// Copyright 2019 Google LLC.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

syntax = "proto3";

package google.cloud.managedidentities.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/managedidentities/v1/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.ManagedIdentities.V1";
option go_package = "cloud.google.com/go/managedidentities/apiv1/managedidentitiespb;managedidentitiespb";
option java_multiple_files = true;
option java_outer_classname = "ManagedIdentitiesServiceProto";
option java_package = "com.google.cloud.managedidentities.v1";
option objc_class_prefix = "GCMI";
option php_namespace = "Google\\Cloud\\ManagedIdentities\\V1";
option ruby_package = "Google::Cloud::ManagedIdentities::V1";

// API Overview
//
// The `managedidentities.googleapis.com` service implements the Google Cloud
// Managed Identities API for identity services
// (e.g. Microsoft Active Directory).
//
// The Managed Identities service provides methods to manage
// (create/read/update/delete) domains, reset the managed identities admin
// password, add/remove domain controllers in GCP regions and add/remove VPC
// peering.
//
// Every mutating method except `ResetAdminPassword` returns a
// `google.longrunning.Operation` whose metadata is an
// [OpMetadata][google.cloud.managedidentities.v1.OpMetadata]; callers poll the
// operation for the final `Domain` (or `google.protobuf.Empty` for deletes).
//
// Data Model
//
// The Managed Identities service exposes the following resources:
//
// * Locations as global, named as follows:
//   `projects/{project_id}/locations/global`.
//
// * Domains, named as follows:
//   `projects/{project_id}/locations/global/domains/{domain_name}`.
//
// The `{domain_name}` refers to the fully qualified domain name in the
// customer project e.g. mydomain.myorganization.com, with the following
// restrictions:
//
// * Must contain only lowercase letters, numbers, periods and hyphens.
// * Must start with a letter.
// * Must contain between 2-64 characters.
// * Must end with a number or a letter.
// * Must not start with period.
// * First segment length (mydomain from example above) shouldn't exceed
//   15 chars.
// * The last segment cannot be fully numeric.
// * Must be unique within the customer project.
service ManagedIdentitiesService {
  option (google.api.default_host) = "managedidentities.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Creates a Microsoft AD domain.
  //
  // The `domain_name` in the request must satisfy the restrictions listed in
  // the service description above; the domain itself is supplied as the
  // request body (`domain`).
  rpc CreateMicrosoftAdDomain(CreateMicrosoftAdDomainRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/global}/domains"
      body: "domain"
    };
    option (google.api.method_signature) = "parent,domain_name,domain";
    option (google.longrunning.operation_info) = {
      response_type: "Domain"
      metadata_type: "OpMetadata"
    };
  }

  // Resets a domain's administrator password.
  //
  // This is the one mutating method that completes synchronously. The newly
  // generated password is returned only in
  // [ResetAdminPasswordResponse.password][google.cloud.managedidentities.v1.ResetAdminPasswordResponse.password];
  // treat that response as a credential (see the field's documentation).
  rpc ResetAdminPassword(ResetAdminPasswordRequest) returns (ResetAdminPasswordResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/global/domains/*}:resetAdminPassword"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists domains in a project.
  //
  // Paginated: pass `page_size`/`page_token` in the request and follow
  // `next_page_token` in the response until it is empty.
  rpc ListDomains(ListDomainsRequest) returns (ListDomainsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/global}/domains"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets information about a domain.
  rpc GetDomain(GetDomainRequest) returns (Domain) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/global/domains/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Updates the metadata and configuration of a domain.
  //
  // Only the fields named in `update_mask` are changed; see
  // [UpdateDomainRequest][google.cloud.managedidentities.v1.UpdateDomainRequest]
  // for the supported paths.
  rpc UpdateDomain(UpdateDomainRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{domain.name=projects/*/locations/global/domains/*}"
      body: "domain"
    };
    option (google.api.method_signature) = "domain,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "Domain"
      metadata_type: "OpMetadata"
    };
  }

