1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.orgpolicy.v2;
18
19import "google/api/annotations.proto";
20import "google/api/client.proto";
21import "google/api/field_behavior.proto";
22import "google/api/resource.proto";
23import "google/cloud/orgpolicy/v2/constraint.proto";
24import "google/protobuf/empty.proto";
25import "google/protobuf/field_mask.proto";
26import "google/protobuf/timestamp.proto";
27import "google/type/expr.proto";
28
// Per-language code generation options. They set the package, namespace or
// class layout of the generated client code and do not change the wire format.
29option csharp_namespace = "Google.Cloud.OrgPolicy.V2";
30option go_package = "cloud.google.com/go/orgpolicy/apiv2/orgpolicypb;orgpolicypb";
31option java_multiple_files = true;
32option java_outer_classname = "OrgPolicyProto";
33option java_package = "com.google.cloud.orgpolicy.v2";
34option php_namespace = "Google\\Cloud\\OrgPolicy\\V2";
35option ruby_package = "Google::Cloud::OrgPolicy::V2";
36
37// An interface for managing organization policies.
38//
39// The Organization Policy Service provides a simple mechanism for
40// organizations to restrict the allowed configurations across their entire
41// resource hierarchy.
42//
43// You can use a policy to configure restrictions on resources. For
44// example, you can enforce a policy that restricts which Google
45// Cloud APIs can be activated in a certain part of your resource
46// hierarchy, or prevents serial port access to VM instances in a
47// particular folder.
48//
49// Policies are inherited down through the resource hierarchy. A policy
50// applied to a parent resource automatically applies to all its child resources
51// unless overridden with a policy lower in the hierarchy.
52//
53// A constraint defines an aspect of a resource's configuration that can be
54// controlled by an organization's policy administrator. Policies are a
55// collection of constraints that defines their allowable configuration on a
56// particular resource and its child resources.
//
// The policy methods below are bound to project, folder and organization
// paths; the custom constraint methods are bound to organization paths only.
57service OrgPolicy {
58  option (google.api.default_host) = "orgpolicy.googleapis.com";
  // NOTE(review): `cloud-platform` is the only OAuth scope declared, and this
  // file carries no per-method permission annotations. Which principals may
  // call the mutating methods is decided outside this file — confirm against
  // the access-control configuration before granting the scope.
59  option (google.api.oauth_scopes) =
60      "https://www.googleapis.com/auth/cloud-platform";
61
62  // Lists constraints that could be applied on the specified resource.
63  rpc ListConstraints(ListConstraintsRequest)
64      returns (ListConstraintsResponse) {
65    option (google.api.http) = {
66      get: "/v2/{parent=projects/*}/constraints"
67      additional_bindings { get: "/v2/{parent=folders/*}/constraints" }
68      additional_bindings { get: "/v2/{parent=organizations/*}/constraints" }
69    };
70    option (google.api.method_signature) = "parent";
71  }
72
73  // Retrieves all of the policies that exist on a particular resource.
74  rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse) {
75    option (google.api.http) = {
76      get: "/v2/{parent=projects/*}/policies"
77      additional_bindings { get: "/v2/{parent=folders/*}/policies" }
78      additional_bindings { get: "/v2/{parent=organizations/*}/policies" }
79    };
80    option (google.api.method_signature) = "parent";
81  }
82
83  // Gets a policy on a resource.
84  //
85  // If no policy is set on the resource, `NOT_FOUND` is returned. The
86  // `etag` value can be used with `UpdatePolicy()` to update a
87  // policy during read-modify-write.
88  rpc GetPolicy(GetPolicyRequest) returns (Policy) {
89    option (google.api.http) = {
90      get: "/v2/{name=projects/*/policies/*}"
91      additional_bindings { get: "/v2/{name=folders/*/policies/*}" }
92      additional_bindings { get: "/v2/{name=organizations/*/policies/*}" }
93    };
94    option (google.api.method_signature) = "name";
95  }
96
97  // Gets the effective policy on a resource. This is the result of merging
98  // policies in the resource hierarchy and evaluating conditions. The
99  // returned policy will not have an `etag` or `condition` set because it is
100  // an evaluated policy across multiple resources.
