kpt-grpc-demo/google/cloud/assuredworkloads/v1/assuredworkloads.proto

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.assuredworkloads.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.AssuredWorkloads.V1";
option go_package = "google.golang.org/genproto/googleapis/cloud/assuredworkloads/v1;assuredworkloads";
option java_multiple_files = true;
option java_outer_classname = "AssuredworkloadsProto";
option java_package = "com.google.cloud.assuredworkloads.v1";
option php_namespace = "Google\\Cloud\\AssuredWorkloads\\V1";
option ruby_package = "Google::Cloud::AssuredWorkloads::V1";
option (google.api.resource_definition) = {
  type: "assuredworkloads.googleapis.com/Location"
  pattern: "organizations/{organization}/locations/{location}"
};

// Service to manage AssuredWorkloads.
service AssuredWorkloadsService {
  option (google.api.default_host) = "assuredworkloads.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Creates Assured Workload.
  rpc CreateWorkload(CreateWorkloadRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{parent=organizations/*/locations/*}/workloads"
      body: "workload"
    };
    option (google.api.method_signature) = "parent,workload";
    option (google.longrunning.operation_info) = {
      response_type: "Workload"
      metadata_type: "CreateWorkloadOperationMetadata"
    };
  }

  // Updates an existing workload.
  // Currently allows updating of workload display_name and labels.
  // For force updates don't set etag field in the Workload.
  // Only one update operation per workload can be in progress.
  rpc UpdateWorkload(UpdateWorkloadRequest) returns (Workload) {
    option (google.api.http) = {
      patch: "/v1/{workload.name=organizations/*/locations/*/workloads/*}"
      body: "workload"
    };
    option (google.api.method_signature) = "workload,update_mask";
  }

  // Restrict the list of resources allowed in the Workload environment.
  // The current list of allowed products can be found at
  // https://cloud.google.com/assured-workloads/docs/supported-products
  // In addition to assuredworkloads.workload.update permission, the user should
  // also have orgpolicy.policy.set permission on the folder resource
  // to use this functionality.
  rpc RestrictAllowedResources(RestrictAllowedResourcesRequest) returns (RestrictAllowedResourcesResponse) {
    option (google.api.http) = {
      post: "/v1/{name=organizations/*/locations/*/workloads/*}:restrictAllowedResources"
      body: "*"
    };
  }

  // Deletes the workload. Make sure that workload's direct children are already
  // in a deleted state, otherwise the request will fail with a
  // FAILED_PRECONDITION error.
  rpc DeleteWorkload(DeleteWorkloadRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1/{name=organizations/*/locations/*/workloads/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Gets Assured Workload associated with a CRM Node
  rpc GetWorkload(GetWorkloadRequest) returns (Workload) {
    option (google.api.http) = {
      get: "/v1/{name=organizations/*/locations/*/workloads/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists Assured Workloads under a CRM Node.
  rpc ListWorkloads(ListWorkloadsRequest) returns (ListWorkloadsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=organizations/*/locations/*}/workloads"
    };
    option (google.api.method_signature) = "parent";
  }

  // Lists the Violations in the AssuredWorkload Environment.
  // Callers may also choose to read across multiple Workloads as per
  // [AIP-159](https://google.aip.dev/159) by using '-' (the hyphen or dash
  // character) as a wildcard character instead of workload-id in the parent.
  // Format `organizations/{org_id}/locations/{location}/workloads/-`
  rpc ListViolations(ListViolationsRequest) returns (ListViolationsResponse) {
    option (google.api.method_signature) = "parent";
  }

  // Retrieves Assured Workload Violation based on ID.
  rpc GetViolation(GetViolationRequest) returns (Violation) {
    option (google.api.method_signature) = "name";
  }

  // Acknowledges an existing violation. By acknowledging a violation, users
  // acknowledge the existence of a compliance violation in their workload and
  // decide to ignore it due to a valid business justification. Acknowledgement
  // is a permanent operation and it cannot be reverted.
  rpc AcknowledgeViolation(AcknowledgeViolationRequest) returns (AcknowledgeViolationResponse) {
  }
}

