cloud/audit/audit_log.proto

*d5c09012SAndroid Build Coastguard Worker// Copyright 2022 Google LLC
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// Licensed under the Apache License, Version 2.0 (the "License");
*d5c09012SAndroid Build Coastguard Worker// you may not use this file except in compliance with the License.
*d5c09012SAndroid Build Coastguard Worker// You may obtain a copy of the License at
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker//     http://www.apache.org/licenses/LICENSE-2.0
*d5c09012SAndroid Build Coastguard Worker//
*d5c09012SAndroid Build Coastguard Worker// Unless required by applicable law or agreed to in writing, software
*d5c09012SAndroid Build Coastguard Worker// distributed under the License is distributed on an "AS IS" BASIS,
*d5c09012SAndroid Build Coastguard Worker// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*d5c09012SAndroid Build Coastguard Worker// See the License for the specific language governing permissions and
*d5c09012SAndroid Build Coastguard Worker// limitations under the License.
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workersyntax = "proto3";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workerpackage google.cloud.audit;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workerimport "google/api/field_behavior.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/protobuf/any.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/protobuf/struct.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/rpc/context/attribute_context.proto";
*d5c09012SAndroid Build Coastguard Workerimport "google/rpc/status.proto";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Workeroption cc_enable_arenas = true;
*d5c09012SAndroid Build Coastguard Workeroption go_package = "google.golang.org/genproto/googleapis/cloud/audit;audit";
*d5c09012SAndroid Build Coastguard Workeroption java_multiple_files = true;
*d5c09012SAndroid Build Coastguard Workeroption java_outer_classname = "AuditLogProto";
*d5c09012SAndroid Build Coastguard Workeroption java_package = "com.google.cloud.audit";
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Common audit log format for Google Cloud Platform API operations.
*d5c09012SAndroid Build Coastguard Workermessage AuditLog {
*d5c09012SAndroid Build Coastguard Worker  // The name of the API service performing the operation. For example,
*d5c09012SAndroid Build Coastguard Worker  // `"compute.googleapis.com"`.
*d5c09012SAndroid Build Coastguard Worker  string service_name = 7;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The name of the service method or operation.
*d5c09012SAndroid Build Coastguard Worker  // For API calls, this should be the name of the API method.
*d5c09012SAndroid Build Coastguard Worker  // For example,
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //     "google.cloud.bigquery.v2.TableService.InsertTable"
*d5c09012SAndroid Build Coastguard Worker  //     "google.logging.v2.ConfigServiceV2.CreateSink"
*d5c09012SAndroid Build Coastguard Worker  string method_name = 8;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource or collection that is the target of the operation.
*d5c09012SAndroid Build Coastguard Worker  // The name is a scheme-less URI, not including the API service name.
*d5c09012SAndroid Build Coastguard Worker  // For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //     "projects/PROJECT_ID/zones/us-central1-a/instances"
*d5c09012SAndroid Build Coastguard Worker  //     "projects/PROJECT_ID/datasets/DATASET_ID"
*d5c09012SAndroid Build Coastguard Worker  string resource_name = 11;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource location information.
*d5c09012SAndroid Build Coastguard Worker  ResourceLocation resource_location = 20;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The resource's original state before mutation. Present only for
*d5c09012SAndroid Build Coastguard Worker  // operations which have successfully modified the targeted resource(s).
*d5c09012SAndroid Build Coastguard Worker  // In general, this field should contain all changed fields, except those
*d5c09012SAndroid Build Coastguard Worker  // that are already been included in `request`, `response`, `metadata` or
*d5c09012SAndroid Build Coastguard Worker  // `service_data` fields.
*d5c09012SAndroid Build Coastguard Worker  // When the JSON object represented here has a proto equivalent,
*d5c09012SAndroid Build Coastguard Worker  // the proto name will be indicated in the `@type` property.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Struct resource_original_state = 19;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The number of items returned from a List or Query API method,
*d5c09012SAndroid Build Coastguard Worker  // if applicable.
*d5c09012SAndroid Build Coastguard Worker  int64 num_response_items = 12;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The status of the overall operation.
*d5c09012SAndroid Build Coastguard Worker  google.rpc.Status status = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Authentication information.
*d5c09012SAndroid Build Coastguard Worker  AuthenticationInfo authentication_info = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Authorization information. If there are multiple
*d5c09012SAndroid Build Coastguard Worker  // resources or permissions involved, then there is
*d5c09012SAndroid Build Coastguard Worker  // one AuthorizationInfo element for each {resource, permission} tuple.
