orgpolicy.proto 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315
  1. // Copyright 2019 Google LLC.
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. //
  15. syntax = "proto3";
  16. package google.cloud.orgpolicy.v1;
  17. import "google/protobuf/empty.proto";
  18. import "google/protobuf/timestamp.proto";
  19. import "google/api/annotations.proto";
  20. option csharp_namespace = "Google.Cloud.OrgPolicy.V1";
  21. option go_package = "google.golang.org/genproto/googleapis/cloud/orgpolicy/v1;orgpolicy";
  22. option java_multiple_files = true;
  23. option java_outer_classname = "OrgPolicyProto";
  24. option java_package = "com.google.cloud.orgpolicy.v1";
  25. option php_namespace = "Google\\Cloud\\OrgPolicy\\V1";
  26. option ruby_package = "Google::Cloud::OrgPolicy::V1";
  27. // Defines a Cloud Organization `Policy` which is used to specify `Constraints`
  28. // for configurations of Cloud Platform resources.
  29. message Policy {
  30. // Used in `policy_type` to specify how `list_policy` behaves at this
  31. // resource.
  32. //
  33. // `ListPolicy` can define specific values and subtrees of Cloud Resource
  34. // Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
  35. // are allowed or denied by setting the `allowed_values` and `denied_values`
  36. // fields. This is achieved by using the `under:` and optional `is:` prefixes.
  37. // The `under:` prefix is used to denote resource subtree values.
  38. // The `is:` prefix is used to denote specific values, and is required only
  39. // if the value contains a ":". Values prefixed with "is:" are treated the
  40. // same as values with no prefix.
  41. // Ancestry subtrees must be in one of the following formats:
  42. // - "projects/<project-id>", e.g. "projects/tokyo-rain-123"
  43. // - "folders/<folder-id>", e.g. "folders/1234"
  44. // - "organizations/<organization-id>", e.g. "organizations/1234"
  45. // The `supports_under` field of the associated `Constraint` defines whether
  46. // ancestry prefixes can be used. You can set `allowed_values` and
  47. // `denied_values` in the same `Policy` if `all_values` is
  48. // `ALL_VALUES_UNSPECIFIED`. `ALLOW` or `DENY` are used to allow or deny all
  49. // values. If `all_values` is set to either `ALLOW` or `DENY`,
  50. // `allowed_values` and `denied_values` must be unset.
  51. message ListPolicy {
  52. // This enum can be used to set `Policies` that apply to all possible
  53. // configuration values rather than specific values in `allowed_values` or
  54. // `denied_values`.
  55. //
  56. // Settting this to `ALLOW` will mean this `Policy` allows all values.
  57. // Similarly, setting it to `DENY` will mean no values are allowed. If
  58. // set to either `ALLOW` or `DENY, `allowed_values` and `denied_values`
  59. // must be unset. Setting this to `ALL_VALUES_UNSPECIFIED` allows for
  60. // setting `allowed_values` and `denied_values`.
  61. enum AllValues {
  62. // Indicates that allowed_values or denied_values must be set.
  63. ALL_VALUES_UNSPECIFIED = 0;
  64. // A policy with this set allows all values.
  65. ALLOW = 1;
  66. // A policy with this set denies all values.
  67. DENY = 2;
  68. }
  69. // List of values allowed at this resource. Can only be set if `all_values`
  70. // is set to `ALL_VALUES_UNSPECIFIED`.
  71. repeated string allowed_values = 1;
  72. // List of values denied at this resource. Can only be set if `all_values`
  73. // is set to `ALL_VALUES_UNSPECIFIED`.
  74. repeated string denied_values = 2;
  75. // The policy all_values state.
  76. AllValues all_values = 3;
  77. // Optional. The Google Cloud Console will try to default to a configuration
  78. // that matches the value specified in this `Policy`. If `suggested_value`
  79. // is not set, it will inherit the value specified higher in the hierarchy,
  80. // unless `inherit_from_parent` is `false`.
  81. string suggested_value = 4;
  82. // Determines the inheritance behavior for this `Policy`.
  83. //
  84. // By default, a `ListPolicy` set at a resource supercedes any `Policy` set
  85. // anywhere up the resource hierarchy. However, if `inherit_from_parent` is
  86. // set to `true`, then the values from the effective `Policy` of the parent
  87. // resource are inherited, meaning the values set in this `Policy` are
  88. // added to the values inherited up the hierarchy.
  89. //
  90. // Setting `Policy` hierarchies that inherit both allowed values and denied
  91. // values isn't recommended in most circumstances to keep the configuration
  92. // simple and understandable. However, it is possible to set a `Policy` with
  93. // `allowed_values` set that inherits a `Policy` with `denied_values` set.
  94. // In this case, the values that are allowed must be in `allowed_values` and
  95. // not present in `denied_values`.
  96. //
  97. // For example, suppose you have a `Constraint`
  98. // `constraints/serviceuser.services`, which has a `constraint_type` of
  99. // `list_constraint`, and with `constraint_default` set to `ALLOW`.