101  // Subtrees of Resource Manager resource hierarchy with 'under:' prefix will
102  // not be expanded.
103  rpc GetEffectivePolicy(GetEffectivePolicyRequest) returns (Policy) {
104    option (google.api.http) = {
105      get: "/v2/{name=projects/*/policies/*}:getEffectivePolicy"
106      additional_bindings {
107        get: "/v2/{name=folders/*/policies/*}:getEffectivePolicy"
108      }
109      additional_bindings {
110        get: "/v2/{name=organizations/*/policies/*}:getEffectivePolicy"
111      }
112    };
113    option (google.api.method_signature) = "name";
114  }
115
116  // Creates a policy.
117  //
118  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
119  // constraint does not exist.
120  // Returns a `google.rpc.Status` with `google.rpc.Code.ALREADY_EXISTS` if the
121  // policy already exists on the given Google Cloud resource.
122  rpc CreatePolicy(CreatePolicyRequest) returns (Policy) {
123    option (google.api.http) = {
124      post: "/v2/{parent=projects/*}/policies"
125      body: "policy"
126      additional_bindings {
127        post: "/v2/{parent=folders/*}/policies"
128        body: "policy"
129      }
130      additional_bindings {
131        post: "/v2/{parent=organizations/*}/policies"
132        body: "policy"
133      }
134    };
135    option (google.api.method_signature) = "parent,policy";
136  }
137
138  // Updates a policy.
139  //
140  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
141  // constraint or the policy do not exist.
142  // Returns a `google.rpc.Status` with `google.rpc.Code.ABORTED` if the etag
143  // supplied in the request does not match the persisted etag of the policy.
144  //
145  // Note: the supplied policy will perform a full overwrite of all
146  // fields.
  //
  // NOTE(review): `UpdatePolicyRequest` also defines an `update_mask`. Confirm
  // whether the mask narrows this full overwrite before relying on a partial
  // update; an unintended full overwrite replaces the existing `spec`,
  // including its `rules`.
147  rpc UpdatePolicy(UpdatePolicyRequest) returns (Policy) {
148    option (google.api.http) = {
149      patch: "/v2/{policy.name=projects/*/policies/*}"
150      body: "policy"
151      additional_bindings {
152        patch: "/v2/{policy.name=folders/*/policies/*}"
153        body: "policy"
154      }
155      additional_bindings {
156        patch: "/v2/{policy.name=organizations/*/policies/*}"
157        body: "policy"
158      }
159    };
160    option (google.api.method_signature) = "policy";
161  }
162
163  // Deletes a policy.
164  //
165  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
166  // constraint or organization policy does not exist.
167  rpc DeletePolicy(DeletePolicyRequest) returns (google.protobuf.Empty) {
168    option (google.api.http) = {
169      delete: "/v2/{name=projects/*/policies/*}"
170      additional_bindings { delete: "/v2/{name=folders/*/policies/*}" }
171      additional_bindings { delete: "/v2/{name=organizations/*/policies/*}" }
172    };
173    option (google.api.method_signature) = "name";
174  }
175
176  // Creates a custom constraint.
177  //
178  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
179  // organization does not exist.
180  // Returns a `google.rpc.Status` with `google.rpc.Code.ALREADY_EXISTS` if the
181  // constraint already exists on the given organization.
182  rpc CreateCustomConstraint(CreateCustomConstraintRequest)
183      returns (CustomConstraint) {
184    option (google.api.http) = {
185      post: "/v2/{parent=organizations/*}/customConstraints"
186      body: "custom_constraint"
187    };
188    option (google.api.method_signature) = "parent,custom_constraint";
189  }
190
191  // Updates a custom constraint.
192  //
193  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
194  // constraint does not exist.
195  //
196  // Note: the supplied custom constraint will perform a full overwrite of all
197  // fields.
198  rpc UpdateCustomConstraint(UpdateCustomConstraintRequest)
199      returns (CustomConstraint) {
200    option (google.api.http) = {
201      patch: "/v2/{custom_constraint.name=organizations/*/customConstraints/*}"
202      body: "custom_constraint"
203    };
204    option (google.api.method_signature) = "custom_constraint";
205  }
206
207  // Gets a custom constraint.
