kpt-grpc-demo/google/cloud/certificatemanager/v1/certificate_manager.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.certificatemanager.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/certificatemanager/v1/certificate_issuance_config.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.CertificateManager.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/certificatemanager/v1;certificatemanager";
option java_multiple_files = true;
option java_outer_classname = "CertificateManagerProto";
option java_package = "com.google.cloud.certificatemanager.v1";
option php_namespace = "Google\\Cloud\\CertificateManager\\V1";
option ruby_package = "Google::Cloud::CertificateManager::V1";

// API Overview
//
// Certificates Manager API allows customers to see and manage all their TLS
// certificates.
//
// Certificates Manager API service provides methods to manage certificates,
// group them into collections, and create serving configuration that can be
// easily applied to other Cloud resources e.g. Target Proxies.
//
// Data Model
//
// The Certificates Manager service exposes the following resources:
//
// * `Certificate` which describes a single TLS certificate.
// * `CertificateMap` which describes a collection of certificates that can be
// attached to a target resource.
// * `CertificateMapEntry` which describes a single configuration entry that
// consists of a SNI and a group of certificates. It's a subresource of
// CertificateMap.
//
// Certificate, CertificateMap and CertificateMapEntry IDs
// have to match "^[a-z0-9-]{1,63}$" regexp, which means that
// - only lower case letters, digits, and hyphen are allowed
// - length of the resource ID has to be in [1,63] range.
//
// Provides methods to manage Cloud Certificate Manager entities.
service CertificateManager {
  option (google.api.default_host) = "certificatemanager.googleapis.com";
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Lists Certificates in a given project and location.
  rpc ListCertificates(ListCertificatesRequest)
      returns (ListCertificatesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/certificates"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details of a single Certificate.
  rpc GetCertificate(GetCertificateRequest) returns (Certificate) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/certificates/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new Certificate in a given project and location.
  rpc CreateCertificate(CreateCertificateRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/certificates"
      body: "certificate"
    };
    option (google.api.method_signature) = "parent,certificate,certificate_id";
    option (google.longrunning.operation_info) = {
      response_type: "Certificate"
      metadata_type: "OperationMetadata"
    };
  }

  // Updates a Certificate.
  rpc UpdateCertificate(UpdateCertificateRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{certificate.name=projects/*/locations/*/certificates/*}"
      body: "certificate"
    };
    option (google.api.method_signature) = "certificate,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "Certificate"
      metadata_type: "OperationMetadata"
    };
  }

  // Deletes a single Certificate.
  rpc DeleteCertificate(DeleteCertificateRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/certificates/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // Lists CertificateMaps in a given project and location.
  rpc ListCertificateMaps(ListCertificateMapsRequest)
      returns (ListCertificateMapsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/certificateMaps"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details of a single CertificateMap.
  rpc GetCertificateMap(GetCertificateMapRequest) returns (CertificateMap) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/certificateMaps/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new CertificateMap in a given project and location.
  rpc CreateCertificateMap(CreateCertificateMapRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/certificateMaps"
      body: "certificate_map"
    };
    option (google.api.method_signature) =
        "parent,certificate_map,certificate_map_id";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateMap"
      metadata_type: "OperationMetadata"
    };
  }

  // Updates a CertificateMap.
  rpc UpdateCertificateMap(UpdateCertificateMapRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{certificate_map.name=projects/*/locations/*/certificateMaps/*}"
      body: "certificate_map"
    };
    option (google.api.method_signature) = "certificate_map,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateMap"
      metadata_type: "OperationMetadata"
    };
  }

  // Deletes a single CertificateMap. A Certificate Map can't be deleted
  // if it contains Certificate Map Entries. Remove all the entries from
  // the map before calling this method.
  rpc DeleteCertificateMap(DeleteCertificateMapRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/certificateMaps/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // Lists CertificateMapEntries in a given project and location.
  rpc ListCertificateMapEntries(ListCertificateMapEntriesRequest)
      returns (ListCertificateMapEntriesResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*/certificateMaps/*}/certificateMapEntries"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details of a single CertificateMapEntry.
  rpc GetCertificateMapEntry(GetCertificateMapEntryRequest)
      returns (CertificateMapEntry) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/certificateMaps/*/certificateMapEntries/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new CertificateMapEntry in a given project and location.
  rpc CreateCertificateMapEntry(CreateCertificateMapEntryRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*/certificateMaps/*}/certificateMapEntries"
      body: "certificate_map_entry"
    };
    option (google.api.method_signature) =
        "parent,certificate_map_entry,certificate_map_entry_id";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateMapEntry"
      metadata_type: "OperationMetadata"
    };
  }

