1// Copyright 2019 Google LLC.
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15
16syntax = "proto3";
17
18package google.cloud.orgpolicy.v1;
19
20import "google/protobuf/timestamp.proto";
21
22option csharp_namespace = "Google.Cloud.OrgPolicy.V1";
23option go_package = "cloud.google.com/go/orgpolicy/apiv1/orgpolicypb;orgpolicypb";
24option java_multiple_files = true;
25option java_outer_classname = "OrgPolicyProto";
26option java_package = "com.google.cloud.orgpolicy.v1";
27option php_namespace = "Google\\Cloud\\OrgPolicy\\V1";
28option ruby_package = "Google::Cloud::OrgPolicy::V1";
29
// Defines a Cloud Organization `Policy` which is used to specify `Constraints`
// for configurations of Cloud Platform resources.
//
// Exactly one member of `policy_type` carries the policy's meaning; the other
// top-level fields (`version`, `constraint`, `etag`, `update_time`) describe
// which `Constraint` is configured and how the write is versioned.
message Policy {
  // Used in `policy_type` to specify how `list_policy` behaves at this
  // resource.
  //
  // `ListPolicy` can define specific values and subtrees of Cloud Resource
  // Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
  // are allowed or denied by setting the `allowed_values` and `denied_values`
  // fields. This is achieved by using the `under:` and optional `is:` prefixes.
  // The `under:` prefix is used to denote resource subtree values.
  // The `is:` prefix is used to denote specific values, and is required only
  // if the value contains a ":". Values prefixed with "is:" are treated the
  // same as values with no prefix.
  // Ancestry subtrees must be in one of the following formats:
  //     - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
  //     - "folders/<folder-id>", e.g. "folders/1234"
  //     - "organizations/<organization-id>", e.g. "organizations/1234"
  // The `supports_under` field of the associated `Constraint` defines whether
  // ancestry prefixes can be used. You can set `allowed_values` and
  // `denied_values` in the same `Policy` if `all_values` is
  // `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
  // values. If `all_values` is set to either `ALLOW` or `DENY`,
  // `allowed_values` and `denied_values` must be unset.
  message ListPolicy {
    // This enum can be used to set `Policies` that apply to all possible
    // configuration values rather than specific values in `allowed_values` or
    // `denied_values`.
    //
    // Setting this to `ALLOW` will mean this `Policy` allows all values.
    // Similarly, setting it to `DENY` will mean no values are allowed. If
    // set to either `ALLOW` or `DENY`, `allowed_values` and `denied_values`
    // must be unset. Setting this to `ALL_VALUES_UNSPECIFIED` allows for
    // setting `allowed_values` and `denied_values`.
    //
    // NOTE(review): the values are not prefixed with the enum name (e.g.
    // `ALL_VALUES_ALLOW`), so in languages that scope enum values to the
    // enclosing message they share the `ListPolicy` namespace. Renaming them
    // would break generated code on a published API, so they stay as-is.
    enum AllValues {
      // Indicates that allowed_values or denied_values must be set.
      // This is the proto3 default: an unset `all_values` reads as this value.
      ALL_VALUES_UNSPECIFIED = 0;

      // A policy with this set allows all values.
      ALLOW = 1;

      // A policy with this set denies all values.
      DENY = 2;
    }

    // List of values allowed at this resource. Can only be set if `all_values`
    // is set to `ALL_VALUES_UNSPECIFIED`.
    //
    // `repeated` fields have no presence: an empty list is indistinguishable
    // from "unset".
    repeated string allowed_values = 1;

    // List of values denied at this resource. Can only be set if `all_values`
    // is set to `ALL_VALUES_UNSPECIFIED`.
    //
    // `repeated` fields have no presence: an empty list is indistinguishable
    // from "unset".
    repeated string denied_values = 2;

    // The policy all_values state. Defaults to `ALL_VALUES_UNSPECIFIED` when
    // not set.
    AllValues all_values = 3;

    // Optional. The Google Cloud Console will try to default to a configuration
    // that matches the value specified in this `Policy`. If `suggested_value`
    // is not set, it will inherit the value specified higher in the hierarchy,
    // unless `inherit_from_parent` is `false`.
    string suggested_value = 4;

