1// Copyright 2021 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.osconfig.v1; 18 19import "google/api/field_behavior.proto"; 20 21option csharp_namespace = "Google.Cloud.OsConfig.V1"; 22option go_package = "cloud.google.com/go/osconfig/apiv1/osconfigpb;osconfigpb"; 23option java_multiple_files = true; 24option java_outer_classname = "OsPolicyProto"; 25option java_package = "com.google.cloud.osconfig.v1"; 26option php_namespace = "Google\\Cloud\\OsConfig\\V1"; 27option ruby_package = "Google::Cloud::OsConfig::V1"; 28 29// An OS policy defines the desired state configuration for a VM. 30message OSPolicy { 31 // Policy mode 32 enum Mode { 33 // Invalid mode 34 MODE_UNSPECIFIED = 0; 35 36 // This mode checks if the configuration resources in the policy are in 37 // their desired state. No actions are performed if they are not in the 38 // desired state. This mode is used for reporting purposes. 39 VALIDATION = 1; 40 41 // This mode checks if the configuration resources in the policy are in 42 // their desired state, and if not, enforces the desired state. 43 ENFORCEMENT = 2; 44 } 45 46 // Filtering criteria to select VMs based on inventory details. 47 message InventoryFilter { 48 // Required. The OS short name 49 string os_short_name = 1 [(google.api.field_behavior) = REQUIRED]; 50 51 // The OS version 52 // 53 // Prefix matches are supported if asterisk(*) is provided as the 54 // last character. For example, to match all versions with a major 55 // version of `7`, specify the following value for this field `7.*` 56 // 57 // An empty string matches all OS versions. 58 string os_version = 2; 59 } 60 61 // An OS policy resource is used to define the desired state configuration 62 // and provides a specific functionality like installing/removing packages, 63 // executing a script etc. 64 // 65 // The system ensures that resources are always in their desired state by 66 // taking necessary actions if they have drifted from their desired state. 67 message Resource { 68 // A remote or local file. 69 message File { 70 // Specifies a file available via some URI. 71 message Remote { 72 // Required. URI from which to fetch the object. It should contain both 73 // the protocol and path following the format `{protocol}://{location}`. 74 string uri = 1 [(google.api.field_behavior) = REQUIRED]; 75 76 // SHA256 checksum of the remote file. 77 string sha256_checksum = 2; 78 } 79 80 // Specifies a file available as a Cloud Storage Object. 81 message Gcs { 82 // Required. Bucket of the Cloud Storage object. 83 string bucket = 1 [(google.api.field_behavior) = REQUIRED]; 84 85 // Required. Name of the Cloud Storage object. 86 string object = 2 [(google.api.field_behavior) = REQUIRED]; 87 88 // Generation number of the Cloud Storage object. 89 int64 generation = 3; 90 } 91 92 // A specific type of file. 93 oneof type { 94 // A generic remote file. 95 Remote remote = 1; 96 97 // A Cloud Storage object. 98 Gcs gcs = 2; 99 100 // A local path within the VM to use. 101 string local_path = 3; 102 } 103 104 // Defaults to false. When false, files are subject to validations 105 // based on the file type: 106 // 107 // Remote: A checksum must be specified. 108 // Cloud Storage: An object generation number must be specified. 109 bool allow_insecure = 4; 110 } 111 112 // A resource that manages a system package. 113 message PackageResource { 114 // The desired state that the OS Config agent maintains on the VM. 115 enum DesiredState { 116 // Unspecified is invalid. 117 DESIRED_STATE_UNSPECIFIED = 0; 118 119 // Ensure that the package is installed. 120 INSTALLED = 1; 121 122 // The agent ensures that the package is not installed and 123 // uninstalls it if detected. 124 REMOVED = 2; 125 } 126 127 // A deb package file. dpkg packages only support INSTALLED state. 128 message Deb { 129 // Required. A deb package. 130 File source = 1 [(google.api.field_behavior) = REQUIRED]; 131 132 // Whether dependencies should also be installed. 133 // - install when false: `dpkg -i package` 134 // - install when true: `apt-get update && apt-get -y install 135 // package.deb` 136 bool pull_deps = 2; 137 } 138 139 // A package managed by APT. 140 // - install: `apt-get update && apt-get -y install [name]` 141 // - remove: `apt-get -y remove [name]` 142 message APT { 143 // Required. Package name. 144 string name = 1 [(google.api.field_behavior) = REQUIRED]; 145 } 146 147 // An RPM package file. RPM packages only support INSTALLED state. 148 message RPM { 149 // Required. An rpm package. 150 File source = 1 [(google.api.field_behavior) = REQUIRED]; 151 152 // Whether dependencies should also be installed. 