1// Copyright 2020 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.securitycenter.settings.v1beta1;
18
19import "google/api/field_behavior.proto";
20import "google/api/resource.proto";
21import "google/protobuf/timestamp.proto";
22
23option cc_enable_arenas = true;
24option csharp_namespace = "Google.Cloud.SecurityCenter.Settings.V1Beta1";
25option go_package = "cloud.google.com/go/securitycenter/settings/apiv1beta1/settingspb;settingspb";
26option java_multiple_files = true;
27option java_outer_classname = "ComponentSettingsProto";
28option java_package = "com.google.cloud.securitycenter.settings.v1beta1";
29option php_namespace = "Google\\Cloud\\SecurityCenter\\Settings\\V1beta1";
30option ruby_package = "Google::Cloud::SecurityCenter::Settings::V1beta1";
31
32// Component Settings for Security Command Center
// Component Settings for Security Command Center.
//
// One ComponentSettings resource exists per (parent resource, component) pair.
// The resource-name patterns below show the levels at which settings can be
// attached: organization, folder, project, and cluster (by location, region
// or zone). Lower levels can INHERIT the enablement state from their
// ancestors, see `state` and `detector_settings`.
message ComponentSettings {
  option (google.api.resource) = {
    type: "securitycenter.googleapis.com/ComponentSettings"
    pattern: "organizations/{organization}/components/{component}/settings"
    pattern: "folders/{folder}/components/{component}/settings"
    pattern: "projects/{project}/components/{component}/settings"
    pattern: "projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings"
    pattern: "projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings"
    pattern: "projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings"
  };

  // Settings for each detector.
  message DetectorSettings {
    // ENABLE to enable component, DISABLE to disable and INHERIT to inherit
    // setting from ancestors.
    // An unset value (COMPONENT_ENABLEMENT_STATE_UNSPECIFIED) is documented on
    // the enum as equivalent to INHERIT, so an empty DetectorSettings entry
    // neither enables nor disables the detector by itself.
    ComponentEnablementState state = 1;
  }

  // The relative resource name of the component settings.
  // Formats:
  //  * `organizations/{organization}/components/{component}/settings`
  //  * `folders/{folder}/components/{component}/settings`
  //  * `projects/{project}/components/{component}/settings`
  //  * `projects/{project}/locations/{location}/clusters/{cluster}/components/{component}/settings`
  //  * `projects/{project}/regions/{region}/clusters/{cluster}/components/{component}/settings`
  //  * `projects/{project}/zones/{zone}/clusters/{cluster}/components/{component}/settings`
  string name = 1;

  // ENABLE to enable component, DISABLE to disable and INHERIT to inherit
  // setting from ancestors. Unset is equivalent to INHERIT.
  // NOTE(review): a DISABLE set at a folder, project or cluster level turns the
  // component off for that subtree regardless of the organization-level value,
  // so such overrides are worth including in any detection-coverage audit.
  ComponentEnablementState state = 2;

  // Output only. The service account to be used for security center component.
  // The component must have permission to "act as" the service account.
  // This field is reported by the service and cannot be set through this
  // message; the "act as" grant has to be managed in IAM.
  string project_service_account = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Settings for detectors.  Not all detectors must have settings present at
  // each and every level in the hierarchy.  If it is not present the setting
  // will be inherited from its ancestors folders, organizations or the
  // defaults.
  // The map key is presumably a detector identifier; its exact vocabulary is
  // not defined in this file — verify against the component's documentation.
  map<string, DetectorSettings> detector_settings = 4;

  // Output only. A fingerprint used for optimistic concurrency. If none is provided
  // on updates then the existing metadata will be blindly overwritten.
  // Callers should read the current settings and send this etag back with the
  // update, otherwise a concurrent change (for example another administrator
  // disabling a detector) can be silently clobbered without any error.
  string etag = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time these settings were last updated.
  google.protobuf.Timestamp update_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Component specific settings.  This must match the component value.
  // Only one member can be set at a time (oneof semantics).
  // Field number 43 is not used by any member; whether it was previously
  // allocated cannot be determined from this file — reserve it rather than
  // reusing it if it ever carried a different type.
  oneof specific_settings {
    // Container Threat Detection specific settings
    // For component, expect CONTAINER_THREAT_DETECTION
    ContainerThreatDetectionSettings container_threat_detection_settings = 41;

    // Event Threat Detection specific settings
    // For component, expect EVENT_THREAT_DETECTION
    EventThreatDetectionSettings event_threat_detection_settings = 42;

    // Security Health Analytics specific settings
    // For component, expect SECURITY_HEALTH_ANALYTICS
    SecurityHealthAnalyticsSettings security_health_analytics_settings = 44;