    // Determines the inheritance behavior for this `Policy`.
    //
    // By default, a `ListPolicy` set at a resource supersedes any `Policy` set
    // anywhere up the resource hierarchy. However, if `inherit_from_parent` is
    // set to `true`, then the values from the effective `Policy` of the parent
    // resource are inherited, meaning the values set in this `Policy` are
    // added to the values inherited up the hierarchy.
    //
    // This is a proto3 `bool` without explicit presence: leaving it unset is
    // the same as setting it to `false` (no inheritance).
    //
    // Setting `Policy` hierarchies that inherit both allowed values and denied
    // values isn't recommended in most circumstances to keep the configuration
    // simple and understandable. However, it is possible to set a `Policy` with
    // `allowed_values` set that inherits a `Policy` with `denied_values` set.
    // In this case, the values that are allowed must be in `allowed_values` and
    // not present in `denied_values`.
    //
    // For example, suppose you have a `Constraint`
    // `constraints/serviceuser.services`, which has a `constraint_type` of
    // `list_constraint`, and with `constraint_default` set to `ALLOW`.
    // Suppose that at the Organization level, a `Policy` is applied that
    // restricts the allowed API activations to {`E1`, `E2`}. Then, if a
    // `Policy` is applied to a project below the Organization that has
    // `inherit_from_parent` set to `false` and field all_values set to DENY,
    // then an attempt to activate any API will be denied.
    //
    // The following examples demonstrate different possible layerings for
    // `projects/bar` parented by `organizations/foo`:
    //
    // Example 1 (no inherited values):
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "E1" allowed_values: "E2"}
    //   `projects/bar` has `inherit_from_parent` `false` and values:
    //     {allowed_values: "E3" allowed_values: "E4"}
    // The accepted values at `organizations/foo` are `E1`, `E2`.
    // The accepted values at `projects/bar` are `E3`, and `E4`.
    //
    // Example 2 (inherited values):
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "E1" allowed_values: "E2"}
    //   `projects/bar` has a `Policy` with values:
    //     {allowed_values: "E3" allowed_values: "E4" inherit_from_parent: true}
    // The accepted values at `organizations/foo` are `E1`, `E2`.
    // The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
    //
    // Example 3 (inheriting both allowed and denied values):
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "E1" allowed_values: "E2"}
    //   `projects/bar` has a `Policy` with:
    //     {denied_values: "E1"}
    // The accepted values at `organizations/foo` are `E1`, `E2`.
    // The value accepted at `projects/bar` is `E2`.
    //
    // Example 4 (RestoreDefault):
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "E1" allowed_values: "E2"}
    //   `projects/bar` has a `Policy` with values:
    //     {RestoreDefault: {}}
    // The accepted values at `organizations/foo` are `E1`, `E2`.
    // The accepted values at `projects/bar` are either all or none depending on
    // the value of `constraint_default` (if `ALLOW`, all; if
    // `DENY`, none).
    //
    // Example 5 (no policy inherits parent policy):
    //   `organizations/foo` has no `Policy` set.
    //   `projects/bar` has no `Policy` set.
    // The accepted values at both levels are either all or none depending on
    // the value of `constraint_default` (if `ALLOW`, all; if
    // `DENY`, none).
    //
    // Example 6 (ListConstraint allowing all):
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "E1" allowed_values: "E2"}
    //   `projects/bar` has a `Policy` with:
    //     {all_values: ALLOW}
    // The accepted values at `organizations/foo` are `E1`, `E2`.
    // Any value is accepted at `projects/bar`.
    //
    // Example 7 (ListConstraint allowing none):
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "E1" allowed_values: "E2"}
    //   `projects/bar` has a `Policy` with:
    //     {all_values: DENY}
    // The accepted values at `organizations/foo` are `E1`, `E2`.
    // No value is accepted at `projects/bar`.
    //
    // Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
    // Given the following resource hierarchy
    //   O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
    //   `organizations/foo` has a `Policy` with values:
    //     {allowed_values: "under:organizations/O1"}
    //   `projects/bar` has a `Policy` with:
    //     {allowed_values: "under:projects/P3"}
    //     {denied_values: "under:folders/F2"}
    // The accepted values at `organizations/foo` are `organizations/O1`,
    //   `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
    //   `projects/P3`.
    // The accepted values at `projects/bar` are `organizations/O1`,
    //   `folders/F1`, `projects/P1`.
    bool inherit_from_parent = 5;
  }