  // Updates a CertificateMapEntry.
  rpc UpdateCertificateMapEntry(UpdateCertificateMapEntryRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{certificate_map_entry.name=projects/*/locations/*/certificateMaps/*/certificateMapEntries/*}"
      body: "certificate_map_entry"
    };
    option (google.api.method_signature) = "certificate_map_entry,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateMapEntry"
      metadata_type: "OperationMetadata"
    };
  }

  // Deletes a single CertificateMapEntry.
  rpc DeleteCertificateMapEntry(DeleteCertificateMapEntryRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/certificateMaps/*/certificateMapEntries/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // Lists DnsAuthorizations in a given project and location.
  rpc ListDnsAuthorizations(ListDnsAuthorizationsRequest)
      returns (ListDnsAuthorizationsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/dnsAuthorizations"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details of a single DnsAuthorization.
  rpc GetDnsAuthorization(GetDnsAuthorizationRequest)
      returns (DnsAuthorization) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/dnsAuthorizations/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new DnsAuthorization in a given project and location.
  rpc CreateDnsAuthorization(CreateDnsAuthorizationRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/dnsAuthorizations"
      body: "dns_authorization"
    };
    option (google.api.method_signature) =
        "parent,dns_authorization,dns_authorization_id";
    option (google.longrunning.operation_info) = {
      response_type: "DnsAuthorization"
      metadata_type: "OperationMetadata"
    };
  }

  // Updates a DnsAuthorization.
  rpc UpdateDnsAuthorization(UpdateDnsAuthorizationRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{dns_authorization.name=projects/*/locations/*/dnsAuthorizations/*}"
      body: "dns_authorization"
    };
    option (google.api.method_signature) = "dns_authorization,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "DnsAuthorization"
      metadata_type: "OperationMetadata"
    };
  }

  // Deletes a single DnsAuthorization.
  rpc DeleteDnsAuthorization(DeleteDnsAuthorizationRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/dnsAuthorizations/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // Lists CertificateIssuanceConfigs in a given project and location.
  rpc ListCertificateIssuanceConfigs(ListCertificateIssuanceConfigsRequest)
      returns (ListCertificateIssuanceConfigsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/certificateIssuanceConfigs"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets details of a single CertificateIssuanceConfig.
  rpc GetCertificateIssuanceConfig(GetCertificateIssuanceConfigRequest)
      returns (CertificateIssuanceConfig) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/certificateIssuanceConfigs/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new CertificateIssuanceConfig in a given project and location.
  rpc CreateCertificateIssuanceConfig(CreateCertificateIssuanceConfigRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/certificateIssuanceConfigs"
      body: "certificate_issuance_config"
    };
    option (google.api.method_signature) =
        "parent,certificate_issuance_config,certificate_issuance_config_id";
    option (google.longrunning.operation_info) = {
      response_type: "CertificateIssuanceConfig"
      metadata_type: "OperationMetadata"
    };
  }

  // Deletes a single CertificateIssuanceConfig.
  rpc DeleteCertificateIssuanceConfig(DeleteCertificateIssuanceConfigRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/certificateIssuanceConfigs/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }
}

// Request for the `ListCertificates` method.
message ListCertificatesRequest {
  // Required. The project and location from which the certificate should be
  // listed, specified in the format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Maximum number of certificates to return per call.
  int32 page_size = 2;

  // The value returned by the last `ListCertificatesResponse`. Indicates that
  // this is a continuation of a prior `ListCertificates` call, and that the
  // system should return the next page of data.
  string page_token = 3;

  // Filter expression to restrict the Certificates returned.
  string filter = 4;

  // A list of Certificate field names used to specify the order of the returned
  // results. The default sorting order is ascending. To specify descending
  // order for a field, add a suffix " desc".
  string order_by = 5;
}

// Response for the `ListCertificates` method.
message ListCertificatesResponse {
  // A list of certificates for the parent resource.
  repeated Certificate certificates = 1;

  // If there might be more results than those appearing in this response, then
  // `next_page_token` is included. To get the next set of results, call this
  // method again using the value of `next_page_token` as `page_token`.
  string next_page_token = 2;

