// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.assuredworkloads.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.AssuredWorkloads.V1";
option go_package = "cloud.google.com/go/assuredworkloads/apiv1/assuredworkloadspb;assuredworkloadspb";
option java_multiple_files = true;
option java_outer_classname = "AssuredworkloadsProto";
option java_package = "com.google.cloud.assuredworkloads.v1";
option php_namespace = "Google\\Cloud\\AssuredWorkloads\\V1";
option ruby_package = "Google::Cloud::AssuredWorkloads::V1";
option (google.api.resource_definition) = {
  type: "assuredworkloads.googleapis.com/Location"
  pattern: "organizations/{organization}/locations/{location}"
};

// Service to manage AssuredWorkloads.
// All RPCs below require the cloud-platform OAuth scope declared here;
// the Workload RPCs additionally carry HTTP bindings, the Violation RPCs
// do not.
service AssuredWorkloadsService {
  option (google.api.default_host) = "assuredworkloads.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Creates an Assured Workload.
  // This is a long-running operation: the returned Operation resolves to a
  // Workload, with CreateWorkloadOperationMetadata as its metadata.
  rpc CreateWorkload(CreateWorkloadRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*/locations/*}/workloads"
      body: "workload"
    };
    option (google.api.method_signature) = "parent,workload";
    option (google.longrunning.operation_info) = {
      response_type: "Workload"
      metadata_type: "CreateWorkloadOperationMetadata"
    };
  }

  // Updates an existing workload.
  // Currently allows updating of workload display_name and labels.
  // To force an update (skipping the concurrency check), leave the etag
  // field of the Workload unset.
  // Only one update operation per workload can be in progress.
  rpc UpdateWorkload(UpdateWorkloadRequest) returns (Workload) {
    option (google.api.http) = {
      patch: "/v1/{workload.name=organizations/*/locations/*/workloads/*}"
      body: "workload"
    };
    option (google.api.method_signature) = "workload,update_mask";
  }

  // Restricts the list of resources allowed in the Workload environment.
  // The current list of allowed products can be found at
  // https://cloud.google.com/assured-workloads/docs/supported-products
  // In addition to the assuredworkloads.workload.update permission, the user
  // should also have the orgpolicy.policy.set permission on the folder
  // resource to use this functionality.
  // See RestrictAllowedResourcesRequest.RestrictionType: ALLOW_ALL_GCP_RESOURCES
  // removes the compliance-based service restriction entirely.
  rpc RestrictAllowedResources(RestrictAllowedResourcesRequest) returns (RestrictAllowedResourcesResponse) {
    option (google.api.http) = {
      post: "/v1/{name=organizations/*/locations/*/workloads/*}:restrictAllowedResources"
      body: "*"
    };
  }

  // Deletes the workload. Make sure that the workload's direct children are
  // already in a deleted state, otherwise the request will fail with a
  // FAILED_PRECONDITION error.
  // An etag may be supplied in the request to guard against deleting a
  // workload that changed since it was last read.
  rpc DeleteWorkload(DeleteWorkloadRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/locations/*/workloads/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets the Assured Workload associated with a CRM Node.
  rpc GetWorkload(GetWorkloadRequest) returns (Workload) {
    option (google.api.http) = {
      get: "/v1/{name=organizations/*/locations/*/workloads/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists Assured Workloads under a CRM Node.
  rpc ListWorkloads(ListWorkloadsRequest) returns (ListWorkloadsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*/locations/*}/workloads"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists the Violations in the AssuredWorkload Environment.
  // Callers may also choose to read across multiple Workloads as per
  // [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
  // character) as a wildcard character instead of workload-id in the parent.
  // Format `organizations/{org_id}/locations/{location}/workloads/-`
  // NOTE(review): no google.api.http binding is declared for this or the
  // other Violation RPCs, unlike the Workload RPCs above — confirm whether a
  // REST mapping is intended.
  rpc ListViolations(ListViolationsRequest) returns (ListViolationsResponse) {
    option (google.api.method_signature) = "parent";
  }