*d5c09012SAndroid Build Coastguard Worker  repeated AuthorizationInfo authorization_info = 9;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Indicates the policy violations for this request. If the request
*d5c09012SAndroid Build Coastguard Worker  // is denied by the policy, violation information will be logged
*d5c09012SAndroid Build Coastguard Worker  // here.
*d5c09012SAndroid Build Coastguard Worker  PolicyViolationInfo policy_violation_info = 25;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Metadata about the operation.
*d5c09012SAndroid Build Coastguard Worker  RequestMetadata request_metadata = 4;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The operation request. This may not include all request parameters,
*d5c09012SAndroid Build Coastguard Worker  // such as those that are too large, privacy-sensitive, or duplicated
*d5c09012SAndroid Build Coastguard Worker  // elsewhere in the log record.
*d5c09012SAndroid Build Coastguard Worker  // It should never include user-generated data, such as file contents.
*d5c09012SAndroid Build Coastguard Worker  // When the JSON object represented here has a proto equivalent, the proto
*d5c09012SAndroid Build Coastguard Worker  // name will be indicated in the `@type` property.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Struct request = 16;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The operation response. This may not include all response elements,
*d5c09012SAndroid Build Coastguard Worker  // such as those that are too large, privacy-sensitive, or duplicated
*d5c09012SAndroid Build Coastguard Worker  // elsewhere in the log record.
*d5c09012SAndroid Build Coastguard Worker  // It should never include user-generated data, such as file contents.
*d5c09012SAndroid Build Coastguard Worker  // When the JSON object represented here has a proto equivalent, the proto
*d5c09012SAndroid Build Coastguard Worker  // name will be indicated in the `@type` property.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Struct response = 17;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Other service-specific data about the request, response, and other
*d5c09012SAndroid Build Coastguard Worker  // information associated with the current audited event.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Struct metadata = 18;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Deprecated. Use the `metadata` field instead.
*d5c09012SAndroid Build Coastguard Worker  // Other service-specific data about the request, response, and other
*d5c09012SAndroid Build Coastguard Worker  // activities.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Any service_data = 15 [deprecated = true];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Authentication information for the operation.
*d5c09012SAndroid Build Coastguard Workermessage AuthenticationInfo {
*d5c09012SAndroid Build Coastguard Worker  // The email address of the authenticated user (or service account on behalf
*d5c09012SAndroid Build Coastguard Worker  // of third party principal) making the request. For third party identity
*d5c09012SAndroid Build Coastguard Worker  // callers, the `principal_subject` field is populated instead of this field.
*d5c09012SAndroid Build Coastguard Worker  // For privacy reasons, the principal email address is sometimes redacted.
*d5c09012SAndroid Build Coastguard Worker  // For more information, see [Caller identities in audit
*d5c09012SAndroid Build Coastguard Worker  // logs](https://cloud.google.com/logging/docs/audit#user-id).
*d5c09012SAndroid Build Coastguard Worker  string principal_email = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The authority selector specified by the requestor, if any.
*d5c09012SAndroid Build Coastguard Worker  // It is not guaranteed that the principal was allowed to use this authority.
*d5c09012SAndroid Build Coastguard Worker  string authority_selector = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The third party identification (if any) of the authenticated user making
*d5c09012SAndroid Build Coastguard Worker  // the request.
*d5c09012SAndroid Build Coastguard Worker  // When the JSON object represented here has a proto equivalent, the proto
*d5c09012SAndroid Build Coastguard Worker  // name will be indicated in the `@type` property.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Struct third_party_principal = 4;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The name of the service account key used to create or exchange
*d5c09012SAndroid Build Coastguard Worker  // credentials for authenticating the service account making the request.
*d5c09012SAndroid Build Coastguard Worker  // This is a scheme-less URI full resource name. For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"
*d5c09012SAndroid Build Coastguard Worker  string service_account_key_name = 5;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Identity delegation history of an authenticated service account that makes
*d5c09012SAndroid Build Coastguard Worker  // the request. It contains information on the real authorities that try to
*d5c09012SAndroid Build Coastguard Worker  // access GCP resources by delegating on a service account. When multiple
*d5c09012SAndroid Build Coastguard Worker  // authorities present, they are guaranteed to be sorted based on the original
*d5c09012SAndroid Build Coastguard Worker  // ordering of the identity delegation events.