// Request for creating a workload.
message CreateWorkloadRequest {
  // Required. The resource name of the new Workload's parent.
  // Must be of the form `organizations/{org_id}/locations/{location_id}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Required. Assured Workload to create
  Workload workload = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. A identifier associated with the workload and underlying projects which
  // allows for the break down of billing costs for a workload. The value
  // provided for the identifier will add a label to the workload and contained
  // projects with the identifier as the value.
  string external_id = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Request for Updating a workload.
message UpdateWorkloadRequest {
  // Required. The workload to update.
  // The workload's `name` field is used to identify the workload to be updated.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  Workload workload = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields to be updated.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request for deleting a Workload.
message DeleteWorkloadRequest {
  // Required. The `name` field is used to identify the workload.
  // Format:
  // organizations/{org_id}/locations/{location_id}/workloads/{workload_id}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Optional. The etag of the workload.
  // If this is provided, it must match the server's etag.
  string etag = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request for fetching a workload.
message GetWorkloadRequest {
  // Required. The resource name of the Workload to fetch. This is the workload's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Workload"
    }
  ];
}

// Request for fetching workloads in an organization.
message ListWorkloadsRequest {
  // Required. Parent Resource to list workloads from.
  // Must be of the form `organizations/{org_id}/locations/{location}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Workload"
    }
  ];

  // Page size.
  int32 page_size = 2;

  // Page token returned from previous request. Page token contains context from
  // previous request. Page token needs to be passed in the second and following
  // requests.
  string page_token = 3;

  // A custom filter for filtering by properties of a workload. At this time,
  // only filtering by labels is supported.
  string filter = 4;
}

// Response of ListWorkloads endpoint.
message ListWorkloadsResponse {
  // List of Workloads under a given parent.
  repeated Workload workloads = 1;

  // The next page token. Return empty if reached the last page.
  string next_page_token = 2;
}

// A Workload object for managing highly regulated workloads of cloud
// customers.
message Workload {
  option (google.api.resource) = {
    type: "assuredworkloads.googleapis.com/Workload"
    pattern: "organizations/{organization}/locations/{location}/workloads/{workload}"
  };

  // Represent the resources that are children of this Workload.
  message ResourceInfo {
    // The type of resource.
    enum ResourceType {
      // Unknown resource type.
      RESOURCE_TYPE_UNSPECIFIED = 0;

      // Consumer project.
      // AssuredWorkloads Projects are no longer supported. This field will be
      // ignored only in CreateWorkload requests. ListWorkloads and GetWorkload
      // will continue to provide projects information.
      // Use CONSUMER_FOLDER instead.
      CONSUMER_PROJECT = 1 [deprecated = true];

      // Consumer Folder.
      CONSUMER_FOLDER = 4;

      // Consumer project containing encryption keys.
      ENCRYPTION_KEYS_PROJECT = 2;

      // Keyring resource that hosts encryption keys.
      KEYRING = 3;
    }

    // Resource identifier.
    // For a project this represents project_number.
    int64 resource_id = 1;

    // Indicates the type of resource.
    ResourceType resource_type = 2;
  }

  // Supported Compliance Regimes.
  enum ComplianceRegime {
    // Unknown compliance regime.
    COMPLIANCE_REGIME_UNSPECIFIED = 0;

    // Information protection as per DoD IL4 requirements.
    IL4 = 1;

    // Criminal Justice Information Services (CJIS) Security policies.
    CJIS = 2;

    // FedRAMP High data protection controls
    FEDRAMP_HIGH = 3;

    // FedRAMP Moderate data protection controls
    FEDRAMP_MODERATE = 4;

    // Assured Workloads For US Regions data protection controls
    US_REGIONAL_ACCESS = 5;

    // Health Insurance Portability and Accountability Act controls
    HIPAA = 6;

    // Health Information Trust Alliance controls
    HITRUST = 7;