  // Retrieves an Assured Workload Violation based on ID.
  rpc GetViolation(GetViolationRequest) returns (Violation) {
    option (google.api.method_signature) = "name";
  }

  // Acknowledges an existing violation. By acknowledging a violation, users
  // acknowledge the existence of a compliance violation in their workload and
  // decide to ignore it due to a valid business justification. Acknowledgement
  // is a permanent operation and it cannot be reverted.
  // The justification is recorded in the request's `comment` field and is
  // later retrievable via Violation.exception_audit_log_link.
  rpc AcknowledgeViolation(AcknowledgeViolationRequest) returns (AcknowledgeViolationResponse) {
  }
}

// Request for creating a workload.
message CreateWorkloadRequest {
  // Required. The resource name of the new Workload's parent.
  // Must be of the form `organizations/{org_id}/locations/{location_id}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Required. The Assured Workload to create.
  Workload workload = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An identifier associated with the workload and underlying
  // projects which allows for the breakdown of billing costs for a workload.
  // The value provided for the identifier will add a label to the workload
  // and contained projects with the identifier as the value.
  string external_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request for updating a workload.
message UpdateWorkloadRequest {
  // Required. The workload to update.
  // The workload's `name` field is used to identify the workload to be updated.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  // Leaving `etag` unset in this Workload forces the update; see
  // UpdateWorkload.
  Workload workload = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to be updated.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request for deleting a Workload.
message DeleteWorkloadRequest {
  // Required. The `name` field is used to identify the workload.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Optional. The etag of the workload.
  // If this is provided, it must match the server's etag; a mismatch rejects
  // the delete. Omitting it skips this check.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request for fetching a workload.
message GetWorkloadRequest {
  // Required. The resource name of the Workload to fetch. This is the workload's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];
}

// Request for fetching workloads in an organization.
message ListWorkloadsRequest {
  // Required. Parent Resource to list workloads from.
  // Must be of the form `organizations/{org_id}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Page size.
  int32 page_size = 2;

  // Page token returned from the previous request. The page token carries
  // context from the previous request and needs to be passed in the second
  // and following requests.
  string page_token = 3;

  // A custom filter for filtering by properties of a workload. At this time,
  // only filtering by labels is supported.
  string filter = 4;
}

// Response of the ListWorkloads endpoint.
message ListWorkloadsResponse {
  // List of Workloads under a given parent.
  repeated Workload workloads = 1;

  // The next page token. Empty if the last page has been reached.
  string next_page_token = 2;
}

// A Workload object for managing highly regulated workloads of cloud
// customers.
// NOTE(review): field numbers 7, 8, 11, 12, 16, 19 and 21-23 are unused but
// not declared `reserved`; confirm their history before any reuse.
message Workload {
  option (google.api.resource) = {
    type: "assuredworkloads.googleapis.com/Workload"
    pattern: "organizations/{organization}/locations/{location}/workloads/{workload}"
  };

  // Represents the resources that are children of this Workload.
  message ResourceInfo {
    // The type of resource.
    enum ResourceType {
      // Unknown resource type.
      RESOURCE_TYPE_UNSPECIFIED = 0;

      // Consumer project.
      // AssuredWorkloads Projects are no longer supported. This field will be
      // ignored only in CreateWorkload requests. ListWorkloads and GetWorkload
      // will continue to provide projects information.
      // Use CONSUMER_FOLDER instead.
      CONSUMER_PROJECT = 1 [deprecated = true];

      // Consumer Folder.
      CONSUMER_FOLDER = 4;

      // Consumer project containing encryption keys.
      ENCRYPTION_KEYS_PROJECT = 2;

      // Keyring resource that hosts encryption keys.
      KEYRING = 3;
    }

    // Resource identifier.
    // For a project this represents the project_number.
    int64 resource_id = 1;

