1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.orgpolicy.v2;
18
19import "google/api/field_behavior.proto";
20import "google/api/resource.proto";
21import "google/protobuf/timestamp.proto";
22
// Per-language package/namespace options for the generated client code.
// These are part of the published API surface: changing any of them is
// source-breaking for existing clients, even though it has no effect on the
// wire format.
option csharp_namespace = "Google.Cloud.OrgPolicy.V2";
option go_package = "cloud.google.com/go/orgpolicy/apiv2/orgpolicypb;orgpolicypb";
option java_multiple_files = true;
option java_outer_classname = "ConstraintProto";
option java_package = "com.google.cloud.orgpolicy.v2";
option php_namespace = "Google\\Cloud\\OrgPolicy\\V2";
option ruby_package = "Google::Cloud::OrgPolicy::V2";
30
31// A constraint describes a way to restrict resource's configuration. For
32// example, you could enforce a constraint that controls which Google Cloud
33// services can be activated across an organization, or whether a Compute Engine
34// instance can have serial port connections established. Constraints can be
35// configured by the organization policy administrator to fit the needs of the
36// organization by setting a policy that includes constraints at different
37// locations in the organization's resource hierarchy. Policies are inherited
38// down the resource hierarchy from higher levels, but can also be overridden.
// For details about the inheritance rules please read about
// [`policies`][google.cloud.orgpolicy.v2.Policy] (the package is
// `google.cloud.orgpolicy.v2`; the earlier `google.cloud.OrgPolicy.v2`
// spelling did not resolve as a cross-reference).
41//
42// Constraints have a default behavior determined by the `constraint_default`
43// field, which is the enforcement behavior that is used in the absence of a
44// policy being defined or inherited for the resource in question.
message Constraint {
  // A constraint is addressable from any level of the resource hierarchy
  // (project, folder or organization); the resource name decides which level
  // a caller is reading it at.
  option (google.api.resource) = {
    type: "orgpolicy.googleapis.com/Constraint"
    pattern: "projects/{project}/constraints/{constraint}"
    pattern: "folders/{folder}/constraints/{constraint}"
    pattern: "organizations/{organization}/constraints/{constraint}"
  };

  // Specifies the default behavior in the absence of any policy for the
  // constraint. This must not be `CONSTRAINT_DEFAULT_UNSPECIFIED`.
  //
  // Immutable after creation.
  //
  // NOTE(review): proto3 enums have implicit presence, so a `Constraint`
  // whose `constraint_default` was never set deserializes with value 0
  // (`CONSTRAINT_DEFAULT_UNSPECIFIED`). Code that evaluates a constraint
  // should treat that value as an error rather than falling through to the
  // `ALLOW` branch, so that an incomplete or corrupted constraint fails
  // closed instead of open.
  enum ConstraintDefault {
    // This is only used for distinguishing unset values and should never be
    // used.
    CONSTRAINT_DEFAULT_UNSPECIFIED = 0;

    // Indicate that all values are allowed for list constraints.
    // Indicate that enforcement is off for boolean constraints.
    // In both cases this is the permissive default: nothing is restricted
    // until a policy for the constraint is set or inherited.
    ALLOW = 1;

    // Indicate that all values are denied for list constraints.
    // Indicate that enforcement is on for boolean constraints.
    // This is the restrictive default: the constraint is in effect even
    // where no policy has been set or inherited.
    DENY = 2;
  }

  // A constraint that allows or disallows a list of string values, which are
  // configured by an Organization Policy administrator with a policy.
  //
  // The two flags below describe which value prefixes the constraint accepts
  // in a policy; they do not themselves restrict anything.
  message ListConstraint {
    // Indicates whether values grouped into categories can be used in
    // `Policy.allowed_values` and `Policy.denied_values`. For example,
    // `"in:Python"` would match any value in the 'Python' group.
    bool supports_in = 1;

    // Indicates whether subtrees of the Resource Manager resource hierarchy
    // can be used in `Policy.allowed_values` and `Policy.denied_values`. For
    // example, `"under:folders/123"` would match any resource under the
    // 'folders/123' folder.
    //
    // NOTE(review): an `under:` value widens a rule to the whole subtree —
    // presumably including resources added to that subtree later, confirm —
    // so review `allowed_values` entries that use it with extra care.
    bool supports_under = 2;
  }

  // A constraint that is either enforced or not.
  //
  // For example, a constraint `constraints/compute.disableSerialPortAccess`.
  // If it is enforced on a VM instance, serial port connections will not be
  // opened to that instance.
  //
  // The message carries no fields; the boolean is expressed by the policy
  // that enforces (or does not enforce) the constraint, and by
  // `constraint_default` when no policy applies.
  message BooleanConstraint {}

  // Immutable. The resource name of the constraint. Must be in one of
  // the following forms:
  //
  // * `projects/{project_number}/constraints/{constraint_name}`
  // * `folders/{folder_id}/constraints/{constraint_name}`
  // * `organizations/{organization_id}/constraints/{constraint_name}`
  //
  // For example, `projects/123/constraints/compute.disableSerialPortAccess`
  // (no leading slash — the resource patterns above are relative names).
  string name = 1 [(google.api.field_behavior) = IMMUTABLE];

  // The human readable name.
  //
  // Mutable.
  string display_name = 2;

  // Detailed description of what this constraint controls as well as how and
  // where it is enforced.
  //
  // Mutable.
  string description = 3;