    // Assured Workloads For EU Regions and Support controls
    EU_REGIONS_AND_SUPPORT = 8;

    // Assured Workloads For Canada Regions and Support controls
    CA_REGIONS_AND_SUPPORT = 9;

    // International Traffic in Arms Regulations
    ITAR = 10;

    // Assured Workloads for Australia Regions and Support controls
    // Available for public preview consumption.
    // Don't create production workloads.
    AU_REGIONS_AND_US_SUPPORT = 11;

    // Assured Workloads for Partners
    ASSURED_WORKLOADS_FOR_PARTNERS = 12;
  }

  // Settings specific to the Key Management Service.
  // This message is deprecated.
  // In order to create a Keyring, callers should specify,
  // ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
  message KMSSettings {
    option deprecated = true;

    // Required. Input only. Immutable. The time at which the Key Management Service will automatically create a
    // new version of the crypto key and mark it as the primary.
    google.protobuf.Timestamp next_rotation_time = 1 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];

    // Required. Input only. Immutable. [next_rotation_time] will be advanced by this period when the Key
    // Management Service automatically rotates a key. Must be at least 24 hours
    // and at most 876,000 hours.
    google.protobuf.Duration rotation_period = 2 [
      (google.api.field_behavior) = REQUIRED,
      (google.api.field_behavior) = INPUT_ONLY,
      (google.api.field_behavior) = IMMUTABLE
    ];
  }

  // Represent the custom settings for the resources to be created.
  message ResourceSettings {
    // Resource identifier.
    // For a project this represents project_id. If the project is already
    // taken, the workload creation will fail.
    // For KeyRing, this represents the keyring_id.
    // For a folder, don't set this value as folder_id is assigned by Google.
    string resource_id = 1;

    // Indicates the type of resource. This field should be specified to
    // correspond the id to the right resource type (CONSUMER_FOLDER or
    // ENCRYPTION_KEYS_PROJECT)
    ResourceInfo.ResourceType resource_type = 2;

    // User-assigned resource display name.
    // If not empty it will be used to create a resource with the specified
    // name.
    string display_name = 3;
  }

  // Key Access Justifications(KAJ) Enrollment State.
  enum KajEnrollmentState {
    // Default State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_UNSPECIFIED = 0;

    // Pending State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_PENDING = 1;

    // Complete State for KAJ Enrollment.
    KAJ_ENROLLMENT_STATE_COMPLETE = 2;
  }

  // Signed Access Approvals (SAA) enrollment response.
  message SaaEnrollmentResponse {
    // Setup state of SAA enrollment.
    enum SetupState {
      // Unspecified.
      SETUP_STATE_UNSPECIFIED = 0;

      // SAA enrollment pending.
      STATUS_PENDING = 1;

      // SAA enrollment comopleted.
      STATUS_COMPLETE = 2;
    }

    // Setup error of SAA enrollment.
    enum SetupError {
      // Unspecified.
      SETUP_ERROR_UNSPECIFIED = 0;

      // Invalid states for all customers, to be redirected to AA UI for
      // additional details.
      ERROR_INVALID_BASE_SETUP = 1;

      // Returned when there is not an EKM key configured.
      ERROR_MISSING_EXTERNAL_SIGNING_KEY = 2;

      // Returned when there are no enrolled services or the customer is
      // enrolled in CAA only for a subset of services.
      ERROR_NOT_ALL_SERVICES_ENROLLED = 3;

      // Returned when exception was encountered during evaluation of other
      // criteria.
      ERROR_SETUP_CHECK_FAILED = 4;
    }

    // Indicates SAA enrollment status of a given workload.
    optional SetupState setup_status = 1;

    // Indicates SAA enrollment setup error if any.
    repeated SetupError setup_errors = 2;
  }

  // Supported Assured Workloads Partners.
  enum Partner {
    // Unknown partner regime/controls.
    PARTNER_UNSPECIFIED = 0;