208  //
209  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
210  // custom constraint does not exist.
211  rpc GetCustomConstraint(GetCustomConstraintRequest)
212      returns (CustomConstraint) {
213    option (google.api.http) = {
214      get: "/v2/{name=organizations/*/customConstraints/*}"
215    };
216    option (google.api.method_signature) = "name";
217  }
218
219  // Retrieves all of the custom constraints that exist on a particular
220  // organization resource.
221  rpc ListCustomConstraints(ListCustomConstraintsRequest)
222      returns (ListCustomConstraintsResponse) {
223    option (google.api.http) = {
224      get: "/v2/{parent=organizations/*}/customConstraints"
225    };
226    option (google.api.method_signature) = "parent";
227  }
228
229  // Deletes a custom constraint.
230  //
231  // Returns a `google.rpc.Status` with `google.rpc.Code.NOT_FOUND` if the
232  // constraint does not exist.
233  rpc DeleteCustomConstraint(DeleteCustomConstraintRequest)
234      returns (google.protobuf.Empty) {
235    option (google.api.http) = {
236      delete: "/v2/{name=organizations/*/customConstraints/*}"
237    };
238    option (google.api.method_signature) = "name";
239  }
240}
241
242// Defines an organization policy which is used to specify constraints
243// for configurations of Google Cloud resources.
244message Policy {
245  option (google.api.resource) = {
246    type: "orgpolicy.googleapis.com/Policy"
247    pattern: "projects/{project}/policies/{policy}"
248    pattern: "folders/{folder}/policies/{policy}"
249    pattern: "organizations/{organization}/policies/{policy}"
250  };
251
252  // Immutable. The resource name of the policy. Must be one of the following
253  // forms, where `constraint_name` is the name of the constraint which this
254  // policy configures:
255  //
256  // * `projects/{project_number}/policies/{constraint_name}`
257  // * `folders/{folder_id}/policies/{constraint_name}`
258  // * `organizations/{organization_id}/policies/{constraint_name}`
259  //
260  // For example, `projects/123/policies/compute.disableSerialPortAccess`.
261  //
262  // Note: `projects/{project_id}/policies/{constraint_name}` is also an
263  // acceptable name for API requests, but responses will return the name using
264  // the equivalent project number.
265  string name = 1 [(google.api.field_behavior) = IMMUTABLE];
266
267  // Basic information about the Organization Policy.
268  PolicySpec spec = 2;
269
270  // Deprecated.
  // NOTE(review): no replacement is named here; `dry_run_spec` looks like the
  // successor, since `AlternatePolicySpec` is described as specific to
  // dry-run/darklaunch — confirm before migrating callers.
271  AlternatePolicySpec alternate = 3 [deprecated = true];
272
273  // Dry-run policy.
274  // An audit-only policy that can be used to monitor how the policy would have
275  // affected existing and future resources if it were enforced.
276  PolicySpec dry_run_spec = 4;
277
278  // Optional. An opaque tag indicating the current state of the policy, used
279  // for concurrency control. This 'etag' is computed by the server based on the
280  // value of other fields, and may be sent on update and delete requests to
281  // ensure the client has an up-to-date value before proceeding.
  // NOTE(review): `PolicySpec` carries its own `etag` as well; check which of
  // the two a client is expected to echo back in a read-modify-write.
282  string etag = 5 [(google.api.field_behavior) = OPTIONAL];
283}
284
285// Similar to PolicySpec but with an extra 'launch' field for launch reference.
286// The PolicySpec here is specific for dry-run/darklaunch.
// Within this file the message is referenced only by the deprecated
// `Policy.alternate` field.
287message AlternatePolicySpec {
288  // Reference to the launch that will be used while audit logging and to
289  // control the launch.
290  // Should be set only in the alternate policy.
291  string launch = 1;
292
293  // Specify constraint for configurations of Google Cloud resources.
294  PolicySpec spec = 2;
295}
296
297// Defines a Google Cloud policy specification which is used to specify
298// constraints for configurations of Google Cloud resources.
