// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.assuredworkloads.v1beta1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.AssuredWorkloads.V1Beta1";
option go_package = "cloud.google.com/go/assuredworkloads/apiv1beta1/assuredworkloadspb;assuredworkloadspb";
option java_multiple_files = true;
option java_outer_classname = "AssuredworkloadsProto";
option java_package = "com.google.cloud.assuredworkloads.v1beta1";
option php_namespace = "Google\\Cloud\\AssuredWorkloads\\V1beta1";
option ruby_package = "Google::Cloud::AssuredWorkloads::V1beta1";
option (google.api.resource_definition) = {
  type: "assuredworkloads.googleapis.com/Location"
  pattern: "organizations/{organization}/locations/{location}"
};

// Request for creating a workload.
//
// The metadata attached to the resulting operation is
// `CreateWorkloadOperationMetadata` (defined at the end of this file).
message CreateWorkloadRequest {
  // Required. The resource name of the new Workload's parent.
  // Must be of the form `organizations/{org_id}/locations/{location_id}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Required. The Assured Workload to create. Fields on `Workload` marked
  // OUTPUT_ONLY are ignored on input; fields marked INPUT_ONLY are accepted
  // here but not returned by later reads.
  Workload workload = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. An identifier associated with the workload and its underlying
  // projects which allows billing costs to be broken down per workload. The
  // value is applied as a label to the workload and to every contained
  // project, with the identifier as the label value.
  //
  // Because it is surfaced as a resource label, treat this value as
  // non-secret metadata: do not place credentials, personal data or other
  // sensitive information in it.
  string external_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request for updating a workload.
//
// There is no separate etag field on this request; to get
// compare-and-update semantics, populate `workload.etag` with the value
// returned by a previous read (see `Workload.etag`, which states it is used
// in Update operations). Fields annotated IMMUTABLE on `Workload` (for
// example `compliance_regime`) cannot be changed after creation.
message UpdateWorkloadRequest {
  // Required. The workload to update.
  // The workload's `name` field is used to identify the workload to be updated.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  Workload workload = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to be updated. Paths are the snake_case
  // field names of `Workload` (e.g. `display_name`, `labels`).
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request for restricting the list of resources (GCP products) that may be
// used inside a Workload environment.
//
// Security note: per the enum comments below, this call changes the
// service-usage org policy on the workload's folder, and
// `ALLOW_ALL_GCP_RESOURCES` removes that compliance guardrail entirely.
// Restrict who may call this RPC and audit its use.
message RestrictAllowedResourcesRequest {
  // The type of restriction.
  enum RestrictionType {
    // Zero value / unknown restriction type. `restriction_type` is REQUIRED,
    // so a request carrying this value is expected to be rejected — TODO
    // confirm server behavior.
    RESTRICTION_TYPE_UNSPECIFIED = 0;

    // Allow the use of all GCP products, irrespective of compliance
    // posture. This effectively removes the gcp.restrictServiceUsage OrgPolicy
    // on the AssuredWorkloads Folder, i.e. it disables the product-level
    // compliance guardrail for the whole workload.
    ALLOW_ALL_GCP_RESOURCES = 1;

    // Allow only products that are compliant for the workload's compliance
    // regime; the allowed list therefore varies by regime.
    // See - https://cloud.google.com/assured-workloads/docs/supported-products
    // for the list of supported resources.
    ALLOW_COMPLIANT_RESOURCES = 2;
  }

  // Required. The resource name of the Workload. This is the workload's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  //
  // NOTE(review): unlike GetWorkloadRequest and DeleteWorkloadRequest, this
  // field carries no (google.api.resource_reference) annotation; consider
  // adding one for consistency with the other request messages.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The type of restriction for using GCP products in the Workload
  // environment.
  RestrictionType restriction_type = 2 [(google.api.field_behavior) = REQUIRED];
}

// Response for restricting the list of allowed resources.
//
// Deliberately empty; defined as its own message rather than
// google.protobuf.Empty so fields can be added later without changing the
// RPC signature.
message RestrictAllowedResourcesResponse {

