1// Copyright 2021 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15syntax = "proto3"; 16 17package google.cloud.osconfig.v1alpha; 18 19import "google/api/field_behavior.proto"; 20 21option csharp_namespace = "Google.Cloud.OsConfig.V1Alpha"; 22option go_package = "cloud.google.com/go/osconfig/apiv1alpha/osconfigpb;osconfigpb"; 23option java_multiple_files = true; 24option java_outer_classname = "OsPolicyProto"; 25option java_package = "com.google.cloud.osconfig.v1alpha"; 26option php_namespace = "Google\\Cloud\\OsConfig\\V1alpha"; 27option ruby_package = "Google::Cloud::OsConfig::V1alpha"; 28 29// An OS policy defines the desired state configuration for a VM. 30message OSPolicy { 31 // Policy mode 32 enum Mode { 33 // Invalid mode 34 MODE_UNSPECIFIED = 0; 35 36 // This mode checks if the configuration resources in the policy are in 37 // their desired state. No actions are performed if they are not in the 38 // desired state. This mode is used for reporting purposes. 39 VALIDATION = 1; 40 41 // This mode checks if the configuration resources in the policy are in 42 // their desired state, and if not, enforces the desired state. 43 ENFORCEMENT = 2; 44 } 45 46 // Filtering criteria to select VMs based on OS details. 47 message OSFilter { 48 // This should match OS short name emitted by the OS inventory agent. 49 // An empty value matches any OS. 50 string os_short_name = 1; 51 52 // This value should match the version emitted by the OS inventory 53 // agent. 54 // Prefix matches are supported if asterisk(*) is provided as the 55 // last character. For example, to match all versions with a major 56 // version of `7`, specify the following value for this field `7.*` 57 string os_version = 2; 58 } 59 60 // Filtering criteria to select VMs based on inventory details. 61 message InventoryFilter { 62 // Required. The OS short name 63 string os_short_name = 1 [(google.api.field_behavior) = REQUIRED]; 64 65 // The OS version 66 // 67 // Prefix matches are supported if asterisk(*) is provided as the 68 // last character. For example, to match all versions with a major 69 // version of `7`, specify the following value for this field `7.*` 70 // 71 // An empty string matches all OS versions. 72 string os_version = 2; 73 } 74 75 // An OS policy resource is used to define the desired state configuration 76 // and provides a specific functionality like installing/removing packages, 77 // executing a script etc. 78 // 79 // The system ensures that resources are always in their desired state by 80 // taking necessary actions if they have drifted from their desired state. 81 message Resource { 82 // A remote or local file. 83 message File { 84 // Specifies a file available via some URI. 85 message Remote { 86 // Required. URI from which to fetch the object. It should contain both the 87 // protocol and path following the format `{protocol}://{location}`. 88 string uri = 1 [(google.api.field_behavior) = REQUIRED]; 89 90 // SHA256 checksum of the remote file. 91 string sha256_checksum = 2; 92 } 93 94 // Specifies a file available as a Cloud Storage Object. 95 message Gcs { 96 // Required. Bucket of the Cloud Storage object. 97 string bucket = 1 [(google.api.field_behavior) = REQUIRED]; 98 99 // Required. Name of the Cloud Storage object. 100 string object = 2 [(google.api.field_behavior) = REQUIRED]; 101 102 // Generation number of the Cloud Storage object. 103 int64 generation = 3; 104 } 105 106 // A specific type of file. 107 oneof type { 108 // A generic remote file. 109 Remote remote = 1; 110 111 // A Cloud Storage object. 112 Gcs gcs = 2; 113 114 // A local path within the VM to use. 115 string local_path = 3; 116 } 117 118 // Defaults to false. When false, files are subject to validations 119 // based on the file type: 120 // 121 // Remote: A checksum must be specified. 122 // Cloud Storage: An object generation number must be specified. 123 bool allow_insecure = 4; 124 } 125 126 // A resource that manages a system package. 