299message PolicySpec {
300  // A rule used to express this policy.
301  message PolicyRule {
302    // A message that holds specific allowed and denied values.
303    // This message can define specific values and subtrees of the Resource
304    // Manager resource hierarchy (`Organizations`, `Folders`, `Projects`) that
305    // are allowed or denied. This is achieved by using the `under:` and
306    // optional `is:` prefixes.
307    // The `under:` prefix is used to denote resource subtree values.
308    // The `is:` prefix is used to denote specific values, and is required only
309    // if the value contains a ":". Values prefixed with "is:" are treated the
310    // same as values with no prefix.
311    // Ancestry subtrees must be in one of the following formats:
312    //
313    // - `projects/<project-id>` (for example, `projects/tokyo-rain-123`)
314    // - `folders/<folder-id>` (for example, `folders/1234`)
315    // - `organizations/<organization-id>` (for example, `organizations/1234`)
316    //
317    // The `supports_under` field of the associated `Constraint` defines
318    // whether ancestry prefixes can be used.
319    message StringValues {
320      // List of values allowed at this resource.
321      repeated string allowed_values = 1;
322
323      // List of values denied at this resource.
324      repeated string denied_values = 2;
325    }
326
    // The form this rule takes. The fields below are mutually exclusive:
    // setting one of them clears any other member of the oneof.
327    oneof kind {
328      // List of values to be used for this policy rule. This field can be set
329      // only in policies for list constraints.
330      StringValues values = 1;
331
332      // Setting this to true means that all values are allowed. This field can
333      // be set only in policies for list constraints.
334      bool allow_all = 2;
335
336      // Setting this to true means that all values are denied. This field can
337      // be set only in policies for list constraints.
338      bool deny_all = 3;
339
340      // If `true`, then the policy is enforced. If `false`, then any
341      // configuration is acceptable.
342      // This field can be set only in policies for boolean constraints.
343      bool enforce = 4;
344    }
345
346    // A condition which determines whether this rule is used
347    // in the evaluation of the policy. When set, the `expression` field in
348    // the `Expr` must include from 1 to 10 subexpressions, joined by the "||"
349    // or "&&" operators. Each subexpression must be of the form
350    // "resource.matchTag('<ORG_ID>/tag_key_short_name',
351    // 'tag_value_short_name')" or "resource.matchTagId('tagKeys/key_id',
352    // 'tagValues/value_id')", where key_name and value_name are the resource
353    // names for Label Keys and Values. These names are available from the Tag
354    // Manager Service. An example expression is:
355    // "resource.matchTag('123456789/environment',
356    // 'prod')" or "resource.matchTagId('tagKeys/123',
357    // 'tagValues/456')".
    // NOTE(review): the placeholders above are `key_id`/`value_id`, while the
    // sentence refers to `key_name`/`value_name` — confirm which is meant.
358    google.type.Expr condition = 5;
359  }
360
361  // An opaque tag indicating the current version of the policySpec, used for
362  // concurrency control.
363  //
364  // This field is ignored if used in a `CreatePolicy` request.
365  //
366  // When the policy is returned from either a `GetPolicy` or a
367  // `ListPolicies` request, this `etag` indicates the version of the
368  // current policySpec to use when executing a read-modify-write loop.
369  //
370  // When the policy is returned from a `GetEffectivePolicy` request, the
371  // `etag` will be unset.
372  string etag = 1;
373
374  // Output only. The timestamp at which this was last updated. This
375  // represents the last time a call to `CreatePolicy` or `UpdatePolicy` was
376  // made for that policy.
377  google.protobuf.Timestamp update_time = 2
378      [(google.api.field_behavior) = OUTPUT_ONLY];
379
380  // In policies for boolean constraints, the following requirements apply:
381  //
382  //   - There must be one and only one policy rule where condition is unset.
383  //   - Boolean policy rules with conditions must set `enforce` to the
384  //     opposite of the policy rule without a condition.
385  //   - During policy evaluation, policy rules with conditions that are
386  //     true for a target resource take precedence.
387  repeated PolicyRule rules = 3;
388
389  // Determines the inheritance behavior for this policy.