    // S3NS regime/controls.
    LOCAL_CONTROLS_BY_S3NS = 1;
  }

  // Optional. The resource name of the workload.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}
  //
  // Read-only.
  string name = 1 [(google.api.field_behavior) = OPTIONAL];

  // Required. The user-assigned display name of the Workload.
  // When present it must be between 4 to 30 characters.
  // Allowed characters are: lowercase and uppercase letters, numbers,
  // hyphen, and spaces.
  //
  // Example: My Workload
  string display_name = 2 [(google.api.field_behavior) = REQUIRED];

  // Output only. The resources associated with this workload.
  // These resources will be created when creating the workload.
  // If any of the projects already exist, the workload creation will fail.
  // Always read only.
  repeated ResourceInfo resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. Compliance Regime associated with this workload.
  ComplianceRegime compliance_regime = 4 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. The Workload creation timestamp.
  google.protobuf.Timestamp create_time = 5 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Optional. The billing account used for the resources which are
  // direct children of workload. This billing account is initially associated
  // with the resources created as part of Workload creation.
  // After the initial creation of these resources, the customer can change
  // the assigned billing account.
  // The resource name has the form
  // `billingAccounts/{billing_account_id}`. For example,
  // `billingAccounts/012345-567890-ABCDEF`.
  string billing_account = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. ETag of the workload, it is calculated on the basis
  // of the Workload contents. It will be used in Update & Delete operations.
  string etag = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Labels applied to the workload.
  map<string, string> labels = 10 [(google.api.field_behavior) = OPTIONAL];

  // Input only. The parent resource for the resources managed by this Assured Workload. May
  // be either empty or a folder resource which is a child of the
  // Workload parent. If not specified all resources are created under the
  // parent organization.
  // Format:
  // folders/{folder_id}
  string provisioned_resources_parent = 13 [(google.api.field_behavior) = INPUT_ONLY];

  // Input only. Settings used to create a CMEK crypto key. When set, a project with a KMS
  // CMEK key is provisioned.
  // This field is deprecated as of Feb 28, 2022.
  // In order to create a Keyring, callers should specify,
  // ENCRYPTION_KEYS_PROJECT or KEYRING in ResourceSettings.resource_type field.
  KMSSettings kms_settings = 14 [
    deprecated = true,
    (google.api.field_behavior) = INPUT_ONLY
  ];

  // Input only. Resource properties that are used to customize workload resources.
  // These properties (such as custom project id) will be used to create
  // workload resources if possible. This field is optional.
  repeated ResourceSettings resource_settings = 15 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. Represents the KAJ enrollment state of the given workload.
  KajEnrollmentState kaj_enrollment_state = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Indicates the sovereignty status of the given workload.
  // Currently meant to be used by Europe/Canada customers.
  bool enable_sovereign_controls = 18 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Represents the SAA enrollment response of the given workload.
  // SAA enrollment response is queried during GetWorkload call.
  // In failure cases, user friendly error message is shown in SAA details page.
  SaaEnrollmentResponse saa_enrollment_response = 20 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Urls for services which are compliant for this Assured Workload, but which
  // are currently disallowed by the ResourceUsageRestriction org policy.
  // Invoke RestrictAllowedResources endpoint to allow your project developers
  // to use these services in their environment."
  repeated string compliant_but_disallowed_services = 24 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Compliance Regime associated with this workload.
  Partner partner = 25 [(google.api.field_behavior) = OPTIONAL];
}

// Operation metadata to give request details of CreateWorkload.
message CreateWorkloadOperationMetadata {
  // Optional. Time when the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The display name of the workload.
  string display_name = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The parent of the workload.
  string parent = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Compliance controls that should be applied to the resources managed by
  // the workload.
  Workload.ComplianceRegime compliance_regime = 4 [(google.api.field_behavior) = OPTIONAL];
}

// Request for restricting list of available resources in Workload environment.
message RestrictAllowedResourcesRequest {
  // The type of restriction.
  enum RestrictionType {
    // Unknown restriction type.
    RESTRICTION_TYPE_UNSPECIFIED = 0;