}

// Request for deleting a Workload.
message DeleteWorkloadRequest {
  // Required. The `name` field is used to identify the workload.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Optional. The etag of the workload.
  // If this is provided, it must match the server's etag; if omitted, no
  // etag precondition is checked and the delete proceeds regardless of any
  // concurrent modification. Callers that read the workload before deleting
  // it should pass the `etag` they observed to get compare-and-delete
  // semantics.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request for fetching a workload.
//
// Per `Workload.saa_enrollment_response`, the SAA enrollment status is
// evaluated as part of this call.
message GetWorkloadRequest {
  // Required. The resource name of the Workload to fetch. This is the
  // workload's relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];
}

// A request to analyze a hypothetical move of a source project or project-based
// workload to a target (destination) folder-based workload.
//
// The analysis is read-only: nothing is moved; see
// `AnalyzeWorkloadMoveResponse` for the blockers it reports.
message AnalyzeWorkloadMoveRequest {
  // The resource to be moved to the destination workload. It can be either
  // an existing project or a project-based workload. Neither member carries a
  // field_behavior annotation, but presumably exactly one must be set —
  // confirm with the service.
  //
  // NOTE(review): the oneof name `projectOrWorkloadResource` is not
  // lower_snake_case; renaming it is wire-safe but changes generated
  // accessors, so it is left as is.
  oneof projectOrWorkloadResource {
    // The source type is a project-based workload. Specify the workload's
    // relative resource name, formatted as:
    // "organizations/{ORGANIZATION_ID}/locations/{LOCATION_ID}/workloads/{WORKLOAD_ID}"
    // For example:
    // "organizations/123/locations/us-east1/workloads/assured-workload-1"
    string source = 1;

    // The source type is a project. Specify the project's relative resource
    // name, formatted as either a project number or a project ID:
    // "projects/{PROJECT_NUMBER}" or "projects/{PROJECT_ID}"
    // For example:
    // "projects/951040570662" when specifying a project number, or
    // "projects/my-project-123" when specifying a project ID.
    string project = 3;
  }

  // Required. The resource ID of the folder-based destination workload. This
  // workload is where the source project would hypothetically be moved to.
  // Specify the workload's relative resource name, formatted as:
  // "organizations/{ORGANIZATION_ID}/locations/{LOCATION_ID}/workloads/{WORKLOAD_ID}"
  // For example:
  // "organizations/123/locations/us-east1/workloads/assured-workload-2"
  string target = 2 [(google.api.field_behavior) = REQUIRED];
}

// A response that includes the analysis of the hypothetical resource move.
message AnalyzeWorkloadMoveResponse {
  // A list of blockers that should be addressed before moving the source
  // project or project-based workload to the destination folder-based
  // workload. Empty means no blockers were found. Entries appear to be
  // free-form human-readable text; do not rely on their exact wording
  // programmatically.
  repeated string blockers = 1;
}

// Request for fetching workloads in an organization.
message ListWorkloadsRequest {
  // Required. Parent resource to list workloads from.
  // Must be of the form `organizations/{org_id}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Page size: the maximum number of workloads to return in one page. The
  // behavior for 0 (server-chosen default) is not specified here — confirm
  // with the service.
  int32 page_size = 2;

  // Page token returned from a previous request. The token carries context
  // from that request and must be passed back verbatim in the second and
  // following requests. Treat it as opaque: do not construct or inspect it.
  string page_token = 3;

  // A custom filter for filtering by properties of a workload. At this time,
  // only filtering by labels is supported. The filter syntax is not
  // documented in this file.
  string filter = 4;
}

// Response of the ListWorkloads endpoint.
message ListWorkloadsResponse {
  // List of Workloads under the given parent.
  repeated Workload workloads = 1;

  // The next page token. Empty when the last page has been reached.
  string next_page_token = 2;
}