  // A list of locations that could not be reached.
  repeated string unreachable = 3;
}

// Request for the `GetCertificate` method.
message GetCertificateRequest {
  // Required. A name of the certificate to describe. Must be in the format
  // `projects/*/locations/*/certificates/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/Certificate"
    }
  ];
}

// Request for the `CreateCertificate` method.
message CreateCertificateRequest {
  // Required. The parent resource of the certificate. Must be in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. A user-provided name of the certificate.
  string certificate_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A definition of the certificate to create.
  Certificate certificate = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request for the `UpdateCertificate` method.
message UpdateCertificateRequest {
  // Required. A definition of the certificate to update.
  Certificate certificate = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The update mask applies to the resource. For the `FieldMask`
  // definition, see
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request for the `DeleteCertificate` method.
message DeleteCertificateRequest {
  // Required. A name of the certificate to delete. Must be in the format
  // `projects/*/locations/*/certificates/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/Certificate"
    }
  ];
}

// Request for the `ListCertificateMaps` method.
message ListCertificateMapsRequest {
  // Required. The project and location from which the certificate maps should
  // be listed, specified in the format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Maximum number of certificate maps to return per call.
  int32 page_size = 2;

  // The value returned by the last `ListCertificateMapsResponse`. Indicates
  // that this is a continuation of a prior `ListCertificateMaps` call, and that
  // the system should return the next page of data.
  string page_token = 3;

  // Filter expression to restrict the Certificates Maps returned.
  string filter = 4;

  // A list of Certificate Map field names used to specify the order of the
  // returned results. The default sorting order is ascending. To specify
  // descending order for a field, add a suffix " desc".
  string order_by = 5;
}

// Response for the `ListCertificateMaps` method.
message ListCertificateMapsResponse {
  // A list of certificate maps for the parent resource.
  repeated CertificateMap certificate_maps = 1;

  // If there might be more results than those appearing in this response, then
  // `next_page_token` is included. To get the next set of results, call this
  // method again using the value of `next_page_token` as `page_token`.
  string next_page_token = 2;

  // Locations that could not be reached.
  repeated string unreachable = 3;
}

// Request for the `GetCertificateMap` method.
message GetCertificateMapRequest {
  // Required. A name of the certificate map to describe. Must be in the format
  // `projects/*/locations/*/certificateMaps/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/CertificateMap"
    }
  ];
}

// Request for the `CreateCertificateMap` method.
message CreateCertificateMapRequest {
  // Required. The parent resource of the certificate map. Must be in the format
  // `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. A user-provided name of the certificate map.
  string certificate_map_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A definition of the certificate map to create.
  CertificateMap certificate_map = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request for the `UpdateCertificateMap` method.
message UpdateCertificateMapRequest {
  // Required. A definition of the certificate map to update.
  CertificateMap certificate_map = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The update mask applies to the resource. For the `FieldMask`
  // definition, see
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request for the `DeleteCertificateMap` method.
message DeleteCertificateMapRequest {
  // Required. A name of the certificate map to delete. Must be in the format
  // `projects/*/locations/*/certificateMaps/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/CertificateMap"
    }
  ];
}

// Request for the `ListCertificateMapEntries` method.
message ListCertificateMapEntriesRequest {
  // Required. The project, location and certificate map from which the
  // certificate map entries should be listed, specified in the format
  // `projects/*/locations/*/certificateMaps/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/CertificateMap"
    }
  ];

  // Maximum number of certificate map entries to return. The service may return
  // fewer than this value.
  // If unspecified, at most 50 certificate map entries will be returned.
  // The maximum value is 1000; values above 1000 will be coerced to 1000.
  int32 page_size = 2;

  // The value returned by the last `ListCertificateMapEntriesResponse`.
  // Indicates that this is a continuation of a prior
  // `ListCertificateMapEntries` call, and that the system should return the
  // next page of data.
  string page_token = 3;

  // Filter expression to restrict the returned Certificate Map Entries.
  string filter = 4;

  // A list of Certificate Map Entry field names used to specify
  // the order of the returned results. The default sorting order is ascending.
  // To specify descending order for a field, add a suffix " desc".
  string order_by = 5;
}

// Response for the `ListCertificateMapEntries` method.
message ListCertificateMapEntriesResponse {
  // A list of certificate map entries for the parent resource.
  repeated CertificateMapEntry certificate_map_entries = 1;