  // Used in `policy_type` to specify how `boolean_policy` will behave at this
  // resource.
  message BooleanPolicy {
    // If `true`, then the `Policy` is enforced. If `false`, then any
    // configuration is acceptable.
    //
    // This is a proto3 `bool` without explicit presence: an unset field reads
    // as `false`, so an empty `BooleanPolicy {}` is treated as "not enforced".
    // Callers that intend to enforce must set this to `true` explicitly.
    //
    // Suppose you have a `Constraint`
    // `constraints/compute.disableSerialPortAccess` with `constraint_default`
    // set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
    // behavior:
    //   - If the `Policy` at this resource has enforced set to `false`, serial
    //     port connection attempts will be allowed.
    //   - If the `Policy` at this resource has enforced set to `true`, serial
    //     port connection attempts will be refused.
    //   - If the `Policy` at this resource is `RestoreDefault`, serial port
    //     connection attempts will be allowed.
    //   - If no `Policy` is set at this resource or anywhere higher in the
    //     resource hierarchy, serial port connection attempts will be allowed.
    //   - If no `Policy` is set at this resource, but one exists higher in the
    //     resource hierarchy, the behavior is as if the `Policy` were set at
    //     this resource.
    //
    // The following examples demonstrate the different possible layerings:
    //
    // Example 1 (nearest `Constraint` wins):
    //   `organizations/foo` has a `Policy` with:
    //     {enforced: false}
    //   `projects/bar` has no `Policy` set.
    // The constraint at `projects/bar` and `organizations/foo` will not be
    // enforced.
    //
    // Example 2 (enforcement gets replaced):
    //   `organizations/foo` has a `Policy` with:
    //     {enforced: false}
    //   `projects/bar` has a `Policy` with:
    //     {enforced: true}
    // The constraint at `organizations/foo` is not enforced.
    // The constraint at `projects/bar` is enforced.
    //
    // Example 3 (RestoreDefault):
    //   `organizations/foo` has a `Policy` with:
    //     {enforced: true}
    //   `projects/bar` has a `Policy` with:
    //     {RestoreDefault: {}}
    // The constraint at `organizations/foo` is enforced.
    // The constraint at `projects/bar` is not enforced, because
    // `constraint_default` for the `Constraint` is `ALLOW`.
    bool enforced = 1;
  }

  // Ignores policies set above this resource and restores the
  // `constraint_default` enforcement behavior of the specific `Constraint` at
  // this resource.
  //
  // This message is intentionally empty: its meaning comes solely from being
  // the set member of `policy_type`. Because it is a message-typed field, its
  // presence in the oneof is distinguishable from "not set".
  //
  // Suppose that `constraint_default` is set to `ALLOW` for the
  // `Constraint` `constraints/serviceuser.services`. Suppose that organization
  // foo.com sets a `Policy` at their Organization resource node that restricts
  // the allowed service activations to deny all service activations. They
  // could then set a `Policy` with the `policy_type` `restore_default` on
  // several experimental projects, restoring the `constraint_default`
  // enforcement of the `Constraint` for only those projects, allowing those
  // projects to have all services activated.
  message RestoreDefault {

  }

  // Version of the `Policy`. Default version is 0.
  int32 version = 1;

  // The name of the `Constraint` the `Policy` is configuring, for example,
  // `constraints/serviceuser.services`.
  //
  // Immutable after creation.
  string constraint = 2;

  // An opaque tag indicating the current version of the `Policy`, used for
  // concurrency control.
  //
  // When the `Policy` is returned from either a `GetPolicy` or a
  // `ListOrgPolicy` request, this `etag` indicates the version of the current
  // `Policy` to use when executing a read-modify-write loop.
  //
  // When the `Policy` is returned from a `GetEffectivePolicy` request, the
  // `etag` will be unset.
  //
  // When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
  // that was returned from a `GetOrgPolicy` request as part of a
  // read-modify-write loop for concurrency control. Not setting the `etag` in a
  // `SetOrgPolicy` request will result in an unconditional write of the
  // `Policy`, i.e. the write skips the optimistic-concurrency check and can
  // silently overwrite a change made by another writer in the meantime.
  // Treat the value as opaque; do not parse or construct it.
  bytes etag = 3;

  // The time stamp the `Policy` was previously updated. This is set by the
  // server, not specified by the caller, and represents the last time a call to
  // `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
  // be ignored.
  google.protobuf.Timestamp update_time = 4;

  // The field to populate is based on the `constraint_type` value in the
  // `Constraint`.
  //   `list_constraint` => `list_policy`
  //   `boolean_constraint` => `boolean_policy`
  //
  //  A `restore_default` message may be used with any `Constraint` type.
  //
  // Providing a *_policy that is incompatible with the `constraint_type` will
  // result in an `invalid_argument` error.
  //
  // Attempting to set a `Policy` with a `policy_type` not set will result in an
  // `invalid_argument` error.
  //
  // As with any oneof, at most one member is set at a time; setting a second
  // member clears the first. Readers should dispatch on the oneof case rather
  // than checking each member independently.
  oneof policy_type {
    // List of values either allowed or disallowed.
    ListPolicy list_policy = 5;

    // For boolean `Constraints`, whether to enforce the `Constraint` or not.
    BooleanPolicy boolean_policy = 6;

    // Restores the default behavior of the constraint; independent of
    // `Constraint` type.
    RestoreDefault restore_default = 7;
  }
}
314