// A Workload object for managing highly regulated workloads of cloud
// customers.
//
// NOTE(review): field numbers 16, 19, 21, 22 and 23 are neither used nor
// `reserved`. If they belonged to removed fields they should be reserved
// (number and name) so they cannot be reused with a different meaning.
message Workload {
  option (google.api.resource) = {
    type: "assuredworkloads.googleapis.com/Workload"
    pattern: "organizations/{organization}/locations/{location}/workloads/{workload}"
  };

  // Represents a resource that is a child of this Workload.
  message ResourceInfo {
    // The type of resource.
    enum ResourceType {
      // Unknown resource type.
      RESOURCE_TYPE_UNSPECIFIED = 0;

      // Deprecated. Existing workloads will continue to support this, but new
      // CreateWorkloadRequests should not specify this as an input value.
      CONSUMER_PROJECT = 1 [deprecated = true];

      // Consumer Folder. (Declared out of numeric order; the wire value is 4.)
      CONSUMER_FOLDER = 4;

      // Consumer project containing encryption keys.
      ENCRYPTION_KEYS_PROJECT = 2;

      // Keyring resource that hosts encryption keys.
      KEYRING = 3;
    }

    // Resource identifier.
    // For a project this represents the project_number. The meaning for
    // other resource types is not stated here.
    int64 resource_id = 1;

    // Indicates the type of resource.
    ResourceType resource_type = 2;
  }

  // Supported Compliance Regimes.
  enum ComplianceRegime {
    // Unknown compliance regime.
    COMPLIANCE_REGIME_UNSPECIFIED = 0;

    // Information protection as per DoD IL4 requirements.
    IL4 = 1;

    // Criminal Justice Information Services (CJIS) Security policies.
    CJIS = 2;

    // FedRAMP High data protection controls.
    FEDRAMP_HIGH = 3;

    // FedRAMP Moderate data protection controls.
    FEDRAMP_MODERATE = 4;

    // Assured Workloads for US Regions data protection controls.
    US_REGIONAL_ACCESS = 5;

    // Health Insurance Portability and Accountability Act controls.
    HIPAA = 6;

    // Health Information Trust Alliance controls.
    HITRUST = 7;

    // Assured Workloads for EU Regions and Support controls.
    EU_REGIONS_AND_SUPPORT = 8;

    // Assured Workloads for Canada Regions and Support controls.
    CA_REGIONS_AND_SUPPORT = 9;

    // International Traffic in Arms Regulations.
    ITAR = 10;

    // Assured Workloads for Australia Regions and Support controls.
    // NOTE(review): the value name says "US_SUPPORT" while this description
    // says only "Support" — confirm which is intended.
    AU_REGIONS_AND_US_SUPPORT = 11;
  }

  // Settings specific to the Key Management Service.
  //
  // Deprecated (see `Workload.kms_settings`): to provision a keyring, specify
  // ENCRYPTION_KEYS_PROJECT or KEYRING in `ResourceSettings.resource_type`
  // instead.
  message KMSSettings {
    option deprecated = true;

    // Required. Input only. Immutable. The time at which the Key Management
    // Service will automatically create a new version of the crypto key and
    // mark it as the primary.
    google.protobuf.Timestamp next_rotation_time = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Required. Input only. Immutable. [next_rotation_time] will be advanced
    // by this period when the Key Management Service automatically rotates a
    // key. Must be at least 24 hours and at most 876,000 hours (100 years).
    // The upper bound is permissive; choose a period that satisfies the
    // key-rotation requirements of the workload's compliance regime rather
    // than the maximum.
    google.protobuf.Duration rotation_period = 2 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for IL4.
  // Deprecated along with `KMSSettings`; use `ResourceSettings` instead.
  message IL4Settings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for CJIS.
  // Deprecated along with `KMSSettings`; use `ResourceSettings` instead.
  message CJISSettings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for FedRAMP High.
  // Deprecated along with `KMSSettings`; use `ResourceSettings` instead.
  message FedrampHighSettings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Settings specific to resources needed for FedRAMP Moderate.
  // Deprecated along with `KMSSettings`; use `ResourceSettings` instead.
  message FedrampModerateSettings {
    option deprecated = true;