390  //
391  // If `inherit_from_parent` is true, policy rules set higher up in the
392  // hierarchy (up to the closest root) are inherited and present in the
393  // effective policy. If it is false, then no rules are inherited, and this
394  // policy becomes the new root for evaluation.
395  // This field can be set only for policies which configure list constraints.
  //
  // Review note: with `false`, rules set on ancestors no longer contribute to
  // the effective policy at this resource, so a change of this field is worth
  // reviewing alongside the `rules` it ships with.
396  bool inherit_from_parent = 4;
397
398  // Ignores policies set above this resource and restores the
399  // `constraint_default` enforcement behavior of the specific constraint at
400  // this resource.
401  // This field can be set in policies for either list or boolean
402  // constraints. If set, `rules` must be empty and `inherit_from_parent`
403  // must be set to false.
  //
  // Review note: the resulting behavior then depends on the constraint's
  // `constraint_default`, which is not defined in this file.
404  bool reset = 5;
405}
406
407// The request sent to the [ListConstraints]
408// [google.cloud.orgpolicy.v2.OrgPolicy.ListConstraints] method.
409message ListConstraintsRequest {
410  // Required. The Google Cloud resource that parents the constraint. Must be in
411  // one of the following forms:
412  //
413  // * `projects/{project_number}`
414  // * `projects/{project_id}`
415  // * `folders/{folder_id}`
416  // * `organizations/{organization_id}`
417  string parent = 1 [
418    (google.api.field_behavior) = REQUIRED,
419    (google.api.resource_reference) = {
420      child_type: "orgpolicy.googleapis.com/Constraint"
421    }
422  ];
423
424  // Size of the pages to be returned. This is currently unsupported and will
425  // be ignored. The server may at any point start using this field to limit
426  // page size.
  // Because the value is ignored today, callers cannot use it to bound the
  // size of a response.
427  int32 page_size = 2;
428
429  // Page token used to retrieve the next page. This is currently unsupported
430  // and will be ignored. The server may at any point start using this field.
431  string page_token = 3;
432}
433
434// The response returned from the [ListConstraints]
435// [google.cloud.orgpolicy.v2.OrgPolicy.ListConstraints] method.
436message ListConstraintsResponse {
437  // The collection of constraints that are available on the targeted resource.
438  repeated Constraint constraints = 1;
439
440  // Page token used to retrieve the next page. This is currently not used.
  // NOTE(review): the matching request says the server may start paginating at
  // any point, so a client that ignores a non-empty token could end up with a
  // partial list — presumably worth handling now; confirm.
441  string next_page_token = 2;
442}
443
444// The request sent to the [ListPolicies]
445// [google.cloud.orgpolicy.v2.OrgPolicy.ListPolicies] method.
446message ListPoliciesRequest {
447  // Required. The target Google Cloud resource that parents the set of
448  // constraints and policies that will be returned from this call. Must be in
449  // one of the following forms:
450  //
451  // * `projects/{project_number}`
452  // * `projects/{project_id}`
453  // * `folders/{folder_id}`
454  // * `organizations/{organization_id}`
455  string parent = 1 [
456    (google.api.field_behavior) = REQUIRED,
457    (google.api.resource_reference) = {
458      child_type: "orgpolicy.googleapis.com/Policy"
459    }
460  ];
461
462  // Size of the pages to be returned. This is currently unsupported and will
463  // be ignored. The server may at any point start using this field to limit
464  // page size.
  // Because the value is ignored today, callers cannot use it to bound the
  // size of a response.
465  int32 page_size = 2;
466
467  // Page token used to retrieve the next page. This is currently unsupported
468  // and will be ignored. The server may at any point start using this field.
469  string page_token = 3;
470}
471
472// The response returned from the [ListPolicies]
473// [google.cloud.orgpolicy.v2.OrgPolicy.ListPolicies] method. It will be empty
474// if no policies are set on the resource.
475message ListPoliciesResponse {
476  // All policies that exist on the resource. It will be empty if no
477  // policies are set.