    // Indicates the type of resource.
    ResourceType resource_type = 2;
  }

  // Supported Compliance Regimes.
  enum ComplianceRegime {
    // Unknown compliance regime.
    COMPLIANCE_REGIME_UNSPECIFIED = 0;

    // Information protection as per DoD IL4 requirements.
    IL4 = 1;

    // Criminal Justice Information Services (CJIS) Security policies.
    CJIS = 2;

    // FedRAMP High data protection controls.
    FEDRAMP_HIGH = 3;

    // FedRAMP Moderate data protection controls.
    FEDRAMP_MODERATE = 4;

    // Assured Workloads For US Regions data protection controls.
    US_REGIONAL_ACCESS = 5;

    // Health Insurance Portability and Accountability Act controls.
    HIPAA = 6;

    // Health Information Trust Alliance controls.
    HITRUST = 7;

    // Assured Workloads For EU Regions and Support controls.
    EU_REGIONS_AND_SUPPORT = 8;

    // Assured Workloads For Canada Regions and Support controls.
    CA_REGIONS_AND_SUPPORT = 9;

    // International Traffic in Arms Regulations.
    ITAR = 10;

    // Assured Workloads for Australia Regions and Support controls.
    // Available for public preview consumption.
    // Don't create production workloads.
    AU_REGIONS_AND_US_SUPPORT = 11;

    // Assured Workloads for Partners.
    ASSURED_WORKLOADS_FOR_PARTNERS = 12;
  }

  // Settings specific to the Key Management Service.
  // This message is deprecated.
  // In order to create a Keyring, callers should specify
  // ENCRYPTION_KEYS_PROJECT or KEYRING in the ResourceSettings.resource_type
  // field.
  message KMSSettings {
    option deprecated = true;

    // Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
    // new version of the crypto key and mark it as the primary.
    google.protobuf.Timestamp next_rotation_time = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
    // Management Service automatically rotates a key. Must be at least 24 hours
    // and at most 876,000 hours.
    google.protobuf.Duration rotation_period = 2 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Represents the custom settings for the resources to be created.
  message ResourceSettings {
    // Resource identifier.
    // For a project this represents the project_id. If the project id is
    // already taken, the workload creation will fail.
    // For a KeyRing, this represents the keyring_id.
    // For a folder, don't set this value as the folder_id is assigned by
    // Google.
    string resource_id = 1;

    // Indicates the type of resource. This field should be specified to
    // correspond the id to the right resource type (CONSUMER_FOLDER or
    // ENCRYPTION_KEYS_PROJECT).
    ResourceInfo.ResourceType resource_type = 2;

    // User-assigned resource display name.
    // If not empty it will be used to create a resource with the specified
    // name.
    string display_name = 3;
  }

  // Key Access Justifications (KAJ) Enrollment State.
  enum KajEnrollmentState {
    // Default State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0;

    // Pending State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_PENDING = 1;

    // Complete State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_COMPLETE = 2;
  }

  // Signed Access Approvals (SAA) enrollment response.
  message SaaEnrollmentResponse {
    // Setup state of SAA enrollment.
    enum SetupState {
      // Unspecified.
      SETUP_STATE_UNSPECIFIED = 0;

      // SAA enrollment pending.
      STATUS_PENDING = 1;

      // SAA enrollment completed.
      STATUS_COMPLETE = 2;
    }

    // Setup error of SAA enrollment.
    enum SetupError {
      // Unspecified.
      SETUP_ERROR_UNSPECIFIED = 0;

      // Invalid states for all customers, to be redirected to the AA UI for
      // additional details.
      ERROR_INVALID_BASE_SETUP = 1;

      // Returned when there is not an EKM key configured.
      ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2;

      // Returned when there are no enrolled services or the customer is
      // enrolled in CAA only for a subset of services.
      ERROR_NOT_ALL_SERVICES_ENROLLED = 3;

