// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.kms.inventory.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.Kms.Inventory.V1";
option go_package = "cloud.google.com/go/kms/inventory/apiv1/inventorypb;inventorypb";
option java_multiple_files = true;
option java_outer_classname = "KeyTrackingServiceProto";
option java_package = "com.google.cloud.kms.inventory.v1";
option php_namespace = "Google\\Cloud\\Kms\\Inventory\\V1";

// Returns information about the resources in an org that are protected by a
// given Cloud KMS key via CMEK.
//
// Both RPCs are served from the `kmsinventory.googleapis.com` host and are
// gated on the `cloud-platform` OAuth scope declared below.
service KeyTrackingService {
  option (google.api.default_host) = "kmsinventory.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Returns aggregate information about the resources protected by the given
  // Cloud KMS [CryptoKey][google.cloud.kms.v1.CryptoKey]. Only resources within
  // the same Cloud organization as the key will be returned. The project that
  // holds the key must be part of an organization in order for this call to
  // succeed.
  //
  // The HTTP binding takes the CryptoKey name in `name` and appends
  // `/protectedResourcesSummary` to it; the `cryptoKeys/**` segment lets the
  // path continue past the key (see the second resource pattern on
  // ProtectedResourcesSummary).
  rpc GetProtectedResourcesSummary(GetProtectedResourcesSummaryRequest)
      returns (ProtectedResourcesSummary) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/keyRings/*/cryptoKeys/**}/protectedResourcesSummary"
    };
    option (google.api.method_signature) = "name";
  }

  // Returns metadata about the resources protected by the given Cloud KMS
  // [CryptoKey][google.cloud.kms.v1.CryptoKey] in the given Cloud organization.
  //
  // Results are paginated; see `page_size` and `page_token` on the request
  // and `next_page_token` on the response.
  rpc SearchProtectedResources(SearchProtectedResourcesRequest)
      returns (SearchProtectedResourcesResponse) {
    option (google.api.http) = {
      get: "/v1/{scope=organizations/*}/protectedResources:search"
    };
    option (google.api.method_signature) = "scope, crypto_key";
  }
}

// Request message for
// [KeyTrackingService.GetProtectedResourcesSummary][google.cloud.kms.inventory.v1.KeyTrackingService.GetProtectedResourcesSummary].
message GetProtectedResourcesSummaryRequest {
  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // Although the value is a CryptoKey name, the resource reference below
  // points at the ProtectedResourcesSummary derived from it, which is what the
  // HTTP binding resolves by appending `/protectedResourcesSummary`.
  // NOTE(review): the binding's `cryptoKeys/**` segment and the second
  // ProtectedResourcesSummary pattern suggest a CryptoKeyVersion name is also
  // accepted here — confirm against the service before relying on it.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "kmsinventory.googleapis.com/ProtectedResourcesSummary"
    }
  ];
}

// Aggregate information about the resources protected by a Cloud KMS key in the
// same Cloud organization as the key.
//
// Field numbers in this message are not in declaration order (`name` is 5,
// `cloud_products` is 6); they identify fields on the wire and must not be
// renumbered to tidy them up.
message ProtectedResourcesSummary {
  option (google.api.resource) = {
    type: "kmsinventory.googleapis.com/ProtectedResourcesSummary"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/protectedResourcesSummary"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/protectedResourcesSummary"
  };

  // The full name of the ProtectedResourcesSummary resource.
  // Example:
  // projects/test-project/locations/us/keyRings/test-keyring/cryptoKeys/test-key/protectedResourcesSummary
  string name = 5;

  // The total number of protected resources in the same Cloud organization as
  // the key.
  int64 resource_count = 1;

  // The number of distinct Cloud projects in the same Cloud organization as the
  // key that have resources protected by the key.
  int32 project_count = 2;

  // The number of resources protected by the key grouped by resource type.
  // Keys are resource type strings (for example the form used by
  // ProtectedResource.resource_type); values are counts.
  map<string, int64> resource_types = 3;

  // The number of resources protected by the key grouped by Cloud product.
  // Keys are product names (the form used by ProtectedResource.cloud_product);
  // values are counts.
  map<string, int64> cloud_products = 6;

  // The number of resources protected by the key grouped by region.
  // Keys are location strings (the form used by ProtectedResource.location);
  // values are counts.
  map<string, int64> locations = 4;
}