  // If there might be more results than those appearing in this response, then
  // `next_page_token` is included. To get the next set of results, call this
  // method again using the value of `next_page_token` as `page_token`.
  string next_page_token = 2;

  // Locations that could not be reached.
  repeated string unreachable = 3;
}

// Request for the `GetCertificateMapEntry` method.
message GetCertificateMapEntryRequest {
  // Required. A name of the certificate map entry to describe. Must be in the
  // format `projects/*/locations/*/certificateMaps/*/certificateMapEntries/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/CertificateMapEntry"
    }
  ];
}

// Request for the `CreateCertificateMapEntry` method.
message CreateCertificateMapEntryRequest {
  // Required. The parent resource of the certificate map entry. Must be in the
  // format `projects/*/locations/*/certificateMaps/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/CertificateMap"
    }
  ];

  // Required. A user-provided name of the certificate map entry.
  string certificate_map_entry_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A definition of the certificate map entry to create.
  CertificateMapEntry certificate_map_entry = 3
      [(google.api.field_behavior) = REQUIRED];
}

// Request for the `UpdateCertificateMapEntry` method.
message UpdateCertificateMapEntryRequest {
  // Required. A definition of the certificate map entry to create map entry.
  CertificateMapEntry certificate_map_entry = 1
      [(google.api.field_behavior) = REQUIRED];

  // Required. The update mask applies to the resource. For the `FieldMask`
  // definition, see
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request for the `DeleteCertificateMapEntry` method.
message DeleteCertificateMapEntryRequest {
  // Required. A name of the certificate map entry to delete. Must be in the
  // format `projects/*/locations/*/certificateMaps/*/certificateMapEntries/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/CertificateMapEntry"
    }
  ];
}

// Request for the `ListDnsAuthorizations` method.
message ListDnsAuthorizationsRequest {
  // Required. The project and location from which the dns authorizations should
  // be listed, specified in the format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Maximum number of dns authorizations to return per call.
  int32 page_size = 2;

  // The value returned by the last `ListDnsAuthorizationsResponse`. Indicates
  // that this is a continuation of a prior `ListDnsAuthorizations` call, and
  // that the system should return the next page of data.
  string page_token = 3;

  // Filter expression to restrict the Dns Authorizations returned.
  string filter = 4;

  // A list of Dns Authorization field names used to specify the order of the
  // returned results. The default sorting order is ascending. To specify
  // descending order for a field, add a suffix " desc".
  string order_by = 5;
}

// Response for the `ListDnsAuthorizations` method.
message ListDnsAuthorizationsResponse {
  // A list of dns authorizations for the parent resource.
  repeated DnsAuthorization dns_authorizations = 1;

  // If there might be more results than those appearing in this response, then
  // `next_page_token` is included. To get the next set of results, call this
  // method again using the value of `next_page_token` as `page_token`.
  string next_page_token = 2;

  // Locations that could not be reached.
  repeated string unreachable = 3;
}

// Request for the `GetDnsAuthorization` method.
message GetDnsAuthorizationRequest {
  // Required. A name of the dns authorization to describe. Must be in the
  // format `projects/*/locations/*/dnsAuthorizations/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/DnsAuthorization"
    }
  ];
}

// Request for the `CreateDnsAuthorization` method.
message CreateDnsAuthorizationRequest {
  // Required. The parent resource of the dns authorization. Must be in the
  // format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. A user-provided name of the dns authorization.
  string dns_authorization_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A definition of the dns authorization to create.
  DnsAuthorization dns_authorization = 3
      [(google.api.field_behavior) = REQUIRED];
}

// Request for the `UpdateDnsAuthorization` method.
message UpdateDnsAuthorizationRequest {
  // Required. A definition of the dns authorization to update.
  DnsAuthorization dns_authorization = 1
      [(google.api.field_behavior) = REQUIRED];

  // Required. The update mask applies to the resource. For the `FieldMask`
  // definition, see
  // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask.
  google.protobuf.FieldMask update_mask = 2
      [(google.api.field_behavior) = REQUIRED];
}

// Request for the `DeleteDnsAuthorization` method.
message DeleteDnsAuthorizationRequest {
  // Required. A name of the dns authorization to delete. Must be in the format
  // `projects/*/locations/*/dnsAuthorizations/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "certificatemanager.googleapis.com/DnsAuthorization"
    }
  ];
}