153 // - install when false: `rpm --upgrade --replacepkgs package.rpm` 154 // - install when true: `yum -y install package.rpm` or 155 // `zypper -y install package.rpm` 156 bool pull_deps = 2; 157 } 158 159 // A package managed by YUM. 160 // - install: `yum -y install package` 161 // - remove: `yum -y remove package` 162 message YUM { 163 // Required. Package name. 164 string name = 1 [(google.api.field_behavior) = REQUIRED]; 165 } 166 167 // A package managed by Zypper. 168 // - install: `zypper -y install package` 169 // - remove: `zypper -y rm package` 170 message Zypper { 171 // Required. Package name. 172 string name = 1 [(google.api.field_behavior) = REQUIRED]; 173 } 174 175 // A package managed by GooGet. 176 // - install: `googet -noconfirm install package` 177 // - remove: `googet -noconfirm remove package` 178 message GooGet { 179 // Required. Package name. 180 string name = 1 [(google.api.field_behavior) = REQUIRED]; 181 } 182 183 // An MSI package. MSI packages only support INSTALLED state. 184 message MSI { 185 // Required. The MSI package. 186 File source = 1 [(google.api.field_behavior) = REQUIRED]; 187 188 // Additional properties to use during installation. 189 // This should be in the format of Property=Setting. 190 // Appended to the defaults of `ACTION=INSTALL 191 // REBOOT=ReallySuppress`. 192 repeated string properties = 2; 193 } 194 195 // Required. The desired state the agent should maintain for this package. 196 DesiredState desired_state = 1 [(google.api.field_behavior) = REQUIRED]; 197 198 // A system package. 199 oneof system_package { 200 // A package managed by Apt. 201 APT apt = 2; 202 203 // A deb package file. 204 Deb deb = 3; 205 206 // A package managed by YUM. 207 YUM yum = 4; 208 209 // A package managed by Zypper. 210 Zypper zypper = 5; 211 212 // An rpm package file. 213 RPM rpm = 6; 214 215 // A package managed by GooGet. 216 GooGet googet = 7; 217 218 // An MSI package. 219 MSI msi = 8; 220 } 221 } 222 223 // A resource that manages a package repository. 224 message RepositoryResource { 225 // Represents a single apt package repository. These will be added to 226 // a repo file that will be managed at 227 // `/etc/apt/sources.list.d/google_osconfig.list`. 228 message AptRepository { 229 // Type of archive. 230 enum ArchiveType { 231 // Unspecified is invalid. 232 ARCHIVE_TYPE_UNSPECIFIED = 0; 233 234 // Deb indicates that the archive contains binary files. 235 DEB = 1; 236 237 // Deb-src indicates that the archive contains source files. 238 DEB_SRC = 2; 239 } 240 241 // Required. Type of archive files in this repository. 242 ArchiveType archive_type = 1 [(google.api.field_behavior) = REQUIRED]; 243 244 // Required. URI for this repository. 245 string uri = 2 [(google.api.field_behavior) = REQUIRED]; 246 247 // Required. Distribution of this repository. 248 string distribution = 3 [(google.api.field_behavior) = REQUIRED]; 249 250 // Required. List of components for this repository. Must contain at 251 // least one item. 252 repeated string components = 4 [(google.api.field_behavior) = REQUIRED]; 253 254 // URI of the key file for this repository. The agent maintains a 255 // keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`. 256 string gpg_key = 5; 257 } 258 259 // Represents a single yum package repository. These are added to a 260 // repo file that is managed at 261 // `/etc/yum.repos.d/google_osconfig.repo`. 262 message YumRepository { 263 // Required. A one word, unique name for this repository. This is the 264 // `repo id` in the yum config file and also the `display_name` if 265 // `display_name` is omitted. This id is also used as the unique 266 // identifier when checking for resource conflicts. 267 string id = 1 [(google.api.field_behavior) = REQUIRED]; 268 269 // The display name of the repository. 270 string display_name = 2; 271 272 // Required. The location of the repository directory. 273 string base_url = 3 [(google.api.field_behavior) = REQUIRED]; 274 275 // URIs of GPG keys. 276 repeated string gpg_keys = 4; 277 } 278 279 // Represents a single zypper package repository. These are added to a 280 // repo file that is managed at 281 // `/etc/zypp/repos.d/google_osconfig.repo`. 282 message ZypperRepository { 283 // Required. A one word, unique name for this repository. This is the 284 // `repo id` in the zypper config file and also the `display_name` if 285 // `display_name` is omitted. This id is also used as the unique 286 // identifier when checking for GuestPolicy conflicts. 287 string id = 1 [(google.api.field_behavior) = REQUIRED]; 288 289 // The display name of the repository. 290 string display_name = 2; 291 292 // Required. The location of the repository directory. 293 string base_url = 3 [(google.api.field_behavior) = REQUIRED]; 294 295 // URIs of GPG keys. 296 repeated string gpg_keys = 4; 297 } 298 299 // Represents a Goo package repository. These are added to a repo file 300 // that is managed at 301 // `C:/ProgramData/GooGet/repos/google_osconfig.repo`. 