    // Allow the use all of all gcp products, irrespective of the compliance
    // posture. This effectively removes gcp.restrictServiceUsage OrgPolicy
    // on the AssuredWorkloads Folder.
    ALLOW_ALL_GCP_RESOURCES = 1;

    // Based on Workload's compliance regime, allowed list changes.
    // See - https://cloud.google.com/assured-workloads/docs/supported-products
    // for the list of supported resources.
    ALLOW_COMPLIANT_RESOURCES = 2;
  }

  // Required. The resource name of the Workload. This is the workloads's
  // relative path in the API, formatted as
  // "organizations/{organization_id}/locations/{location_id}/workloads/{workload_id}".
  // For example,
  // "organizations/123/locations/us-east1/workloads/assured-workload-1".
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The type of restriction for using gcp products in the Workload environment.
  RestrictionType restriction_type = 2 [(google.api.field_behavior) = REQUIRED];
}

// Response for restricting the list of allowed resources.
message RestrictAllowedResourcesResponse {

}

// Request for acknowledging the violation
// Next Id: 4
message AcknowledgeViolationRequest {
  // Required. The resource name of the Violation to acknowledge.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Business justification explaining the need for violation acknowledgement
  string comment = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. This field is deprecated and will be removed in future version of the API.
  // Name of the OrgPolicy which was modified with non-compliant change and
  // resulted in this violation.
  // Format:
  // projects/{project_number}/policies/{constraint_name}
  // folders/{folder_id}/policies/{constraint_name}
  // organizations/{organization_id}/policies/{constraint_name}
  string non_compliant_org_policy = 3 [
    deprecated = true,
    (google.api.field_behavior) = OPTIONAL
  ];
}

// Response for violation acknowledgement
message AcknowledgeViolationResponse {

}

// Interval defining a time window.
message TimeWindow {
  // The start of the time window.
  google.protobuf.Timestamp start_time = 1;

  // The end of the time window.
  google.protobuf.Timestamp end_time = 2;
}

// Request for fetching violations in an organization.
message ListViolationsRequest {
  // Required. The Workload name.
  // Format `organizations/{org_id}/locations/{location}/workloads/{workload}`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "assuredworkloads.googleapis.com/Violation"
    }
  ];

  // Optional. Specifies the time window for retrieving active Violations.
  // When specified, retrieves Violations that were active between start_time
  // and end_time.
  TimeWindow interval = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Page size.
  int32 page_size = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Page token returned from previous request.
  string page_token = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. A custom filter for filtering by the Violations properties.
  string filter = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response of ListViolations endpoint.
message ListViolationsResponse {
  // List of Violations under a Workload.
  repeated Violation violations = 1;

  // The next page token. Returns empty if reached the last page.
  string next_page_token = 2;
}

// Request for fetching a Workload Violation.
message GetViolationRequest {
  // Required. The resource name of the Violation to fetch (ie. Violation.name).
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "assuredworkloads.googleapis.com/Violation"
    }
  ];
}

// Workload monitoring Violation.
message Violation {
  option (google.api.resource) = {
    type: "assuredworkloads.googleapis.com/Violation"
    pattern: "organizations/{organization}/locations/{location}/workloads/{workload}/violations/{violation}"
  };

  // Violation State Values
  enum State {
    // Unspecified state.
    STATE_UNSPECIFIED = 0;

    // Violation is resolved.
    RESOLVED = 2;

    // Violation is Unresolved
    UNRESOLVED = 3;

    // Violation is Exception
    EXCEPTION = 4;
  }

  // Represents remediation guidance to resolve compliance violation for
  // AssuredWorkload
  message Remediation {
    // Classifying remediation into various types based on the kind of
    // violation. For example, violations caused due to changes in boolean org
    // policy requires different remediation instructions compared to violation
    // caused due to changes in allowed values of list org policy.
    enum RemediationType {
      // Unspecified remediation type
      REMEDIATION_TYPE_UNSPECIFIED = 0;

