When set, the `expression` field in
  // the `Expr` must include from 1 to 10 subexpressions, joined by the "||"
  // or "&&" operators. Each subexpression must be of the form
  // "resource.matchTag('<ORG_ID>/tag_key_short_name',
  // 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id',
  // 'tagValues/value_id')" where key_name and value_name are the resource
  // names for Label Keys and Values. These names are available from the Tag
  // Manager Service. An example expression is:
  // "resource.matchTag('123456789/environment',
  // 'prod')" or "resource.matchTagId('tagKeys/123',
  // 'tagValues/456')".
  //
  // Unset (no `condition` message) means the rule applies unconditionally.
  google.type.Expr condition = 5;
}

// A custom constraint defined by customers which can *only* be applied to the
// given resource types and organization.
//
// By creating a custom constraint, customers can apply policies of this
// custom constraint. *Creating a custom constraint itself does NOT apply any
// policy enforcement*.
message CustomConstraint {
  // The operation for which this constraint will be applied. To apply this
  // constraint only when creating new VMs, the `method_types` should be
  // `CREATE` only. To apply this constraint when creating or deleting
  // VMs, the `method_types` should be `CREATE` and `DELETE`.
  //
  // `UPDATE` only custom constraints are not supported. Use `CREATE` or
  // `CREATE, UPDATE`.
  //
  // NOTE(review): values are not prefixed with the enum name (`METHOD_TYPE_`);
  // renaming them now would break generated code, so they stay as published.
  enum MethodType {
    // Unspecified. Results in an error.
    METHOD_TYPE_UNSPECIFIED = 0;

    // Constraint applied when creating the resource.
    CREATE = 1;

    // Constraint applied when updating the resource.
    UPDATE = 2;

    // Constraint applied when deleting the resource.
    // Not supported yet.
    DELETE = 3;
  }

  // Allow or deny type.
  //
  // NOTE(review): values are not prefixed with the enum name (`ACTION_TYPE_`);
  // renaming them now would break generated code, so they stay as published.
  enum ActionType {
    // Unspecified. Results in an error.
    ACTION_TYPE_UNSPECIFIED = 0;

    // Allowed action type.
    ALLOW = 1;

    // Deny action type.
    DENY = 2;
  }

  // Immutable. Name of the constraint. This is unique within the organization.
  // Format of the name should be
  //
  // -
  // `organizations/{organization_id}/customConstraints/{custom_constraint_id}`
  //
  // Example: `organizations/123/customConstraints/custom.createOnlyE2TypeVms`
  //
  // The max length is 70 characters and the minimum length is 1. Note that the
  // prefix `organizations/{organization_id}/customConstraints/` is not counted.
  string name = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. The resource instance type on which this policy applies. Format
  // will be of the form : `<canonical service name>/<type>` Example:
  //
  // - `compute.googleapis.com/Instance`.
  repeated string resource_types = 2 [(google.api.field_behavior) = IMMUTABLE];

  // All the operations being applied for this constraint.
  //
  // Unknown enum values round-trip as integers in proto3; readers should
  // treat any value other than the ones declared in `MethodType` as
  // unsupported rather than silently ignoring the entry.
  repeated MethodType method_types = 3;

  // Org policy condition/expression. For example:
  // `resource.instanceName.matches("[production|test]_.*_(\d)+")` or,
  // `resource.management.auto_upgrade == true`
  //
  // The max length of the condition is 1000 characters.
  //
  // The schema carries this as an opaque string; the length limit above is
  // the only documented constraint, and the expression language is not
  // stated here (presumably the same one used by Org Policy — confirm).
  string condition = 4;

  // Allow or deny type.
  ActionType action_type = 5;

  // One line display name for the UI.
  // The max length of the display_name is 200 characters.
  string display_name = 6;

  // Detailed information about this custom policy constraint.
  // The max length of the description is 2000 characters.
  string description = 7;

  // Output only. The last time this custom constraint was updated. This
  // represents the last time that the `CreateCustomConstraint` or
  // `UpdateCustomConstraint` RPC was called.
  google.protobuf.Timestamp update_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];
}