// Represents the metadata of the long-running operation. Output only.
message OperationMetadata {
  // The time the operation was created.
  google.protobuf.Timestamp create_time = 1;

  // The time the operation finished running.
  google.protobuf.Timestamp end_time = 2;

  // Server-defined resource path for the target of the operation.
  string target = 3;

  // Name of the verb executed by the operation.
  string verb = 4;

  // Human-readable status of the operation, if any.
  string status_message = 5;

  // Identifies whether the user has requested cancellation
  // of the operation. Operations that have successfully been cancelled
  // have [Operation.error][] value with a
  // [google.rpc.Status.code][google.rpc.Status.code] of 1, corresponding to
  // `Code.CANCELLED`.
  bool requested_cancellation = 6;

  // API version used to start the operation.
  string api_version = 7;
}

// Defines TLS certificate.
message Certificate {
  option (google.api.resource) = {
    type: "certificatemanager.googleapis.com/Certificate"
    pattern: "projects/{project}/locations/{location}/certificates/{certificate}"
  };

  // Certificate data for a SelfManaged Certificate.
  // SelfManaged Certificates are uploaded by the user. Updating such
  // certificates before they expire remains the user's responsibility.
  message SelfManagedCertificate {
    // Input only. The PEM-encoded certificate chain.
    // Leaf certificate comes first, followed by intermediate ones if any.
    string pem_certificate = 1 [(google.api.field_behavior) = INPUT_ONLY];

    // Input only. The PEM-encoded private key of the leaf certificate.
    string pem_private_key = 2 [(google.api.field_behavior) = INPUT_ONLY];
  }

  // Configuration and state of a Managed Certificate.
  // Certificate Manager provisions and renews Managed Certificates
  // automatically, for as long as it's authorized to do so.
  message ManagedCertificate {
    enum State {
      STATE_UNSPECIFIED = 0;

      // Certificate Manager attempts to provision or renew the certificate.
      // If the process takes longer than expected, consult the
      // `provisioning_issue` field.
      PROVISIONING = 1;

      // Multiple certificate provisioning attempts failed and Certificate
      // Manager gave up. To try again, delete and create a new managed
      // Certificate resource.
      // For details see the `provisioning_issue` field.
      FAILED = 2;

      // The certificate management is working, and a certificate has been
      // provisioned.
      ACTIVE = 3;
    }

    // Information about issues with provisioning a Managed Certificate.
    message ProvisioningIssue {
      enum Reason {
        REASON_UNSPECIFIED = 0;

        // Certificate provisioning failed due to an issue with one or more of
        // the domains on the certificate.
        // For details of which domains failed, consult the
        // `authorization_attempt_info` field.
        AUTHORIZATION_ISSUE = 1;

        // Exceeded Certificate Authority quotas or internal rate limits of the
        // system. Provisioning may take longer to complete.
        RATE_LIMITED = 2;
      }

      // Output only. Reason for provisioning failures.
      Reason reason = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. Human readable explanation about the issue. Provided to
      // help address the configuration issues. Not guaranteed to be stable. For
      // programmatic access use Reason enum.
      string details = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // State of the latest attempt to authorize a domain for certificate
    // issuance.
    message AuthorizationAttemptInfo {
      enum State {
        STATE_UNSPECIFIED = 0;

        // Certificate provisioning for this domain is under way. GCP will
        // attempt to authorize the domain.
        AUTHORIZING = 1;

        // A managed certificate can be provisioned, no issues for this domain.
        AUTHORIZED = 6;

        // Attempt to authorize the domain failed. This prevents the Managed
        // Certificate from being issued.
        // See `failure_reason` and `details` fields for more information.
        FAILED = 7;
      }

      enum FailureReason {
        FAILURE_REASON_UNSPECIFIED = 0;

        // There was a problem with the user's DNS or load balancer
        // configuration for this domain.
        CONFIG = 1;

        // Certificate issuance forbidden by an explicit CAA record for the
        // domain or a failure to check CAA records for the domain.
        CAA = 2;

        // Reached a CA or internal rate-limit for the domain,
        // e.g. for certificates per top-level private domain.
        RATE_LIMITED = 3;
      }

      // Domain name of the authorization attempt.
      string domain = 1;

