1// Copyright 2022 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.orgpolicy.v2;
18
19import "google/api/field_behavior.proto";
20import "google/api/resource.proto";
21import "google/protobuf/timestamp.proto";
22
23option csharp_namespace = "Google.Cloud.OrgPolicy.V2";
24option go_package = "cloud.google.com/go/orgpolicy/apiv2/orgpolicypb;orgpolicypb";
25option java_multiple_files = true;
26option java_outer_classname = "ConstraintProto";
27option java_package = "com.google.cloud.orgpolicy.v2";
28option php_namespace = "Google\\Cloud\\OrgPolicy\\V2";
29option ruby_package = "Google::Cloud::OrgPolicy::V2";
30
// A `Constraint` describes one way in which a resource's configuration can be
// restricted; for example, which cloud services may be activated across an
// organization, or whether a Compute Engine instance may accept serial port
// connections. An organization's policy administrator applies constraints by
// setting a `Policy` at chosen points of the resource hierarchy. Policies are
// inherited downward from higher levels of the hierarchy and can be overridden
// at lower levels; the inheritance rules are described on
// [`policies`][google.cloud.OrgPolicy.v2.Policy].
//
// When no `Policy` is defined or inherited for a resource, the behavior that
// applies is the one named by `constraint_default`. For a constraint whose
// default is `DENY`, "no policy" therefore already means "enforced".
message Constraint {
  option (google.api.resource) = {
    type: "orgpolicy.googleapis.com/Constraint"
    pattern: "projects/{project}/constraints/{constraint}"
    pattern: "folders/{folder}/constraints/{constraint}"
    pattern: "organizations/{organization}/constraints/{constraint}"
  };

  // A `Constraint` with exactly two states: enforced or not enforced.
  //
  // Example: `constraints/compute.disableSerialPortAccess`. When enforced on
  // a VM instance, serial port connections to that instance are not opened.
  message BooleanConstraint {}

  // A `Constraint` whose effect is to allow or deny a list of string values;
  // the list itself is supplied by the organization's policy administrator
  // through a `Policy`.
  message ListConstraint {
    // Whether `Policy.allowed_values` and `Policy.denied_values` may name a
    // whole category of values with the `in:` prefix. For example,
    // `"in:Python"` matches every value in the 'Python' group.
    bool supports_in = 1;

    // Whether `Policy.allowed_values` and `Policy.denied_values` may name a
    // subtree of the Cloud Resource Manager hierarchy with the `under:`
    // prefix. For example, `"under:folders/123"` matches any resource below
    // the 'folders/123' folder, so one such value widens or narrows the
    // policy for that entire subtree.
    bool supports_under = 2;
  }

  // Enforcement behavior used when no `Policy` applies to the resource.
  // A real constraint never carries `CONSTRAINT_DEFAULT_UNSPECIFIED`.
  //
  // Immutable after creation.
  //
  // NOTE(review): the non-zero values carry no `CONSTRAINT_DEFAULT_` prefix.
  // This is a published API, so they are kept as-is; renaming an enum value
  // changes generated code and JSON output even though the wire value stays
  // the same.
  enum ConstraintDefault {
    // Zero value, present only to distinguish "unset"; never a real default.
    CONSTRAINT_DEFAULT_UNSPECIFIED = 0;

    // List constraints: every value is allowed.
    // Boolean constraints: enforcement is off.
    ALLOW = 1;

    // List constraints: every value is denied.
    // Boolean constraints: enforcement is on.
    DENY = 2;
  }

  // Immutable. Resource name of the Constraint, in one of these forms:
  // * `projects/{project_number}/constraints/{constraint_name}`
  // * `folders/{folder_id}/constraints/{constraint_name}`
  // * `organizations/{organization_id}/constraints/{constraint_name}`
  //
  // For example, `projects/123/constraints/compute.disableSerialPortAccess`
  // (no leading slash, matching the resource patterns above).
  string name = 1 [
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Mutable. Human-readable name.
  string display_name = 2;

  // Mutable. Detailed description of what this `Constraint` controls, and how
  // and where it is enforced.
  string description = 3;

  // Behavior evaluated for this constraint when no `Policy` is present.
  ConstraintDefault constraint_default = 4;

  // Which kind of restriction this `Constraint` imposes.
  //
  // Immutable after creation.
  oneof constraint_type {
    // Marks this constraint as a `ListConstraint`.
    ListConstraint list_constraint = 5;

    // Marks this constraint as a `BooleanConstraint`.
    BooleanConstraint boolean_constraint = 6;
  }
}