*d5c09012SAndroid Build Coastguard Worker  repeated ServiceAccountDelegationInfo service_account_delegation_info = 6;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // String representation of identity of requesting party.
*d5c09012SAndroid Build Coastguard Worker  // Populated for both first and third party identities.
*d5c09012SAndroid Build Coastguard Worker  string principal_subject = 8;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Authorization information for the operation.
*d5c09012SAndroid Build Coastguard Workermessage AuthorizationInfo {
*d5c09012SAndroid Build Coastguard Worker  // The resource being accessed, as a REST-style or cloud resource string.
*d5c09012SAndroid Build Coastguard Worker  // For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //     bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID
*d5c09012SAndroid Build Coastguard Worker  // or
*d5c09012SAndroid Build Coastguard Worker  //     projects/PROJECTID/datasets/DATASETID
*d5c09012SAndroid Build Coastguard Worker  string resource = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The required IAM permission.
*d5c09012SAndroid Build Coastguard Worker  string permission = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Whether or not authorization for `resource` and `permission`
*d5c09012SAndroid Build Coastguard Worker  // was granted.
*d5c09012SAndroid Build Coastguard Worker  bool granted = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Resource attributes used in IAM condition evaluation. This field contains
*d5c09012SAndroid Build Coastguard Worker  // resource attributes like resource type and resource name.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // To get the whole view of the attributes used in IAM
*d5c09012SAndroid Build Coastguard Worker  // condition evaluation, the user must also look into
*d5c09012SAndroid Build Coastguard Worker  // `AuditLog.request_metadata.request_attributes`.
*d5c09012SAndroid Build Coastguard Worker  google.rpc.context.AttributeContext.Resource resource_attributes = 5;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Metadata about the request.
*d5c09012SAndroid Build Coastguard Workermessage RequestMetadata {
*d5c09012SAndroid Build Coastguard Worker  // The IP address of the caller.
*d5c09012SAndroid Build Coastguard Worker  // For a caller from the internet, this will be the public IPv4 or IPv6
*d5c09012SAndroid Build Coastguard Worker  // address. For calls made from inside Google's internal production network
*d5c09012SAndroid Build Coastguard Worker  // from one GCP service to another, `caller_ip` will be redacted to "private".
*d5c09012SAndroid Build Coastguard Worker  // For a caller from a Compute Engine VM with a external IP address,
*d5c09012SAndroid Build Coastguard Worker  // `caller_ip` will be the VM's external IP address. For a caller from a
*d5c09012SAndroid Build Coastguard Worker  // Compute Engine VM without a external IP address, if the VM is in the same
*d5c09012SAndroid Build Coastguard Worker  // organization (or project) as the accessed resource, `caller_ip` will be the
*d5c09012SAndroid Build Coastguard Worker  // VM's internal IPv4 address, otherwise `caller_ip` will be redacted to
*d5c09012SAndroid Build Coastguard Worker  // "gce-internal-ip". See https://cloud.google.com/compute/docs/vpc/ for more
*d5c09012SAndroid Build Coastguard Worker  // information.
*d5c09012SAndroid Build Coastguard Worker  string caller_ip = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The user agent of the caller.
*d5c09012SAndroid Build Coastguard Worker  // This information is not authenticated and should be treated accordingly.
*d5c09012SAndroid Build Coastguard Worker  // For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // +   `google-api-python-client/1.4.0`:
*d5c09012SAndroid Build Coastguard Worker  //     The request was made by the Google API client for Python.
*d5c09012SAndroid Build Coastguard Worker  // +   `Cloud SDK Command Line Tool apitools-client/1.0 gcloud/0.9.62`:
*d5c09012SAndroid Build Coastguard Worker  //     The request was made by the Google Cloud SDK CLI (gcloud).
*d5c09012SAndroid Build Coastguard Worker  // +   `AppEngine-Google; (+http://code.google.com/appengine; appid:
*d5c09012SAndroid Build Coastguard Worker  // s~my-project`:
*d5c09012SAndroid Build Coastguard Worker  //     The request was made from the `my-project` App Engine app.
*d5c09012SAndroid Build Coastguard Worker  string caller_supplied_user_agent = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The network of the caller.
*d5c09012SAndroid Build Coastguard Worker  // Set only if the network host project is part of the same GCP organization
*d5c09012SAndroid Build Coastguard Worker  // (or project) as the accessed resource.