  100. // Suppose that at the Organization level, a `Policy` is applied that
  101. // restricts the allowed API activations to {`E1`, `E2`}. Then, if a
  102. // `Policy` is applied to a project below the Organization that has
  103. // `inherit_from_parent` set to `false` and field all_values set to DENY,
  104. // then an attempt to activate any API will be denied.
  105. //
  106. // The following examples demonstrate different possible layerings for
  107. // `projects/bar` parented by `organizations/foo`:
  108. //
  109. // Example 1 (no inherited values):
  110. // `organizations/foo` has a `Policy` with values:
  111. // {allowed_values: "E1" allowed_values:"E2"}
  112. // `projects/bar` has `inherit_from_parent` `false` and values:
  113. // {allowed_values: "E3" allowed_values: "E4"}
  114. // The accepted values at `organizations/foo` are `E1`, `E2`.
  115. // The accepted values at `projects/bar` are `E3`, and `E4`.
  116. //
  117. // Example 2 (inherited values):
  118. // `organizations/foo` has a `Policy` with values:
  119. // {allowed_values: "E1" allowed_values:"E2"}
  120. // `projects/bar` has a `Policy` with values:
  121. // {value: "E3" value: "E4" inherit_from_parent: true}
  122. // The accepted values at `organizations/foo` are `E1`, `E2`.
  123. // The accepted values at `projects/bar` are `E1`, `E2`, `E3`, and `E4`.
  124. //
  125. // Example 3 (inheriting both allowed and denied values):
  126. // `organizations/foo` has a `Policy` with values:
  127. // {allowed_values: "E1" allowed_values: "E2"}
  128. // `projects/bar` has a `Policy` with:
  129. // {denied_values: "E1"}
  130. // The accepted values at `organizations/foo` are `E1`, `E2`.
  131. // The value accepted at `projects/bar` is `E2`.
  132. //
  133. // Example 4 (RestoreDefault):
  134. // `organizations/foo` has a `Policy` with values:
  135. // {allowed_values: "E1" allowed_values:"E2"}
  136. // `projects/bar` has a `Policy` with values:
  137. // {RestoreDefault: {}}
  138. // The accepted values at `organizations/foo` are `E1`, `E2`.
  139. // The accepted values at `projects/bar` are either all or none depending on
  140. // the value of `constraint_default` (if `ALLOW`, all; if
  141. // `DENY`, none).
  142. //
  143. // Example 5 (no policy inherits parent policy):
  144. // `organizations/foo` has no `Policy` set.
  145. // `projects/bar` has no `Policy` set.
  146. // The accepted values at both levels are either all or none depending on
  147. // the value of `constraint_default` (if `ALLOW`, all; if
  148. // `DENY`, none).
  149. //
  150. // Example 6 (ListConstraint allowing all):
  151. // `organizations/foo` has a `Policy` with values:
  152. // {allowed_values: "E1" allowed_values: "E2"}
  153. // `projects/bar` has a `Policy` with:
  154. // {all: ALLOW}
  155. // The accepted values at `organizations/foo` are `E1`, E2`.
  156. // Any value is accepted at `projects/bar`.
  157. //
  158. // Example 7 (ListConstraint allowing none):
  159. // `organizations/foo` has a `Policy` with values:
  160. // {allowed_values: "E1" allowed_values: "E2"}
  161. // `projects/bar` has a `Policy` with:
  162. // {all: DENY}
  163. // The accepted values at `organizations/foo` are `E1`, E2`.
  164. // No value is accepted at `projects/bar`.
  165. //
  166. // Example 10 (allowed and denied subtrees of Resource Manager hierarchy):
  167. // Given the following resource hierarchy
  168. // O1->{F1, F2}; F1->{P1}; F2->{P2, P3},
  169. // `organizations/foo` has a `Policy` with values:
  170. // {allowed_values: "under:organizations/O1"}
  171. // `projects/bar` has a `Policy` with:
  172. // {allowed_values: "under:projects/P3"}
  173. // {denied_values: "under:folders/F2"}
  174. // The accepted values at `organizations/foo` are `organizations/O1`,
  175. // `folders/F1`, `folders/F2`, `projects/P1`, `projects/P2`,
  176. // `projects/P3`.
  177. // The accepted values at `projects/bar` are `organizations/O1`,
  178. // `folders/F1`, `projects/P1`.
  179. bool inherit_from_parent = 5;
  180. }
  181. // Used in `policy_type` to specify how `boolean_policy` will behave at this
  182. // resource.
  183. message BooleanPolicy {
  184. // If `true`, then the `Policy` is enforced. If `false`, then any
  185. // configuration is acceptable.
  186. //
  187. // Suppose you have a `Constraint`
  188. // `constraints/compute.disableSerialPortAccess` with `constraint_default`
  189. // set to `ALLOW`. A `Policy` for that `Constraint` exhibits the following
  190. // behavior:
  191. // - If the `Policy` at this resource has enforced set to `false`, serial
  192. // port connection attempts will be allowed.