// Request message for
// [KeyTrackingService.SearchProtectedResources][google.cloud.kms.inventory.v1.KeyTrackingService.SearchProtectedResources].
message SearchProtectedResourcesRequest {
  // Required. Resource name of the organization.
  // Example: organizations/123
  //
  // This is the `{scope=organizations/*}` path segment of the HTTP binding, so
  // only organization-scoped searches are expressible.
  string scope = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Organization"
    }
  ];

  // Required. The resource name of the
  // [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // The resource reference is a wildcard (`type: "*"`), so generated clients
  // do not constrain the format of this value; the format is presumably
  // validated by the service.
  string crypto_key = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = { type: "*" }
  ];

  // The maximum number of resources to return. The service may return fewer
  // than this value.
  // If unspecified, at most 500 resources will be returned.
  // The maximum value is 500; values above 500 will be coerced to 500.
  int32 page_size = 3;

  // A page token, received from a previous
  // [KeyTrackingService.SearchProtectedResources][google.cloud.kms.inventory.v1.KeyTrackingService.SearchProtectedResources]
  // call. Provide this to retrieve the subsequent page.
  //
  // When paginating, all other parameters provided to
  // [KeyTrackingService.SearchProtectedResources][google.cloud.kms.inventory.v1.KeyTrackingService.SearchProtectedResources]
  // must match the call that provided the page token.
  string page_token = 4;

  // Optional. A list of resource types that this request searches for. If
  // empty, it will search all the [trackable resource
  // types](https://cloud.google.com/kms/docs/view-key-usage#tracked-resource-types).
  //
  // Regular expressions are also supported. For example:
  //
  // * `compute.googleapis.com.*` snapshots resources whose type starts
  // with `compute.googleapis.com`.
  // * `.*Image` snapshots resources whose type ends with `Image`.
  // * `.*Image.*` snapshots resources whose type contains `Image`.
  //
  // See [RE2](https://github.com/google/re2/wiki/Syntax) for all supported
  // regular expression syntax. If the regular expression does not match any
  // supported resource type, an INVALID_ARGUMENT error will be returned.
  //
  // Each entry is matched only against the set of supported resource types,
  // so a pattern can narrow the search but cannot select a type outside that
  // set.
  repeated string resource_types = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for
// [KeyTrackingService.SearchProtectedResources][google.cloud.kms.inventory.v1.KeyTrackingService.SearchProtectedResources].
message SearchProtectedResourcesResponse {
  // Protected resources for this page.
  repeated ProtectedResource protected_resources = 1;

  // A token that can be sent as `page_token` to retrieve the next page.
  // If this field is omitted, there are no subsequent pages.
  string next_page_token = 2;
}

// Metadata about a resource protected by a Cloud KMS key.
message ProtectedResource {
  option (google.api.resource) = {
    type: "cloudasset.googleapis.com/Asset"
    pattern: "*"
  };

  // The full resource name of the resource.
  // Example:
  // `//compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1`.
  string name = 1;

  // The project that owns the resource, as a project-number resource name.
  // Format: `projects/{PROJECT_NUMBER}`.
  string project = 2;

  // The ID of the project that owns the resource.
  string project_id = 9;

  // The Cloud product that owns the resource.
  // Example: `compute`
  string cloud_product = 8;

  // The type of the resource.
  // Example: `compute.googleapis.com/Disk`
  string resource_type = 3;

  // Location can be `global`, regional like `us-east1`, or zonal like
  // `us-west1-b`.
  string location = 4;

  // A key-value pair of the resource's labels (v1) to their values.
  map<string, string> labels = 5;

  // The name of the Cloud KMS
  // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions?hl=en)
  // used to protect this resource via CMEK. This field is empty if the
  // Google Cloud product owning the resource does not provide key version data
  // to Asset Inventory. If there are multiple key versions protecting the
  // resource, then this is same value as the first element of
  // crypto_key_versions.
  string crypto_key_version = 6 [(google.api.resource_reference) = {
    type: "cloudkms.googleapis.com/CryptoKeyVersion"
  }];

  // The names of the Cloud KMS
  // [CryptoKeyVersion](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions?hl=en)
  // used to protect this resource via CMEK. This field is empty if the
  // Google Cloud product owning the resource does not provide key versions data
  // to Asset Inventory. The first element of this field is stored in
  // crypto_key_version.
  repeated string crypto_key_versions = 10 [(google.api.resource_reference) = {
    type: "cloudkms.googleapis.com/CryptoKeyVersion"
  }];

  // Output only. The time at which this resource was created. The granularity
  // is in seconds. Timestamp.nanos will always be 0.
  google.protobuf.Timestamp create_time = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];
}