    // Input only. Immutable. Settings used to create a CMEK crypto key.
    KMSSettings kms_settings = 1 [
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Represents the custom settings for the resources to be created.
  message ResourceSettings {
    // Resource identifier.
    // For a project this represents the project_id. If the project ID is
    // already taken, the workload creation will fail.
    // For a KeyRing, this represents the keyring_id.
    // For a folder, don't set this value, as the folder_id is assigned by
    // Google.
    string resource_id = 1;

    // Indicates the type of resource. This field should be specified to
    // map the id to the right project type (CONSUMER_PROJECT or
    // ENCRYPTION_KEYS_PROJECT). Note that CONSUMER_PROJECT is deprecated for
    // new workloads (see `ResourceInfo.ResourceType`).
    ResourceInfo.ResourceType resource_type = 2;

    // User-assigned resource display name.
    // If not empty, it will be used to create a resource with the specified
    // name.
    string display_name = 3;
  }

  // Key Access Justifications (KAJ) enrollment state.
  enum KajEnrollmentState {
    // Default state for KAJ enrollment.
    KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0;

    // Pending state for KAJ enrollment.
    KAJ_ENROLLMENT_STATE_PENDING = 1;

    // Complete state for KAJ enrollment.
    KAJ_ENROLLMENT_STATE_COMPLETE = 2;
  }

  // Signed Access Approvals (SAA) enrollment response.
  message SaaEnrollmentResponse {
    // Setup state of SAA enrollment.
    // NOTE(review): the non-zero values use a `STATUS_` prefix rather than
    // the enum's `SETUP_STATE_` prefix; renaming would change generated
    // code, so they are left as is.
    enum SetupState {
      // Unspecified.
      SETUP_STATE_UNSPECIFIED = 0;

      // SAA enrollment pending.
      STATUS_PENDING = 1;

      // SAA enrollment completed.
      STATUS_COMPLETE = 2;
    }

    // Setup error of SAA enrollment.
    enum SetupError {
      // Unspecified.
      SETUP_ERROR_UNSPECIFIED = 0;

      // Invalid state for all customers; the customer is redirected to the
      // Access Approval UI for additional details.
      ERROR_INVALID_BASE_SETUP = 1;

      // Returned when there is no EKM (external key manager) key configured.
      ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2;

      // Returned when there are no enrolled services or the customer is
      // enrolled in CAA only for a subset of services.
      ERROR_NOT_ALL_SERVICES_ENROLLED = 3;

      // Returned when an exception was encountered during evaluation of other
      // criteria.
      ERROR_SETUP_CHECK_FAILED = 4;
    }

    // Indicates the SAA enrollment status of a given workload. Declared
    // `optional` so that "not evaluated" (field absent) is distinguishable
    // from SETUP_STATE_UNSPECIFIED.
    optional SetupState setup_status = 1;

    // Indicates SAA enrollment setup errors, if any. Empty when there are
    // none.
    repeated SetupError setup_errors = 2;
  }

  // Optional. The resource name of the workload.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}
  //
  // Read-only: assigned by the server on creation. It is annotated OPTIONAL
  // because clients populate it when this message is embedded in an
  // UpdateWorkloadRequest, where it identifies the workload to update.
  string name = 1 [(google.api.field_behavior) = OPTIONAL];