  // Deletes a domain.
  //
  // The operation's response is `google.protobuf.Empty`; there is no
  // `Domain` to return once it has been removed.
  rpc DeleteDomain(DeleteDomainRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/global/domains/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OpMetadata"
    };
  }

  // Adds an AD trust to a domain.
  rpc AttachTrust(AttachTrustRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/global/domains/*}:attachTrust"
      body: "*"
    };
    option (google.api.method_signature) = "name,trust";
    option (google.longrunning.operation_info) = {
      response_type: "Domain"
      metadata_type: "OpMetadata"
    };
  }

  // Updates the DNS conditional forwarder.
  //
  // Replaces the DNS server addresses used to resolve the trusted target
  // domain named in the request.
  rpc ReconfigureTrust(ReconfigureTrustRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/global/domains/*}:reconfigureTrust"
      body: "*"
    };
    option (google.api.method_signature) = "name,target_domain_name,target_dns_ip_addresses";
    option (google.longrunning.operation_info) = {
      response_type: "Domain"
      metadata_type: "OpMetadata"
    };
  }

  // Removes an AD trust.
  rpc DetachTrust(DetachTrustRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/global/domains/*}:detachTrust"
      body: "*"
    };
    option (google.api.method_signature) = "name,trust";
    option (google.longrunning.operation_info) = {
      response_type: "Domain"
      metadata_type: "OpMetadata"
    };
  }

  // Validates a trust state, that the target domain is reachable, and that the
  // target domain is able to accept incoming trust requests.
  rpc ValidateTrust(ValidateTrustRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/global/domains/*}:validateTrust"
      body: "*"
    };
    option (google.api.method_signature) = "name,trust";
    option (google.longrunning.operation_info) = {
      response_type: "Domain"
      metadata_type: "OpMetadata"
    };
  }
}

// Represents the metadata of the long-running operation.
//
// Every `Operation` returned by this service carries an `OpMetadata` as its
// metadata (see the `operation_info` options on the RPCs above). All fields
// are populated by the server.
message OpMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time the operation finished running.
  google.protobuf.Timestamp end_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Server-defined resource path for the target of the operation.
  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Name of the verb executed by the operation.
  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Identifies whether the user has requested cancellation
  // of the operation. Operations that have successfully been cancelled
  // have [Operation.error][] value with a [google.rpc.Status.code][google.rpc.Status.code] of 1,
  // corresponding to `Code.CANCELLED`.
  bool requested_cancellation = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. API version used to start the operation.
  string api_version = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for
// [CreateMicrosoftAdDomain][google.cloud.managedidentities.v1.CreateMicrosoftAdDomain]
message CreateMicrosoftAdDomainRequest {
  // Required. The resource project name and location using the form:
  // `projects/{project_id}/locations/global`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "managedidentities.googleapis.com/Domain"
    }
  ];

  // Required. The fully qualified domain name.
  // e.g. mydomain.myorganization.com, with the following restrictions:
  //
  // * Must contain only lowercase letters, numbers, periods and hyphens.
  // * Must start with a letter.
  // * Must contain between 2-64 characters.
  // * Must end with a number or a letter.
  // * Must not start with period.
  // * First segment length (mydomain from example above) shouldn't exceed
  //   15 chars.
  // * The last segment cannot be fully numeric.
  // * Must be unique within the customer project.
  string domain_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A Managed Identity domain resource.
  Domain domain = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [ResetAdminPassword][google.cloud.managedidentities.v1.ResetAdminPassword]
message ResetAdminPasswordRequest {
  // Required. The domain resource name using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];
}

// Response message for
// [ResetAdminPassword][google.cloud.managedidentities.v1.ResetAdminPassword]
//
// This message carries a live credential. Clients and any intermediaries
// (proxies, logging, tracing) should treat the whole response as secret.
message ResetAdminPasswordResponse {
  // A random password. See [admin][google.cloud.managedidentities.v1.Domain.admin] for more information.
  //
  // This is the new administrator password for the domain and is returned
  // only here: do not log it, cache it, or persist it outside a secret store.
  string password = 1;
}