      // Returned when an exception was encountered during evaluation of other
      // criteria.
      ERROR_SETUP_CHECK_FAILED = 4;
    }

    // Indicates the SAA enrollment status of a given workload.
    // Declared `optional`, so an absent status is distinguishable from
    // SETUP_STATE_UNSPECIFIED.
    optional SetupState setup_status = 1;

    // Indicates SAA enrollment setup errors, if any.
    repeated SetupError setup_errors = 2;
  }

  // Supported Assured Workloads Partners.
  enum Partner {
    // Unknown partner regime/controls.
    PARTNER_UNSPECIFIED = 0;

    // S3NS regime/controls.
    LOCAL_CONTROLS_BY_S3NS = 1;
  }

  // Optional. The resource name of the workload.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}
  //
  // Read-only.
  string name = 1 [(google.api.field_behavior) = OPTIONAL];

  // Required. The user-assigned display name of the Workload.
  // When present it must be between 4 to 30 characters.
  // Allowed characters are: lowercase and uppercase letters, numbers,
  // hyphen, and spaces.
  //
  // Example: My Workload
  string display_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Output only. The resources associated with this workload.
  // These resources will be created when creating the workload.
  // If any of the projects already exist, the workload creation will fail.
  // Always read only.
  repeated ResourceInfo resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. Compliance Regime associated with this workload.
  ComplianceRegime compliance_regime = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. The Workload creation timestamp.
  google.protobuf.Timestamp create_time = 5 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Optional. The billing account used for the resources which are
  // direct children of the workload. This billing account is initially
  // associated with the resources created as part of Workload creation.
  // After the initial creation of these resources, the customer can change
  // the assigned billing account.
  // The resource name has the form
  // `billingAccounts/{billing_account_id}`. For example,
  // `billingAccounts/012345-567890-ABCDEF`.
  string billing_account = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. ETag of the workload, calculated on the basis of the Workload
  // contents. It is used as the concurrency check in Update & Delete
  // operations.
  string etag = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Labels applied to the workload.
  map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL];

  // Input only. The parent resource for the resources managed by this Assured Workload. May
  // be either empty or a folder resource which is a child of the
  // Workload parent. If not specified all resources are created under the
  // parent organization.
  // Format:
  // folders/{folder_id}
  string provisioned_resources_parent = 13 [(google.api.field_behavior) = INPUT_ONLY];

  // Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
  // CMEK key is provisioned.
  // This field is deprecated as of Feb 28, 2022.
  // In order to create a Keyring, callers should specify
  // ENCRYPTION_KEYS_PROJECT or KEYRING in the ResourceSettings.resource_type
  // field.
  KMSSettings kms_settings = 14 [
    deprecated = true,
    (google.api.field_behavior) = INPUT_ONLY
  ];

  // Input only. Resource properties that are used to customize workload resources.
  // These properties (such as a custom project id) will be used to create
  // workload resources if possible. This field is optional.
  repeated ResourceSettings resource_settings = 15 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. Represents the KAJ enrollment state of the given workload.
  KajEnrollmentState kaj_enrollment_state = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Indicates the sovereignty status of the given workload.
  // Currently meant to be used by Europe/Canada customers.
  bool enable_sovereign_controls = 18 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Represents the SAA enrollment response of the given workload.
  // The SAA enrollment response is queried during the GetWorkload call.
  // In failure cases, a user friendly error message is shown in the SAA
  // details page.
  SaaEnrollmentResponse saa_enrollment_response = 20 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Urls for services which are compliant for this Assured Workload, but which
  // are currently disallowed by the ResourceUsageRestriction org policy.
  // Invoke the RestrictAllowedResources endpoint to allow your project
  // developers to use these services in their environment.
  repeated string compliant_but_disallowed_services = 24 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Partner (regime/controls) associated with this workload.
  Partner partner = 25 [(google.api.field_behavior) = OPTIONAL];
}