    // Web Security Scanner specific settings
    // For component, expect WEB_SECURITY_SCANNER
    WebSecurityScanner web_security_scanner_settings = 40;
  }
}
101
102// User specified settings for Web Security Scanner
// User specified settings for Web Security Scanner.
// Currently carries no fields; it exists so that the `specific_settings`
// oneof in ComponentSettings can be populated for the WEB_SECURITY_SCANNER
// component and so fields can be added later without a wire break.
message WebSecurityScanner {

}
106
107// User specified settings for KTD
// User specified settings for KTD (Container Threat Detection).
// Currently carries no fields; it exists so that the `specific_settings`
// oneof in ComponentSettings can be populated for the
// CONTAINER_THREAT_DETECTION component and so fields can be added later
// without a wire break.
message ContainerThreatDetectionSettings {

}
111
112// User specified settings for ETD
// User specified settings for ETD (Event Threat Detection).
// Currently carries no fields; it exists so that the `specific_settings`
// oneof in ComponentSettings can be populated for the EVENT_THREAT_DETECTION
// component and so fields can be added later without a wire break.
message EventThreatDetectionSettings {

}
116
117// User specified settings for Security Health Analytics
// User specified settings for Security Health Analytics.
// Both nested settings are allow-lists: identities matched here suppress
// findings, so every entry widens what the scanner accepts as legitimate.
message SecurityHealthAnalyticsSettings {
  // Settings for "NON_ORG_IAM_MEMBER" scanner.
  message NonOrgIamMemberSettings {
    // User emails ending in the provided identities are allowed to have IAM
    // permissions on a project or the organization. Otherwise a finding will
    // be created.
    // A valid identity can be:
    //   *  a domain that starts with "@", e.g. "@yourdomain.com".
    //   *  a fully specified email address that does not start with "@", e.g.
    //   "[email protected]"
    // Regular expressions are not supported.
    // Service accounts are not examined by the scanner and will be omitted if
    // added to the list.
    // If not specified, only Gmail accounts will be considered as non-approved.
    //
    // NOTE(review): the default is permissive — with an empty list, external
    // identities from any non-Gmail domain are treated as approved, so
    // organizations that want findings for other consumer or partner domains
    // must populate this list explicitly.
    // NOTE(review): matching is described as a suffix match. Keep the leading
    // "@" on domain entries; an entry such as a bare "yourdomain.com" is not
    // one of the two documented forms and could, depending on how the suffix
    // comparison is implemented, also match "[email protected]" —
    // confirm against the scanner's behaviour before relying on it.
    repeated string approved_identities = 1;
  }

  // Settings for "ADMIN_SERVICE_ACCOUNT" scanner.
  message AdminServiceAccountSettings {
    // User-created service accounts ending in the provided identities are
    // allowed to have Admin, Owner or Editor roles granted to them. Otherwise
    // a finding will be created.
    // A valid identity can be:
    //   *  a partially specified service account that starts with "@", e.g.
    //   "@myproject.iam.gserviceaccount.com". This approves all the service
    //   accounts suffixed with the specified identity.
    //   *  a fully specified service account that does not start with "@", e.g.
    //   "[email protected]".
    // Google-created service accounts are all approved.
    //
    // NOTE(review): a project-wide suffix approves every current and future
    // user-created service account in that project; prefer fully specified
    // accounts where the set of privileged accounts is known. Google-created
    // (default) service accounts are never flagged by this scanner, so
    // privileged roles on those must be reviewed by other means.
    repeated string approved_identities = 1;
  }

  // Settings for "NON_ORG_IAM_MEMBER" scanner.
  NonOrgIamMemberSettings non_org_iam_member_settings = 1;

  // Settings for "ADMIN_SERVICE_ACCOUNT" scanner.
  AdminServiceAccountSettings admin_service_account_settings = 2;
}
156
157// Valid states for a component
// Valid states for a component.
//
// Used by ComponentSettings.state and DetectorSettings.state. The zero value
// carries no meaning of its own (it defers to the ancestors), so an omitted or
// defaulted state never turns a component on or off by accident.
//
// NOTE(review): the values are not prefixed with the enum name; in proto3 enum
// values share their parent scope, so another enum in this package cannot
// reuse DISABLE/ENABLE/INHERIT. Renaming them now would break generated code
// and JSON for existing clients, so the names are kept as published.
enum ComponentEnablementState {
  // No state specified, equivalent of INHERIT
  COMPONENT_ENABLEMENT_STATE_UNSPECIFIED = 0;

  // Disable the component. Applies to the resource this setting is attached
  // to and, via inheritance, to descendants that do not override it.
  DISABLE = 1;

  // Enable the component
  ENABLE = 2;

  // Inherit the state from resources parent folder or organization.
  INHERIT = 3;
}
171