1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
syntax = "proto3";

package google.cloud.cloudcontrolspartner.v1;

// Only google/* dependencies are imported: field-behavior and resource
// annotations, the Timestamp well-known type, and google.type.Interval (used
// by ListViolationsRequest below).
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";
import "google/type/interval.proto";

// Per-language packaging options. These fix the generated namespaces/packages
// for a published API, so they are part of the compatibility surface: changing
// any of them breaks existing consumers of the generated code.
option csharp_namespace = "Google.Cloud.CloudControlsPartner.V1";
option go_package = "cloud.google.com/go/cloudcontrolspartner/apiv1/cloudcontrolspartnerpb;cloudcontrolspartnerpb";
option java_multiple_files = true;
option java_outer_classname = "ViolationsProto";
option java_package = "com.google.cloud.cloudcontrolspartner.v1";
option php_namespace = "Google\\Cloud\\CloudControlsPartner\\V1";
option ruby_package = "Google::Cloud::CloudControlsPartner::V1";
31
32// Details of resource Violation
// Details of resource Violation.
//
// A compliance violation recorded against a workload, together with the
// remediation guidance the service attaches to it. Apart from `name`
// (IDENTIFIER) and `folder_id` (unannotated), every field is OUTPUT_ONLY:
// clients read these records, they do not author them.
message Violation {
  option (google.api.resource) = {
    type: "cloudcontrolspartner.googleapis.com/Violation"
    pattern: "organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}/violations/{violation}"
    plural: "violations"
    singular: "violation"
  };

  // Represents remediation guidance to resolve compliance violation for
  // AssuredWorkload
  message Remediation {
    // Instructions to remediate violation.
    //
    // NOTE(review): everything in here is server-supplied free text intended
    // for an operator to read. Clients should display it, not act on it
    // automatically: `gcloud_commands` should not be piped into a shell
    // without a human reviewing them, and `console_uris` / `additional_links`
    // should be validated (scheme, host) before being rendered as clickable
    // links.
    message Instructions {
      // Remediation instructions to resolve violation via gcloud cli
      message Gcloud {
        // Gcloud command(s) to resolve violation. Display text only; see the
        // note on `Instructions`.
        repeated string gcloud_commands = 1;

        // Steps to resolve violation via gcloud cli
        repeated string steps = 2;

        // Additional urls for more information about steps
        repeated string additional_links = 3;
      }

      // Remediation instructions to resolve violation via cloud console
      message Console {
        // Link(s) to console page where violations can be resolved
        repeated string console_uris = 1;

        // Steps to resolve violation via cloud console
        repeated string steps = 2;

        // Additional urls for more information about steps
        repeated string additional_links = 3;
      }

      // Remediation instructions to resolve violation via gcloud cli
      Gcloud gcloud_instructions = 1;

      // Remediation instructions to resolve violation via cloud console
      Console console_instructions = 2;
    }

    // Classifying remediation into various types based on the kind of
    // violation. For example, violations caused due to changes in boolean org
    // policy requires different remediation instructions compared to violation
    // caused due to changes in allowed values of list org policy.
    //
    // Receivers should tolerate values not listed here; proto3 preserves
    // unknown enum values as integers and new types may be added.
    enum RemediationType {
      // Unspecified remediation type
      REMEDIATION_TYPE_UNSPECIFIED = 0;

      // Remediation type for boolean org policy
      REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1;

      // Remediation type for list org policy which have allowed values in the
      // monitoring rule
      REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2;

      // Remediation type for list org policy which have denied values in the
      // monitoring rule
      REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3;

      // Remediation type for gcp.restrictCmekCryptoKeyProjects
      REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4;

      // Remediation type for resource violation.
      REMEDIATION_RESOURCE_VIOLATION = 5;
    }

    // Required. Remediation instructions to resolve violations.
    // NOTE(review): `remediation` on Violation is OUTPUT_ONLY, so REQUIRED
    // here can only mean the service always populates it; confirm.
    Instructions instructions = 1 [(google.api.field_behavior) = REQUIRED];

