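// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v2;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.SecurityCenter.V2";
option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "ResourceValueConfigProto";
option java_package = "com.google.cloud.securitycenter.v2";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V2";
option ruby_package = "Google::Cloud::SecurityCenter::V2";

// A resource value config (RVC) is a mapping configuration of a user's
// resources to resource values. Used in attack path simulations.
//
// The selector fields below (tag_values, resource_type, scope,
// resource_labels_selector) are each documented as being combined with AND.
message ResourceValueConfig {
  option (google.api.resource) = {
    type: "securitycenter.googleapis.com/ResourceValueConfig"
    pattern: "organizations/{organization}/resourceValueConfigs/{resource_value_config}"
  };

  // Resource value mapping for Sensitive Data Protection (SDP) findings.
  // If any of these mappings has a resource value that is not unspecified,
  // the resource_value field will be ignored when reading this configuration.
  message SensitiveDataProtectionMapping {
    // Resource value mapping for high-sensitivity Sensitive Data Protection
    // findings.
    ResourceValue high_sensitivity_mapping = 1;

    // Resource value mapping for medium-sensitivity Sensitive Data Protection
    // findings.
    ResourceValue medium_sensitivity_mapping = 2;
  }

  // Name for the resource value config. The resource pattern declared above
  // is
  // "organizations/{organization}/resourceValueConfigs/{resource_value_config}".
  string name = 1;

  // Resource value level this expression represents.
  // Only required when there is no SDP mapping in the request. When an SDP
  // mapping with a value other than RESOURCE_VALUE_UNSPECIFIED is present,
  // this field is ignored on read (see SensitiveDataProtectionMapping).
  ResourceValue resource_value = 2;

  // Required. Tag values combined with AND to check against.
  // Values in the form "tagValues/123"
  // E.g. [ "tagValues/123", "tagValues/456", "tagValues/789" ]
  // https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing
  //
  // REQUIRED is a field_behavior annotation: proto3 parsing itself accepts a
  // message with this field empty, so any enforcement is up to the service.
  repeated string tag_values = 3 [(google.api.field_behavior) = REQUIRED];

  // Apply resource_value only to resources that match resource_type.
  // resource_type is combined with the other match conditions using AND.
  // E.g. "storage.googleapis.com/Bucket" with resource_value "HIGH" will
  // apply "HIGH" value only to "storage.googleapis.com/Bucket" resources.
  string resource_type = 4;

  // Project or folder to scope this config to.
  // For example, "project/456" would apply this config only to resources in
  // "project/456".
  // scope is combined with the other match conditions using AND.
  string scope = 5;

  // List of resource labels to search for, evaluated with AND.
  // E.g. "resource_labels_selector": {"key": "value", "env": "prod"}
  // will match resources with labels "key": "value" AND "env": "prod"
  // https://cloud.google.com/resource-manager/docs/creating-managing-labels
  map<string, string> resource_labels_selector = 6;

  // Description of the resource value config.
  string description = 7;

  // Output only. Timestamp this resource value config was created.
  // NOTE(review): OUTPUT_ONLY is an annotation; presumably the service
  // ignores a client-supplied value -- confirm against the service behavior.
  google.protobuf.Timestamp create_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Timestamp this resource value config was last updated.
  google.protobuf.Timestamp update_time = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Field number 10 is not assigned in this listing. Check the schema history
  // before using it for a new field, so that a number with an existing
  // meaning on the wire is not reused.

  // A mapping of the sensitivity on Sensitive Data Protection finding to
  // resource values. This mapping can only be used in combination with a
  // resource_type that is related to BigQuery, e.g.
  // "bigquery.googleapis.com/Dataset".
  SensitiveDataProtectionMapping sensitive_data_protection_mapping = 11;
}

// Value enum to map to a resource.
//
// Apart from the zero value, the value names carry no RESOURCE_VALUE_ prefix
// and therefore share the package scope. They are part of the schema's
// generated API and JSON representation, so they are kept as declared.
enum ResourceValue {
  // Unspecified value. This is the proto3 default, so a ResourceValue field
  // that was never set reads as this value.
  RESOURCE_VALUE_UNSPECIFIED = 0;

  // High resource value
  HIGH = 1;

  // Medium resource value
  MEDIUM = 2;

  // Low resource value
  LOW = 3;

  // No resource value, e.g. ignore these resources.
  // NOTE(review): a config that pairs NONE with a broad selector presumably
  // leaves every matching resource without a value; review such configs when
  // auditing what attack path simulations cover -- confirm against the
  // service documentation.
  NONE = 4;
}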