// Operation metadata to give request details of CreateWorkload.
message CreateWorkloadOperationMetadata {
  // Optional. Time when the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The display name of the workload.
  string display_name = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The parent of the workload.
  string parent = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Compliance controls that should be applied to the resources managed by
  // the workload.
  Workload.ComplianceRegime compliance_regime = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request for restricting the list of available resources in the Workload
// environment.
message RestrictAllowedResourcesRequest {
  // The type of restriction.
  enum RestrictionType {
    // Unknown restriction type.
    RESTRICTION_TYPE_UNSPECIFIED = 0;

    // Allow the use of all gcp products, irrespective of the compliance
    // posture. This effectively removes the gcp.restrictServiceUsage OrgPolicy
    // on the AssuredWorkloads Folder, i.e. it lowers the workload's
    // compliance posture; callers should treat this as a privileged change.
    ALLOW_ALL_GCP_RESOURCES = 1;

    // Based on the Workload's compliance regime, the allowed list changes.
    // See - https://cloud.google.com/assured-workloads/docs/supported-products
    // for the list of supported resources.
    ALLOW_COMPLIANT_RESOURCES = 2;
  }

  // Required. The resource name of the Workload. This is the workload's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The type of restriction for using gcp products in the Workload environment.
  RestrictionType restriction_type = 2 [(google.api.field_behavior) = REQUIRED];
}

// Response for restricting the list of allowed resources.
// Currently carries no fields.
message RestrictAllowedResourcesResponse {

}

// Request for acknowledging the violation.
// Next Id: 4
message AcknowledgeViolationRequest {
  // Required. The resource name of the Violation to acknowledge.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Business justification explaining the need for the violation
  // acknowledgement. Acknowledgement is permanent (see AcknowledgeViolation).
  string comment = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. This field is deprecated and will be removed in a future version of the API.
  // Name of the OrgPolicy which was modified with a non-compliant change and
  // resulted in this violation.
  // Format:
  // projects/{project_number}/policies/{constraint_name}
  // folders/{folder_id}/policies/{constraint_name}
  // organizations/{organization_id}/policies/{constraint_name}
  string non_compliant_org_policy = 3 [
    deprecated = true,
    (google.api.field_behavior) = OPTIONAL
  ];
}

// Response for violation acknowledgement.
// Currently carries no fields.
message AcknowledgeViolationResponse {

}

// Interval defining a time window.
message TimeWindow {
  // The start of the time window.
  google.protobuf.Timestamp start_time = 1;

  // The end of the time window.
  google.protobuf.Timestamp end_time = 2;
}

// Request for fetching violations in an organization.
message ListViolationsRequest {
  // Required. The Workload name.
  // Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
  // A '-' in place of the workload id reads across all Workloads (see
  // ListViolations).
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Violation"
    }
  ];

  // Optional. Specifies the time window for retrieving active Violations.
  // When specified, retrieves Violations that were active between start_time
  // and end_time.
  TimeWindow interval = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Page size.
  int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Page token returned from the previous request.
  string page_token = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A custom filter for filtering by the Violation's properties.
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response of the ListViolations endpoint.
message ListViolationsResponse {
  // List of Violations under a Workload.
  repeated Violation violations = 1;

  // The next page token. Empty if the last page has been reached.
  string next_page_token = 2;
}

// Request for fetching a Workload Violation.
message GetViolationRequest {
  // Required. The resource name of the Violation to fetch (i.e. Violation.name).
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Violation"
    }
  ];
}

// Workload monitoring Violation.
// NOTE(review): field numbers 9 and 10 are unused but not declared
// `reserved`; confirm their history before any reuse.
message Violation {
  option (google.api.resource) = {
    type: "assuredworkloads.googleapis.com/Violation"
    pattern: "organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}"
  };

  // Violation State Values.
  // NOTE(review): value 1 is unused and not reserved.
  enum State {
    // Unspecified state.
    STATE_UNSPECIFIED = 0;

    // Violation is resolved.
    RESOLVED = 2;