      // Output only. State of the domain for managed certificate issuance.
      State state = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. Reason for failure of the authorization attempt for the
      // domain.
      FailureReason failure_reason = 3
          [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. Human readable explanation for reaching the state.
      // Provided to help address the configuration issues. Not guaranteed to be
      // stable. For programmatic access use FailureReason enum.
      string details = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // Immutable. The domains for which a managed SSL certificate will be
    // generated. Wildcard domains are only supported with DNS challenge
    // resolution.
    repeated string domains = 1 [(google.api.field_behavior) = IMMUTABLE];

    // Immutable. Authorizations that will be used for performing domain
    // authorization.
    repeated string dns_authorizations = 2 [
      (google.api.field_behavior) = IMMUTABLE,
      (google.api.resource_reference) = {
        type: "certificatemanager.googleapis.com/DnsAuthorization"
      }
    ];

    // The resource name for a
    // [CertificateIssuanceConfig][google.cloud.certificatemanager.v1.CertificateIssuanceConfig]
    // used to configure private PKI certificates in the format
    // `projects/*/locations/*/certificateIssuanceConfigs/*`.
    // If this field is not set, the certificates will instead be publicly
    // signed as documented at
    // https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
    string issuance_config = 6 [
      (google.api.field_behavior) = IMMUTABLE,
      (google.api.resource_reference) = {
        type: "certificatemanager.googleapis.com/CertificateIssuanceConfig"
      }
    ];

    // Output only. State of the managed certificate resource.
    State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. Information about issues with provisioning a Managed
    // Certificate.
    ProvisioningIssue provisioning_issue = 3
        [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. Detailed state of the latest authorization attempt for each
    // domain specified for managed certificate resource.
    repeated AuthorizationAttemptInfo authorization_attempt_info = 5
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Certificate scope.
  enum Scope {
    // Certificates with default scope are served from core Google data centers.
    // If unsure, choose this option.
    DEFAULT = 0;

    // Certificates with scope EDGE_CACHE are special-purposed certificates,
    // served from non-core Google data centers.
    EDGE_CACHE = 1;
  }

  // A user-defined name of the certificate. Certificate names must be unique
  // globally and match pattern `projects/*/locations/*/certificates/*`.
  string name = 1;

  // One or more paragraphs of text description of a certificate.
  string description = 8;

  // Output only. The creation timestamp of a Certificate.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last update timestamp of a Certificate.
  google.protobuf.Timestamp update_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Set of labels associated with a Certificate.
  map<string, string> labels = 4;

  oneof type {
    // If set, defines data of a self-managed certificate.
    SelfManagedCertificate self_managed = 5;

    // If set, contains configuration and state of a managed certificate.
    ManagedCertificate managed = 11;
  }

  // Output only. The list of Subject Alternative Names of dnsName type defined
  // in the certificate (see RFC 5280 4.2.1.6). Managed certificates that
  // haven't been provisioned yet have this field populated with a value of the
  // managed.domains field.
  repeated string san_dnsnames = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The PEM-encoded certificate chain.
  string pem_certificate = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The expiry timestamp of a Certificate.
  google.protobuf.Timestamp expire_time = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The scope of the certificate.
  Scope scope = 12 [(google.api.field_behavior) = IMMUTABLE];
}

// Defines a collection of certificate configurations.
message CertificateMap {
  option (google.api.resource) = {
    type: "certificatemanager.googleapis.com/CertificateMap"
    pattern: "projects/{project}/locations/{location}/certificateMaps/{certificate_map}"
  };

  // Describes a Target Proxy which uses this Certificate Map.
  message GclbTarget {
    // Defines IP configuration where this Certificate Map is serving.
    message IpConfig {
      // Output only. An external IP address.
      string ip_address = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. Ports.
      repeated uint32 ports = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // A Target Proxy to which this map is attached to.
    oneof target_proxy {
      // Output only. This field returns the resource name in the following
      // format:
      // `//compute.googleapis.com/projects/*/global/targetHttpsProxies/*`.
      string target_https_proxy = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. This field returns the resource name in the following
      // format:
      // `//compute.googleapis.com/projects/*/global/targetSslProxies/*`.
      string target_ssl_proxy = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // Output only. IP configurations for this Target Proxy where the
    // Certificate Map is serving.
    repeated IpConfig ip_configs = 2
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // A user-defined name of the Certificate Map. Certificate Map names must be
  // unique globally and match pattern
  // `projects/*/locations/*/certificateMaps/*`.
  string name = 1;