    // Values that can resolve the violation
    // For example: for list org policy violations, this will either be the list
    // of allowed or denied values
    repeated string compliant_values = 2;

    // Output only. Remediation type based on the type of org policy values
    // violated
    RemediationType remediation_type = 3
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Violation State Values.
  // Values are not prefixed with the enum name; they cannot be renamed on a
  // published API, so callers must avoid colliding names in this scope.
  enum State {
    // Unspecified state.
    STATE_UNSPECIFIED = 0;

    // Violation is resolved.
    RESOLVED = 1;

    // Violation is Unresolved
    UNRESOLVED = 2;

    // Violation is Exception
    EXCEPTION = 3;
  }

  // Identifier. Format:
  // `organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}/violations/{violation}`
  string name = 1 [(google.api.field_behavior) = IDENTIFIER];

  // Output only. Description for the Violation.
  // e.g. OrgPolicy gcp.resourceLocations has non compliant value.
  string description = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time of the event which triggered the Violation.
  google.protobuf.Timestamp begin_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last time when the Violation record was updated.
  google.protobuf.Timestamp update_time = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time of the event which fixed the Violation.
  // If the violation is not yet resolved this will be empty.
  // NOTE(review): the original comment said "ACTIVE", which is not a value of
  // `State`; presumably this means `UNRESOLVED` — confirm.
  google.protobuf.Timestamp resolve_time = 5
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Category under which this violation is mapped.
  // e.g. Location, Service Usage, Access, Encryption, etc.
  string category = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. State of the violation
  State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Immutable. Name of the OrgPolicy which was modified with
  // non-compliant change and resulted this violation. Format:
  //  `projects/{project_number}/policies/{constraint_name}`
  //  `folders/{folder_id}/policies/{constraint_name}`
  //  `organizations/{organization_id}/policies/{constraint_name}`
  string non_compliant_org_policy = 8 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // The folder_id of the violation.
  // NOTE(review): this is the only field without a field_behavior annotation;
  // presumably it is output-only like its siblings — confirm.
  int64 folder_id = 9;

  // Output only. Compliance violation remediation.
  // Field number 13 follows 9; numbers 10-12 are not declared here and are
  // not marked `reserved`.
  Remediation remediation = 13 [(google.api.field_behavior) = OUTPUT_ONLY];
}
176
177// Message for requesting list of Violations
// Message for requesting list of Violations
message ListViolationsRequest {
  // Required. Parent resource
  // Format
  // `organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "cloudcontrolspartner.googleapis.com/Violation"
    }
  ];

  // Optional. The maximum number of violations to return. The service may
  // return fewer than this value. If unspecified, at most 10 violations will
  // be returned.
  // NOTE(review): the original comment said "customers", apparently copied
  // from a ListCustomers request; confirm the default of 10 applies here.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A page token, received from a previous `ListViolations` call.
  // Provide this to retrieve the subsequent page.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Filtering results.
  // Free-form string; the accepted filter syntax is not specified in this
  // file, so validation of it happens server-side.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Hint for how to order the results.
  // Free-form string, as with `filter`.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies the interval for retrieving violations.
  // if unspecified, all violations will be returned.
  google.type.Interval interval = 6 [(google.api.field_behavior) = OPTIONAL];
}
208
209// Response message for list customer violation requests
// Response message for list customer violation requests
message ListViolationsResponse {
  // List of violation
  repeated Violation violations = 1;

  // A token that can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;

  // Workloads that could not be reached due to permission errors or any other
  // error. Ref: https://google.aip.dev/217
  //
  // NOTE(review): when this is non-empty the listing is partial. Callers that
  // use the response for compliance reporting should surface these entries
  // rather than treat an empty `violations` list as "no violations".
  repeated string unreachable = 3;
}
222
223// Message for getting a Violation
// Message for getting a Violation
message GetViolationRequest {
  // Required. Format:
  // `organizations/{organization}/locations/{location}/customers/{customer}/workloads/{workload}/violations/{violation}`
  // The resource_reference ties this to the `Violation` resource type declared
  // above.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudcontrolspartner.googleapis.com/Violation"
    }
  ];
}
234