302 message GooRepository { 303 // Required. The name of the repository. 304 string name = 1 [(google.api.field_behavior) = REQUIRED]; 305 306 // Required. The url of the repository. 307 string url = 2 [(google.api.field_behavior) = REQUIRED]; 308 } 309 310 // A specific type of repository. 311 oneof repository { 312 // An Apt Repository. 313 AptRepository apt = 1; 314 315 // A Yum Repository. 316 YumRepository yum = 2; 317 318 // A Zypper Repository. 319 ZypperRepository zypper = 3; 320 321 // A Goo Repository. 322 GooRepository goo = 4; 323 } 324 } 325 326 // A resource that allows executing scripts on the VM. 327 // 328 // The `ExecResource` has 2 stages: `validate` and `enforce` and both stages 329 // accept a script as an argument to execute. 330 // 331 // When the `ExecResource` is applied by the agent, it first executes the 332 // script in the `validate` stage. The `validate` stage can signal that the 333 // `ExecResource` is already in the desired state by returning an exit code 334 // of `100`. If the `ExecResource` is not in the desired state, it should 335 // return an exit code of `101`. Any other exit code returned by this stage 336 // is considered an error. 337 // 338 // If the `ExecResource` is not in the desired state based on the exit code 339 // from the `validate` stage, the agent proceeds to execute the script from 340 // the `enforce` stage. If the `ExecResource` is already in the desired 341 // state, the `enforce` stage will not be run. 342 // Similar to `validate` stage, the `enforce` stage should return an exit 343 // code of `100` to indicate that the resource in now in its desired state. 344 // Any other exit code is considered an error. 345 // 346 // NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to 347 // have an explicit indicator of `in desired state`, `not in desired state` 348 // and errors. Because, for example, Powershell will always return an exit 349 // code of `0` unless an `exit` statement is provided in the script. So, for 350 // reasons of consistency and being explicit, exit codes `100` and `101` 351 // were chosen. 352 message ExecResource { 353 // A file or script to execute. 354 message Exec { 355 // The interpreter to use. 356 enum Interpreter { 357 // Invalid value, the request will return validation error. 358 INTERPRETER_UNSPECIFIED = 0; 359 360 // If an interpreter is not specified, the 361 // source is executed directly. This execution, without an 362 // interpreter, only succeeds for executables and scripts that have <a 363 // href="https://en.wikipedia.org/wiki/Shebang_(Unix)" 364 // class="external">shebang lines</a>. 365 NONE = 1; 366 367 // Indicates that the script runs with `/bin/sh` on Linux and 368 // `cmd.exe` on Windows. 369 SHELL = 2; 370 371 // Indicates that the script runs with PowerShell. 372 POWERSHELL = 3; 373 } 374 375 // What to execute. 376 oneof source { 377 // A remote or local file. 378 File file = 1; 379 380 // An inline script. 381 // The size of the script is limited to 1024 characters. 382 string script = 2; 383 } 384 385 // Optional arguments to pass to the source during execution. 386 repeated string args = 3; 387 388 // Required. The script interpreter to use. 389 Interpreter interpreter = 4 [(google.api.field_behavior) = REQUIRED]; 390 391 // Only recorded for enforce Exec. 392 // Path to an output file (that is created by this Exec) whose 393 // content will be recorded in OSPolicyResourceCompliance after a 394 // successful run. Absence or failure to read this file will result in 395 // this ExecResource being non-compliant. Output file size is limited to 396 // 100K bytes. 397 string output_file_path = 5; 398 } 399 400 // Required. What to run to validate this resource is in the desired 401 // state. An exit code of 100 indicates "in desired state", and exit code 402 // of 101 indicates "not in desired state". Any other exit code indicates 403 // a failure running validate. 404 Exec validate = 1 [(google.api.field_behavior) = REQUIRED]; 405 406 // What to run to bring this resource into the desired state. 407 // An exit code of 100 indicates "success", any other exit code indicates 408 // a failure running enforce. 409 Exec enforce = 2; 410 } 411 412 // A resource that manages the state of a file. 413 message FileResource { 414 // Desired state of the file. 415 enum DesiredState { 416 // Unspecified is invalid. 417 DESIRED_STATE_UNSPECIFIED = 0; 418 419 // Ensure file at path is present. 420 PRESENT = 1; 421 422 // Ensure file at path is absent. 423 ABSENT = 2; 424 425 // Ensure the contents of the file at path matches. If the file does 426 // not exist it will be created. 