// Request message for
// [ListDomains][google.cloud.managedidentities.v1.ListDomains]
message ListDomainsRequest {
  // Required. The resource name of the domain location using the form:
  // `projects/{project_id}/locations/global`
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "managedidentities.googleapis.com/Domain"
    }
  ];

  // Optional. The maximum number of items to return.
  // If not specified, a default value of 1000 will be used.
  // Regardless of the page_size value, the response may include a partial list.
  // Callers should rely on a response's
  // [next_page_token][google.cloud.managedidentities.v1.ListDomainsResponse.next_page_token]
  // to determine if there are additional results to list.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The `next_page_token` value returned from a previous ListDomainsRequest
  // request, if any.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A filter specifying constraints of a list operation.
  // For example, `Domain.fqdn="mydomain.myorganization"`.
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Specifies the ordering of results. See
  // [Sorting
  // order](https://cloud.google.com/apis/design/design_patterns#sorting_order)
  // for more information.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [ListDomains][google.cloud.managedidentities.v1.ListDomains]
message ListDomainsResponse {
  // A list of Managed Identities Service domains in the project.
  repeated Domain domains = 1;

  // A token to retrieve the next page of results, or empty if there are no more
  // results in the list.
  string next_page_token = 2;

  // A list of locations that could not be reached.
  //
  // A non-empty value means `domains` may be incomplete; callers that need an
  // exhaustive view should surface this rather than silently treat the
  // page as complete.
  repeated string unreachable = 3;
}

// Request message for [GetDomain][google.cloud.managedidentities.v1.GetDomain]
message GetDomainRequest {
  // Required. The domain resource name using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];
}

// Request message for
// [UpdateDomain][google.cloud.managedidentities.v1.UpdateDomain]
message UpdateDomainRequest {
  // Required. Mask of fields to update. At least one path must be supplied in this
  // field. The elements of the repeated paths field may only include
  // fields from [Domain][google.cloud.managedidentities.v1.Domain]:
  // * `labels`
  // * `locations`
  // * `authorized_networks`
  google.protobuf.FieldMask update_mask = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Domain message with updated fields. Only supported fields specified in
  // update_mask are updated.
  //
  // `domain.name` identifies the resource to update (it is bound to the HTTP
  // path of `UpdateDomain`).
  Domain domain = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [DeleteDomain][google.cloud.managedidentities.v1.DeleteDomain]
message DeleteDomainRequest {
  // Required. The domain resource name using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];
}

// Request message for
// [AttachTrust][google.cloud.managedidentities.v1.AttachTrust]
message AttachTrustRequest {
  // Required. The resource domain name, project name and location using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];

  // Required. The domain trust resource.
  Trust trust = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [ReconfigureTrust][google.cloud.managedidentities.v1.ReconfigureTrust]
message ReconfigureTrustRequest {
  // Required. The resource domain name, project name and location using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];

  // Required. The fully-qualified target domain name which will be in trust with current
  // domain.
  string target_domain_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The target DNS server IP addresses to resolve the remote domain involved
  // in the trust.
  //
  // NOTE(review): the accepted address format (IPv4 only vs. IPv6, literal
  // only vs. hostname) is not stated in this file — confirm against the
  // `Trust` definition in resource.proto before validating client-side.
  repeated string target_dns_ip_addresses = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [DetachTrust][google.cloud.managedidentities.v1.DetachTrust]
message DetachTrustRequest {
  // Required. The resource domain name, project name, and location using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];

  // Required. The domain trust resource to be removed.
  Trust trust = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for
// [ValidateTrust][google.cloud.managedidentities.v1.ValidateTrust]
message ValidateTrustRequest {
  // Required. The resource domain name, project name, and location using the form:
  // `projects/{project_id}/locations/global/domains/{domain_name}`
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "managedidentities.googleapis.com/Domain"
    }
  ];

  // Required. The domain trust to validate trust state for.
  Trust trust = 2 [(google.api.field_behavior) = REQUIRED];
}