478  repeated Policy policies = 1;
479
480  // Page token used to retrieve the next page. This is currently not used, but
481  // the server may at any point start supplying a valid token.
  // A client that audits policies from this list should therefore follow a
  // non-empty token rather than treat the first page as the complete set.
482  string next_page_token = 2;
483}
484
485// The request sent to the [GetPolicy]
486// [google.cloud.orgpolicy.v2.OrgPolicy.GetPolicy] method.
487message GetPolicyRequest {
488  // Required. Resource name of the policy. See
489  // [Policy][google.cloud.orgpolicy.v2.Policy] for naming requirements.
  // The accepted forms are the `projects/`, `folders/` and `organizations/`
  // names listed on `Policy.name`.
490  string name = 1 [
491    (google.api.field_behavior) = REQUIRED,
492    (google.api.resource_reference) = {
493      type: "orgpolicy.googleapis.com/Policy"
494    }
495  ];
496}
497
498// The request sent to the [GetEffectivePolicy]
499// [google.cloud.orgpolicy.v2.OrgPolicy.GetEffectivePolicy] method.
// The policy returned by that method has no `etag` or `condition` set, so it
// is not a suitable starting point for a read-modify-write update.
500message GetEffectivePolicyRequest {
501  // Required. The effective policy to compute. See
502  // [Policy][google.cloud.orgpolicy.v2.Policy] for naming requirements.
503  string name = 1 [
504    (google.api.field_behavior) = REQUIRED,
505    (google.api.resource_reference) = {
506      type: "orgpolicy.googleapis.com/Policy"
507    }
508  ];
509}
510
511// The request sent to the [CreatePolicy]
512// [google.cloud.orgpolicy.v2.OrgPolicy.CreatePolicy] method.
513message CreatePolicyRequest {
514  // Required. The Google Cloud resource that will parent the new policy. Must
515  // be in one of the following forms:
516  //
517  // * `projects/{project_number}`
518  // * `projects/{project_id}`
519  // * `folders/{folder_id}`
520  // * `organizations/{organization_id}`
521  string parent = 1 [
522    (google.api.field_behavior) = REQUIRED,
523    (google.api.resource_reference) = {
524      child_type: "orgpolicy.googleapis.com/Policy"
525    }
526  ];
527
528  // Required. Policy to create.
  // NOTE(review): field number 2 is not used in this message. If it belonged
  // to a removed field it must not be reused — confirm, and consider
  // `reserved 2;`.
529  Policy policy = 3 [(google.api.field_behavior) = REQUIRED];
530}
531
532// The request sent to the [UpdatePolicy]
533// [google.cloud.orgpolicy.v2.OrgPolicy.UpdatePolicy] method.
534message UpdatePolicyRequest {
535  // Required. Policy to update.
536  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
537
538  // Field mask used to specify the fields of the policy to be overwritten.
539  // The fields specified in the update_mask are relative to the
540  // policy, not the full request.
  // NOTE(review): the `UpdatePolicy` method comment describes a full overwrite
  // of all fields; confirm how the server treats an unset mask before relying
  // on it to protect fields that were left out of `policy`.
  // NOTE(review): field number 2 is not used in this message. If it belonged
  // to a removed field it must not be reused — confirm, and consider
  // `reserved 2;`.
541  google.protobuf.FieldMask update_mask = 3;
542}
543
544// The request sent to the [DeletePolicy]
545// [google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy] method.
546message DeletePolicyRequest {
547  // Required. Name of the policy to delete.
548  // See the policy entry for naming rules.
549  string name = 1 [
550    (google.api.field_behavior) = REQUIRED,
551    (google.api.resource_reference) = {
552      type: "orgpolicy.googleapis.com/Policy"
553    }
554  ];
555
556  // Optional. The current etag of the policy. If an etag is provided and does
557  // not match the current etag of the policy, deletion will be blocked and an
558  // ABORTED error will be returned.
  // NOTE(review): the behavior without an etag is not stated; presumably the
  // delete is then unconditional — confirm, and pass the etag from a preceding
  // read where a concurrent change must not be lost.
559  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
560}
561
562// The request sent to the [CreateCustomConstraint]
563// [google.cloud.orgpolicy.v2.OrgPolicy.CreateCustomConstraint] method.