*d5c09012SAndroid Build Coastguard Worker  // See https://cloud.google.com/compute/docs/vpc/ for more information.
*d5c09012SAndroid Build Coastguard Worker  // This is a scheme-less URI full resource name. For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //     "//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"
*d5c09012SAndroid Build Coastguard Worker  string caller_network = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Request attributes used in IAM condition evaluation. This field contains
*d5c09012SAndroid Build Coastguard Worker  // request attributes like request time and access levels associated with
*d5c09012SAndroid Build Coastguard Worker  // the request.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // To get the whole view of the attributes used in IAM
*d5c09012SAndroid Build Coastguard Worker  // condition evaluation, the user must also look into
*d5c09012SAndroid Build Coastguard Worker  // `AuditLog.authentication_info.resource_attributes`.
*d5c09012SAndroid Build Coastguard Worker  google.rpc.context.AttributeContext.Request request_attributes = 7;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The destination of a network activity, such as accepting a TCP connection.
*d5c09012SAndroid Build Coastguard Worker  // In a multi hop network activity, the destination represents the receiver of
*d5c09012SAndroid Build Coastguard Worker  // the last hop. Only two fields are used in this message, Peer.port and
*d5c09012SAndroid Build Coastguard Worker  // Peer.ip. These fields are optionally populated by those services utilizing
*d5c09012SAndroid Build Coastguard Worker  // the IAM condition feature.
*d5c09012SAndroid Build Coastguard Worker  google.rpc.context.AttributeContext.Peer destination_attributes = 8;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Location information about a resource.
*d5c09012SAndroid Build Coastguard Workermessage ResourceLocation {
*d5c09012SAndroid Build Coastguard Worker  // The locations of a resource after the execution of the operation.
*d5c09012SAndroid Build Coastguard Worker  // Requests to create or delete a location based resource must populate
*d5c09012SAndroid Build Coastguard Worker  // the 'current_locations' field and not the 'original_locations' field.
*d5c09012SAndroid Build Coastguard Worker  // For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //     "europe-west1-a"
*d5c09012SAndroid Build Coastguard Worker  //     "us-east1"
*d5c09012SAndroid Build Coastguard Worker  //     "nam3"
*d5c09012SAndroid Build Coastguard Worker  repeated string current_locations = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // The locations of a resource prior to the execution of the operation.
*d5c09012SAndroid Build Coastguard Worker  // Requests that mutate the resource's location must populate both the
*d5c09012SAndroid Build Coastguard Worker  // 'original_locations' as well as the 'current_locations' fields.
*d5c09012SAndroid Build Coastguard Worker  // For example:
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  //     "europe-west1-a"
*d5c09012SAndroid Build Coastguard Worker  //     "us-east1"
*d5c09012SAndroid Build Coastguard Worker  //     "nam3"
*d5c09012SAndroid Build Coastguard Worker  repeated string original_locations = 2;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Identity delegation history of an authenticated service account.
*d5c09012SAndroid Build Coastguard Workermessage ServiceAccountDelegationInfo {
*d5c09012SAndroid Build Coastguard Worker  // First party identity principal.
*d5c09012SAndroid Build Coastguard Worker  message FirstPartyPrincipal {
*d5c09012SAndroid Build Coastguard Worker    // The email address of a Google account.
*d5c09012SAndroid Build Coastguard Worker    string principal_email = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Metadata about the service that uses the service account.
*d5c09012SAndroid Build Coastguard Worker    google.protobuf.Struct service_metadata = 2;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Third party identity principal.
*d5c09012SAndroid Build Coastguard Worker  message ThirdPartyPrincipal {
*d5c09012SAndroid Build Coastguard Worker    // Metadata about third party identity.
*d5c09012SAndroid Build Coastguard Worker    google.protobuf.Struct third_party_claims = 1;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // A string representing the principal_subject associated with the identity.
*d5c09012SAndroid Build Coastguard Worker  // For most identities, the format will be
*d5c09012SAndroid Build Coastguard Worker  // `principal://iam.googleapis.com/{identity pool name}/subject/{subject)`
*d5c09012SAndroid Build Coastguard Worker  // except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD)
*d5c09012SAndroid Build Coastguard Worker  // that are still in the legacy format `serviceAccount:{identity pool
*d5c09012SAndroid Build Coastguard Worker  // name}[{subject}]`
*d5c09012SAndroid Build Coastguard Worker  string principal_subject = 3;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Entity that creates credentials for service account and assumes its
*d5c09012SAndroid Build Coastguard Worker  // identity for authentication.