  // One or more paragraphs of text description of a certificate map.
  string description = 5;

  // Output only. The creation timestamp of a Certificate Map.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The update timestamp of a Certificate Map.
  google.protobuf.Timestamp update_time = 6
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Set of labels associated with a Certificate Map.
  map<string, string> labels = 3;

  // Output only. A list of GCLB targets which use this Certificate Map.
  // A Target Proxy is only present on this list if it's attached to a
  // Forwarding Rule.
  repeated GclbTarget gclb_targets = 4
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Defines a certificate map entry.
message CertificateMapEntry {
  option (google.api.resource) = {
    type: "certificatemanager.googleapis.com/CertificateMapEntry"
    pattern: "projects/{project}/locations/{location}/certificateMaps/{certificate_map}/certificateMapEntries/{certificate_map_entry}"
  };

  // Defines predefined cases other than SNI-hostname match when this
  // configuration should be applied.
  enum Matcher {
    // A matcher has't been recognized.
    MATCHER_UNSPECIFIED = 0;

    // A primary certificate that is served when SNI wasn't specified in the
    // request or SNI couldn't be found in the map.
    PRIMARY = 1;
  }

  // A user-defined name of the Certificate Map Entry. Certificate Map Entry
  // names must be unique globally and match pattern
  // `projects/*/locations/*/certificateMaps/*/certificateMapEntries/*`.
  string name = 1;

  // One or more paragraphs of text description of a certificate map entry.
  string description = 9;

  // Output only. The creation timestamp of a Certificate Map Entry.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The update timestamp of a Certificate Map Entry.
  google.protobuf.Timestamp update_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Set of labels associated with a Certificate Map Entry.
  map<string, string> labels = 4;

  oneof match {
    // A Hostname (FQDN, e.g. `example.com`) or a wildcard hostname expression
    // (`*.example.com`) for a set of hostnames with common suffix. Used as
    // Server Name Indication (SNI) for selecting a proper certificate.
    string hostname = 5;

    // A predefined matcher for particular cases, other than SNI selection.
    Matcher matcher = 10;
  }

  // A set of Certificates defines for the given `hostname`. There can be
  // defined up to fifteen certificates in each Certificate Map Entry. Each
  // certificate must match pattern `projects/*/locations/*/certificates/*`.
  repeated string certificates = 7 [(google.api.resource_reference) = {
    type: "certificatemanager.googleapis.com/Certificate"
  }];

  // Output only. A serving state of this Certificate Map Entry.
  ServingState state = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A DnsAuthorization resource describes a way to perform domain authorization
// for certificate issuance.
message DnsAuthorization {
  option (google.api.resource) = {
    type: "certificatemanager.googleapis.com/DnsAuthorization"
    pattern: "projects/{project}/locations/{location}/dnsAuthorizations/{dns_authorization}"
  };

  // The structure describing the DNS Resource Record that needs to be added
  // to DNS configuration for the authorization to be usable by
  // certificate.
  message DnsResourceRecord {
    // Output only. Fully qualified name of the DNS Resource Record.
    // e.g. `_acme-challenge.example.com`
    string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. Type of the DNS Resource Record.
    // Currently always set to "CNAME".
    string type = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

    // Output only. Data of the DNS Resource Record.
    string data = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // A user-defined name of the dns authorization. DnsAuthorization names must
  // be unique globally and match pattern
  // `projects/*/locations/*/dnsAuthorizations/*`.
  string name = 1;

  // Output only. The creation timestamp of a DnsAuthorization.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last update timestamp of a DnsAuthorization.
  google.protobuf.Timestamp update_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Set of labels associated with a DnsAuthorization.
  map<string, string> labels = 4;

  // One or more paragraphs of text description of a DnsAuthorization.
  string description = 5;

  // Required. Immutable. A domain which is being authorized. A DnsAuthorization
  // resource covers a single domain and its wildcard, e.g. authorization for
  // `example.com` can be used to issue certificates for `example.com` and
  // `*.example.com`.
  string domain = 6 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. DNS Resource Record that needs to be added to DNS
  // configuration.
  DnsResourceRecord dns_resource_record = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Defines set of serving states associated with a resource.
enum ServingState {
  // The status is undefined.
  SERVING_STATE_UNSPECIFIED = 0;

  // The configuration is serving.
  ACTIVE = 1;

  // Update is in progress. Some frontends may serve this configuration.
  PENDING = 2;
}