427 CONTENTS_MATCH = 3; 428 } 429 430 // The source for the contents of the file. 431 oneof source { 432 // A remote or local source. 433 File file = 1; 434 435 // A a file with this content. 436 // The size of the content is limited to 1024 characters. 437 string content = 2; 438 } 439 440 // Required. The absolute path of the file within the VM. 441 string path = 3 [(google.api.field_behavior) = REQUIRED]; 442 443 // Required. Desired state of the file. 444 DesiredState state = 4 [(google.api.field_behavior) = REQUIRED]; 445 446 // Consists of three octal digits which represent, in 447 // order, the permissions of the owner, group, and other users for the 448 // file (similarly to the numeric mode used in the linux chmod 449 // utility). Each digit represents a three bit number with the 4 bit 450 // corresponding to the read permissions, the 2 bit corresponds to the 451 // write bit, and the one bit corresponds to the execute permission. 452 // Default behavior is 755. 453 // 454 // Below are some examples of permissions and their associated values: 455 // read, write, and execute: 7 456 // read and execute: 5 457 // read and write: 6 458 // read only: 4 459 string permissions = 5; 460 } 461 462 // Required. The id of the resource with the following restrictions: 463 // 464 // * Must contain only lowercase letters, numbers, and hyphens. 465 // * Must start with a letter. 466 // * Must be between 1-63 characters. 467 // * Must end with a number or a letter. 468 // * Must be unique within the OS policy. 469 string id = 1 [(google.api.field_behavior) = REQUIRED]; 470 471 // Resource type. 472 oneof resource_type { 473 // Package resource 474 PackageResource pkg = 2; 475 476 // Package repository resource 477 RepositoryResource repository = 3; 478 479 // Exec resource 480 ExecResource exec = 4; 481 482 // File resource 483 FileResource file = 5; 484 } 485 } 486 487 // Resource groups provide a mechanism to group OS policy resources. 488 // 489 // Resource groups enable OS policy authors to create a single OS policy 490 // to be applied to VMs running different operating Systems. 491 // 492 // When the OS policy is applied to a target VM, the appropriate resource 493 // group within the OS policy is selected based on the `OSFilter` specified 494 // within the resource group. 495 message ResourceGroup { 496 // List of inventory filters for the resource group. 497 // 498 // The resources in this resource group are applied to the target VM if it 499 // satisfies at least one of the following inventory filters. 500 // 501 // For example, to apply this resource group to VMs running either `RHEL` or 502 // `CentOS` operating systems, specify 2 items for the list with following 503 // values: 504 // inventory_filters[0].os_short_name='rhel' and 505 // inventory_filters[1].os_short_name='centos' 506 // 507 // If the list is empty, this resource group will be applied to the target 508 // VM unconditionally. 509 repeated InventoryFilter inventory_filters = 1; 510 511 // Required. List of resources configured for this resource group. 512 // The resources are executed in the exact order specified here. 513 repeated Resource resources = 2 [(google.api.field_behavior) = REQUIRED]; 514 } 515 516 // Required. The id of the OS policy with the following restrictions: 517 // 518 // * Must contain only lowercase letters, numbers, and hyphens. 519 // * Must start with a letter. 520 // * Must be between 1-63 characters. 521 // * Must end with a number or a letter. 522 // * Must be unique within the assignment. 523 string id = 1 [(google.api.field_behavior) = REQUIRED]; 524 525 // Policy description. 526 // Length of the description is limited to 1024 characters. 527 string description = 2; 528 529 // Required. Policy mode 530 Mode mode = 3 [(google.api.field_behavior) = REQUIRED]; 531 532 // Required. List of resource groups for the policy. 533 // For a particular VM, resource groups are evaluated in the order specified 534 // and the first resource group that is applicable is selected and the rest 535 // are ignored. 536 // 537 // If none of the resource groups are applicable for a VM, the VM is 538 // considered to be non-compliant w.r.t this policy. This behavior can be 539 // toggled by the flag `allow_no_resource_group_match` 540 repeated ResourceGroup resource_groups = 4 541 [(google.api.field_behavior) = REQUIRED]; 542 543 // This flag determines the OS policy compliance status when none of the 544 // resource groups within the policy are applicable for a VM. Set this value 545 // to `true` if the policy needs to be reported as compliant even if the 546 // policy has nothing to validate or enforce. 547 bool allow_no_resource_group_match = 5; 548} 549