  193. // - If the `Policy` at this resource has enforced set to `true`, serial
  194. // port connection attempts will be refused.
  195. // - If the `Policy` at this resource is `RestoreDefault`, serial port
  196. // connection attempts will be allowed.
  197. // - If no `Policy` is set at this resource or anywhere higher in the
  198. // resource hierarchy, serial port connection attempts will be allowed.
  199. // - If no `Policy` is set at this resource, but one exists higher in the
  200. // resource hierarchy, the behavior is as if the`Policy` were set at
  201. // this resource.
  202. //
  203. // The following examples demonstrate the different possible layerings:
  204. //
  205. // Example 1 (nearest `Constraint` wins):
  206. // `organizations/foo` has a `Policy` with:
  207. // {enforced: false}
  208. // `projects/bar` has no `Policy` set.
  209. // The constraint at `projects/bar` and `organizations/foo` will not be
  210. // enforced.
  211. //
  212. // Example 2 (enforcement gets replaced):
  213. // `organizations/foo` has a `Policy` with:
  214. // {enforced: false}
  215. // `projects/bar` has a `Policy` with:
  216. // {enforced: true}
  217. // The constraint at `organizations/foo` is not enforced.
  218. // The constraint at `projects/bar` is enforced.
  219. //
  220. // Example 3 (RestoreDefault):
  221. // `organizations/foo` has a `Policy` with:
  222. // {enforced: true}
  223. // `projects/bar` has a `Policy` with:
  224. // {RestoreDefault: {}}
  225. // The constraint at `organizations/foo` is enforced.
  226. // The constraint at `projects/bar` is not enforced, because
  227. // `constraint_default` for the `Constraint` is `ALLOW`.
  228. bool enforced = 1;
  229. }
  230. // Ignores policies set above this resource and restores the
  231. // `constraint_default` enforcement behavior of the specific `Constraint` at
  232. // this resource.
  233. //
  234. // Suppose that `constraint_default` is set to `ALLOW` for the
  235. // `Constraint` `constraints/serviceuser.services`. Suppose that organization
  236. // foo.com sets a `Policy` at their Organization resource node that restricts
  237. // the allowed service activations to deny all service activations. They
  238. // could then set a `Policy` with the `policy_type` `restore_default` on
  239. // several experimental projects, restoring the `constraint_default`
  240. // enforcement of the `Constraint` for only those projects, allowing those
  241. // projects to have all services activated.
  242. message RestoreDefault {
  243. }
  244. // Version of the `Policy`. Default version is 0;
  245. int32 version = 1;
  246. // The name of the `Constraint` the `Policy` is configuring, for example,
  247. // `constraints/serviceuser.services`.
  248. //
  249. // Immutable after creation.
  250. string constraint = 2;
  251. // An opaque tag indicating the current version of the `Policy`, used for
  252. // concurrency control.
  253. //
  254. // When the `Policy` is returned from either a `GetPolicy` or a
  255. // `ListOrgPolicy` request, this `etag` indicates the version of the current
  256. // `Policy` to use when executing a read-modify-write loop.
  257. //
  258. // When the `Policy` is returned from a `GetEffectivePolicy` request, the
  259. // `etag` will be unset.
  260. //
  261. // When the `Policy` is used in a `SetOrgPolicy` method, use the `etag` value
  262. // that was returned from a `GetOrgPolicy` request as part of a
  263. // read-modify-write loop for concurrency control. Not setting the `etag`in a
  264. // `SetOrgPolicy` request will result in an unconditional write of the
  265. // `Policy`.
  266. bytes etag = 3;
  267. // The time stamp the `Policy` was previously updated. This is set by the
  268. // server, not specified by the caller, and represents the last time a call to
  269. // `SetOrgPolicy` was made for that `Policy`. Any value set by the client will
  270. // be ignored.
  271. google.protobuf.Timestamp update_time = 4;
  272. // The field to populate is based on the `constraint_type` value in the
  273. // `Constraint`.
  274. // `list_constraint` => `list_policy`
  275. // `boolean_constraint` => `boolean_policy`
  276. //
  277. // A `restore_default` message may be used with any `Constraint` type.
  278. //
  279. // Providing a *_policy that is incompatible with the `constraint_type` will
  280. // result in an `invalid_argument` error.
  281. //
  282. // Attempting to set a `Policy` with a `policy_type` not set will result in an
  283. // `invalid_argument` error.
  284. oneof policy_type {
  285. // List of values either allowed or disallowed.
  286. ListPolicy list_policy = 5;
  287. // For boolean `Constraints`, whether to enforce the `Constraint` or not.
  288. BooleanPolicy boolean_policy = 6;
  289. // Restores the default behavior of the constraint; independent of
  290. // `Constraint` type.
  291. RestoreDefault restore_default = 7;
  292. }
  293. }