127 message PackageResource { 128 // The desired state that the OS Config agent maintains on the VM. 129 enum DesiredState { 130 // Unspecified is invalid. 131 DESIRED_STATE_UNSPECIFIED = 0; 132 133 // Ensure that the package is installed. 134 INSTALLED = 1; 135 136 // The agent ensures that the package is not installed and 137 // uninstalls it if detected. 138 REMOVED = 2; 139 } 140 141 // A deb package file. dpkg packages only support INSTALLED state. 142 message Deb { 143 // Required. A deb package. 144 File source = 1 [(google.api.field_behavior) = REQUIRED]; 145 146 // Whether dependencies should also be installed. 147 // - install when false: `dpkg -i package` 148 // - install when true: `apt-get update && apt-get -y install 149 // package.deb` 150 bool pull_deps = 2; 151 } 152 153 // A package managed by APT. 154 // - install: `apt-get update && apt-get -y install [name]` 155 // - remove: `apt-get -y remove [name]` 156 message APT { 157 // Required. Package name. 158 string name = 1 [(google.api.field_behavior) = REQUIRED]; 159 } 160 161 // An RPM package file. RPM packages only support INSTALLED state. 162 message RPM { 163 // Required. An rpm package. 164 File source = 1 [(google.api.field_behavior) = REQUIRED]; 165 166 // Whether dependencies should also be installed. 167 // - install when false: `rpm --upgrade --replacepkgs package.rpm` 168 // - install when true: `yum -y install package.rpm` or 169 // `zypper -y install package.rpm` 170 bool pull_deps = 2; 171 } 172 173 // A package managed by YUM. 174 // - install: `yum -y install package` 175 // - remove: `yum -y remove package` 176 message YUM { 177 // Required. Package name. 178 string name = 1 [(google.api.field_behavior) = REQUIRED]; 179 } 180 181 // A package managed by Zypper. 182 // - install: `zypper -y install package` 183 // - remove: `zypper -y rm package` 184 message Zypper { 185 // Required. Package name. 186 string name = 1 [(google.api.field_behavior) = REQUIRED]; 187 } 188 189 // A package managed by GooGet. 190 // - install: `googet -noconfirm install package` 191 // - remove: `googet -noconfirm remove package` 192 message GooGet { 193 // Required. Package name. 194 string name = 1 [(google.api.field_behavior) = REQUIRED]; 195 } 196 197 // An MSI package. MSI packages only support INSTALLED state. 198 message MSI { 199 // Required. The MSI package. 200 File source = 1 [(google.api.field_behavior) = REQUIRED]; 201 202 // Additional properties to use during installation. 203 // This should be in the format of Property=Setting. 204 // Appended to the defaults of `ACTION=INSTALL 205 // REBOOT=ReallySuppress`. 206 repeated string properties = 2; 207 } 208 209 // Required. The desired state the agent should maintain for this package. 210 DesiredState desired_state = 1 [(google.api.field_behavior) = REQUIRED]; 211 212 // A system package. 213 oneof system_package { 214 // A package managed by Apt. 215 APT apt = 2; 216 217 // A deb package file. 218 Deb deb = 3; 219 220 // A package managed by YUM. 221 YUM yum = 4; 222 223 // A package managed by Zypper. 224 Zypper zypper = 5; 225 226 // An rpm package file. 227 RPM rpm = 6; 228 229 // A package managed by GooGet. 230 GooGet googet = 7; 231 232 // An MSI package. 233 MSI msi = 8; 234 } 235 } 236 237 // A resource that manages a package repository. 238 message RepositoryResource { 239 // Represents a single apt package repository. These will be added to 240 // a repo file that will be managed at 241 // `/etc/apt/sources.list.d/google_osconfig.list`. 242 message AptRepository { 243 // Type of archive. 244 enum ArchiveType { 245 // Unspecified is invalid. 246 ARCHIVE_TYPE_UNSPECIFIED = 0; 247 248 // Deb indicates that the archive contains binary files. 249 DEB = 1; 250 251 // Deb-src indicates that the archive contains source files. 252 DEB_SRC = 2; 253 } 254 255 // Required. Type of archive files in this repository. 