*d5c09012SAndroid Build Coastguard Worker  oneof Authority {
*d5c09012SAndroid Build Coastguard Worker    // First party (Google) identity as the real authority.
*d5c09012SAndroid Build Coastguard Worker    FirstPartyPrincipal first_party_principal = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Third party identity as the real authority.
*d5c09012SAndroid Build Coastguard Worker    ThirdPartyPrincipal third_party_principal = 2;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Information related to policy violations for this request.
*d5c09012SAndroid Build Coastguard Workermessage PolicyViolationInfo {
*d5c09012SAndroid Build Coastguard Worker  // Indicates the orgpolicy violations for this resource.
*d5c09012SAndroid Build Coastguard Worker  OrgPolicyViolationInfo org_policy_violation_info = 1;
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Represents OrgPolicy Violation information.
*d5c09012SAndroid Build Coastguard Workermessage OrgPolicyViolationInfo {
*d5c09012SAndroid Build Coastguard Worker  // Optional. Resource payload that is currently in scope and is subjected to orgpolicy
*d5c09012SAndroid Build Coastguard Worker  // conditions. This payload may be the subset of the actual Resource that may
*d5c09012SAndroid Build Coastguard Worker  // come in the request. This payload should not contain any core content.
*d5c09012SAndroid Build Coastguard Worker  google.protobuf.Struct payload = 1 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Resource type that the orgpolicy is checked against.
*d5c09012SAndroid Build Coastguard Worker  // Example: compute.googleapis.com/Instance, store.googleapis.com/bucket
*d5c09012SAndroid Build Coastguard Worker  string resource_type = 2 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Tags referenced on the resource at the time of evaluation. These also
*d5c09012SAndroid Build Coastguard Worker  // include the federated tags, if they are supplied in the CheckOrgPolicy
*d5c09012SAndroid Build Coastguard Worker  // or CheckCustomConstraints Requests.
*d5c09012SAndroid Build Coastguard Worker  //
*d5c09012SAndroid Build Coastguard Worker  // Optional field as of now. These tags are the Cloud tags that are
*d5c09012SAndroid Build Coastguard Worker  // available on the resource during the policy evaluation and will
*d5c09012SAndroid Build Coastguard Worker  // be available as part of the OrgPolicy check response for logging purposes.
*d5c09012SAndroid Build Coastguard Worker  map<string, string> resource_tags = 3 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Policy violations
*d5c09012SAndroid Build Coastguard Worker  repeated ViolationInfo violation_info = 4 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker}
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker// Provides information about the Policy violation info for this request.
*d5c09012SAndroid Build Coastguard Workermessage ViolationInfo {
*d5c09012SAndroid Build Coastguard Worker  // Policy Type enum
*d5c09012SAndroid Build Coastguard Worker  enum PolicyType {
*d5c09012SAndroid Build Coastguard Worker    // Default value. This value should not be used.
*d5c09012SAndroid Build Coastguard Worker    POLICY_TYPE_UNSPECIFIED = 0;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Indicates boolean policy constraint
*d5c09012SAndroid Build Coastguard Worker    BOOLEAN_CONSTRAINT = 1;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Indicates list policy constraint
*d5c09012SAndroid Build Coastguard Worker    LIST_CONSTRAINT = 2;
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker    // Indicates custom policy constraint
*d5c09012SAndroid Build Coastguard Worker    CUSTOM_CONSTRAINT = 3;
*d5c09012SAndroid Build Coastguard Worker  }
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Constraint name
*d5c09012SAndroid Build Coastguard Worker  string constraint = 1 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Error message that policy is indicating.
*d5c09012SAndroid Build Coastguard Worker  string error_message = 2 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Value that is being checked for the policy.
*d5c09012SAndroid Build Coastguard Worker  // This could be in encrypted form (if pii sensitive).
*d5c09012SAndroid Build Coastguard Worker  // This field will only be emitted in LIST_POLICY types
*d5c09012SAndroid Build Coastguard Worker  string checked_value = 3 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker
*d5c09012SAndroid Build Coastguard Worker  // Optional. Indicates the type of the policy.
*d5c09012SAndroid Build Coastguard Worker  PolicyType policy_type = 4 [(google.api.field_behavior) = OPTIONAL];
*d5c09012SAndroid Build Coastguard Worker}