      // Remediation type for boolean org policy
      REMEDIATION_BOOLEAN_ORG_POLICY_VIOLATION = 1;

      // Remediation type for list org policy which have allowed values in the
      // monitoring rule
      REMEDIATION_LIST_ALLOWED_VALUES_ORG_POLICY_VIOLATION = 2;

      // Remediation type for list org policy which have denied values in the
      // monitoring rule
      REMEDIATION_LIST_DENIED_VALUES_ORG_POLICY_VIOLATION = 3;

      // Remediation type for gcp.restrictCmekCryptoKeyProjects
      REMEDIATION_RESTRICT_CMEK_CRYPTO_KEY_PROJECTS_ORG_POLICY_VIOLATION = 4;
    }

    // Instructions to remediate violation
    message Instructions {
      // Remediation instructions to resolve violation via gcloud cli
      message Gcloud {
        // Gcloud command to resolve violation
        repeated string gcloud_commands = 1;

        // Steps to resolve violation via gcloud cli
        repeated string steps = 2;

        // Additional urls for more information about steps
        repeated string additional_links = 3;
      }

      // Remediation instructions to resolve violation via cloud console
      message Console {
        // Link to console page where violations can be resolved
        repeated string console_uris = 1;

        // Steps to resolve violation via cloud console
        repeated string steps = 2;

        // Additional urls for more information about steps
        repeated string additional_links = 3;
      }

      // Remediation instructions to resolve violation via gcloud cli
      Gcloud gcloud_instructions = 1;

      // Remediation instructions to resolve violation via cloud console
      Console console_instructions = 2;
    }

    // Required. Remediation instructions to resolve violations
    Instructions instructions = 1 [(google.api.field_behavior) = REQUIRED];

    // Values that can resolve the violation
    // For example: for list org policy violations, this will either be the list
    // of allowed or denied values
    repeated string compliant_values = 2;

    // Output only. Reemediation type based on the type of org policy values violated
    RemediationType remediation_type = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // Output only. Immutable. Name of the Violation.
  // Format:
  // organizations/{organization}/locations/{location}/workloads/{workload_id}/violations/{violations_id}
  string name = 1 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Description for the Violation.
  // e.g. OrgPolicy gcp.resourceLocations has non compliant value.
  string description = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time of the event which triggered the Violation.
  google.protobuf.Timestamp begin_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The last time when the Violation record was updated.
  google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Time of the event which fixed the Violation.
  // If the violation is ACTIVE this will be empty.
  google.protobuf.Timestamp resolve_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Category under which this violation is mapped.
  // e.g. Location, Service Usage, Access, Encryption, etc.
  string category = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. State of the violation
  State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Immutable. The org-policy-constraint that was incorrectly changed, which resulted in
  // this violation.
  string org_policy_constraint = 8 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. Audit Log Link for violated resource
  // Format:
  // https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{timeRange}{folder}
  string audit_log_link = 11 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Immutable. Name of the OrgPolicy which was modified with non-compliant change and
  // resulted this violation.
  //  Format:
  //  projects/{project_number}/policies/{constraint_name}
  //  folders/{folder_id}/policies/{constraint_name}
  //  organizations/{organization_id}/policies/{constraint_name}
  string non_compliant_org_policy = 12 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. Compliance violation remediation
  Remediation remediation = 13 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A boolean that indicates if the violation is acknowledged
  bool acknowledged = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Timestamp when this violation was acknowledged last.
  // This will be absent when acknowledged field is marked as false.
  optional google.protobuf.Timestamp acknowledgement_time = 15 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Immutable. Audit Log link to find business justification provided for violation
  // exception. Format:
  // https://console.cloud.google.com/logs/query;query={logName}{protoPayload.resourceName}{protoPayload.methodName}{timeRange}{organization}
  string exception_audit_log_link = 16 [
    (google.api.field_behavior) = OUTPUT_ONLY,
    (google.api.field_behavior) = IMMUTABLE
  ];
}