256 ArchiveType archive_type = 1 [(google.api.field_behavior) = REQUIRED]; 257 258 // Required. URI for this repository. 259 string uri = 2 [(google.api.field_behavior) = REQUIRED]; 260 261 // Required. Distribution of this repository. 262 string distribution = 3 [(google.api.field_behavior) = REQUIRED]; 263 264 // Required. List of components for this repository. Must contain at least one 265 // item. 266 repeated string components = 4 [(google.api.field_behavior) = REQUIRED]; 267 268 // URI of the key file for this repository. The agent maintains a 269 // keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`. 270 string gpg_key = 5; 271 } 272 273 // Represents a single yum package repository. These are added to a 274 // repo file that is managed at 275 // `/etc/yum.repos.d/google_osconfig.repo`. 276 message YumRepository { 277 // Required. A one word, unique name for this repository. This is the `repo 278 // id` in the yum config file and also the `display_name` if 279 // `display_name` is omitted. This id is also used as the unique 280 // identifier when checking for resource conflicts. 281 string id = 1 [(google.api.field_behavior) = REQUIRED]; 282 283 // The display name of the repository. 284 string display_name = 2; 285 286 // Required. The location of the repository directory. 287 string base_url = 3 [(google.api.field_behavior) = REQUIRED]; 288 289 // URIs of GPG keys. 290 repeated string gpg_keys = 4; 291 } 292 293 // Represents a single zypper package repository. These are added to a 294 // repo file that is managed at 295 // `/etc/zypp/repos.d/google_osconfig.repo`. 296 message ZypperRepository { 297 // Required. A one word, unique name for this repository. This is the `repo 298 // id` in the zypper config file and also the `display_name` if 299 // `display_name` is omitted. This id is also used as the unique 300 // identifier when checking for GuestPolicy conflicts. 301 string id = 1 [(google.api.field_behavior) = REQUIRED]; 302 303 // The display name of the repository. 304 string display_name = 2; 305 306 // Required. The location of the repository directory. 307 string base_url = 3 [(google.api.field_behavior) = REQUIRED]; 308 309 // URIs of GPG keys. 310 repeated string gpg_keys = 4; 311 } 312 313 // Represents a Goo package repository. These are added to a repo file 314 // that is managed at 315 // `C:/ProgramData/GooGet/repos/google_osconfig.repo`. 316 message GooRepository { 317 // Required. The name of the repository. 318 string name = 1 [(google.api.field_behavior) = REQUIRED]; 319 320 // Required. The url of the repository. 321 string url = 2 [(google.api.field_behavior) = REQUIRED]; 322 } 323 324 // A specific type of repository. 325 oneof repository { 326 // An Apt Repository. 327 AptRepository apt = 1; 328 329 // A Yum Repository. 330 YumRepository yum = 2; 331 332 // A Zypper Repository. 333 ZypperRepository zypper = 3; 334 335 // A Goo Repository. 336 GooRepository goo = 4; 337 } 338 } 339 340 // A resource that allows executing scripts on the VM. 341 // 342 // The `ExecResource` has 2 stages: `validate` and `enforce` and both stages 343 // accept a script as an argument to execute. 344 // 345 // When the `ExecResource` is applied by the agent, it first executes the 346 // script in the `validate` stage. The `validate` stage can signal that the 347 // `ExecResource` is already in the desired state by returning an exit code 348 // of `100`. If the `ExecResource` is not in the desired state, it should 349 // return an exit code of `101`. Any other exit code returned by this stage 350 // is considered an error. 351 // 352 // If the `ExecResource` is not in the desired state based on the exit code 353 // from the `validate` stage, the agent proceeds to execute the script from 354 // the `enforce` stage. If the `ExecResource` is already in the desired 355 // state, the `enforce` stage will not be run. 356 // Similar to `validate` stage, the `enforce` stage should return an exit 357 // code of `100` to indicate that the resource in now in its desired state. 