    // Violation is unresolved.
    UNRESOLVED = 3;

    // Violation is an Exception.
    EXCEPTION = 4;
  }

  // Represents remediation guidance to resolve a compliance violation for an
  // AssuredWorkload.
  message Remediation {
    // Classifying remediation into various types based on the kind of
    // violation. For example, violations caused due to changes in a boolean
    // org policy require different remediation instructions compared to a
    // violation caused due to changes in the allowed values of a list org
    // policy.
    enum RemediationType {
      // Unspecified remediation type.
      REMEDIATION_TYPE_UNSPECIFIED = 0;

      // Remediation type for a boolean org policy.
      REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1;

      // Remediation type for a list org policy which has allowed values in
      // the monitoring rule.
      REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2;

      // Remediation type for a list org policy which has denied values in
      // the monitoring rule.
      REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3;

      // Remediation type for gcp.restrictCmekCryptoKeyProjects.
      REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4;
    }

    // Instructions to remediate the violation.
    message Instructions {
      // Remediation instructions to resolve the violation via the gcloud cli.
      message Gcloud {
        // Gcloud commands to resolve the violation.
        repeated string gcloud_commands = 1;

        // Steps to resolve the violation via the gcloud cli.
        repeated string steps = 2;

        // Additional urls for more information about the steps.
        repeated string additional_links = 3;
      }

      // Remediation instructions to resolve the violation via the cloud
      // console.
      message Console {
        // Links to console pages where the violation can be resolved.
        repeated string console_uris = 1;

        // Steps to resolve the violation via the cloud console.
        repeated string steps = 2;

        // Additional urls for more information about the steps.
        repeated string additional_links = 3;
      }

      // Remediation instructions to resolve the violation via the gcloud cli.
      Gcloud gcloud_instructions = 1;

      // Remediation instructions to resolve the violation via the cloud
      // console.
      Console console_instructions = 2;
    }

    // Required. Remediation instructions to resolve violations.
    Instructions instructions = 1 [(google.api.field_behavior) = REQUIRED];

    // Values that can resolve the violation.
    // For example: for list org policy violations, this will either be the
    // list of allowed or denied values.
    repeated string compliant_values = 2;

    // Output only. Remediation type based on the type of org policy values violated.
    RemediationType remediation_type = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Output only. Immutable. Name of the Violation.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload_id}/violations/{violations_id}
  string name = 1 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Description for the Violation.
  // e.g. OrgPolicy gcp.resourceLocations has a non compliant value.
  string description = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time of the event which triggered the Violation.
  google.protobuf.Timestamp begin_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last time when the Violation record was updated.
  google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time of the event which fixed the Violation.
  // If the violation is ACTIVE this will be empty.
  google.protobuf.Timestamp resolve_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Category under which this violation is mapped.
  // e.g. Location, Service Usage, Access, Encryption, etc.
  string category = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. State of the violation.
  State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in
  // this violation.
  string org_policy_constraint = 8 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. Audit Log Link for the violated resource.
  // Format:
  // https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{timeRange}{folder}
  string audit_log_link = 11 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. Name of the OrgPolicy which was modified with a non-compliant change and
  // resulted in this violation.
  // Format:
  // projects/{project_number}/policies/{constraint_name}
  // folders/{folder_id}/policies/{constraint_name}
  // organizations/{organization_id}/policies/{constraint_name}
  string non_compliant_org_policy = 12 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Compliance violation remediation.
  Remediation remediation = 13 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A boolean that indicates if the violation is acknowledged.
  bool acknowledged = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Timestamp when this violation was last acknowledged.
  // This will be absent when the acknowledged field is false.
  optional google.protobuf.Timestamp acknowledgement_time = 15 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Immutable. Audit Log link to find the business justification provided for the
  // violation exception.
  // Format:
  // https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{protoPayload.methodName}{timeRange}{organization}
  string exception_audit_log_link = 16 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];
}