564message CreateCustomConstraintRequest {
565  // Required. Must be in the following form:
566  //
567  // * `organizations/{organization_id}`
568  string parent = 1 [
569    (google.api.field_behavior) = REQUIRED,
570    (google.api.resource_reference) = {
571      child_type: "orgpolicy.googleapis.com/CustomConstraint"
572    }
573  ];
574
575  // Required. Custom constraint to create.
576  CustomConstraint custom_constraint = 2
577      [(google.api.field_behavior) = REQUIRED];
578}
579
580// The request sent to the [GetCustomConstraint]
581// [google.cloud.orgpolicy.v2.OrgPolicy.GetCustomConstraint] method.
582message GetCustomConstraintRequest {
583  // Required. Resource name of the custom constraint. See the custom constraint
584  // entry for naming requirements.
  // `CustomConstraint` is not defined in this file; the method's HTTP binding
  // accepts names of the form `organizations/*/customConstraints/*`.
585  string name = 1 [
586    (google.api.field_behavior) = REQUIRED,
587    (google.api.resource_reference) = {
588      type: "orgpolicy.googleapis.com/CustomConstraint"
589    }
590  ];
591}
592
593// The request sent to the [ListCustomConstraints]
594// [google.cloud.orgpolicy.v2.OrgPolicy.ListCustomConstraints] method.
595message ListCustomConstraintsRequest {
596  // Required. The target Google Cloud resource that parents the set of custom
597  // constraints that will be returned from this call. Must be in one of the
598  // following forms:
599  //
600  // * `organizations/{organization_id}`
601  string parent = 1 [
602    (google.api.field_behavior) = REQUIRED,
603    (google.api.resource_reference) = {
604      child_type: "orgpolicy.googleapis.com/CustomConstraint"
605    }
606  ];
607
608  // Size of the pages to be returned. This is currently unsupported and will
609  // be ignored. The server may at any point start using this field to limit
610  // page size.
  // Because the value is ignored today, callers cannot use it to bound the
  // size of a response.
611  int32 page_size = 2;
612
613  // Page token used to retrieve the next page. This is currently unsupported
614  // and will be ignored. The server may at any point start using this field.
615  string page_token = 3;
616}
617
618// The response returned from the [ListCustomConstraints]
619// [google.cloud.orgpolicy.v2.OrgPolicy.ListCustomConstraints] method. It will
620// be empty if no custom constraints are set on the organization resource.
621message ListCustomConstraintsResponse {
622  // All custom constraints that exist on the organization resource. It will be
623  // empty if no custom constraints are set.
624  repeated CustomConstraint custom_constraints = 1;
625
626  // Page token used to retrieve the next page. This is currently not used, but
627  // the server may at any point start supplying a valid token.
  // A client that inventories custom constraints should therefore follow a
  // non-empty token rather than treat the first page as the complete set.
628  string next_page_token = 2;
629}
630
631// The request sent to the [UpdateCustomConstraint]
632// [google.cloud.orgpolicy.v2.OrgPolicy.UpdateCustomConstraint] method.
// The request has no field mask and no etag of its own; whether
// `CustomConstraint` carries a version tag cannot be seen from this file.
633message UpdateCustomConstraintRequest {
634  // Required. `CustomConstraint` to update.
635  CustomConstraint custom_constraint = 1
636      [(google.api.field_behavior) = REQUIRED];
637}
638
639// The request sent to the [DeleteCustomConstraint]
640// [google.cloud.orgpolicy.v2.OrgPolicy.DeleteCustomConstraint] method.
// Unlike `DeletePolicyRequest`, this request has no `etag` field, so as far as
// this file shows the delete cannot be made conditional on the constraint's
// current version.
641message DeleteCustomConstraintRequest {
642  // Required. Name of the custom constraint to delete.
643  // See the custom constraint entry for naming rules.
644  string name = 1 [
645    (google.api.field_behavior) = REQUIRED,
646    (google.api.resource_reference) = {
647      type: "orgpolicy.googleapis.com/CustomConstraint"
648    }
649  ];
650}
651