  // Required. The user-assigned display name of the Workload.
  // When present it must be between 4 and 30 characters.
  // Allowed characters are: lowercase and uppercase letters, numbers,
  // hyphen, and spaces.
  //
  // Example: My Workload
  string display_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Output only. The resources associated with this workload.
  // These resources will be created when creating the workload.
  // If any of the projects already exist, the workload creation will fail.
  // Always read only.
  repeated ResourceInfo resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. Compliance Regime associated with this workload.
  // Cannot be changed after creation.
  ComplianceRegime compliance_regime = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. The Workload creation timestamp.
  google.protobuf.Timestamp create_time = 5 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. The billing account used for the resources which are
  // direct children of the workload. This billing account is initially
  // associated with the resources created as part of Workload creation.
  // After the initial creation of these resources, the customer can change
  // the assigned billing account.
  // The resource name has the form
  // `billingAccounts/{billing_account_id}`. For example,
  // `billingAccounts/012345-567890-ABCDEF`.
  string billing_account = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Settings specific to the selected [compliance_regime].
  // Every member is deprecated; use `resource_settings` instead.
  oneof compliance_regime_settings {
    // Input only. Immutable. Settings specific to resources needed for IL4.
    IL4Settings il4_settings = 7 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Input only. Immutable. Settings specific to resources needed for CJIS.
    CJISSettings cjis_settings = 8 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Input only. Immutable. Settings specific to resources needed for
    // FedRAMP High.
    FedrampHighSettings fedramp_high_settings = 11 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Input only. Immutable. Settings specific to resources needed for
    // FedRAMP Moderate.
    FedrampModerateSettings fedramp_moderate_settings = 12 [
      deprecated = true,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Optional. ETag of the workload, calculated from the Workload contents.
  // It is used as an optimistic-concurrency precondition in Update and
  // Delete operations: echo it back in `UpdateWorkloadRequest.workload.etag`
  // or `DeleteWorkloadRequest.etag` so a stale client cannot overwrite or
  // delete a workload that changed since it was read.
  string etag = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Labels applied to the workload. Labels are ordinary resource
  // metadata, not a place for sensitive values.
  map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL];

  // Input only. The parent resource for the resources managed by this
  // Assured Workload. May be either empty or a folder resource which is a
  // child of the Workload parent. If not specified, all resources are
  // created under the parent organization.
  // Format:
  // folders/{folder_id}
  string provisioned_resources_parent = 13 [(google.api.field_behavior) = INPUT_ONLY];

  // Input only. Settings used to create a CMEK crypto key. When set, a
  // project with a KMS CMEK key is provisioned.
  // This field is deprecated as of Feb 28, 2022.
  // In order to create a Keyring, callers should specify
  // ENCRYPTION_KEYS_PROJECT or KEYRING in the ResourceSettings.resource_type
  // field.
  KMSSettings kms_settings = 14 [
    deprecated = true,
    (google.api.field_behavior) = INPUT_ONLY
  ];

  // Input only. Resource properties that are used to customize workload
  // resources. These properties (such as a custom project id) will be used
  // to create workload resources if possible. This field is optional.
  repeated ResourceSettings resource_settings = 15 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. Represents the KAJ enrollment state of the given workload.
  KajEnrollmentState kaj_enrollment_state = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Indicates the sovereignty status of the given workload.
  // Currently meant to be used by Europe/Canada customers. Whether it can be
  // disabled after creation is not stated here — confirm with the service.
  bool enable_sovereign_controls = 18 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Represents the SAA enrollment response of the given
  // workload. The SAA enrollment response is queried during the GetWorkload
  // call. In failure cases, a user-friendly error message is shown in the
  // SAA details page.
  SaaEnrollmentResponse saa_enrollment_response = 20 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. URLs of services which are compliant for this Assured
  // Workload but are currently disallowed by the ResourceUsageRestriction
  // org policy. Invoke the RestrictAllowedResources endpoint (presumably with
  // ALLOW_COMPLIANT_RESOURCES — confirm) to allow your project developers to
  // use these services in their environment.
  repeated string compliant_but_disallowed_services = 24 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Operation metadata giving the request details of a CreateWorkload call.
// All fields are optional because the metadata echoes the request; it is
// not authoritative for the created Workload.
message CreateWorkloadOperationMetadata {
  // Optional. Time when the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The display name of the workload.
  string display_name = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The parent of the workload.
  string parent = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Compliance controls that should be applied to the resources
  // managed by the workload.
  Workload.ComplianceRegime compliance_regime = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Resource properties in the input that are used for
  // creating/customizing workload resources.
  repeated Workload.ResourceSettings resource_settings = 5 [(google.api.field_behavior) = OPTIONAL];
}