358 // Any other exit code is considered an error. 359 // 360 // NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to 361 // have an explicit indicator of `in desired state`, `not in desired state` 362 // and errors. Because, for example, Powershell will always return an exit 363 // code of `0` unless an `exit` statement is provided in the script. So, for 364 // reasons of consistency and being explicit, exit codes `100` and `101` 365 // were chosen. 366 message ExecResource { 367 // A file or script to execute. 368 message Exec { 369 // The interpreter to use. 370 enum Interpreter { 371 // Invalid value, the request will return validation error. 372 INTERPRETER_UNSPECIFIED = 0; 373 374 // If an interpreter is not specified, the 375 // source is executed directly. This execution, without an 376 // interpreter, only succeeds for executables and scripts that have <a 377 // href="https://en.wikipedia.org/wiki/Shebang_(Unix)" 378 // class="external">shebang lines</a>. 379 NONE = 1; 380 381 // Indicates that the script runs with `/bin/sh` on Linux and 382 // `cmd.exe` on Windows. 383 SHELL = 2; 384 385 // Indicates that the script runs with PowerShell. 386 POWERSHELL = 3; 387 } 388 389 // What to execute. 390 oneof source { 391 // A remote or local file. 392 File file = 1; 393 394 // An inline script. 395 // The size of the script is limited to 1024 characters. 396 string script = 2; 397 } 398 399 // Optional arguments to pass to the source during execution. 400 repeated string args = 3; 401 402 // Required. The script interpreter to use. 403 Interpreter interpreter = 4 [(google.api.field_behavior) = REQUIRED]; 404 405 // Only recorded for enforce Exec. 406 // Path to an output file (that is created by this Exec) whose 407 // content will be recorded in OSPolicyResourceCompliance after a 408 // successful run. Absence or failure to read this file will result in 409 // this ExecResource being non-compliant. Output file size is limited to 410 // 100K bytes. 411 string output_file_path = 5; 412 } 413 414 // Required. What to run to validate this resource is in the desired state. 415 // An exit code of 100 indicates "in desired state", and exit code of 101 416 // indicates "not in desired state". Any other exit code indicates a 417 // failure running validate. 418 Exec validate = 1 [(google.api.field_behavior) = REQUIRED]; 419 420 // What to run to bring this resource into the desired state. 421 // An exit code of 100 indicates "success", any other exit code indicates 422 // a failure running enforce. 423 Exec enforce = 2; 424 } 425 426 // A resource that manages the state of a file. 427 message FileResource { 428 // Desired state of the file. 429 enum DesiredState { 430 // Unspecified is invalid. 431 DESIRED_STATE_UNSPECIFIED = 0; 432 433 // Ensure file at path is present. 434 PRESENT = 1; 435 436 // Ensure file at path is absent. 437 ABSENT = 2; 438 439 // Ensure the contents of the file at path matches. If the file does 440 // not exist it will be created. 441 CONTENTS_MATCH = 3; 442 } 443 444 // The source for the contents of the file. 445 oneof source { 446 // A remote or local source. 447 File file = 1; 448 449 // A a file with this content. 450 // The size of the content is limited to 1024 characters. 451 string content = 2; 452 } 453 454 // Required. The absolute path of the file within the VM. 455 string path = 3 [(google.api.field_behavior) = REQUIRED]; 456 457 // Required. Desired state of the file. 458 DesiredState state = 4 [(google.api.field_behavior) = REQUIRED]; 459 460 // Consists of three octal digits which represent, in 461 // order, the permissions of the owner, group, and other users for the 462 // file (similarly to the numeric mode used in the linux chmod 463 // utility). Each digit represents a three bit number with the 4 bit 464 // corresponding to the read permissions, the 2 bit corresponds to the 465 // write bit, and the one bit corresponds to the execute permission. 