  // The evaluation behavior of this constraint in the absence of a policy.
  // Must be `ALLOW` or `DENY` for a well-formed constraint; see
  // `ConstraintDefault` for why `CONSTRAINT_DEFAULT_UNSPECIFIED` should be
  // rejected rather than interpreted by consumers.
  ConstraintDefault constraint_default = 4;

  // The type of restrictions for this `Constraint`.
  //
  // Immutable after creation.
  //
  // At most one member of the oneof is set. A constraint with neither set
  // has no restriction type at all; consumers should not guess one from the
  // constraint name.
  oneof constraint_type {
    // Defines this constraint as being a ListConstraint.
    ListConstraint list_constraint = 5;

    // Defines this constraint as being a BooleanConstraint.
    BooleanConstraint boolean_constraint = 6;
  }

  // Shows if dry run is supported for this constraint or not.
  //
  // NOTE(review): a dry-run policy presumably reports would-be violations
  // without blocking requests — confirm against the Policy documentation —
  // so a dry-run-only policy must not be counted as an enforced control.
  bool supports_dry_run = 7;
}
131
132// A custom constraint defined by customers which can *only* be applied to the
133// given resource types and organization.
134//
135// By creating a custom constraint, customers can apply policies of this
136// custom constraint. *Creating a custom constraint itself does NOT apply any
137// policy enforcement*.
message CustomConstraint {
  // Unlike a predefined `Constraint`, a custom constraint exists only at the
  // organization level; there is no project- or folder-scoped pattern.
  option (google.api.resource) = {
    type: "orgpolicy.googleapis.com/CustomConstraint"
    pattern: "organizations/{organization}/customConstraints/{custom_constraint}"
  };

  // The operation for which this constraint will be applied. To apply this
  // constraint only when creating new VMs, the `method_types` should be
  // `CREATE` only. To apply this constraint when creating or deleting
  // VMs, the `method_types` should be `CREATE` and `DELETE`.
  //
  // `UPDATE` only custom constraints are not supported. Use `CREATE` or
  // `CREATE, UPDATE`.
  //
  // NOTE(review): `DELETE` is marked "Not supported yet" on the value below,
  // which contradicts the CREATE-and-DELETE example above. Do not rely on a
  // custom constraint to block deletions until that value is documented as
  // supported.
  enum MethodType {
    // Unspecified. Results in an error.
    METHOD_TYPE_UNSPECIFIED = 0;

    // Constraint applied when creating the resource.
    //
    // NOTE(review): a constraint with `CREATE` alone is, by this definition,
    // not re-evaluated on later updates, so a resource can be created in a
    // compliant state and then updated out of compliance. Pair it with
    // `UPDATE` when the condition must hold for the resource's lifetime.
    CREATE = 1;

    // Constraint applied when updating the resource.
    UPDATE = 2;

    // Constraint applied when deleting the resource.
    // Not supported yet.
    DELETE = 3;
  }

  // Allow or deny type.
  //
  // Whether a request that satisfies `condition` is allowed or denied
  // (presumably evaluated when the condition is true — confirm against the
  // API reference). `DENY` is the fail-closed choice: it blocks exactly the
  // matching requests and leaves everything else to other policies.
  enum ActionType {
    // Unspecified. Results in an error.
    ACTION_TYPE_UNSPECIFIED = 0;

    // Allowed action type.
    ALLOW = 1;

    // Deny action type.
    DENY = 2;
  }

  // Immutable. Name of the constraint. This is unique within the organization.
  // Format of the name should be
  //
  // * `organizations/{organization_id}/customConstraints/{custom_constraint_id}`
  //
  // Example: `organizations/123/customConstraints/custom.createOnlyE2TypeVms`
  //
  // The max length is 70 characters and the minimum length is 1. Note that the
  // prefix `organizations/{organization_id}/customConstraints/` is not counted.
  string name = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. The resource instance type on which this policy applies. Format
  // will be of the form : `<canonical service name>/<type>` Example:
  //
  //  * `compute.googleapis.com/Instance`.
  //
  // The constraint is evaluated only for these types; a resource of any other
  // type is untouched by it, even if `condition` would match.
  repeated string resource_types = 2 [(google.api.field_behavior) = IMMUTABLE];

  // All the operations being applied for this constraint.
  // See `MethodType` for the allowed combinations.
  repeated MethodType method_types = 3;

  // Org policy condition/expression (presumably a CEL expression, judging by
  // the examples — confirm). For example:
  // `resource.instanceName.matches("^(production|test)_.*_\d+$")` or,
  // `resource.management.auto_upgrade == true`
  //
  // NOTE(review): the earlier example used `[production|test]`, which is a
  // character class (it matches a single character such as `p` or `|`), not
  // an alternation; a constraint copied from it would match far more names
  // than intended. The `^`/`$` anchors are added because `matches` is, to my
  // understanding, an unanchored search — confirm against the CEL spec
  // before relying on a pattern to cover the whole name.
  //
  // The max length of the condition is 1000 characters.
  string condition = 4;

  // Allow or deny type.
  // See `ActionType`; must not be `ACTION_TYPE_UNSPECIFIED`.
  ActionType action_type = 5;

  // One line display name for the UI.
  // The max length of the display_name is 200 characters.
  string display_name = 6;

  // Detailed information about this custom policy constraint.
  // The max length of the description is 2000 characters.
  string description = 7;

  // Output only. The last time this custom constraint was updated. This
  // represents the last time that the `CreateCustomConstraint` or
  // `UpdateCustomConstraint` RPC was called. Ignored on input.
  google.protobuf.Timestamp update_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];
}
222