466 // Default behavior is 755. 467 // 468 // Below are some examples of permissions and their associated values: 469 // read, write, and execute: 7 470 // read and execute: 5 471 // read and write: 6 472 // read only: 4 473 string permissions = 5; 474 } 475 476 // Required. The id of the resource with the following restrictions: 477 // 478 // * Must contain only lowercase letters, numbers, and hyphens. 479 // * Must start with a letter. 480 // * Must be between 1-63 characters. 481 // * Must end with a number or a letter. 482 // * Must be unique within the OS policy. 483 string id = 1 [(google.api.field_behavior) = REQUIRED]; 484 485 // Resource type. 486 oneof resource_type { 487 // Package resource 488 PackageResource pkg = 2; 489 490 // Package repository resource 491 RepositoryResource repository = 3; 492 493 // Exec resource 494 ExecResource exec = 4; 495 496 // File resource 497 FileResource file = 5; 498 } 499 } 500 501 // Resource groups provide a mechanism to group OS policy resources. 502 // 503 // Resource groups enable OS policy authors to create a single OS policy 504 // to be applied to VMs running different operating Systems. 505 // 506 // When the OS policy is applied to a target VM, the appropriate resource 507 // group within the OS policy is selected based on the `OSFilter` specified 508 // within the resource group. 509 message ResourceGroup { 510 // Deprecated. Use the `inventory_filters` field instead. 511 // Used to specify the OS filter for a resource group 512 OSFilter os_filter = 1 [deprecated = true]; 513 514 // List of inventory filters for the resource group. 515 // 516 // The resources in this resource group are applied to the target VM if it 517 // satisfies at least one of the following inventory filters. 518 // 519 // For example, to apply this resource group to VMs running either `RHEL` or 520 // `CentOS` operating systems, specify 2 items for the list with following 521 // values: 522 // inventory_filters[0].os_short_name='rhel' and 523 // inventory_filters[1].os_short_name='centos' 524 // 525 // If the list is empty, this resource group will be applied to the target 526 // VM unconditionally. 527 repeated InventoryFilter inventory_filters = 3; 528 529 // Required. List of resources configured for this resource group. 530 // The resources are executed in the exact order specified here. 531 repeated Resource resources = 2 [(google.api.field_behavior) = REQUIRED]; 532 } 533 534 // Required. The id of the OS policy with the following restrictions: 535 // 536 // * Must contain only lowercase letters, numbers, and hyphens. 537 // * Must start with a letter. 538 // * Must be between 1-63 characters. 539 // * Must end with a number or a letter. 540 // * Must be unique within the assignment. 541 string id = 1 [(google.api.field_behavior) = REQUIRED]; 542 543 // Policy description. 544 // Length of the description is limited to 1024 characters. 545 string description = 2; 546 547 // Required. Policy mode 548 Mode mode = 3 [(google.api.field_behavior) = REQUIRED]; 549 550 // Required. List of resource groups for the policy. 551 // For a particular VM, resource groups are evaluated in the order specified 552 // and the first resource group that is applicable is selected and the rest 553 // are ignored. 554 // 555 // If none of the resource groups are applicable for a VM, the VM is 556 // considered to be non-compliant w.r.t this policy. This behavior can be 557 // toggled by the flag `allow_no_resource_group_match` 558 repeated ResourceGroup resource_groups = 4 [(google.api.field_behavior) = REQUIRED]; 559 560 // This flag determines the OS policy compliance status when none of the 561 // resource groups within the policy are applicable for a VM. Set this value 562 // to `true` if the policy needs to be reported as compliant even if the 563 // policy has nothing to validate or enforce. 564 bool allow_no_resource_group_match = 5; 565} 566